From 1dd22f0bebd6885f224e3abd6e992ac718815e74 Mon Sep 17 00:00:00 2001 From: Sven Pistre <100095453+SvenPistre@users.noreply.github.com> Date: Wed, 10 Jun 2026 21:10:27 +0200 Subject: [PATCH 1/6] ci: pin GitHub Actions to hash --- .github/workflows/audit-on-push.yml | 4 ++-- .github/workflows/docker.yml | 18 +++++++-------- .github/workflows/general.yml | 18 +++++++-------- .github/workflows/release.yml | 32 +++++++++++++-------------- .github/workflows/scheduled-audit.yml | 4 ++-- .github/workflows/tag-and-publish.yml | 8 +++---- 6 files changed, 42 insertions(+), 42 deletions(-) diff --git a/.github/workflows/audit-on-push.yml b/.github/workflows/audit-on-push.yml index 707be3d..d7af6a5 100644 --- a/.github/workflows/audit-on-push.yml +++ b/.github/workflows/audit-on-push.yml @@ -13,7 +13,7 @@ jobs: security_audit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: rustsec/audit-check@v2.0.0 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0 with: token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 66d9371..cdce7b9 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -25,11 +25,11 @@ jobs: group_matrix: ${{ steps.collect.outputs.group_matrix }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -147,13 +147,13 @@ jobs: group_entry: ${{fromJSON(needs.resolve_inputs.outputs.group_matrix)}} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -205,9 +205,9 @@ jobs: group_entry: ${{fromJSON(needs.resolve_inputs.outputs.group_matrix)}} steps: - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} diff --git a/.github/workflows/general.yml b/.github/workflows/general.yml index 6bd13dc..8483759 100644 --- a/.github/workflows/general.yml +++ b/.github/workflows/general.yml @@ -14,16 +14,16 @@ jobs: name: Test runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@stable + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1 - run: cargo test fmt: name: Rustfmt runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@stable + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1 with: components: rustfmt - run: cargo fmt --all -- --check @@ -32,8 +32,8 @@ jobs: name: Clippy runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@stable + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1 with: components: clippy - run: cargo clippy -- -D warnings @@ -43,12 +43,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install stable toolchain - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1 - name: Install cargo-tarpaulin - uses: taiki-e/install-action@v2 + uses: taiki-e/install-action@0631aa6515c7d545823c67cfae7ef4fc7f490154 # v2.81.8 with: tool: cargo-tarpaulin checksum: true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d9aa406..8f336a2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -56,7 +56,7 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 with: persist-credentials: false submodules: recursive @@ -66,7 +66,7 @@ jobs: shell: bash run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.31.0/cargo-dist-installer.sh | sh" - name: Cache dist - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: cargo-dist-cache path: ~/.cargo/bin/dist @@ -82,7 +82,7 @@ jobs: cat plan-dist-manifest.json echo "manifest=$(jq -c "." plan-dist-manifest.json)" >> "$GITHUB_OUTPUT" - name: "Upload dist-manifest.json" - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: artifacts-plan-dist-manifest path: plan-dist-manifest.json @@ -116,7 +116,7 @@ jobs: - name: enable windows longpaths run: | git config --global core.longpaths true - - uses: actions/checkout@v6 + - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 with: persist-credentials: false submodules: recursive @@ -131,7 +131,7 @@ jobs: run: ${{ matrix.install_dist.run }} # Get the dist-manifest - name: Fetch local artifacts - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: pattern: artifacts-* path: target/distrib/ @@ -158,7 +158,7 @@ jobs: cp dist-manifest.json "$BUILD_MANIFEST_NAME" - name: "Upload artifacts" - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: artifacts-build-local-${{ join(matrix.targets, '_') }} path: | @@ -175,19 +175,19 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} BUILD_MANIFEST_NAME: target/distrib/global-dist-manifest.json steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 with: persist-credentials: false submodules: recursive - name: Install cached dist - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: cargo-dist-cache path: ~/.cargo/bin/ - run: chmod +x ~/.cargo/bin/dist # Get all the local artifacts for the global tasks to use (for e.g. checksums) - name: Fetch local artifacts - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: pattern: artifacts-* path: target/distrib/ @@ -205,7 +205,7 @@ jobs: cp dist-manifest.json "$BUILD_MANIFEST_NAME" - name: "Upload artifacts" - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: artifacts-build-global path: | @@ -225,19 +225,19 @@ jobs: outputs: val: ${{ steps.host.outputs.manifest }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 with: persist-credentials: false submodules: recursive - name: Install cached dist - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: cargo-dist-cache path: ~/.cargo/bin/ - run: chmod +x ~/.cargo/bin/dist # Fetch artifacts from scratch-storage - name: Fetch artifacts - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: pattern: artifacts-* path: target/distrib/ @@ -250,14 +250,14 @@ jobs: cat dist-manifest.json echo "manifest=$(jq -c "." dist-manifest.json)" >> "$GITHUB_OUTPUT" - name: "Upload dist-manifest.json" - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: # Overwrite the previous copy name: artifacts-dist-manifest path: dist-manifest.json # Create a GitHub Release while uploading all files to it - name: "Download GitHub Artifacts" - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: pattern: artifacts-* path: artifacts @@ -290,7 +290,7 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 with: persist-credentials: false submodules: recursive diff --git a/.github/workflows/scheduled-audit.yml b/.github/workflows/scheduled-audit.yml index d120038..efe5f84 100644 --- a/.github/workflows/scheduled-audit.yml +++ b/.github/workflows/scheduled-audit.yml @@ -11,7 +11,7 @@ jobs: audit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: rustsec/audit-check@v2.0.0 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0 with: token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/tag-and-publish.yml b/.github/workflows/tag-and-publish.yml index affbb16..2265b1b 100644 --- a/.github/workflows/tag-and-publish.yml +++ b/.github/workflows/tag-and-publish.yml @@ -17,15 +17,15 @@ jobs: steps: - &checkout name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3 with: fetch-depth: 0 persist-credentials: false - &install-rust name: Install Rust toolchain - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1 - name: Run release-plz - uses: release-plz/action@v0.5 + uses: release-plz/action@4a08fbe6cb1bb0e4d066058e6efcf50f352db236 # v0.5.129 with: command: release env: @@ -45,7 +45,7 @@ jobs: - *checkout - *install-rust - name: Run release-plz - uses: release-plz/action@v0.5 + uses: release-plz/action@4a08fbe6cb1bb0e4d066058e6efcf50f352db236 # v0.5.129 with: command: release-pr env: From 0130e581764a3745eb1ec28e3b320c44d5ceafbd Mon Sep 17 00:00:00 2001 From: Sven Pistre <100095453+SvenPistre@users.noreply.github.com> Date: Wed, 10 Jun 2026 21:05:52 +0200 Subject: [PATCH 2/6] ci: update GitHub actions updates via dependabot --- .github/dependabot.