This pins all third-party actions to immutable commit SHAs, with the
resolved version tag in a trailing comment. This prevents upstream
tags from silently changing under us.
- actions/checkout → v6.0.2 (bumped from v5 to reduce `artipacked`
severity: v6 no longer stores credentials in `.git/config`)
- actions/setup-node → v6.3.0
- rust-lang/crates-io-auth-action → v1.0.4
See https://docs.zizmor.sh/audits/#unpinned-uses

This disables the update-dependencies cron job in forks. It's not
uncommon for people to leave GitHub Actions enabled in a fork (which in
my experience seems to be the default?), and this unfortunately means
that this job will run in all those forks, which is probably not what
people want.

This adds a job to automatically update cargo dependencies once a month.
I've added this script instead of using Renovate because I couldn't get
Renovate to update versions in `Cargo.toml`. I also wanted to batch
transitive dependency updates all in one PR.
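
The two properties the messages above describe, SHA-pinned `uses:` references with the resolved tag in a trailing comment and a scheduled job that does not run in forks, as an added check script. This is example code, not code from the repository being described and not zizmor's own audit. It assumes the fork guard takes the common form of a job-level `if: github.repository == 'owner/repo'` (the messages do not say how the job was disabled), assumes 2-space YAML indentation, and treats local `./` actions as exempt from pinning. The embedded workflow samples are constructed; the repository name and the 40-hex SHA in them are placeholders, not a real repo or real commits.

```python
"""Check a GitHub Actions workflow for SHA-pinned actions and a fork guard.

Illustrative script (not from the project above, not zizmor). Parses the
workflow line by line so it needs no YAML library, and reports:
  * any `uses:` not of the form owner/repo@<40-hex sha> # vX.Y.Z
    (local `./` actions are exempt: they live in the same repository);
  * when a `schedule:` trigger is present, any job that lacks a job-level
    `if: github.repository == 'owner/repo'` guard (assumed guard form).
Assumes 2-space indentation: job keys at one level, job settings one deeper.
"""
import re
import sys

PINNED = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s]+)@(?P<sha>[0-9a-f]{40})\s*#\s*(?P<tag>v\S+)\s*$"
)
ANY_USES = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
FORK_GUARD = re.compile(r"github\.repository\s*==\s*['\"][\w.-]+/[\w.-]+['\"]")


def check_workflow(text):
    """Return findings as a list of (line_number, message), sorted by line."""
    findings = []
    section = None          # current top-level key ("on", "jobs", ...)
    has_schedule = False
    jobs = {}               # job name -> {"line": int, "guarded": bool}
    job = None              # job we are currently inside
    job_indent = 0

    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))

        if indent == 0:                      # new top-level key
            section = stripped.rstrip(":")
            job = None
            continue
        if section == "on" and stripped.startswith("schedule:"):
            has_schedule = True
            continue
        if section != "jobs":
            continue

        if job is None or indent <= job_indent:
            if stripped.endswith(":"):       # a mapping key directly under jobs:
                job, job_indent = stripped[:-1], indent
                jobs[job] = {"line": lineno, "guarded": False}
            continue

        # Inside a job: job-level guard sits exactly one indent level deeper.
        if (indent == job_indent + 2 and stripped.startswith("if:")
                and FORK_GUARD.search(stripped)):
            jobs[job]["guarded"] = True

        m = ANY_USES.match(line)
        if m and not m.group("ref").startswith("./") and not PINNED.match(line):
            findings.append((lineno, f"unpinned or uncommented action: {m.group('ref')}"))

    if has_schedule:
        for name, info in jobs.items():
            if not info["guarded"]:
                findings.append((info["line"], f"scheduled job {name!r} has no "
                                 "github.repository guard; it will run in every fork"))
    return sorted(findings)


# Constructed samples: the repo name and the SHA are placeholders, not real.
GOOD = """\
name: update-dependencies
on:
  schedule:
    - cron: "0 3 1 * *"
  workflow_dispatch:
jobs:
  update:
    # Assumed guard form: skip the job unless we are the upstream repo.
    if: github.repository == 'example-org/example-repo'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.2
      - uses: ./.github/actions/local-helper
      - run: cargo update
"""

BAD = """\
name: update-dependencies
on:
  schedule:
    - cron: "0 3 1 * *"
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
"""


def main(argv):
    """Check the given workflow files, or the built-in samples if none given."""
    sources = [("GOOD", GOOD), ("BAD", BAD)]
    if argv:
        sources = []
        for path in argv:
            with open(path, encoding="utf-8") as fh:
                sources.append((path, fh.read()))
    status = 0
    for name, text in sources:
        for lineno, msg in check_workflow(text):
            print(f"{name}:{lineno}: {msg}")
            status = 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the constructed BAD sample flagged on three lines (a tag-only `@v5`, a SHA with no trailing tag comment, and the unguarded scheduled job) while GOOD passes, or pass `.github/workflows/*.yml` paths to check real files. It deliberately rejects a bare SHA with no version comment, since the comment is what lets a reviewer see which release a pin corresponds to.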