
Add dependabot-compatible tag for each release

Open. jonhoo opened this issue 8 months ago • 1 comment

Currently, there's a branch per release to make it easy to select the Rust version you want. However, to improve the security posture of some projects (and reproducibility of CI), I'd like to instead pin them to a specific commit, and then have dependabot automatically bump that commit (and the tag comment) when a new version is available. Dependabot understands tags like v1.2.3, but does not know what to do when there are no tags and just branches.

In other words, I want to write

```yaml
uses: dtolnay/rust-toolchain@223bb27ae52e8d884432aaedb658fa4d9fc173b1 # tag=v1.72.1
  with:
    toolchain: stable
```

This works today, it just doesn't get auto-updated by dependabot since there are no tags.

The sad part is that this loses out on the ability to make changes to 1.72.1 after the fact, such as if the means of installation change (i.e., the action changes), since there would be no way to indicate that such a change had been made through the tags alone. I don't have a great answer to that. One way to go about it is to have the tag instead be the version of the action (as just a simple sequence number), bump that on every new Rust release (or action change), and then have the version of Rust be chosen with toolchain:, but I don't know if that's compatible with the action's current implementation?

jonhoo, Jul 05 '25 14:07
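The pinning style the issue asks for (full commit SHA plus a `# tag=vX.Y.Z` comment that Dependabot can bump) is easy to drift away from in a large workflow tree, so a repository adopting it usually also wants a CI gate that flags any `uses:` line that is not pinned that way. The script below is an added example, not code from the rust-toolchain project or from the issue author. It is a line-oriented audit (it does not use Dependabot's parser or a YAML library), and the sample workflow is constructed: only the `dtolnay/rust-toolchain@223bb…` line is the one quoted in the issue; the other steps are made up. It treats branches, tags and abbreviated SHAs alike as unpinned, since all of them can be re-pointed after the fact, and accepts both `# v1.2.3` and `# tag=v1.2.3` as the version comment. Enabling the bumps themselves still requires a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"`, which this script does not generate.

```python
"""Audit `uses:` lines in a GitHub Actions workflow for commit-SHA pinning.

Added example, not code from the rust-toolchain repository or from the
issue author. Dependabot's own parser is not involved; this is a
line-oriented check a repository can run in CI to enforce the pinning
style the issue describes.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample workflow. The pinned rust-toolchain line is the one
# quoted in the issue; the other steps are made up for this example.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@223bb27ae52e8d884432aaedb658fa4d9fc173b1 # tag=v1.72.1
        with:
          toolchain: stable
      - uses: dtolnay/rust-toolchain@stable
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
"""

# `uses: owner/repo@ref` with an optional trailing `# comment`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*?))?\s*$")
# Only a full-length (40 hex) SHA counts as a pin; abbreviated SHAs are
# treated as unpinned, matching GitHub's guidance to use the full SHA.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Dependabot bumps a version comment of the form `# v1.2.3`; the issue
# uses `# tag=v1.72.1`, so accept both spellings.
TAG_COMMENT_RE = re.compile(r"^(?:tag=)?(v?\d+(?:\.\d+)*)$")


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    status: str  # pinned | pinned-no-tag-comment | unpinned | skipped
    tag: Optional[str] = None


def audit_uses(workflow_text: str) -> List[Finding]:
    """Classify every `uses:` line in the given workflow text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        full = m.group("ref")
        comment = (m.group("comment") or "").strip()
        # Local actions and docker images are not pinned by commit SHA,
        # so they are reported but not judged here.
        if full.startswith("./") or full.startswith("docker://") or "@" not in full:
            findings.append(Finding(lineno, full, "", "skipped"))
            continue
        action, ref = full.rsplit("@", 1)
        if not FULL_SHA_RE.match(ref):
            # Branch, tag or short SHA: can move or be re-pointed later.
            findings.append(Finding(lineno, action, ref, "unpinned"))
            continue
        tag_m = TAG_COMMENT_RE.match(comment)
        if tag_m:
            findings.append(Finding(lineno, action, ref, "pinned", tag_m.group(1)))
        else:
            # Pinned, but Dependabot has no version hint to bump with the SHA.
            findings.append(Finding(lineno, action, ref, "pinned-no-tag-comment"))
    return findings


def needs_attention(findings: List[Finding]) -> List[Finding]:
    """Findings a CI gate should fail on."""
    return [f for f in findings if f.status in ("unpinned", "pinned-no-tag-comment")]


if __name__ == "__main__":
    results = audit_uses(SAMPLE_WORKFLOW)
    for f in results:
        tag = f" (tag {f.tag})" if f.tag else ""
        print(f"line {f.line}: {f.action}@{f.ref} -> {f.status}{tag}")
    raise SystemExit(1 if needs_attention(results) else 0)
```

Run against a real tree with `audit_uses(open(path).read())` for each file under `.github/workflows/`; the non-zero exit on any `unpinned` or `pinned-no-tag-comment` finding is what makes it usable as a gate. The `pinned-no-tag-comment` state is worth failing on separately, because a bare SHA is safe but leaves Dependabot with nothing to update, which is exactly the situation the issue is trying to avoid.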