diff --git a/.github/renovate.json5 b/.github/renovate.json5 index cc1fefc..d880c30 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -1,4 +1,5 @@ { + extends: ["helpers:pinGitHubActionDigests"], schedule: [ 'before 5am on the first day of the month', ], @@ -64,7 +65,7 @@ matchDepNames: [ 'prek', ], - extractVersion: '^(?\\d+\\.\\d+\\.\\d+)', + extractVersion: '^v(?\\d+\\.\\d+\\.\\d+)', schedule: [ '* * * * *', ], diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 6e0a8a0..08d1666 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -1,4 +1,4 @@ -name: Security audit +name: Audit permissions: contents: read @@ -22,19 +22,37 @@ concurrency: cancel-in-progress: true jobs: - security_audit: + audit: + permissions: + contents: none + name: Audit + needs: [advisories, cargo_deny, actions] + runs-on: ubuntu-latest + if: "always()" + steps: + - name: Failed + run: exit 1 + if: "contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped')" + advisories: permissions: issues: write # to create issues (actions-rs/audit-check) checks: write # to create check (actions-rs/audit-check) runs-on: ubuntu-latest # Prevent sudden announcement of a new advisory from failing ci: continue-on-error: true + strategy: + matrix: + checks: + - advisories steps: - name: Checkout repository - uses: actions/checkout@v6 - - uses: actions-rs/audit-check@v1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2 with: - token: ${{ secrets.GITHUB_TOKEN }} + command: check ${{ matrix.checks }} + rust-version: stable cargo_deny: permissions: @@ -46,8 +64,25 @@ jobs: checks: - bans licenses sources steps: - - uses: actions/checkout@v6 - - uses: EmbarkStudios/cargo-deny-action@v2 + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2 with: command: check ${{ matrix.checks }} rust-version: stable + + actions: + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read # only needed for private or internal repos + actions: read # only needed for private or internal repos + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + - name: Run zizmor + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 77c8433..9722b03 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,13 +45,15 @@ jobs: CARGO_PROFILE_DEV_DEBUG: line-tables-only steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: ${{ matrix.rust }} - - uses: Swatinem/rust-cache@v2 - - uses: taiki-e/install-action@cargo-hack + - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + - uses: taiki-e/install-action@4448ce47d533cbe63d6dfafa732cf574a34606b5 # cargo-hack - name: Build run: cargo test --workspace --no-run - name: Test @@ -64,13 +66,15 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: stable - - uses: Swatinem/rust-cache@v2 - - uses: taiki-e/install-action@cargo-hack + - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + - uses: taiki-e/install-action@4448ce47d533cbe63d6dfafa732cf574a34606b5 # cargo-hack - name: Default features run: cargo hack check --each-feature --locked --rust-version --ignore-private --workspace --all-targets --keep-going minimal-versions: @@ -81,13 +85,15 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Install stable Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: stable - name: Install nightly Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: nightly - name: Downgrade dependencies to minimal versions @@ -98,12 +104,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: stable - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - name: "Is lockfile updated?" run: cargo update --workspace --locked docs: @@ -111,12 +119,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: "1.94" # STABLE - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - name: Check documentation env: RUSTDOCFLAGS: -D warnings @@ -126,13 +136,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: "1.94" # STABLE components: rustfmt - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - name: Check formatting run: cargo fmt --check clippy: @@ -142,13 +154,15 @@ jobs: security-events: write # to upload sarif results steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: "1.94" # STABLE components: clippy - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - name: Install SARIF tools run: cargo install clippy-sarif --locked - name: Install SARIF tools @@ -161,7 +175,7 @@ jobs: | sarif-fmt continue-on-error: true - name: Upload - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4 with: sarif_file: clippy-results.sarif wait-for-processing: true @@ -172,17 +186,19 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: stable - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - name: Install cargo-tarpaulin run: cargo install cargo-tarpaulin - name: Gather coverage run: cargo tarpaulin --output-dir coverage --out lcov - name: Publish to Coveralls - uses: coverallsapp/github-action@master + uses: coverallsapp/github-action@09b709cf6a16e30b0808ba050c7a6e8a5ef13f8d # master with: github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/committed.yml b/.github/workflows/committed.yml index 9138a8e..755a367 100644 --- a/.github/workflows/committed.yml +++ b/.github/workflows/committed.yml @@ -21,8 +21,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Actions Repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: false - name: Lint Commits - uses: crate-ci/committed@master + uses: crate-ci/committed@4cd58ed75e5f581ba45f42ef52e055cc001def37 # master diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 98a7546..e268449 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -22,7 +22,9 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: j178/prek-action@v1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: - prek-version: '0.2.27' + persist-credentials: false + - uses: j178/prek-action@0bb87d7f00b0c99306c8bcb8b8beba1eb581c037 # v1 + with: + prek-version: '0.3.8' diff --git a/.github/workflows/rust-next.yml b/.github/workflows/rust-next.yml index e8ef68d..f77799d 100644 --- a/.github/workflows/rust-next.yml +++ b/.github/workflows/rust-next.yml @@ -33,13 +33,15 @@ jobs: CARGO_PROFILE_DEV_DEBUG: line-tables-only steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: ${{ matrix.rust }} - - uses: Swatinem/rust-cache@v2 - - uses: taiki-e/install-action@cargo-hack + - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + - uses: taiki-e/install-action@4448ce47d533cbe63d6dfafa732cf574a34606b5 # cargo-hack - name: Build run: cargo test --workspace --no-run - name: Test @@ -54,13 +56,15 @@ jobs: CARGO_RESOLVER_INCOMPATIBLE_RUST_VERSIONS: allow steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: stable - - uses: Swatinem/rust-cache@v2 - - uses: taiki-e/install-action@cargo-hack + - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + - uses: taiki-e/install-action@4448ce47d533cbe63d6dfafa732cf574a34606b5 # cargo-hack - name: Update dependencies run: cargo update - name: Build diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml index cf4c1bf..addbe4b 100644 --- a/.github/workflows/spelling.yml +++ b/.github/workflows/spelling.yml @@ -20,6 +20,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Actions Repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Spell Check Repo - uses: crate-ci/typos@master + uses: crate-ci/typos@8f11c0dc0f31c780c45b3dd5b72ff4b48a350b75 # master diff --git a/.github/workflows/template.yml b/.github/workflows/template.yml index 1d4fd85..c51104f 100644 --- a/.github/workflows/template.yml +++ b/.github/workflows/template.yml @@ -28,12 +28,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: false - name: Configure git run: | - git config --global user.name '${{ github.actor }}' + git config --global user.name '${GITHUB_ACTOR}' git config --global user.email '<>' - name: Fetch template run: "git remote add template ${{ env.TEMPLATE_URL }} && git fetch template ${{ env.TEMPLATE_BRANCH }}" diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..45aa9c9 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,4 @@ +rules: + superfluous-actions: + # https://github.com/zizmorcore/zizmor/issues/1817 + disable: true diff --git a/Cargo.toml b/Cargo.toml index a4780b4..15e6d5f 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -118,7 +118,7 @@ pre-release-replacements = [ {file="CHANGELOG.md", search="\\.\\.\\.HEAD", replace="...{{tag_name}}", exactly=1}, {file="CHANGELOG.md", search="ReleaseDate", replace="{{date}}", min=1}, {file="CHANGELOG.md", search="", replace="\n## [Unreleased] - ReleaseDate\n", exactly=1}, - {file="CHANGELOG.md", search="", replace="\n[Unreleased]: https://github.com/rust-cli/roff-rs/compare/{{tag_name}}...HEAD", exactly=1}, + {file="CHANGELOG.md", search="", replace="\n[Unreleased]: {{repository}}/compare/{{tag_name}}...HEAD", exactly=1}, ] [dependencies] diff --git a/src/lib.rs b/src/lib.rs index 7947627..41fc803 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -17,7 +17,6 @@ //! [ROFF]: https://en.wikipedia.org/wiki/Roff_(software) //! [groff(7)]: https://manpages.debian.org/bullseye/groff/groff.7.en.html -#![cfg_attr(docsrs, feature(doc_auto_cfg))] #![cfg_attr(docsrs, feature(doc_cfg))] #![warn(missing_docs)] #![warn(clippy::print_stderr)]