From 27fb7714540b3867770a32d4b7d2e6502c88c5a7 Mon Sep 17 00:00:00 2001
From: Nils Homer
Date: Thu, 9 Apr 2026 00:39:09 -0700
Subject: [PATCH] ci: pin all actions by full-length commit SHA

The fg-labs org enforces a policy that all GitHub Actions must be pinned to a full-length commit SHA. This blocked the publish.yml run on the chore: release v0.1.0 merge: The actions actions/checkout@v4, dtolnay/rust-toolchain@stable, and release-plz/action@v0.5 are not allowed in fg-labs/fg-sra because all actions must be pinned to a full-length commit SHA. Pins all actions in ci.yml and publish.yml to full SHAs with a version comment, matching the pattern used by other fg-labs crates. Also adapts taiki-e/install-action usage from tool-as-ref (`@nextest`) to the pinned+`tool:` input form.
---
 .github/workflows/ci.yml | 36 ++++++++++++++++++++---------------
 .github/workflows/publish.yml | 10 +++++-----
 2 files changed, 26 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f00bc0c..2357f27 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,8 +16,8 @@ jobs:
     name: rustfmt
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
         with:
           components: rustfmt
       - run: cargo ci-fmt
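Review bot: The `# stable` pin on dtolnay/rust-toolchain in this hunk (and the same pin in the clippy, test and coverage hunks and both publish.yml hunks) only installs a stable toolchain if commit 29eef336… was taken from that action's `stable` branch, whose action.yml defaults the `toolchain` input to `stable`; a commit from `master` leaves `toolchain` a required input and the step would fail. I cannot tell from the diff which branch the SHA belongs to, so please confirm it, or make the choice explicit on each step with `with:` / `toolchain: stable` so the pin no longer depends on the branch. Unlike `# v6.0.0`, the `# stable` comment is not a release tag, so a pin-updating bot that keys on the version comment will not advance this SHA and it will need to be refreshed by hand when the branch moves.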
@@ -26,13 +26,13 @@ jobs:
     name: clippy
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           submodules: recursive
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
         with:
           components: clippy
-      - uses: mozilla-actions/sccache-action@v0.0.9
+      - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
       - name: Install build dependencies
         run: sudo apt-get update && sudo apt-get install -y cmake libxml2-dev
       - run: cargo ci-lint
@@ -41,12 +41,14 @@ jobs:
     name: test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           submodules: recursive
-      - uses: dtolnay/rust-toolchain@stable
-      - uses: mozilla-actions/sccache-action@v0.0.9
-      - uses: taiki-e/install-action@nextest
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
+      - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
+      - uses: taiki-e/install-action@80e6af7a2ec7f280fffe2d0a9d3a12a9d11d86e9 # v2
+        with:
+          tool: nextest
       - name: Install build dependencies
         run: sudo apt-get update && sudo apt-get install -y cmake libxml2-dev
       - run: cargo ci-test
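Review bot: The `# v2` comment beside taiki-e/install-action in the test job (and on both install steps in the coverage hunk) names a floating major tag rather than the release the SHA was taken from, so a reader cannot map 80e6af7a… back to a specific version without looking it up, and tooling that uses the comment to advance SHA pins has no exact tag to start from. Recording the exact release, `# v2.<minor>.<patch>` with the numbers filled in from the release that SHA belongs to, keeps this pin as auditable as the `# v6.0.0` and `# v0.0.9` comments next to it.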
@@ -57,19 +59,23 @@ jobs:
     if: github.actor != 'dependabot[bot]'
     environment: github-actions
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           submodules: recursive
-      - uses: dtolnay/rust-toolchain@stable
-      - uses: mozilla-actions/sccache-action@v0.0.9
-      - uses: taiki-e/install-action@cargo-llvm-cov
-      - uses: taiki-e/install-action@nextest
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
+      - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
+      - uses: taiki-e/install-action@80e6af7a2ec7f280fffe2d0a9d3a12a9d11d86e9 # v2
+        with:
+          tool: cargo-llvm-cov
+      - uses: taiki-e/install-action@80e6af7a2ec7f280fffe2d0a9d3a12a9d11d86e9 # v2
+        with:
+          tool: nextest
       - name: Install build dependencies
         run: sudo apt-get update && sudo apt-get install -y cmake libxml2-dev
       - name: Generate coverage
         run: cargo llvm-cov nextest --all --no-tests=pass --lcov --output-path lcov.info
       - name: Upload to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
         with:
           files: lcov.info
           fail_ci_if_error: true
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index af28d68..91bded9 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
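Review bot: The coverage job now carries two back-to-back taiki-e/install-action steps at the same SHA, one for cargo-llvm-cov and one for nextest; the action's `tool` input accepts a comma-separated list, so a single step with `tool: cargo-llvm-cov,nextest` installs both, leaves one pin to maintain instead of two, and shortens the job. The enclosing job's id, name and `runs-on` sit above the hunk.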
@@ -24,14 +24,14 @@ jobs:
           app-id: ${{ secrets.FG_LABS_BOT_APP_ID }}
           private-key: ${{ secrets.FG_LABS_BOT_PRIVATE_KEY }}
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           fetch-depth: 0
           token: ${{ steps.app-token.outputs.token }}
       - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
       - name: Create or update release PR
-        uses: release-plz/action@v0.5
+        uses: release-plz/action@1528104d2ca23787631a1c1f022abb64b34c1e11 # v0.5.128
         with:
           command: release-pr
         env:
@@ -47,13 +47,13 @@ jobs:
           app-id: ${{ secrets.FG_LABS_BOT_APP_ID }}
           private-key: ${{ secrets.FG_LABS_BOT_PRIVATE_KEY }}
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           fetch-depth: 0
           submodules: recursive
           token: ${{ steps.app-token.outputs.token }}
       - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
       - name: Install build dependencies
         run: sudo apt-get update && sudo apt-get install -y cmake libxml2-dev
       - name: Create GitHub release