Release 2.75.4

.github/workflows/ci.yml

@@ -33,20 +33,20 @@ concurrency:
 
 jobs:
   miri:
-    uses: taiki-e/github-actions/.github/workflows/miri.yml@606d6c78d69927c489d319133073a03157928a7a # main
+    uses: taiki-e/github-actions/.github/workflows/miri.yml@dec917193d835117a7238865adf83273d9fcd27a # main
     with:
       # NB: sync with test job's --exclude option
       args: --exclude install-action-internal-codegen
   msrv:
-    uses: taiki-e/github-actions/.github/workflows/msrv.yml@606d6c78d69927c489d319133073a03157928a7a # main
+    uses: taiki-e/github-actions/.github/workflows/msrv.yml@dec917193d835117a7238865adf83273d9fcd27a # main
   test-manifest-schema:
-    uses: taiki-e/github-actions/.github/workflows/test.yml@606d6c78d69927c489d319133073a03157928a7a # main
+    uses: taiki-e/github-actions/.github/workflows/test.yml@dec917193d835117a7238865adf83273d9fcd27a # main
     with:
       # NB: sync with miri job's --exclude option
       test-args: --exclude install-action-internal-codegen
       no-std: false
   tidy:
-    uses: taiki-e/github-actions/.github/workflows/tidy.yml@606d6c78d69927c489d319133073a03157928a7a # main
+    uses: taiki-e/github-actions/.github/workflows/tidy.yml@dec917193d835117a7238865adf83273d9fcd27a # main
     permissions:
       contents: write # for creating branch for pr
       pull-requests: write # unused (used in `codegen-automerge: true` case)

.github/workflows/manifest.yml

@@ -33,7 +33,7 @@ concurrency:
 
 jobs:
   manifest:
-    uses: taiki-e/github-actions/.github/workflows/gen.yml@7e4093bf4e87dd120ac0c3be2e47ebe7f737a47d # main
+    uses: taiki-e/github-actions/.github/workflows/gen.yml@dec917193d835117a7238865adf83273d9fcd27a # main
     permissions:
       contents: write # for creating branch for pr
       pull-requests: write # for gh pr review --approve

.github/workflows/release.yml

@@ -39,7 +39,7 @@ jobs:
     timeout-minutes: 60
     steps:
       - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
-      - uses: taiki-e/install-action@7a562dfa955aa2e4d5b0fd6ebd57ff9715c07b0b # v2.73.0
+      - uses: taiki-e/install-action@b8be7f5e140177087325943c4a8e169d01c59b3d # v2.75.3
         with:
           tool: parse-changelog
           fallback: none
@@ -208,7 +208,7 @@ jobs:
       contents: write # for taiki-e/create-gh-release-action
     steps:
       - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
-      - uses: taiki-e/install-action@7a562dfa955aa2e4d5b0fd6ebd57ff9715c07b0b # v2.73.0
+      - uses: taiki-e/install-action@b8be7f5e140177087325943c4a8e169d01c59b3d # v2.75.3
         with:
           tool: parse-changelog
           fallback: none
@@ -304,6 +304,50 @@ jobs:
             )
           fi
 
+          major_version_tag="v${version%%.*}"
+          (
+            set -x
+            git tag "${tag}"
+            git branch "releases/${major_version_tag}"
+            git tag -f "${major_version_tag}"
+          )
+          refs=("refs/heads/${BRANCH}" "refs/tags/${tag}" "refs/heads/releases/${major_version_tag}" "+refs/tags/${major_version_tag}")
+
+          tools=()
+          for tool in tools/codegen/base/*.json; do
+            tool="${tool##*/}"
+            tools+=("${tool%.*}")
+          done
+          # Aliases.
+          # NB: Update case for aliases in main.sh, tool input option in test-alias job
+          # in .github/workflows/ci.yml, and match for alias for tools/codegen/src/tools-markdown.rs.
+          tools+=(
+            nextest
+            taplo-cli
+            typos-cli
+            wasm-bindgen-cli
+            wasmtime-cli
+          )
+          # Non-manifest-based tools.
+          tools+=(valgrind)
+
+          branches=()
+          for tool in "${tools[@]}"; do
+            (
+              set -x
+              git checkout -b "releases/${tool}"
+              sed -E "${in_place[@]}" action.yml \
+                -e "s/required: true/required: false/g" \
+                -e "s/# default: #publish:tool/default: ${tool}/g"
+              git add action.yml
+              git commit -m "${tool}"
+              git tag -f "${tool}"
+              git checkout refs/tags/"${tag}"
+            )
+            refs+=("+refs/heads/releases/${tool}" "+refs/tags/${tool}")
+            branches+=("releases/${tool}")
+          done
+
           prev_credential_helper=$(git config get --local credential.helper || true)
           if [[ -n "${prev_credential_helper}" ]]; then
             printf 'credential helper is already set (%s)\n' "${prev_credential_helper}"
@@ -326,46 +370,6 @@ jobs:
 
