From 3b5929ab7e15e0a6f1226e7f85a5b31d49c9631f Mon Sep 17 00:00:00 2001 From: Frank Elsinga Date: Mon, 8 Jun 2026 00:28:35 +0200 Subject: [PATCH 1/4] improve supply chain security --- .github/dependabot.yml | 4 +++ .github/workflows/ci.yml | 57 ++++++++++++++++++++++++---------------- 2 files changed, 39 insertions(+), 22 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index f07da5f..afd3b17 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,6 +5,8 @@ updates: - package-ecosystem: github-actions directory: '/' schedule: { interval: weekly } + cooldown: + default-days: 7 groups: all-actions-version-updates: applies-to: version-updates @@ -18,6 +20,8 @@ updates: directory: '/' schedule: { interval: daily, time: '02:00' } open-pull-requests-limit: 10 + cooldown: + default-days: 7 groups: all-cargo-version-updates: applies-to: version-updates diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f69a138..9f3faa0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,6 +14,8 @@ defaults: jobs: test: name: Test ${{ matrix.os }} (${{ matrix.simd_mode }}) + permissions: + contents: read runs-on: ${{ matrix.os }} strategy: fail-fast: false 
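Review bot: `permissions: contents: read` is added job by job in the `test` hunk here (and again for test-nightly, test-msrv, fuzz, coverage, ci-passed and publish in the later hunks), which still leaves any job added to this workflow later inheriting the repository's default `GITHUB_TOKEN` scope. A workflow-level default next to the top-level keys, `permissions: { contents: read }` (or `permissions: {}` with per-job grants), would make least privilege the default rather than something each job opts into; the top of the workflow is outside this hunk, so confirm it does not already carry one. The per-job entries can then stay as explicit overrides, with a one-line comment on the top-level key saying that jobs needing more must ask for it.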
@@ -23,38 +25,42 @@ jobs: env: FASTPFOR_SIMD_MODE: ${{ matrix.simd_mode }} steps: - - uses: actions/checkout@v6 - with: { submodules: recursive } + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: {persist-credentials: false, submodules: recursive} - if: github.event_name != 'release' && github.event_name != 'workflow_dispatch' - uses: Swatinem/rust-cache@v2 + uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 with: prefix-key: "v0-${{ matrix.simd_mode }}" - - uses: taiki-e/install-action@v2 + - uses: taiki-e/install-action@56545b37b57562edd73171cb6c62cc509db4c34e # v2.81.7 with: { tool: 'just,cargo-binstall' } - run: just ci-test test-nightly: name: Nightly-specific tests + permissions: + contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - with: { submodules: recursive } + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: {persist-credentials: false, submodules: recursive} - if: github.event_name != 'release' && github.event_name != 'workflow_dispatch' - uses: Swatinem/rust-cache@v2 - - uses: taiki-e/install-action@v2 + uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 + - uses: taiki-e/install-action@56545b37b57562edd73171cb6c62cc509db4c34e # v2.81.7 with: { tool: 'just' } - run: rustup install nightly --profile minimal - run: just test-publish test-msrv: name: Test MSRV + permissions: + contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - with: { submodules: recursive } + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: {persist-credentials: false, submodules: recursive} - if: github.event_name != 'release' && github.event_name != 'workflow_dispatch' - uses: Swatinem/rust-cache@v2 - - uses: taiki-e/install-action@v2 + uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 + - uses: taiki-e/install-action@56545b37b57562edd73171cb6c62cc509db4c34e 
# v2.81.7 with: { tool: 'just' } - name: Read MSRV id: msrv @@ -67,6 +73,8 @@ jobs: fuzz: name: Fuzz + permissions: + contents: read runs-on: ubuntu-latest env: # The number of seconds to run the fuzz target. @@ -79,13 +87,13 @@ jobs: - fuzz_target: decode_oracle - fuzz_target: decode_arbitrary steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: {persist-credentials: false, submodules: recursive} # Install the nightly Rust channel. - run: rustup toolchain install nightly - run: rustup default nightly # Install and cache `cargo-fuzz`. - - uses: taiki-e/install-action@v2 + - uses: taiki-e/install-action@56545b37b57562edd73171cb6c62cc509db4c34e # v2.81.7 with: tool: cargo-binstall - run: cargo binstall -y cargo-fuzz@0.13.1 # Pinned to avoid breakage. @@ -94,7 +102,7 @@ jobs: - run: cargo fuzz build --target x86_64-unknown-linux-gnu ${{ matrix.fuzz_target }} - run: cargo fuzz run --target x86_64-unknown-linux-gnu ${{ matrix.fuzz_target }} -- -max_total_time=${{ env.FUZZ_TIME }} # Upload fuzzing artifacts on failure for post-mortem debugging. - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: failure() with: name: fuzzing-artifacts-${{ matrix.fuzz_target }}-${{ github.sha }} 
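Review bot: Inside the fuzz hunk the one install still resolved through a mutable reference is `cargo binstall -y cargo-fuzz@0.13.1`: the crate version chooses which release asset binstall downloads, but unlike the SHA pins added just above it does not fix the bytes of that binary, so a replaced release asset would go unnoticed. If `taiki-e/install-action` supports `cargo-fuzz`, moving it into the `tool:` list of the pinned install step would put it on the same pinned, checksum-verified path as `cargo-binstall` itself; if it does not, a short comment on the binstall line explaining why it stays outside that path would help the next reviewer. The unpinned `rustup toolchain install nightly` context line in the same hunk is the other floating input, if reproducible fuzz builds matter (`nightly-YYYY-MM-DD`). The `cargo fuzz run` steps of this job continue in the next hunk.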
@@ -102,18 +110,20 @@ jobs: coverage: name: Code Coverage + permissions: + contents: read if: github.event_name != 'release' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - with: { submodules: recursive } - - uses: Swatinem/rust-cache@v2 - - uses: taiki-e/install-action@v2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: {persist-credentials: false, submodules: recursive} + - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 + - uses: taiki-e/install-action@56545b37b57562edd73171cb6c62cc509db4c34e # v2.81.7 with: { tool: 'just,cargo-llvm-cov' } - name: Generate code coverage run: just ci-coverage - name: Upload coverage to Codecov - uses: codecov/codecov-action@v6 + uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0 with: token: ${{ secrets.CODECOV_TOKEN }} files: target/llvm-cov/codecov.info @@ -121,6 +131,7 @@ jobs: # This job checks if any of the previous jobs failed or were canceled. # This approach also allows some jobs to be skipped if they are not needed. ci-passed: + permissions: {} needs: [ test, test-nightly, test-msrv, fuzz ] if: always() runs-on: ubuntu-latest @@ -134,11 +145,13 @@ jobs: # Some dependencies of the `ci-passed` job might be skipped, but we still want to run if the `ci-passed` job succeeded. if: always() && startsWith(github.ref, 'refs/tags/') && needs.ci-passed.result == 'success' name: Publish to crates.io + permissions: + contents: read needs: [ ci-passed ] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - with: { submodules: recursive } + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: {persist-credentials: false, submodules: recursive} - name: Publish to crates.io run: cargo publish env: From b1d156f21163d019a113afb510e89dbf28df3d7f Mon Sep 17 00:00:00 2001 
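Review bot: The coverage step replaces `codecov/codecov-action@v6` with a SHA commented `# v7.0.0`, so this hunk crosses a major version inside a commit presented as a pin, and the same happens to `dependabot/fetch-metadata` (v2 to `# v3.1.0`) in patch 2 of this series. A major bump can rename or drop inputs (`token` and `files` here) and deserves its own commit, or at least a sentence in the commit message, so that a later bisect of a coverage-upload failure does not land on a "pin" commit. If the v7 upgrade is intended, confirm that `token` and `files` are still the accepted input names for that release before merging.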
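Review bot: The publish job now runs with `contents: read` and a credential-free checkout, but `cargo publish` still authenticates through whatever the `env:` block at the end of the hunk supplies, and that block lies outside the hunk. If it is a long-lived registry token kept as a repository secret, that token is the remaining high-value credential in this workflow; crates.io trusted publishing (`id-token: write` on this job plus a trusted-publisher entry on the crate) would replace it with a short-lived one, so please check which applies. Either way, a comment on the job naming the credential it depends on, and noting that `persist-credentials: false` is safe because publishing needs no git push, would document the intent.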
From: Frank Elsinga Date: Mon, 8 Jun 2026 00:38:56 +0200 Subject: [PATCH 2/4] pin two more --- .github/workflows/ci.yml | 2 +- .github/workflows/dependabot.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9f3faa0..1c80508 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -66,7 +66,7 @@ jobs: id: msrv run: echo "value=$(just get-msrv)" >> $GITHUB_OUTPUT - name: Install MSRV Rust ${{ steps.msrv.outputs.value }} - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1 with: toolchain: ${{ steps.msrv.outputs.value }} - run: just ci_mode=0 ci-test-msrv # Ignore warnings in MSRV diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml index b8c6334..71e879f 100644 --- a/.github/workflows/dependabot.yml +++ b/.github/workflows/dependabot.yml @@ -10,7 +10,7 @@ jobs: steps: - name: Dependabot metadata id: metadata - uses: dependabot/fetch-metadata@v2 + uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0 with: github-token: "${{ secrets.GITHUB_TOKEN }}" - name: Approve Dependabot PRs From a7c6006aaead0041a481cb1bae7c62ed16cf27e8 Mon Sep 17 00:00:00 2001 From: Yuri Astrakhan Date: Sun, 7 Jun 2026 22:15:36 -0400 Subject: [PATCH 3/4] Fix formatting of 'with' parameters in CI workflow --- .github/workflows/ci.yml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1c80508..a114c84 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
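Review bot: The comment `# v1` beside the new `dtolnay/rust-toolchain@e97e2d8c…` pin does not name the ref the SHA replaced (`stable`), and nothing on this page shows that a `v1` tag exists for that action; Dependabot's SHA-pin updater and anyone checking the pin rely on that comment to find the tag the SHA should match. Record the ref the commit was actually taken from (`# stable`, or a dated tag if the project publishes one) after verifying that the SHA resolves to it. Since `with: toolchain:` already overrides the toolchain selection, the ref only pins the action code, which is worth a short comment on the step so nobody "fixes" it back to `@stable`.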
@@ -26,7 +26,7 @@ jobs: FASTPFOR_SIMD_MODE: ${{ matrix.simd_mode }} steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - with: {persist-credentials: false, submodules: recursive} + with: { persist-credentials: false, submodules: recursive } - if: github.event_name != 'release' && github.event_name != 'workflow_dispatch' uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 with: @@ -42,7 +42,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - with: {persist-credentials: false, submodules: recursive} + with: { persist-credentials: false, submodules: recursive } - if: github.event_name != 'release' && github.event_name != 'workflow_dispatch' uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 - uses: taiki-e/install-action@56545b37b57562edd73171cb6c62cc509db4c34e # v2.81.7 @@ -57,7 +57,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - with: {persist-credentials: false, submodules: recursive} + with: { persist-credentials: false, submodules: recursive } - if: github.event_name != 'release' && github.event_name != 'workflow_dispatch' uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 - uses: taiki-e/install-action@56545b37b57562edd73171cb6c62cc509db4c34e # v2.81.7 
@@ -88,14 +88,13 @@ jobs: - fuzz_target: decode_arbitrary steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - with: {persist-credentials: false, submodules: recursive} + with: { persist-credentials: false, submodules: recursive } # Install the nightly Rust channel. - run: rustup toolchain install nightly - run: rustup default nightly # Install and cache `cargo-fuzz`. - uses: taiki-e/install-action@56545b37b57562edd73171cb6c62cc509db4c34e # v2.81.7 - with: - tool: cargo-binstall + with: { tool: 'cargo-binstall' } - run: cargo binstall -y cargo-fuzz@0.13.1 # Pinned to avoid breakage. # Build and then run the fuzz target. # --target x86_64-unknown-linux-gnu is necessary to not default to musl, which is not supported by cargo-fuzz. @@ -116,7 +115,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - with: {persist-credentials: false, submodules: recursive} + with: { persist-credentials: false, submodules: recursive } - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 - uses: taiki-e/install-action@56545b37b57562edd73171cb6c62cc509db4c34e # v2.81.7 with: { tool: 'just,cargo-llvm-cov' } @@ -151,7 +150,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - with: {persist-credentials: false, submodules: recursive} + with: { persist-credentials: false, submodules: recursive } - name: Publish to crates.io run: cargo publish env: From 75badad1e9dbbdab0072cded151d1adc5e2b579b Mon Sep 17 00:00:00 2001 From: Yuri Astrakhan Date: Sun, 7 Jun 2026 22:16:25 -0400 Subject: [PATCH 4/4] Consolidate cooldown configuration for dependencies --- .github/dependabot.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index afd3b17..90b6254 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -5,8 +5,7 @@ updates: - package-ecosystem: github-actions directory: '/' schedule: { interval: weekly } - cooldown: - default-days: 7 + cooldown: { default-days: 7 } groups: all-actions-version-updates: applies-to: version-updates @@ -20,8 +19,7 @@ updates: directory: '/' schedule: { interval: daily, time: '02:00' } open-pull-requests-limit: 10 - cooldown: - default-days: 7 + cooldown: { default-days: 7 } groups: all-cargo-version-updates: applies-to: version-updates