Refine Dependabot config to not update rust-toolchain
When `dtolnay/rust-toolchain` is a tag, it specifies a particular
version of the actual Rust toolchain to use. It is also sometimes
used with a branch such as `master` (to then specify the version as
an option rather than in the action version) or `stable`, but
branches are ineligible for Dependabot version updates and also
would not ordinarily require them since they move much more often
than tags.
Therefore, this tells Dependabot to ignore `dtolnay/rust-toolchain`
for the purpose of version updates. As commented, this is done in a
way that *should* avoid causing it to be ignored for security
updates.
Old Rust toolchains may have known vulnerabilities but still be
safe to use on CI based on a consideration of the risks (for
triggers such as `push` and `pull_request` that run with the same
privileges as the user who can cause the triggering event to
occur), and I believe the action itself does not get advisories for
those versions. But it is possible that at some point in the future
a vulnerability might be discovered in the action itself and an
advisory produced for it, so having Dependabot be able to show any
related alert and, if enabled, produce a security update PR for it
automatically is still valuable.
Ignoring `dtolnay/rust-toolchain` addresses the problem identified
in GitoxideLabs#1362 (review)
without requiring any decreased use of actions to install
dependencies, modification of how the actions' versions or options
are given, or `@dependabot` ignore commands.
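The shape of an `ignore` entry that does what the commit message describes, as an added illustration rather than the commit's own diff (the `directory`, `schedule`, and comment wording are assumptions; the claim that `update-types` restricts only version updates comes from the Dependabot `ignore` documentation, and the message's own "should" hedge still applies):

```yaml
# .github/dependabot.yml (illustrative fragment, not the commit's diff)
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # Tag refs of dtolnay/rust-toolchain pin a toolchain version on purpose,
      # and branch refs such as `master` or `stable` are not eligible for
      # version updates anyway. Listing all three semver update types limits
      # the ignore to version updates: per the Dependabot docs, `update-types`
      # does not affect security updates, so an advisory against the action
      # itself would still produce an alert and, if enabled, a security PR.
      - dependency-name: "dtolnay/rust-toolchain"
        update-types:
          - "version-update:semver-major"
          - "version-update:semver-minor"
          - "version-update:semver-patch"
      # Contrast (not what you want here): an entry with only
      # `dependency-name` and no `update-types` ignores the dependency for
      # security updates as well, which is the outcome the commit avoids.
```

The contrast comment is the check worth keeping in mind: the difference between the two forms is not visible in a Dependabot run until an advisory exists, so review the entry for the presence of `update-types` rather than waiting to notice a missing security PR.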