CI: Harden GH Actions (#421)

* ci: Reference rust-toolchain action by master-branch commit hash * ci: Remove issue write permissions from cargo-deny (don't believe it actually was ever used)
orion-rs · Jan 19, 2025 · fbebac0 · fbebac0
1 parent 865c7c0
commit fbebac0
Showing 4 changed files with 13 additions and 7 deletions.
diff --git a/.github/workflows/audit_check.yml b/.github/workflows/audit_check.yml
@@ -1,4 +1,5 @@
 name: cargo deny (licenses, advisories, sources)
+
 permissions:
   contents: read
 

diff --git a/.github/workflows/daily_tests.yml b/.github/workflows/daily_tests.yml
@@ -22,7 +22,7 @@ jobs:
           persist-credentials: false
 
       - name: Install toolchain
-        uses: dtolnay/rust-toolchain@master
+        uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203
         with:
           toolchain: ${{ matrix.toolchain }}
 

diff --git a/.github/workflows/lints.yml b/.github/workflows/lints.yml
@@ -15,8 +15,9 @@ jobs:
           persist-credentials: false
 
       - name: Install stable toolchain
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203
         with:
+          toolchain: stable
           components: rustfmt, clippy
 
       - name: Run cargo fmt

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -35,7 +35,7 @@ jobs:
           persist-credentials: false
 
       - name: Install toolchain
-        uses: dtolnay/rust-toolchain@master
+        uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203
         with:
           toolchain: ${{ matrix.toolchain }}
 
@@ -73,7 +73,7 @@ jobs:
           persist-credentials: false
 
       - name: Install toolchain
-        uses: dtolnay/rust-toolchain@master
+        uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203
         with:
           toolchain: nightly
           targets: x86_64-unknown-linux-gnu
@@ -135,7 +135,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: dtolnay/rust-toolchain@master
+      - uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203
         with:
           toolchain: stable
           targets: ${{ matrix.arch }}
@@ -150,7 +150,9 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203
+        with:
+          toolchain: stable
 
       - run: cargo doc --no-deps --all-features
 
@@ -162,6 +164,8 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203
+        with:
+          toolchain: stable
 
       - run: cargo test --benches