Update GH actions (#17)

Author: marlonbaeten

.github/dependabot.yml

@@ -8,3 +8,5 @@ updates:
       cargo-dependencies:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7

.github/workflows/build.yml

@@ -10,12 +10,10 @@ on:
       - main
   workflow_dispatch:
 
-permissions:
-  contents: write
-  packages: write
-
 jobs:
   check-version:
+    permissions:
+      contents: read
     if: github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success'
     runs-on: ubuntu-latest
     outputs:
@@ -24,22 +22,26 @@ jobs:
       should_run: ${{ steps.decide.outputs.should_run }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.event.workflow_run.head_sha || github.sha }}
+          persist-credentials: false
 
       - name: Read version
         id: version
+        shell: bash
         run: |
           version=$(awk -F' *= *' '$1 == "version" { gsub(/"/, "", $2); print $2; exit }' Cargo.toml)
           echo "version=$version" >> "$GITHUB_OUTPUT"
 
       - name: Check release existence
         id: release_check
-        uses: actions/github-script@v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
         with:
           script: |
-            const tag = `${{ steps.version.outputs.version }}`;
+            const tag = process.env.VERSION;
             try {
               await github.rest.repos.getReleaseByTag({
                 owner: context.repo.owner,
@@ -57,28 +59,35 @@ jobs:
 
       - name: Decide run
         id: decide
+        shell: bash
+        env:
+          RELEASE_EXISTS: ${{ steps.release_check.outputs.release_exists }}
         run: |
-          if [[ "${{ steps.release_check.outputs.release_exists }}" == "false" ]]; then
+          if [[ "$RELEASE_EXISTS" == "false" ]]; then
             echo "should_run=true" >> "$GITHUB_OUTPUT"
           else
             echo "should_run=false" >> "$GITHUB_OUTPUT"
           fi
 
   build-database:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     needs: check-version
     if: needs.check-version.outputs.should_run == 'true'
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.event.workflow_run.head_sha || github.sha }}
+          persist-credentials: false
 
-      - name: Set up Rust
-        uses: dtolnay/rust-toolchain@stable
+      - name: Setup Rust
+        shell: bash
+        run: rustup update stable && rustup default stable
 
       - name: Cache cargo
-        uses: actions/cache@v4
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: |
             ~/.cargo/registry
@@ -87,33 +96,37 @@ jobs:
           key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
 
       - name: Create data directory
+        shell: bash
         run: mkdir -p data
 
       - name: Restore bag.bin cache
         id: bag_cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: data/bag.bin
           key: bag-bin-${{ needs.check-version.outputs.version }}
 
       - name: Create bag.bin
         if: steps.bag_cache.outputs.cache-hit != 'true'
+        shell: bash
         run: cargo run --release --bin create-db --features "create"
 
       - name: Save bag.bin cache
         if: steps.bag_cache.outputs.cache-hit != 'true'
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: data/bag.bin
           key: bag-bin-${{ needs.check-version.outputs.version }}
 
       - name: Upload bag.bin
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: bag.bin
           path: data/bag.bin
 
   build:
+    permissions:
+      contents: read
     needs: [ check-version, build-database ]
     if: needs.check-version.outputs.should_run == 'true'
     runs-on: ${{ matrix.os }}
@@ -135,66 +148,77 @@ jobs:
             artifact: bag-service-macos-arm64
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.event.workflow_run.head_sha || github.sha }}
+          persist-credentials: false
 
       - name: Download bag.bin
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: bag.bin
           path: data
 
-      - name: Set up Rust
-        uses: dtolnay/rust-toolchain@stable
-        with:
-          targets: ${{ matrix.target }}
+      - name: Setup Rust
+        shell: bash
+        run: >
+          rustup update stable &&
+          rustup default stable &&
+          rustup target add --toolchain stable ${{ matrix.target }}
 
       - name: Optionally install musl-tools
         if: matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'arm64-unknown-linux-musl'
+        shell: bash
         run: sudo apt-get install -y musl-tools
 
