Skip to content

chore(ci): Pin GitHub Actions to commit SHAs#16868

Merged
weihanglo merged 1 commit intorust-lang:masterfrom
Turbo87:pin-action-hashes
Apr 10, 2026
Merged

chore(ci): Pin GitHub Actions to commit SHAs#16868
weihanglo merged 1 commit intorust-lang:masterfrom
Turbo87:pin-action-hashes

Conversation

@Turbo87
Copy link
Copy Markdown
Member

@Turbo87 Turbo87 commented Apr 10, 2026

Pin all third-party actions to immutable commit SHAs, with the resolved version tag in a trailing comment. This prevents upstream tags from silently changing under us.

  • actions/checkout → v6.0.2
  • actions/upload-artifact → v6.0.0
  • EmbarkStudios/cargo-deny-action → v2.0.15
  • taiki-e/install-action → v2.75.4
  • crate-ci/typos → v1.44.0

taiki-e/install-action was previously referenced via the @cargo-hack tool-specific tag, which is force-updated on every release. Pinning it requires switching to the versioned v2.75.4 tag and passing tool: cargo-hack explicitly, since the versioned action.yml does not default the tool input.

See https://docs.zizmor.sh/audits/#unpinned-uses (and #16867 (comment))

@Turbo87
chore(ci): Pin GitHub Actions to commit SHAs
9bb840f 
Pin all third-party actions to immutable commit SHAs, with the
resolved version tag in a trailing comment. This prevents upstream
tags from silently changing under us.

- actions/checkout → v6.0.2
- actions/upload-artifact → v6.0.0
- EmbarkStudios/cargo-deny-action → v2.0.15
- taiki-e/install-action → v2.75.4
- crate-ci/typos → v1.44.0

`taiki-e/install-action` was previously referenced via the
`@cargo-hack` tool-specific tag, which is force-updated on every
release. Pinning it requires switching to the versioned `v2.75.4`
tag and passing `tool: cargo-hack` explicitly, since the versioned
action.yml does not default the tool input.

See https://docs.zizmor.sh/audits/#unpinned-uses
@rustbot rustbot added A-infrastructure Area: infrastructure around the cargo repo, ci, releases, etc. S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Apr 10, 2026
@rustbot
Copy link
Copy Markdown
Collaborator

rustbot commented Apr 10, 2026

r? @ehuss

rustbot has assigned @ehuss.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

Why was this reviewer chosen?

The reviewer was selected based on:

  • Owners of files modified in this PR: @ehuss, @epage, @weihanglo
  • @ehuss, @epage, @weihanglo expanded to ehuss, epage, weihanglo
  • Random selection from ehuss, epage, weihanglo

weihanglo
weihanglo approved these changes Apr 10, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@weihanglo weihanglo left a comment
edited by rustbot
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! I didn't know Renovate support it

doc for prosperity: https://docs.renovatebot.com/modules/manager/github-actions/#digest-pinning-and-updating

View changes since this review

@weihanglo weihanglo added this pull request to the merge queue Apr 10, 2026
@Turbo87
Copy link
Copy Markdown
Member Author

Turbo87 commented Apr 10, 2026

yeah, dependabot too AFAIK (see https://docs.github.com/en/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/keeping-your-actions-up-to-date-with-dependabot), but admittedly I don't have first-hand experience with that one

Merged via the queue into rust-lang:master with commit 53e1d9d Apr 10, 2026
29 checks passed
@rustbot rustbot removed the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Apr 10, 2026
@weihanglo weihanglo mentioned this pull request Apr 18, 2026
Merged
rust-bors bot pushed a commit to rust-lang/rust that referenced this pull request Apr 18, 2026
@bors
Auto merge of #155470 - weihanglo:update-cargo, r=weihanglo
cb7913a 
Update cargo submodule

