
[skip-changelog]: Combine low-risk Dependabot action updates #299

Merged

erskingardner merged 1 commit into master from codex/combine-low-risk-dependabot-actions on May 14, 2026

Conversation

@erskingardner
Member

@erskingardner erskingardner commented May 14, 2026

Summary

Security review

  • taiki-e/install-action moves from v2.77.1 to v2.77.7, pinned to 3235f8901fd37ffed0052b276cec25a362fb82e9.
  • extractions/setup-just moves from v2.0.0 to v4.0.0, pinned to 53165ef7e734c5c07cb06b3c8e7b647c5aa16db3.
  • rubygems/configure-rubygems-credentials moves from v1.0.0 to v2.0.0, pinned to 762a4b77c3300434bb57c7ce80b20e36231927aa.
  • The libcrux advisory remains tracked explicitly as an audit ignore rather than being hidden by a passing workflow.

Validation

  • bash scripts/check-github-actions-pinned.sh
  • actionlint .github/workflows/*.yml
  • just precommit

This PR combines three lower-risk Dependabot workflow updates that bump GitHub Action dependencies to newer pinned versions and adds explicit audit ignore configuration for a known advisory. The changes modernize the CI/CD infrastructure while maintaining security pin integrity across the build and packaging workflows.

What changed:

  • Updated taiki-e/install-action from v2.77.1 to v2.77.7 (pinned to commit 3235f8901fd37ffed0052b276cec25a362fb82e9) in the test and audit jobs in ci.yml and the coverage job in coverage.yml.
  • Upgraded extractions/setup-just from v2.0.0 to v4.0.0 (pinned to commit 53165ef7e734c5c07cb06b3c8e7b647c5aa16db3) across the Swift, Python, Ruby, and Kotlin packaging jobs in package-mdk-bindings.yml.
  • Upgraded rubygems/configure-rubygems-credentials from v1.0.0 to v2.0.0 (pinned to commit 762a4b77c3300434bb57c7ce80b20e36231927aa) in the Ruby publishing job in package-mdk-bindings.yml.
  • Added explicit audit ignore flag --ignore RUSTSEC-2026-0124 to the cargo audit invocations in both ci.yml and justfile.

Security impact:

  • The RUSTSEC-2026-0124 advisory is now explicitly tracked as an audit ignore rather than being masked by passing workflows, improving visibility of known issues.
  • All GitHub Action dependencies were updated to newer versions with verified commit pins maintained throughout the workflows.
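The validation step above runs the repository's own `scripts/check-github-actions-pinned.sh`; the script below is an added example in the same spirit, not that script and not the project's code. It flags every `uses:` reference whose ref after `@` is not a full 40-character commit SHA (the pinning style shown in the PR description, with the version kept in a trailing comment), and runs against two constructed workflow snippets; the `check_pins` name and the sample files are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical, not the project's scripts/check-github-actions-pinned.sh):
# flag every `uses:` reference in a workflow file whose ref after '@' is not a
# full 40-hex commit SHA. The human-readable version goes in a trailing
# comment, which is the pinning style the PR description shows, e.g.
#   uses: taiki-e/install-action@3235f8901fd37ffed0052b276cec25a362fb82e9 # v2.77.7

# check_pins FILE...: prints each unpinned reference, returns 1 if any was found
check_pins() {
  rc=0
  for file in "$@"; do
    while IFS= read -r line; do
      case "$line" in *uses:*) ;; *) continue ;; esac
      ref=${line#*uses:}                              # drop the key
      ref=${ref%%#*}                                  # drop the trailing version comment
      ref=$(printf '%s' "$ref" | tr -d ' \t"'"'")     # drop whitespace and quotes
      # local composite actions and docker images are not SHA-pinnable here
      case "$ref" in ./*|docker://*) continue ;; esac
      sha=${ref#*@}
      if [ "$sha" = "$ref" ] || ! printf '%s\n' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
        printf '%s: unpinned: %s\n' "$file" "$ref"
        rc=1
      fi
    done < "$file"
  done
  return $rc
}

# Constructed sample workflows for a stand-alone run (not from the repository)
WORK=$(mktemp -d)
cat > "$WORK/pinned.yml" <<'EOF'
jobs:
  test:
    steps:
      - uses: taiki-e/install-action@3235f8901fd37ffed0052b276cec25a362fb82e9 # v2.77.7
      - uses: ./.github/actions/local-step
EOF
cat > "$WORK/unpinned.yml" <<'EOF'
jobs:
  publish:
    steps:
      - uses: extractions/setup-just@v4.0.0
      - uses: rubygems/configure-rubygems-credentials@main
EOF

check_pins "$WORK/pinned.yml" "$WORK/unpinned.yml" || echo "unpinned action references found"
```

A tag such as `v4.0.0` or a branch such as `main` passes a version bump but can be re-pointed upstream; the SHA is what makes the Dependabot update auditable, so the check should be a required CI step, not a local convenience.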


@coderabbitai

coderabbitai Bot commented May 14, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c3b7546a-f560-4573-90f3-5723f33649d8

📥 Commits

Reviewing files that changed from the base of the PR and between 28ee7ba and 4474978.

📒 Files selected for processing (4)
  • .github/workflows/ci.yml
  • .github/workflows/coverage.yml
  • .github/workflows/package-mdk-bindings.yml
  • justfile

📝 Walkthrough

Walkthrough

This PR updates GitHub action versions pinned across CI, coverage, and packaging workflows, including taiki-e/install-action, extractions/setup-just, and rubygems/configure-rubygems-credentials. It also configures the audit tasks to ignore security advisory RUSTSEC-2026-0124 in both the CI workflow and justfile.

Changes

CI and Build Tool Dependency Updates

Layer: Tool installer action version updates
File(s): .github/workflows/ci.yml, .github/workflows/coverage.yml, .github/workflows/package-mdk-bindings.yml
Summary: taiki-e/install-action is pinned from v2.77.1 to v2.77.7 in test and coverage jobs; extractions/setup-just is upgraded from v2 to v4.0.0 across Swift, Python, Ruby, and Kotlin packaging jobs; rubygems/configure-rubygems-credentials is upgraded from v1.0.0 to v2.0.0 in the Ruby publishing job.

Layer: Security audit advisory ignore configuration
File(s): .github/workflows/ci.yml, justfile
Summary: Audit tasks in both the CI workflow and local justfile are configured to ignore the RUSTSEC-2026-0124 advisory via the --ignore flag.

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly Related PRs

  • marmot-protocol/mdk#279: Both PRs modify GitHub workflow action references—this PR bumps taiki-e/install-action pins and other actions, while #279 introduces/enforces SHA-pinning for actions including those same installers.

Suggested Labels

security

Suggested Reviewers

  • mubarakcoded
  • jgmontoya
  • dannym-arx
🚥 Pre-merge checks | ✅ 6

✅ Passed checks (6 passed)

  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: combining multiple low-risk Dependabot action version updates across workflow files.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • No Sensitive Identifier Leakage: Passed. PR modifies only YAML workflows and justfile, not Rust source code. The check targets logging patterns in .rs files which are not changed here.


@erskingardner erskingardner changed the title [codex] Combine low-risk Dependabot action updates [skip-changelog]: Combine low-risk Dependabot action updates May 14, 2026
@erskingardner erskingardner marked this pull request as ready for review May 14, 2026 10:12
@erskingardner erskingardner merged commit 134d6a9 into master May 14, 2026
22 of 23 checks passed
@erskingardner erskingardner deleted the codex/combine-low-risk-dependabot-actions branch May 14, 2026 10:53