           (
             set -x
-            git tag "${tag}"
-            retry git push origin HEAD
-
-            major_version_tag="v${version%%.*}"
-            git branch "releases/${major_version_tag}"
-            git tag -f "${major_version_tag}"
-            refs=("refs/tags/${tag}" "refs/heads/releases/${major_version_tag}" "+refs/tags/${major_version_tag}")
-
-            tools=()
-            for tool in tools/codegen/base/*.json; do
-              tool="${tool##*/}"
-              tools+=("${tool%.*}")
-            done
-            # Aliases.
-            # NB: Update case for aliases in main.sh, tool input option in test-alias job
-            # in .github/workflows/ci.yml, and match for alias for tools/codegen/src/tools-markdown.rs.
-            tools+=(
-              nextest
-              taplo-cli
-              typos-cli
-              wasm-bindgen-cli
-              wasmtime-cli
-            )
-            # Non-manifest-based tools.
-            tools+=(valgrind)
-
-            branches=()
-            for tool in "${tools[@]}"; do
-              git checkout -b "releases/${tool}"
-              sed -E "${in_place[@]}" action.yml \
-                -e "s/required: true/required: false/g" \
-                -e "s/# default: #publish:tool/default: ${tool}/g"
-              git add action.yml
-              git commit -m "${tool}"
-              git tag -f "${tool}"
-              git checkout refs/tags/"${tag}"
-              refs+=("+refs/heads/releases/${tool}" "+refs/tags/${tool}")
-              branches+=("releases/${tool}")
-            done
-
             retry git push origin --atomic "${refs[@]}"
             git branch -d "releases/${major_version_tag}"
             git branch -D "${branches[@]}"
@@ -432,7 +436,7 @@ jobs:
 
   release-manifest-schema:
     if: github.repository_owner == 'taiki-e' && inputs.target == 'install-action-manifest-schema'
-    uses: taiki-e/github-actions/.github/workflows/rust-release.yml@606d6c78d69927c489d319133073a03157928a7a # main
+    uses: taiki-e/github-actions/.github/workflows/rust-release.yml@dec917193d835117a7238865adf83273d9fcd27a # main
     permissions:
       contents: write # for taiki-e/create-gh-release-action
       id-token: write # for rust-lang/crates-io-auth-action

.github/zizmor.yml

@@ -2,5 +2,5 @@
 # https://docs.zizmor.sh/configuration/
 
 rules:
-  anonymous-definition: { disable: true }
+  anonymous-definition: { disable: true } # This is pedantic/auditor only audit and requires explicitly naming each job, but is usually redundant.
   dependabot-cooldown: { config: { days: 14 } }

CHANGELOG.md

@@ -10,9 +10,21 @@ Note: In this file, do not use the hard wrap in the middle of a sentence for com
 
 ## [Unreleased]
 
+## [2.75.4] - 2026-04-10
+
+- Enhance security when cargo-binstall fallback is enabled. ([08a38582](https://github.com/taiki-e/install-action/commit/08a38582e35739e1fda5e4cd298e348536a1ddaa), [ba626b4d](https://github.com/taiki-e/install-action/commit/ba626b4d71edcae17f6ca956b7b81e925b2d24ef))
+
+- Update `martin@latest` to 1.5.0.
+
+- Update `uv@latest` to 0.11.5.
+
+- Update `syft@latest` to 1.42.4.
+
+- Update `dprint@latest` to 0.54.0.
+
 ## [2.75.3] - 2026-04-09
 
-- Enhance security when cargo-binstall fallback is disabled.
+- Enhance security when cargo-binstall fallback is disabled. ([77557fa3](https://github.com/taiki-e/install-action/commit/77557fa3993e075c27572045b0d159865c23016b))
 
 - Update `rclone@latest` to 1.73.4.
 
