chore: Update actions

larseggert · larseggert · commit e649fb5d9f53 · 2026-04-14T11:30:16.000+03:00
And add a Claude action
diff --git a/.github/actions/check-android/action.yml b/.github/actions/check-android/action.yml
@@ -32,7 +32,7 @@ runs:
         distribution: zulu
         java-version: 23
 
-    - uses: android-actions/setup-android@9fc6c4e9069bf8d3d10b2204b1fb8f6ef7065407 # v3.2.2
+    - uses: android-actions/setup-android@40fd30fb8d7440372e1316f5d1809ec01dcd3699 # v4.0.1
       with:
         accept-android-sdk-licenses: true
         log-accepted-android-sdk-licenses: false
@@ -43,14 +43,14 @@ runs:
         WD: ${{ inputs.working-directory }}
       run: cd "$WD" && sdkmanager --install "ndk;$NDK_VERSION"
 
-    - uses: mozilla/actions/rust@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4
+    - uses: mozilla/actions/rust@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
       with:
         version: stable
         targets: ${{ inputs.target }}
         tools: cargo-ndk@^4
         token: ${{ inputs.github-token }}
 
-    - uses: mozilla/actions/nss@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4
+    - uses: mozilla/actions/nss@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
       if: ${{ inputs.minimum-nss-version != '' }}
       with:
         minimum-version: ${{ inputs.minimum-nss-version }}
diff --git a/.github/actions/check-vm/action.yml b/.github/actions/check-vm/action.yml
@@ -103,7 +103,7 @@ runs:
         echo "envs=CARGO_TERM_COLOR RUST_BACKTRACE RUST_LOG RUST_TEST_TIME_UNIT RUST_TEST_TIME_INTEGRATION RUST_TEST_TIME_DOCTEST WD" >> "$GITHUB_OUTPUT"
 
     - if: ${{ inputs.platform == 'freebsd' }}
-      uses: vmactions/freebsd-vm@4807432c7cab1c3f97688665332c0b932062d31f # v1.4.3
+      uses: vmactions/freebsd-vm@7ca82f79fe3078fecded6d3a2bff094995447bbd # v1.4.4
       with:
         usesh: true
         disable-cache: true
@@ -112,7 +112,7 @@ runs:
         run: ${{ steps.prep.outputs.run }}
 
     - if: ${{ inputs.platform == 'openbsd' }}
-      uses: vmactions/openbsd-vm@3fafb45f2e2e696249c583835939323fe1c3448c # v1.3.7
+      uses: vmactions/openbsd-vm@9004791062e748d95cc87e499e77485f91888ce1 # v1.3.8
       with:
         usesh: true
         disable-cache: true
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
@@ -13,7 +13,7 @@ permissions:
 
 jobs:
   actionlint:
-    uses: mozilla/actions/.github/workflows/actionlint.yml@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4
+    uses: mozilla/actions/.github/workflows/actionlint.yml@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
     permissions:
       contents: read
       security-events: write # Required for zizmor to upload SARIF results.
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -36,7 +36,7 @@ jobs:
           persist-credentials: false
 
       - id: toolchains
-        uses: mozilla/actions/toolchains@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4
+        uses: mozilla/actions/toolchains@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
 
   check:
     name: Run checks
@@ -79,14 +79,14 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: mozilla/actions/rust@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4
+      - uses: mozilla/actions/rust@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
           version: ${{ matrix.rust-toolchain }}
           components: ${{ matrix.rust-toolchain == 'stable' && 'llvm-tools' || '' }} ${{ matrix.rust-toolchain == 'nightly' && startsWith(matrix.os, 'ubuntu') && !endsWith(matrix.os, 'arm') && 'rust-src ' || '' }}
           tools: ${{ matrix.rust-toolchain == 'stable' && 'cargo-llvm-cov' || '' }} ${{ matrix.rust-toolchain == 'nightly' && startsWith(matrix.os, 'ubuntu') && !endsWith(matrix.os, 'arm') && 'cargo-careful ' || '' }}
           token: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: mozilla/actions/nss@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4
+      - uses: mozilla/actions/nss@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
           version-file: min_version.txt
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -139,7 +139,7 @@ jobs:
 
