
Support hash-based pinning of action version #126

Closed
AliSajid opened this issue Nov 10, 2024 · 5 comments

Comments

@AliSajid

Hi. I am trying to establish some security best practices in my work and personal projects. One of the requirements for those is that GitHub actions should be pinned by their hash, instead of tag. This is both recommended by GitHub and part of the OSSF Scorecard.

I have implemented it for everything except this action, which also happens to be the best way to install Rust in the GitHub hosted runners. Would it be possible for you to integrate some kind of versioning-like strategy that allows for pinning the dependency? Particularly for the stable, beta and nightly versions of Rust?

@yonas

yonas commented Nov 26, 2024

Ran into this issue as well.

Run dtolnay/rust-toolchain@315e265cd78dad1e1dcf3a5074f6d6c47029d5aa
  with:
    components: rustfmt
  env:
    CARGO_TERM_COLOR: always
    SCCACHE_GHA_ENABLED: true
    RUSTC_WRAPPER: sccache
    SCCACHE_PATH: /opt/hostedtoolcache/sccache/0.8.2/x64/sccache
    ACTIONS_CACHE_URL: https://acghubeus1.actions.githubusercontent.com/ng2RRMXR35TLbKmCF8lGzz9SBV6tayAtiHpiRPP5cnFaWYDrju/
    ACTIONS_RUNTIME_TOKEN: ***
Run : parse toolchain version
Run : construct rustup command line
Run : set $CARGO_HOME
Run : install rustup if needed
Run rustup toolchain install  --component rustfmt --profile minimal --no-self-update
error: error: the following required arguments were not provided:
  <toolchain>...

Usage: rustup toolchain install --component <components>... --profile <profile> --no-self-update <toolchain>...

For more information, try '--help'.

Error: Process completed with exit code 1.

@dtolnay
Owner

dtolnay commented Dec 14, 2024

As far as I can tell, this is already supported. You can pick whatever commit hash from the history of the master branch you want, and pass whatever with: toolchain: you want including stable or beta or nightly.

@AliSajid would you mind clarifying more what the request is?
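An added checker, written for this thread rather than taken from the action's own code, that audits workflow `uses:` lines the way the request above asks for: it flags refs that are not a full commit SHA, and flags a SHA-pinned `dtolnay/rust-toolchain` step that omits `with: toolchain:` (the missing argument behind the `rustup toolchain install` error in the run above). The workflow text is a constructed sample; the SHA is the one quoted in that run.

```python
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/\S*?)?)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")           # full-length commit SHA
KEY_RE = re.compile(r"^\s*([\w-]+):")

def parse_steps(text):
    """Return (action, ref, with_keys) per `uses:` step; line-oriented parse of the common step layout, not full YAML."""
    steps, cur, with_indent = [], None, None
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip())
        m = USES_RE.match(line)
        if m:
            cur = [m.group(1), m.group(2), set()]
            steps.append(cur); with_indent = None
            continue
        if cur is None: continue
        if line.lstrip().startswith("- "):                     # next step begins
            cur, with_indent = None, None
        elif line.strip() == "with:":
            with_indent = indent
        elif with_indent is not None and indent > with_indent:  # key inside with:
            k = KEY_RE.match(line)
            if k: cur[2].add(k.group(1))
        elif with_indent is not None: with_indent = None        # dedent ends with:
    return [tuple(s) for s in steps]

def audit(text):
    """List findings: mutable refs, and SHA-pinned rust-toolchain steps with no toolchain input."""
    out = []
    for action, ref, keys in parse_steps(text):
        if not SHA_RE.match(ref):
            out.append((action, ref, "mutable ref; pin to a 40-hex commit SHA"))
        elif action == "dtolnay/rust-toolchain" and "toolchain" not in keys:
            out.append((action, ref, "SHA pin of master has no default toolchain; add with: toolchain:"))
    return out

# Constructed sample workflow (not from the thread); the SHA is the one from the failed run.
SAMPLE = """\
steps:
  - uses: actions/checkout@v4
  - uses: dtolnay/rust-toolchain@315e265cd78dad1e1dcf3a5074f6d6c47029d5aa
    with:
      components: rustfmt
  - uses: dtolnay/rust-toolchain@315e265cd78dad1e1dcf3a5074f6d6c47029d5aa
    with:
      toolchain: stable
      components: rustfmt
"""
```

Running `audit(SAMPLE)` reports the `v4` tag and the first rust-toolchain step; the second step, pinned by SHA with an explicit `toolchain:`, passes.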

@AliSajid
Author

@dtolnay Thank you. That's what I am doing right now. The problem then becomes whether the commit I've picked is stable or not. Although that is unlikely, given you, it is still possible that a particular commit might have a regression or a bug. Is it possible to have a way to mark the commits as stable or not with a different series of tags in addition to the moving tag scheme you have here?

@dtolnay
Owner

dtolnay commented Dec 18, 2024

I don't make a distinction between commits that go to master which are ready to use vs not ready to use. The readme recommends using dtolnay/rust-toolchain@master and all the rest of the tags (@1.83.0 etc) are always rebased on master too. If you want to make your own determination about what commit is ready to use, you could review recent commits yourself before upgrading your pin, or you could trail master by some number of months.

@dtolnay dtolnay closed this as completed Dec 18, 2024
@AliSajid
Author

Thank you. That makes sense.
