From 75662d8370021c268f629e2abbe142c86b7c9cb6 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Wed, 7 Jan 2026 22:33:13 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot
---
 .github/workflows/ci.yml | 32 ++++++++++++++++----------------
 .github/workflows/codeql.yml | 2 +-
 .github/workflows/pr-checks.yml | 2 +-
 .github/workflows/release.yml | 8 ++++----
 .github/workflows/security.yml | 2 +-
 5 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d4f75f8..b1579e8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -43,7 +43,7 @@ jobs:
 - name: Check for code changes
 id: filter
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+ uses: step-security/paths-filter@6eee183b0d2fd101d3f8ee2935c127bca14c5625 # v3.0.5
 with:
 filters: |
 code:
@@ -69,7 +69,7 @@ jobs:
 submodules: recursive
 - name: Install Rust nightly toolchain
- uses: dtolnay/rust-toolchain@nightly
+ uses: dtolnay/rust-toolchain@881ba7bf39a41cda34ac9e123fb41b44ed08232f # nightly
 with:
 components: rustfmt
@@ -96,7 +96,7 @@ jobs:
 submodules: recursive
 - name: Install Rust toolchain
- uses: dtolnay/rust-toolchain@stable
+ uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable
 with:
 components: clippy
@@ -106,7 +106,7 @@ jobs:
 sudo apt-get install -y -qq protobuf-compiler mold
 - name: Cache Rust dependencies
- uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+ uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
 with:
 shared-key: clippy
 save-if: false
@@ -137,7 +137,7 @@ jobs:
 submodules: recursive
 - name: Install Rust toolchain
- uses: dtolnay/rust-toolchain@master
+ uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # master
 with:
 toolchain: "1.88"
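Review bot: The `uses:` line of the `Check for code changes` step in ci.yml (hunk at line 43) changes the action's owner, not just its pin: `dorny/paths-filter` becomes `step-security/paths-filter`, and the tag comment moves from v3.0.2 to v3.0.5 in the same edit. A full commit SHA makes the reference immutable but says nothing about provenance, so it is worth confirming before merge that the SHA is reachable from the tag named in the trailing comment in the step-security repository. The same owner swap is made for `Swatinem/rust-cache` in every cache step of ci.yml and release.yml and for `dorny/paths-filter` in codeql.yml and security.yml. I would record the intent next to the pin, for example `# maintained fork of dorny/paths-filter; update SHA and tag comment together`.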
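Review bot: The trailing comment on the new `uses:` line of the `Install Rust nightly toolchain` step in ci.yml (hunk at line 69) is a branch name, `# nightly`, not a release tag, so update tooling has no version to compare the SHA against and the pin can go stale unnoticed; the `# stable` pins in ci.yml and release.yml and the `# master` pin in the MSRV step have the same property. Pinning the action's commit also does not pin the compiler: as far as I can tell the action still resolves the nightly channel when the job runs, so that build input stays floating. If reproducibility is wanted, consider an explicit dated channel under `with:`, e.g. `toolchain: nightly-YYYY-MM-DD` (placeholder date), the way the MSRV step already sets `toolchain: "1.88"`.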
@@ -147,7 +147,7 @@ jobs:
 sudo apt-get install -y -qq protobuf-compiler
 - name: Cache Rust dependencies
- uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+ uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
 with:
 shared-key: msrv
@@ -177,7 +177,7 @@ jobs:
 submodules: recursive
 - name: Install Rust toolchain
- uses: dtolnay/rust-toolchain@stable
+ uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable
 - name: Install system dependencies
 run: |
@@ -188,7 +188,7 @@ jobs:
 uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
 - name: Cache Rust dependencies
- uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+ uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
 with:
 shared-key: build
 save-if: ${{ github.ref == 'refs/heads/main' }}
@@ -226,7 +226,7 @@ jobs:
 submodules: recursive
 - name: Install Rust toolchain
- uses: dtolnay/rust-toolchain@stable
+ uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable
 - name: Install system dependencies (Linux)
 if: runner.os == 'Linux'
@@ -250,7 +250,7 @@ jobs:
 tool: cargo-nextest
 - name: Cache Rust dependencies
- uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+ uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
 with:
 shared-key: test-${{ matrix.os }}
 save-if: ${{ github.ref == 'refs/heads/main' }}
@@ -280,7 +280,7 @@ jobs:
 submodules: recursive
 - name: Install Rust nightly toolchain
- uses: dtolnay/rust-toolchain@nightly
+ uses: dtolnay/rust-toolchain@881ba7bf39a41cda34ac9e123fb41b44ed08232f # nightly
 - name: Install system dependencies
 run: |
@@ -288,7 +288,7 @@ jobs:
 sudo apt-get install -y -qq protobuf-compiler
 - name: Cache Rust dependencies
- uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+ uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
 with:
 shared-key: docs
@@ -319,7 +319,7 @@ jobs:
 submodules: recursive
 - name: Install Rust toolchain
- uses: dtolnay/rust-toolchain@stable
+ uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable
 with:
 components: llvm-tools-preview
@@ -334,7 +334,7 @@ jobs:
 tool: cargo-llvm-cov
 - name: Cache Rust dependencies
- uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+ uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
 with:
 shared-key: build
 save-if: false
@@ -364,10 +364,10 @@ jobs:
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Install Rust toolchain
- uses: dtolnay/rust-toolchain@stable
+ uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable
 - name: Cache Rust dependencies
- uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+ uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
 with:
 shared-key: dependencies
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 07c87e5..eafb0cc 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -39,7 +39,7 @@ jobs:
 - name: Check for changes
 id: filter
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+ uses: step-security/paths-filter@6eee183b0d2fd101d3f8ee2935c127bca14c5625 # v3.0.5
 with:
 filters: |
 rust:
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index f838726..13a57a1 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -24,7 +24,7 @@ jobs:
 egress-policy: audit
 - name: Validate PR title
- uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
+ uses: step-security/action-semantic-pull-request@bc0cf74f5be4ce34accdec1ae908dff38dc5def1 # v6.1.1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
@@ -50,7 +50,7 @@ jobs:
 - name: Create Release
 id: create_release
- uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+ uses: step-security/action-gh-release@5f6a6ab53a5a2c000ff3a16fad038291e5b97ce7 # v2.4.2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
@@ -102,7 +102,7 @@ jobs:
 submodules: recursive
 - name: Install Rust toolchain
- uses: dtolnay/rust-toolchain@stable
+ uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable
 with:
 targets: ${{ matrix.target }}
@@ -139,7 +139,7 @@ jobs:
 fi
 - name: Cache Rust dependencies
- uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+ uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
 with:
 shared-key: release-${{ matrix.os }}-${{ matrix.target }}
@@ -195,7 +195,7 @@ jobs:
 submodules: recursive
 - name: Install Rust toolchain
- uses: dtolnay/rust-toolchain@stable
+ uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable
 - name: Install system dependencies
 run: |
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index f851182..7cd4cb1 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
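Review bot: The replaced action on the `Validate PR title` step in pr-checks.yml is handed `GITHUB_TOKEN` through `env:`, so this is a place where the new owner's code runs with a credential, and the hunk shows neither the workflow trigger nor a `permissions:` block. If the token is not already scoped down, that should be done with this change; a title check presumably needs no more than read access to pull requests. The `egress-policy: audit` visible in the context only records outbound traffic and does not block it, so it would not stop an unexpected call from the swapped action. A short comment above the `uses:` line, such as `# fork of amannn/action-semantic-pull-request; runs with GITHUB_TOKEN, keep permissions minimal`, would make the trust decision visible.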
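Review bot: The new `uses:` line on the `Create Release` step in release.yml (hunk at line 50) moves the tag comment from `# v2.5.0` to `# v2.4.2`, so a commit titled as hardening also downgrades the release action while changing its owner. Whatever upstream fixed or added between those two tags is dropped, and this step runs with `GITHUB_TOKEN` in the workflow that publishes artifacts. Either hold this hunk until the fork offers v2.5.0 or state the downgrade next to the pin, e.g. `# step-security fork at v2.4.2; replaces softprops v2.5.0, re-check release inputs`. The step's `with:` block continues outside the hunk, so the inputs it relies on cannot be checked from here.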
@@ -29,7 +29,7 @@ jobs:
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Check for dependency changes
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+ uses: step-security/paths-filter@6eee183b0d2fd101d3f8ee2935c127bca14c5625 # v3.0.5
 id: filter
 with:
 filters: |