fix: replace dtolnay/rust-toolchain with rustup in dependency-audit.yml

[don-petry]

Summary

• Removes the unpinned external action dtolnay/rust-toolchain@stable (compliance finding Compliance: unpinned-actions-dependency-audit.yml #47)
• Replaces it with rustup toolchain install stable --profile minimal — a built-in command that requires no external action and no SHA pinning
• Syncs dependency-audit.yml with the latest org standards template (petry-projects/.github/standards/workflows/dependency-audit.yml), which also adds pnpm audit support and updates cargo-audit to 0.22.1

Closes #47

Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 3 minutes and 31 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 3 minutes and 31 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 11bef371-10fe-4f6d-9da2-bee3ef93c8a5

📥 Commits

Reviewing files that changed from the base of the PR and between c29026e and 4102acd.

📒 Files selected for processing (1)

• .github/workflows/dependency-audit.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-47-20260408-0149

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[don-petry]

@don-petry — this PR is ready for your review and merge.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

Updates the GitHub Actions dependency-audit workflow to align with org standards and address compliance finding #47 by removing an unpinned external Rust toolchain action.

Changes:

• Replace dtolnay/rust-toolchain@stable with a rustup toolchain install stable --profile minimal step.
• Add pnpm ecosystem detection + a dedicated pnpm audit job.
• Update pinned action SHAs and bump cargo-audit to 0.22.1.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Inside the Audit Cargo dependencies script (below this run: |), the subshell uses cd "$dir" && cargo generate-lockfile ...; cargo audit—because of the ;, cargo audit will still run even if the cd fails (auditing the wrong directory). Consider chaining cargo audit with && (or otherwise explicitly handling failures) to ensure the audit only runs in the intended directory.