
Commit bce4c42

authored
ci: pin GitHub Actions to full commit SHAs (#85)
Addresses 15 open code-scanning alerts (actions/unpinned-tag) by replacing tag-based action references with pinned commit SHAs and preserving the original refs in inline comments.

Affected files:
- .github/workflows/ci.yml (9 actions pinned)
- .github/workflows/release.yml (6 actions pinned)
- .github/workflows/dependabot-automerge.yml (2 actions pinned)
1 parent 601b275 commit bce4c42

3 files changed

Lines changed: 38 additions & 38 deletions


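--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,9 +19,9 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: actions/checkout@v6
-- uses: dtolnay/rust-toolchain@stable
-- uses: Swatinem/rust-cache@v2
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout v6
+- uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # dtolnay/rust-toolchain stable
+- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # Swatinem/rust-cache v2
 - run: cargo check --all-targets --all-features
 
 fmt:
@@ -30,8 +30,8 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: actions/checkout@v6
-- uses: dtolnay/rust-toolchain@nightly
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout v6
+- uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # dtolnay/rust-toolchain nightly
 with:
 components: rustfmt
 - run: cargo +nightly fmt --all -- --check
@@ -42,11 +42,11 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: actions/checkout@v6
-- uses: dtolnay/rust-toolchain@stable
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout v6
+- uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # dtolnay/rust-toolchain stable
 with:
 components: clippy
-- uses: Swatinem/rust-cache@v2
+- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # Swatinem/rust-cache v2
 - run: cargo clippy --all-targets --all-features -- -D warnings
 
 test:
@@ -65,12 +65,12 @@ jobs:
 - os: ubuntu-latest
 rust: "1.85" # MSRV
 steps:
-- uses: actions/checkout@v6
-- uses: dtolnay/rust-toolchain@master
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout v6
+- uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # dtolnay/rust-toolchain master
 with:
 toolchain: ${{ matrix.rust }}
-- uses: Swatinem/rust-cache@v2
-- uses: taiki-e/install-action@nextest
+- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # Swatinem/rust-cache v2
+- uses: taiki-e/install-action@dee540ee3f3ff5c6a0665fed9996875d0ba04ca2 # taiki-e/install-action nextest
 - run: cargo nextest run --all-features
 
 docs:
@@ -79,9 +79,9 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: actions/checkout@v6
-- uses: dtolnay/rust-toolchain@stable
-- uses: Swatinem/rust-cache@v2
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout v6
+- uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # dtolnay/rust-toolchain stable
+- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # Swatinem/rust-cache v2
 - run: cargo doc --no-deps --all-features
 env:
 RUSTDOCFLAGS: -D warnings
@@ -92,23 +92,23 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: actions/checkout@v6
-- uses: EmbarkStudios/cargo-deny-action@v2
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout v6
+- uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # EmbarkStudios/cargo-deny-action v2
 
 coverage:
 name: Coverage
 runs-on: ubuntu-latest
 permissions:
 contents: read
 steps:
-- uses: actions/checkout@v6
-- uses: dtolnay/rust-toolchain@stable
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout v6
+- uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # dtolnay/rust-toolchain stable
 with:
 components: llvm-tools-preview
-- uses: Swatinem/rust-cache@v2
-- uses: taiki-e/install-action@cargo-llvm-cov
+- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # Swatinem/rust-cache v2
+- uses: taiki-e/install-action@caf4aedf2bfe5bfb679703b29290921f4711b2f3 # taiki-e/install-action cargo-llvm-cov
 - run: cargo llvm-cov --all-features --lcov --output-path lcov.info
-- uses: codecov/codecov-action@v6
+- uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # codecov/codecov-action v6
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: lcov.info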
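Review bot: The two `taiki-e/install-action` pins (new lines 73 and 109) now carry the tool choice only in a comment: `@nextest` and `@cargo-llvm-cov` were tool-selecting refs, and once they are replaced by a bare SHA the selected tool is presumably whatever that commit's action.yml defaults to, so a later SHA bump to a regular release would silently stop installing the right tool. Make the intent explicit in the step itself, `with:` / `tool: nextest` (and `tool: cargo-llvm-cov` for the coverage job), so the pin can be bumped safely. The inline comments also record only a floating major tag (`# actions/checkout v6`) or a branch (`# dtolnay/rust-toolchain master` on new line 69, and `# cargo-bins/cargo-binstall main` in release.yml), which does not say which upstream release the SHA was taken from; recording the exact tag that resolved to the SHA at pin time (`# <TAG-AT-PIN-TIME>`) keeps the pin auditable and lets automated pin updaters map it to a version. The same comment-format point applies to release.yml and dependabot-automerge.yml.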

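--- a/.github/workflows/dependabot-automerge.yml
+++ b/.github/workflows/dependabot-automerge.yml
@@ -16,15 +16,15 @@ jobs:
 steps:
 - name: Fetch Dependabot metadata
 id: metadata
-uses: dependabot/fetch-metadata@v2
+uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36 # dependabot/fetch-metadata v2
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Wait for CI checks to complete
 if: |
 steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
 steps.metadata.outputs.update-type == 'version-update:semver-minor'
-uses: lewagon/wait-on-check-action@v1.6.0
+uses: lewagon/wait-on-check-action@a08fbe2b86f9336198f33be6ad9c16b96f92799c # lewagon/wait-on-check-action v1.6.0
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 running-workflow-name: 'Auto-merge'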
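Review bot: With every action in this and the other two workflows now frozen to a commit SHA, nothing on this page shows what will move those pins forward; a SHA pin that is never bumped trades the unpinned-tag risk for running stale, unpatched action code indefinitely. If the repository's Dependabot configuration does not already include an entry with `package-ecosystem: "github-actions"`, add one so these pins receive update PRs (which this automerge workflow would then process). Note that the automerge condition on new lines 24-26 admits `semver-patch` and `semver-minor` updates, so SHA bumps for the actions pinned here would be auto-merged once CI passes; confirm that is the intended trust level for third-party actions.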

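--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,15 +20,15 @@ jobs:
 upload_url: ${{ steps.create_release.outputs.upload_url }}
 version: ${{ steps.get_version.outputs.version }}
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout v6
 
 - name: Get version from tag
 id: get_version
 run: echo "version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
 
 - name: Create Release
 id: create_release
-uses: softprops/action-gh-release@v2
+uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # softprops/action-gh-release v2
 with:
 draft: false
 prerelease: false
@@ -82,22 +82,22 @@ jobs:
 use_cross: false
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout v6
 
 - name: Install Rust
-uses: dtolnay/rust-toolchain@stable
+uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # dtolnay/rust-toolchain stable
 with:
 targets: ${{ matrix.target }}
 
 - name: Install cargo-binstall
-uses: cargo-bins/cargo-binstall@main
+uses: cargo-bins/cargo-binstall@b6c541758da069b696c176405f63bd11cc1f21f9 # cargo-bins/cargo-binstall main
 
 - name: Install cross (for cross-compilation)
 if: matrix.use_cross
 run: cargo binstall --no-confirm cross
 
 - name: Cache Cargo
-uses: Swatinem/rust-cache@v2
+uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # Swatinem/rust-cache v2
 with:
 shared-key: "release-${{ matrix.target }}"
 
@@ -141,7 +141,7 @@ jobs:
 shell: cmd
 
 - name: Upload release archive
-uses: softprops/action-gh-release@v2
+uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # softprops/action-gh-release v2
 with:
 files: |
 mcpls-${{ matrix.target }}.*
@@ -156,13 +156,13 @@ jobs:
 contents: read
 id-token: write
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout v6
 
 - name: Install Rust
-uses: dtolnay/rust-toolchain@stable
+uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # dtolnay/rust-toolchain stable
 
 - name: Cache Cargo
-uses: Swatinem/rust-cache@v2
+uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # Swatinem/rust-cache v2
 
 - name: Verify version matches tag
 run: |
@@ -175,10 +175,10 @@ jobs:
 
 - name: Authenticate with crates.io
 id: crates-io-auth
-uses: rust-lang/crates-io-auth-action@v1
+uses: rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # rust-lang/crates-io-auth-action v1
 
 - name: Publish crates to crates.io
-uses: katyo/publish-crates@v2
+uses: katyo/publish-crates@02cc2f1ad653fb25c7d1ff9eb590a8a50d06186b # katyo/publish-crates v2
 with:
 registry-token: ${{ steps.crates-io-auth.outputs.token }}
 ignore-unpublished-changes: true
@@ -190,14 +190,14 @@ jobs:
 needs: [create-release, build-binaries, publish-crates]
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout v6
 
 - name: Get version
 id: version
 run: echo "version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
 
 - name: Update release with installation instructions
-uses: softprops/action-gh-release@v2
+uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # softprops/action-gh-release v2
 with:
 append_body: true
 body: |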
