From 5f6e7e291215d663e3fb6bdba479c118f40842c9 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 24 Jun 2026 16:45:49 +0200 Subject: [PATCH 1/8] ci: Replace dtolnay/rust-toolchain with rustup command This remediates both: - https://docs.zizmor.sh/audits/#unpinned-uses (one pointed to `master`). - https://docs.zizmor.sh/audits/#superfluous-actions --- .github/workflows/build.yaml | 18 ++++-------------- .github/workflows/pr_pre-commit.yaml | 5 +---- .github/workflows/release.yaml | 18 ++++-------------- 3 files changed, 9 insertions(+), 32 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 3dbcaf1..c2362b5 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -16,9 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a - with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} + - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" - run: cargo test --all-features clippy: @@ -26,10 +24,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a - with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - components: clippy + - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --component clippy - run: cargo clippy --all-targets -- -D warnings fmt: @@ -37,10 +32,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a - with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - components: rustfmt + - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --component rustfmt - run: cargo fmt --all -- --check docs: @@ -48,9 +40,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a - with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} + - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" - run: cargo doc --document-private-items build: diff --git a/.github/workflows/pr_pre-commit.yaml b/.github/workflows/pr_pre-commit.yaml index 87ee7ba..77deb65 100644 --- a/.github/workflows/pr_pre-commit.yaml +++ b/.github/workflows/pr_pre-commit.yaml @@ -19,10 +19,7 @@ jobs: - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: '3.12' - - uses: dtolnay/rust-toolchain@master - with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - components: rustfmt,clippy + - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --component rustfmt,clippy - name: Setup Hadolint shell: bash run: | diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 7884b58..03b87bb 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -15,9 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a - with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} + - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" - run: cargo test --all-features clippy: @@ -25,10 +23,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a - with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - components: clippy + - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --component clippy - run: cargo clippy --all-targets -- -D warnings fmt: @@ -36,10 +31,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a - with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - components: rustfmt + - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --component clippy - run: cargo fmt --all -- --check docs: @@ -47,9 +39,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a - with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} + - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" - run: cargo doc --document-private-items docker-image: From b1e92c484c88a0cd0ad44bc3263a31c014ef7235 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 24 Jun 2026 16:53:29 +0200 Subject: [PATCH 2/8] ci: Do not persist credentials on checkout This remediates https://docs.zizmor.sh/audits/#artipacked --- .github/workflows/build.yaml | 12 ++++++++++++ .github/workflows/pr_pre-commit.yaml | 1 + .github/workflows/release.yaml | 10 ++++++++++ 3 files changed, 23 insertions(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index c2362b5..0b0c247 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -16,6 +16,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + with: + persist-credentials: false - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" - run: cargo test --all-features @@ -24,6 +26,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + with: + persist-credentials: false - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --component clippy - run: cargo clippy --all-targets -- -D warnings @@ -32,6 +36,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + with: + persist-credentials: false - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --component rustfmt - run: cargo fmt --all -- --check @@ -40,6 +46,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + with: + persist-credentials: false - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" - run: cargo doc --document-private-items @@ -56,6 +64,8 @@ jobs: - ubicloud-standard-8-arm steps: - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + with: + persist-credentials: false - name: Build and (optionally) push container image id: build uses: stackabletech/actions/build-container-image@013e6482fbc0edf2d38cf9220fc931f6a81336fb # v0.0.6 @@ -86,6 +96,8 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + persist-credentials: false - name: Publish and Sign Image Index Manifest to oci.stackable.tech uses: stackabletech/actions/publish-index-manifest@013e6482fbc0edf2d38cf9220fc931f6a81336fb # v0.0.6 diff --git a/.github/workflows/pr_pre-commit.yaml b/.github/workflows/pr_pre-commit.yaml index 77deb65..ab3f2d3 100644 --- a/.github/workflows/pr_pre-commit.yaml +++ b/.github/workflows/pr_pre-commit.yaml @@ -16,6 +16,7 @@ jobs: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: '3.12' diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 03b87bb..6f1b1e0 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -15,6 +15,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + with: + persist-credentials: false - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" - run: cargo test --all-features @@ -23,6 +25,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + with: + persist-credentials: false - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --component clippy - run: cargo clippy --all-targets -- -D warnings @@ -31,6 +35,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + with: + persist-credentials: false - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --component clippy - run: cargo fmt --all -- --check @@ -39,6 +45,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + with: + persist-credentials: false - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" - run: cargo doc --document-private-items @@ -50,6 +58,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + with: + persist-credentials: false - name: Set up Cosign uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 - name: Login to Stackable Harbor From 7c4f59e2de8975627422a367c590cb9b50910c57 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 24 Jun 2026 16:56:22 +0200 Subject: [PATCH 3/8] ci: Default to no scopes This remediates https://docs.zizmor.sh/audits/#excessive-permissions --- .github/workflows/build.yaml | 2 ++ .github/workflows/pr_pre-commit.yaml | 2 ++ .github/workflows/release.yaml | 2 ++ 3 files changed, 6 insertions(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 0b0c247..dbc5e6c 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -4,6 +4,8 @@ on: branches: [main] pull_request: +permissions: {} + env: RUST_TOOLCHAIN_VERSION: "1.94.0" RUSTFLAGS: "-D warnings" diff --git a/.github/workflows/pr_pre-commit.yaml b/.github/workflows/pr_pre-commit.yaml index ab3f2d3..9568ae8 100644 --- a/.github/workflows/pr_pre-commit.yaml +++ b/.github/workflows/pr_pre-commit.yaml @@ -4,6 +4,8 @@ name: pre-commit on: pull_request: +permissions: {} + env: CARGO_TERM_COLOR: always RUST_TOOLCHAIN_VERSION: "1.94.0" diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 6f1b1e0..ac040a7 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -3,6 +3,8 @@ on: push: tags: ['v[0-9]+.[0-9]+.[0-9]+'] +permissions: {} + env: RUST_TOOLCHAIN_VERSION: "1.94.0" RUSTFLAGS: "-D warnings" From 9142ce7295138831c6a8555ae4ffe542ba64ef35 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 24 Jun 2026 17:05:20 +0200 Subject: [PATCH 4/8] ci: Bump actions/checkout --- .github/workflows/build.yaml | 12 ++++++------ .github/workflows/pr_pre-commit.yaml | 2 +- .github/workflows/release.yaml | 10 +++++----- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index dbc5e6c..8ad522a 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -17,7 +17,7 @@ jobs: name: Run tests runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" @@ -27,7 +27,7 @@ jobs: name: Check clippy runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --component clippy @@ -37,7 +37,7 @@ jobs: name: Check formatting runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --component rustfmt @@ -47,7 +47,7 @@ jobs: name: Generate docs runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" @@ -65,7 +65,7 @@ jobs: - ubuntu-latest - ubicloud-standard-8-arm steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Build and (optionally) push container image @@ -97,7 +97,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/pr_pre-commit.yaml b/.github/workflows/pr_pre-commit.yaml index 9568ae8..e0faa69 100644 --- a/.github/workflows/pr_pre-commit.yaml +++ b/.github/workflows/pr_pre-commit.yaml @@ -15,7 +15,7 @@ jobs: pre-commit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 persist-credentials: false diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index ac040a7..8b680a7 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -16,7 +16,7 @@ jobs: name: Run tests runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" @@ -26,7 +26,7 @@ jobs: name: Check clippy runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --component clippy @@ -36,7 +36,7 @@ jobs: name: Check formatting runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --component clippy @@ -46,7 +46,7 @@ jobs: name: Generate docs runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" @@ -59,7 +59,7 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Set up Cosign From e2db6c8a791d502f84b86ec86e87c6aaa0978399 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 24 Jun 2026 17:10:49 +0200 Subject: [PATCH 5/8] ci: Bump docker/login-action Note: I think we can replace this by using the stackabletech/actions --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 8b680a7..0d102b3 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -65,7 +65,7 @@ jobs: - name: Set up Cosign uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 - name: Login to Stackable Harbor - uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: oci.stackable.tech username: robot$stackable+github-action-build From 30e690f6454f520a4882b0ef7a899cd07c996e69 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 24 Jun 2026 17:12:46 +0200 Subject: [PATCH 6/8] ci: Bump sigstore/cosign-installer Note: I think we can replace this by using the stackabletech/actions --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 0d102b3..110f727 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -63,7 +63,7 @@ jobs: with: persist-credentials: false - name: Set up Cosign - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - name: Login to Stackable Harbor uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: From 8f9b08bcaa2337c1b77572a31f2ec872bc7094a0 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 24 Jun 2026 17:15:38 +0200 Subject: [PATCH 7/8] ci: Bump actions/setup-python --- .github/workflows/pr_pre-commit.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr_pre-commit.yaml b/.github/workflows/pr_pre-commit.yaml index e0faa69..75856ed 100644 --- a/.github/workflows/pr_pre-commit.yaml +++ b/.github/workflows/pr_pre-commit.yaml @@ -19,7 +19,7 @@ jobs: with: fetch-depth: 0 persist-credentials: false - - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 with: python-version: '3.12' - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --component rustfmt,clippy From 8ea140ecccde817a819f1006cf8ab7ca9db1ab99 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Thu, 25 Jun 2026 09:20:38 +0200 Subject: [PATCH 8/8] ci: Bump stackabletech/actions Note: I checked the documented inputs/outputs for any changes, but it looks like none are needed. --- .github/workflows/build.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 8ad522a..c4b860c 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -70,7 +70,7 @@ jobs: persist-credentials: false - name: Build and (optionally) push container image id: build - uses: stackabletech/actions/build-container-image@013e6482fbc0edf2d38cf9220fc931f6a81336fb # v0.0.6 + uses: stackabletech/actions/build-container-image@a14cbd08d9e034e2361ea9205b32aff0491885db # v0.15.0 with: image-name: trino-lb image-index-manifest-tag: dev @@ -78,7 +78,7 @@ jobs: - name: Publish Container Image on oci.stackable.tech if: github.event_name == 'push' && github.ref == 'refs/heads/main' - uses: stackabletech/actions/publish-image@013e6482fbc0edf2d38cf9220fc931f6a81336fb # v0.0.6 + uses: stackabletech/actions/publish-image@a14cbd08d9e034e2361ea9205b32aff0491885db # v0.15.0 with: image-registry-uri: oci.stackable.tech image-registry-username: robot$stackable+github-action-build @@ -102,7 +102,7 @@ jobs: persist-credentials: false - name: Publish and Sign Image Index Manifest to oci.stackable.tech - uses: stackabletech/actions/publish-index-manifest@013e6482fbc0edf2d38cf9220fc931f6a81336fb # v0.0.6 + uses: stackabletech/actions/publish-index-manifest@a14cbd08d9e034e2361ea9205b32aff0491885db # v0.15.0 with: image-registry-uri: oci.stackable.tech image-registry-username: robot$stackable+github-action-build