fix release tag

Bump toml from 0.9.7 to 0.9.8 in the cargo-updates group

.github/codeql/codeql-config.yaml

@@ -0,0 +1,5 @@
+name: "codeql-config"
+
+extractor-options:
+  rust:
+    cargo_target: x86_64-unknown-uefi

.github/dependabot.yaml

@@ -26,3 +26,16 @@ updates:
     cargo-dev-updates:
       dependency-type: development
       applies-to: version-updates
+- package-ecosystem: docker
+  directory: /
+  schedule:
+    interval: weekly
+  cooldown:
+    default-days: 7
+  groups:
+    docker-updates:
+      dependency-type: production
+      applies-to: version-updates
+    docker-dev-updates:
+      dependency-type: development
+      applies-to: version-updates

.github/workflows/ci-code.yaml

@@ -26,10 +26,9 @@ jobs:
       with:
         persist-credentials: false
 
-    - name: 'install nightly rust toolchain with rustfmt'
+    - name: 'install rust toolchain with rustfmt'
       run: |
-        rustup update --no-self-update nightly
-        rustup default nightly
+        cargo version
         rustup component add rustfmt
 
     - name: 'cargo fmt'
@@ -57,10 +56,9 @@ jobs:
       with:
         persist-credentials: false
 
-    - name: 'install nightly rust toolchain'
+    - name: 'install rust toolchain'
       run: |
-        rustup update --no-self-update nightly
-        rustup default nightly
+        cargo version
 
     - name: cargo build
       run: cargo build --target "${TARGET_ARCH}-unknown-uefi"
@@ -87,10 +85,9 @@ jobs:
       with:
         persist-credentials: false
 
-    - name: 'install nightly rust toolchain with clippy'
+    - name: 'install rust toolchain with clippy'
       run: |
-        rustup update --no-self-update nightly
-        rustup default stable
+        cargo version
         rustup component add clippy
 
     - name: cargo clippy

.github/workflows/codeql.yaml

@@ -0,0 +1,53 @@
+name: codeql
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+  - cron: '33 16 * * 0'
+
+permissions:
+  contents: read # Needed to checkout the repository.
+
+jobs:
+  analyze:
+    name: analyze (${{ matrix.language }})
+    runs-on: 'ubuntu-latest'
+    permissions:
+      security-events: write # Needed to upload results.
+      packages: read # Needed to fetch internal or private CodeQL packs.
+      actions: read # Needed to read workflows.
+      contents: read # Needed to checkout the repository.
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: actions
+          build-mode: none
+        - language: rust
+          build-mode: none
+    steps:
+    - name: harden runner
+      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      with:
+        egress-policy: audit
+
+    - name: checkout
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      with:
+        persist-credentials: false
+
+    - name: initialize codeql
+      uses: github/codeql-action/init@16140ae1a102900babc80a33c44059580f687047 #v4
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        config-file: ./.github/codeql/codeql-config.yaml
+
+    - name: perform codeql analysis
+      uses: github/codeql-action/analyze@16140ae1a102900babc80a33c44059580f687047 #v4
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/publish.yaml

@@ -1,9 +1,12 @@
 name: publish
 
 on:
-  release:
-    types:
-    - created
+  workflow_dispatch:
+    inputs:
+      release-tag:
+        description: 'Release Tag'
+        required: true
+        type: string
 
   push:
     branches:
@@ -39,10 +42,9 @@ jobs:
       with:
         persist-credentials: false
 
-    - name: 'install nightly rust toolchain'
+    - name: 'install rust toolchain'
       run: |
-        rustup update --no-self-update nightly
-        rustup default nightly
+        cargo version
 
     - name: 'assemble artifacts'
       run: ./hack/assemble.sh
@@ -65,10 +67,18 @@ jobs:
       with:
         app-id: "${{ secrets.EDERA_CULTIVATION_APP_ID }}"
         private-key: "${{ secrets.EDERA_CULTIVATION_APP_PRIVATE_KEY }}"
+      if: ${{ github.event.inputs.release-tag != '' }}
 
