From a35ca7cfb15a22e5d249f2f831f83dc55ac092d5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jun 2026 09:38:25 +0000 Subject: [PATCH 1/2] chore(ci): bump the github-actions group with 5 updates Updates the requirements on [actions/checkout](https://github.com/actions/checkout), [dtolnay/rust-toolchain](https://github.com/dtolnay/rust-toolchain), [pnpm/action-setup](https://github.com/pnpm/action-setup), [taiki-e/install-action](https://github.com/taiki-e/install-action) and [softprops/action-gh-release](https://github.com/softprops/action-gh-release) to permit the latest version. Updates `actions/checkout` from 6.0.3 to 7.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/df4cb1c069e1874edd31b4311f1884172cec0e10...9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0) Updates `dtolnay/rust-toolchain` to e081816240890017053eacbb1bdf337761dc5582 - [Release notes](https://github.com/dtolnay/rust-toolchain/releases) - [Commits](https://github.com/dtolnay/rust-toolchain/commits/e081816240890017053eacbb1bdf337761dc5582) Updates `pnpm/action-setup` from 6.0.8 to 6.0.9 - [Release notes](https://github.com/pnpm/action-setup/releases) - [Commits](https://github.com/pnpm/action-setup/compare/0e279bb959325dab635dd2c09392533439d90093...0ebf47130e4866e96fce0953f49152a61190b271) Updates `taiki-e/install-action` from 2.81.10 to 2.82.2 - [Release notes](https://github.com/taiki-e/install-action/releases) - [Commits](https://github.com/taiki-e/install-action/compare/v2.81.10...v2.82.2) Updates `softprops/action-gh-release` from 3.0.0 to 3.0.1 - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](https://github.com/softprops/action-gh-release/compare/b4309332981a82ec1c5618f44dd2e27cc8bfbfda...718ea10b132b3b2eba29c1007bb80653f286566b) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: dtolnay/rust-toolchain dependency-version: e081816240890017053eacbb1bdf337761dc5582 dependency-type: direct:production dependency-group: github-actions - dependency-name: pnpm/action-setup dependency-version: 6.0.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: taiki-e/install-action dependency-version: 2.82.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: softprops/action-gh-release dependency-version: 3.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] --- .github/workflows/apidocs-drift.yml | 6 +++--- .github/workflows/builtins-drift.yml | 2 +- .github/workflows/ci.yml | 16 ++++++++-------- .github/workflows/cli-binaries.yml | 4 ++-- .github/workflows/coreutils-args-drift.yml | 6 +++--- .github/workflows/coverage.yml | 14 +++++++------- .github/workflows/fuzz.yml | 4 ++-- .github/workflows/js.yml | 8 ++++---- .github/workflows/nightly.yml | 10 +++++----- .github/workflows/publish-js.yml | 22 +++++++++++----------- .github/workflows/publish-python.yml | 10 +++++----- .github/workflows/publish.yml | 6 +++--- .github/workflows/python.yml | 12 ++++++------ .github/workflows/release.yml | 4 ++-- .github/workflows/site.yml | 6 +++--- 15 files changed, 65 insertions(+), 65 deletions(-) diff --git a/.github/workflows/apidocs-drift.yml b/.github/workflows/apidocs-drift.yml index ab4231a87..26b802577 100644 --- a/.github/workflows/apidocs-drift.yml +++ b/.github/workflows/apidocs-drift.yml @@ -39,7 +39,7 @@ jobs: timeout-minutes: 10 steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -70,7 +70,7 @@ jobs: timeout-minutes: 25 steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -82,7 +82,7 @@ jobs: workspaces: crates/bashkit-js - name: Setup pnpm - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 + uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: diff --git a/.github/workflows/builtins-drift.yml b/.github/workflows/builtins-drift.yml index f56c42282..281948060 100644 --- a/.github/workflows/builtins-drift.yml +++ b/.github/workflows/builtins-drift.yml @@ -36,7 +36,7 @@ jobs: timeout-minutes: 30 steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 509459caa..55e92f66a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,7 +21,7 @@ jobs: name: Lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # 1.95.0 @@ -48,7 +48,7 @@ jobs: name: Audit runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # 1.95.0 @@ -65,7 +65,7 @@ jobs: command: check licenses sources - name: Install cargo-vet - uses: taiki-e/install-action@7a79fe8c3a13344501c80d99cae481c1c9085912 # v2 + uses: taiki-e/install-action@9e1e5806d4a4822de933115878265be9aaa786d9 # v2 with: tool: cargo-vet @@ -76,7 +76,7 @@ jobs: name: Test runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # 1.95.0 @@ -102,7 +102,7 @@ jobs: - name: Install uutils coreutils multicall for differential tests id: install_uutils continue-on-error: true - uses: taiki-e/install-action@7a79fe8c3a13344501c80d99cae481c1c9085912 # v2 + uses: taiki-e/install-action@9e1e5806d4a4822de933115878265be9aaa786d9 # v2 with: tool: coreutils - name: Verify uutils on PATH @@ -146,7 +146,7 @@ jobs: # `head.repo.fork != true` check passes for same-repo PRs and for # workflow_call events where pull_request context is absent. steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # 1.95.0 @@ -240,10 +240,10 @@ jobs: name: Fuzz Compile Check runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install Rust nightly - uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # nightly + uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # nightly - name: Install cargo-fuzz uses: