
[zizmor] ignore `superfluous-actions` by ShaharNaveh · Pull Request #7548 · RustPython/RustPython

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "All dtolnay/rust-toolchain references in workflows:"
rg -nP 'uses:\s*dtolnay/rust-toolchain@' .github/workflows

echo
echo "Non-SHA refs (should be empty after pinning):"
rg -nP 'uses:\s*dtolnay/rust-toolchain@(?![0-9a-f]{40}\b)\S+' .github/workflows

echo
echo "Current upstream heads for convenience (pick reviewed SHAs, don't auto-trust):"
git ls-remote https://github.com/dtolnay/rust-toolchain refs/heads/master refs/heads/stable || true

Repository: RustPython/RustPython

Length of output: 2329


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Verifying exact line ranges in ci.yaml ==="
echo "Line 53:"
sed -n '51,55p' .github/workflows/ci.yaml

echo
echo "Lines 172–174:"
sed -n '170,176p' .github/workflows/ci.yaml

echo
echo "Line 255:"
sed -n '253,257p' .github/workflows/ci.yaml

echo
echo "Line 368:"
sed -n '366,370p' .github/workflows/ci.yaml

echo
echo "Lines 426–429:"
sed -n '424,431p' .github/workflows/ci.yaml

echo
echo "Lines 452–454:"
sed -n '450,456p' .github/workflows/ci.yaml

echo
echo "Lines 529–531:"
sed -n '527,533p' .github/workflows/ci.yaml

Repository: RustPython/RustPython

Length of output: 1512


Pin dtolnay/rust-toolchain action references to commit SHAs instead of mutable tags.

Lines 53, 172–174, 255, 368, 426–429, 452–454, and 529–531 use mutable refs (@stable and @master). These can change without notice, compromising CI reproducibility and introducing supply chain risk. Line 426 with @master is especially problematic. Pin all references to full 40-character commit SHAs with a comment preserving the original tag/intent.

Suggested pattern
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8  # stable
         with:
           components: clippy
-      - uses: dtolnay/rust-toolchain@master
+      - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9  # master
         with:
           toolchain: ${{ env.NIGHTLY_CHANNEL }}
           components: miri
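Review bot: the two 40-character SHAs in the `+` lines of this suggested pattern must be confirmed against the dtolnay/rust-toolchain repository before anyone commits them; the first script's own output line says "pick reviewed SHAs, don't auto-trust", and a SHA pasted from a suggestion has not been reviewed. Also note that in the second `+` line the pin only fixes the action's code: the `toolchain: ${{ env.NIGHTLY_CHANNEL }}` line that follows still selects a moving nightly channel, so reproducibility of that job depends on how `NIGHTLY_CHANNEL` is set, not on the SHA.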
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

- uses: dtolnay/rust-toolchain@stable
- uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yaml at line 53, replace all uses of the reusable
action reference dtolnay/rust-toolchain that use mutable tags (e.g., `@stable` and
`@master`) with their corresponding full 40-character commit SHAs to avoid mutable
refs; update each occurrence (the instances currently written as
dtolnay/rust-toolchain@stable and dtolnay/rust-toolchain@master) to the exact
commit SHA and add a short comment on the same line preserving the original
tag/intent (for example: # originally `@stable`) so CI remains reproducible and
reviewers know the intended channel.
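The review above checks one action with `rg`; the same pinning rule applies to every `uses:` reference in a workflow. The following is an added example, not code from the RustPython project or from the review bot, that generalises that check: it scans workflow text and reports any reference that is not a full 40-hex commit SHA, skipping local `./` actions (versioned with the repository itself) and treating `docker://` images as pinned only when they carry a `@sha256:` digest. The sample workflow and its SHAs are constructed placeholders, not values from the PR.

```python
"""Report GitHub Actions `uses:` references that are not pinned to a full
commit SHA. Added example (not the project's or the review bot's code);
generalises the rg check in the review to every action a workflow references."""
import re
from dataclasses import dataclass

# Simplified `uses:` grammar: owner/repo[/path]@ref, ./local-path, docker://image
# The value may be quoted and may be followed by a trailing `# comment`.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?(?P<value>[^"\'#\s]+)["\']?')
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_LIKE_RE = re.compile(r"^v?\d")  # v4, v1.2.3, 2.0 ... look like release tags


@dataclass
class Finding:
    line: int      # 1-based line number in the workflow text
    action: str    # the part before '@' (or the whole value if there is no '@')
    ref: str       # the mutable ref that was used ('' if none)
    reason: str


def find_unpinned(workflow_text: str) -> list[Finding]:
    """Return one Finding per `uses:` line whose ref is not an immutable SHA/digest."""
    findings: list[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        value = m.group("value")
        if value.startswith("./"):
            continue  # local action: its code is already pinned by the repo commit
        if value.startswith("docker://"):
            if "@sha256:" not in value:
                findings.append(Finding(lineno, value, "", "docker image without digest"))
            continue
        if "@" not in value:
            findings.append(Finding(lineno, value, "", "no ref (resolves to default branch)"))
            continue
        action, ref = value.rsplit("@", 1)
        if SHA_RE.match(ref):
            continue  # full commit SHA: immutable
        reason = "mutable tag" if TAG_LIKE_RE.match(ref) else "mutable branch/channel ref"
        findings.append(Finding(lineno, action, ref, reason))
    return findings


# Constructed sample workflow; the SHAs below are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy
      - uses: dtolnay/rust-toolchain@master
        with:
          toolchain: nightly
      - uses: ./.github/actions/local-setup
      - uses: "actions/cache@v4"
      - uses: docker://alpine:3.20
      - uses: owner/repo/sub/path@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
"""


def report(workflow_text: str) -> list[str]:
    """Human-readable lines, one per finding, in file order."""
    return [
        f"line {f.line}: {f.action}@{f.ref} ({f.reason})" if f.ref
        else f"line {f.line}: {f.action} ({f.reason})"
        for f in find_unpinned(workflow_text)
    ]


if __name__ == "__main__":
    for entry in report(SAMPLE_WORKFLOW):
        print(entry)
```

Run against a real checkout by reading each file under `.github/workflows/` and passing its text to `find_unpinned`; an empty list for every file is the state the review asks for. Reusable-workflow references (`jobs.<id>.uses: owner/repo/.github/workflows/x.yml@ref`) are matched by the same regex and held to the same rule.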