The v3 action inputs (check:, from:) no longer match the v4 API.
Switch to v4 with command: check and pass the git range as a positional
args value (SHA..HEAD) which is what cog check accepts.
- cargo deny: add MPL-2.0 and BSD-3-Clause to allow list (colored via
simple_logger/mockito; encoding_rs via reqwest)
- conventional commits: use explicit SHA of last pre-conventional commit
instead of from_latest_tag (no tags exist yet in the repo)
- MSRV: raise rust-version 1.80 -> 1.88 to match the actual minimum
required by the dependency tree (simple_logger -> time 0.3 -> 1.88)
- MSRV CI: update toolchain pin to 1.88 to match
- macOS test: remove Swatinem/rust-cache from test matrix job to avoid
stale cache corrupting the cargo binary path on arm64 runners
- Replace serde_yml with serde_norway (RUSTSEC-2025-0068: serde_yml is
unsound and archived; serde_norway is the recommended maintained fork)
- Remove unused toml dependency (was resolving to v1.1.2 which requires
edition2024/Rust 1.85, breaking the MSRV 1.80 check)
- Run cargo fmt to fix formatting diffs caught by lint job
- Fix cog commit check to use from_latest_tag so pre-conventional-commits
history does not cause the check to fail
- Remove semver job: dredge is a binary-only crate with no lib target,
cargo-semver-checks cannot check it
Updates the github workflows to separate the clippy analysis from the rest. This way the clippy analysis can be done on a schedule. Also update the clippy analysis to upload the results to GitHub as security issues.
Anthony Oteri
dependabot[bot]
Anthony Oteri