From 27ac526432b8e2de40b5bd253f85818f22dd502e Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Fri, 28 Feb 2025 15:20:12 +0100
Subject: [PATCH 1/6] chore: Bump Rust toolchain to 1.84.1

---
 .github/workflows/build.yml | 2 +-
 rust-toolchain.toml         | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b1a682d62..a74380a0f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -17,7 +17,7 @@ env:
   CARGO_TERM_COLOR: always
   CARGO_INCREMENTAL: '0'
   CARGO_PROFILE_DEV_DEBUG: '0'
-  RUST_TOOLCHAIN_VERSION: "1.82.0"
+  RUST_TOOLCHAIN_VERSION: "1.84.1"
   RUSTFLAGS: "-D warnings"
   RUSTDOCFLAGS: "-D warnings"
   RUST_LOG: "info"
diff --git a/rust-toolchain.toml b/rust-toolchain.toml
index 2e2b8c852..fcb78ec56 100644
--- a/rust-toolchain.toml
+++ b/rust-toolchain.toml
@@ -1,2 +1,2 @@
 [toolchain]
-channel = "1.82.0"
+channel = "1.84.1"

From c1c64f504432ed123bc69f36f5701cf7ff2b2eb3 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Fri, 28 Feb 2025 15:20:41 +0100
Subject: [PATCH 2/6] ci: Bump workflow actions

---
 .github/workflows/build.yml          | 24 ++++++++++++------------
 .github/workflows/daily_security.yml |  2 +-
 .github/workflows/pr_pre-commit.yaml |  4 ++--
 3 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a74380a0f..51e64c8a9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -30,11 +30,11 @@ jobs:
     env:
       RUSTC_BOOTSTRAP: 1
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: dtolnay/rust-toolchain@master
         with:
           toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
-      - uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2.7.5
+      - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
         with:
           key: udeps
       - run: cargo install --locked cargo-udeps@0.1.50
@@ -53,8 +53,8 @@ jobs:
     continue-on-error: ${{ matrix.checks == 'advisories' }}
 
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
-      - uses: EmbarkStudios/cargo-deny-action@3f4a782664881cf5725d0ffd23969fcce89fd868 # v1.6.3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: EmbarkStudios/cargo-deny-action@0484eedcba649433ebd03d9b7c9c002746bbc4b9 # v2.0.6
         with:
           command: check ${{ matrix.checks }}
 
@@ -62,12 +62,12 @@ jobs:
     name: Run Rustfmt
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: dtolnay/rust-toolchain@master
         with:
           toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
           components: rustfmt
-      - uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2.7.5
+      - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
         with:
           key: fmt
       - run: cargo fmt --all -- --check
@@ -80,14 +80,14 @@ jobs:
         run: |
           sudo apt-get update
           sudo apt-get install protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           submodules: recursive
       - uses: dtolnay/rust-toolchain@master
         with:
           toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
           components: clippy
-      - uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2.7.5
+      - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
         with:
           key: clippy
       - name: Run clippy action to produce annotations
@@ -112,12 +112,12 @@ jobs:
     name: Run RustDoc
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: dtolnay/rust-toolchain@master
         with:
           toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
           components: rustfmt
-      - uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2.7.5
+      - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
         with:
           key: doc
       - run: cargo doc --document-private-items
@@ -130,7 +130,7 @@ jobs:
       - run_rustdoc
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: dtolnay/rust-toolchain@master
         with:
           toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
@@ -138,7 +138,7 @@ jobs:
           # for our cases.
           # See: https://github.com/dtolnay/trybuild/issues/236#issuecomment-1620950759
           components: rust-src
-      - uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2.7.5
+      - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
         with:
           key: test
       - run: cargo test --all-features
diff --git a/.github/workflows/daily_security.yml b/.github/workflows/daily_security.yml
index 80a434347..d6f35bfbb 100644
--- a/.github/workflows/daily_security.yml
+++ b/.github/workflows/daily_security.yml
@@ -10,7 +10,7 @@ jobs:
   audit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pr_pre-commit.yaml b/.github/workflows/pr_pre-commit.yaml
index 73590cf69..5ffb192bb 100644
--- a/.github/workflows/pr_pre-commit.yaml
+++ b/.github/workflows/pr_pre-commit.yaml
@@ -13,10 +13,10 @@ jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-      - uses: stackabletech/actions/run-pre-commit@9bd13255f286e4b7a654617268abe1b2f37c3e0a # v0.3.0
+      - uses: stackabletech/actions/run-pre-commit@2d3d7ddad981ae09901d45a0f6bf30c2658b1b78 # v0.7.0
         with:
           rust: ${{ env.RUST_TOOLCHAIN_VERSION }}
           # rust-src is required for trybuild stderr output comparison to work

From ac8c443bffe3273cb9781bcce66dca32fc56eec5 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Fri, 28 Feb 2025 15:33:47 +0100
Subject: [PATCH 3/6] ci: Harden workflows