taiki-e/cache-cargo-install-action@417450f3c33ee20393705369577571770643d4c7 # v3 diff --git a/.github/workflows/cli-binaries.yml b/.github/workflows/cli-binaries.yml index de840e66a..479d3d364 100644 --- a/.github/workflows/cli-binaries.yml +++ b/.github/workflows/cli-binaries.yml @@ -34,7 +34,7 @@ jobs: fi echo "tag=$INPUT_TAG" >> "$GITHUB_OUTPUT" - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: ${{ steps.validate.outputs.tag }} fetch-depth: 0 @@ -84,7 +84,7 @@ jobs: archive: bashkit-x86_64-unknown-linux-gnu.tar.gz steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: ${{ needs.validate-tag.outputs.tag }} persist-credentials: false diff --git a/.github/workflows/coreutils-args-drift.yml b/.github/workflows/coreutils-args-drift.yml index 9497045ab..19cdfa476 100644 --- a/.github/workflows/coreutils-args-drift.yml +++ b/.github/workflows/coreutils-args-drift.yml @@ -45,7 +45,7 @@ jobs: utils: ${{ steps.regen.outputs.utils }} steps: - name: Checkout bashkit - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: path: bashkit persist-credentials: false @@ -57,7 +57,7 @@ jobs: uses: ./bashkit/.github/actions/free-disk-space - name: Checkout uutils/coreutils - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: repository: uutils/coreutils path: uutils @@ -232,7 +232,7 @@ jobs: pull-requests: write steps: - name: Checkout bashkit - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: path: bashkit persist-credentials: false diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 82f888020..a141ec638 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 60 steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # 1.95.0 @@ -37,7 +37,7 @@ jobs: - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - name: Install cargo-tarpaulin - uses: taiki-e/install-action@3d6bdc41132a93ae9dbd2217ccd2bcb56d84eaa8 # cargo-tarpaulin + uses: taiki-e/install-action@9e1e5806d4a4822de933115878265be9aaa786d9 # cargo-tarpaulin # `rg` differential tests compare against real ripgrep. Pin the # binary so coverage does not depend on the runner image package set. @@ -73,7 +73,7 @@ jobs: # GitHub's 6 h default (a GIL deadlock once did exactly that). timeout-minutes: 30 steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # 1.95.0 @@ -83,7 +83,7 @@ jobs: - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - name: Install cargo-llvm-cov - uses: taiki-e/install-action@7a79fe8c3a13344501c80d99cae481c1c9085912 # v2 + uses: taiki-e/install-action@9e1e5806d4a4822de933115878265be9aaa786d9 # v2 with: tool: cargo-llvm-cov @@ -122,7 +122,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # 1.95.0 @@ -132,12 +132,12 @@ jobs: - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - name: Install cargo-llvm-cov - uses: taiki-e/install-action@7a79fe8c3a13344501c80d99cae481c1c9085912 # v2 + uses: taiki-e/install-action@9e1e5806d4a4822de933115878265be9aaa786d9 # v2 with: tool: cargo-llvm-cov - name: Setup pnpm - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 + uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 with: version: 10.33.0 diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml index dc6a7d75b..244093b6f 100644 --- a/.github/workflows/fuzz.yml +++ b/.github/workflows/fuzz.yml @@ -29,10 +29,10 @@ jobs: target: [parser_fuzz, lexer_fuzz, arithmetic_fuzz, glob_fuzz] steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install Rust nightly - uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # nightly + uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # nightly - name: Install cargo-fuzz run: cargo install cargo-fuzz --locked diff --git a/.github/workflows/js.yml b/.github/workflows/js.yml index 27869a4f8..d49d6e983 100644 --- a/.github/workflows/js.yml +++ b/.github/workflows/js.yml @@ -37,7 +37,7 @@ jobs: name: TypeScript type-check runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # 1.95.0 @@ -45,7 +45,7 @@ jobs: - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - name: Setup pnpm - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 + uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 with: version: 10.33.0 @@ -105,7 +105,7 @@ jobs: run: "deno run -A" steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # 1.95.0 @@ -113,7 +113,7 @@ jobs: - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - name: Setup pnpm - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 + uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 with: version: 10.33.0 diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 2387ab2ca..fca4b33ca 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -20,10 +20,10 @@ jobs: name: Miri runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install Rust nightly with Miri - uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # nightly + uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # nightly with: components: miri @@ -44,7 +44,7 @@ jobs: name: Security Analysis runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # 1.95.0 @@ -78,7 +78,7 @@ jobs: # the last two nightly runs cancelled mid-suite at exactly 30 min. timeout-minutes: 90 steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # `-Z build-std` rebuilds std + every dep + every bashkit test with # ASAN instrumentation. Target dir grows past the default runner's @@ -87,7 +87,7 @@ jobs: uses: ./.github/actions/free-disk-space - name: Install Rust nightly - uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # nightly + uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # nightly with: components: rust-src diff --git a/.github/workflows/publish-js.yml b/.github/workflows/publish-js.yml index 71083131a..9b83b1084 100644 --- a/.github/workflows/publish-js.yml +++ b/.github/workflows/publish-js.yml @@ -33,7 +33,7 @@ jobs: name: Verify publish source runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 @@ -81,10 +81,10 @@ jobs: # build: pnpm exec napi build --platform --release --target wasm32-wasip1-threads && pnpm run build:cjs && pnpm run build:ts steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup pnpm - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 + uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 with: version: 10.33.0 @@ -171,10 +171,10 @@ jobs: node: ["20", "22", "24"] runs-on: ${{ matrix.settings.host }} steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup pnpm - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 + uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 with: version: 10.33.0 @@ -275,10 +275,10 @@ jobs: node: ["20", "22", "24"] runs-on: ${{ contains(matrix.target, 'aarch64') && 'ubuntu-24.04-arm' || 'ubuntu-latest' }} steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup pnpm - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 + uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 with: version: 10.33.0 @@ -383,9 +383,9 @@ jobs: # needs: [build-js] # runs-on: ubuntu-latest # steps: - # - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + # - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - name: Setup pnpm - # uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 + # uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 # with: # version: 10.33.0 # - name: Setup node @@ -430,7 +430,7 @@ jobs: id-token: write steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Verify publish source is on main run: | @@ -443,7 +443,7 @@ jobs: echo "Publish source verified on origin/main: $SOURCE_SHA" - name: Setup pnpm - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 + uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 with: version: 10.33.0 diff --git a/.github/workflows/publish-python.yml b/.github/workflows/publish-python.yml index e42008ee4..98debcd80 100644 --- a/.github/workflows/publish-python.yml +++ b/.github/workflows/publish-python.yml @@ -27,7 +27,7 @@ jobs: name: Build sdist runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: @@ -90,7 +90,7 @@ jobs: runs-on: ${{ matrix.runs-on }} steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: @@ -125,7 +125,7 @@ jobs: RUST_NIGHTLY: "nightly-2026-05-29" PYODIDE_BUILD_VERSION: "0.34.4" steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # Python 3.13 -> pyodide-build's modern config (Pyodide 0.29.x, Emscripten # 4.0.9), whose binaryen understands modern LLVM's wasm target-features and @@ -140,7 +140,7 @@ jobs: - name: Install nightly Rust with the Emscripten target # @nightly matches the repo's other nightly jobs; the exact nightly is # pinned via the toolchain: input below. - uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # nightly + uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # nightly with: toolchain: ${{ env.RUST_NIGHTLY }} targets: wasm32-unknown-emscripten @@ -168,7 +168,7 @@ jobs: needs: [build, build-sdist, build-emscripten] runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Verify publish source is on main release tag env: diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 53fdbd8a5..9113a4176 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest environment: release steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -98,7 +98,7 @@ jobs: needs: publish-bashkit environment: release steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false @@ -131,7 +131,7 @@ jobs: runs-on: ubuntu-latest needs: [publish-bashkit, publish-bashkit-cli] steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index b22cff18a..8a87a3b25 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -40,7 +40,7 @@ jobs: name: Lint & Format runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 @@ -67,7 +67,7 @@ jobs: matrix: python-version: ["3.9", "3.12", "3.13", "3.14"] steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: @@ -105,7 +105,7 @@ jobs: name: Examples runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: @@ -157,7 +157,7 @@ jobs: name: Build wheel runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: @@ -196,7 +196,7 @@ jobs: RUST_NIGHTLY: "nightly-2026-05-29" PYODIDE_BUILD_VERSION: "0.34.4" steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # Python 3.13 selects pyodide-build's modern config (Pyodide 0.29.x, # Emscripten 4.0.9), whose binaryen understands the wasm target-features @@ -213,7 +213,7 @@ jobs: - name: Install nightly Rust with the Emscripten target # @nightly matches the repo's other nightly jobs (fuzz.yml, nightly.yml, # ci.yml); the exact nightly is pinned via the toolchain: input below. - uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # nightly + uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # nightly with: toolchain: ${{ env.RUST_NIGHTLY }} targets: wasm32-unknown-emscripten diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f474e127e..ed1cf3320 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,7 +16,7 @@ jobs: # Only run if manually triggered OR commit message starts with "chore(release): prepare v" if: "${{ github.event_name == 