This pins all third-party actions to immutable commit SHAs, with the resolved version tag in a trailing comment. This prevents upstream tags from silently changing under us.

- actions/checkout → v6.0.2 (bumped from v5 to reduce `artipacked` severity: v6 no longer stores credentials in `.git/config`)
- actions/setup-node → v6.3.0
- rust-lang/crates-io-auth-action → v1.0.4

See https://docs.zizmor.sh/audits/#unpinned-uses
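# Maintenance workflow: runs ci/update-dependencies.sh on a monthly schedule
# or on manual dispatch. Both triggers run the repository's own branch, so the
# scripts below do not come from pull-request content.
name: Update dependencies
on:
  schedule:
    # 00:00 UTC on the first day of every month.
    - cron: '0 0 1 * *'
  workflow_dispatch:

# NOTE(review): no `permissions:` block is declared at workflow or job level,
# so the token passed as GH_TOKEN below carries the repository's default
# scopes. Declare only what ci/update-dependencies.sh (not shown here) needs.
jobs:
  update:
    name: Update dependencies
    runs-on: ubuntu-latest
    # Skip the job in forks; only the upstream repository runs it.
    if: github.repository == 'rust-lang/mdBook'
    steps:
      # Pinned to a full commit SHA so a moved tag cannot change the code that
      # runs; the trailing comment records the tag the SHA was resolved from.
      # NOTE(review): `persist-credentials` is left at its default, so the
      # checkout credential stays usable by later git commands in this job.
      # Set `persist-credentials: false` if the update script authenticates
      # only through GH_TOKEN — confirm against the script.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install Rust
        run: bash ci/install-rust.sh stable x86_64-unknown-linux-gnu
      # NOTE(review): `--locked` makes cargo use the Cargo.lock shipped with
      # cargo-edit, but the cargo-edit release itself is not pinned, so each
      # run installs whatever version is current. Unlike the actions above,
      # this tool can change between runs; consider
      # `--version <PINNED_VERSION>`.
      - name: Install cargo-edit
        run: cargo install cargo-edit --locked
      - name: Update dependencies
        run: ci/update-dependencies.sh
        env:
          # Job token exposed to the script; GH_TOKEN is the variable the
          # GitHub CLI reads, so presumably the script calls `gh` — confirm.
          GH_TOKEN: ${{ github.token }}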