gha: harden #384

Open: cyphar wants to merge 1 commit into main from gha-hardening

cyphar (Owner) commented Jun 1, 2026

Given the recent slew of supply-chain attacks, it seems far more prudent to avoid using actions that aren't strictly necessary and to apply a few other proactive hardenings.

cyphar changed the title from "gha: harden against" to "gha: harden" Jun 1, 2026
cyphar force-pushed the gha-hardening branch 2 times, most recently from 55b27ae to ed66008, June 1, 2026 07:53
Given the recent slew of supply-chain attacks, it seems far more prudent
to avoid using actions that aren't strictly necessary.

dtolnay/rust-toolchain has a few helpers but ultimately you can just use
stock rustup directly in the modern GHA environment, and installing
stuff with "cargo install" is preferable to magic actions. (The
tag-name-argument actions are most concerning because they are more
annoying to deal with when switching to commit-hash-pinned use lines.)

Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
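
An added example, not part of this pull request or the project's code: a small audit that lists the `uses:` lines in a workflow that are not pinned to a full commit hash, which are the lines the commit message proposes to pin or replace with plain `run:` steps. The sample workflow, `example-org/example-action`, `example-tool` and the function names are constructed for illustration.

```python
import re

# Matches a step- or job-level "uses:" key and captures its value.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not taken from the pull request).
SAMPLE_WORKFLOW = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: ./.github/actions/local-helper
      - run: rustup toolchain install stable --profile minimal
      - run: cargo install --locked example-tool
"""

def classify(ref):
    """Classify one `uses:` value by how its code is pinned."""
    if ref.startswith("./"):
        return "local"      # lives in this repository and is reviewed with it
    if ref.startswith("docker://"):
        return "pinned" if "@sha256:" in ref else "mutable"
    _, sep, rev = ref.partition("@")
    if sep and FULL_SHA_RE.match(rev):
        return "pinned"     # a full commit hash names fixed content
    return "mutable"        # tag or branch name, short hash, or no ref at all

def audit(workflow_text):
    """Return (line_number, ref, status) for every `uses:` line."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            findings.append((lineno, m.group(1), classify(m.group(1))))
    return findings

def mutable_refs(workflow_text):
    """Only the references a maintainer would need to pin or replace."""
    return [(n, r) for n, r, s in audit(workflow_text) if s == "mutable"]

if __name__ == "__main__":
    for lineno, ref, status in audit(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {status:8} {ref}")
```

The `run:` steps in the sample produce no findings because they reference no third-party action; only the two tag-named `uses:` lines are reported as mutable.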