'workflow_dispatch' || startsWith(github.event.head_commit.message, 'chore(release): prepare v') }}" steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 @@ -100,7 +100,7 @@ jobs: fi - name: Create GitHub Release - uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 + uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3 with: tag_name: ${{ steps.version.outputs.tag }} name: Release ${{ steps.version.outputs.tag }} diff --git a/.github/workflows/site.yml b/.github/workflows/site.yml index 26a811068..19c708c5e 100644 --- a/.github/workflows/site.yml +++ b/.github/workflows/site.yml @@ -38,7 +38,7 @@ jobs: name: Docs Routes runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Node.js uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: @@ -54,9 +54,9 @@ jobs: name: Site Build runs-on: ubuntu-latest steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup pnpm - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 + uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 with: version: 10.11.1 - name: Setup Node.js From 38b6b2e1d10bbcedcfc34000c2d47c17180046f7 Mon Sep 17 00:00:00 2001 From: Mykhailo Chalyi Date: Mon, 22 Jun 2026 19:58:37 +0000 Subject: [PATCH 2/2] chore(ci): keep branch-pinned toolchain/tarpaulin refs on rebump dependabot collapsed two branch-semantic action refs onto version-tag SHAs, which silently breaks the jobs that rely on the ref name: - dtolnay/rust-toolchain@ selects the nightly channel; pointing it at the 1.95.0 tag SHA switched fuzz/miri/emscripten/ASAN jobs to stable -> 'can't find crate for core' on wasm32 targets. - taiki-e/install-action@cargo-tarpaulin auto-installs tarpaulin; the v2 tag SHA does not -> 'no such command: tarpaulin' in coverage. Restore those two refs to their branch-pinned SHAs while keeping the safe bumps (actions/checkout v7, pnpm/action-setup, action-gh-release, and the install-action calls that pass an explicit tool:). --- .github/workflows/ci.yml | 2 +- .github/workflows/coverage.yml | 2 +- .github/workflows/fuzz.yml | 2 +- .github/workflows/nightly.yml | 4 ++-- .github/workflows/publish-python.yml | 2 +- .github/workflows/python.yml | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 55e92f66a..734b573d2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -243,7 +243,7 @@ jobs: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install Rust nightly - uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # nightly + uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # nightly - name: Install cargo-fuzz uses: taiki-e/cache-cargo-install-action@417450f3c33ee20393705369577571770643d4c7 # v3 diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index a141ec638..2fa6bc4d4 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -37,7 +37,7 @@ jobs: - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - name: Install cargo-tarpaulin - uses: taiki-e/install-action@9e1e5806d4a4822de933115878265be9aaa786d9 # cargo-tarpaulin + uses: taiki-e/install-action@3d6bdc41132a93ae9dbd2217ccd2bcb56d84eaa8 # cargo-tarpaulin # `rg` differential tests compare against real ripgrep. Pin the # binary so coverage does not depend on the runner image package set. diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml index 244093b6f..262299d6e 100644 --- a/.github/workflows/fuzz.yml +++ b/.github/workflows/fuzz.yml @@ -32,7 +32,7 @@ jobs: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install Rust nightly - uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # nightly + uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # nightly - name: Install cargo-fuzz run: cargo install cargo-fuzz --locked diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index fca4b33ca..4d476b3c9 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -23,7 +23,7 @@ jobs: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install Rust nightly with Miri - uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # nightly + uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # nightly with: components: miri @@ -87,7 +87,7 @@ jobs: uses: ./.github/actions/free-disk-space - name: Install Rust nightly - uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # nightly + uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # nightly with: components: rust-src diff --git a/.github/workflows/publish-python.yml b/.github/workflows/publish-python.yml index 98debcd80..c5b838a83 100644 --- a/.github/workflows/publish-python.yml +++ b/.github/workflows/publish-python.yml @@ -140,7 +140,7 @@ jobs: - name: Install nightly Rust with the Emscripten target # @nightly matches the repo's other nightly jobs; the exact nightly is # pinned via the toolchain: input below. - uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # nightly + uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # nightly with: toolchain: ${{ env.RUST_NIGHTLY }} targets: wasm32-unknown-emscripten diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 8a87a3b25..4ae38ebdd 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -213,7 +213,7 @@ jobs: - name: Install nightly Rust with the Emscripten target # @nightly matches the repo's other nightly jobs (fuzz.yml, nightly.yml, # ci.yml); the exact nightly is pinned via the toolchain: input below. - uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # nightly + uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # nightly with: toolchain: ${{ env.RUST_NIGHTLY }} targets: wasm32-unknown-emscripten