Update scripts and CI config

taiki-e · taiki-e · commit fca130068407 · 2026-04-10T22:14:32.000+09:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -18,3 +18,7 @@ updates:
     commit-message:
       prefix: ''
     labels: []
+    groups:
+      github-actions:
+        patterns:
+          - '*'
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -34,13 +34,13 @@ concurrency:
 
 jobs:
   miri:
-    uses: taiki-e/github-actions/.github/workflows/miri.yml@main
+    uses: taiki-e/github-actions/.github/workflows/miri.yml@dec917193d835117a7238865adf83273d9fcd27a # main
   msrv:
-    uses: taiki-e/github-actions/.github/workflows/msrv.yml@main
+    uses: taiki-e/github-actions/.github/workflows/msrv.yml@dec917193d835117a7238865adf83273d9fcd27a # main
   release-dry-run:
-    uses: taiki-e/github-actions/.github/workflows/release-dry-run.yml@main
+    uses: taiki-e/github-actions/.github/workflows/release-dry-run.yml@dec917193d835117a7238865adf83273d9fcd27a # main
   tidy:
-    uses: taiki-e/github-actions/.github/workflows/tidy.yml@main
+    uses: taiki-e/github-actions/.github/workflows/tidy.yml@dec917193d835117a7238865adf83273d9fcd27a # main
     permissions:
       contents: write # for creating branch for pr
       pull-requests: write # unused (used in `codegen-automerge: true` case)
@@ -63,8 +63,8 @@ jobs:
     runs-on: ${{ matrix.os || 'ubuntu-latest' }}
     timeout-minutes: 60
     steps:
-      - uses: taiki-e/checkout-action@v1
-      - uses: taiki-e/github-actions/install-rust@main
+      - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
+      - uses: taiki-e/github-actions/install-rust@dec917193d835117a7238865adf83273d9fcd27a # main # zizmor: ignore[stale-action-refs]
         with:
           toolchain: ${{ matrix.rust }}
       - run: cargo test --workspace --all-features
@@ -77,7 +77,7 @@ jobs:
           rustup toolchain remove 1.63 1.64 1.65
           cargo hack check --rust-version --workspace --locked
           cargo uninstall cargo-hack
-      - uses: taiki-e/install-action@v2
+      - uses: taiki-e/install-action@b8be7f5e140177087325943c4a8e169d01c59b3d # v2.75.3
         with:
           tool: cargo-hack,cargo-minimal-versions
           fallback: none
@@ -102,8 +102,10 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
-      - uses: taiki-e/checkout-action@v1
-      - uses: taiki-e/github-actions/install-rust@nightly
+      - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
+      - uses: taiki-e/github-actions/install-rust@dec917193d835117a7238865adf83273d9fcd27a # main # zizmor: ignore[stale-action-refs]
+        with:
+          toolchain: nightly
       - run: cargo test --workspace --all-features
         env:
           CARGO_HACK_TEST_TOOLCHAIN: ${{ matrix.rust }}
@@ -119,7 +121,7 @@ jobs:
     timeout-minutes: 60
     container: alpine
     steps:
-      - uses: taiki-e/checkout-action@v1
+      - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
       - name: Install Rust
         run: apk --no-cache add cargo
       - run: cargo test --workspace --all-features
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -26,13 +26,14 @@ concurrency:
 jobs:
   release:
     if: github.repository_owner == 'taiki-e'
-    uses: taiki-e/github-actions/.github/workflows/rust-release.yml@main
+    uses: taiki-e/github-actions/.github/workflows/rust-release.yml@dec917193d835117a7238865adf83273d9fcd27a # main
     permissions:
       contents: write # for taiki-e/create-gh-release-action / taiki-e/upload-rust-binary-action
       id-token: write # for rust-lang/crates-io-auth-action / actions/attest
       attestations: write # for actions/attest
     secrets:
-      PUSH_TOKEN: ${{ secrets.PUSH_TOKEN }}
+      PUSH_TOKEN_APP_CLIENT_ID: ${{ secrets.PUSH_TOKEN_APP_CLIENT_ID }}
+      PUSH_TOKEN_APP_PRIVATE_KEY: ${{ secrets.PUSH_TOKEN_APP_PRIVATE_KEY }}
     with:
       version: ${{ inputs.version }}
       bin: cargo-hack
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -2,9 +2,5 @@
 # https://docs.zizmor.sh/configuration/
 
