taiki-e · dependabot · May 5, 2026 · May 5, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -21,7 +21,7 @@ updates:
   - package-ecosystem: github-actions
     directory: /
     schedule:
-      interval: weekly
+      interval: monthly
     cooldown:
       default-days: 14
     commit-message:

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,7 +1,6 @@
 name: CI
 
-permissions:
-  contents: read
+permissions: {}
 
 on:
   pull_request:
@@ -36,9 +35,9 @@ concurrency:
 jobs:
   msrv:
     needs: tidy
-    uses: taiki-e/github-actions/.github/workflows/msrv.yml@d34e3b863da529f7c30e571fec0170fbf64fa40c # main
+    uses: taiki-e/github-actions/.github/workflows/msrv.yml@2474ed4664eb8903c151603a9d841512c069f7f6 # main
   tidy:
-    uses: taiki-e/github-actions/.github/workflows/tidy.yml@d34e3b863da529f7c30e571fec0170fbf64fa40c # main
+    uses: taiki-e/github-actions/.github/workflows/tidy.yml@2474ed4664eb8903c151603a9d841512c069f7f6 # main
     permissions:
       contents: write # for creating branch for pr
       pull-requests: write # unused (used in `codegen-automerge: true` case)
@@ -64,36 +63,33 @@ jobs:
     strategy:
       fail-fast: false
       matrix: ${{ fromJSON(needs.prepare.outputs.test-matrix) }}
-    runs-on: ${{ matrix.os || 'ubuntu-latest' }}
+    runs-on: ${{ matrix.os || 'ubuntu-24.04' }}
     timeout-minutes: 60
     steps:
       - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
-      - uses: taiki-e/github-actions/free-device-space@d34e3b863da529f7c30e571fec0170fbf64fa40c # main # zizmor: ignore[stale-action-refs]
+      - uses: taiki-e/github-actions/free-device-space@2474ed4664eb8903c151603a9d841512c069f7f6 # main # zizmor: ignore[stale-action-refs]
         if: startsWith(matrix.target, 'hexagon')
       # - run: sudo apt-get -o Acquire::Retries=10 -qq update && sudo apt-get -o Acquire::Retries=10 -o Dpkg::Use-Pty=0 install -y --no-install-recommends moreutils
       #   if: startsWith(matrix.os, 'ubuntu') || matrix.os == ''
       # - run: brew install moreutils
       #   if: startsWith(matrix.os, 'macos')
       # - run: C:/msys64/usr/bin/pacman -S --noconfirm moreutils
       #   if: startsWith(matrix.os, 'windows')
-      - uses: taiki-e/install-action@b8be7f5e140177087325943c4a8e169d01c59b3d # v2.75.3
-        with:
-          tool: cargo-hack,cargo-minimal-versions
-          fallback: none
-      - uses: taiki-e/install-action@b8be7f5e140177087325943c4a8e169d01c59b3d # v2.75.3
+      - uses: taiki-e/install-action@7ea35f098a7369cd23488403f58be9c491a6c55f # v2.77.0
         with:
           # 0.4.8 fails with at least nightly-2023-05-09 to nightly-2024-01-05
           tool: cargo-careful${{ (startsWith(matrix.rust, 'nightly-2023') || startsWith(matrix.rust, 'nightly-2024')) && '@0.4.7' || '' }}
           fallback: none
         if: startsWith(matrix.rust, 'nightly') && !(startsWith(matrix.os, 'ubuntu') && contains(matrix.os, '-arm'))
-      - uses: taiki-e/cache-cargo-install-action@a8b9ecf8e0c0ea09d7481cfc583a5203ecd585b5 # v3.0.5
+      - uses: taiki-e/cache-cargo-install-action@f9eed3e4680f27610dc6d8c67be1b88593f7dade # v3.0.6
         with:
           # 0.4.8 fails with at least nightly-2023-05-09 to nightly-2024-01-05
           tool: cargo-careful${{ (startsWith(matrix.rust, 'nightly-2023') || startsWith(matrix.rust, 'nightly-2024')) && '@0.4.7' || '' }}
