From eabb2173bad721666577cd2255bd6ad0f0151368 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Wed, 7 Jan 2026 22:25:47 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot
---
 .github/workflows/benchmark.yml | 2 +-
 .github/workflows/ci.yml | 22 +++++++++++-----------
 .github/workflows/codeql.yml | 2 +-
 .github/workflows/release.yml | 12 ++++++------
 .github/workflows/security.yml | 2 +-
 5 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 88cca733..afb207cb 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -52,7 +52,7 @@ jobs:
 mold --version
 - name: Cache Rust dependencies
- uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
+ uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
 with:
 shared-key: benchmark-4-core
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ac548b55..870718b9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -42,7 +42,7 @@ jobs:
 - name: Check for code changes
 id: filter
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+ uses: step-security/paths-filter@6eee183b0d2fd101d3f8ee2935c127bca14c5625 # v3.0.5
 with:
 filters: |
 code:
@@ -118,7 +118,7 @@ jobs:
 sudo dpkg -i foundationdb-clients_7.3.69-1_amd64.deb
 - name: Cache Rust dependencies
- uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
+ uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
 with:
 shared-key: ubuntu-latest-x86_64-unknown-linux-gnu
 save-if: false
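Review bot: The `uses:` line of the "Cache Rust dependencies" step changes both the publisher (Swatinem to step-security) and the release (v2.7.8 to v2.8.2) in one edit, and the trailing version comment is only a label that nothing at run time checks against the 40-character pin. Before merging, confirm that `f8fba7098297c8c53a7c9a30575ec2ad4ad85056` is the commit the v2.8.2 tag points to in step-security/rust-cache, and do the same for the paths-filter pin `6eee183b0d2fd101d3f8ee2935c127bca14c5625` (v3.0.2 to v3.0.5) used in ci.yml, codeql.yml and security.yml. The same point applies to every rust-cache hunk in ci.yml and release.yml. I would also record the provenance next to the pin, e.g. `# step-security fork of Swatinem/rust-cache, pin checked against tag v2.8.2`, and check that any Dependabot or Renovate configuration covers the new owner so the pins keep receiving updates.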
@@ -180,7 +180,7 @@ jobs:
 uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
 - name: Cache Rust dependencies
- uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
+ uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
 with:
 shared-key: ubuntu-latest-x86_64-unknown-linux-gnu
 save-if: ${{ github.ref == 'refs/heads/main' }}
@@ -234,7 +234,7 @@ jobs:
 tool: cargo-nextest
 - name: Restore build cache
- uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
+ uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
 with:
 shared-key: ubuntu-latest-x86_64-unknown-linux-gnu
 save-if: false # Don't save, only restore from build job
@@ -246,7 +246,7 @@ jobs:
 run: cargo test --workspace --doc
 - name: Publish test results
- uses: EnricoMi/publish-unit-test-result-action@27d65e188ec43221b20d26de30f4892fad91df2f # v2.22.0
+ uses: step-security/publish-unit-test-result-action@914f0f642c242f38335a491805adfc9bd64b1cbb # v2.21.1
 if: always()
 with:
 files: target/nextest/ci/junit.xml
@@ -281,7 +281,7 @@ jobs:
 - name: Check if inferadb-engine-core was modified
 id: check-core
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+ uses: step-security/paths-filter@6eee183b0d2fd101d3f8ee2935c127bca14c5625 # v3.0.5
 with:
 filters: |
 core:
@@ -322,7 +322,7 @@ jobs:
 - name: Restore build cache
 if: steps.check-core.outputs.core == 'true'
- uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
+ uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
 with:
 shared-key: ubuntu-latest-x86_64-unknown-linux-gnu
 save-if: false
@@ -352,7 +352,7 @@ jobs:
 - name: Check if inferadb-engine-wasm was modified
 id: check-wasm
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+ uses: step-security/paths-filter@6eee183b0d2fd101d3f8ee2935c127bca14c5625 # v3.0.5
 with:
 filters: |
 wasm:
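Review bot: The new pin for the "Publish test results" step is labelled `# v2.21.1`, while the line it replaces was labelled `# v2.22.0`, so this swap appears to move the step back a release rather than forward. If the labels are accurate, whatever upstream fixed in v2.22.0 is lost; I would keep `uses: EnricoMi/publish-unit-test-result-action@27d65e188ec43221b20d26de30f4892fad91df2f # v2.22.0` until the fork publishes an equal or newer tag. The step runs under `if: always()` on `target/nextest/ci/junit.xml`, and the job's `permissions:` block is outside the hunk, so the token scope the replacement action receives cannot be checked from here.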
@@ -393,7 +393,7 @@ jobs:
 - name: Restore build cache
 if: steps.check-wasm.outputs.wasm == 'true'
- uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
+ uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
 with:
 shared-key: ubuntu-latest-x86_64-unknown-linux-gnu
 save-if: false # Don't save, only restore from build job
@@ -459,7 +459,7 @@ jobs:
 tool: cargo-llvm-cov
 - name: Restore registry cache
- uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
+ uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
 with:
 shared-key: ubuntu-latest-x86_64-unknown-linux-gnu # Only restore registry cache - llvm-cov uses its own target directory
@@ -498,7 +498,7 @@ jobs:
 toolchain: stable
 - name: Cache Rust dependencies
- uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
+ uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
 - name: Check outdated dependencies
 run: |
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index c30d4fb3..317d5c3c 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -40,7 +40,7 @@ jobs:
 - name: Check for changes
 id: filter
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+ uses: step-security/paths-filter@6eee183b0d2fd101d3f8ee2935c127bca14c5625 # v3.0.5
 with:
 filters: |
 rust:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b2e29467..75b8db55 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -95,7 +95,7 @@ jobs:
 mold --version
 - name: Cache Rust dependencies
- uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
+ uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
 with:
 shared-key: docs-4-core
@@ -214,7 +214,7 @@ jobs:
 fi
 - name: Cache Rust dependencies
- uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
+ uses: step-security/rust-cache@f8fba7098297c8c53a7c9a30575ec2ad4ad85056 # v2.8.2
 with:
 shared-key: release-${{ matrix.os }}-${{ matrix.target }}
@@ -292,18 +292,18 @@ jobs:
 submodules: true
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+ uses: step-security/setup-buildx-action@8c8aef2d414c0b66518fee2b7084e0986f82d7ac # v3.11.1
 # Login to Docker Hub
 - name: Login to Docker Hub
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ uses: step-security/docker-login-action@c3e677aae8393bc9c81cfdf9709648720ea4bd4d # v3.6.0
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
 # Login to GitHub Container Registry
 - name: Login to GitHub Container Registry
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ uses: step-security/docker-login-action@c3e677aae8393bc9c81cfdf9709648720ea4bd4d # v3.6.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -323,7 +323,7 @@ jobs:
 type=raw,value=latest
 - name: Build and push
- uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0
 with:
 context: .
 platforms: linux/amd64,linux/arm64
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 81d621b6..911e56d2 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -29,7 +29,7 @@ jobs:
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Check for dependency changes
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+ uses: step-security/paths-filter@6eee183b0d2fd101d3f8ee2935c127bca14c5625 # v3.0.5
 id: filter
 with:
 filters: |
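Review bot: Both login steps in the `@@ -292,18` hunk now pass registry credentials (`secrets.DOCKER_USERNAME`, `secrets.DOCKER_PASSWORD`, and presumably a token for ghcr.io, which the hunk cuts off) to `step-security/docker-login-action`, a different publisher from the `docker/login-action` they replace, so the release job's push credentials now depend on that fork's code at the pinned commit. The version label stays `# v3.6.0` on both sides, which hides the change of owner from anyone skimming the comment; I would verify that `c3e677aae8393bc9c81cfdf9709648720ea4bd4d` is that repository's v3.6.0 tag, diff it against upstream, and annotate the line, e.g. `# step-security fork of docker/login-action v3.6.0`. The same applies to `step-security/setup-buildx-action` in this hunk and to `step-security/docker-build-push-action` in the next one, which runs after login with the registry session available. The job's `permissions:` block is outside the hunk, so confirm separately that it grants no more than the push needs.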