@@ -6185,7 +6197,8 @@ Note: This release is considered a breaking change because installing on version
 
 Initial release
 
-[Unreleased]: https://github.com/taiki-e/install-action/compare/v2.75.3...HEAD
+[Unreleased]: https://github.com/taiki-e/install-action/compare/v2.75.4...HEAD
+[2.75.4]: https://github.com/taiki-e/install-action/compare/v2.75.3...v2.75.4
 [2.75.3]: https://github.com/taiki-e/install-action/compare/v2.75.2...v2.75.3
 [2.75.2]: https://github.com/taiki-e/install-action/compare/v2.75.1...v2.75.2
 [2.75.1]: https://github.com/taiki-e/install-action/compare/v2.75.0...v2.75.1

README.md

@@ -102,6 +102,10 @@ See the [development guide](DEVELOPMENT.md) for how to add support for new tool.
 
 The `@v<major>` and `@<tool_name>` tags are updated with each release. If you want to enhance workflow stability and security against supply chain attacks, consider using the `@v<major>.<minor>.<patch>` tag or their hash to pin the version and regularly updating with [dependency cooldown]. Since all releases are immutable, pinning the version in either way should have the same effect. Pinning `@<tool_name>` tags by hash is strongly discouraged, as it causes the workflow to reference a [commit that is not present on the repository](https://docs.zizmor.sh/audits/#impostor-commit) when a new version is released.
 
+The default fallback (cargo-binstall) is often affected by GitHub's API rate limits, so we [pass the `${{ github.token }}` to cargo-binstall](https://github.com/taiki-e/install-action/issues/561). Disabling the cargo-binstall fallback prevent passing token so helps enhance security.
+
+See the [Supported tools section](#supported-tools) for how to ensure that fallback is not used.
+
 <!-- omit in toc -->
 ### Security on installation from GitHub Releases
 
@@ -124,8 +128,6 @@ When installing with `tool: <tool_name>` or `tool: <tool_name>@<omitted_version>
 
 See the linked documentation for information on security when installed using [snap](https://snapcraft.io/docs) or [cargo-binstall](https://github.com/cargo-bins/cargo-binstall#faq).
 
-The default fallback (cargo-binstall) is often affected by GitHub's API rate limits, so we pass the `${{ github.token }}` to cargo-binstall. Disabling the cargo-binstall fallback prevent passing token so helps enhance security.
-
 See the [Supported tools section](#supported-tools) for how to ensure that fallback is not used.
 