         if: startsWith(matrix.rust, 'nightly') && startsWith(matrix.os, 'ubuntu') && contains(matrix.os, '-arm')
-      - uses: taiki-e/github-actions/install-rust@d34e3b863da529f7c30e571fec0170fbf64fa40c # main # zizmor: ignore[stale-action-refs]
+      - uses: taiki-e/install-action@7ea35f098a7369cd23488403f58be9c491a6c55f # v2.77.0
         with:
-          toolchain: ${{ matrix.rust }}
+          tool: rust@${{ matrix.rust }},cargo-hack,cargo-minimal-versions
+          fallback: none
       - id: prepare
         run: |
           if [[ -z "${TARGET}" ]]; then
@@ -107,9 +103,11 @@ jobs:
           fi
         env:
           TARGET: ${{ matrix.target }}
-      - uses: taiki-e/setup-cross-toolchain-action@d62f33b587e73b0004731caebc7d2d46b18a7567 # v1.39.2
+      - uses: taiki-e/setup-cross-toolchain-action@129361238c06ff2cc1c4ca5c5d2217af441ffdf6 # v1.40.1
         with:
           target: ${{ matrix.target }}
+          # TODO(loongarch): wrong result
+          qemu: ${{ startsWith(matrix.target, 'loongarch64-') && '10.2' || '' }}
         if: steps.prepare.outputs.target-not-host == 'true' && !startsWith(matrix.target, 'csky-')
       # TODO: not yet supported in setup-cross-toolchain-action
       - run: |
@@ -153,6 +151,9 @@ jobs:
         env:
           TARGET: ${{ matrix.target }}
         if: startsWith(matrix.target, 'csky-')
+      - run: |
+          printf 'QEMU_CPU=\n' >>"${GITHUB_ENV}"
+        if: startsWith(matrix.target, 'loongarch64-')
       - run: |
           target_lower="${TARGET//-/_}"
           target_lower="${target_lower//./_}"
@@ -544,7 +545,7 @@ jobs:
             runner: native
             os: ubuntu-24.04-arm
             container: debian:13-slim
-    runs-on: ${{ matrix.os || 'ubuntu-latest' }}
+    runs-on: ${{ matrix.os || 'ubuntu-24.04' }}
     timeout-minutes: 60
     container:
       image: ${{ matrix.container }}
@@ -555,28 +556,26 @@ jobs:
           apt-get -o Acquire::Retries=10 -qq update
           apt-get -o Acquire::Retries=10 -o Dpkg::Use-Pty=0 install -y --no-install-recommends gcc libc6-dev
           # apt-get -o Acquire::Retries=10 -o Dpkg::Use-Pty=0 install -y --no-install-recommends moreutils
-      - uses: taiki-e/install-action@b8be7f5e140177087325943c4a8e169d01c59b3d # v2.75.3
-        with:
-          tool: cargo-hack
-          fallback: none
-      - uses: taiki-e/install-action@b8be7f5e140177087325943c4a8e169d01c59b3d # v2.75.3
+      - uses: taiki-e/install-action@7ea35f098a7369cd23488403f58be9c491a6c55f # v2.77.0
         with:
           # 0.4.8 fails with at least nightly-2023-05-09 to nightly-2024-01-05
           tool: cargo-careful${{ (startsWith(matrix.rust, 'nightly-2023') || startsWith(matrix.rust, 'nightly-2024')) && '@0.4.7' || '' }}
           fallback: none
         if: startsWith(matrix.rust, 'nightly') && !(startsWith(matrix.os, 'ubuntu') && contains(matrix.os, '-arm'))
-      - uses: taiki-e/github-actions/install-rust@d34e3b863da529f7c30e571fec0170fbf64fa40c # main # zizmor: ignore[stale-action-refs]
+      - uses: taiki-e/install-action@7ea35f098a7369cd23488403f58be9c491a6c55f # v2.77.0
         with:
-          toolchain: stable
+          tool: rust@stable
+          fallback: none
         if: startsWith(matrix.rust, 'nightly') && startsWith(matrix.os, 'ubuntu') && contains(matrix.os, '-arm')
