From 13f134386259fa955febe5459a852aa160e79abb Mon Sep 17 00:00:00 2001 From: ZVN DEV <78920650+zvndev@users.noreply.github.com> Date: Tue, 16 Jun 2026 23:57:33 -0400 Subject: [PATCH] fix(ci): pin fuzz toolchain to nightly explicitly MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit fuzz.yml pins `dtolnay/rust-toolchain` to a SHA (supply-chain safety) with a `# nightly` comment. That action derives the channel from its ref, and a SHA ref can't convey "nightly", so the action falls back to stable. cargo-fuzz then fails to build every target with "the option `Z` is only accepted on the nightly compiler" (it needs `-Z sanitizer=address`). The current pinned SHA happens to still resolve nightly, but the pending Dependabot bump (#93) to a newer SHA surfaced the latent break — all four fuzz jobs failed on that PR while ci.yml (legitimately stable) passed. Set `toolchain: nightly` explicitly so the channel no longer depends on which SHA the action is pinned to. This unblocks the Dependabot action bump. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/fuzz.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml index 8921d6b..ed1fadf 100644 --- a/.github/workflows/fuzz.yml +++ b/.github/workflows/fuzz.yml @@ -48,6 +48,14 @@ jobs: - name: Install Rust nightly uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # nightly + with: + # cargo-fuzz needs nightly (`-Z sanitizer`). The channel is derived + # from the action ref, but this step pins the action to a SHA (for + # supply-chain safety), and a SHA can't convey "nightly" — so without + # this explicit input the action installs *stable* and every fuzz + # build fails with "the option `Z` is only accepted on nightly". + # Setting it explicitly keeps fuzz working across dependabot SHA bumps. + toolchain: nightly - name: Cargo cache uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5