CI: install MSRV toolchain via input instead of pinning the action tag#33
Merged
Conversation
dtolnay/rust-toolchain treats its git ref as the Rust version to install, so the msrv job's `@1.88.0` pin was both the action version and the toolchain version. Dependabot only sees it as an action version and kept opening PRs to bump it to the latest tag (e.g. 1.100.0), which fails because that Rust release does not exist yet, and would defeat the job's purpose even if it did. Pin the action to the `@stable` branch and pass the MSRV as the `toolchain` input. Dependabot's github-actions updater only rewrites the `uses:` ref, never `with:` inputs, so it leaves this alone, while the job still verifies the `rust-version = "1.88"` declared in Cargo.toml. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
dtolnay/rust-toolchainuses its git ref as the Rust version to install, so themsrvjob's@1.88.0pin doubled as both the action version and the toolchain version. Dependabot only sees it as an action version and kept opening PRs to bump it to the latest tag (#32 bumped it to1.100.0), which:rustup404s on download.rust-version = "1.88"). Floating it to the newest toolchain silently defeats that check.Fix
Pin the action to the
@stablebranch and pass the MSRV as thetoolchaininput:Dependabot's github-actions updater only rewrites the
uses:ref, neverwith:inputs, so it leaves this alone — no ignore rule needed. The job still verifies therust-version = "1.88"declared inCargo.toml.Supersedes and closes #32.
🤖 Generated with Claude Code