[StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
build(deps): bump the actions-updates group across 1 directory with 3 updates (#467 )
2025-08-03 13:11:31 +00:00 · 2025-06-06 18:22:03 +00:00 · 2025-03-05 14:26:50 +00:00 · 2025-01-07 06:38:16 +00:00
4 changed files with 27 additions and 21 deletions
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@ -6,13 +6,16 @@ on:
  merge_group:
    branches:
    - main
+permissions:
+  contents: read
+
 jobs:
  rustfmt:
    name: rustfmt
    runs-on: ubuntu-latest
    steps:
    - name: harden runner
-      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
      with:
        egress-policy: audit
    - name: checkout repository
@ -33,7 +36,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: harden runner
-      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
      with:
        egress-policy: audit
    - name: checkout repository
@ -55,7 +58,7 @@ jobs:
    name: full build linux-${{ matrix.arch }}
    steps:
    - name: harden runner
-      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
      with:
        egress-policy: audit
    - name: checkout repository
@ -83,7 +86,7 @@ jobs:
    name: full test linux-${{ matrix.arch }}
    steps:
    - name: harden runner
-      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
      with:
        egress-policy: audit
    - name: checkout repository
@ -110,7 +113,7 @@ jobs:
    name: full clippy linux-${{ matrix.arch }}
    steps:
    - name: harden runner
-      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
      with:
        egress-policy: audit
    - name: checkout repository
--- a/.github/workflows/release-plz.yml
+++ b/.github/workflows/release-plz.yml
@ -6,6 +6,9 @@ on:
 concurrency:
  group: "${{ github.workflow }}"
  cancel-in-progress: true
+permissions:
+  contents: read
+
 jobs:
  release-plz:
    name: release-plz
@ -15,11 +18,11 @@ jobs:
      contents: write
    steps:
    - name: harden runner
-      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
      with:
        egress-policy: audit
    - name: generate cultivator token
-      uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+      uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1.11.6
      id: generate-token
      with:
        app-id: "${{ secrets.EDERA_CULTIVATION_APP_ID }}"
@ -37,7 +40,7 @@ jobs:
    - name: install linux dependencies
      run: ./hack/ci/install-linux-deps.sh
    - name: release-plz
-      uses: MarcoIeni/release-plz-action@db75300cf27adcd986d6f0cf4a72a4ffcc11dae5 # v0.5.86
+      uses: MarcoIeni/release-plz-action@476794ede164c5137bfc3a1dc6ed3675275690f9 # v0.5.99
      env:
        GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
        CARGO_REGISTRY_TOKEN: "${{ secrets.KRATA_RELEASE_CARGO_TOKEN }}"
--- a/Cargo.lock
+++ b/Cargo.lock
@ -77,9 +77,9 @@ dependencies = [

 [[package]]
 name = "async-trait"
-version = "0.1.83"
+version = "0.1.85"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "721cae7de5c34fbb2acd27e21e6d2cf7b886dce0c27388d46c4e6c47ea4318dd"
+checksum = "3f934833b4b7233644e5848f235df3f57ed8c80f1528a26c3dfa13d2147fa056"
 dependencies = [
 "proc-macro2",
 "quote",
@ -185,9 +185,9 @@ dependencies = [

 [[package]]
 name = "env_logger"
-version = "0.11.5"
+version = "0.11.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e13fa619b91fb2381732789fc5de83b45675e882f66623b7d8cb4f643017018d"
+checksum = "dcaee3d8e3cfc3fd92428d477bc97fc29ec8716d180c0d74c643bb26166660e0"
 dependencies = [
 "anstream",
 "anstyle",
@ -342,9 +342,9 @@ dependencies = [

 [[package]]
 name = "libc"
-version = "0.2.168"
+version = "0.2.169"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5aaeb2981e0606ca11d79718f8bb01164f1d6ed75080182d3abf017e6d244b6d"
+checksum = "b5aba8db14291edd000dfcc4d620c7ebfb122c613afb886ca8803fa4e128a20a"

 [[package]]
 name = "lock_api"
@ -573,18 +573,18 @@ dependencies = [

 [[package]]
 name = "thiserror"
-version = "2.0.7"
+version = "2.0.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "93605438cbd668185516ab499d589afb7ee1859ea3d5fc8f6b0755e1c7443767"
+checksum = "f072643fd0190df67a8bab670c20ef5d8737177d6ac6b2e9a236cb096206b2cc"
 dependencies = [
 "thiserror-impl",
 ]

 [[package]]
 name = "thiserror-impl"
-version = "2.0.7"
+version = "2.0.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e1d8749b4531af2117677a5fcd12b1348a3fe2b81e36e61ffeac5c4aa3273e36"
+checksum = "7b50fa271071aae2e6ee85f842e2e28ba8cd2c5fb67f11fcb1fd70b276f9e7d4"
 dependencies = [
 "proc-macro2",
 "quote",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -16,11 +16,11 @@ license = "GPL-2.0-or-later"
 repository = "https://github.com/edera-dev/krata"

 [workspace.dependencies]
-async-trait = "0.1.83"
+async-trait = "0.1.85"
 bit-vec = "0.8.0"
 byteorder = "1"
 elf = "0.7.4"
-env_logger = "0.11.5"
+env_logger = "0.11.6"
 flate2 = "1.0"
 indexmap = "2.6.0"
 libc = "0.2"
@ -29,7 +29,7 @@ memchr = "2"
 nix = "0.29.0"
 regex = "1.11.1"
 slice-copy = "0.3.0"
-thiserror = "2.0.7"
+thiserror = "2.0.9"
 xz2 = "0.1"

 [workspace.dependencies.tokio]