ci: pin all actions to verified SHAs and clear zizmor findings

Pin every action to a commit SHA whose tag comment matches (verified via gh api),
add least-privilege permissions, set persist-credentials: false, and replace the
archived actions-rs/cargo with a plain cargo test. zizmor clean at default persona.
This commit is contained in:
Christian Visintin
2026-06-07 16:46:56 +02:00
parent c652ca18b8
commit cdd4c60805
7 changed files with 45 additions and 19 deletions

View File

@@ -14,12 +14,17 @@ on:
env:
CARGO_TERM_COLOR: always
permissions:
contents: read
jobs:
build-macos:
runs-on: macos-latest
steps:
- uses: actions/checkout@v6
- uses: dtolnay/rust-toolchain@stable
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
persist-credentials: false
- uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
with:
toolchain: stable
components: rustfmt, clippy