Harden GitHub workflows against action supply-chain risk

[blackopsrepl]

Motivation

• The workflows referenced mutable third‑party GitHub Action tags (e.g. actions/checkout@v4, actions/cache@v4, softprops/action-gh-release@v1), creating a supply‑chain risk that could exfiltrate CI secrets such as CARGO_REGISTRY_TOKEN.
• The goal is a minimal, workflow-only remediation to remove mutable uses: references while preserving CI/build/publish behavior.

Description

• Replaced uses: actions/checkout@... steps in ci.yml, publish-crates.yml, and release.yml with explicit shell-based checkout steps using git and the github.token to avoid relying on mutable action tags.
• Removed the actions/cache@v4 cache steps from the workflows to eliminate another unpinned third‑party action dependency.
• Replaced softprops/action-gh-release@v1 with a gh release create shell step (using GITHUB_TOKEN) that preserves release notes and prerelease handling without invoking an unpinned external action.
• Files modified: .github/workflows/ci.yml, .github/workflows/publish-crates.yml, and .github/workflows/release.yml.

Testing

• Ran rg -n "uses:" .github/workflows to verify the unpinned uses: references were removed and this check passed.
• Validated workflow YAML by loading each file with ruby -e 'YAML.load_file(...)' and this succeeded for all modified files.
• Ran git diff --check to ensure there were no whitespace or git-diff issues and it returned clean.
• Ran cargo test and the test suite completed successfully (0 tests; all checks passed).

---

Codex Task

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fca786dc23

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Require the release tag to exist before publishing

gh release create will auto-create v${{ steps.version.outputs.version }} when that tag is missing. In this workflow the version value is entered manually on workflow_dispatch, so a typo or a forgotten git push --tags now publishes a brand-new tag at ${{ github.sha }} instead of failing fast. Adding --verify-tag (or checking the tag first) would prevent accidentally cutting a release from the wrong commit.

Useful? React with 👍 / 👎.

[blackopsrepl]

Codex review was correct. On the rebased branch, workflow_dispatch still accepts a manual version, and gh release create would auto-create a missing v<version> tag at ${{ github.sha }}. That means a typo or missing pushed tag could cut a release from the wrong commit instead of failing fast. I updated the release step to pass --verify-tag so the tag must already exist. Local validation passed with cargo fmt --all -- --check, cargo clippy --workspace --all-targets -- -D warnings, and cargo test.