From 0a0894dcba9d1ba86aa28dfe2d3c022454aa8566 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Feb 2026 11:12:21 +0000 Subject: [PATCH 1/3] ci(deps): bump actions/checkout from 6.0.1 to 6.0.2 Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/8e8c483db84b4bee98b60c0593521ed34d9990e8...de0fac2e4500dabe0009e67214ff5f5447ce83dd) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/cargo_hack.yml | 2 +- .github/workflows/ci.yaml | 24 ++++++++++++------------ .github/workflows/codeql.yml | 2 +- .github/workflows/devskim.yml | 2 +- .github/workflows/release-plz.yml | 4 ++-- .github/workflows/scorecards.yml | 2 +- 6 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/cargo_hack.yml b/.github/workflows/cargo_hack.yml
index 006d205c6..661f3b962 100644
--- a/.github/workflows/cargo_hack.yml
+++ b/.github/workflows/cargo_hack.yml
@@ -26,7 +26,7 @@ jobs:
 uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
 with:
 egress-policy: audit
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 4345d194f..8f8a8ae46 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -36,7 +36,7 @@ jobs:
 egress-policy: audit
 - name: 'Checkout Repository'
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: 'Dependency Review'
@@ -78,7 +78,7 @@ jobs:
 with:
 egress-policy: audit
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - run: rustup toolchain add ${{ matrix.rust }} && rustup default ${{ matrix.rust }}
@@ -110,7 +110,7 @@ jobs:
 - name: Conditionally set env
 if: matrix.browser_flags != '--node' # if browser testing
 run: echo "WASM_BINDGEN_USE_BROWSER=1" >> $GITHUB_ENV
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
@@ -139,7 +139,7 @@ jobs:
 with:
 egress-policy: audit
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
@@ -168,7 +168,7 @@ jobs:
 with:
 egress-policy: audit
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - uses: obi1kenobi/cargo-semver-checks-action@5b298c9520f7096a4683c0bd981a7ac5a7e249ae # v2.8
@@ -184,7 +184,7 @@ jobs:
 with:
 egress-policy: audit
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
@@ -210,7 +210,7 @@ jobs:
 with:
 egress-policy: audit
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - run: rustup toolchain add nightly && rustup default nightly
@@ -235,7 +235,7 @@ jobs:
 with:
 egress-policy: audit
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - run: rustup toolchain add nightly && rustup default nightly && rustup component add clippy
@@ -261,7 +261,7 @@ jobs:
 with:
 egress-policy: audit
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - run: rustup toolchain add nightly && rustup default nightly && rustup component add clippy
@@ -319,7 +319,7 @@ jobs:
 with:
 egress-policy: audit
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - run: rustup toolchain add nightly && rustup default nightly && rustup component add clippy
@@ -369,7 +369,7 @@ jobs:
 with:
 egress-policy: audit
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - run: rustup toolchain add nightly && rustup default nightly && rustup component add clippy
@@ -427,7 +427,7 @@ jobs:
 with:
 egress-policy: audit
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - run: rustup toolchain add nightly && rustup default nightly && rustup component add clippy
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 7d4084497..512bb3510 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -66,7 +66,7 @@ jobs:
 egress-policy: audit
 - name: Checkout repository
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml
index 064febf99..0828edbe8 100644
--- a/.github/workflows/devskim.yml
+++ b/.github/workflows/devskim.yml
@@ -38,7 +38,7 @@ jobs:
 egress-policy: audit
 - name: Checkout code
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml
index adb52a11f..0381aa4e7 100644
--- a/.github/workflows/release-plz.yml
+++ b/.github/workflows/release-plz.yml
@@ -23,7 +23,7 @@ jobs:
 egress-policy: audit
 - name: Checkout repository
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 token: ${{ secrets.RELEASE_PLZ_PAT }}
@@ -58,7 +58,7 @@ jobs:
 egress-policy: audit
 - name: Checkout repository
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 token: ${{ secrets.RELEASE_PLZ_PAT }}
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index b91527c9e..4f0d2a618 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -44,7 +44,7 @@ jobs:
 egress-policy: audit
 - name: "Checkout code"
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
From 1a3361ef07d58376e44e960c9629aec965fc37f6 Mon Sep 17 00:00:00 2001 From: Chris Hennick <4961925+Pr0methean@users.noreply.github.com> Date: Mon, 2 Feb 2026 10:24:27 -0800 Subject: [PATCH 2/3] Add check for ACTIONS_RECURSIVE_PRIVATE_KEY secret Signed-off-by: Chris Hennick <4961925+Pr0methean@users.noreply.github.com> --- .github/workflows/auto_merge_prs.yml | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/auto_merge_prs.yml b/.github/workflows/auto_merge_prs.yml
index 0dafcda04..3e61f2e57 100644
--- a/.github/workflows/auto_merge_prs.yml
+++ b/.github/workflows/auto_merge_prs.yml
@@ -14,6 +14,12 @@ jobs:
 uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
 with:
 egress-policy: audit
+ - name: Check that private key is set
+ run: |
+ if [ -z "${{ secrets.ACTIONS_RECURSIVE_PRIVATE_KEY }}" ]; then
+ echo "Error: ACTIONS_RECURSIVE_PRIVATE_KEY secret is not set!"
+ exit 1
+ fi
 - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
 with:
 app-id: 2754721
From 7a51de84312e3ee950dfeec87d28e19ce3f550f2 Mon Sep 17 00:00:00 2001 From: Chris Hennick <4961925+Pr0methean@users.noreply.github.com> Date: Mon, 2 Feb 2026 10:29:20 -0800 Subject: [PATCH 3/3] Fix: create-github-app-token step needs ID so we can address its output Signed-off-by: Chris Hennick <4961925+Pr0methean@users.noreply.github.com> --- .github/workflows/auto_merge_prs.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/auto_merge_prs.yml b/.github/workflows/auto_merge_prs.yml
index 3e61f2e57..043944769 100644
--- a/.github/workflows/auto_merge_prs.yml
+++ b/.github/workflows/auto_merge_prs.yml
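Review bot: The added `Check that private key is set` step in auto_merge_prs.yml (patch 2/3) expands `${{ secrets.ACTIONS_RECURSIVE_PRIVATE_KEY }}` directly inside the `run:` script, so the key material is pasted into the script text before the shell parses it. A value containing a double quote, `$` or a backtick would change what the shell executes, and the secret is written into the script the runner generates for the step rather than staying in the environment. Passing it through the environment avoids both: give the step an `env:` entry `PRIVATE_KEY: ${{ secrets.ACTIONS_RECURSIVE_PRIVATE_KEY }}` and test `if [ -z "$PRIVATE_KEY" ]; then`. The workflow's trigger is outside the hunk; if it can run for pull requests where secrets are withheld (forks, for example), this step will fail the job there, which is worth confirming as intended.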
@@ -21,6 +21,7 @@ jobs:
 exit 1
 fi
 - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+ id: app-token
 with:
 app-id: 2754721
 private-key: ${{ secrets.ACTIONS_RECURSIVE_PRIVATE_KEY }}