 rules:
-  anonymous-definition: { disable: true }
+  anonymous-definition: { disable: true } # This is pedantic/auditor only audit and requires explicitly naming each job, but is usually redundant.
   dependabot-cooldown: { config: { days: 14 } }
-  unpinned-uses:
-    config:
-      policies:
-        taiki-e/*: any
diff --git a/tools/tidy.sh b/tools/tidy.sh
@@ -27,15 +27,14 @@ fi
 if [[ -n "${TIDY_DEV:-}" ]]; then
   image="ghcr.io/taiki-e/tidy:latest"
 else
-  image="ghcr.io/taiki-e/tidy@sha256:4552cbce9426e102f9650cd9f8381e836fc8fda081dcbddcc7f31b15d48d1654"
+  image="ghcr.io/taiki-e/tidy@sha256:bce85a4321f80c09f2b68420e9149bcf7c085130ab1e1fca54443f76833cd184"
 fi
 user="$(id -u):$(id -g)"
 workdir=$(pwd)
 tmp=$(mktemp -d)
 trap -- 'rm -rf -- "${tmp:?}"' EXIT
-mkdir -p -- "${tmp}/zizmor"
-touch -- "${tmp}/dummy"
-mkdir -- "${tmp}/dummy-dir"
+mkdir -p -- "${tmp}"/{pwsh-cache,pwsh-local,zizmor-cache,dummy-dir,tmp}
+touch -- "${tmp}"/dummy
 code=0
 color=''
 if [[ -t 1 ]] || [[ -n "${GITHUB_ACTIONS:-}" ]]; then
@@ -84,22 +83,25 @@ docker_run() {
 set +e
 docker_run \
   --mount "type=bind,source=${workdir},target=${workdir}" --workdir "${workdir}" \
+  --mount "type=bind,source=${tmp}/tmp,target=/tmp/tidy" \
+  --mount "type=bind,source=${tmp}/pwsh-cache,target=/.cache/powershell" \
+  --mount "type=bind,source=${tmp}/pwsh-local,target=/.local/share/powershell" \
   --network=none \
   "${image}" \
   /checks/offline.sh
 # Some good audits requires access to GitHub API.
 docker_run \
   --mount "type=bind,source=${workdir},target=${workdir},readonly" --workdir "${workdir}" \
-  --mount "type=bind,source=${tmp}/zizmor,target=/.cache/zizmor" \
+  --mount "type=bind,source=${tmp}/zizmor-cache,target=/.cache/zizmor" \
   --env GH_TOKEN --env GITHUB_TOKEN --env ZIZMOR_GITHUB_TOKEN \
   "${image}" \
   /checks/zizmor.sh
 # We use remote dictionary.
 docker_run \
   --mount "type=bind,source=${workdir},target=${workdir},readonly" --workdir "${workdir}" \
-  --mount "type=bind,source=${workdir}/.cspell.json,target=${workdir}/.cspell.json" \
   --mount "type=bind,source=${workdir}/.github/.cspell/project-dictionary.txt,target=${workdir}/.github/.cspell/project-dictionary.txt" \
   --mount "type=bind,source=${workdir}/.github/.cspell/rust-dependencies.txt,target=${workdir}/.github/.cspell/rust-dependencies.txt" \
+  --mount "type=bind,source=${tmp}/tmp,target=/tmp/tidy" \
   "${image}" \
   /checks/cspell.sh
 
