From 72a57dd9e97cd7e07570e8036adc217695ec1cb9 Mon Sep 17 00:00:00 2001
From: Dirkjan Ochtman
Date: Mon, 30 Jun 2025 16:53:39 +0200
Subject: [PATCH 1/6] ci: clean up formatting
---
 .github/workflows/rust.yml | 102 ++++++++++++++++++-------------------
 1 file changed, 51 insertions(+), 51 deletions(-)
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index e96e2611ff..232ae7f6dd 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -2,7 +2,7 @@ name: CI
 on:
 push:
- branches: ['main', '0.8.x']
+ branches: ["main", "0.8.x"]
 pull_request:
 merge_group:
 schedule:
@@ -10,8 +10,8 @@ on:
 jobs:
 test-freebsd:
- # see https://github.com/actions/runner/issues/385
- # use https://github.com/vmactions/freebsd-vm for now
+ # see https://github.com/actions/runner/issues/385
+ # use https://github.com/vmactions/freebsd-vm for now
 name: test on freebsd
 runs-on: ubuntu-latest
 steps:
@@ -210,8 +210,8 @@ jobs:
 audit:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: EmbarkStudios/cargo-deny-action@v2
+ - uses: actions/checkout@v4
+ - uses: EmbarkStudios/cargo-deny-action@v2
 test-android:
 runs-on: ubuntu-latest
@@ -228,52 +228,52 @@ jobs:
 emulator-arch: x86_64
 steps:
- - name: Set API level environment variable
- run: echo "API_LEVEL=${{ matrix.api-level }}" >> $GITHUB_ENV
-
- - name: Checkout code
- uses: actions/checkout@v4
-
- - name: Install JDK
- uses: actions/setup-java@v4
- with:
- distribution: 'zulu'
- java-version: '21'
-
- - name: Install Android SDK
- uses: android-actions/setup-android@v3
-
- - name: Install Android NDK
- run: sdkmanager --install "ndk;25.2.9519653"
-
- - name: Install Rust
- uses: dtolnay/rust-toolchain@stable
- with:
- toolchain: stable
- target: ${{ matrix.target }}
-
- - uses: Swatinem/rust-cache@v2
-
- - name: Install cargo-ndk
- run: cargo install cargo-ndk
-
- - name: Build unit tests for Android
- run: cargo ndk -t ${{ matrix.target }} test --no-run
-
- - name: Enable KVM group perms
- run: |
- echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
- sudo udevadm control --reload-rules
- sudo udevadm trigger --name-match=kvm
-
- - name: Set up Android Emulator and run tests
- env:
- TARGET: ${{ matrix.target }}
- uses: reactivecircus/android-emulator-runner@v2
- with:
- api-level: ${{ matrix.api-level }}
- arch: ${{ matrix.emulator-arch }}
- script: .github/workflows/rust-android-run-tests-on-emulator.sh
+ - name: Set API level environment variable
+ run: echo "API_LEVEL=${{ matrix.api-level }}" >> $GITHUB_ENV
+
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Install JDK
+ uses: actions/setup-java@v4
+ with:
+ distribution: "zulu"
+ java-version: "21"
+
+ - name: Install Android SDK
+ uses: android-actions/setup-android@v3
+
+ - name: Install Android NDK
+ run: sdkmanager --install "ndk;25.2.9519653"
+
+ - name: Install Rust
+ uses: dtolnay/rust-toolchain@stable
+ with:
+ toolchain: stable
+ target: ${{ matrix.target }}
+
+ - uses: Swatinem/rust-cache@v2
+
+ - name: Install cargo-ndk
+ run: cargo install cargo-ndk
+
+ - name: Build unit tests for Android
+ run: cargo ndk -t ${{ matrix.target }} test --no-run
+
+ - name: Enable KVM group perms
+ run: |
+ echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
+ sudo udevadm control --reload-rules
+ sudo udevadm trigger --name-match=kvm
+
+ - name: Set up Android Emulator and run tests
+ env:
+ TARGET: ${{ matrix.target }}
+ uses: reactivecircus/android-emulator-runner@v2
+ with:
+ api-level: ${{ matrix.api-level }}
+ arch: ${{ matrix.emulator-arch }}
+ script: .github/workflows/rust-android-run-tests-on-emulator.sh
 features:
 strategy:
From 63a413185d371b7d94ac876321b3f44b0f9e7be8 Mon Sep 17 00:00:00 2001
From: Dirkjan Ochtman
Date: Mon, 30 Jun 2025 17:07:43 +0200
Subject: [PATCH 2/6] ci: address actionlint warnings
---
 .github/workflows/rust.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 232ae7f6dd..54663e6b12 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -125,13 +125,13 @@ jobs:
 - run: cargo build --locked --all-targets
 - run: cargo test --locked
 - run: cargo test --locked -p quinn-udp --features fast-apple-datapath
- if: ${{ runner.os }} == "macOS"
+ if: ${{ runner.os == 'macOS' }}
 - run: cargo test --locked -- --ignored stress
 - run: cargo test --locked --manifest-path fuzz/Cargo.toml
- if: ${{ matrix.rust }} == "stable"
+ if: ${{ matrix.rust == 'stable' }}
 - run: cargo test --locked -p quinn-udp --benches
 - run: cargo test --locked -p quinn-udp --benches --features fast-apple-datapath
- if: ${{ runner.os }} == "macOS"
+ if: ${{ runner.os == 'macOS' }}
 test-aws-lc-rs:
 runs-on: ubuntu-latest
@@ -229,7 +229,7 @@ jobs:
 steps:
 - name: Set API level environment variable
- run: echo "API_LEVEL=${{ matrix.api-level }}" >> $GITHUB_ENV
+ run: echo "API_LEVEL=\"${{ matrix.api-level }}\"" >> $GITHUB_ENV
 - name: Checkout code
 uses: actions/checkout@v4
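Review bot: The three `if:` rewrites in the `@@ -125,13` hunk change which matrix entries run the fast-apple-datapath and fuzz steps, which is more than the "lint warning" the subject line suggests and deserves a sentence in the commit message or a comment. The old form `if: ${{ runner.os }} == "macOS"` expands to something like `Linux == "macOS"`, a non-empty string that GitHub Actions treats as true, so those steps ran on every OS; the new `${{ runner.os == 'macOS' }}` performs the comparison inside the expression. The `${{ }}` wrapper is not needed on `if:` at all, so `if: runner.os == 'macOS'` reads more plainly. The enclosing job's `steps:` list begins before this hunk.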
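Review bot: The new `run:` line in the `@@ -229,7` hunk writes literal double quotes into the variable: GitHub reads `$GITHUB_ENV` as plain `NAME=value` lines and does not strip shell-style quoting, so for an illustrative matrix value of 33 the job would see `API_LEVEL` equal to `"33"` (quotes included) rather than `33`, and whatever consumes it later in the job — presumably the emulator script referenced in this job — gets the extra characters. If the actionlint/shellcheck complaint was about the unquoted redirect target, the fix belongs there instead: `run: echo "API_LEVEL=${{ matrix.api-level }}" >> "$GITHUB_ENV"`. A shape that also keeps template expansion out of the shell line is to pass the matrix value through `env:` and write `run: echo "API_LEVEL=$API_LEVEL" >> "$GITHUB_ENV"`.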
From 4de91418ec2e078ea10b438f812eff9de96dbe7e Mon Sep 17 00:00:00 2001
From: Dirkjan Ochtman
Date: Mon, 30 Jun 2025 16:53:08 +0200
Subject: [PATCH 3/6] ci: add actionlint job
---
 .github/workflows/rust.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 54663e6b12..946f79d6c7 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -289,3 +289,17 @@ jobs:
 - uses: dtolnay/rust-toolchain@stable
 - uses: taiki-e/install-action@cargo-hack
 - run: cargo hack check --feature-powerset --depth 3 --optional-deps --no-dev-deps --ignore-private --skip "${{env.SKIP_FEATURES}}"
+
+ actionlint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Download actionlint
+ id: get_actionlint
+ run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+ shell: bash
+ - name: Check workflow files
+ env:
+ ACTIONLINT: ${{ steps.get_actionlint.outputs.executable }}
+ run: $ACTIONLINT -color
+ shell: bash
From f57ff901e82746b9d438a84e2ec17ab8370294f3 Mon Sep 17 00:00:00 2001
From: Dirkjan Ochtman
Date: Mon, 30 Jun 2025 17:20:11 +0200
Subject: [PATCH 4/6] ci: reduce permissions in workflow
---
 .github/workflows/rust.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 946f79d6c7..bc658df5c8 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -8,6 +8,8 @@ on:
 schedule:
 - cron: "21 3 * * 5"
+permissions: {}
+
 jobs:
 test-freebsd:
 # see https://github.com/actions/runner/issues/385
From 3bb8df92b238298128a4505634d9dea9536678f4 Mon Sep 17 00:00:00 2001
From: Dirkjan Ochtman
Date: Mon, 30 Jun 2025 17:15:26 +0200
Subject: [PATCH 5/6] ci: avoid persisting credentials
---
 .github/workflows/rust.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index bc658df5c8..d2e4f3d93b 100644
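Review bot: The `Download actionlint` step in the `@@ -289,3` hunk pipes an unpinned script from the `main` branch of a third-party repository straight into `bash`, so whatever that branch serves at run time executes in the job with no version or checksum check, and the binary the script then fetches is equally unpinned. Pinning to a release tag and verifying the published checksum, or running actionlint from a SHA-pinned action or container image, keeps the job reproducible and removes the run-time trust in an upstream branch. Separately, `curl` without `-fsSL` hands an HTTP error body to `bash` instead of failing, so at minimum `run: bash <(curl -fsSL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)`. The second step should also quote the step output it executes, `run: "$ACTIONLINT" -color`, as ordinary shell hygiene for a value produced at run time.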
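Review bot: The bare `permissions: {}` line in the `@@ -8,6` hunk deserves a comment stating the intent, since it silently strips every scope from `GITHUB_TOKEN` and is the reason later jobs (the zizmor job added later in this series) carry their own `permissions:` block; something like `# Token has no scopes by default; jobs that need more opt in under their own permissions:`. With an empty top-level grant `actions/checkout` keeps working only because the repository is presumably public — a private copy of this workflow would need `contents: read` here or per job, which the comment can mention.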
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -213,6 +213,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: EmbarkStudios/cargo-deny-action@v2
 test-android:
@@ -235,6 +237,8 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Install JDK
 uses: actions/setup-java@v4
@@ -296,6 +300,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Download actionlint
 id: get_actionlint
 run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
From 7f535f065804cc687ab5c4099cef6c86e8586610 Mon Sep 17 00:00:00 2001
From: Dirkjan Ochtman
Date: Mon, 30 Jun 2025 16:50:59 +0200
Subject: [PATCH 6/6] ci: add zizmor job
---
 .github/workflows/rust.yml | 13 +++++++++++++
 .github/zizmor.yml | 5 +++++
 2 files changed, 18 insertions(+)
 create mode 100644 .github/zizmor.yml
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index d2e4f3d93b..c134c6a9d6 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -311,3 +311,16 @@ jobs:
 ACTIONLINT: ${{ steps.get_actionlint.outputs.executable }}
 run: $ACTIONLINT -color
 shell: bash
+
+ zizmor:
+ name: Run zizmor 🌈
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000000..25e669c5da
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ *: ref-pin
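Review bot: The `persist-credentials: false` additions in the `@@ -213,6`, `@@ -235,6` and `@@ -296,6` hunks cover only the three checkout steps those hunks show; the workflow's other jobs (the freebsd job and the main test matrix, whose steps lie outside these hunks) presumably check out the repository too, and any `actions/checkout@v4` left on the default keeps the token in `.git/config` for every later step of that job. Since the zizmor job added later in this series would likely report those as well, it is worth applying the same `with:` block to every checkout step in one pass. A comment on the first occurrence, e.g. `# do not leave GITHUB_TOKEN in .git/config for later steps`, records why the option is set.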
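Review bot: `*: ref-pin` on the last line of the new `.github/zizmor.yml` is not a valid plain mapping key: `*` opens a YAML alias, so libyaml-based parsers (which require an alphanumeric alias name) reject the line and other parsers read an alias named `:` followed by stray text — the glob must be quoted, `"*": ref-pin`. It is also worth recording why `ref-pin` rather than `hash-pin` was chosen, since under this policy the mutable tags used elsewhere in the workflow (`@v4`, `@v2`, `@stable`) pass while only the zizmor action itself is SHA-pinned; a comment such as `# ref-pin accepts tags and branches; tighten to hash-pin once the remaining actions are SHA-pinned` keeps that decision visible.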