From 282ea9019939fd09fde4b4492bfbe058a429f52d Mon Sep 17 00:00:00 2001
From: Forge
Date: Fri, 1 May 2026 01:11:21 -0700
Subject: [PATCH 1/2] chore: pin GitHub Actions to fixed SHAs

Pin GitHub Actions to immutable SHAs:
- checkout@v4: 34e114876b0b11c390a56381ad16ebd13914f8d5
- checkout@v6: de0fac2e4500dabe0009e67214ff5f5447ce83dd
---
 .github/workflows/cargo-audit.yml | 2 +-
 .github/workflows/cargo-deny.yml | 2 +-
 .github/workflows/cargo-machete.yml | 2 +-
 .github/workflows/cargo-semver-checks.yml | 2 +-
 .github/workflows/codeql-rust.yml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/cargo-audit.yml b/.github/workflows/cargo-audit.yml
index e57b692..b909510 100644
--- a/.github/workflows/cargo-audit.yml
+++ b/.github/workflows/cargo-audit.yml
@@ -14,7 +14,7 @@ jobs:
 audit:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - uses: rustsec/audit-check@v2
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/cargo-deny.yml b/.github/workflows/cargo-deny.yml
index b99d44d..042b8a8 100644
--- a/.github/workflows/cargo-deny.yml
+++ b/.github/workflows/cargo-deny.yml
@@ -20,7 +20,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 - name: Install Rust toolchain
 uses: dtolnay/rust-toolchain@stable
diff --git a/.github/workflows/cargo-machete.yml b/.github/workflows/cargo-machete.yml
index d652706..8686d30 100644
--- a/.github/workflows/cargo-machete.yml
+++ b/.github/workflows/cargo-machete.yml
@@ -14,5 +14,5 @@ jobs:
 machete:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - uses: bnjbvr/cargo-machete@main
diff --git a/.github/workflows/cargo-semver-checks.yml b/.github/workflows/cargo-semver-checks.yml
index 638ec1b..24e7323 100644
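Review bot: The `rustsec/audit-check@v2` step two lines below the new pin in cargo-audit.yml is still a mutable tag, and it is the step that receives `${{ secrets.GITHUB_TOKEN }}`, so after this change the token-bearing step is the one part of the job that can still move underneath you. Pin it to a full 40-hex commit SHA the same way, after confirming the SHA against a release tag in that repository, e.g. `- uses: rustsec/audit-check@<sha> # v2.x.y`. The new checkout pin also carries no version trailer; a bare SHA is opaque to readers and to Dependabot/Renovate pin tracking, so append the resolved tag as a comment: `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.x.y` with the exact tag filled in. I cannot verify from the diff that this SHA is reachable from an actions/checkout v4 release tag; that should be checked before merge.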
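Review bot: `dtolnay/rust-toolchain@stable` on the last line of the cargo-deny.yml hunk is a branch reference in a third-party repository, so the job still executes whatever that branch points to on every run; the SHA-pinned checkout above it does not change that exposure. Pin it to a full commit SHA with a version comment, or document in a comment why a floating ref is accepted for the toolchain installer. This hunk also pins checkout to the v6 SHA while the other four workflows in this patch pin the v4 SHA, so the pinning has frozen two different majors of the same action; consider aligning them to one SHA and one `# vX.Y.Z` comment so a single dependency bump covers all workflows. The job's `permissions:` block and remaining steps are outside the hunk.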
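Review bot: `bnjbvr/cargo-machete@main` on the last line of the cargo-machete.yml hunk runs a third-party action from its default branch, the weakest possible reference, and it now follows a SHA-pinned checkout that, with default settings, leaves the workflow token in the checked-out repo's `.git/config` (`persist-credentials` defaults to true). Pin that action to a full commit SHA with a version comment, and since nothing visible here needs push access, add to the checkout step `with:` / `persist-credentials: false`. Whether the job restricts `permissions:` is not visible in this hunk.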
--- a/.github/workflows/cargo-semver-checks.yml
+++ b/.github/workflows/cargo-semver-checks.yml
@@ -9,5 +9,5 @@ jobs:
 semver-checks:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - uses: obi1kenobi/cargo-semver-checks-action@v2
diff --git a/.github/workflows/codeql-rust.yml b/.github/workflows/codeql-rust.yml
index 16c7399..54d94e4 100644
--- a/.github/workflows/codeql-rust.yml
+++ b/.github/workflows/codeql-rust.yml
@@ -20,7 +20,7 @@ jobs:
 security-events: write
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v3
 with:

From 442686a948894efeafd7a5a10b6db18c2ae8ad47 Mon Sep 17 00:00:00 2001
From: Forge
Date: Fri, 1 May 2026 01:57:57 -0700
Subject: [PATCH 2/2] chore: pin GitHub Actions to specific SHAs

---
 .github/workflows/scorecard.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 38f5e4f..ad4a84d 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -29,7 +29,7 @@ jobs:
 results_format: sarif
 publish_results: true
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
 with:
 name: SARIF file
 path: results.sarif
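Review bot: `obi1kenobi/cargo-semver-checks-action@v2` on the last line of the cargo-semver-checks.yml hunk is left on a mutable tag, so the hunk pins the first-party action and leaves the third-party one floating; the job's supply-chain exposure is essentially unchanged by this commit. Pin it to a full commit SHA with a `# v2.x.y` comment recorded from the upstream release tag, and give the new checkout pin the same trailer so readers and Dependabot/Renovate can tell which release the SHA is.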
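Review bot: `github/codeql-action/init@v3` stays on a mutable tag in a job that holds `security-events: write` (visible three lines above the pin in the codeql-rust.yml hunk), so a moved or compromised `v3` tag could alter or suppress the code-scanning results this job uploads; pinning checkout alone does not reduce that. Pin it to a full SHA with a version comment, and do the same for the `codeql-action/analyze` step that presumably follows outside the hunk, keeping every codeql-action sub-action on the same SHA so they stay mutually compatible. CodeQL only needs read access to the tree, so `persist-credentials: false` on the checkout step would also be appropriate here.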
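Review bot: The new `upload-artifact` pin in scorecard.yml has no version trailer; record the resolved tag as a comment, `- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4.x.y`, so the release behind the SHA is legible and bump tooling can track it. The `ossf/scorecard-action` step that owns `results_format: sarif` and `publish_results: true` begins above the hunk, so whether it, the checkout, and any `upload-sarif` step are SHA-pinned is not visible here; Scorecard's own Pinned-Dependencies check will score the repository down for every action in these workflows still on a tag or branch, including the ones left unpinned in the first patch. The commit title says "pin GitHub Actions to specific SHAs" while the patch pins only this one step, so the remaining steps deserve a follow-up or an explicit note.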