From 9bb840f0899480c1742a4e466c4f4df812886a72 Mon Sep 17 00:00:00 2001 From: Tobias Bieniek Date: Fri, 10 Apr 2026 09:36:23 +0200 Subject: [PATCH] chore(ci): Pin GitHub Actions to commit SHAs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pin all third-party actions to immutable commit SHAs, with the resolved version tag in a trailing comment. This prevents upstream tags from silently changing under us. - actions/checkout → v6.0.2 - actions/upload-artifact → v6.0.0 - EmbarkStudios/cargo-deny-action → v2.0.15 - taiki-e/install-action → v2.75.4 - crate-ci/typos → v1.44.0 `taiki-e/install-action` was previously referenced via the `@cargo-hack` tool-specific tag, which is force-updated on every release. Pinning it requires switching to the versioned `v2.75.4` tag and passing `tool: cargo-hack` explicitly, since the versioned action.yml does not default the tool input. See https://docs.zizmor.sh/audits/#unpinned-uses --- .github/workflows/audit.yml | 4 ++-- .github/workflows/contrib.yml | 2 +- .github/workflows/main.yml | 38 ++++++++++++++++++----------------- .github/workflows/release.yml | 2 +- 4 files changed, 24 insertions(+), 22 deletions(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index e96482deded..4646afc9a9c 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -21,8 +21,8 @@ jobs: - advisories - bans licenses sources steps: - - uses: actions/checkout@v6 - - uses: EmbarkStudios/cargo-deny-action@v2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2.0.15 # Prevent sudden announcement of a new advisory from failing ci: continue-on-error: ${{ matrix.checks == 'advisories' }} with: diff --git a/.github/workflows/contrib.yml b/.github/workflows/contrib.yml index f74f7825355..63765d167c8 100644 --- a/.github/workflows/contrib.yml +++ b/.github/workflows/contrib.yml @@ -20,7 +20,7 @@ jobs: contents: write # for Git to git push runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Install mdbook diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 7e6300b5d18..813628f2010 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -58,7 +58,7 @@ jobs: rustfmt: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - run: rustup update stable && rustup default stable - run: rustup component add rustfmt - run: cargo fmt --all --check @@ -77,7 +77,7 @@ jobs: name: Clippy ${{ matrix.name }} runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - run: rustup update stable && rustup default stable - run: rustup component add clippy - run: cargo clippy --workspace --all-targets --no-deps -- -D warnings @@ -85,14 +85,14 @@ jobs: stale-label: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - run: rustup update stable && rustup default stable - run: cargo stale-label lint-docs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - run: rustup update stable && rustup default stable - run: cargo lint-docs --check @@ -100,7 +100,7 @@ jobs: lockfile: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - run: rustup update stable && rustup default stable - run: cargo update -p cargo --locked @@ -111,7 +111,7 @@ jobs: BASE_SHA: ${{ github.event.pull_request.base.sha }} HEAD_SHA: ${{ github.event.pull_request.head.sha != '' && github.event.pull_request.head.sha || github.sha }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - run: rustup update stable && rustup default stable @@ -185,7 +185,7 @@ jobs: other: i686-pc-windows-gnu name: Tests ${{ matrix.name }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Dump Environment run: ci/dump-environment.sh # Some tests require stable. Make sure it is set to the most recent stable @@ -251,21 +251,21 @@ jobs: schema: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - run: rustup update stable && rustup default stable - run: cargo test -p cargo-util-schemas -F unstable-schema resolver: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - run: rustup update stable && rustup default stable - run: cargo test -p resolver-tests test_gitoxide: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - run: rustup update --no-self-update stable && rustup default stable - run: rustup target add i686-unknown-linux-gnu - run: rustup target add wasm32-unknown-unknown @@ -278,7 +278,7 @@ jobs: build_std: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - run: rustup update nightly && rustup default nightly - run: rustup component add rust-src - run: cargo build @@ -288,7 +288,7 @@ jobs: docs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - run: rustup update nightly && rustup default nightly - run: rustup update stable - run: rustup component add rust-docs @@ -316,8 +316,10 @@ jobs: msrv: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: taiki-e/install-action@cargo-hack + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: taiki-e/install-action@97a5807a604e12de3a13b52d868ebecaeeea757c # v2.75.4 + with: + tool: cargo-hack - run: cargo hack check --all-targets --rust-version --workspace --ignore-private --locked spellcheck: @@ -325,22 +327,22 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Actions Repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Spell Check Repo - uses: crate-ci/typos@v1.44.0 + uses: crate-ci/typos@631208b7aac2daa8b707f55e7331f9112b0e062d # v1.44.0 report-timings: name: Timing HTML report runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - run: rustup update nightly && rustup default nightly - run: cargo build - name: Generate timing report for rustfix run: | cargo run -- build -p rustfix -Zbuild-analysis -Zsection-timings --config build.analysis.enabled=true --config 'build.build-dir="tmp"' cargo run -- report timings -Zbuild-analysis - - uses: actions/upload-artifact@v6 + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: timing-report path: target/cargo-timings/*.html diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5bb99d9af38..79770feb2c0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Checkout the source code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Publish Cargo to crates.io run: ./publish.py