Skip to content

fix(ci): pin dtolnay/rust-toolchain to reachable v1 release so Dependabot resolves#4077

Merged
rysweet merged 1 commit into
mainfrom
engineer/steward-ci-github-actions-health-across-all-gov-e06d9e64-1784091707-4dfecf
Jul 15, 2026
Merged

fix(ci): pin dtolnay/rust-toolchain to reachable v1 release so Dependabot resolves#4077
rysweet merged 1 commit into
mainfrom
engineer/steward-ci-github-actions-health-across-all-gov-e06d9e64-1784091707-4dfecf

Conversation

@rysweet

@rysweet rysweet commented Jul 15, 2026

Copy link
Copy Markdown
Owner

Summary

Fixes the failing default-branch Dependabot Updates (github_actions) run on rysweet/Simard (run 29375996164, 2026-07-14). Every functional workflow (verify, release) is green on main, but the Actions-health surface was red because the Dependabot updater aborted.

Supersedes the now-stale, conflict-dirty #2917 (same fix, rebased clean onto current main dcf909c5; conflict in coverage.yml resolved to preserve main's reproducible dated nightly nightly-2026-07-01).

Root cause (verified from the failing run log)

ERROR <job_1461030544> Error processing dtolnay/rust-toolchain (HelperSubprocessFailed)
error: no such commit 5b842231ba77f5c045dba54ac5560fed2db780e2
        …PackageDetailsFetcher#find_container_branch

Dependabot's github_actions updater shallow-clones each action and runs a branch-contains resolution against the default branch. The repo SHA-pinned dtolnay/rust-toolchain to the HEAD of dtolnay's per-channel branches (# stable, # nightly). Those commits are diverged from the action's default branch (dtolnay force-pushes the rolling channel branches), so they become unreachable/dangling — GitHub Actions can still check them out by direct SHA, but Dependabot's git branch --contains fails with no such commit, aborting the entire update run.

$ gh api repos/dtolnay/rust-toolchain/compare/nightly...5b842231…  → diverged  (unreachable)
$ gh api repos/dtolnay/rust-toolchain/compare/master...e97e2d8c…   → behind    (ancestor → resolvable ✅)

Fix

Pin the reachable v1 release SHA (e97e2d8c…, an ancestor of the default branch, tagged v1) and select the channel via the with: toolchain: input — same pattern #2864 applied to taiki-e/install-action. Applied to all three pins:

File Channel
.github/workflows/coverage.yml nightly-2026-07-01 (dated, preserved)
.github/workflows/release.yml stable
.github/actions/rust-runner-prep/action.yml (composite) stable

Functionally equivalent — identical toolchains installed; only the pin/selection mechanism changes to one Dependabot can resolve. Verified dtolnay/rust-toolchain@v1's action.yml accepts the toolchain input (passes it to rustup toolchain install, so dated nightlies like nightly-2026-07-01 work).


Merge-ready evidence

1. qa-team scenario (gadugi)

Extended tests/gadugi/dependabot-action-pins-resolvable.{sh,yaml} to also guard dtolnay/rust-toolchain and to scan in-repo composite action.yml files (Dependabot reads those too).

  • Underlying scenario script run locally → PASS: all 3 dtolnay/rust-toolchain pins are SHA+version-tag pinned, all 7 taiki-e/install-action pins…, dead diverged SHAs (754bf4db…, 29eef336…, 5b842231…) absent, embedded Rust guard passes. (gadugi-test binary is not installed on this host and is not part of the repo's CI; the .sh is the scenario's executed command and was run directly.)

2. Docs updated

docs/reference/dependency-trust-policy.md documents the dtolnay/rust-toolchain v1-release pin + channel-input policy and why per-channel branch HEADs must not be pinned.

3. quality-audit (SEEK→VALIDATE→FIX, ≥3 cycles, clean final)

  • Cycle 1 — SEEK: root cause = dangling nightly SHA 5b842231. FIX: repin coverage nightly to v1. VALIDATE: regression test passes.
  • Cycle 2 — SEEK: are the # stable pins (release.yml, rust-runner-prep) also diverged? Yes (29eef336… diverged). FIX: repinned all 3 uses. VALIDATE: grep confirms 0 dead SHAs; all 3 use v1.
  • Cycle 3 — SEEK: does @v1 accept dated nightly + components? Confirmed via upstream action.yml inspection; YAML of all changed files parses. VALIDATE (final, clean): 0 findings — cargo test --test dependabot_action_pins = 2 passed / 0 failed; gadugi scenario PASS; pre-push gate (fmt + race-subset tests + clippy --all-targets --all-features --locked -D warnings) passed.

4. CI green

Pushed; CI runs on this PR. Local pre-push gate (mirrors CI verify subset: cargo fmt --all --check, race-subset cargo test --release, full clippy --all-targets --all-features --locked -- -D warnings) passed. Will confirm 100% green before requesting merge. The actual Dependabot-updates fix is only verifiable on the next scheduled/dynamic run against main post-merge.

6. Focused diff

7 files, only the CI pins + their test/doc guards. No unrelated edits.

Closes #2864 follow-up; supersedes #2917.

Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com

…abot resolves (completes taiki-e fix from #2864)

The default-branch `dependabot/dependabot-updates` (github_actions) run failed
on TWO dependencies with the same root cause, not one:

    | taiki-e/install-action | unknown_error |
    | dtolnay/rust-toolchain | unknown_error |

PR #2864 fixed only `taiki-e/install-action`. `dtolnay/rust-toolchain` was still
pinned to the HEAD of dtolnay's per-channel *branches* (`# stable`, `# nightly`),
whose commits are diverged from the action's default branch
(`git compare master...<sha>` → `status=diverged`). Dependabot shallow-clones the
default branch to look for newer versions, so it cannot resolve a diverged-branch
commit ("no such commit ..."), which aborts the whole update run and keeps the
default branch's Actions health red on the next scheduled Dependabot run.

Fix (same pattern #2864 applied to taiki-e): pin the reachable `v1` release SHA
(`e97e2d8c...`, an ancestor of the default branch → Dependabot-resolvable) and
select the channel via the `with: toolchain:` input. Applied to all three pins:
coverage.yml (nightly), release.yml (stable), and the rust-runner-prep composite
action (stable). Functionally equivalent — same toolchains installed.

Regression guards extended to cover dtolnay/rust-toolchain and to scan in-repo
composite actions (not just workflows):
- tests/dependabot_action_pins.rs: new `dtolnay_rust_toolchain_pins_are_dependabot_resolvable`
- tests/gadugi/dependabot-action-pins-resolvable.{sh,yaml}
Both fail if a diverged per-channel/per-tool pin is reintroduced (verified).

Docs: dependency-trust-policy.md documents the dtolnay v1-release pin policy.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@rysweet

rysweet commented Jul 15, 2026

Copy link
Copy Markdown
Owner Author

Criterion 4 — CI 100% green (final evidence). All 15 checks passing, 0 failures; mergeStateStatus=CLEAN, mergeable=MERGEABLE. Both verify runs green: pre-commit (11m58s / 12m18s), install-real (2m52s / 2m49s), e2e-dashboard, cargo-audit/deny/vet, npm-audit, GitGuardian — all pass. Self-merging per the CI-stewardship standing goal (clean green fix).

@rysweet
rysweet merged commit 9e74f54 into main Jul 15, 2026
15 checks passed
@rysweet
rysweet deleted the engineer/steward-ci-github-actions-health-across-all-gov-e06d9e64-1784091707-4dfecf branch July 15, 2026 05:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant