
chore(deps): bump sebastienrousseau/pipelines/.github/workflows/rust-ci.yml from 99a39f7d02e76beb2b935fa07b7cd6a46d8bbc65 to 3df3a03745c05e13331e8f2cf9d46e2ea27b6358 #197

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/sebastienrousseau/pipelines/dot-github/workflows/rust-ci.yml-3df3a03745c05e13331e8f2cf9d46e2ea27b6358


Conversation


@dependabot dependabot Bot commented on behalf of github Jun 2, 2026

Contributor

Bumps sebastienrousseau/pipelines/.github/workflows/rust-ci.yml from 99a39f7d02e76beb2b935fa07b7cd6a46d8bbc65 to 3df3a03745c05e13331e8f2cf9d46e2ea27b6358.

Changelog

Sourced from sebastienrousseau/pipelines/.github/workflows/rust-ci.yml's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog.

[0.0.2] - 2026-04-04

Added

  • Go CI workflow (go-ci.yml): vet, staticcheck, test, coverage, cross-platform
  • Go security audit in security.yml using govulncheck
  • Go release in release.yml with cross-compilation support
  • SLSA Build Level 3 attestations on all release artifacts via actions/attest-build-provenance
  • Sigstore container signing in docker.yml via cosign (keyless OIDC)
  • Trusted Publishing for PyPI (pypa/gh-action-pypi-publish with OIDC)
  • npm provenance via --provenance flag on publish
  • SBOM generation (SPDX) for all release languages, not just Docker
  • OpenSSF Scorecard workflow (scorecard.yml) for self-assessment
  • ARM64 runner support via runner input on all CI and security workflows
  • SECURITY.md — vulnerability reporting and security policy
  • CHANGELOG.md — this file
  • CONTRIBUTING.md — contribution guide
  • examples/ — complete caller workflow examples for all languages

Changed

  • All actions pinned by commit SHA — no more mutable @v4/@v5 tags (supply chain hardening post-CVE-2025-30066)
  • Top-level permissions: {} on every workflow with granular job-level overrides (principle of least privilege)
  • Python CI default package manager changed to uv
  • Node.js default version updated to 22
  • Python default version updated to 3.12
  • taiki-e/install-action uses @v2 with explicit tool: input instead of tool-specific tags

Security

  • All 34 GitHub Actions pinned by full SHA — prevents tag-mutation supply chain attacks
  • Added persist-credentials: false to all checkouts — tokens not stored in git config
  • Added id-token: write permissions for OIDC/Sigstore flows
  • Removed safety from Python audit (deprecated, replaced by pip-audit)

[0.0.1] - 2026-03-29

Added

  • Initial release with Rust, Python, and Node.js CI workflows
  • Docker build and push pipeline
  • Documentation build and deploy pipeline
  • Security scanning (CodeQL, language-specific audits)
  • Release automation for crates.io, PyPI, and npm

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
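The changelog's Security section describes three caller-side hardening items: every action pinned by a full commit SHA rather than a mutable tag, a top-level `permissions: {}` with job-level overrides, and `persist-credentials: false` on every checkout. The lint below is an added example, not code from the pipelines project or from Dependabot: it scans a workflow line by line (no YAML library needed) and reports each item that is missing, run here over a constructed weak caller workflow and its hardened counterpart. The 40-hex SHAs on `actions/checkout` and `actions/setup-node` are placeholders, not real pins; the only real ref is the rust-ci.yml SHA this PR bumps to.

```python
"""Lint a GitHub Actions workflow for the hardening items in the changelog:
full-SHA pins, top-level `permissions: {}`, and `persist-credentials: false`
on every checkout. Line-based on purpose so it runs with the standard library."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches both step-level `- uses:` and job-level `uses:` (reusable workflows)
USES_RE = re.compile(r"^(\s*)(?:-\s+)?uses:\s*(\S+)")

# Constructed weak caller workflow (not the project's own): mutable tags, no permissions block
WEAK_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
  rust:
    uses: sebastienrousseau/pipelines/.github/workflows/rust-ci.yml@main
"""

# Constructed hardened counterpart; the 0123... SHAs are placeholders, not real pins
HARDENED_WORKFLOW = """\
name: ci
on: [push]
permissions: {}
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
        with:
          persist-credentials: false
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
  rust:
    permissions:
      contents: read
    uses: sebastienrousseau/pipelines/.github/workflows/rust-ci.yml@3df3a03745c05e13331e8f2cf9d46e2ea27b6358
"""


def parse_uses(line):
    """Return (indent, action, ref) for a `uses:` line, or None if it is not one."""
    m = USES_RE.match(line)
    if not m:
        return None
    indent = len(m.group(1))
    target = m.group(2).strip("'\"")
    action, _, ref = target.partition("@")
    return indent, action, ref


def lint_workflow(text):
    """Return a list of (line_number, message) findings; an empty list means clean."""
    lines = text.splitlines()
    findings = []
    # Top-level permissions must be the empty map; jobs then grant only what they need
    if not any(re.match(r"^permissions:\s*\{\}\s*$", ln) for ln in lines):
        findings.append((0, "no top-level `permissions: {}`"))
    for i, line in enumerate(lines, start=1):
        parsed = parse_uses(line)
        if parsed is None:
            continue
        indent, action, ref = parsed
        if action.startswith("./"):
            continue  # local actions carry no ref to pin
        if not SHA_RE.match(ref):
            findings.append((i, f"{action} pinned to mutable ref '{ref}', not a full SHA"))
        if action.startswith("actions/checkout"):
            # Collect this step's own block: stops at the next list item or a dedent
            block = []
            for nxt in lines[i:]:
                stripped = nxt.lstrip()
                if stripped.startswith("- ") or (stripped and len(nxt) - len(stripped) <= indent):
                    break
                block.append(stripped)
            if "persist-credentials: false" not in block:
                findings.append((i, "checkout without persist-credentials: false"))
    return findings


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, lint_workflow(wf))
```

Running the module prints five findings for the weak workflow (missing `permissions: {}`, three mutable refs, one checkout keeping its token) and none for the hardened one. The scan is deliberately line-based, so it also catches a reusable workflow referenced at job level by `@main`, which is the mutable form of exactly the pin this PR updates.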

…ci.yml

Bumps [sebastienrousseau/pipelines/.github/workflows/rust-ci.yml](https://github.com/sebastienrousseau/pipelines) from 99a39f7d02e76beb2b935fa07b7cd6a46d8bbc65 to 3df3a03745c05e13331e8f2cf9d46e2ea27b6358.
- [Release notes](https://github.com/sebastienrousseau/pipelines/releases)
- [Changelog](https://github.com/sebastienrousseau/pipelines/blob/main/CHANGELOG.md)
- [Commits](sebastienrousseau/pipelines@99a39f7...3df3a03)

---
updated-dependencies:
- dependency-name: sebastienrousseau/pipelines/.github/workflows/rust-ci.yml
  dependency-version: 3df3a03745c05e13331e8f2cf9d46e2ea27b6358
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot commented on behalf of github Jun 2, 2026

Contributor Author

Labels

The following labels could not be found: github-actions. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 2, 2026