26 commits in eb94155a9a60943bd7b1cb04abec42f5d0de6ddc..3bf1388b8823ec4eab622340036593381d8871aa
2026-04-09 13:10:20 +0000 to 2026-04-17 23:27:26 +0000
- Add global HTTP timeout tracking to http_async (rust-lang/cargo#16903)
- feat(config): Stabilize `resolver.lockfile-path` config (rust-lang/cargo#16694)
- chore(deps): update msrv (1 version) to v1.95 (rust-lang/cargo#16897)
- fix: rebuild rustdoc json for different versions of a same crate (rust-lang/cargo#16773)
- Add effective_url to http_async (rust-lang/cargo#16899)
- Make crate downloads process as a queue rather than a stack (rust-lang/cargo#16898)
- fix: sparse registry fetch progress reporting (rust-lang/cargo#16900)
- chore: bump to 0.98.0; update changelog (rust-lang/cargo#16892)
- docs(semver-check): update diagnostics to Rust 1.95 (rust-lang/cargo#16895)
- docs(ref): Better highlight 'package --list' for include/exclude (rust-lang/cargo#16891)
- docs: `include` doesnt apply gitignore from repo (rust-lang/cargo#16890)
- fix: Update `bash` and `zsh` Autocompletion Documents to add `-m` (rust-lang/cargo#16888)
- Add `-m` shorthand for `--manifest-path` (rust-lang/cargo#16858)
- Fix a typo (rust-lang/cargo#16885)
- Always take a shared lock on `.cargo-lock` (rust-lang/cargo#16886)
- fix(toml): Teach users how to pin edition (rust-lang/cargo#16851)
- fix: Prefer defined lint levels over default (rust-lang/cargo#16879)
- chore(deps): bump rand from 0.10.0 to 0.10.1 (rust-lang/cargo#16883)
- fix(lints): Ignore unused_crate_dependencies status (rust-lang/cargo#16877)
- Copy cargo clean target-dir validation tests to clean_new_layout.rs (rust-lang/cargo#16878)
- cargo clean: Add target directory validation (rust-lang/cargo#16712)
- Docs: "api" in the configuration should not include a trailing slash (rust-lang/cargo#16869)
- fix(core): use `closest_msg` to suggest similar member name for mistyped `-p` (rust-lang/cargo#16844)
- chore(ci): Pin GitHub Actions to commit SHAs (rust-lang/cargo#16868)
- chore(ci): Update `actions/checkout` from v5 to v6 (rust-lang/cargo#16867)
- Add test for cargo install with github fastpath (rust-lang/cargo#16866)

r? ghost
rust-bors bot pushed a commit to rust-lang/rust that referenced this pull request Apr 18, 2026
@bors
Auto merge of #155470 - weihanglo:update-cargo, r=weihanglo
296747c 
Update cargo submodule

28 commits in eb94155a9a60943bd7b1cb04abec42f5d0de6ddc..7ecf0285ebb408d596e4a8ac76a0980d8edb7005
2026-04-09 13:10:20 +0000 to 2026-04-18 15:34:11 +0000
- fix: use `portable-atomic` for 64-bit atomics (rust-lang/cargo#16906)
- fix: rename incorrectly documented target-spec-json to json-target-sp… (rust-lang/cargo#16905)
- Add global HTTP timeout tracking to http_async (rust-lang/cargo#16903)
- feat(config): Stabilize `resolver.lockfile-path` config (rust-lang/cargo#16694)
- chore(deps): update msrv (1 version) to v1.95 (rust-lang/cargo#16897)
- fix: rebuild rustdoc json for different versions of a same crate (rust-lang/cargo#16773)
- Add effective_url to http_async (rust-lang/cargo#16899)
- Make crate downloads process as a queue rather than a stack (rust-lang/cargo#16898)
- fix: sparse registry fetch progress reporting (rust-lang/cargo#16900)
- chore: bump to 0.98.0; update changelog (rust-lang/cargo#16892)
- docs(semver-check): update diagnostics to Rust 1.95 (rust-lang/cargo#16895)
- docs(ref): Better highlight 'package --list' for include/exclude (rust-lang/cargo#16891)
- docs: `include` doesnt apply gitignore from repo (rust-lang/cargo#16890)
- fix: Update `bash` and `zsh` Autocompletion Documents to add `-m` (rust-lang/cargo#16888)
- Add `-m` shorthand for `--manifest-path` (rust-lang/cargo#16858)
- Fix a typo (rust-lang/cargo#16885)
- Always take a shared lock on `.cargo-lock` (rust-lang/cargo#16886)
- fix(toml): Teach users how to pin edition (rust-lang/cargo#16851)
- fix: Prefer defined lint levels over default (rust-lang/cargo#16879)
- chore(deps): bump rand from 0.10.0 to 0.10.1 (rust-lang/cargo#16883)
- fix(lints): Ignore unused_crate_dependencies status (rust-lang/cargo#16877)
- Copy cargo clean target-dir validation tests to clean_new_layout.rs (rust-lang/cargo#16878)
- cargo clean: Add target directory validation (rust-lang/cargo#16712)
- Docs: "api" in the configuration should not include a trailing slash (rust-lang/cargo#16869)
- fix(core): use `closest_msg` to suggest similar member name for mistyped `-p` (rust-lang/cargo#16844)
- chore(ci): Pin GitHub Actions to commit SHAs (rust-lang/cargo#16868)
- chore(ci): Update `actions/checkout` from v5 to v6 (rust-lang/cargo#16867)
- Add test for cargo install with github fastpath (rust-lang/cargo#16866)
rust-bors bot pushed a commit to rust-lang/rust that referenced this pull request Apr 19, 2026
@bors
Auto merge of #155470 - weihanglo:update-cargo, r=weihanglo
ec2d669 
Update cargo submodule

