step-security · Raj-StepSecurity · Dec 12, 2025 · Nov 27, 2025 · Nov 27, 2025 · Nov 27, 2025
diff --git a/.github/workflows/buildjet.yml b/.github/workflows/buildjet.yml
@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: ["main"]
 
+permissions: {}
+
 jobs:
   buildjet:
     strategy:
@@ -25,7 +27,9 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - run: rustup toolchain install stable --profile minimal --no-self-update
 

diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml
@@ -23,7 +23,9 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js 20.x
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2

diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: ["main"]
 
+permissions: {}
+
 jobs:
   coverage:
     strategy:
@@ -25,11 +27,15 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - run: rustup toolchain install stable --profile minimal --component llvm-tools-preview --no-self-update
 
-      - uses: taiki-e/install-action@ef59e9fa397c19f99f2dda1d9857c0c704c41966 # cargo-llvm-cov
+      - uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-llvm-cov
 
       - uses: ./
         with:

diff --git a/.github/workflows/git-registry.yml b/.github/workflows/git-registry.yml
@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: ["main"]
 
+permissions: {}
+
 jobs:
   git-registry:
     strategy:
@@ -26,7 +28,9 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - run: rustup toolchain install stable --profile minimal --no-self-update
 

diff --git a/.github/workflows/install.yml b/.github/workflows/install.yml
@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: ["main"]
 
+permissions: {}
+
 jobs:
   install:
     strategy:
@@ -25,7 +27,9 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - run: rustup toolchain install stable --profile minimal --no-self-update
 

diff --git a/.github/workflows/multi-job-cache.yml b/.github/workflows/multi-job-cache.yml
@@ -0,0 +1,75 @@
+name: multi-job-cache
+
+on: [push, pull_request]
+
+permissions: {}
+
+jobs:
+  multi-job-cache-1:
+    if: github.repository == 'step-security/rust-cache'
+    strategy:
+      fail-fast: false
+      matrix:
+        os: ${{ github.actor == 'dependabot[bot]' && fromJSON('["ubuntu-latest"]') || fromJSON('["ubuntu-latest", "macos-latest", "windows-latest"]') }}
+
+    name: Test multi-job cache (1) on ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+
+    env:
+      CARGO_TERM_COLOR: always
+
+    steps:
+      - name: checkout
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: install rust toolchain
+        run: rustup toolchain install stable --profile minimal --target wasm32-unknown-unknown --no-self-update
+
+      - name: cache
+        uses: ./
+        with:
+          workspaces: |
+            tests
+          add-job-id-key: "false"
+          add-rust-environment-hash-key: "false"
+
+      - name: cargo check (tests)
+        working-directory: tests
+        run: cargo check
+
+  multi-job-cache-2:
+    if: github.repository == 'step-security/rust-cache'
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+
+    name: Test multi-job cache (2) on ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+
+    env:
+      CARGO_TERM_COLOR: always
+
+    steps:
+      - name: checkout
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: install rust toolchain
+        run: rustup toolchain install stable --profile minimal --target wasm32-unknown-unknown --no-self-update
+
+      - name: cache
+        uses: ./
+        with:
+          workspaces: |
+            tests/wasm-workspace
+          add-job-id-key: "false"
+          add-rust-environment-hash-key: "false"
+
+      - name: cargo check (tests/wasm-workspace)
+        working-directory: tests/wasm-workspace
+        run: cargo check
+
diff --git a/.github/workflows/simple.yml b/.github/workflows/simple.yml
@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: ["main"]
 
+permissions: {}
+
 jobs:
   simple:
     strategy:
@@ -25,7 +27,9 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - run: rustup toolchain install stable --profile minimal --no-self-update
 

diff --git a/.github/workflows/target-dir.yml b/.github/workflows/target-dir.yml
@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: ["main"]
 
+permissions: {}
+
 jobs:
   target-dir:
     strategy:
@@ -25,7 +27,9 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - run: rustup toolchain install stable --profile minimal --no-self-update
 

diff --git a/.github/workflows/workspaces.yml b/.github/workflows/workspaces.yml
@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: ["main"]
 
+permissions: {}
+
 jobs:
   workspaces:
     strategy:
@@ -25,7 +27,9 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - run: rustup toolchain install stable --profile minimal --target wasm32-unknown-unknown --no-self-update
 

diff --git a/README.md b/README.md
@@ -28,6 +28,16 @@ sensible defaults.
     # default: empty
     key: ""
 
+    # If the automatic `job`-based cache key should include the job id.
+    # default: "true"
+    add-job-id-key: ""
+
+    # Weather the a hash of the rust environment should be included in the cache key.
+    # This includes a hash of all Cargo.toml/Cargo.lock files, rust-toolchain files,
+    # and .cargo/config.toml files (if present), as well as the specified 'env-vars'.
+    # default: "true"
+    add-rust-environment-hash-key: ""
+
     # A whitespace separated list of env-var *prefixes* who's value contributes
     # to the environment cache key.
     # The env-vars are matched by *prefix*, so the default `RUST` var will
@@ -121,12 +131,14 @@ This action currently caches the following files/directories:
 
 This cache is automatically keyed by:
 
-- the github [`job_id`](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_id),
+- the github [`job_id`](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_id)
+(if `add-job-id-key` is `"true"`),
 - the rustc release / host / hash,
-- the value of some compiler-specific environment variables (eg. RUSTFLAGS, etc), and
-- a hash of all `Cargo.lock` / `Cargo.toml` files found anywhere in the repository (if present).
-- a hash of all `rust-toolchain` / `rust-toolchain.toml` files in the root of the repository (if present).
-- a hash of all `.cargo/config.toml` files in the root of the repository (if present).
+- the following values, if `add-rust-environment-hash-key` is `"true"`:
+  - the value of some compiler-specific environment variables (eg. RUSTFLAGS, etc), and
+  - a hash of all `Cargo.lock` / `Cargo.toml` files found anywhere in the repository (if present).
+  - a hash of all `rust-toolchain` / `rust-toolchain.toml` files in the root of the repository (if present).
+  - a hash of all `.cargo/config.toml` files in the root of the repository (if present).
 
 An additional input `key` can be provided if the builtin keys are not sufficient.
 

diff --git a/action.yml b/action.yml
@@ -11,6 +11,14 @@ inputs:
   key:
     description: "An additional cache key that is added alongside the automatic `job`-based cache key and can be used to further differentiate jobs."
     required: false
+  add-job-id-key:
+    description: "If the automatic `job`-based cache key should include the job id. Defaults to true."
+    required: false
+    default: "true"
+  add-rust-environment-hash-key:
+    description: "Weather the a hash of the rust environment should be included in the cache key. This includes a hash of all Cargo.toml/Cargo.lock files, rust-toolchain files, and .cargo/config.toml files (if present), as well as the specified 'env-vars'. Defaults to true."
+    required: false
+    default: "true"
   env-vars:
     description: "Additional environment variables to include in the cache key, separated by spaces."
     required: false