From 2ab29ef789748d7c8b75e1ba4ebbd5b5b1f04381 Mon Sep 17 00:00:00 2001 From: Tobias Bieniek Date: Fri, 10 Apr 2026 14:34:53 +0200 Subject: [PATCH] CI: Pin GitHub Actions to commit SHAs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This pins all third-party actions to immutable commit SHAs, with the resolved version tag in a trailing comment. This prevents upstream tags from silently changing under us. - actions/checkout → v6.0.2 (bumped from v5 to reduce `artipacked` severity: v6 no longer stores credentials in `.git/config`) - actions/setup-node → v6.3.0 - rust-lang/crates-io-auth-action → v1.0.4 See https://docs.zizmor.sh/audits/#unpinned-uses --- .github/workflows/deploy.yml | 8 ++++---- .github/workflows/main.yml | 16 ++++++++-------- .github/workflows/update-dependencies.yml | 2 +- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 42bf8056..7c4d52a3 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -30,7 +30,7 @@ jobs: os: windows-latest name: Deploy ${{ matrix.target }} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Rust run: ci/install-rust.sh stable ${{ matrix.target }} - name: Build asset @@ -43,7 +43,7 @@ jobs: name: GitHub Pages runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Rust (rustup) run: rustup update stable --no-self-update && rustup default stable - name: Deploy the User Guide to GitHub Pages using the gh-pages branch @@ -56,12 +56,12 @@ jobs: id-token: write environment: publish steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Rust (rustup) run: rustup update stable --no-self-update && rustup default stable - name: Authenticate with crates.io id: auth - uses: rust-lang/crates-io-auth-action@v1 + uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe # v1.0.4 - name: Publish env: CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }} diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b4016767..3dad6712 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -44,7 +44,7 @@ jobs: target: x86_64-unknown-linux-gnu name: ${{ matrix.name }} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Rust run: bash ci/install-rust.sh ${{ matrix.rust }} ${{ matrix.target }} - name: Build and run tests @@ -55,7 +55,7 @@ jobs: aarch64-cross-builds: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Rust run: bash ci/install-rust.sh stable aarch64-unknown-linux-musl - name: Build @@ -65,7 +65,7 @@ jobs: name: Rustfmt runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Rust run: rustup update stable && rustup default stable && rustup component add rustfmt - run: cargo fmt --check @@ -74,11 +74,11 @@ jobs: name: GUI tests runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Rust run: bash ci/install-rust.sh stable x86_64-unknown-linux-gnu - name: Install npm - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24 - name: Install browser-ui-test @@ -92,7 +92,7 @@ jobs: clippy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Rust run: bash ci/install-rust.sh stable x86_64-unknown-linux-gnu - run: rustup component add clippy @@ -102,7 +102,7 @@ jobs: name: Check API docs runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Rust run: bash ci/install-rust.sh stable x86_64-unknown-linux-gnu - name: Ensure intradoc links are valid @@ -114,7 +114,7 @@ jobs: name: Check version bump runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - run: rustup update stable && rustup default stable - name: Install cargo-semver-checks run: | diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml index f3540565..bc8ddd58 100644 --- a/.github/workflows/update-dependencies.yml +++ b/.github/workflows/update-dependencies.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest if: github.repository == 'rust-lang/mdBook' steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Rust run: bash ci/install-rust.sh stable x86_64-unknown-linux-gnu - name: Install cargo-edit