CI: Pin GitHub Actions to commit SHAs

This pins all third-party actions to immutable commit SHAs, with the
resolved version tag in a trailing comment. This prevents upstream
tags from silently changing under us.

- actions/checkout → v6.0.2 (bumped from v5 to reduce `artipacked`
  severity: v6 no longer stores credentials in `.git/config`)
- actions/setup-node → v6.3.0
- rust-lang/crates-io-auth-action → v1.0.4

See https://docs.zizmor.sh/audits/#unpinned-uses
This commit is contained in:
Tobias Bieniek 2026-04-10 14:34:53 +02:00
parent 05fbc5d3d0
commit 2ab29ef789
No known key found for this signature in database
3 changed files with 13 additions and 13 deletions

View file

@ -30,7 +30,7 @@ jobs:
os: windows-latest
name: Deploy ${{ matrix.target }}
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Rust
run: ci/install-rust.sh stable ${{ matrix.target }}
- name: Build asset
@ -43,7 +43,7 @@ jobs:
name: GitHub Pages
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Rust (rustup)
run: rustup update stable --no-self-update && rustup default stable
- name: Deploy the User Guide to GitHub Pages using the gh-pages branch
@ -56,12 +56,12 @@ jobs:
id-token: write
environment: publish
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Rust (rustup)
run: rustup update stable --no-self-update && rustup default stable
- name: Authenticate with crates.io
id: auth
uses: rust-lang/crates-io-auth-action@v1
uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe # v1.0.4
- name: Publish
env:
CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}

View file

@ -44,7 +44,7 @@ jobs:
target: x86_64-unknown-linux-gnu
name: ${{ matrix.name }}
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Rust
run: bash ci/install-rust.sh ${{ matrix.rust }} ${{ matrix.target }}
- name: Build and run tests
@ -55,7 +55,7 @@ jobs:
aarch64-cross-builds:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Rust
run: bash ci/install-rust.sh stable aarch64-unknown-linux-musl
- name: Build
@ -65,7 +65,7 @@ jobs:
name: Rustfmt
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Rust
run: rustup update stable && rustup default stable && rustup component add rustfmt
- run: cargo fmt --check
@ -74,11 +74,11 @@ jobs:
name: GUI tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Rust
run: bash ci/install-rust.sh stable x86_64-unknown-linux-gnu
- name: Install npm
uses: actions/setup-node@v6
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: 24
- name: Install browser-ui-test
@ -92,7 +92,7 @@ jobs:
clippy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Rust
run: bash ci/install-rust.sh stable x86_64-unknown-linux-gnu
- run: rustup component add clippy
@ -102,7 +102,7 @@ jobs:
name: Check API docs
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Rust
run: bash ci/install-rust.sh stable x86_64-unknown-linux-gnu
- name: Ensure intradoc links are valid
@ -114,7 +114,7 @@ jobs:
name: Check version bump
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- run: rustup update stable && rustup default stable
- name: Install cargo-semver-checks
run: |

View file

@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
if: github.repository == 'rust-lang/mdBook'
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Rust
run: bash ci/install-rust.sh stable x86_64-unknown-linux-gnu
- name: Install cargo-edit