2 changes: 1 addition & 1 deletion .github/actions/pnpm/action.yml
@@ -10,7 +10,7 @@ inputs:
runs:
using: composite
steps:
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: ${{ inputs['node-version'] }}
# pnpm is installed in the next step; opt out of setup-node v6's
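Review bot: the `# v6.4.0` comment is the only human-readable record of what the new SHA is, and nothing enforces that the two agree; before merging, resolve the tag and compare (`git ls-remote https://github.com/actions/setup-node refs/tags/v6.4.0`), since a comment that drifts from the pinned commit defeats the purpose of SHA pinning.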
2 changes: 1 addition & 1 deletion .github/actions/zigbuild/action.yml
@@ -28,7 +28,7 @@ runs:
version: ${{ inputs.zig-version }}

- name: Install cargo-zigbuild
uses: taiki-e/install-action@055f5df8c3f65ea01cd41e9dc855becd88953486 # v2.75.18
uses: taiki-e/install-action@25435dc8dd3baed7417e0c96d3fe89013a5b2e09 # v2.81.3
env:
GITHUB_TOKEN: ${{ github.token }}
with:
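Review bot: this moves taiki-e/install-action across several minor releases (v2.75.18 to v2.81.3) for an action that downloads cargo-zigbuild binaries onto the runner and receives `github.token` through `env`; read the release notes between the two tags and confirm the new SHA is the commit the v2.81.3 tag points to. Because the token handed to it is the job token, the job's `permissions` block should be the minimum the rest of this composite action needs.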
8 changes: 4 additions & 4 deletions .github/workflows/benchmark.yml
@@ -27,11 +27,11 @@ jobs:
- name: Checkout Branch
uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2

- uses: pnpm/action-setup@8912a9102ac27614460f54aedde9e1e7f9aec20d # v6.0.5
- uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
with:
version: 11.3.0
version: 11.5.1

- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version-file: .node-version
cache: pnpm
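Review bot: `version: 11.5.1` hard-codes the pnpm version in this workflow while the other jobs in this PR go through the shared `.github/actions/pnpm` composite action; pnpm/action-setup refuses to run when its `version` input and the `packageManager` field in package.json disagree, so confirm package.json (not part of this diff) was bumped to the same version, or drop the input and let the action read the version from package.json so there is one source of truth.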
@@ -47,7 +47,7 @@ jobs:
cache-key: benchmark
cache-save-if: ${{ github.ref_name == 'main' }}

- uses: taiki-e/install-action@055f5df8c3f65ea01cd41e9dc855becd88953486 # v2.75.18
- uses: taiki-e/install-action@25435dc8dd3baed7417e0c96d3fe89013a5b2e09 # v2.81.3
with:
tool: cargo-codspeed

6 changes: 3 additions & 3 deletions .github/workflows/ci.yml
@@ -98,7 +98,7 @@ jobs:
steps:
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2

- uses: crate-ci/typos@aca895bf05aec0cb7dffa6f94495e923224d9f17 # v1.46.2
- uses: crate-ci/typos@37bb98842b0d8c4ffebdb75301a13db0267cef89 # v1.47.2
with:
files: .
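Review bot: bumping crate-ci/typos changes the bundled dictionary, so words that passed at v1.46.2 may be flagged at v1.47.2 (or vice versa); run this job on the branch rather than assuming the bump is a no-op. `files: .` scans the whole tree, so any new false positives belong in the typos configuration, not in a narrower path.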

@@ -118,7 +118,7 @@ jobs:
- uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
with:
cache: false
- uses: taiki-e/install-action@055f5df8c3f65ea01cd41e9dc855becd88953486 # v2.75.18
- uses: taiki-e/install-action@25435dc8dd3baed7417e0c96d3fe89013a5b2e09 # v2.81.3
with:
tool: cargo-deny
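Review bot: `tool: cargo-deny` carries no version, so install-action installs whatever cargo-deny release its manifest lists at the pinned SHA; bumping the action SHA therefore also changes the cargo-deny version silently. If the license and advisory check is meant to be reproducible, pin it as `tool: cargo-deny@<version>`. The same applies to the cargo-codspeed and cargo-llvm-cov steps updated elsewhere in this PR.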

@@ -142,7 +142,7 @@ jobs:
with:
cache: false
if: steps.filter.outputs.src == 'true'
- uses: cargo-bins/cargo-binstall@d125de8b4538541574fd9357b6feb61c8486464b # main
- uses: cargo-bins/cargo-binstall@30b5ca8b54e1dcffd9548bc87ede1531310fdc67 # main
if: steps.filter.outputs.src == 'true'
- run: cargo binstall --no-confirm cargo-shear@1
if: steps.filter.outputs.src == 'true'
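Review bot: the cargo-binstall pin is annotated `# main`, i.e. an arbitrary commit on the default branch rather than a release, so there is no tag to verify the SHA against and the comment tells a future reader nothing about what changed; pin to a tagged release SHA instead. Separately, `cargo binstall --no-confirm cargo-shear@1` is a major-version-only constraint, so each run can fetch a newer cargo-shear minor or patch binary, a floating dependency inside an otherwise fully SHA-pinned workflow.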
4 changes: 2 additions & 2 deletions .github/workflows/codecov.yml
@@ -35,7 +35,7 @@ jobs:
cache-save-if: ${{ github.ref_name == 'main' }}
components: llvm-tools-preview

- uses: taiki-e/install-action@055f5df8c3f65ea01cd41e9dc855becd88953486 # v2.75.18
- uses: taiki-e/install-action@25435dc8dd3baed7417e0c96d3fe89013a5b2e09 # v2.81.3
with:
tool: cargo-llvm-cov

@@ -70,7 +70,7 @@ jobs:

- name: Upload to codecov.io
if: env.CODECOV_TOKEN
uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
with:
token: ${{ secrets.CODECOV_TOKEN }}
fail_ci_if_error: true
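Review bot: the upload is gated on `if: env.CODECOV_TOKEN` but passes `secrets.CODECOV_TOKEN` as the token; that only works if a job- or step-level `env` above this hunk copies the secret into `CODECOV_TOKEN`, otherwise the condition is always false and `fail_ci_if_error: true` never gets a chance to fire. Worth confirming after the v6.0.1 bump that the gate is still populated, because a silently skipped upload looks like a green job.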
4 changes: 2 additions & 2 deletions .github/workflows/codeql.yml
@@ -37,12 +37,12 @@ jobs:
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2

- name: Initialize CodeQL
uses: github/codeql-action/init@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3
uses: github/codeql-action/init@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
with:
languages: ${{ matrix.language }}
build-mode: none

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3
uses: github/codeql-action/analyze@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
with:
category: "/language:${{ matrix.language }}"
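Review bot: both codeql-action pins are annotated `# v3`, which records only the major line; unlike the other bumps in this PR (for example `# v6.0.3`), a reader cannot tell which v3.x release the new SHA corresponds to or check it against a tag. Put the full release tag in the comment so the pin stays verifiable.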
2 changes: 1 addition & 1 deletion .github/workflows/release-npm.yml
@@ -84,7 +84,7 @@ jobs:
# if: ${{ github.event_name == 'workflow_dispatch' }}
steps:
- name: Checkout Repo
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
# This makes Actions fetch only one branch to release
fetch-depth: 1
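Review bot: this checkout also keeps the default `persist-credentials: true`, so the job token stays in `.git/config` for every later step of the npm release job (the same point the review thread raises on release-plz.yml); unless a later step pushes to git, add `persist-credentials: false`. Minor: the comment says `fetch-depth: 1` makes Actions fetch only one branch, but fetch-depth limits the commit depth; which branch is fetched is determined by `ref`.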
2 changes: 1 addition & 1 deletion .github/workflows/release-plz.yml
@@ -26,7 +26,7 @@ jobs:
# push release tag
contents: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
Comment thread
coderabbitai[bot] marked this conversation as resolved.
with:
fetch-depth: 0
ref: ${{ inputs.commit }}
Comment on lines +29 to 32

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify checkout credential persistence posture and push usage in workflows.
rg -n -C2 'uses:\s*actions/checkout@' .github/workflows
rg -n -C2 'persist-credentials:\s*false' .github/workflows
rg -n -C2 'git push|git tag' .github/workflows

Repository: rstackjs/rspack-resolver

Length of output: 1491


🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '1,140p' .github/workflows/release-plz.yml | nl -ba

Repository: rstackjs/rspack-resolver

Length of output: 111


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Also inspect other workflow occurrences of the same pinned checkout SHA for context
rg -n "uses:\s*actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" .github/workflows -n

Repository: rstackjs/rspack-resolver

Length of output: 425


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== release-plz.yml (lines 1-120) with line numbers via cat -n ==="
cat -n .github/workflows/release-plz.yml | sed -n '1,120p'

echo "=== persist-credentials occurrences ==="
rg -n "persist-credentials" .github/workflows

Repository: rstackjs/rspack-resolver

Length of output: 2486


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Focus on the pinned checkout usage in release-plz.yml
rg -n "release-plz\.yml|actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" .github/workflows/release-plz.yml || true

# Show the exact job/steps around the checkout and push
rg -n -C3 "name: Checkout|uses:\s*actions/checkout|git tag v\$version|git push" .github/workflows/release-plz.yml

Repository: rstackjs/rspack-resolver

Length of output: 588


🌐 Web query:

actions/checkout persist-credentials default value v6

💡 Result:

For actions/checkout v6, the input persist-credentials has no explicit default value; it’s defined as '' (empty string) in the action metadata, with comments indicating default behavior is enabled (i.e., “Default: true”).[1][2] So, “persist-credentials default value v6” resolves to: empty-string ('') in the action.yml, which corresponds to the documented default behavior of true.[1][2] Note: the docs state that when enabled, the auth token is persisted in the local git config to allow authenticated git commands, and removed during post-job cleanup; you can opt out with persist-credentials: false.[2][3]

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -n "GITHUB_TOKEN|secrets\.GITHUB_TOKEN|persist-credentials" .github/workflows/release-plz.yml .github/workflows

Repository: rstackjs/rspack-resolver

Length of output: 50


Reduce checkout credential persistence in release-plz.yml (lines 29-32, 54-63).
actions/checkout@v6 defaults to persisting credentials for the whole job; this workflow doesn’t need git auth until the “Push tag” step, so set persist-credentials: false and authenticate the tag push explicitly.

Suggested hardening diff
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           fetch-depth: 0
           ref: ${{ inputs.commit }}
+          persist-credentials: false
@@
       - name: Push tag
         run: |
           version=$(cargo metadata --no-deps --format-version 1 | jq -r '.packages[] | select(.name == "rspack_resolver") | .version')
           echo tagging v$version
           git config --global --add safe.directory /github/workspace
           git config --global user.name "github-actions[bot]"
           git config --global user.email "github-actions[bot]@users.noreply.github.com"
           git status
           git tag v$version -m v$version
-          git push origin v$version
+          git push https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git v$version
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 29-32: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-plz.yml around lines 29 - 32, The checkout action
is currently persisting git credentials for the whole job; change the two
actions/checkout uses to include persist-credentials: false, and add an explicit
authentication step immediately before the "Push tag" step (e.g., set the origin
remote URL to include the GITHUB_TOKEN or run a git auth helper using
secrets.GITHUB_TOKEN or inputs.token) so only the tag push step has credentials.
Update both occurrences of actions/checkout@... in the workflow and add a short
pre-push auth step named or placed right before the "Push tag" step to
authenticate explicitly.

Source: Linters/SAST tools
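As an added example (not rspack-resolver's code, not CodeRabbit's and not zizmor's implementation), here is a small line-based checker in the spirit of the artipacked finding above: it walks a workflow file, finds every `actions/checkout` step and reports the ones that do not set `persist-credentials: false`. The two workflow snippets are constructed for the example; the first mirrors the shape of the release-plz.yml hunk, the second applies the hardening the thread suggests. It treats indentation as YAML structure instead of using a YAML parser, which is enough for the step lists GitHub workflows use.

```python
"""Minimal artipacked-style check: flag actions/checkout steps that leave the
job token in .git/config. Added example; a line-based approximation, not
zizmor's code."""
import re
from dataclasses import dataclass

# actions/checkout persists GITHUB_TOKEN in the local git config unless the
# step sets `persist-credentials: false` (the documented default is true).
USES_RE = re.compile(r"uses:\s*actions/checkout@(\S+)")
PERSIST_RE = re.compile(r"^persist-credentials:\s*['\"]?(\w+)")
STEP_RE = re.compile(r"^\s*-\s")


@dataclass(frozen=True)
class Finding:
    line: int       # line of the `uses:` entry in the workflow text
    ref: str        # pinned SHA or tag after the '@'
    persists: bool  # True when the step keeps credentials in .git/config


def checkout_findings(workflow_text: str) -> list[Finding]:
    """Return one Finding per actions/checkout step, in file order."""
    findings: list[Finding] = []
    step = None  # state of the list item currently being scanned

    def close() -> None:
        if step is not None and step["ref"] is not None:
            findings.append(Finding(step["line"], step["ref"], step["persists"]))

    for lineno, raw in enumerate(workflow_text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        # A sibling list item, or a dedent to the item's own column, ends it.
        if step is not None and indent <= step["indent"]:
            close()
            step = None
        if step is None and STEP_RE.match(raw):
            step = {"indent": indent, "line": None, "ref": None, "persists": True}
        if step is None:
            continue
        uses = USES_RE.search(stripped)
        if uses:
            step["line"], step["ref"] = lineno, uses.group(1)
        persist = PERSIST_RE.match(stripped)
        if persist and persist.group(1).lower() == "false":
            step["persists"] = False
    close()
    return findings


def report(workflow_text: str) -> list[str]:
    """Human-readable lines for the steps that still persist credentials."""
    return [
        f"line {f.line}: actions/checkout@{f.ref} persists the job token; "
        "set persist-credentials: false and authenticate the push step explicitly"
        for f in checkout_findings(workflow_text)
        if f.persists
    ]


# Constructed sample: same shape as the release-plz.yml hunk (token persists).
SAMPLE_UNHARDENED = """\
name: release-plz
on:
  workflow_dispatch:
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0
          ref: ${{ inputs.commit }}
      - name: Push tag
        run: |
          git tag v1.0.0 -m v1.0.0
          git push origin v1.0.0
"""

# Constructed sample: the hardened form, token only reaches the push step.
SAMPLE_HARDENED = """\
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Push tag
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git push https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git v1.0.0
"""

if __name__ == "__main__":
    for name, text in (("unhardened", SAMPLE_UNHARDENED), ("hardened", SAMPLE_HARDENED)):
        print(name, report(text) or ["no persisting checkout steps"])
```

The checker only answers the question zizmor's warning asks (is the token left behind?); whether that is a real problem still depends on what later steps do, which is why the thread pairs the `persist-credentials: false` change with an explicit, scoped token on the push step.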

2 changes: 1 addition & 1 deletion .github/workflows/reusable-build.yml
@@ -48,7 +48,7 @@ jobs:
runner-labels: ${{ steps.upload-artifact.outputs.runner-labels || inputs.runner }}
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
ref: ${{ inputs.ref }}
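Review bot: in a reusable workflow `ref: ${{ inputs.ref }}` is chosen by the caller, and with the default `persist-credentials: true` the token stays in `.git/config` for the whole build job; a build-and-upload job that only reads the tree has no need for it, so add `persist-credentials: false` here as well, for the same reason the review thread gives on release-plz.yml.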
