ci: use composite action and pin SHAs

Author: robinhundt

.github/actions/setup/action.yml

@@ -0,0 +1,34 @@
+name: 'CI Setup'
+description: 'Checks out code, installs Rust toolchain, and sets up cache'
+
+inputs:
+  nightly:
+    description: 'Use nightly toolchain'
+    type: boolean
+    default: false
+  components:
+    description: 'Rust components to install'
+    required: false
+    default: ''
+  cache:
+    description: 'Whether to enable rust-cache'
+    type: boolean
+    default: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install toolchain
+      uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561
+      id: toolchain
+      with:
+        toolchain: ${{ inputs.nightly == true && 'nightly-2026-01-20' || 'stable' }}
+        components: ${{ inputs.components }}
+
+    - name: Check version
+      shell: bash
+      run: cargo --version
+
+    - name: Cache
+      if: ${{ inputs.cache == true }}
+      uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # 2.8.2

.github/workflows/bench.yml

@@ -23,24 +23,30 @@ jobs:
     runs-on: "ubicloud-standard-4"
     steps:
       - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
         with:
           submodules: recursive
           ref: ${{ github.event.inputs.ref }}
+          fetch-depth: 0
+          persist-credentials: false
+
       - name: Install nightly
-        uses: dtolnay/rust-toolchain@master
+        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561
         id: toolchain
         with:
           toolchain: stable
-      - name: Override default toolchain
-        run: rustup override set ${{steps.toolchain.outputs.name}}
+
       - run: cargo --version
+
       - name: Install bencher
-        uses: bencherdev/bencher@main
+        uses: bencherdev/bencher@8151077aa7b1bceaac11c4b308265417cae60e2b # 0.5.10
+
       - name: CPU information
         run: lscpu
+
       - name: Cache
-        uses: ubicloud/rust-cache@v2
+        uses: ubicloud/rust-cache@65b3ff06b9bcc69d88c25e212f1ae3d14a0953c3
+
       - name: Run benchmarks
         run: |
           bencher run \

.github/workflows/pull_request.yml

@@ -16,54 +16,58 @@ jobs:
       matrix:
         os: [ "ubuntu-latest", "windows-latest", "macos-latest" ]
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
+      - &checkout
+        name: Check out repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
         with:
           submodules: recursive
-      - name: Install nightly
-        uses: dtolnay/rust-toolchain@master
-        id: toolchain
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Setup
+        uses: ./.github/actions/setup
         with:
-          toolchain: nightly-2025-11-21
-          components: "rustfmt, miri"
-      - name: Override default toolchain
-        run: rustup override set ${{steps.toolchain.outputs.name}}
-      - run: cargo --version
+          nightly: true
+          components: "miri"
+
       - name: Install NASM
         if: ${{ matrix.os == 'windows-latest' }}
         uses: ilammy/setup-nasm@v1
-      - name: Cache
-        uses: Swatinem/rust-cache@v2
+
       - name: Run tests
         run: cargo test --workspace --verbose --all-features --no-fail-fast
+
       - name: Run miri test
         env:
           RUSTFLAGS: "-C target-cpu=native"
           MIRIFLAGS: "-Zmiri-disable-isolation"
         run: cargo miri t -p cryprot-codes -p cryprot-core 
+
   lint:
     name: Lint
     runs-on: "ubuntu-latest"
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-        with:
-          submodules: recursive
-      - name: Install nightly
-        uses: dtolnay/rust-toolchain@master
-        id: toolchain
+      - *checkout
+
+      - name: Setup
+        uses: ./.github/actions/setup
         with:
-          toolchain: nightly-2025-11-21
-          components: "clippy, rustfmt"
-      - name: Override default toolchain
-        run: rustup override set ${{steps.toolchain.outputs.name}}
-      - run: cargo --version
-      - name: Cache
-        uses: Swatinem/rust-cache@v2
+          nightly: true
+          components: "rustfmt"
+
       - name: Check formatting
-        run: cargo fmt --all --check
+        # some fmt options we use are unstable
+        run: cargo +nightly fmt --all --check
+
+      # use stable toolchain for clippy to avoid CI failures due to unfinished lints
+      - name: Install toolchain
+        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561
+        with:
+          toolchain: "stable"
+          components: "clippy"
+
       - name: Check Clippy
-        run: cargo clippy --workspace --all-features --examples --lib -- -D warnings
+        run: cargo +stable clippy --workspace --all-features --examples --lib -- -D warnings
 