-      - uses: taiki-e/cache-cargo-install-action@a8b9ecf8e0c0ea09d7481cfc583a5203ecd585b5 # v3.0.5
+      - uses: taiki-e/cache-cargo-install-action@f9eed3e4680f27610dc6d8c67be1b88593f7dade # v3.0.6
         with:
           # 0.4.8 fails with at least nightly-2023-05-09 to nightly-2024-01-05
           tool: cargo-careful${{ (startsWith(matrix.rust, 'nightly-2023') || startsWith(matrix.rust, 'nightly-2024')) && '@0.4.7' || '' }}
         if: startsWith(matrix.rust, 'nightly') && startsWith(matrix.os, 'ubuntu') && contains(matrix.os, '-arm')
-      - uses: taiki-e/github-actions/install-rust@d34e3b863da529f7c30e571fec0170fbf64fa40c # main # zizmor: ignore[stale-action-refs]
+      - uses: taiki-e/install-action@7ea35f098a7369cd23488403f58be9c491a6c55f # v2.77.0
         with:
-          toolchain: ${{ matrix.rust }}
+          tool: rust@${{ matrix.rust }},cargo-hack
+          fallback: none
       - id: prepare
         run: |
           if [[ -z "${TARGET}" ]]; then
@@ -590,7 +589,7 @@ jobs:
           fi
         env:
           TARGET: ${{ matrix.target }}
-      - uses: taiki-e/setup-cross-toolchain-action@d62f33b587e73b0004731caebc7d2d46b18a7567 # v1.39.2
+      - uses: taiki-e/setup-cross-toolchain-action@129361238c06ff2cc1c4ca5c5d2217af441ffdf6 # v1.40.1
         with:
           target: ${{ matrix.target }}
           runner: ${{ matrix.runner }}
@@ -658,16 +657,13 @@ jobs:
           - name: nightly, --tests
             rust: nightly
             tests: 1
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 60
     steps:
       - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
-      - uses: taiki-e/github-actions/install-rust@d34e3b863da529f7c30e571fec0170fbf64fa40c # main # zizmor: ignore[stale-action-refs]
-        with:
-          toolchain: ${{ matrix.rust }}
-      - uses: taiki-e/install-action@b8be7f5e140177087325943c4a8e169d01c59b3d # v2.75.3
+      - uses: taiki-e/install-action@7ea35f098a7369cd23488403f58be9c491a6c55f # v2.77.0
         with:
-          tool: cargo-hack
+          tool: rust@${{ matrix.rust }},cargo-hack
           fallback: none
       - run: tools/build.sh
         env:
@@ -693,18 +689,14 @@ jobs:
           # - nightly-2025-08-06 # Rust 1.91, LLVM 20
           # - nightly-2026-01-28 # Rust 1.95, LLVM 21
           - nightly
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 60
     steps:
       - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
-      - uses: taiki-e/github-actions/install-rust@d34e3b863da529f7c30e571fec0170fbf64fa40c # main # zizmor: ignore[stale-action-refs]
+      - uses: taiki-e/install-action@7ea35f098a7369cd23488403f58be9c491a6c55f # v2.77.0
         with:
-          toolchain: ${{ matrix.rust }}
-      - uses: taiki-e/install-action@b8be7f5e140177087325943c4a8e169d01c59b3d # v2.75.3
-        with:
-          tool: cargo-hack,espup
+          tool: rust@${{ matrix.rust }}${{ matrix.rust == 'stable' && ',cargo-hack,espup' || '' }}
           fallback: none
-        if: matrix.rust == 'stable'
       - run: |
           retry() {
             for i in {1..10}; do
@@ -825,13 +817,14 @@ jobs:
           # TODO: "unhandled instruction: 0x4508 0xD103" in atomic_sub in Arc::drop (as of Valgrind 3.26)
           # - target: thumbv7neon-unknown-linux-gnueabihf
           #   os: ubuntu-24.04-arm
