fix(security): SHA-pin GitHub Actions in rust-ci.yml

Jonathan D.A. Jewell · claude · Jonathan D.A. Jewell · commit d5fa7c5fdc0e · 2025-12-15T21:51:22.000Z
- dtolnay/rust-toolchain@stable -> @6d9817901c499d6b02debbb57edb38d33daa680b - Swatinem/rust-cache@v2 -> @ad397744b0d591a723ab90405b7247fac0e6b8db - codecov/codecov-action@v5 -> @671740ac38dd9b0130fbe1cec585b89eea48d3de Addresses OpenSSF Scorecard Pinned-Dependencies check. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/.github/workflows/rust-ci.yml b/.github/workflows/rust-ci.yml
@@ -16,10 +16,10 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@6d9817901c499d6b02debbb57edb38d33daa680b # stable
         with:
           components: rustfmt, clippy
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db # v2
 
       - name: Check formatting
         run: cargo fmt --all -- --check
@@ -39,7 +39,7 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@6d9817901c499d6b02debbb57edb38d33daa680b # stable
       - name: Install cargo-audit
         run: cargo install cargo-audit
       - name: Security audit
@@ -53,11 +53,11 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@6d9817901c499d6b02debbb57edb38d33daa680b # stable
       - name: Install tarpaulin
         run: cargo install cargo-tarpaulin
       - name: Generate coverage
         run: cargo tarpaulin --out Xml
-      - uses: codecov/codecov-action@v5
+      - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
         with:
           files: cobertura.xml
diff --git a/STATE.scm b/STATE.scm
@@ -151,6 +151,14 @@
 
 (define session-history
   '((snapshots
+     ((date . "2025-12-15")
+      (session . "security-fixes")
+      (accomplishments
+       ("SHA-pinned dtolnay/rust-toolchain@stable in rust-ci.yml"
+        "SHA-pinned Swatinem/rust-cache@v2 in rust-ci.yml"
+        "SHA-pinned codecov/codecov-action@v5 in rust-ci.yml"
+        "OpenSSF Scorecard Pinned-Dependencies compliance"))
+      (notes . "Fixed unpinned GitHub Actions for OpenSSF Scorecard compliance"))
      ((date . "2025-12-15")
       (session . "initial-state-creation")
       (accomplishments