     - name: 'upload release artifacts'
       run: ./hack/ci/upload-release-assets.sh
       env:
         GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
-        RELEASE_TAG: "${{ github.event.release.tag_name }}"
-      if: ${{ github.event_name == 'release' }}
+        RELEASE_TAG: "${{ github.event.inputs.release-tag }}"
+      if: ${{ github.event.inputs.release-tag != '' }}
+
+    - name: 'mark release as published'
+      run: gh release edit "${RELEASE_TAG}" --draft=false --verify-tag
+      env:
+        GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
+        RELEASE_TAG: "${{ github.event.inputs.release-tag }}"
+      if: ${{ github.event.inputs.release-tag != '' }}

Cargo.lock

@@ -252,9 +252,9 @@ dependencies = [
 
 [[package]]
 name = "serde_spanned"
-version = "1.0.2"
+version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5417783452c2be558477e104686f7de5dae53dba813c28435e0e70f82d9b04ee"
+checksum = "e24345aa0fe688594e73770a5f6d1b216508b4f93484c0026d521acd30134392"
 dependencies = [
  "serde_core",
 ]
@@ -277,9 +277,9 @@ dependencies = [
 
 [[package]]
 name = "toml"
-version = "0.9.7"
+version = "0.9.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "00e5e5d9bf2475ac9d4f0d9edab68cc573dc2fd644b0dba36b0c30a92dd9eaa0"
+checksum = "f0dc8b1fb61449e27716ec0e1bdf0f6b8f3e8f6b05391e8497b8b6d7804ea6d8"
 dependencies = [
  "indexmap",
  "serde_core",
@@ -292,27 +292,27 @@ dependencies = [
 
 [[package]]
 name = "toml_datetime"
-version = "0.7.2"
+version = "0.7.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "32f1085dec27c2b6632b04c80b3bb1b4300d6495d1e129693bdda7d91e72eec1"
+checksum = "f2cdb639ebbc97961c51720f858597f7f24c4fc295327923af55b74c3c724533"
 dependencies = [
  "serde_core",
 ]
 
 [[package]]
 name = "toml_parser"
-version = "1.0.3"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4cf893c33be71572e0e9aa6dd15e6677937abd686b066eac3f8cd3531688a627"
+checksum = "c0cbe268d35bdb4bb5a56a2de88d0ad0eb70af5384a99d648cd4b3d04039800e"
 dependencies = [
  "winnow",
 ]
 
 [[package]]
 name = "toml_writer"
-version = "1.0.3"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d163a63c116ce562a22cda521fcc4d79152e7aba014456fb5eb442f6d6a10109"
+checksum = "df8b2b54733674ad286d16267dcfc7a71ed5c776e4ac7aa3c3e2561f7c637bf2"
 
 [[package]]
 name = "ucs2"

Cargo.toml

@@ -9,7 +9,7 @@ edition = "2024"
 
 [dependencies]
 anyhow = "1.0.100"
-toml = "0.9.7"
+toml = "0.9.8"
 log = "0.4.28"
 
 [dependencies.image]

Dockerfile

@@ -2,7 +2,7 @@
 ARG RUST_PROFILE=release
 ARG RUST_TARGET_SUBDIR=release
 
-FROM --platform=$BUILDPLATFORM rustlang/rust:nightly-alpine@sha256:b8107fa66d3e5ad7f729d3347c7feedbd3f4b60b01006edce39eb6b994ff00bd AS build
+FROM --platform=$BUILDPLATFORM rustlang/rust:nightly-alpine@sha256:141e9a7f13f77237dd4d462364c3a1b21cb8a6791d8924c409573e77b788af5e AS build
 RUN apk --no-cache add musl-dev busybox-static
 ARG RUST_PROFILE
 RUN adduser -S -s /bin/sh build