chore(ci): Update actions/checkout from v5 to v6 #16867

Merged
weihanglo merged 1 commit into rust-lang:master from Turbo87:update-checkout-v6 Apr 9, 2026

Turbo87 (Member) commented Apr 9, 2026

What does this PR try to resolve?

Using actions/checkout prior to v6 has potential to unintentionally leak git credentials, unless persist-credentials: false is explicitly used (see https://docs.zizmor.sh/audits/#artipacked and https://github.com/orgs/community/discussions/179107#discussioncomment-14906259)

This PR updates the checkout actions to v6, which significantly reduces the risk and makes the zizmor scanner happy(er).

How to test and review this PR?

Run CI, I guess 😅

and maybe take a look at https://github.com/actions/checkout/blob/main/CHANGELOG.md#v600 to confirm that there are no other changes included in this major version release that could break CI here.

v6 stores credentials in `$RUNNER_TEMP` instead of `.git/config`,
reducing risk of accidental credential leakage through artifacts.

See https://docs.zizmor.sh/audits/#artipacked

rustbot added the A-infrastructure (Area: infrastructure around the cargo repo, ci, releases, etc.) and S-waiting-on-review (Status: Awaiting review from the assignee but also interested parties.) labels Apr 9, 2026

rustbot (Collaborator) commented Apr 9, 2026

r? @ehuss

rustbot has assigned @ehuss.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

Why was this reviewer chosen?

The reviewer was selected based on:

  • Owners of files modified in this PR: @ehuss, @epage, @weihanglo
  • @ehuss, @epage, @weihanglo expanded to ehuss, epage, weihanglo
  • Random selection from ehuss, epage, weihanglo

epage (Contributor) left a comment

Renovatebot should have done this but it has seemed unreliable lately, alternating what months we get updates.


epage enabled auto-merge April 9, 2026 19:05
epage added this pull request to the merge queue Apr 9, 2026

Turbo87 (Member, Author) commented Apr 9, 2026

while we're on the topic of actions updates here, what are your thoughts on https://docs.zizmor.sh/audits/#unpinned-uses? I'm happy to send a (renovatebot-compatible) PR that pins all the actions with corresponding version comments.

github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Apr 9, 2026

weihanglo (Member) commented

> while we're on the topic of actions updates here, what are your thoughts on docs.zizmor.sh/audits#unpinned-uses? I'm happy to send a (renovatebot-compatible) PR that pins all the actions with corresponding version comments.

Looks good to me!

weihanglo (Member) commented

```
---- util::local_poll_adapter::tests::deferred_success stdout ----

thread 'util::local_poll_adapter::tests::deferred_success' (8316) panicked at src/cargo/util/local_poll_adapter.rs:177:9:
assertion `left == right` failed
  left: Ready(Ok(50))
 right: Pending


failures:
    util::local_poll_adapter::tests::deferred_success
```

Time-based test failed. Retrying.

cc @arlosi

weihanglo added this pull request to the merge queue Apr 9, 2026

epage (Contributor) commented Apr 9, 2026

I've been experimenting with zizmor on my own repos. There are rough edges with some Actions but I don't think we are using any of those today.

Merged via the queue into rust-lang:master with commit cb8b759 Apr 9, 2026
29 checks passed
rustbot removed the S-waiting-on-review (Status: Awaiting review from the assignee but also interested parties.) label Apr 9, 2026
github-merge-queue Bot pushed a commit that referenced this pull request Apr 10, 2026
Pin all third-party actions to immutable commit SHAs, with the resolved
version tag in a trailing comment. This prevents upstream tags from
silently changing under us.

- actions/checkout → v6.0.2
- actions/upload-artifact → v6.0.0
- EmbarkStudios/cargo-deny-action → v2.0.15
- taiki-e/install-action → v2.75.4
- crate-ci/typos → v1.44.0

`taiki-e/install-action` was previously referenced via the `@cargo-hack`
tool-specific tag, which is force-updated on every release. Pinning it
requires switching to the versioned `v2.75.4` tag and passing `tool:
cargo-hack` explicitly, since the versioned action.yml does not default
the tool input.

See https://docs.zizmor.sh/audits/#unpinned-uses (and
#16867 (comment))
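
The two checks discussed in this thread (checkout older than v6 without `persist-credentials: false`, and actions not pinned to a commit SHA), sketched as a small line-based audit of a workflow file. This is an added example, not code from the PR, cargo or zizmor; the rule names are borrowed from the linked zizmor audits, and `audit`, `major` and the sample workflow are constructed for illustration.

```python
import re

# Constructed workflow; the 40-hex ref is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v5
      - name: Checkout without stored credentials
        uses: actions/checkout@v5
        with:
          persist-credentials: false
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.2
      - uses: taiki-e/install-action@cargo-hack
      - uses: actions/upload-artifact@v6
        with:
          path: .
"""

USES = re.compile(r"^(\s*)(-\s+)?uses:\s*([\w.-]+/[\w./-]+)@(\S+)(?:\s+#\s*(\S+))?")
SHA = re.compile(r"^[0-9a-f]{40}$")
OPT_OUT = re.compile(r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*(#.*)?$")


def major(tag):
    """Major version of a tag such as v5 or v6.0.2, else None."""
    m = re.match(r"^v?(\d+)(\.\d+)*$", tag or "")
    return int(m.group(1)) if m else None


def audit(workflow_text):
    """Return (line_no, rule, 'action@ref') findings for one workflow file."""
    lines = workflow_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m:
            continue
        indent, dash, action, ref, comment = m.groups()
        pinned = bool(SHA.match(ref))
        if not pinned:  # tags and branches can be moved by the action's owner
            findings.append((i + 1, "unpinned-uses", f"{action}@{ref}"))
        if action != "actions/checkout":
            continue
        # Later keys of the same step are indented at least as far as `uses:`
        # (assumes `with:` follows `uses:` in the step).
        key_col = len(indent) + len(dash or "")
        step = []
        for nxt in lines[i + 1:]:
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) < key_col:
                break
            step.append(nxt)
        # For a SHA pin the version is only known from the trailing comment.
        version = major(comment) if pinned else major(ref)
        if (version is None or version < 6) and not any(map(OPT_OUT.match, step)):
            findings.append((i + 1, "artipacked", f"{action}@{ref}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

A checkout whose version cannot be determined (a branch ref, or a SHA pin with no version comment) is reported as `artipacked` unless the step opts out, which errs on the side of a false positive.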
rust-bors Bot pushed a commit to rust-lang/rust that referenced this pull request Apr 18, 2026
Update cargo submodule

26 commits in eb94155a9a60943bd7b1cb04abec42f5d0de6ddc..3bf1388b8823ec4eab622340036593381d8871aa
2026-04-09 13:10:20 +0000 to 2026-04-17 23:27:26 +0000
- Add global HTTP timeout tracking to http_async (rust-lang/cargo#16903)
- feat(config): Stabilize `resolver.lockfile-path` config (rust-lang/cargo#16694)
- chore(deps): update msrv (1 version) to v1.95 (rust-lang/cargo#16897)
- fix: rebuild rustdoc json for different versions of a same crate (rust-lang/cargo#16773)
- Add effective_url to http_async (rust-lang/cargo#16899)
- Make crate downloads process as a queue rather than a stack (rust-lang/cargo#16898)
- fix: sparse registry fetch progress reporting (rust-lang/cargo#16900)
- chore: bump to 0.98.0; update changelog (rust-lang/cargo#16892)
- docs(semver-check): update diagnostics to Rust 1.95 (rust-lang/cargo#16895)
- docs(ref): Better highlight 'package --list' for include/exclude (rust-lang/cargo#16891)
- docs: `include` doesnt apply gitignore from repo (rust-lang/cargo#16890)
- fix: Update `bash` and `zsh` Autocompletion Documents to add `-m` (rust-lang/cargo#16888)
- Add `-m` shorthand for `--manifest-path` (rust-lang/cargo#16858)
- Fix a typo (rust-lang/cargo#16885)
- Always take a shared lock on `.cargo-lock` (rust-lang/cargo#16886)
- fix(toml): Teach users how to pin edition (rust-lang/cargo#16851)
- fix: Prefer defined lint levels over default (rust-lang/cargo#16879)
- chore(deps): bump rand from 0.10.0 to 0.10.1 (rust-lang/cargo#16883)
- fix(lints): Ignore unused_crate_dependencies status (rust-lang/cargo#16877)
- Copy cargo clean target-dir validation tests to clean_new_layout.rs (rust-lang/cargo#16878)
- cargo clean: Add target directory validation (rust-lang/cargo#16712)
- Docs: "api" in the configuration should not include a trailing slash (rust-lang/cargo#16869)
- fix(core): use `closest_msg` to suggest similar member name for mistyped `-p` (rust-lang/cargo#16844)
- chore(ci): Pin GitHub Actions to commit SHAs (rust-lang/cargo#16868)
- chore(ci): Update `actions/checkout` from v5 to v6 (rust-lang/cargo#16867)
- Add test for cargo install with github fastpath (rust-lang/cargo#16866)

r? ghost
rust-bors Bot pushed a commit to rust-lang/rust that referenced this pull request Apr 18, 2026
Update cargo submodule

28 commits in eb94155a9a60943bd7b1cb04abec42f5d0de6ddc..7ecf0285ebb408d596e4a8ac76a0980d8edb7005
2026-04-09 13:10:20 +0000 to 2026-04-18 15:34:11 +0000
- fix: use `portable-atomic` for 64-bit atomics (rust-lang/cargo#16906)
- fix: rename incorrectly documented target-spec-json to json-target-sp… (rust-lang/cargo#16905)
- Add global HTTP timeout tracking to http_async (rust-lang/cargo#16903)
- feat(config): Stabilize `resolver.lockfile-path` config (rust-lang/cargo#16694)
- chore(deps): update msrv (1 version) to v1.95 (rust-lang/cargo#16897)
- fix: rebuild rustdoc json for different versions of a same crate (rust-lang/cargo#16773)
- Add effective_url to http_async (rust-lang/cargo#16899)
- Make crate downloads process as a queue rather than a stack (rust-lang/cargo#16898)
- fix: sparse registry fetch progress reporting (rust-lang/cargo#16900)
- chore: bump to 0.98.0; update changelog (rust-lang/cargo#16892)
- docs(semver-check): update diagnostics to Rust 1.95 (rust-lang/cargo#16895)
- docs(ref): Better highlight 'package --list' for include/exclude (rust-lang/cargo#16891)
- docs: `include` doesnt apply gitignore from repo (rust-lang/cargo#16890)
- fix: Update `bash` and `zsh` Autocompletion Documents to add `-m` (rust-lang/cargo#16888)
- Add `-m` shorthand for `--manifest-path` (rust-lang/cargo#16858)
- Fix a typo (rust-lang/cargo#16885)
- Always take a shared lock on `.cargo-lock` (rust-lang/cargo#16886)
- fix(toml): Teach users how to pin edition (rust-lang/cargo#16851)
- fix: Prefer defined lint levels over default (rust-lang/cargo#16879)
- chore(deps): bump rand from 0.10.0 to 0.10.1 (rust-lang/cargo#16883)
- fix(lints): Ignore unused_crate_dependencies status (rust-lang/cargo#16877)
- Copy cargo clean target-dir validation tests to clean_new_layout.rs (rust-lang/cargo#16878)
- cargo clean: Add target directory validation (rust-lang/cargo#16712)
- Docs: "api" in the configuration should not include a trailing slash (rust-lang/cargo#16869)
- fix(core): use `closest_msg` to suggest similar member name for mistyped `-p` (rust-lang/cargo#16844)
- chore(ci): Pin GitHub Actions to commit SHAs (rust-lang/cargo#16868)
- chore(ci): Update `actions/checkout` from v5 to v6 (rust-lang/cargo#16867)
- Add test for cargo install with github fastpath (rust-lang/cargo#16866)
rust-bors Bot pushed a commit to rust-lang/rust that referenced this pull request Apr 19, 2026
Update cargo submodule

rustbot added this to the 1.97.0 milestone Apr 19, 2026
github-actions Bot pushed a commit to rust-lang/stdarch that referenced this pull request Apr 20, 2026
Update cargo submodule

github-actions Bot pushed a commit to rust-lang/miri that referenced this pull request Apr 20, 2026
Update cargo submodule

lnicola pushed a commit to lnicola/rust-analyzer that referenced this pull request Apr 20, 2026
Update cargo submodule
