chore: pin GitHub Actions to full-length commit SHAs #7831
Conversation
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| with: | ||
| repo-token: ${{ secrets.GITHUB_TOKEN }} | ||
| - uses: dtolnay/rust-toolchain@stable | ||
| - uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable |
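Review bot: the replacement pin 631a55b12751854ce901bb631d5902ceb48146f7 was resolved from the `stable` branch (the `# stable` trailer records that), and for dtolnay/rust-toolchain that branch is force-pushed, so the pinned commit will stop being reachable and the step will fail once it is garbage-collected. Pin to a commit on the action's `master` branch instead and select the channel through the inputs, i.e. add `toolchain: stable` under `with:` for this step, so the SHA is one that stays in the default branch's history.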
Pinned SHA from force-pushed branch will be garbage-collected
High Severity
The dtolnay/rust-toolchain action uses force-pushed branches (stable, nightly, etc.) that are periodically rebased. The repository explicitly documents that any commit not in the master branch history will eventually be garbage-collected. The devenv pin_gha tool resolved @stable to the current HEAD of the stable branch, but that SHA will become unreachable after the next force-push, breaking CI. The correct approach per the maintainer is to pin to a SHA from the master branch and add toolchain: stable to the with: block.


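The check a reviewer would want after a finding like the one above is whether each pinned SHA is actually in the history of the action repository's default branch. The script below is an added example, not code from this PR or from devenv's pin_gha. It parses `uses:` lines from workflow text, tells mutable refs from full 40-hex SHAs, and asks git whether a SHA is an ancestor of a branch. It assumes `git` is on PATH; the repository it builds is a constructed local stand-in that simulates a `stable` branch being rebuilt from `master`, not dtolnay/rust-toolchain, and `example/action` is a hypothetical action name.

```python
"""Added example (not from the PR or pin_gha): is a pinned action SHA reachable
from the action repo's default branch, so it survives a force-push of `stable`?
Assumes `git` is on PATH. build_demo_repo() is a constructed stand-in repo."""
import os
import re
import subprocess
import tempfile

# Matches `uses: owner/repo[/path]@ref` with an optional trailing `# comment`.
USES_RE = re.compile(
    r"uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[^@\s]+)?)@(?P<ref>\S+)"
    r"(?:[ \t]*#[ \t]*(?P<comment>.*))?"
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample: the two `uses:` lines from the hunk under review.
WORKFLOW_SAMPLE = """
      - uses: dtolnay/rust-toolchain@stable
      - uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
"""

# Fixed identity and no user config, so commits in the demo repo work anywhere.
_GIT_ENV = dict(os.environ, GIT_AUTHOR_NAME="demo", GIT_AUTHOR_EMAIL="demo@example.invalid",
                GIT_COMMITTER_NAME="demo", GIT_COMMITTER_EMAIL="demo@example.invalid",
                GIT_CONFIG_NOSYSTEM="1", GIT_CONFIG_GLOBAL=os.devnull)


def parse_uses(text):
    """One dict per `uses:` line: action, ref, and the trailing comment (or '')."""
    return [{"action": m.group("action"), "ref": m.group("ref"),
             "comment": (m.group("comment") or "").strip()}
            for m in USES_RE.finditer(text)]


def is_full_sha(ref):
    """Only a full 40-hex commit id is an immutable pin; tags and branches move."""
    return FULL_SHA_RE.fullmatch(ref) is not None


def _git(repo, *args, check=True):
    return subprocess.run(["git", "-C", repo, *args], env=_GIT_ENV, check=check,
                          capture_output=True, text=True)


def is_ancestor(repo, sha, branch):
    """True iff `sha` is in the history of `branch` (git merge-base --is-ancestor)."""
    return _git(repo, "merge-base", "--is-ancestor", sha, branch, check=False).returncode == 0


def branches_containing(repo, sha):
    """Branches whose history includes `sha`; empty means the commit is orphaned."""
    out = _git(repo, "branch", "--format=%(refname:short)", "--contains", sha).stdout
    return sorted(out.split())


def _commit(repo, name):
    with open(os.path.join(repo, name), "w") as f:
        f.write(name + "\n")
    _git(repo, "add", name)
    _git(repo, "commit", "-q", "-m", name)
    return _git(repo, "rev-parse", "HEAD").stdout.strip()


def build_demo_repo():
    """Constructed repo whose `stable` branch gets rebuilt from master.
    Returns (path, master_sha, stale_stable_sha)."""
    repo = tempfile.mkdtemp(prefix="pin-gha-demo-")
    _git(repo, "init", "-q")
    _git(repo, "symbolic-ref", "HEAD", "refs/heads/master")
    _commit(repo, "action.yml")                     # master: A
    _git(repo, "checkout", "-q", "-b", "stable")
    stale = _commit(repo, "toolchain")              # stable: A-B, what @stable resolves to now
    _git(repo, "checkout", "-q", "master")
    master = _commit(repo, "README.md")             # master: A-C
    _git(repo, "branch", "-f", "stable", "master")  # the "force-push": stable rebuilt on C
    _git(repo, "checkout", "-q", "stable")
    _commit(repo, "toolchain")                      # stable: A-C-D; B is now orphaned
    _git(repo, "checkout", "-q", "master")
    return repo, master, stale


def audit_pin(entry, repo, default_branch="master"):
    """Classify one parsed `uses:` entry against a local clone of the action."""
    if not is_full_sha(entry["ref"]):
        return "unpinned"      # tag or branch: can be retargeted by the action owner
    if not is_ancestor(repo, entry["ref"], default_branch):
        return "unreachable"   # full SHA, but not on the default branch: gc candidate
    return "ok"


def demo():
    """Audit a constructed workflow (hypothetical `example/action`) against the demo repo."""
    repo, master, stale = build_demo_repo()
    text = (f"- uses: example/action@stable\n"
            f"- uses: example/action@{stale} # stable\n"
            f"- uses: example/action@{master} # master\n")
    return [audit_pin(e, repo) for e in parse_uses(text)]


if __name__ == "__main__":
    for e in parse_uses(WORKFLOW_SAMPLE):
        print(e["ref"], "full SHA" if is_full_sha(e["ref"]) else "mutable ref")
    print(demo())  # ['unpinned', 'unreachable', 'ok']
```

Against a real action you would run `is_ancestor` on a fresh clone of the action repository with its actual default branch name; a pin that is a full SHA but reports `unreachable` is exactly the case the comment above describes, and `branches_containing` shows which refs, if any, still keep it alive.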
Summary
.github/workflow files to full-length commit SHAs
Generated by devenv pin_gha.
🤖 Generated with Claude Code