       - name: Save simulation seeds artifact
         if: ${{ always() }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: simulation-seeds-${{ matrix.os }}-${{ matrix.rust-toolchain }}-${{ matrix.type }}
           path: simulation-seeds
@@ -152,7 +152,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: mozilla/actions/rust@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4
+      - uses: mozilla/actions/rust@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
           version: stable
           tools: cargo-hack
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -0,0 +1,25 @@
+name: Claude Code Review
+on:
+  # Use pull_request_target to allow secrets access for fork PRs.
+  # The reusable workflow only runs for trusted contributors (OWNER/MEMBER/COLLABORATOR).
+  pull_request_target: # zizmor: ignore[dangerous-triggers] See rationale above.
+    branches: ["main"]
+    types: [opened, synchronize, ready_for_review, reopened]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  claude-review:
+    uses: mozilla/actions/.github/workflows/claude-review.yml@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
+    permissions:
+      contents: read
+      pull-requests: write # Required to post review comments.
+      issues: read # Required to read issue context via MCP tools.
+      actions: read # Required to read workflow run context via MCP tools.
+    secrets:
+      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
diff --git a/.github/workflows/clippy.yml b/.github/workflows/clippy.yml
@@ -23,7 +23,7 @@ jobs:
           persist-credentials: false
 
       - id: toolchains
-        uses: mozilla/actions/toolchains@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4
+        uses: mozilla/actions/toolchains@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
 
   clippy:
     name: cargo clippy
@@ -43,14 +43,14 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: mozilla/actions/rust@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4
+      - uses: mozilla/actions/rust@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
           version: ${{ matrix.rust-toolchain }}
           components: clippy
           tools: cargo-hack
           token: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: mozilla/actions/nss@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4
+      - uses: mozilla/actions/nss@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
           version-file: min_version.txt
           token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml
@@ -13,4 +13,4 @@ permissions:
 
 jobs:
   deny:
-    uses: mozilla/actions/.github/workflows/deny.yml@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4
+    uses: mozilla/actions/.github/workflows/deny.yml@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -20,4 +20,4 @@ permissions:
 
 jobs:
   dependency-review:
-    uses: mozilla/actions/.github/workflows/dependency-review.yml@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4
+    uses: mozilla/actions/.github/workflows/dependency-review.yml@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
diff --git a/.github/workflows/machete.yml b/.github/workflows/machete.yml
@@ -13,4 +13,4 @@ permissions:
 
 jobs:
   machete:
-    uses: mozilla/actions/.github/workflows/machete.yml@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4
+    uses: mozilla/actions/.github/workflows/machete.yml@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
diff --git a/.github/workflows/mutants.yml b/.github/workflows/mutants.yml
@@ -29,12 +29,12 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: mozilla/actions/nss@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4
+      - uses: mozilla/actions/nss@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
           version-file: min_version.txt
           token: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: mozilla/actions/rust@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4
+      - uses: mozilla/actions/rust@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
           version: nightly
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -64,12 +64,12 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: mozilla/actions/nss@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4
+      - uses: mozilla/actions/nss@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
           version-file: neqo-crypto/min_version.txt
           token: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: mozilla/actions/rust@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4
+      - uses: mozilla/actions/rust@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
           version: nightly
           tools: cargo-mutants
@@ -89,7 +89,7 @@ jobs:
           # This seems to be a GitHub-internal protection feature that we can't control:
           # https://github.com/actions/runner-images/issues/6680
 
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: mutants.out-${{ matrix.shard }}
@@ -120,7 +120,7 @@ jobs:
             rm -f mutants.out/shard-*/"$category.txt"
           done
 
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         id: upload
         with:
           name: mutants.out
diff --git a/.github/workflows/rustfmt.yml b/.github/workflows/rustfmt.yml
@@ -13,4 +13,4 @@ permissions:
 
 jobs:
   format:
-    uses: mozilla/actions/.github/workflows/rustfmt.yml@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4
+    uses: mozilla/actions/.github/workflows/rustfmt.yml@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
diff --git a/.github/workflows/sanitize.yml b/.github/workflows/sanitize.yml
@@ -38,14 +38,14 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: mozilla/actions/rust@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4
+      - uses: mozilla/actions/rust@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
           version: nightly
           components: rust-src
           tools: cargo-hack
           token: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: mozilla/actions/nss@b6b1031d2072eb8c2b181887cb5e194ebcc5caab # v1.0.4
+      - uses: mozilla/actions/nss@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
           version-file: min_version.txt
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -81,7 +81,7 @@ jobs:
 
       - name: Save simulation seeds artifact
         if: ${{ env.DUMP_SIMULATION_SEEDS }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: simulation-seeds-${{ matrix.os }}-sanitizer-${{ matrix.sanitizer }}
           path: ${{ env.DUMP_SIMULATION_SEEDS }}