28 commits in eb94155a9a60943bd7b1cb04abec42f5d0de6ddc..7ecf0285ebb408d596e4a8ac76a0980d8edb7005
2026-04-09 13:10:20 +0000 to 2026-04-18 15:34:11 +0000
- fix: use `portable-atomic` for 64-bit atomics (rust-lang/cargo#16906)
- fix: rename incorrectly documented target-spec-json to json-target-sp… (rust-lang/cargo#16905)
- Add global HTTP timeout tracking to http_async (rust-lang/cargo#16903)
- feat(config): Stabilize `resolver.lockfile-path` config (rust-lang/cargo#16694)
- chore(deps): update msrv (1 version) to v1.95 (rust-lang/cargo#16897)
- fix: rebuild rustdoc json for different versions of a same crate (rust-lang/cargo#16773)
- Add effective_url to http_async (rust-lang/cargo#16899)
- Make crate downloads process as a queue rather than a stack (rust-lang/cargo#16898)
- fix: sparse registry fetch progress reporting (rust-lang/cargo#16900)
- chore: bump to 0.98.0; update changelog (rust-lang/cargo#16892)
- docs(semver-check): update diagnostics to Rust 1.95 (rust-lang/cargo#16895)
- docs(ref): Better highlight 'package --list' for include/exclude (rust-lang/cargo#16891)
- docs: `include` doesnt apply gitignore from repo (rust-lang/cargo#16890)
- fix: Update `bash` and `zsh` Autocompletion Documents to add `-m` (rust-lang/cargo#16888)
- Add `-m` shorthand for `--manifest-path` (rust-lang/cargo#16858)
- Fix a typo (rust-lang/cargo#16885)
- Always take a shared lock on `.cargo-lock` (rust-lang/cargo#16886)
- fix(toml): Teach users how to pin edition (rust-lang/cargo#16851)
- fix: Prefer defined lint levels over default (rust-lang/cargo#16879)
- chore(deps): bump rand from 0.10.0 to 0.10.1 (rust-lang/cargo#16883)
- fix(lints): Ignore unused_crate_dependencies status (rust-lang/cargo#16877)
- Copy cargo clean target-dir validation tests to clean_new_layout.rs (rust-lang/cargo#16878)
- cargo clean: Add target directory validation (rust-lang/cargo#16712)
- Docs: "api" in the configuration should not include a trailing slash (rust-lang/cargo#16869)
- fix(core): use `closest_msg` to suggest similar member name for mistyped `-p` (rust-lang/cargo#16844)
- chore(ci): Pin GitHub Actions to commit SHAs (rust-lang/cargo#16868)
- chore(ci): Update `actions/checkout` from v5 to v6 (rust-lang/cargo#16867)
- Add test for cargo install with github fastpath (rust-lang/cargo#16866)
@rustbot rustbot added this to the 1.97.0 milestone Apr 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@weihanglo weihanglo weihanglo approved these changes

Assignees

@ehuss ehuss

Labels

A-infrastructure Area: infrastructure around the cargo repo, ci, releases, etc.

Projects

None yet

Milestone

1.97.0

Development

Successfully merging this pull request may close these issues.

4 participants

@Turbo87 @rustbot @weihanglo @ehuss