From 9be6c0b583c22f3611922eb0ffeaf7ef557399c1 Mon Sep 17 00:00:00 2001
From: MK <fengmk2@gmail.com>
Date: Thu, 19 Mar 2026 21:46:58 +0800
Subject: [PATCH] fix(ci): clone rolldown repo in cargo deny workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The rolldown directory is not a git submodule — it's an external repo
cloned by the CI clone action. The deny workflow had `submodules: true`
which was a no-op. Replace it with an explicit rolldown checkout at the
pinned hash from .upstream-versions.json.
---
 .github/workflows/deny.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml
index 9a63537020..b82b305f42 100644
--- a/.github/workflows/deny.yml
+++ b/.github/workflows/deny.yml
@@ -30,7 +30,16 @@ jobs:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
-          submodules: true
+
+      - name: Output rolldown hash
+        id: upstream-versions
+        run: node -e "console.log('ROLLDOWN_HASH=' + require('./packages/tools/.upstream-versions.json').rolldown.hash)" >> $GITHUB_OUTPUT
+
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          repository: rolldown/rolldown
+          path: rolldown
+          ref: ${{ steps.upstream-versions.outputs.ROLLDOWN_HASH }}
 
       - uses: oxc-project/setup-rust@d286d43bc1f606abbd98096666ff8be68c8d5f57 # v1.0.0
         with: