Pin dtolnay/rust-toolchain action refs in CI workflows by h4x3rotab · Pull Request #661 · Dstack-TEE/dstack

h4x3rotab · 2026-05-06T00:35:56Z

Remove a supply-chain vulnerability introduced by using the moving branch dtolnay/rust-toolchain@master in CI workflows so upstream changes cannot execute arbitrary code in the project's CI.
Preserve the existing toolchain and workflow behavior while ensuring reproducible, auditable CI action refs.

Replaced dtolnay/rust-toolchain@master with the fixed ref dtolnay/rust-toolchain@1.86 in .github/workflows/rust.yml.
Replaced dtolnay/rust-toolchain@master with the fixed ref dtolnay/rust-toolchain@1.86 in .github/workflows/sdk.yaml.
Kept existing toolchain: 1.92.0, components, and additional targets intact so workflow behavior is unchanged.

Verified the workflow contents with sed -n '1,200p' .github/workflows/rust.yml and sed -n '1,220p' .github/workflows/sdk.yaml, which showed the updated action refs and unchanged toolchain settings; these commands succeeded.
Searched for remaining moving refs with rg -n "dtolnay/rust-toolchain@" .github/workflows, which returned only the pinned @1.86 entries; this check succeeded.
Inspected the diff with git diff -- .github/workflows/rust.yml .github/workflows/sdk.yaml to confirm only the action ref lines were changed; this check succeeded.

Pin rust-toolchain action refs in CI workflows

214096b

h4x3rotab added codex aardvark labels May 6, 2026 — with ChatGPT Codex Connector

h4x3rotab enabled auto-merge May 6, 2026 00:36

h4x3rotab merged commit e2b67cf into master May 6, 2026
15 checks passed

Provide feedback