mdbook/.github/workflows/deploy.yml
Tobias Bieniek 2ab29ef789
CI: Pin GitHub Actions to commit SHAs
This pins all third-party actions to immutable commit SHAs, with the
resolved version tag in a trailing comment. This prevents upstream
tags from silently changing under us.

- actions/checkout → v6.0.2 (bumped from v5 to reduce `artipacked`
  severity: v6 no longer stores credentials in `.git/config`)
- actions/setup-node → v6.3.0
- rust-lang/crates-io-auth-action → v1.0.4

See https://docs.zizmor.sh/audits/#unpinned-uses
2026-04-10 14:35:42 +02:00


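# Release pipeline: runs when a GitHub release is created. It builds and
# uploads per-target binaries, publishes the user guide, and publishes the
# crates to crates.io.
#
# Every `uses:` reference is pinned to a full commit SHA, with the resolved
# tag in a trailing comment. When bumping an action, update the SHA and the
# comment together so the comment never misdescribes what actually runs.
name: Deploy
on:
  release:
    types: [created]

defaults:
  run:
    shell: bash

# Workflow-level default token scope. It applies to jobs that do not declare
# their own `permissions:` block (`release` and `pages` below). A job-level
# block replaces this one entirely rather than merging with it.
permissions:
  contents: write

jobs:
  release:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        include:
          - target: aarch64-unknown-linux-musl
            os: ubuntu-22.04
          - target: x86_64-unknown-linux-gnu
            os: ubuntu-22.04
          - target: x86_64-unknown-linux-musl
            os: ubuntu-22.04
          - target: x86_64-apple-darwin
            os: macos-latest
          - target: aarch64-apple-darwin
            os: macos-latest
          - target: x86_64-pc-windows-msvc
            os: windows-latest
    name: Deploy ${{ matrix.target }}
    steps:
      # NOTE(review): this job's token carries `contents: write`. If neither
      # ci/install-rust.sh nor ci/make-release-asset.sh needs authenticated
      # git access (not visible from this file), add
      # `with: { persist-credentials: false }` so the token is not left on
      # disk for the build scripts to read.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      # The `${{ matrix.* }}` values expanded into the `run:` lines below
      # come only from the static `include:` list above, never from event
      # data. Keep it that way; route event-derived values through `env:`.
      - name: Install Rust
        run: ci/install-rust.sh stable ${{ matrix.target }}
      - name: Build asset
        run: ci/make-release-asset.sh ${{ matrix.os }} ${{ matrix.target }}
      - name: Update release with new asset
        env:
          # `gh` authenticates with this token; uploading a release asset
          # is what needs `contents: write`.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # MDBOOK_TAG and MDBOOK_ASSET are not set in this file; presumably
        # an earlier step exports them (verify in
        # ci/make-release-asset.sh). They are quoted so each one reaches
        # `gh` as exactly one argument, with no word splitting or globbing.
        run: gh release upload "$MDBOOK_TAG" "$MDBOOK_ASSET"

  pages:
    name: GitHub Pages
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): ci/publish-guide.sh presumably pushes to the gh-pages
      # branch using the credentials this checkout persists. Confirm that
      # before changing `persist-credentials` here.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install Rust (rustup)
        run: rustup update stable --no-self-update && rustup default stable
      - name: Deploy the User Guide to GitHub Pages using the gh-pages branch
        run: ci/publish-guide.sh

  publish:
    name: Publish to crates.io
    runs-on: ubuntu-latest
    # This job-level block replaces the workflow default, so the job gets
    # `id-token: write` only and every scope not listed here is `none`.
    permissions:
      # Required for OIDC token exchange
      id-token: write
    # Protection rules configured on the `publish` environment (for
    # example required reviewers) gate this job before it starts.
    environment: publish
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # No later step in this job performs an authenticated git
          # operation, so do not leave the job token in the checkout.
          persist-credentials: false
      - name: Install Rust (rustup)
        run: rustup update stable --no-self-update && rustup default stable
      - name: Authenticate with crates.io
        id: auth
        uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe # v1.0.4
      - name: Publish
        env:
          # Registry token produced by the `auth` step. It is scoped to
          # this one step rather than exported job-wide.
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
        # `--no-verify` skips building the packaged crates before upload.
        run: cargo publish --workspace --no-verify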