-    runs-on: ${{ matrix.os || 'ubuntu-latest' }}
+    runs-on: ${{ matrix.os || 'ubuntu-24.04' }}
     timeout-minutes: 60
     steps:
       - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
-      - uses: taiki-e/github-actions/install-rust@d34e3b863da529f7c30e571fec0170fbf64fa40c # main # zizmor: ignore[stale-action-refs]
+      - uses: taiki-e/install-action@7ea35f098a7369cd23488403f58be9c491a6c55f # v2.77.0
         with:
-          toolchain: nightly
+          tool: rust@nightly
+          fallback: none
       - id: prepare
         run: |
           if [[ -z "${TARGET}" ]]; then
@@ -845,7 +838,7 @@ jobs:
         env:
           TARGET: ${{ matrix.target }}
       # - run: apt-get -o Acquire::Retries=10 -qq update && apt-get -o Acquire::Retries=10 -o Dpkg::Use-Pty=0 install -y --no-install-recommends moreutils
-      - uses: taiki-e/setup-cross-toolchain-action@d62f33b587e73b0004731caebc7d2d46b18a7567 # v1.39.2
+      - uses: taiki-e/setup-cross-toolchain-action@129361238c06ff2cc1c4ca5c5d2217af441ffdf6 # v1.40.1
         with:
           target: ${{ matrix.target }}
           runner: valgrind
@@ -937,19 +930,20 @@ jobs:
             arch: riscv64
           - target: s390x-unknown-linux-gnu
             arch: s390x
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 60
     steps:
       - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
-      - uses: taiki-e/github-actions/install-rust@d34e3b863da529f7c30e571fec0170fbf64fa40c # main # zizmor: ignore[stale-action-refs]
+      - uses: taiki-e/install-action@7ea35f098a7369cd23488403f58be9c491a6c55f # v2.77.0
         with:
-          toolchain: nightly
+          tool: rust@nightly
+          fallback: none
       # - run: sudo apt-get -o Acquire::Retries=10 -qq update && apt-get -o Acquire::Retries=10 -o Dpkg::Use-Pty=0 install -y --no-install-recommends moreutils
-      - uses: taiki-e/setup-cross-toolchain-action@d62f33b587e73b0004731caebc7d2d46b18a7567 # v1.39.2
+      - uses: taiki-e/setup-cross-toolchain-action@129361238c06ff2cc1c4ca5c5d2217af441ffdf6 # v1.40.1
         with:
           target: ${{ matrix.target }}
           runner: valgrind
-      - uses: taiki-e/github-actions/setup-docker@d34e3b863da529f7c30e571fec0170fbf64fa40c # main # zizmor: ignore[stale-action-refs]
+      - uses: taiki-e/github-actions/setup-docker@2474ed4664eb8903c151603a9d841512c069f7f6 # main # zizmor: ignore[stale-action-refs]
         with:
           buildx: false
           qemu: ${{ matrix.arch }}
@@ -1015,30 +1009,28 @@ jobs:
           done
           cat -- ./run
           chmod +x ./run
+          # https://github.com/taiki-e/dockerfiles/pkgs/container/valgrind
+          valgrind_version='3.26.0'
           docker run --rm --init --user "$(id -u)":"$(id -g)" \
             --mount "type=bind,source=${workspace_dir},target=${workspace_dir}" --workdir "${workspace_dir}" \
             -e CI -e GITHUB_ACTIONS \
             -e RUST_BACKTRACE -e RUST_TEST_THREADS \
             -e ATOMIC_MAYBE_UNINIT_DENY_WARNINGS \
-            --platform=linux/"${ARCH}" ghcr.io/taiki-e/valgrind:"${ARCH}"-cross \
+            --platform=linux/"${ARCH}" ghcr.io/taiki-e/valgrind:"${valgrind_version}-${ARCH}"-cross \
             ./run
         env:
           TARGET: ${{ matrix.target }}
           ARCH: ${{ matrix.arch }}
 
