diff --git a/.github/workflows/ci-actions.yaml b/.github/workflows/ci-actions.yaml index 19ee854..ef04d69 100644 --- a/.github/workflows/ci-actions.yaml +++ b/.github/workflows/ci-actions.yaml @@ -19,7 +19,7 @@ jobs: actions: read # Needed to read actions steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit @@ -29,7 +29,7 @@ jobs: persist-credentials: false - name: Install the latest version of uv - uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0 + uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0 - name: Run zizmor run: uvx zizmor --pedantic --format sarif . > results.sarif @@ -37,7 +37,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8 + uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 with: sarif_file: results.sarif category: zizmor diff --git a/.github/workflows/ci-code.yaml b/.github/workflows/ci-code.yaml index b027e7c..bd76046 100644 --- a/.github/workflows/ci-code.yaml +++ b/.github/workflows/ci-code.yaml @@ -24,7 +24,7 @@ jobs: cache-key: ${{ steps.cache-cargo-make.outputs.cache-primary-key }} steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit @@ -38,7 +38,7 @@ jobs: - name: Cache cargo-make binary id: cache-cargo-make - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.cargo/bin/cargo-make key: ${{ runner.os }}-cargo-make-${{ steps.get-version.outputs.cargo_make_version }} @@ -59,7 +59,7 @@ jobs: needs: setup-cargo-make steps: - name: harden runner - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit @@ -70,7 +70,7 @@ jobs: persist-credentials: false - name: Restore cached cargo-make - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.cargo/bin/cargo-make key: ${{ runner.os }}-cargo-make-${{ needs.setup-cargo-make.outputs.cargo_make_version }} @@ -84,7 +84,7 @@ jobs: needs: setup-cargo-make steps: - name: harden runner - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit @@ -95,7 +95,7 @@ jobs: persist-credentials: false - name: Restore cached cargo-make - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.cargo/bin/cargo-make key: ${{ runner.os }}-cargo-make-${{ needs.setup-cargo-make.outputs.cargo_make_version }} @@ -115,7 +115,7 @@ jobs: needs: setup-cargo-make steps: - name: harden runner - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit @@ -126,7 +126,7 @@ jobs: persist-credentials: false - name: Restore cached cargo-make - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.cargo/bin/cargo-make key: ${{ runner.os }}-cargo-make-${{ needs.setup-cargo-make.outputs.cargo_make_version }} @@ -147,7 +147,7 @@ jobs: name: 'Full build linux-${{ matrix.arch }}' steps: - name: harden runner - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit @@ -158,7 +158,7 @@ jobs: persist-credentials: false - name: Restore cached cargo-make - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.cargo/bin/cargo-make key: ${{ runner.os }}-cargo-make-${{ needs.setup-cargo-make.outputs.cargo_make_version }} @@ -179,7 +179,7 @@ jobs: name: 'Full test linux-${{ matrix.arch }}' steps: - name: harden runner - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit @@ -190,7 +190,7 @@ jobs: persist-credentials: false - name: Restore cached cargo-make - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.cargo/bin/cargo-make key: ${{ runner.os }}-cargo-make-${{ needs.setup-cargo-make.outputs.cargo_make_version }} @@ -210,7 +210,7 @@ jobs: name: 'Full clippy linux-${{ matrix.arch }}' steps: - name: harden runner - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit @@ -221,7 +221,7 @@ jobs: persist-credentials: false - name: Restore cached cargo-make - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.cargo/bin/cargo-make key: ${{ runner.os }}-cargo-make-${{ needs.setup-cargo-make.outputs.cargo_make_version }} diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index ecbc0de..792695c 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -42,7 +42,7 @@ jobs: runs-on: '${{ matrix.platform.on }}' steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit @@ -85,7 +85,7 @@ jobs: STYROLITE_PLATFORM: '${{ steps.name.outputs.platform }}' - name: 'Upload styrolite to workflow run' - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: styrolite-${{ steps.name.outputs.platform }} path: | @@ -93,7 +93,7 @@ jobs: - name: generate cultivator token if: ${{ github.event_name == 'release' }} - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0 + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 id: generate-token with: app-id: "${{ secrets.EDERA_CULTIVATION_APP_ID }}" diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 1e3dbc2..ee2689e 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -21,7 +21,7 @@ jobs: id-token: write # Needed for trusted publishing steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit @@ -35,7 +35,7 @@ jobs: uses: dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 # zizmor: ignore[stale-action-refs] -- pinned to stable branch - name: generate cultivator token - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0 + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 id: generate-token with: app-id: "${{ secrets.EDERA_CULTIVATION_APP_ID }}" @@ -62,7 +62,7 @@ jobs: cancel-in-progress: false steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 with: egress-policy: audit @@ -76,7 +76,7 @@ jobs: uses: dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 # zizmor: ignore[stale-action-refs] -- pinned to stable branch - name: generate cultivator token - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0 + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 id: generate-token with: app-id: "${{ secrets.EDERA_CULTIVATION_APP_ID }}"