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 58818df..0ff0f2a 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,7 +5,10 @@ updates: directory: "/" schedule: interval: "weekly" - ignore: - - dependency-name: "*" - update-types: - - "version-update:semver-patch" + groups: + github-actions: + # Group all GitHub Actions updates together + patterns: + - "*" + cooldown: + default-days: 7 From e515663a3071efc3b30306b0ce3497d47e06a3a0 Mon Sep 17 00:00:00 2001 From: Sven Pistre <100095453+SvenPistre@users.noreply.github.com> Date: Wed, 10 Jun 2026 21:15:00 +0200 Subject: [PATCH 3/6] ci: run `zizmor . --fix=all` --- .github/workflows/audit-on-push.yml | 2 ++ .github/workflows/docker.yml | 16 +++++++++++++--- .github/workflows/general.yml | 8 ++++++++ .github/workflows/release.yml | 11 ++++++++--- .github/workflows/scheduled-audit.yml | 2 ++ 5 files changed, 33 insertions(+), 6 deletions(-) diff --git a/.github/workflows/audit-on-push.yml b/.github/workflows/audit-on-push.yml index d7af6a5..4c6b418 100644 --- a/.github/workflows/audit-on-push.yml +++ b/.github/workflows/audit-on-push.yml @@ -14,6 +14,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0 with: token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index cdce7b9..7a38b90 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -26,6 +26,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Login to DockerHub @@ -148,6 +150,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - name: Set up QEMU uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 - name: Set up Docker Buildx @@ -160,7 +164,7 @@ jobs: - name: Determine if canonical image exists id: canonical_status run: | - CHEF_PACKAGE_VERSION=${{ needs.resolve_inputs.outputs.package_version }} + CHEF_PACKAGE_VERSION=${NEEDS_RESOLVE_INPUTS_OUTPUTS_PACKAGE_VERSION} GROUP_KEY='${{ matrix.group_entry.group_key }}' GROUP_KEY_TAG=$(printf '%s' "$GROUP_KEY" | shasum -a 256 | cut -c1-16) CANONICAL_IMAGE=$DOCKER_REPO:$CHEF_PACKAGE_VERSION-base-$GROUP_KEY_TAG @@ -172,10 +176,12 @@ jobs: echo "Canonical image does not exist for group $GROUP_KEY_TAG. Building." echo "result=true" >> "$GITHUB_OUTPUT" fi + env: + NEEDS_RESOLVE_INPUTS_OUTPUTS_PACKAGE_VERSION: ${{ needs.resolve_inputs.outputs.package_version }} - name: Build and push canonical image if: ${{ steps.canonical_status.outputs.result == 'true' }} run: | - CHEF_PACKAGE_VERSION=${{ needs.resolve_inputs.outputs.package_version }} + CHEF_PACKAGE_VERSION=${NEEDS_RESOLVE_INPUTS_OUTPUTS_PACKAGE_VERSION} RUST_IMAGE_TAG=${{ matrix.group_entry.representative_rust_tag }} GROUP_KEY='${{ matrix.group_entry.group_key }}' GROUP_KEY_TAG=$(printf '%s' "$GROUP_KEY" | shasum -a 256 | cut -c1-16) @@ -194,6 +200,8 @@ jobs: --platform "$PLATFORMS" \ --push \ ./docker + env: + NEEDS_RESOLVE_INPUTS_OUTPUTS_PACKAGE_VERSION: ${{ needs.resolve_inputs.outputs.package_version }} publish_group_aliases: name: Publish group aliases needs: [resolve_inputs, build_unique_images] @@ -215,7 +223,7 @@ jobs: run: | set -euo pipefail - CHEF_PACKAGE_VERSION=${{ needs.resolve_inputs.outputs.package_version }} + CHEF_PACKAGE_VERSION=${NEEDS_RESOLVE_INPUTS_OUTPUTS_PACKAGE_VERSION} GROUP_KEY='${{ matrix.group_entry.group_key }}' GROUP_KEY_TAG=$(printf '%s' "$GROUP_KEY" | shasum -a 256 | cut -c1-16) CANONICAL_IMAGE=$DOCKER_REPO:$CHEF_PACKAGE_VERSION-base-$GROUP_KEY_TAG @@ -244,3 +252,5 @@ jobs: fi docker buildx imagetools create "${tag_args[@]}" "$CANONICAL_IMAGE" + env: + NEEDS_RESOLVE_INPUTS_OUTPUTS_PACKAGE_VERSION: ${{ needs.resolve_inputs.outputs.package_version }} diff --git a/.github/workflows/general.yml b/.github/workflows/general.yml index 8483759..77a866e 100644 --- a/.github/workflows/general.yml +++ b/.github/workflows/general.yml @@ -15,6 +15,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1 - run: cargo test @@ -23,6 +25,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1 with: components: rustfmt @@ -33,6 +37,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1 with: components: clippy @@ -44,6 +50,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - name: Install stable toolchain uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8f336a2..127bfab 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -195,7 +195,7 @@ jobs: - id: cargo-dist shell: bash run: | - dist build ${{ needs.plan.outputs.tag-flag }} --output-format=json "--artifacts=global" > dist-manifest.json + dist build ${NEEDS_PLAN_OUTPUTS_TAG_FLAG} --output-format=json "--artifacts=global" > dist-manifest.json echo "dist ran successfully" # Parse out what we just built and upload it to scratch storage @@ -204,6 +204,8 @@ jobs: echo "EOF" >> "$GITHUB_OUTPUT" cp dist-manifest.json "$BUILD_MANIFEST_NAME" + env: + NEEDS_PLAN_OUTPUTS_TAG_FLAG: ${{ needs.plan.outputs.tag-flag }} - name: "Upload artifacts" uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: @@ -245,10 +247,12 @@ jobs: - id: host shell: bash run: | - dist host ${{ needs.plan.outputs.tag-flag }} --steps=upload --steps=release --output-format=json > dist-manifest.json + dist host ${NEEDS_PLAN_OUTPUTS_TAG_FLAG} --steps=upload --steps=release --output-format=json > dist-manifest.json echo "artifacts uploaded and released successfully" cat dist-manifest.json echo "manifest=$(jq -c "." dist-manifest.json)" >> "$GITHUB_OUTPUT" + env: + NEEDS_PLAN_OUTPUTS_TAG_FLAG: ${{ needs.plan.outputs.tag-flag }} - name: "Upload dist-manifest.json" uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: @@ -272,11 +276,12 @@ jobs: ANNOUNCEMENT_TITLE: "${{ fromJson(steps.host.outputs.manifest).announcement_title }}" ANNOUNCEMENT_BODY: "${{ fromJson(steps.host.outputs.manifest).announcement_github_body }}" RELEASE_COMMIT: "${{ github.sha }}" + NEEDS_PLAN_OUTPUTS_TAG: ${{ needs.plan.outputs.tag }} run: | # Write and read notes from a file to avoid quoting breaking things echo "$ANNOUNCEMENT_BODY" > $RUNNER_TEMP/notes.txt - gh release create "${{ needs.plan.outputs.tag }}" --target "$RELEASE_COMMIT" $PRERELEASE_FLAG --title "$ANNOUNCEMENT_TITLE" --notes-file "$RUNNER_TEMP/notes.txt" artifacts/* + gh release create "${NEEDS_PLAN_OUTPUTS_TAG}" --target "$RELEASE_COMMIT" $PRERELEASE_FLAG --title "$ANNOUNCEMENT_TITLE" --notes-file "$RUNNER_TEMP/notes.txt" artifacts/* announce: needs: diff --git a/.github/workflows/scheduled-audit.yml b/.github/workflows/scheduled-audit.yml index efe5f84..392db29 100644 --- a/.github/workflows/scheduled-audit.yml +++ b/.github/workflows/scheduled-audit.yml @@ -12,6 +12,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0 with: token: ${{ secrets.GITHUB_TOKEN }} From 8b94fa586cb34aff4617d603018f9d7d1abdee83 Mon Sep 17 00:00:00 2001 From: Sven Pistre <100095453+SvenPistre@users.noreply.github.com> Date: Wed, 10 Jun 2026 21:15:01 +0200 Subject: [PATCH 4/6] ci: tighten permissions --- .github/workflows/release.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 127bfab..faefab1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,7 +15,7 @@ name: Release permissions: - "contents": "write" + contents: read # This task will run whenever you push a git tag that looks like a version # like "1.0.0", "v0.1.0-prerelease.1", "my-app/0.1.0", "releases/v1.0.0", etc. @@ -47,6 +47,8 @@ on: jobs: # Run 'dist plan' (or host) to determine what tasks we need to do plan: + permissions: + contents: write runs-on: "ubuntu-22.04" outputs: val: ${{ steps.plan.outputs.manifest }} @@ -223,6 +225,8 @@ jobs: if: ${{ always() && needs.plan.result == 'success' && needs.plan.outputs.publishing == 'true' && (needs.build-global-artifacts.result == 'skipped' || needs.build-global-artifacts.result == 'success') && (needs.build-local-artifacts.result == 'skipped' || needs.build-local-artifacts.result == 'success') }} env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + permissions: + contents: write runs-on: "ubuntu-22.04" outputs: val: ${{ steps.host.outputs.manifest }} From dadec551ee52cad80d9d1066997de01602bca379 Mon Sep 17 00:00:00 2001 From: Sven Pistre <100095453+SvenPistre@users.noreply.github.com> Date: Wed, 10 Jun 2026 21:15:04 +0200 Subject: [PATCH 5/6] ci: separate template expansion from shell parsing --- .github/workflows/release.yml | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index faefab1..c09ce61 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -78,8 +78,14 @@ jobs: # (PRs run on the *source* but secrets are usually on the *target* -- that's *good* # but also really annoying to build CI around when it needs secrets to work right.) - id: plan + env: + IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} run: | - dist ${{ (!github.event.pull_request && format('host --steps=create --tag={0}', github.ref_name)) || 'plan' }} --output-format=json > plan-dist-manifest.json + if [ "$IS_PULL_REQUEST" = "true" ]; then + dist plan --output-format=json > plan-dist-manifest.json + else + dist host --steps=create --tag="$GITHUB_REF_NAME" --output-format=json > plan-dist-manifest.json + fi echo "dist ran successfully" cat plan-dist-manifest.json echo "manifest=$(jq -c "." plan-dist-manifest.json)" >> "$GITHUB_OUTPUT" @@ -110,7 +116,7 @@ jobs: # - N "local" tasks that build each platform's binaries and platform-specific installers matrix: ${{ fromJson(needs.plan.outputs.val).ci.github.artifacts_matrix }} runs-on: ${{ matrix.runner }} - container: ${{ matrix.container && matrix.container.image || null }} + container: ${{ matrix.container && matrix.container.image || null }} # zizmor: ignore[unpinned-images] dynamic matrix from cargo-dist env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} BUILD_MANIFEST_NAME: target/distrib/${{ join(matrix.targets, '-') }}-dist-manifest.json @@ -130,7 +136,11 @@ jobs: echo "$HOME/.cargo/bin" >> $GITHUB_PATH fi - name: Install dist - run: ${{ matrix.install_dist.run }} + shell: bash + env: + MATRIX_INSTALL_DIST_RUN: ${{ matrix.install_dist.run }} + run: | + eval "$MATRIX_INSTALL_DIST_RUN" # Get the dist-manifest - name: Fetch local artifacts uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 @@ -139,12 +149,18 @@ jobs: path: target/distrib/ merge-multiple: true - name: Install dependencies + shell: bash + env: + MATRIX_PACKAGES_INSTALL: ${{ matrix.packages_install }} run: | - ${{ matrix.packages_install }} + eval "$MATRIX_PACKAGES_INSTALL" - name: Build artifacts + env: + NEEDS_PLAN_OUTPUTS_TAG_FLAG: ${{ needs.plan.outputs.tag-flag }} + MATRIX_DIST_ARGS: ${{ matrix.dist_args }} run: | # Actually do builds and make zips and whatnot - dist build ${{ needs.plan.outputs.tag-flag }} --print=linkage --output-format=json ${{ matrix.dist_args }} > dist-manifest.json + dist build ${NEEDS_PLAN_OUTPUTS_TAG_FLAG} --print=linkage --output-format=json ${MATRIX_DIST_ARGS} > dist-manifest.json echo "dist ran successfully" - id: cargo-dist name: Post-build From 2d36bb354484c3d0a510eda3a091f613c937f397 Mon Sep 17 00:00:00 2001 From: Sven Pistre <100095453+SvenPistre@users.noreply.github.com> Date: Wed, 10 Jun 2026 21:21:33 +0200 Subject: [PATCH 6/6] ci: add zizmor job --- .github/workflows/general.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/workflows/general.yml b/.github/workflows/general.yml index 77a866e..228881b 100644 --- a/.github/workflows/general.yml +++ b/.github/workflows/general.yml @@ -62,3 +62,18 @@ jobs: checksum: true - name: Run cargo-tarpaulin run: cargo tarpaulin --ignore-tests + + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + annotations: true + advanced-security: false