Commit
Refine Dependabot config to not update rust-toolchain
When `dtolnay/rust-toolchain` is a tag, it specifies a particular version of the actual Rust toolchain to use. It is also sometimes used with a branch such as `master` (to then specify the version as an option rather than in the action version) or `stable`, but branches are ineligible for Dependabot version updates and also would not ordinarily require them since they move much more often than tags. Therefore, this tells Dependabot to ignore `dtolnay/rust-toolchain` for the purpose of version updates. As commented, this is done in a way that *should* avoid causing it to be ignored for security updates. Old Rust toolchains may have known vulnerabilities but still be safe to use on CI based on a consideration of the risks (for triggers such as `push` and `pull_request` that run with the same privileges as the user who can cause the triggering event to occur), and I believe the action itself does not get advisories for those versions. But it is possible that at some point in the future a vulnerability might be discovered in the action itself and an advisory produced for it, so having Dependabot be able to show any related alert and, if enabled, produce a security update PR for it automatically is still valuable. Ignoring `dtolnay/rust-toolchain` addresses the problem identified in GitoxideLabs#1362 (review) without requiring any decreased use of actions to install dependencies, modification of how the actions' versions or options are given, or `@dependabot` ignore commands.
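The commit message describes the intent but the page does not show the resulting `dependabot.yml`. The fragment below is an added illustration of the usual way to express "skip version updates, keep security updates" for one GitHub Actions dependency; it is not the project's committed file, and the comment wording, the `weekly` schedule and the rest of the `updates` entry are assumptions. The technique it relies on is that an `ignore` condition carrying `update-types` is applied by Dependabot to version updates, whereas a bare `dependency-name` entry with no `update-types` suppresses the dependency for security updates as well.

```yaml
# .github/dependabot.yml (illustrative reconstruction, not the project's own file)
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"   # assumed; any schedule works for this example
    ignore:
      # `dtolnay/rust-toolchain@<tag>` pins a Rust toolchain version, so bumping
      # the tag changes which compiler CI runs and should be a deliberate choice.
      # A `@master` or `@stable` reference is a branch, which Dependabot would not
      # bump anyway. Listing every semver update type, instead of omitting
      # `update-types` entirely, limits the ignore to version updates; an
      # advisory against the action itself can still surface as an alert and,
      # if enabled, as an automatic security update PR.
      - dependency-name: "dtolnay/rust-toolchain"
        update-types:
          - "version-update:semver-major"
          - "version-update:semver-minor"
          - "version-update:semver-patch"
```

The contrast worth keeping in mind when reviewing such a file: an entry consisting only of `- dependency-name: "dtolnay/rust-toolchain"` ignores the action for every kind of update, which is exactly the outcome the commit message says it wants to avoid. After changing the file, the "Dependabot" tab under the repository's Insights page shows whether the configuration parsed and which dependencies the next version-update run will consider.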