Secure defaults for GitHub Actions suggestions in The Cargo Book

[hashcatHitman]

Problem

There are example workflows provided in several places in The Cargo Book, such as:

• https://doc.rust-lang.org/cargo/guide/continuous-integration.html#github-actions
• https://doc.rust-lang.org/cargo/guide/continuous-integration.html#verifying-latest-dependencies
• https://doc.rust-lang.org/cargo/guide/continuous-integration.html#verifying-rust-version

These all use actions/checkout@v4. I'd suggest increasing this to at least actions/checkout@v6, as the checkout action was made more misuse-resistant (specifically with regards to ARTIPACKED) as of v6.

I think this change is worth making because defaults are important, and many people will just copy the workflows as-is and think nothing more of it.

Proposed Solution

I'd suggest increasing this to at least actions/checkout@v6, as the checkout action was made more misuse-resistant (specifically with regards to ARTIPACKED) as of v6.

In general, I'd advocate for using zizmor when possible to make proposed workflows more secure whenever possible.

Notes

I am not affiliated with zizmor, I just think it is a good tool.

[epage]

I noticed that they were behind recently. I didn't think anything too much of it because people really need to have some kind of updater runner for these.

My main concern is if we update, that is meaning we need to regularly update and that could get tricky.

One option is we split these out and use includes to pull them in. I'm assuming zizmor would need them to be complete snippets though, rather than just fragments. If that gets too noisy, one option is we can include a range of lines but I have a book that does that and it is easy to update the included file without knowing you need to update the book and it can be hard to verify after the fact that the include is right. You need to compare an old and new version of the generated website to each other.

[weihanglo]

I think we can still do a simple update this time? It is not necessary to block it until we have a perfect solution.

[epage]

That sets a precedence though of what level of support we are providing these snippets

[weihanglo]

IMHO we don't need to be worried about that. Incremental doc improvement is better than nothing. As maintainers we provide the snippet as-is. If contributor comes we accept. If none it falls behind.

If we are worried that we may forget the perfect solution after a simple update, then we keep the issue open.

[AMDmi3]

IMHO we don't need to be worried about that. Incremental doc improvement is better than nothing. As maintainers we provide the snippet as-is. If contributor comes we accept. If none it falls behind.

I agree and don't see a need to overengineer and overthink here.