From 23d04191b78a0f7adc1a352245dfe428d8c646f2 Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Tue, 7 May 2024 21:45:20 +0000 Subject: [PATCH] Refine Dependabot config to not update rust-toolchain When `dtolnay/rust-toolchain` is a tag, it specifies a particular version of the actual Rust toolchain to use. It is also sometimes used with a branch such as `master` (to then specify the version as an option rather than in the action version) or `stable`, but branches are ineligible for Dependabot version updates and also would not ordinarily require them since they move much more often than tags. Therefore, this tells Dependabot to ignore `dtolnay/rust-toolchain` for the purpose of version updates. As commented, this is done in a way that *should* avoid causing it to be ignored for security updates. Old Rust toolchains may have known vulnerabilities but still be safe to use on CI based on a consideration of the risks (for triggers such as `push` and `pull_request` that run with the same privileges of the user who can cause the triggering event to occur), and I believe the action itself does not get advisories for those versions. But it is possible that at some point in the future a vulnerability might be discovered in the action itself and an advisory produced for it, so having Dependabot be able to show any related alert and, if enabled, produce a security update PR for it automatically is still valuable. Ignoring `dtolnay/rust-toolchain` addresses the problem identified in https://github.com/Byron/gitoxide/pull/1362#pullrequestreview-2044036145 without requiring any decreased use of actions to install dependencies, modification of how the actions' versions or options are given, or `@dependabot` ignore commands.
---
 .github/dependabot.yml | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ce30635aa48..8b884984875 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,6 +4,16 @@ updates:
 directory: "/"
 schedule:
 interval: weekly
+ ignore:
+ # Ignore version updates to dtolnay/rust-toolchain, as @X.Y.Z tags are used for exact toolchain
+ # versions (and @master and @stable are branches). To still get Dependabot *security* updates
+ # if the action itself ever has an advisory, we list all version update types explicitly. See:
+ https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+ dependency-name: dtolnay/rust-toolchain
+ update-types:
+ - "version-update:semver-major"
+ - "version-update:semver-minor"
+ - "version-update:semver-patch"
 groups:
 github-actions:
 patterns: ["*"]
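Review bot: The new comment block documents what is kept (security updates for the action itself) but not what is given up: with all three `version-update:semver-*` types ignored, Dependabot will never propose a newer `dtolnay/rust-toolchain` tag, so vulnerabilities in the pinned Rust toolchain are no longer surfaced through this file and need an owner elsewhere. I would add one line to the comment, e.g. `# NOTE: advisories for the pinned toolchain itself are not covered here; bump the @X.Y.Z tags as part of the regular toolchain/MSRV review.` — the commit message already makes this risk assessment, and it belongs in the file where the next maintainer will read it. Separately, as rendered here the `ignore:` entry shows `dependency-name:` without a leading `- ` and the docs URL line without its `#`; if that were the actual file content rather than a rendering artifact, `ignore` would not be the sequence of mappings Dependabot expects and the bare URL line would not parse as intended, so a `yamllint` / Dependabot config validation run before merge is worthwhile. The hunk header's +10 count matches the ten added lines, so I assume these are display drops rather than file content.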