 ## Compatibility

main.sh

@@ -236,7 +236,7 @@ read_manifest() {
   local version="$2"
   local manifest
   rust_crate=$(jq -r '.rust_crate' "${manifest_dir}/${tool}.json")
-  manifest=$(jq -r ".[\"${version}\"]" "${manifest_dir}/${tool}.json")
+  manifest=$(jq -r --arg version "${version}" '.[$version]' "${manifest_dir}/${tool}.json")
   if [[ "${manifest}" == "null" ]]; then
     download_info="null"
     return 0
@@ -245,7 +245,7 @@ read_manifest() {
   if [[ "${exact_version}" == "null" ]]; then
     exact_version="${version}"
   else
-    manifest=$(jq -r ".[\"${exact_version}\"]" "${manifest_dir}/${tool}.json")
+    manifest=$(jq -r --arg version "${exact_version}" '.[$version]' "${manifest_dir}/${tool}.json")
     if [[ "${rust_crate}" != "null" ]]; then
       # TODO: don't hardcode tool name and use 'immediate_yank_reflection' field in base manifest.
       case "${tool}" in
@@ -253,7 +253,7 @@ read_manifest() {
           crate_info=$(retry curl --user-agent "${ACTION_USER_AGENT}" --proto '=https' --tlsv1.2 -fsSL --retry 10 "https://crates.io/api/v1/crates/${rust_crate}" || true)
           if [[ -n "${crate_info}" ]]; then
             while true; do
-              yanked=$(jq -r ".versions[] | select(.num == \"${exact_version}\") | .yanked" <<<"${crate_info}")
+              yanked=$(jq -r --arg version "${exact_version}" '.versions[] | select(.num == $version) | .yanked' <<<"${crate_info}")
               if [[ "${yanked}" != "true" ]]; then
                 break
               fi
@@ -263,7 +263,7 @@ read_manifest() {
               fi
               info "${tool}@${exact_version} is yanked; downgrade to ${previous_stable_version}"
               exact_version="${previous_stable_version}"
-              manifest=$(jq -r ".[\"${exact_version}\"]" "${manifest_dir}/${tool}.json")
+              manifest=$(jq -r --arg version "${exact_version}" '.[$version]' "${manifest_dir}/${tool}.json")
             done
           fi
           ;;
@@ -277,14 +277,14 @@ read_manifest() {
       # usually preferred over linux-gnu binaries because they can avoid glibc version issues.
       # (rustc enables statically linking for linux-musl by default, except for mips.)
       host_platform="${host_arch}_linux_musl"
-      download_info=$(jq -r ".${host_platform}" <<<"${manifest}")
+      download_info=$(jq -r --arg p "${host_platform}" '.[$p]' <<<"${manifest}")
       if [[ "${download_info}" == "null" ]]; then
         # Even if host_env is musl, we won't issue an error here because it seems that in
         # some cases linux-gnu binaries will work on linux-musl hosts.
         # https://wiki.alpinelinux.org/wiki/Running_glibc_programs
         # TODO: However, a warning may make sense.
         host_platform="${host_arch}_linux_gnu"
-        download_info=$(jq -r ".${host_platform}" <<<"${manifest}")
+        download_info=$(jq -r --arg p "${host_platform}" '.[$p]' <<<"${manifest}")
       elif [[ "${host_env}" == "gnu" ]]; then
         # TODO: don't hardcode tool name and use 'prefer_linux_gnu' field in base manifest.
         case "${tool}" in
@@ -296,7 +296,7 @@ read_manifest() {
               # musl build of nextest is slow, so use glibc build if host_env is gnu.
               # https://github.com/taiki-e/install-action/issues/13
               host_platform="${host_arch}_linux_gnu"
-              download_info=$(jq -r ".${host_platform}" <<<"${manifest}")
+              download_info=$(jq -r --arg p "${host_platform}" '.[$p]' <<<"${manifest}")
             fi
             ;;
         esac
@@ -306,10 +306,10 @@ read_manifest() {
       # Binaries compiled for x86_64 macOS will usually also work on AArch64 macOS.
       # Binaries compiled for x86_64 Windows will usually also work on AArch64 Windows 11+.
       host_platform="${host_arch}_${host_os}"
-      download_info=$(jq -r ".${host_platform}" <<<"${manifest}")
+      download_info=$(jq -r --arg p "${host_platform}" '.[$p]' <<<"${manifest}")
       if [[ "${download_info}" == "null" ]] && [[ "${host_arch}" != "x86_64" ]]; then
         host_platform="x86_64_${host_os}"
-        download_info=$(jq -r ".${host_platform}" <<<"${manifest}")
+        download_info=$(jq -r --arg p "${host_platform}" '.[$p]' <<<"${manifest}")
       fi
       ;;
     *) bail "unsupported OS type '${host_os}' for ${tool}" ;;
@@ -327,7 +327,7 @@ read_download_info() {
   bin_in_archive=()
   if [[ "${url}" == "null" ]]; then
     local template
-    template=$(jq -c ".template.${host_platform}" "${manifest_dir}/${tool}.json")
+    template=$(jq -c --arg p "${host_platform}" '.template[$p]' "${manifest_dir}/${tool}.json")
     template="${template//\$\{version\}/${exact_version}}"
     url=$(jq -r '.url' <<<"${template}")
     tmp=$(jq -r '.bin' <<<"${template}")
@@ -627,6 +627,15 @@ case "${fallback}" in
   *) bail "'fallback' input option must be 'none', 'cargo-binstall', or 'cargo-install': '${fallback}'" ;;
 esac
 
+# Unlike gh command, cargo-binstall reads GITHUB_TOKEN first via cli parser, and then reads GH_TOKEN.
+# https://github.com/cargo-bins/cargo-binstall/blob/v1.17.9/crates/bin/src/args.rs#L704
+token="${GITHUB_TOKEN:-"${GH_TOKEN:-"${DEFAULT_GITHUB_TOKEN:-}"}"}"
+# This prevents tokens from being displayed to subprocesses via environment variables.
+# Since the tokens remain in the parent process's environment variables, and since unset may not
+# immediately cleanse memory, setting `fallback: none` (which prevents the tokens from being set
+# in the first place) remains the best practice from a security standpoint, as readme says.
+unset GITHUB_TOKEN GH_TOKEN DEFAULT_GITHUB_TOKEN
+
 case "${host_os}" in
   linux)
     if ! type -P jq >/dev/null || ! type -P curl >/dev/null || ! type -P tar >/dev/null; then
@@ -917,13 +926,15 @@ if [[ ${#unsupported_tools[@]} -gt 0 ]]; then
   case "${fallback}" in
     cargo-binstall)
       install_cargo_binstall
-      if [[ -z "${GITHUB_TOKEN:-}" ]] && [[ -n "${DEFAULT_GITHUB_TOKEN:-}" ]]; then
-        export GITHUB_TOKEN="${DEFAULT_GITHUB_TOKEN}"
-      fi
       # By default, cargo-binstall enforce downloads over secure transports only.
       # As a result, http will be disabled, and it will also set
       # min tls version to be 1.2
-      cargo-binstall binstall --force --no-confirm --locked "${unsupported_tools[@]}"
+      binstall_args=(--force --no-confirm --locked "${unsupported_tools[@]}")
+      if [[ -n "${token}" ]]; then
+        cargo-binstall binstall --github-token "${token}" "${binstall_args[@]}"
+      else
+        cargo-binstall binstall "${binstall_args[@]}"
+      fi
       if ! type -P cargo >/dev/null; then
         _bin_dir=$(canonicalize_windows_path "${home}/.cargo/bin")
         # TODO: avoid this when already added

