| Jobs | Files | Run time |
|---|---|---|
| 1 | 97 | 1min |
push
github
chore: pin GitHub Actions to commit SHAs (#31)

## Pin GitHub Actions to commit SHAs

GitHub Actions referenced by tag (e.g. `actions/checkout@v4`) use a mutable pointer — the tag owner can move it to a different commit at any time, including a malicious one. This is the attack vector used in the tj-actions/changed-files incident (CVE-2025-30066).

Pinning to a full 40-character commit SHA makes the reference immutable. The `# tag` comment preserves human readability so reviewers can tell which version is pinned.

Important: a SHA can also originate from a forked repository. A malicious actor can fork an action, push a compromised commit to the fork, and the SHA will resolve — but it won't exist in the upstream canonical repo. Each SHA in this PR was verified against the action's canonical repository (not a fork).

### Changes

- `actions/checkout@v4` -> `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1`
  - Version: v4.3.1 | Latest: v6.0.2 | Release age: 90d
  - Commit: https://github.com/actions/checkout/commit/34e114876b0b11c390a56381ad16ebd13914f8d5
- `dtolnay/rust-toolchain@stable` -> `dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable`
  - Version: stable | Latest: v1 | Release age: 1364d
  - Commit: https://github.com/dtolnay/rust-toolchain/commit/29eef336d9b2848a0b548edc03f92a220660cdb8
- `taiki-e/install-action@cargo-llvm-cov` -> `taiki-e/install-action@d3ea2d8a04fb383a850d99dfc6d6e5d41414d476 # cargo-llvm-cov`
  - Version: cargo-llvm-cov | Latest: v2.75.4 | Release age: 7d
  - Commit: https://github.com/taiki-e/install-action/commit/d3ea2d8a04fb383a850d99dfc6d6e5d41414d476
  - Warnings: Latest release v2.75.4 is only 0 day(s) old (< 7 days). Using previous safe release.
- `actions/cache@v4` -> `actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0`
  - Version: v4.3.0 | Latest: v5.0.4 | Release age: 22d
  - Commit: https://github.com/actions/cache/commit/0057852bfaa89a56745cba8c7296529d2fc39830
- `... (continued)
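An added example, not part of the commit or the project's code: a small Python check that flags `uses:` references not pinned to a full 40-character SHA, run over a constructed workflow snippet. The name `audit_workflow` and the verdict labels are assumptions, and the check does not confirm that a SHA belongs to the canonical repository rather than a fork.

```python
import re

# "uses: owner/repo[/path]@ref" with an optional trailing "# comment".
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?(?P<action>[^@\s'\"]+)@(?P<ref>[^\s'\"#]+)['\"]?"
    r"\s*(?:#\s*(?P<comment>.*\S))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not the project's real file).
SAMPLE = """\
jobs:
  coverage:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: dtolnay/rust-toolchain@stable
      - uses: actions/cache@0057852bf
      - uses: taiki-e/install-action@d3ea2d8a04fb383a850d99dfc6d6e5d41414d476
"""


def audit_workflow(text):
    """Return (line_no, action, ref, verdict) for each remote `uses:` reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a uses: line, or a local ./path action (no @ref)
        action, ref, comment = m.group("action", "ref", "comment")
        if action.startswith("docker://"):
            continue  # container images are pinned by digest, not by git ref
        if not FULL_SHA_RE.match(ref.lower()):
            # Tags, branches and abbreviated SHAs are all treated as unpinned.
            verdict = "mutable"
        elif comment:
            verdict = "pinned"
        else:
            # Immutable, but reviewers cannot see which version it is.
            verdict = "pinned-no-comment"
        findings.append((line_no, action, ref, verdict))
    return findings


if __name__ == "__main__":
    for line_no, action, ref, verdict in audit_workflow(SAMPLE):
        print(f"line {line_no}: {action}@{ref} -> {verdict}")
```
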
18058 of 21620 relevant lines covered (83.52%)
16568.19 hits per line
| Lines | Coverage | ∆ | File |
|---|---|---|---|
| 7 | 84.88 | -0.49% | bitcoin/src/psbt/mod.rs |
| ID | Job ID | Ran | Files | Coverage | |
|---|---|---|---|---|---|
| 1 | 24235167691.1 | | 97 | 83.52 | GitHub Action Run |
| Coverage | ∆ | File | Lines | Relevant | Covered | Missed | Hits/Line |
|---|---|---|---|---|---|---|---|