This pins all third-party actions to immutable commit SHAs, with the resolved version tag in a trailing comment. This prevents upstream tags from silently changing under us.

- actions/checkout → v6.0.2 (bumped from v5 to reduce `artipacked` severity: v6 no longer stores credentials in `.git/config`)
- actions/setup-node → v6.3.0
- rust-lang/crates-io-auth-action → v1.0.4

See https://docs.zizmor.sh/audits/#unpinned-uses

| Name |
|---|
| .. |
| ISSUE_TEMPLATE |
| workflows |
| renovate.json5 |