Copilot commented on code in PR #60:
URL: https://github.com/apache/arrow-erlang/pull/60#discussion_r3487701591


##########
.github/workflows/rust-ci.yml:
##########
@@ -89,12 +89,12 @@ jobs:
     steps:
       - uses: actions/checkout@v3
 
-      - uses: dtolnay/rust-toolchain@master
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 
# v1
         with:
           toolchain: "${{ env.RUST_TOOLCHAIN_VERSION }}"
           components: rustfmt
 
-      - uses: Swatinem/rust-cache@v2
+      - uses: swatinem/rust-cache@v2 # v2.9.1
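
Review bot: the `+      - uses: swatinem/rust-cache@v2 # v2.9.1` line keeps a mutable major tag while the `dtolnay/rust-toolchain` line two steps above is pinned to a 40-character commit SHA, so the `# v2.9.1` annotation records a version that nothing in the workflow enforces. Replace `@v2` with the full commit SHA that the `v2.9.1` release tag points to and keep `# v2.9.1` as the human-readable note, the same shape as the `@29eef336... # v1` line. The unchanged `actions/checkout@v3` context line is also a tag reference; if the intent is a fully pinned workflow, it wants the same treatment.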

Review Comment:
   This step still uses `swatinem/rust-cache@v2` (moving tag). To satisfy the 
approved-actions policy consistently (and to match the pinned version used in 
the lint job), pin it to the specific commit SHA for v2.9.1 instead of the 
major tag.



##########
.github/workflows/rust-ci.yml:
##########
@@ -64,12 +64,12 @@ jobs:
     steps:
       - uses: actions/checkout@v3
 
-      - uses: dtolnay/rust-toolchain@master
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 
# v1
         with:
           toolchain: "${{ env.RUST_TOOLCHAIN_VERSION }}"
           components: rustfmt
 
-      - uses: Swatinem/rust-cache@v2
+      - uses: swatinem/rust-cache@v2 # v2.9.1
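
Review bot: the diff from `Swatinem/rust-cache@v2` to `swatinem/rust-cache@v2` only changes the case of the owner name and appends a comment; the `@v2` reference itself is unchanged, so this `+` line still resolves whatever the upstream `v2` tag currently points to. This hunk and the `@@ -89` hunk carry identical `uses:` lines, so when the SHA pin is applied it must be applied in both jobs, and keeping the `# v2.9.1` comment beside the SHA (as the `# v1` comment sits beside the `rust-toolchain` SHA) preserves readability once the tag is gone from the reference.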

Review Comment:
   This step still references `swatinem/rust-cache@v2` (a moving tag) while 
other jobs in this workflow pin `swatinem/rust-cache` to a specific commit SHA. 
Under the ASF GitHub Actions policy for third-party actions, this likely 
remains unapproved/blocked, and the inline `# v2.9.1` comment is misleading if 
the tag moves. Pin this to the same vetted commit SHA used elsewhere in the 
workflow.
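
The pinning check the review comments above describe, as an added example that is not part of the PR or of the project's own code: a small Python audit that flags `uses:` references given as tags rather than full commit SHAs, and separately flags the `@v2 # v2.9.1` pattern where a version comment promises a pin the tag does not enforce. The sample workflow text is constructed, and the 40-hex value on its second `rust-cache` line is a placeholder, not the real v2.9.1 commit.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample workflow fragment mirroring the reviewed hunk. The
# 40-hex value on the second rust-cache line is a placeholder, not the
# real v2.9.1 commit.
SAMPLE_WORKFLOW = """\
jobs:
  fmt:
    steps:
      - uses: actions/checkout@v3
      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # v1
      - uses: swatinem/rust-cache@v2 # v2.9.1
      - uses: swatinem/rust-cache@0123456789abcdef0123456789abcdef01234567 # v2.9.1
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"^\s*-\s*uses:\s*(?P<ref>\S+)(?:\s+#\s*(?P<note>.*?))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit SHA is immutable

@dataclass
class UsesRef:
    action: str
    ref: str      # text after '@' ('' for repo-local actions)
    note: str     # trailing '# ...' comment, if any
    verdict: str  # 'sha-pinned' | 'moving-ref' | 'moving-ref-with-version-comment' | 'local'

def classify(line: str) -> Optional[UsesRef]:
    """Parse one `- uses:` line; None for lines that are not step references."""
    m = USES_RE.match(line)
    if not m:
        return None
    spec, note = m.group("ref"), (m.group("note") or "").strip()
    if spec.startswith("./"):
        return UsesRef(spec, "", note, "local")  # repo-local action, no @ref to pin
    action, _, ref = spec.rpartition("@")
    if SHA_RE.match(ref):
        verdict = "sha-pinned"
    elif note:
        # e.g. '@v2 # v2.9.1': the comment claims a version the moving tag cannot guarantee
        verdict = "moving-ref-with-version-comment"
    else:
        verdict = "moving-ref"  # tag or branch that upstream can retarget
    return UsesRef(action, ref, note, verdict)

def audit(workflow_text: str) -> List[UsesRef]:
    """Return every third-party step reference that is not pinned to a commit SHA."""
    refs = (classify(line) for line in workflow_text.splitlines())
    return [r for r in refs if r and r.verdict not in ("sha-pinned", "local")]

if __name__ == "__main__":
    for r in audit(SAMPLE_WORKFLOW):
        print(f"{r.verdict:34} {r.action}@{r.ref} {'# ' + r.note if r.note else ''}")
```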



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