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
 
       - name: Build
+        shell: bash
         env:
           CC_aarch64_unknown_linux_musl: ${{ matrix.target == 'aarch64-unknown-linux-musl' && 'musl-gcc' || '' }}
         run: cargo build --release --bin bag-service --target ${{ matrix.target }}
 
       - name: Package
+        shell: bash
         run: |
           mkdir -p dist
           cp target/${{ matrix.target }}/release/bag-service dist/${{ matrix.artifact }}
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: ${{ matrix.artifact }}
           path: dist/${{ matrix.artifact }}
 
   docker:
+    permissions:
+      contents: read
+      packages: write
     needs:
       - check-version
       - build
     if: needs.check-version.outputs.should_run == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Download linux x64 artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: bag-service-linux-x64
           path: dist
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push docker image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           file: Dockerfile
           push: true
@@ -203,44 +227,49 @@ jobs:
           tags: "ghcr.io/tweedegolf/bag-address-lookup:${{ needs.check-version.outputs.version }},ghcr.io/tweedegolf/bag-address-lookup:latest"
 
   release:
+    permissions:
+      contents: write
     needs:
       - check-version
       - build
     if: needs.check-version.outputs.should_run == 'true'
     runs-on: ubuntu-latest
     steps:
       - name: Download linux x64 artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: bag-service-linux-x64
           path: dist
 
       - name: Download linux arm64 artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: bag-service-linux-arm64
           path: dist
 
       - name: Download macos x64 artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: bag-service-macos-x64
           path: dist
 
       - name: Download macos arm64 artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: bag-service-macos-arm64
           path: dist
 
       - name: Create release
-        uses: softprops/action-gh-release@v2
-        with:
-          tag_name: ${{ needs.check-version.outputs.version }}
-          name: Version ${{ needs.check-version.outputs.version }}
-          generate_release_notes: true
-          files: |
-            dist/bag-service-linux-x64
-            dist/bag-service-linux-arm64
-            dist/bag-service-macos-x64
+        shell: bash
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ needs.check-version.outputs.version }}
+          GH_REPO: ${{ github.repository }}
+        run: |
+          gh release create "$VERSION" \
+            --title "Version $VERSION" \
+            --generate-notes \
+            dist/bag-service-linux-x64 \
+            dist/bag-service-linux-arm64 \
+            dist/bag-service-macos-x64 \
             dist/bag-service-macos-arm64

.github/workflows/check.yml

@@ -7,23 +7,31 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   check:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Set up Rust
-        uses: dtolnay/rust-toolchain@stable
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          components: rustfmt, clippy
+          persist-credentials: false
+
+      - name: Setup Rust
+        shell: bash
+        run: >
+          rustup update stable &&
+          rustup default stable &&
+          rustup component add --toolchain stable rustfmt clippy
 
       - name: Create an empty database file
         run: mkdir -p data && touch data/bag.bin
 
       - name: Cache cargo
-        uses: actions/cache@v4
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: |
             ~/.cargo/registry

.github/workflows/monthly-release.yml

@@ -14,15 +14,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: true
 
-      - name: Set up Rust
-        uses: dtolnay/rust-toolchain@stable
+      - name: Setup Rust
+        shell: bash
+        run: rustup update stable && rustup default stable
 
       - name: Cache cargo
-        uses: actions/cache@v4
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: |
             ~/.cargo/registry
@@ -61,15 +62,17 @@ jobs:
         run: cargo test --all-features
 
       - name: Commit version bump
+        env:
+          VERSION: ${{ steps.bump.outputs.version }}
         run: |
           git add Cargo.toml Cargo.lock
-          git commit -m "chore: monthly release v${{ steps.bump.outputs.version }}"
+          git commit -m "chore: monthly release v${VERSION}"
 
       - name: Push
         run: git push origin HEAD:main
 
       - name: Trigger build workflow
-        uses: actions/github-script@v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             await github.rest.actions.createWorkflowDispatch({