 
   docs:
@@ -73,20 +77,13 @@ jobs:
       # deny rustdoc warnings
       RUSTDOCFLAGS: -D warnings
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-        with:
-          submodules: recursive
-      - name: Install nightly
-        uses: dtolnay/rust-toolchain@master
-        id: toolchain
+      - *checkout
+
+      - name: Setup
+        uses: ./.github/actions/setup
         with:
-          toolchain: nightly-2025-11-21
-          components: rust-docs
-      - name: Override default toolchain
-        run: rustup override set ${{steps.toolchain.outputs.name}}
-      - run: cargo --version
-      - name: Cache
-        uses: Swatinem/rust-cache@v2
+          nightly: true
+          components: "rust-docs"
+
       - name: Check docs
         run: cargo doc --workspace --verbose --all-features --no-deps -Zunstable-options -Zrustdoc-scrape-examples

.github/workflows/push.yml

@@ -11,18 +11,16 @@ jobs:
     runs-on: "ubuntu-latest"
     steps:
       - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
         with:
           submodules: recursive
-      - name: Install nightly
-        uses: dtolnay/rust-toolchain@master
-        id: toolchain
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Setup
+        uses: ./.github/actions/setup
         with:
-          toolchain: nightly-2025-11-21
-      - name: Override default toolchain
-        run: rustup override set ${{steps.toolchain.outputs.name}}
-      - run: cargo --version
-      - name: Cache
-        uses: Swatinem/rust-cache@v2
+          nightly: true
+
       - name: Test
         run: cargo test --workspace --verbose --all-features --no-fail-fast

.github/workflows/release-plz.yml

@@ -18,14 +18,15 @@ jobs:
       contents: write
     steps:
       - &checkout
-        name: Checkout repository
-        uses: actions/checkout@v6
+        name: Check out repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
         with:
           fetch-depth: 0
           persist-credentials: false
-      - &install-rust
-        name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
+
+      - name: Setup
+        uses: ./.github/actions/setup
+
       - &get-release-app-token
         # Generating a GitHub token, so that PRs and tags created by
         # the release-plz-action can trigger actions workflows.
@@ -56,7 +57,10 @@ jobs:
       cancel-in-progress: false
     steps:
       - *checkout
-      - *install-rust
+
+      - name: Setup
+        uses: ./.github/actions/setup
+
       - *get-release-app-token
       - name: Run release-plz
         uses: release-plz/action@487eb7b5c085a664d5c5ca05f4159bd9b591182a # 0.5.120

.github/workflows/rustdoc.yml

@@ -17,20 +17,17 @@ jobs:
       RUSTDOCFLAGS: -D warnings
     steps:
       - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
         with:
-          submodules: recursive
-      - name: Install nightly
-        uses: dtolnay/rust-toolchain@master
-        id: toolchain
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Setup
+        uses: ./.github/actions/setup
         with:
-          toolchain: nightly-2025-11-21
-          components: rust-docs
-      - name: Override default toolchain
-        run: rustup override set ${{steps.toolchain.outputs.name}}
-      - run: cargo --version
-      - name: Cache
-        uses: Swatinem/rust-cache@v2
+          nightly: true
+          components: "rust-docs"
+
       - name: Create Docs
         # rustdoc-map allows us to link to doc.rs for dependencies
         run: cargo doc --workspace --verbose --all-features --no-deps -Zunstable-options -Zrustdoc-scrape-examples -Zrustdoc-map
@@ -40,29 +37,24 @@ jobs:
             echo "::warning title=Invalid file permissions automatically fixed::$line"
           done
       - name: Upload Pages artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # 4.0.0
         with:
           path: "target/doc/"
 
-  # Deploy job
   deploy:
-    # Add a dependency to the build job
     needs: build
 
-    # Grant GITHUB_TOKEN the permissions required to make a Pages deployment
     permissions:
-      pages: write      # to deploy to Pages
-      id-token: write   # to verify the deployment originates from an appropriate source
+      pages: write
+      id-token: write
 
-    # Deploy to the github-pages environment
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
 
-    # Specify runner + deployment step
     runs-on: ubuntu-latest
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4 # or specific "vX.X.X" version tag for this action
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # 4.0.5