From e9bd5a84d98d72e8dc6e103c1ee3224b169cd6a6 Mon Sep 17 00:00:00 2001 From: Woody Gilk Date: Tue, 23 Jun 2026 06:30:41 -0500 Subject: [PATCH 1/2] ci(workflows): set least-privilege token permissions Add a top-level contents:read block to ci.yml and scope release.yml so only the release job gets contents:write. --- .github/workflows/ci.yml | 3 +++ .github/workflows/release.yml | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 16bd02a..f8b7d0e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,6 +4,9 @@ on: pull_request: types: [opened, synchronize, reopened] +permissions: + contents: read + jobs: test: runs-on: blacksmith-2vcpu-ubuntu-2404 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 10ece11..fd596e3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,7 +6,7 @@ on: - "[0-9]+.[0-9]+.[0-9]*" permissions: - contents: write + contents: read jobs: build: @@ -78,6 +78,8 @@ jobs: name: Create release needs: build runs-on: blacksmith-2vcpu-ubuntu-2404 + permissions: + contents: write steps: - name: Download all artifacts From 43cdf52ed1d065ff85d14504e410b2e34e088d04 Mon Sep 17 00:00:00 2001 From: Woody Gilk Date: Tue, 23 Jun 2026 06:41:21 -0500 Subject: [PATCH 2/2] fix(deps): resolve cargo audit advisories Bump quinn-proto 0.11.14 -> 0.11.15 to fix RUSTSEC-2026-0185 (remote memory exhaustion, high severity). Ignore RUSTSEC-2026-0173 in .cargo/audit.toml: the unmaintained proc-macro-error2 is transitive via tabled and validator, which are at their latest versions with no upgrade path yet. --- .cargo/audit.toml | 11 +++++++++++ Cargo.lock | 4 ++-- 2 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 .cargo/audit.toml diff --git a/.cargo/audit.toml b/.cargo/audit.toml new file mode 100644 index 0000000..3b2313c --- /dev/null +++ b/.cargo/audit.toml @@ -0,0 +1,11 @@ +# cargo-audit configuration +# https://github.com/rustsec/rustsec/blob/main/cargo-audit/audit.toml.example + +[advisories] +ignore = [ + # proc-macro-error2 is unmaintained. It is pulled in transitively by + # tabled and validator (both at their latest published versions), so + # there is no upgrade path to remove it. Revisit when either crate + # drops the dependency. + "RUSTSEC-2026-0173", +] diff --git a/Cargo.lock b/Cargo.lock index e168630..8a6cd88 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1710,9 +1710,9 @@ dependencies = [ [[package]] name = "quinn-proto" -version = "0.11.14" +version = "0.11.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098" +checksum = "4fcb935c5bec503c2f0e306bdd3e58bb9029dcb14fa8d9ac76e3a5256ac0763e" dependencies = [ "aws-lc-rs", "bytes",