Skip to content

Commit 6a61bea

Browse files
SachaMorardclaude
SachaMorard
and
claude
committed
ci: pin GitHub Actions to commit SHAs
Addresses security finding f66f3510: unpinned third-party actions in publish.yml (dtolnay/rust-toolchain@stable, katyo/publish-crates@v2) could exfiltrate CRATES_IO_TOKEN if an upstream maintainer is compromised. - Pin every `uses:` in check.yml and publish.yml to a commit SHA with a trailing version comment. - Replace katyo/publish-crates@v2 with a direct `cargo publish` run step using CARGO_REGISTRY_TOKEN, removing the action that actually handles the token from the trust boundary. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 6dbc741 commit 6a61bea

2 files changed

Lines changed: 19 additions & 18 deletions

File tree

.github/workflows/check.yml

Lines changed: 13 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -21,27 +21,27 @@ jobs:
2121
os: [ubuntu-latest, macos-latest, windows-latest]
2222
rust: [stable, beta]
2323
steps:
24-
- uses: actions/checkout@v4
24+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
2525

2626
- name: Install Rust
27-
uses: dtolnay/rust-toolchain@master
27+
uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master branch
2828
with:
2929
toolchain: ${{ matrix.rust }}
3030

3131
- name: Cache cargo registry
32-
uses: actions/cache@v4
32+
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
3333
with:
3434
path: ~/.cargo/registry
3535
key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
3636

3737
- name: Cache cargo index
38-
uses: actions/cache@v4
38+
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
3939
with:
4040
path: ~/.cargo/git
4141
key: ${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }}
4242

4343
- name: Cache cargo build
44-
uses: actions/cache@v4
44+
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
4545
with:
4646
path: target
4747
key: ${{ runner.os }}-cargo-build-target-${{ hashFiles('**/Cargo.lock') }}
@@ -56,10 +56,10 @@ jobs:
5656
name: Clippy
5757
runs-on: ubuntu-latest
5858
steps:
59-
- uses: actions/checkout@v4
59+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
6060

6161
- name: Install Rust
62-
uses: dtolnay/rust-toolchain@stable
62+
uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable branch
6363
with:
6464
components: clippy
6565

@@ -70,10 +70,10 @@ jobs:
7070
name: Format
7171
runs-on: ubuntu-latest
7272
steps:
73-
- uses: actions/checkout@v4
73+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
7474

7575
- name: Install Rust
76-
uses: dtolnay/rust-toolchain@stable
76+
uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable branch
7777
with:
7878
components: rustfmt
7979

@@ -84,10 +84,10 @@ jobs:
8484
name: Build
8585
runs-on: ubuntu-latest
8686
steps:
87-
- uses: actions/checkout@v4
87+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
8888

8989
- name: Install Rust
90-
uses: dtolnay/rust-toolchain@stable
90+
uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable branch
9191

9292
- name: Build
9393
run: cargo build --release --all-features
@@ -96,10 +96,10 @@ jobs:
9696
name: Documentation
9797
runs-on: ubuntu-latest
9898
steps:
99-
- uses: actions/checkout@v4
99+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
100100

101101
- name: Install Rust
102-
uses: dtolnay/rust-toolchain@stable
102+
uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable branch
103103

104104
- name: Check documentation
105105
run: cargo doc --no-deps --all-features

.github/workflows/publish.yml

Lines changed: 6 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -9,8 +9,9 @@ jobs:
99
permissions:
1010
contents: read
1111
steps:
12-
- uses: actions/checkout@v4
13-
- uses: dtolnay/rust-toolchain@stable
14-
- uses: katyo/publish-crates@v2
15-
with:
16-
registry-token: ${{ secrets.CRATES_IO_TOKEN }}
12+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
13+
- uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable branch
14+
- name: Publish to crates.io
15+
run: cargo publish
16+
env:
17+
CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}

0 commit comments

Comments
 (0)