---
 .github/workflows/build.yml          | 13 +++++++++++++
 .github/workflows/daily_security.yml |  4 ++++
 .github/workflows/pr_pre-commit.yaml |  4 +++-
 .github/workflows/publish-docs.yml   |  4 ++++
 4 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 51e64c8a9..06b233c67 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,6 +22,8 @@ env:
   RUSTDOCFLAGS: "-D warnings"
   RUST_LOG: "info"
 
+permissions: {}
+
 jobs:
   # Identify unused dependencies
   run_udeps:
@@ -31,6 +33,8 @@ jobs:
       RUSTC_BOOTSTRAP: 1
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: dtolnay/rust-toolchain@master
         with:
           toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
@@ -54,6 +58,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: EmbarkStudios/cargo-deny-action@0484eedcba649433ebd03d9b7c9c002746bbc4b9 # v2.0.6
         with:
           command: check ${{ matrix.checks }}
@@ -63,6 +69,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: dtolnay/rust-toolchain@master
         with:
           toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
@@ -82,6 +90,7 @@ jobs:
           sudo apt-get install protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           submodules: recursive
       - uses: dtolnay/rust-toolchain@master
         with:
@@ -113,6 +122,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: dtolnay/rust-toolchain@master
         with:
           toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
@@ -131,6 +142,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: dtolnay/rust-toolchain@master
         with:
           toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
diff --git a/.github/workflows/daily_security.yml b/.github/workflows/daily_security.yml
index d6f35bfbb..e071feea7 100644
--- a/.github/workflows/daily_security.yml
+++ b/.github/workflows/daily_security.yml
@@ -6,11 +6,15 @@ on:
     - cron: '15 4 * * *'
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   audit:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pr_pre-commit.yaml b/.github/workflows/pr_pre-commit.yaml
index 5ffb192bb..cad006a1b 100644
--- a/.github/workflows/pr_pre-commit.yaml
+++ b/.github/workflows/pr_pre-commit.yaml
@@ -7,7 +7,8 @@ on:
 env:
   CARGO_TERM_COLOR: always
   RUST_TOOLCHAIN_VERSION: "nightly-2025-01-15"
-  HADOLINT_VERSION: "v1.17.6"
+
+permissions: {}
 
 jobs:
   pre-commit:
@@ -15,6 +16,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           fetch-depth: 0
       - uses: stackabletech/actions/run-pre-commit@2d3d7ddad981ae09901d45a0f6bf30c2658b1b78 # v0.7.0
         with:
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index e16f83eaa..b4c15fd46 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -15,12 +15,16 @@ on:
 env:
   RUST_TOOLCHAIN_VERSION: "1.82.0"
 
+permissions: {}
+
 jobs:
   build-docs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - uses: dtolnay/rust-toolchain@master
         with:

From c9ae4d0c66c98c4c0ea0a009b07503597eac1815 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Fri, 28 Feb 2025 15:35:59 +0100
Subject: [PATCH 4/6] ci: Bump cargo-udeps to 0.1.55

---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 06b233c67..6dde1df81 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -41,7 +41,7 @@ jobs:
       - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
         with:
           key: udeps
-      - run: cargo install --locked cargo-udeps@0.1.50
+      - run: cargo install --locked cargo-udeps@0.1.55
       - run: cargo udeps --all-targets --all-features
 
   run_cargodeny:

From ab0a0ab8d04c9a206f118add081bff7bba56baa7 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Fri, 28 Feb 2025 16:10:08 +0100
Subject: [PATCH 5/6] chore: Apply suggestion

Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com>
---
 .github/workflows/publish-docs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index b4c15fd46..3ab7055da 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -13,7 +13,7 @@ on:
       - crates/**
 
 env:
-  RUST_TOOLCHAIN_VERSION: "1.82.0"
+  RUST_TOOLCHAIN_VERSION: "1.84.1"
 
 permissions: {}
 

From 17929365e5af66f656642c7b3a93548380940db4 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Fri, 28 Feb 2025 16:12:19 +0100
Subject: [PATCH 6/6] chore: Update issue template

---
 .github/ISSUE_TEMPLATE/release-workspace-members.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/ISSUE_TEMPLATE/release-workspace-members.md b/.github/ISSUE_TEMPLATE/release-workspace-members.md
index 78ef518e4..8eb00310b 100644
--- a/.github/ISSUE_TEMPLATE/release-workspace-members.md
+++ b/.github/ISSUE_TEMPLATE/release-workspace-members.md
@@ -39,6 +39,7 @@ Replace the items in the task lists below with the applicable Pull Requests
 2. Adjust the version `RUST_TOOLCHAIN_VERSION` in the workflows:
      - `.github/workflows/build.yml`
      - `.github/workflows/pre_commit.yaml`
+     - `.github/workflows/publish-docs.yaml`
 3. Add a changelog entry.
 4. Update any actions (using the Git commit hash) in the workflows. Hint: Also
    make sure that the `cargo-udeps` action is up-to-date, otherwise the CI might