diff --git a/.github/workflows/action-on-PR-labeled.yml b/.github/workflows/action-on-PR-labeled.yml index 4cd49bf3d40de..4026e6aa15bfc 100644 --- a/.github/workflows/action-on-PR-labeled.yml +++ b/.github/workflows/action-on-PR-labeled.yml @@ -7,19 +7,21 @@ on: pull_request_target: types: - labeled - -permissions: - pull-requests: 'write' + branches: + - "main" jobs: comment-on-migration-guide-label: + permissions: + pull-requests: "write" runs-on: ubuntu-latest if: github.event.label.name == 'M-Migration-Guide' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 2 + persist-credentials: false - name: Get changes id: get_changes shell: bash {0} @@ -30,7 +32,7 @@ jobs: env: BASE_SHA: ${{ github.event.pull_request.base.sha }} HEAD_SHA: ${{ github.event.pull_request.head.sha }} - - uses: actions/github-script@v8 + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 if: steps.get_changes.outputs.found_changes == '0' with: script: | @@ -43,13 +45,16 @@ jobs: Please review the [instructions for writing migration guides](https://github.com/bevyengine/bevy/tree/main/release-content/migration_guides.md), then expand or revise the content in the [migration guides directory](https://github.com/bevyengine/bevy/tree/main/release-content/migration-guides) to reflect your changes.` }) comment-on-release-note-label: + permissions: + pull-requests: "write" runs-on: ubuntu-latest if: github.event.label.name == 'M-Release-Note' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 2 + persist-credentials: false - name: Get changes id: get_changes shell: bash {0} 
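Review bot: The job-level `permissions: pull-requests: "write"` added to both jobs in this file sets every unlisted scope, including `contents`, to none for that job, and each job then runs `actions/checkout` with `ref: ${{ github.event.pull_request.head.sha }}`; on a private repository that checkout would fail, and even on a public one the intent is clearer if the block also lists `contents: read`. The same narrowing happens to `comment-on-pr` in example-run-report.yml, which likewise checks out right after its new block. Removing the workflow-level `permissions:` block also means any job added later without its own block inherits the repository default token, so a top-level `permissions: {}` (or `contents: read`, as example-run-report.yml keeps) would make the least-privilege baseline explicit; ci-comment-failures.yml has the same gap. Since this trigger is `pull_request_target`, a comment above the checkout such as `# PR head is checked out for git diff only; no step may build or execute PR content` would record the invariant the hardening depends on.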
@@ -60,7 +65,7 @@ jobs: env: BASE_SHA: ${{ github.event.pull_request.base.sha }} HEAD_SHA: ${{ github.event.pull_request.head.sha }} - - uses: actions/github-script@v8 + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 if: steps.get_changes.outputs.found_changes == '0' with: script: | diff --git a/.github/workflows/ci-comment-failures.yml b/.github/workflows/ci-comment-failures.yml index 9abb1a8a593c8..a6f61d9e8c816 100644 --- a/.github/workflows/ci-comment-failures.yml +++ b/.github/workflows/ci-comment-failures.yml @@ -1,11 +1,7 @@ name: CI - PR Comments - # This workflow has write permissions on the repo - # It must not checkout a PR and run untrusted code - -# Also requesting write permissions on PR to be able to comment -permissions: - pull-requests: 'write' +# This workflow has write permissions on the repo +# It must not checkout a PR and run untrusted code on: workflow_run: @@ -14,16 +10,17 @@ on: - completed jobs: - missing-examples: + permissions: + pull-requests: "write" runs-on: ubuntu-latest if: > github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'failure' steps: - - name: 'Download artifact' + - name: "Download artifact" id: find-artifact - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: result-encoding: string script: | @@ -63,7 +60,7 @@ jobs: fi - name: "Comment on PR" if: ${{ steps.find-artifact.outputs.result == 'true' && steps.check-last-comment.outputs.result == 'false' }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | 
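Review bot: The retained header comment (`# This workflow has write permissions on the repo` / `# It must not checkout a PR and run untrusted code`) now sits above an `on:` block with no `permissions:` at all, while the actual grants moved into `missing-examples`, `missing-features` and `msrv`, so a reader of any one job no longer sees the warning next to the grant. Consider repeating a one-line `# write permission is only for commenting; never check out or run PR code in this job` above each job's `permissions:` block so the constraint travels with the scope it guards.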
@@ -87,14 +84,16 @@ jobs: } missing-features: + permissions: + pull-requests: "write" runs-on: ubuntu-latest if: > github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'failure' steps: - - name: 'Download artifact' + - name: "Download artifact" id: find-artifact - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: result-encoding: string script: | @@ -134,7 +133,7 @@ jobs: fi - name: "Comment on PR" if: ${{ steps.find-artifact.outputs.result == 'true' && steps.check-last-comment.outputs.result == 'false' }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | @@ -158,14 +157,16 @@ jobs: } msrv: + permissions: + pull-requests: "write" runs-on: ubuntu-latest if: > github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'failure' steps: - - name: 'Download artifact' + - name: "Download artifact" id: find-artifact - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: result-encoding: string script: | @@ -205,7 +206,7 @@ jobs: fi - name: "Comment on PR" if: ${{ steps.find-artifact.outputs.result == 'true' && steps.check-last-comment.outputs.result == 'false' }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 382fee3372a70..d7f3bc4fc5a36 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -32,8 +32,10 @@ jobs: runs-on: ${{ matrix.os }} timeout-minutes: 30 steps: - - uses: actions/checkout@v6 - - uses: actions/cache/restore@v5 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: # key won't match, will rely on restore-keys key: ${{ runner.os }}-stable--${{ hashFiles('**/Cargo.toml') }}- @@ -47,7 +49,9 @@ jobs: ~/.cargo/registry/cache/ ~/.cargo/git/db/ target/ - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 + with: + toolchain: stable - name: Install Linux dependencies uses: ./.github/actions/install-linux-deps - name: Build & run tests @@ -60,8 +64,10 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@v6 - - uses: actions/cache/restore@v5 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: # key won't match, will rely on restore-keys key: ${{ runner.os }}-stable--${{ hashFiles('**/Cargo.toml') }}- @@ -75,8 +81,9 @@ jobs: ~/.cargo/registry/cache/ ~/.cargo/git/db/ target/ - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 with: + toolchain: stable components: rustfmt, clippy - name: Install Linux dependencies uses: ./.github/actions/install-linux-deps 
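Review bot: Every `dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561` pin in this file lacks the `# <version>` trailer that every other SHA pin in the commit carries (`# v6.0.1`, `# v5.0.1`), so neither a reviewer nor an update bot can tell which ref the SHA was taken from. Since that action was previously tracked by branch (`@stable`, `@master`) rather than a semver tag, a trailer naming the branch the SHA came from (e.g. `# master`) would keep the convention uniform; the same omission appears in dependencies.yml, docs.yml, example-run.yml, update-caches.yml and validation-jobs.yml. SHA pins only stay current if something refreshes them, so if the repository's Dependabot or Renovate configuration does not yet cover the `github-actions` ecosystem, that should land alongside this change.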
@@ -92,8 +99,10 @@ jobs: runs-on: macos-latest timeout-minutes: 60 steps: - - uses: actions/checkout@v6 - - uses: actions/cache/restore@v5 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: # key won't match, will rely on restore-keys key: ${{ runner.os }}-${{ env.NIGHTLY_TOOLCHAIN }}--${{ hashFiles('**/Cargo.toml') }}- @@ -107,7 +116,7 @@ jobs: ~/.cargo/registry/cache/ ~/.cargo/git/db/ target/ - - uses: dtolnay/rust-toolchain@master + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 with: toolchain: ${{ env.NIGHTLY_TOOLCHAIN }} components: miri @@ -128,8 +137,10 @@ jobs: timeout-minutes: 30 needs: ci steps: - - uses: actions/checkout@v6 - - uses: actions/cache/restore@v5 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: # key won't match, will rely on restore-keys key: ${{ runner.os }}-stable--${{ hashFiles('**/Cargo.toml') }}- @@ -143,7 +154,7 @@ jobs: ~/.cargo/registry/cache/ ~/.cargo/git/db/ target/ - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 with: toolchain: stable - name: Install Linux dependencies @@ -157,8 +168,10 @@ jobs: timeout-minutes: 30 needs: ci steps: - - uses: actions/checkout@v6 - - uses: actions/cache/restore@v5 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: # key won't match, will rely on restore-keys key: ${{ runner.os }}-stable-x86_64-unknown-none-${{ hashFiles('**/Cargo.toml') }}- 
@@ -172,8 +185,9 @@ jobs: ~/.cargo/registry/cache/ ~/.cargo/git/db/ target/ - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 with: + toolchain: stable targets: x86_64-unknown-none - name: Install Linux dependencies uses: ./.github/actions/install-linux-deps @@ -185,8 +199,10 @@ jobs: timeout-minutes: 30 needs: ci steps: - - uses: actions/checkout@v6 - - uses: actions/cache/restore@v5 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: # key won't match, will rely on restore-keys key: ${{ runner.os }}-stable-thumbv6m-none-eabi-${{ hashFiles('**/Cargo.toml') }}- @@ -200,8 +216,9 @@ jobs: ~/.cargo/registry/cache/ ~/.cargo/git/db/ target/ - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 with: + toolchain: stable targets: thumbv6m-none-eabi - name: Install Linux dependencies uses: ./.github/actions/install-linux-deps @@ -213,8 +230,10 @@ jobs: timeout-minutes: 30 needs: ci steps: - - uses: actions/checkout@v6 - - uses: actions/cache/restore@v5 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: # key won't match, will rely on restore-keys key: ${{ runner.os }}-stable-x86_64-unknown-none-${{ hashFiles('**/Cargo.toml') }}- @@ -228,8 +247,9 @@ jobs: ~/.cargo/registry/cache/ ~/.cargo/git/db/ target/ - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 with: + toolchain: stable targets: x86_64-unknown-none - name: Install Linux dependencies uses: ./.github/actions/install-linux-deps 
@@ -241,8 +261,10 @@ jobs: timeout-minutes: 30 needs: build steps: - - uses: actions/checkout@v6 - - uses: actions/cache/restore@v5 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: # key won't match, will rely on restore-keys key: ${{ runner.os }}-stable-wasm32-unknown-unknown-${{ hashFiles('**/Cargo.toml') }}- @@ -256,8 +278,9 @@ jobs: ~/.cargo/registry/cache/ ~/.cargo/git/db/ target/ - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 with: + toolchain: stable target: wasm32-unknown-unknown - name: Check wasm env: @@ -269,8 +292,10 @@ jobs: timeout-minutes: 30 needs: build steps: - - uses: actions/checkout@v6 - - uses: actions/cache/restore@v5 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: # key won't match, will rely on restore-keys key: ${{ runner.os }}-${{ env.NIGHTLY_TOOLCHAIN }}-wasm32-unknown-unknown-${{ hashFiles('**/Cargo.toml') }}- @@ -284,7 +309,7 @@ jobs: ~/.cargo/registry/cache/ ~/.cargo/git/db/ target/ - - uses: dtolnay/rust-toolchain@master + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 with: toolchain: ${{ env.NIGHTLY_TOOLCHAIN }} targets: wasm32-unknown-unknown 
@@ -300,12 +325,13 @@ jobs: needs: check-missing-features-in-docs if: always() steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 + persist-credentials: false - name: Run Markdown Lint - uses: super-linter/super-linter/slim@v8.3.1 + uses: super-linter/super-linter/slim@47984f49b4e87383eed97890fe2dca6063bbd9c3 # v8.3.1 env: MULTI_STATUS: false VALIDATE_ALL_CODEBASE: false @@ -316,7 +342,9 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Install taplo run: curl -fsSL https://github.com/tamasfe/taplo/releases/download/0.10.0/taplo-linux-x86_64.gz | gzip -d - | install -m 755 /dev/stdin /usr/local/bin/taplo - name: Run Taplo @@ -335,9 +363,11 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Check for typos - uses: crate-ci/typos@v1.40.0 + uses: crate-ci/typos@2d0ce569feab1f8752f1dde43cc2f2aa53236e06 # v1.40.0 - name: Typos info if: failure() run: | @@ -351,8 +381,10 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@v6 - - uses: actions/cache/restore@v5 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: # key won't match, will rely on restore-keys key: ${{ runner.os }}-stable--${{ hashFiles('**/Cargo.toml') }}- 
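Review bot: The `Install taplo` step in the `@@ -316,7 +342,9 @@` hunk still fetches `taplo-linux-x86_64.gz` from a release URL and pipes it straight into `install` with no checksum comparison, which leaves one unverified binary in a commit whose purpose is to pin every third-party input by hash. Comparing the download against a recorded digest before installing (a `sha256sum --check` against the expected value for the 0.10.0 asset) would close that gap; `cargo install cargo-deny` in dependencies.yml and `cargo install cargo-release` in post-release.yml have the same shape, resolving to whatever version is newest at run time, and could take `--version <pinned> --locked`.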
@@ -366,7 +398,9 @@ jobs: ~/.cargo/registry/cache/ ~/.cargo/git/db/ target/ - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 + with: + toolchain: stable - name: Install Linux dependencies uses: ./.github/actions/install-linux-deps with: @@ -390,8 +424,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@v6 - - uses: dtolnay/rust-toolchain@stable + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 + with: + toolchain: stable - name: check for missing metadata id: missing-metadata run: cargo run -p build-templated-pages -- check-missing examples @@ -414,7 +452,7 @@ jobs: - name: log failed task - missing update if: ${{ failure() && github.event_name == 'pull_request' && steps.missing-update.conclusion == 'failure' }} run: touch ./missing-examples/missing-update - - uses: actions/upload-artifact@v6 + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 if: ${{ failure() && github.event_name == 'pull_request' }} with: name: missing-examples @@ -425,8 +463,12 @@ jobs: timeout-minutes: 30 needs: check-missing-examples-in-docs steps: - - uses: actions/checkout@v6 - - uses: dtolnay/rust-toolchain@stable + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 + with: + toolchain: stable - name: check for missing features id: missing-features run: cargo run -p build-templated-pages -- check-missing features 
@@ -449,7 +491,7 @@ jobs: - name: log failed task - missing update if: ${{ failure() && github.event_name == 'pull_request' && steps.missing-update.conclusion == 'failure' }} run: touch ./missing-features/missing-update - - uses: actions/upload-artifact@v6 + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 if: ${{ failure() && github.event_name == 'pull_request' }} with: name: missing-features @@ -460,17 +502,21 @@ jobs: timeout-minutes: 30 needs: build steps: - - uses: actions/checkout@v6 - - uses: dtolnay/rust-toolchain@stable + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 + with: + toolchain: stable - name: get MSRV id: msrv run: | msrv=`cargo metadata --no-deps --format-version 1 | jq --raw-output '.packages[] | select(.name=="bevy") | .rust_version'` echo "msrv=$msrv" >> $GITHUB_OUTPUT - - uses: dtolnay/rust-toolchain@master + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 with: toolchain: ${{ steps.msrv.outputs.msrv }} - - uses: actions/cache/restore@v5 + - uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: # key won't match, will rely on restore-keys key: ${{ runner.os }}-${{ steps.msrv.outputs.msrv }}--${{ hashFiles('**/Cargo.toml') }}- @@ -494,7 +540,7 @@ jobs: run: | mkdir -p ./msrv echo ${{ github.event.number }} > ./msrv/NR - - uses: actions/upload-artifact@v6 + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 if: ${{ failure() && github.event_name == 'pull_request' && steps.check.conclusion == 'failure' }} with: name: msrv 
@@ -504,7 +550,9 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Check for internal Bevy imports shell: bash run: | @@ -526,8 +574,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@v6 - - uses: dtolnay/rust-toolchain@stable + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 + with: + toolchain: stable - name: Check Release Content shell: bash run: | diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index 6e8f5c8b1bd98..0445b4f6b9a36 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -26,8 +26,12 @@ jobs: check-advisories: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: dtolnay/rust-toolchain@stable + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 + with: + toolchain: stable - name: Install cargo-deny run: cargo install cargo-deny - name: Check for security advisories and unmaintained crates @@ -36,8 +40,12 @@ jobs: check-bans: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: dtolnay/rust-toolchain@stable + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 + with: + toolchain: stable - name: Install cargo-deny run: cargo install cargo-deny - name: Check for banned and duplicated dependencies 
@@ -46,8 +54,12 @@ jobs: check-licenses: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: dtolnay/rust-toolchain@stable + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 + with: + toolchain: stable - name: Install cargo-deny run: cargo install cargo-deny - name: Check for unauthorized licenses @@ -56,8 +68,12 @@ jobs: check-sources: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: dtolnay/rust-toolchain@stable + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 + with: + toolchain: stable - name: Install cargo-deny run: cargo install cargo-deny - name: Checked for unauthorized crate sources diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 0b661e9986949..a369060558ef8 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -3,7 +3,7 @@ name: Deploy Docs on: push: branches: - - 'main' + - "main" # Allows running the action manually. workflow_dispatch: @@ -35,9 +35,11 @@ jobs: url: ${{ steps.deployment.outputs.page_url }} steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - - uses: dtolnay/rust-toolchain@master + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 with: toolchain: ${{ env.NIGHTLY_TOOLCHAIN }} 
@@ -86,10 +88,10 @@ jobs: rm target/doc/.lock - name: Upload site artifact - uses: actions/upload-pages-artifact@v4 + uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0 with: path: target/doc - name: Deploy to Github Pages id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 diff --git a/.github/workflows/example-run-report.yml b/.github/workflows/example-run-report.yml index c59404ab7baea..29bf571b8a786 100644 --- a/.github/workflows/example-run-report.yml +++ b/.github/workflows/example-run-report.yml @@ -5,7 +5,6 @@ name: Example Run - PR Comments # Also requesting write permissions on PR to be able to comment permissions: - pull-requests: "write" contents: "read" on: @@ -25,7 +24,7 @@ jobs: steps: - name: "Download artifact" id: find-artifact - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: result-encoding: string script: | @@ -54,7 +53,7 @@ jobs: mkdir screenshots mv screenshots-* screenshots/ - name: save screenshots - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: screenshots-macos path: screenshots @@ -81,12 +80,16 @@ jobs: secrets: inherit comment-on-pr: + permissions: + pull-requests: "write" name: Comment on PR runs-on: ubuntu-latest needs: [make-macos-screenshots-available, compare-macos-screenshots] if: ${{ always() && needs.compare-macos-screenshots.result == 'failure' }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: "Check if PR already has label" id: check-label env: diff --git a/.github/workflows/example-run.yml b/.github/workflows/example-run.yml index abe60dfe4bed7..eb517f395e687 100644 --- a/.github/workflows/example-run.yml +++ b/.github/workflows/example-run.yml 
@@ -23,12 +23,16 @@ jobs: runs-on: macos-14 timeout-minutes: 30 steps: - - uses: actions/checkout@v6 - - uses: dtolnay/rust-toolchain@stable + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 + with: + toolchain: stable - name: Disable audio # Disable audio through a patch. on github m1 runners, audio timeouts after 15 minutes run: git apply --ignore-whitespace tools/example-showcase/disable-audio.patch - - uses: actions/cache/restore@v5 + - uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: # key won't match, will rely on restore-keys key: ${{ runner.os }}-stable--${{ hashFiles('**/Cargo.toml') }}- @@ -58,7 +62,7 @@ jobs: mkdir traces && mv trace*.json traces/ mkdir screenshots && mv screenshots-* screenshots/ - name: save traces - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: example-traces-macos path: traces @@ -67,11 +71,11 @@ jobs: run: | echo ${{ github.event.number }} > ./screenshots/PR - name: save screenshots - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: screenshots-macos path: screenshots - - uses: actions/upload-artifact@v6 + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 if: ${{ failure() && github.event_name == 'pull_request' }} with: name: example-run-macos @@ -94,7 +98,9 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Install Linux dependencies uses: ./.github/actions/install-linux-deps # At some point this may be merged into `install-linux-deps`, but for now it is its own step. 
@@ -102,8 +108,10 @@ jobs: run: | sudo add-apt-repository ppa:kisak/turtle -y sudo apt-get install --no-install-recommends libxkbcommon-x11-0 xvfb libgl1-mesa-dri libxcb-xfixes0-dev mesa-vulkan-drivers - - uses: dtolnay/rust-toolchain@stable - - uses: actions/cache/restore@v5 + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 + with: + toolchain: stable + - uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: # key won't match, will rely on restore-keys key: ${{ runner.os }}-stable--${{ hashFiles('**/Cargo.toml') }}- @@ -133,16 +141,16 @@ jobs: mkdir traces && mv trace*.json traces/ mkdir screenshots && mv screenshots-* screenshots/ - name: save traces - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: example-traces-linux path: traces - name: save screenshots - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: screenshots-linux path: screenshots - - uses: actions/upload-artifact@v6 + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 if: ${{ failure() && github.event_name == 'pull_request' }} with: name: example-run-linux @@ -164,9 +172,13 @@ jobs: runs-on: windows-latest timeout-minutes: 30 steps: - - uses: actions/checkout@v6 - - uses: dtolnay/rust-toolchain@stable - - uses: actions/cache/restore@v5 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 + with: + toolchain: stable + - uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: # key won't match, will rely on restore-keys key: ${{ runner.os }}-stable--${{ hashFiles('**/Cargo.toml') }}- 
@@ -197,16 +209,16 @@ jobs: mkdir traces && mv trace*.json traces/ mkdir screenshots && mv screenshots-* screenshots/ - name: save traces - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: example-traces-windows path: traces - name: save screenshots - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: screenshots-windows path: screenshots - - uses: actions/upload-artifact@v6 + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 if: ${{ failure() && github.event_name == 'pull_request' }} with: name: example-run-windows diff --git a/.github/workflows/post-release.yml b/.github/workflows/post-release.yml index a70d79e39abe5..e96c1c5b613bd 100644 --- a/.github/workflows/post-release.yml +++ b/.github/workflows/post-release.yml @@ -15,7 +15,9 @@ jobs: contents: write pull-requests: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: true - name: Install cargo-release run: cargo install cargo-release @@ -53,7 +55,7 @@ jobs: --exclude no_std_library - name: Create PR - uses: peter-evans/create-pull-request@v8 + uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0 with: delete-branch: true base: "main" diff --git a/.github/workflows/codeql.yml b/.github/workflows/security-static-analysis.yml similarity index 76% rename from .github/workflows/codeql.yml rename to .github/workflows/security-static-analysis.yml index 7da24599cb15d..f2edfd5ffcd99 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/security-static-analysis.yml @@ -1,4 +1,4 @@ -name: "CodeQL" +name: "Security Static Analysis" on: push: 
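Review bot: `persist-credentials: true` on the checkout leaves the job's `contents: write` token in `.git/config` for the rest of the job, and the very next step, `cargo install cargo-release`, compiles an unpinned dependency tree whose build scripts run while that file is readable. Pinning the install (`cargo install cargo-release --version <pinned> --locked`) limits what runs in that window, and if `peter-evans/create-pull-request` authenticates through its own `token` input rather than the persisted git credentials — worth confirming against the action's documentation — the explicit `true` may not be needed at all.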
@@ -7,8 +7,8 @@ on: branches: ["main"] jobs: - analyze: - name: Analyze (${{ matrix.language }}) + codeql-analyze: + name: CodeQL Analyze (${{ matrix.language }}) # Runner size impacts CodeQL analysis time. To learn more, please see: # - https://gh.io/recommended-hardware-resources-for-running-codeql # - https://gh.io/supported-runners-and-hardware-resources @@ -36,11 +36,13 @@ jobs: build-mode: none steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} @@ -68,6 +70,21 @@ jobs: exit 1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 with: category: "/language:${{matrix.language}}" + + zizmor: + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0 diff --git a/.github/workflows/send-screenshots-to-pixeleagle.yml b/.github/workflows/send-screenshots-to-pixeleagle.yml index f3aa43afbf606..f57402a9f1ce9 100644 --- a/.github/workflows/send-screenshots-to-pixeleagle.yml +++ b/.github/workflows/send-screenshots-to-pixeleagle.yml @@ -40,7 +40,7 @@ jobs: - name: Download artifact if: ${{ fromJSON(env.PIXELEAGLE_TOKEN_EXISTS) }} - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: pattern: ${{ inputs.artifact }} 
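Review bot: The new `zizmor` job pins `actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0` while every other checkout in this commit, including the `codeql-analyze` job a few lines above, uses `8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1`; two pins for the same action in one workflow invite drift and should be unified on the v6.0.1 SHA. The job also has no `name:` to match `CodeQL Analyze (...)` under the renamed `Security Static Analysis` workflow, and `Run zizmor 🌈` puts a non-ASCII character into a step name that shows up in check names and logs; `name: zizmor` on the job and `name: Run zizmor` on the step would be cleaner. The `security-events: write` scope is presumably there so results can be uploaded to code scanning — a short comment saying so next to the block would make the grant reviewable.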
diff --git a/.github/workflows/update-caches.yml b/.github/workflows/update-caches.yml index 4ccafc0cf8f28..950ebe60c6c60 100644 --- a/.github/workflows/update-caches.yml +++ b/.github/workflows/update-caches.yml @@ -29,8 +29,12 @@ jobs: NIGHTLY_TOOLCHAIN: ${{ steps.env.outputs.NIGHTLY_TOOLCHAIN }} MSRV: ${{ steps.msrv.outputs.MSRV }} steps: - - uses: actions/checkout@v6 - - uses: dtolnay/rust-toolchain@stable + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 + with: + toolchain: stable - name: get MSRV id: msrv run: | @@ -94,14 +98,15 @@ jobs: shell: bash - name: Checkout Bevy main branch - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: repository: "bevyengine/bevy" ref: "main" + persist-credentials: false - name: Setup Rust id: rust - uses: dtolnay/rust-toolchain@master + uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 with: toolchain: ${{ matrix.toolchain }} target: ${{ matrix.target }} @@ -118,7 +123,7 @@ jobs: x264: true # Fetch the cache using the complete key - to avoid rebuilding the cache if nothing changed - - uses: actions/cache/restore@v5 + - uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 id: cache with: path: | @@ -141,7 +146,7 @@ jobs: - name: Save cache if: steps.cache.outputs.cache-hit != 'true' - uses: actions/cache/save@v5 + uses: actions/cache/save@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: | ~/.cargo/bin/ diff --git a/.github/workflows/validation-jobs.yml b/.github/workflows/validation-jobs.yml index 784907ff0e588..f814342f9ae6d 100644 --- a/.github/workflows/validation-jobs.yml +++ b/.github/workflows/validation-jobs.yml 
@@ -29,11 +29,15 @@ jobs: runs-on: macos-14 timeout-minutes: 30 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 + with: + toolchain: stable - - uses: actions/cache/restore@v5 + - uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: # key won't match, will rely on restore-keys key: ${{ runner.os }}-stable-aarch64-apple-ios-sim-${{ hashFiles('**/Cargo.toml') }}- @@ -59,17 +63,21 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 + with: + toolchain: stable - name: Set up JDK 17 - uses: actions/setup-java@v5 + uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0 with: java-version: "17" distribution: "temurin" - - uses: actions/cache/restore@v5 + - uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: # key won't match, will rely on restore-keys key: ${{ runner.os }}-stable-aarch64-linux-android-${{ hashFiles('**/Cargo.toml') }}- 
@@ -101,13 +109,16 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 60 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 with: target: wasm32-unknown-unknown + toolchain: stable - - uses: actions/cache/restore@v5 + - uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: # key won't match, will rely on restore-keys key: ${{ runner.os }}-stable-wasm32-unknown-unknown-${{ hashFiles('**/Cargo.toml') }}- @@ -147,7 +158,7 @@ jobs: xvfb-run cargo run -p build-wasm-example -- --browsers chromium --browsers firefox --frames 25 --test 2d_shapes lighting text_debug breakout - name: Save screenshots - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: screenshots-wasm path: .github/start-wasm-example/screenshot-*.png @@ -161,8 +172,12 @@ jobs: crate: [bevy_ecs, bevy_reflect, bevy] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: dtolnay/rust-toolchain@stable + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 + with: + toolchain: stable - name: Install Linux dependencies uses: ./.github/actions/install-linux-deps - name: Build 
@@ -189,11 +204,13 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@v6 - - uses: dtolnay/rust-toolchain@master + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 with: toolchain: ${{ env.NIGHTLY_TOOLCHAIN }} - - uses: actions/cache/restore@v5 + - uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: # key won't match, will rely on restore-keys key: ${{ runner.os }}-${{ env.NIGHTLY_TOOLCHAIN }}--${{ hashFiles('**/Cargo.toml') }}- @@ -219,9 +236,13 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@v6 - - uses: dtolnay/rust-toolchain@stable - - uses: actions/cache/restore@v5 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 + with: + toolchain: stable + - uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: # key won't match, will rely on restore-keys key: ${{ runner.os }}-stable--${{ hashFiles('**/Cargo.toml') }}- diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml index 87b0b8193d70e..9f0c80e469e37 100644 --- a/.github/workflows/weekly.yml +++ b/.github/workflows/weekly.yml @@ -42,8 +42,12 @@ jobs: if: github.repository == 'bevyengine/bevy' timeout-minutes: 30 steps: - - uses: actions/checkout@v6 - - uses: dtolnay/rust-toolchain@beta + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 + with: + toolchain: beta - name: Install Linux dependencies uses: ./.github/actions/install-linux-deps - name: Build & run tests 
@@ -58,9 +62,12 @@ jobs: if: github.repository == 'bevyengine/bevy' timeout-minutes: 30 steps: - - uses: actions/checkout@v6 - - uses: dtolnay/rust-toolchain@beta + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 with: + toolchain: beta components: rustfmt, clippy - name: Install Linux dependencies uses: ./.github/actions/install-linux-deps @@ -79,8 +86,12 @@ jobs: timeout-minutes: 30 needs: test steps: - - uses: actions/checkout@v6 - - uses: dtolnay/rust-toolchain@beta + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 + with: + toolchain: beta - name: Install Linux dependencies uses: ./.github/actions/install-linux-deps - name: Check compile test diff --git a/.github/workflows/welcome.yml b/.github/workflows/welcome.yml index cf1f49cf4b51e..4dcdbf67486e1 100644 --- a/.github/workflows/welcome.yml +++ b/.github/workflows/welcome.yml @@ -7,6 +7,8 @@ on: pull_request_target: types: - opened + branches: + - "main" jobs: welcome: @@ -14,7 +16,7 @@ jobs: permissions: pull-requests: write steps: - - uses: actions/github-script@v8 + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | // Get a list of all issues created by the PR opener
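Review bot: The new `branches: - "main"` filter under `pull_request_target` in welcome.yml has no comment stating why it is there, and it is the one line a later cleanup is most likely to drop as redundant. Because `pull_request_target` runs in the base repository's context with the base repository's `GITHUB_TOKEN` (here with `pull-requests: write` in the job's permissions, shown as context in the next hunk), limiting the trigger to PRs whose base branch is `main` narrows where that token can be exercised. Suggest `# pull_request_target runs with base-repo permissions; only handle PRs targeting main` directly above `branches:`. The `on:` block begins before this hunk.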