This pins all third-party actions to immutable commit SHAs, with the resolved version tag in a trailing comment. This prevents upstream tags from silently changing under us. - actions/checkout → v6.0.2 (bumped from v5 to reduce `artipacked` severity: v6 no longer stores credentials in `.git/config`) - actions/setup-node → v6.3.0 - rust-lang/crates-io-auth-action → v1.0.4 See https://docs.zizmor.sh/audits/#unpinned-uses
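# Release pipeline, triggered when a GitHub release is created. It builds one
# release asset per target and uploads it to the release, deploys the User
# Guide to GitHub Pages, and publishes the workspace to crates.io.
#
# Third-party actions are pinned to full commit SHAs; the trailing comment
# records the tag each SHA was resolved from. Update the two together.
name: Deploy

on:
  release:
    types: [created]

defaults:
  run:
    shell: bash

# Read-only default, so a job added later does not inherit write access.
# Every job below declares the scopes it needs.
permissions:
  contents: read

jobs:
  release:
    runs-on: ${{ matrix.os }}
    # `gh release upload` attaches the built asset to the release.
    permissions:
      contents: write
    strategy:
      matrix:
        include:
          - target: aarch64-unknown-linux-musl
            os: ubuntu-22.04
          - target: x86_64-unknown-linux-gnu
            os: ubuntu-22.04
          - target: x86_64-unknown-linux-musl
            os: ubuntu-22.04
          - target: x86_64-apple-darwin
            os: macos-latest
          - target: aarch64-apple-darwin
            os: macos-latest
          - target: x86_64-pc-windows-msvc
            os: windows-latest
    name: Deploy ${{ matrix.target }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      # The matrix values expanded into the two commands below are the fixed
      # literals listed above, not input taken from the release event.
      - name: Install Rust
        run: ci/install-rust.sh stable ${{ matrix.target }}
      - name: Build asset
        run: ci/make-release-asset.sh ${{ matrix.os }} ${{ matrix.target }}
      - name: Update release with new asset
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # NOTE(review): MDBOOK_TAG and MDBOOK_ASSET are not set in this file;
        # presumably an earlier script exports them. They are expanded
        # unquoted, so confirm neither can hold whitespace or glob characters.
        run: gh release upload $MDBOOK_TAG $MDBOOK_ASSET
  pages:
    name: GitHub Pages
    runs-on: ubuntu-latest
    # NOTE(review): ci/publish-guide.sh is not visible here; presumably it
    # pushes to the gh-pages branch using the credentials checkout leaves
    # behind, which needs write access to contents. Confirm.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install Rust (rustup)
        run: rustup update stable --no-self-update && rustup default stable
      - name: Deploy the User Guide to GitHub Pages using the gh-pages branch
        run: ci/publish-guide.sh
  publish:
    name: Publish to crates.io
    runs-on: ubuntu-latest
    # A job-level block replaces the workflow default, so this job's
    # GITHUB_TOKEN carries only the scope listed here.
    permissions:
      # Required for OIDC token exchange
      id-token: write
    # Runs in the `publish` deployment environment; any protection rules on
    # it are configured in the repository settings, not in this file.
    environment: publish
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # No later step in this job talks to the git remote, so the
          # checkout token is not kept on the runner.
          persist-credentials: false
      - name: Install Rust (rustup)
        run: rustup update stable --no-self-update && rustup default stable
      - name: Authenticate with crates.io
        id: auth
        uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe # v1.0.4
      - name: Publish
        env:
          # Registry token produced by the `auth` step; set on this step only.
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
        # --no-verify uploads the packaged crates without building them first.
        run: cargo publish --workspace --no-verify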