manifests/dprint.json

@@ -28,7 +28,10 @@
   },
   "license_markdown": "[MIT](https://github.com/dprint/dprint/blob/main/LICENSE)",
   "latest": {
-    "version": "0.53.2"
+    "version": "0.54.0"
+  },
+  "0.54": {
+    "version": "0.54.0"
   },
   "0.54.0": {
     "x86_64_linux_musl": {

manifests/martin.json

@@ -32,10 +32,13 @@
   },
   "license_markdown": "[MIT](https://github.com/maplibre/martin/blob/main/LICENSE-MIT) OR [Apache-2.0](https://github.com/maplibre/martin/blob/main/LICENSE-APACHE)",
   "latest": {
-    "version": "1.4.0"
+    "version": "1.5.0"
   },
   "1": {
-    "version": "1.4.0"
+    "version": "1.5.0"
+  },
+  "1.5": {
+    "version": "1.5.0"
   },
   "1.5.0": {
     "x86_64_linux_musl": {

manifests/syft.json

@@ -36,13 +36,13 @@
   },
   "license_markdown": "[Apache-2.0](https://github.com/anchore/syft/blob/main/LICENSE)",
   "latest": {
-    "version": "1.42.3"
+    "version": "1.42.4"
   },
   "1": {
-    "version": "1.42.3"
+    "version": "1.42.4"
   },
   "1.42": {
-    "version": "1.42.3"
+    "version": "1.42.4"
   },
   "1.42.4": {
     "x86_64_linux_musl": {

manifests/uv.json

@@ -69,10 +69,10 @@
   },
   "license_markdown": "[Apache-2.0](https://github.com/astral-sh/uv/blob/main/LICENSE-APACHE) OR [MIT](https://github.com/astral-sh/uv/blob/main/LICENSE-MIT)",
   "latest": {
-    "version": "0.11.4"
+    "version": "0.11.5"
   },
   "0.11": {
-    "version": "0.11.4"
+    "version": "0.11.5"
   },
   "0.11.6": {
     "x86_64_linux_musl": {

tools/ci/tool-list.sh

@@ -147,12 +147,12 @@ for manifest in tools/codegen/base/*.json; do
   fi
   case "${host_os}" in
     linux*)
-      if [[ "${host_arch}" != "x86_64" ]] && [[ "$(jq -r ".platform.${host_arch}_${host_os}_gnu" "${manifest}")" == "null" ]] && [[ "$(jq -r ".platform.${host_arch}_${host_os}_musl" "${manifest}")" == "null" ]]; then
+      if [[ "${host_arch}" != "x86_64" ]] && [[ "$(jq -r --arg p "${host_arch}_${host_os}_gnu" '.platform[$p]' "${manifest}")" == "null" ]] && [[ "$(jq -r --arg p "${host_arch}_${host_os}_musl" '.platform[$p]' "${manifest}")" == "null" ]]; then
         continue
       fi
       ;;
     *)
-      if [[ "$(jq -r ".platform.x86_64_${host_os}" "${manifest}")" == "null" ]] && [[ "$(jq -r ".platform.${host_arch}_${host_os}" "${manifest}")" == "null" ]]; then
+      if [[ "$(jq -r --arg p "x86_64_${host_os}" '.platform[$p]' "${manifest}")" == "null" ]] && [[ "$(jq -r --arg p "${host_arch}_${host_os}" '.platform[$p]' "${manifest}")" == "null" ]]; then
         continue
       fi
       ;;