From 7a17d85c16bcfbd5415cf656f25eefc02c3af514 Mon Sep 17 00:00:00 2001 From: Vincent Mutolo Date: Mon, 17 May 2021 13:23:53 -0400 Subject: [PATCH 1/4] restrict permissions for GitHub actions This commit introduces two changes. First, the actions are changed to only have read access to repositories. Second, we specify that GitHub should not persist the authorization token for write access to a repository on disk (see the option `persist-credentials: false`). --- .github/workflows/code_coverage.yml | 4 ++++ .github/workflows/daily_tests.yml | 5 +++++ .github/workflows/lints.yml | 5 +++++ .github/workflows/security_audit.yml | 5 +++++ .github/workflows/test.yml | 16 ++++++++++++++++ 5 files changed, 35 insertions(+) diff --git a/.github/workflows/code_coverage.yml b/.github/workflows/code_coverage.yml index 047bd3e7..b29b8017 100644 --- a/.github/workflows/code_coverage.yml +++ b/.github/workflows/code_coverage.yml @@ -4,6 +4,8 @@ on: - master name: Code coverage +permissions: + contents: read jobs: check: @@ -12,6 +14,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v2 + with: + persist-credentials: false - name: Install stable toolchain uses: actions-rs/toolchain@v1 diff --git a/.github/workflows/daily_tests.yml b/.github/workflows/daily_tests.yml index 779294f1..d21d3837 100644 --- a/.github/workflows/daily_tests.yml +++ b/.github/workflows/daily_tests.yml @@ -1,4 +1,7 @@ name: Daily tests +permissions: + contents: read + on: schedule: - cron: '0 0 * * *' # Midnight of each day @@ -15,6 +18,8 @@ jobs: steps: - name: Checkout sources uses: actions/checkout@v2 + with: + persist-credentials: false - name: Install toolchain uses: actions-rs/toolchain@v1 diff --git a/.github/workflows/lints.yml b/.github/workflows/lints.yml index a8aadbb4..f42f9e2a 100644 --- a/.github/workflows/lints.yml +++ b/.github/workflows/lints.yml 
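Review bot: The new `permissions:` block is laid out two different ways within the same patch: in code_coverage.yml (first hunk here) and in lints.yml and test.yml it is wedged between `name:` and `jobs:` with no separating blank line, while daily_tests.yml and security_audit.yml add a blank line after `contents: read`. Pick one layout for all five workflows. A one-line comment above the block, `# least privilege: no job in this workflow needs to write to the repository`, and one above the checkout input, `# do not leave the job token in .git/config for later steps`, would record why both settings exist so they are not "simplified away" later. Where `persist-credentials: false` lands in lints.yml is a separate problem, raised on that hunk.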
@@ -1,12 +1,17 @@ on: [push, pull_request] name: Lints +permissions: + contents: read jobs: lints: name: rustfmt and clippy runs-on: ubuntu-latest steps: + with: + persist-credentials: false + - name: Checkout sources uses: actions/checkout@v2 diff --git a/.github/workflows/security_audit.yml b/.github/workflows/security_audit.yml index f185e7b7..9c176793 100644 --- a/.github/workflows/security_audit.yml +++ b/.github/workflows/security_audit.yml @@ -1,4 +1,7 @@ name: Security Audit +permissions: + contents: read + on: push: # Check immediately if dependencies are altered @@ -15,6 +18,8 @@ jobs: steps: - name: Checkout sources uses: actions/checkout@v2 + with: + persist-credentials: false - name: Install stable toolchain uses: actions-rs/toolchain@v1 with: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 5cd5fde8..098e8314 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -11,6 +11,8 @@ on: # NOTE: Should we use fail-fast: false? name: Tests +permissions: + contents: read jobs: test: @@ -30,6 +32,8 @@ jobs: steps: - name: Checkout sources uses: actions/checkout@v2 + with: + persist-credentials: false - name: Install toolchain uses: actions-rs/toolchain@v1 @@ -92,6 +96,8 @@ jobs: steps: - name: Checkout sources uses: actions/checkout@v2 + with: + persist-credentials: false - name: Install toolchain uses: actions-rs/toolchain@v1 @@ -115,6 +121,8 @@ jobs: - nightly steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - uses: actions-rs/toolchain@v1 with: profile: minimal @@ -138,6 +146,8 @@ jobs: - mips64-unknown-linux-gnuabi64 steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - uses: actions-rs/toolchain@v1 with: toolchain: stable @@ -160,6 +170,8 @@ jobs: - wasm32-unknown-unknown steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - uses: actions-rs/toolchain@v1 with: toolchain: stable 
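Review bot: In the lints.yml hunk the added `with:` / `persist-credentials: false` lines sit directly under `steps:` and before `- name: Checkout sources`, so they are not an input of the checkout step; either the workflow fails to parse (`steps` becomes a mapping followed by sequence items) or the checkout still persists the token, which defeats the stated purpose of the commit. Move the two lines to follow `uses: actions/checkout@v2` at the same indentation as the step's other keys, as the other four workflows do. The context of the later lints.yml hunks (PATCH 2 `@@ -13,10 +13,10 @@` and PATCH 4 `@@ -13,7 +13,7 @@`) shows the misplacement is still present after the whole series.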
@@ -175,6 +187,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - uses: actions-rs/toolchain@v1 with: toolchain: stable @@ -197,6 +211,8 @@ jobs: steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - uses: EmbarkStudios/cargo-deny-action@v1 with: command: check ${{ matrix.checks }} From 78ac7fbea6ba23e3b256c08e3df5d0488313404a Mon Sep 17 00:00:00 2001 From: Vincent Mutolo Date: Mon, 17 May 2021 14:26:21 -0400 Subject: [PATCH 2/4] pin action versions by SHA1 instead of git tag --- .github/workflows/code_coverage.yml | 8 ++--- .github/workflows/daily_tests.yml | 6 ++-- .github/workflows/lints.yml | 8 ++--- .github/workflows/security_audit.yml | 6 ++-- .github/workflows/test.yml | 48 ++++++++++++++-------------- 5 files changed, 38 insertions(+), 38 deletions(-) diff --git a/.github/workflows/code_coverage.yml b/.github/workflows/code_coverage.yml index b29b8017..ad092f96 100644 --- a/.github/workflows/code_coverage.yml +++ b/.github/workflows/code_coverage.yml @@ -13,25 +13,25 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f with: persist-credentials: false - name: Install stable toolchain - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f with: toolchain: stable override: true - name: Run cargo-tarpaulin - uses: actions-rs/tarpaulin@v0.1 + uses: actions-rs/tarpaulin@60f0b12e5beec09ccca51758913f82d01889151c with: timeout: '120' out-type: 'Xml' args: '-- --test-threads 1' - name: Upload to codecov.io - uses: codecov/codecov-action@v1 + uses: codecov/codecov-action@a1ed4b322b4b38cb846afb5a0ebfa17086917d27 with: token: ${{secrets.CODECOV_TOKEN}} fail_ci_if_error: true \ No newline at end of file diff --git a/.github/workflows/daily_tests.yml b/.github/workflows/daily_tests.yml index d21d3837..5f619c65 100644 
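Review bot: The SHA pins in the code_coverage.yml hunk (and every other hunk of this patch, plus PATCH 4) carry no record of which release they were resolved from, e.g. `uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f`, so a reviewer cannot confirm from the diff that each commit is the one a published tag points at. Append the tag as a trailing comment at pin time, `uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f  # <tag the SHA was resolved from>`, and keep it in sync on every bump; this is also what update tooling reads to propose the next pin. The hunk also leaves code_coverage.yml without a trailing newline (`\ No newline at end of file` on the new side), which is worth fixing while the file is being touched.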
--- a/.github/workflows/daily_tests.yml +++ b/.github/workflows/daily_tests.yml @@ -17,18 +17,18 @@ jobs: - nightly steps: - name: Checkout sources - uses: actions/checkout@v2 + uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f with: persist-credentials: false - name: Install toolchain - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f with: profile: minimal toolchain: ${{ matrix.rust }} override: true - name: Run cargo test - release - uses: actions-rs/cargo@v1 + uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b with: command: test args: --release --all-features \ No newline at end of file diff --git a/.github/workflows/lints.yml b/.github/workflows/lints.yml index f42f9e2a..31280261 100644 --- a/.github/workflows/lints.yml +++ b/.github/workflows/lints.yml @@ -13,10 +13,10 @@ jobs: persist-credentials: false - name: Checkout sources - uses: actions/checkout@v2 + uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f - name: Install stable toolchain - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f with: profile: minimal toolchain: stable @@ -24,13 +24,13 @@ jobs: components: rustfmt, clippy - name: Run cargo fmt - uses: actions-rs/cargo@v1 + uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b with: command: fmt args: --all -- --check - name: Run cargo clippy - uses: actions-rs/cargo@v1 + uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b with: command: clippy args: -- -D warnings \ No newline at end of file diff --git a/.github/workflows/security_audit.yml b/.github/workflows/security_audit.yml index 9c176793..f891a0fd 100644 --- a/.github/workflows/security_audit.yml +++ b/.github/workflows/security_audit.yml 
@@ -17,11 +17,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout sources - uses: actions/checkout@v2 + uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f with: persist-credentials: false - name: Install stable toolchain - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f with: toolchain: stable override: true @@ -30,7 +30,7 @@ jobs: run: cargo install cargo-audit - name: Run cargo audit - uses: actions-rs/cargo@v1 + uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b with: command: audit args: --deny warnings \ No newline at end of file diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 098e8314..b033e89b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -31,19 +31,19 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout sources - uses: actions/checkout@v2 + uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f with: persist-credentials: false - name: Install toolchain - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f with: profile: minimal toolchain: ${{ matrix.rust }} override: true - name: Test debug-mode, default features - uses: actions-rs/cargo@v1 + uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b with: command: test @@ -54,19 +54,19 @@ jobs: args: --features serde - name: Test debug-mode, no default features - uses: actions-rs/cargo@v1 + uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b with: command: test args: --no-default-features --tests - name: Test debug-mode, alloc feature - uses: actions-rs/cargo@v1 + uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b with: command: test args: --no-default-features --features alloc --tests - name: Test release-mode, default features - uses: actions-rs/cargo@v1 + uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b with: command: test args: --release 
@@ -78,13 +78,13 @@ jobs: args: --release --features serde - name: Test release-mode, no default features - uses: actions-rs/cargo@v1 + uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b with: command: test args: --release --no-default-features --tests - name: Test release-mode, alloc feature - uses: actions-rs/cargo@v1 + uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b with: command: test args: --release --no-default-features --features alloc --tests @@ -95,12 +95,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout sources - uses: actions/checkout@v2 + uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f with: persist-credentials: false - name: Install toolchain - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f with: toolchain: nightly target: x86_64-unknown-linux-gnu @@ -120,16 +120,16 @@ jobs: - stable - nightly steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f with: persist-credentials: false - - uses: actions-rs/toolchain@v1 + - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f with: profile: minimal toolchain: ${{ matrix.rust }} target: thumbv7em-none-eabi override: true - - uses: actions-rs/cargo@v1 + - uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b with: use-cross: true command: build @@ -145,15 +145,15 @@ jobs: - armv7-unknown-linux-gnueabihf - mips64-unknown-linux-gnuabi64 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f with: persist-credentials: false - - uses: actions-rs/toolchain@v1 + - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f with: toolchain: stable target: ${{ matrix.arch }} override: true - - uses: actions-rs/cargo@v1 + - uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b with: use-cross: true command: test 
@@ -169,15 +169,15 @@ jobs: arch: - wasm32-unknown-unknown steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f with: persist-credentials: false - - uses: actions-rs/toolchain@v1 + - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f with: toolchain: stable target: ${{ matrix.arch }} override: true - - uses: actions-rs/cargo@v1 + - uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b with: command: check args: --no-default-features --target ${{ matrix.arch }} @@ -186,14 +186,14 @@ jobs: name: Build documentation runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f with: persist-credentials: false - - uses: actions-rs/toolchain@v1 + - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f with: toolchain: stable override: true - - uses: actions-rs/cargo@v1 + - uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b with: command: doc args: --no-deps --all-features @@ -210,9 +210,9 @@ jobs: continue-on-error: ${{ matrix.checks == 'advisories' }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f with: persist-credentials: false - - uses: EmbarkStudios/cargo-deny-action@v1 + - uses: EmbarkStudios/cargo-deny-action@0ca727bbae7b7b578b9a5f98186caac35aa2a00d with: command: check ${{ matrix.checks }} From 4e4a58465c13f4dbf264ed7af5965f96c740fd31 Mon Sep 17 00:00:00 2001 From: Vincent Mutolo Date: Mon, 17 May 2021 14:43:47 -0400 Subject: [PATCH 3/4] remove codecov token It shouldn't be necessary for public repositories. --- .github/workflows/code_coverage.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/code_coverage.yml b/.github/workflows/code_coverage.yml index ad092f96..9f886557 100644 --- a/.github/workflows/code_coverage.yml +++ b/.github/workflows/code_coverage.yml 
@@ -33,5 +33,4 @@ jobs: - name: Upload to codecov.io uses: codecov/codecov-action@a1ed4b322b4b38cb846afb5a0ebfa17086917d27 with: - token: ${{secrets.CODECOV_TOKEN}} fail_ci_if_error: true \ No newline at end of file From 1423d6c10d47bc2c904647f09f2cbef28b9ca56d Mon Sep 17 00:00:00 2001 From: Vince Mutolo Date: Sat, 23 Oct 2021 13:42:51 -0400 Subject: [PATCH 4/4] update git tags for GitHub actions --- .github/workflows/code_coverage.yml | 4 ++-- .github/workflows/daily_tests.yml | 2 +- .github/workflows/lints.yml | 2 +- .github/workflows/security_audit.yml | 2 +- .github/workflows/test.yml | 14 +++++++------- 5 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/code_coverage.yml b/.github/workflows/code_coverage.yml index 9f886557..c7ce9b20 100644 --- a/.github/workflows/code_coverage.yml +++ b/.github/workflows/code_coverage.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f + uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97 with: persist-credentials: false @@ -31,6 +31,6 @@ jobs: args: '-- --test-threads 1' - name: Upload to codecov.io - uses: codecov/codecov-action@a1ed4b322b4b38cb846afb5a0ebfa17086917d27 + uses: codecov/codecov-action@f32b3a3741e1053eb607407145bc9619351dc93b with: fail_ci_if_error: true \ No newline at end of file diff --git a/.github/workflows/daily_tests.yml b/.github/workflows/daily_tests.yml index 5f619c65..b9e25711 100644 --- a/.github/workflows/daily_tests.yml +++ b/.github/workflows/daily_tests.yml @@ -17,7 +17,7 @@ jobs: - nightly steps: - name: Checkout sources - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f + uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97 with: persist-credentials: false diff --git a/.github/workflows/lints.yml b/.github/workflows/lints.yml index 31280261..c983d58f 100644 --- a/.github/workflows/lints.yml +++ b/.github/workflows/lints.yml 
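Review bot: Only actions/checkout and codecov/codecov-action move to new commits in this patch; actions-rs/toolchain, actions-rs/cargo, actions-rs/tarpaulin and cargo-deny-action keep their PATCH 2 pins, and nothing in this series arranges for them to be revisited. SHA pins never follow a tag on their own, so pair them with a `.github/dependabot.yml` entry using `package-ecosystem: "github-actions"` so that updates arrive as reviewable pull requests showing the new SHA and tag together. The subject says "update git tags" while the hunks change SHAs; naming the tags these SHAs resolve to, in the message or as trailing comments on the `uses:` lines, would let the next reader verify the pins without looking each one up.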
@@ -13,7 +13,7 @@ jobs: persist-credentials: false - name: Checkout sources - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f + uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97 - name: Install stable toolchain uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f diff --git a/.github/workflows/security_audit.yml b/.github/workflows/security_audit.yml index f891a0fd..dbe44ea7 100644 --- a/.github/workflows/security_audit.yml +++ b/.github/workflows/security_audit.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout sources - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f + uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97 with: persist-credentials: false - name: Install stable toolchain diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b033e89b..d82d9c1f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -31,7 +31,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout sources - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f + uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97 with: persist-credentials: false @@ -95,7 +95,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout sources - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f + uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97 with: persist-credentials: false @@ -120,7 +120,7 @@ jobs: - stable - nightly steps: - - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f + - uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97 with: persist-credentials: false - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f 
@@ -145,7 +145,7 @@ jobs: - armv7-unknown-linux-gnueabihf - mips64-unknown-linux-gnuabi64 steps: - - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f + - uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97 with: persist-credentials: false - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f @@ -169,7 +169,7 @@ jobs: arch: - wasm32-unknown-unknown steps: - - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f + - uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97 with: persist-credentials: false - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f @@ -186,7 +186,7 @@ jobs: name: Build documentation runs-on: ubuntu-latest steps: - - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f + - uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97 with: persist-credentials: false - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f @@ -210,7 +210,7 @@ jobs: continue-on-error: ${{ matrix.checks == 'advisories' }} steps: - - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f + - uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97 with: persist-credentials: false - uses: EmbarkStudios/cargo-deny-action@0ca727bbae7b7b578b9a5f98186caac35aa2a00d