pnpm/.github/actions/rustup/action.yml
Zoltan Kochan d2b64b6689 ci(pacquet): fix all zizmor code-scanning findings (#11641)
* ci(pacquet): fix all zizmor code-scanning findings

Resolves the 90 alerts opened by zizmor against the imported pacquet-*
workflows and shared composite actions:

- unpinned-uses: pin every third-party action to a SHA + version comment
  (matching SHAs already used elsewhere in the repo where applicable;
  taiki-e/install-action collapsed onto v2.78.0 with explicit `tool:` input).
- artipacked: add `persist-credentials: false` to every actions/checkout.
- template-injection: pass `inputs.*` and `steps.*.outputs.*` through `env:`
  in binstall/rustup composite actions and pacquet-release-to-npm.yml.
- excessive-permissions: add top-level `permissions: contents: read` to
  pacquet-release-to-npm.yml; move issues/pull-requests writes from the
  workflow level to the benchmark-compare job in pacquet-micro-benchmark.yml.
- dangerous-triggers: keep workflow_run in pacquet-integrated-benchmark-
  comment.yml but suppress with a documented zizmor: ignore — the trigger
  is the recommended pattern for posting comments back to fork PRs.
- superfluous-actions: keep softprops/action-gh-release with a zizmor:
  ignore (matches release.yml).

Verified by running `zizmor .github` locally with no remaining findings.

* ci(pacquet): point SHA pins at the patch-version tag

Swatinem/rust-cache and montudor/action-zip were pinned to the SHA the
major-version alias (`v2`, `v1`) resolves to, but the version comments
claimed `v2.9.1` / `v1.0.0`. zizmor's online `ref-version-mismatch`
audit flagged the inconsistency. Repoint at the SHAs the patch-version
tags actually annotate so the pin and the comment agree.
2026-05-14 19:33:30 +02:00

91 lines
2.1 KiB
YAML

name: Rustup
description: Install Rust with minimal profile and additional components
inputs:
  # See https://rust-lang.github.io/rustup/concepts/components.html
  clippy:
    default: false
    required: false
    type: boolean
  fmt:
    default: false
    required: false
    type: boolean
  docs:
    default: false
    required: false
    type: boolean
  restore-cache:
    default: true
    required: false
    type: boolean
  save-cache:
    default: false
    required: false
    type: boolean
  shared-key:
    default: 'warm'
    required: false
    type: string
runs:
  using: composite
  steps:
    - name: Print Inputs
      shell: bash
      env:
        CLIPPY: ${{ inputs.clippy }}
        FMT: ${{ inputs.fmt }}
        DOCS: ${{ inputs.docs }}
        RESTORE_CACHE: ${{ inputs.restore-cache }}
        SAVE_CACHE: ${{ inputs.save-cache }}
      run: |
        echo "clippy: $CLIPPY"
        echo "fmt: $FMT"
        echo "docs: $DOCS"
        echo "restore-cache: $RESTORE_CACHE"
        echo "save-cache: $SAVE_CACHE"
    - name: Remove `profile` line on MacOS
      shell: bash
      if: runner.os == 'macOS'
      run: sed -i '' '/profile/d' rust-toolchain.toml
    - name: Remove `profile` line on non-MacOS
      shell: bash
      if: runner.os != 'macOS'
      run: sed -i '/profile/d' rust-toolchain.toml
    - name: Set minimal
      shell: bash
      run: rustup set profile minimal
    - name: Add Clippy
      shell: bash
      if: ${{ inputs.clippy == 'true' }}
      run: rustup component add clippy
    - name: Add Rustfmt
      shell: bash
      if: ${{ inputs.fmt == 'true' }}
      run: rustup component add rustfmt
    - name: Add docs
      shell: bash
      if: ${{ inputs.docs == 'true' }}
      run: rustup component add rust-docs
    - name: Install
      shell: bash
      run: |
        rustup show
        git restore .
    - name: Cache on ${{ github.ref_name }}
      uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
      if: ${{ inputs.restore-cache == 'true' }}
      with:
        shared-key: ${{ inputs.shared-key }}
        save-if: ${{ inputs.save-cache == 'true' }}
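
The following is an added example, not part of this repository and not zizmor's implementation: a small line-based check for two of the patterns the commit message names, `${{ ... }}` expansion inside a `run:` script (template-injection) and a `uses:` reference that is not pinned to a 40-character SHA (unpinned-uses). It is a heuristic scanner rather than a YAML parser, and `SAMPLE` is constructed to show the unsafe and the fixed step style side by side.

```python
import re

# Constructed sample (not from the repository): pre-fix and post-fix step styles.
SAMPLE = '''\
steps:
  - name: Print shared key (unsafe)
    shell: bash
    run: |
      echo "shared-key: ${{ inputs.shared-key }}"
  - name: Print shared key (safe)
    shell: bash
    env:
      SHARED_KEY: ${{ inputs.shared-key }}
    run: |
      echo "shared-key: $SHARED_KEY"
  - uses: Swatinem/rust-cache@v2
  - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
'''

EXPR = re.compile(r"\$\{\{.*?\}\}")
RUN = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")

def audit(text):
    # key_col: column of the `run:` key while we are inside its block scalar
    findings, key_col = [], None
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if key_col is not None:
            if not line.strip() or indent > key_col:
                if EXPR.search(line):  # expression is pasted into the script text
                    findings.append((no, "template-injection"))
                continue
            key_col = None  # dedent: the script body has ended
        run, uses = RUN.match(line), USES.match(line)
        if run:
            if run.group(2)[:1] in ("|", ">"):
                key_col = len(run.group(1))
            elif EXPR.search(run.group(2)):  # single-line `run:` form
                findings.append((no, "template-injection"))
        elif uses and not uses.group(1).startswith("./") and not SHA_PIN.search(uses.group(1)):
            findings.append((no, "unpinned-uses"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Expressions under `env:`, `if:`, `with:` and `name:` are not reported, because they are not spliced into the text of a shell script.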