
Pin GitHub Actions to commit SHAs#593

Merged
indirect merged 3 commits into spinel-coop:main from shaanmajid:ci/pin-action-shas
Mar 8, 2026

Conversation

@shaanmajid (Contributor) commented Mar 8, 2026

Summary

Follow-up from #578; pins GitHub Actions to full commit SHAs with version comments.

Unpinned refs are vulnerable to being moved or force-pushed to commits with malicious changes if the target action repo is compromised. For example, the tj-actions/changed-files supply chain attack (GHSA-mrrh-fwg8-r2c3) involved an attacker moving version tags to point at a malicious commit, leaking CI secrets from thousands of repos. Repos that had pinned to a commit SHA were unaffected.

Changes

  • Removed unpinned-uses rule suppression in .github/zizmor.yml
  • Pinned all action references in test.yml and zizmor.yml to commit SHAs with full semver comments
  • Updated dist-workspace.toml with SHA-pinned action refs (with semver comments) and regenerated release.yml via dist generate
    • Note: release.yml itself lacks semver comments since cargo-dist doesn't propagate them, but dist-workspace.toml has them (for human reference)
  • Switched taiki-e/install-action@nextest to taiki-e/install-action@<sha> # v2.68.22 with explicit tool: cargo-nextest
    • The @nextest convenience tag is a non-semver ref that can't be SHA-pinned in a Dependabot-compatible way, so we expand it to the equivalent semver-tagged version with an explicit tool input
  • Left dtolnay/rust-toolchain@stable unpinned with a zizmor: ignore[unpinned-uses] inline suppression
    • This action has no semver tags (only branches like stable, nightly, 1.100.0), so Dependabot behavior is unreliable.
    • Perhaps a follow-up could replace this with rust-toolchain.toml + rustup show (the pattern used by uv, ruff, etc.), eliminating the third-party dependency entirely.

Maintenance

  • Dependabot will update SHA-pinned actions and their semver comments in tandem
  • zizmor's ref-version-mismatch audit (enabled by default) verifies that version comments actually match the pinned SHA, so any potential comment drift will be caught in CI
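The checks the description leans on, as an added example that is not code from this PR, from zizmor or from Dependabot: a small Python linter over workflow `uses:` lines that flags unpinned refs, honours the `zizmor: ignore[unpinned-uses]` inline suppression, requires a `# vX.Y.Z` comment on SHA pins, and compares that comment against a tag-to-SHA table the way zizmor's ref-version-mismatch audit compares it against the upstream repository. The workflow text, the SHAs and the tag table are constructed for illustration; the function names and the `missing-version-comment` rule name are hypothetical.

```python
"""Lint GitHub Actions `uses:` refs for SHA pinning (added example, not project code).

Rules reported (first two names mirror zizmor's audits; the third is hypothetical):
  unpinned-uses           ref is a tag or branch (or absent), not a 40-hex commit SHA
  missing-version-comment SHA pin without a `# vX.Y.Z` comment to track the release
  ref-version-mismatch    the comment names a version whose tag does not resolve to
                          the pinned SHA (checked against a constructed table here)
"""
import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$")              # full commit SHA only; no short SHAs
SEMVER_RE = re.compile(r"^v?\d+\.\d+\.\d+$")         # `# v2.68.22`-style version comment
TAG_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")          # v6 / v6.0 / v6.0.0: movable tags
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<target>\S+)(?:\s+#\s*(?P<comment>.*?))?\s*$")
SUPPRESS = "zizmor: ignore[unpinned-uses]"           # inline suppression used in the PR


@dataclass
class Finding:
    line: int
    rule: str
    target: str
    detail: str


def split_target(target):
    """`owner/repo[/path]@ref` -> (owner/repo, ref); ref is None when omitted."""
    if "@" in target:
        name, ref = target.rsplit("@", 1)
    else:
        name, ref = target, None
    return "/".join(name.split("/")[:2]), ref


def audit_workflow(text, known_tags):
    """Return findings for every remote `uses:` line in a workflow file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        comment = (m.group("comment") or "").strip()
        if target.startswith(("./", "docker://")):
            continue  # local and container actions are not remote git refs
        repo, ref = split_target(target)
        if ref is None or not SHA_RE.match(ref):
            if SUPPRESS in comment:
                continue  # explicitly accepted, as for dtolnay/rust-toolchain@stable
            if ref is None:
                kind = "no ref: resolves to the default branch"
            elif TAG_RE.match(ref):
                kind = "version tag: can be moved or force-pushed upstream"
            else:
                kind = "branch or non-semver tag: can be moved upstream"
            findings.append(Finding(lineno, "unpinned-uses", target, kind))
            continue
        # SHA-pinned: the comment is what lets reviewers (and Dependabot) see the release.
        version = comment.split()[0] if comment else ""
        if not SEMVER_RE.match(version):
            findings.append(Finding(lineno, "missing-version-comment", target,
                                    "SHA pin has no `# vX.Y.Z` comment"))
            continue
        expected = known_tags.get((repo, version.lstrip("v")))
        if expected is not None and expected != ref:
            findings.append(Finding(lineno, "ref-version-mismatch", target,
                                    f"comment says {version} but that tag is {expected[:12]}"))
    return findings


# Constructed sample input: SHAs and the tag->SHA table are made up for this example.
GOOD_SHA = "4f1c2b9e3d8a7c6b5a4f3e2d1c0b9a8f7e6d5c4b"
DRIFTED_SHA = "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d"
NEXTEST_SHA = "0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d"
KNOWN_TAGS = {
    ("actions/checkout", "6.0.0"): GOOD_SHA,
    ("taiki-e/install-action", "2.68.22"): NEXTEST_SHA,
}
SAMPLE_WORKFLOW = f"""\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/checkout@{GOOD_SHA} # v6.0.0
      - uses: actions/cache@{DRIFTED_SHA}
      - uses: taiki-e/install-action@nextest
      - uses: taiki-e/install-action@{DRIFTED_SHA} # v2.68.22
        with:
          tool: cargo-nextest
      - uses: dtolnay/rust-toolchain@stable # zizmor: ignore[unpinned-uses]
      - uses: ./.github/actions/local-setup
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW, KNOWN_TAGS):
        print(f"line {f.line}: {f.rule}: {f.target}: {f.detail}")
```

Run against the constructed workflow, the linter flags `actions/checkout@v6` and `@nextest` as unpinned, the comment-less `actions/cache` pin as missing its version comment, and the `taiki-e/install-action` pin whose `# v2.68.22` comment does not match the table as a mismatch, while the suppressed `@stable` line and the local action pass. The mismatch check is only as good as the table behind it; zizmor resolves tags against the upstream repository at audit time, which is why the PR relies on it in CI rather than on comments alone.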

@indirect (Member) commented Mar 8, 2026

Thanks!

@indirect indirect added this pull request to the merge queue Mar 8, 2026
@indirect (Member) commented Mar 8, 2026

For the record, I have also been investigating removing the rust-toolchain action, since I would prefer to not install Rust twice, once from the action and then once again based on our rust-toolchain.toml file. So I would welcome a PR to make that change as well!

Merged via the queue into spinel-coop:main with commit 4d414b7 Mar 8, 2026
27 checks passed
@shaanmajid shaanmajid deleted the ci/pin-action-shas branch March 8, 2026 22:47
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
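Review bot: the pinned `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd` line carries no `# vX.Y.Z` version comment, unlike the pins in test.yml, so a reader cannot tell which release the SHA corresponds to without resolving it, and a version-comment check has nothing to compare against. Since release.yml is regenerated by `dist generate`, a comment added by hand here would be discarded on the next regeneration; keeping the version alongside the SHA in dist-workspace.toml, as the PR description states, is the right place until cargo-dist propagates comments.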
Contributor (review comment):
Any reason for not adding the version as a comment like in test.yml?

@shaanmajid (Contributor, Author):
'release.yml' is autogenerated, but the comments are included in 'dist-workspace.yml'

Contributor (review comment):
Aaaah right, that makes sense! Not sure if possible/desirable but we could potentially request whatever library generates release.yml to keep version comments if they exist in dist-workspace.yml.

@shaanmajid (Contributor, Author) Mar 9, 2026:
Yeah, I was thinking about leaving a feature request for cargo-dist. Will do shortly :)
