However, if the commit that a GitHub action refers to is gone due to a force push, it trips over it. E.g. when Dependabot checks for updates for this file, it errors:
...
updater | 2024/04/17 01:39:15 ERROR <job_815812220> Error processing dtolnay/rust-toolchain (Dependabot::SharedHelpers::HelperSubprocessFailed)
updater | 2024/04/17 01:39:15 ERROR <job_815812220> error: no such commit d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3
...
updater | 2024/04/17 01:39:15 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +----------------------------------------+
updater | | Dependencies failed to update |
updater | +------------------------+---------------+
updater | | dtolnay/rust-toolchain | unknown_error |
updater | +------------------------+---------------+
updater | time="2024-04-17T01:39:15Z" level=info msg="task complete" container_id=job-815812220-updater exit_code=0 job_id=815812220 step=updater
One could argue that Dependabot shouldn't trip and just pick a new commit, but I think force-pushing to the branch leaves the pinned commit dangling and subject to garbage collection, which would break CI pipelines. So I think my ask is to NOT force push branches at all. This also makes reasoning about changes a bit easier when you look at the Git history.
PS: Other than that the rust-toolchain action works super well. Thank you very much! ❤️
It's good practice to pin GitHub actions via commits instead of tags or branch names.
Dependabot supports this as well.
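A check for the situation this issue describes, as an added example that is not part of the original post or of either project: it flags `uses:` references that are not pinned to a full commit SHA, and SHA pins that no branch or tag can reach any more. The function names, the branch name `main`, the workflow text and the commit graph are constructed for illustration; only the SHA is taken from the log above.

```python
import re

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def parse_pins(workflow_text):
    """Yield (action, ref) for every remote `uses: owner/repo@ref` line."""
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        target = m.group(1) if m else ""
        # Local actions and container images carry no git ref to audit.
        if "@" in target and not target.startswith(("./", "docker://")):
            yield tuple(target.rsplit("@", 1))

def reachable(parents, heads):
    """Set of commits reachable from the given branch/tag heads."""
    seen, stack = set(), list(heads)
    while stack:
        commit = stack.pop()
        if commit not in seen:
            seen.add(commit)
            stack.extend(parents.get(commit, ()))
    return seen

def audit(workflow_text, repos):
    """repos maps action -> (parents, refs); returns (action, ref, problem) findings."""
    findings = []
    for action, ref in parse_pins(workflow_text):
        if not FULL_SHA_RE.match(ref):
            findings.append((action, ref, "mutable ref, not a full commit SHA"))
        elif action in repos:
            parents, refs = repos[action]
            if ref not in reachable(parents, refs.values()):
                findings.append((action, ref, "pinned commit unreachable from any ref"))
    return findings

# Constructed sample: the SHA is the one in the log above; the graph is made up.
PINNED = "d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3"
OLD, NEW = "a" * 40, "b" * 40
SAMPLE_WORKFLOW = f"""\
steps:
  - uses: actions/checkout@v4
  - uses: dtolnay/rust-toolchain@{PINNED}
  - uses: ./.github/actions/local
"""
# Before the force push the branch pointed at PINNED; afterwards it points at NEW.
PARENTS = {PINNED: [OLD], NEW: [OLD]}
BEFORE = {"dtolnay/rust-toolchain": (PARENTS, {"main": PINNED})}
AFTER = {"dtolnay/rust-toolchain": (PARENTS, {"main": NEW})}
```

Against a real clone of the action's repository, `git branch -r --contains <sha>` and `git tag --contains <sha>` answer the same reachability question.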