   asm-test:
     needs: tidy
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     timeout-minutes: 60
     steps:
       - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
-      - uses: taiki-e/github-actions/install-rust@d34e3b863da529f7c30e571fec0170fbf64fa40c # main # zizmor: ignore[stale-action-refs]
-        with:
-          toolchain: nightly
-          component: rust-src
-      - uses: taiki-e/install-action@b8be7f5e140177087325943c4a8e169d01c59b3d # v2.75.3
+      - uses: taiki-e/install-action@7ea35f098a7369cd23488403f58be9c491a6c55f # v2.77.0
         with:
-          tool: espup
+          tool: rust@nightly+rust-src,espup
           fallback: none
       - run: |
           retry() {

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,7 +1,6 @@
 name: Release
 
-permissions:
-  contents: read
+permissions: {}
 
 on:
   workflow_dispatch:
@@ -26,7 +25,7 @@ concurrency:
 jobs:
   release:
     if: github.repository_owner == 'taiki-e'
-    uses: taiki-e/github-actions/.github/workflows/rust-release.yml@d34e3b863da529f7c30e571fec0170fbf64fa40c # main
+    uses: taiki-e/github-actions/.github/workflows/rust-release.yml@2474ed4664eb8903c151603a9d841512c069f7f6 # main
     permissions:
       contents: write # for taiki-e/create-gh-release-action
       id-token: write # for rust-lang/crates-io-auth-action

diff --git a/tools/tidy.sh b/tools/tidy.sh
@@ -9,13 +9,22 @@ cd -- "$(dirname -- "$0")"/..
 #    GITHUB_TOKEN=$(gh auth token) ./tools/tidy.sh
 #
 # Note: This script requires the following tools:
-# - docker
+# - docker or podman (or compatible CLI specified by TIDY_DOCKER_PATH. when both available and TIDY_DOCKER_PATH is not set, docker is preferred)
 #
 # This script is shared by projects under github.com/taiki-e, so there may also
 # be checks for files not included in this repository, but they will be skipped
 # if the corresponding files do not exist.
 # It is not intended for manual editing.
 
+bail() {
+  if [[ -n "${GITHUB_ACTIONS:-}" ]]; then
+    printf '::error::%s\n' "$*"
+  else
+    printf >&2 'error: %s\n' "$*"
+  fi
+  exit 1
+}
+
 if [[ $# -gt 0 ]]; then
   cat <<EOF
 USAGE:
@@ -24,10 +33,11 @@ EOF
   exit 1
 fi
 
+image='ghcr.io/taiki-e/tidy'
 if [[ -n "${TIDY_DEV:-}" ]]; then
-  image="ghcr.io/taiki-e/tidy:latest"
+  image+=':latest'
 else
-  image="ghcr.io/taiki-e/tidy@sha256:71def761a5585e83a2672c4051aee13cd886ad5571215aee52f193454bb3cdff"
+  image+='@sha256:4d7ec52a86bd3c0a2d96627b0ec3aa534afc02c2d56fc9a898df64e29aa03312'
 fi
 user="$(id -u):$(id -g)"
 workdir=$(pwd)
@@ -40,8 +50,12 @@ color=''
 if [[ -t 1 ]] || [[ -n "${GITHUB_ACTIONS:-}" ]]; then
   color=1
 fi
+# Refs:
+# - https://docs.docker.com/reference/cli/docker/container/run/
+# - https://docs.podman.io/en/latest/markdown/podman-run.1.html
+# - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
 common_args=(
-  run --rm --init -i --user "${user}"
+  run --rm --init
   --cap-drop=all
   --security-opt=no-new-privileges
   --read-only
@@ -59,6 +73,30 @@ common_args=(
   --env TIDY_EXPECTED_SHELL_FILE_COUNT
   --env TIDY_EXPECTED_DOCKER_FILE_COUNT
 )
+if [[ -n "${TIDY_DOCKER_PATH:-}" ]]; then
+  docker="${TIDY_DOCKER_PATH}"
+elif type -P docker >/dev/null; then
+  docker='docker'
+elif type -P podman >/dev/null; then
+  docker='podman'
+else
+  bail 'this script requires docker or podman'
+fi
+rootless=''
+if [[ "$("${docker}" --version)" == *'podman'* ]]; then
+  if [[ "$("${docker}" info)" == *'rootless: true'* ]]; then
+    rootless=1
+  fi
+elif [[ "$("${docker}" info -f '{{println .SecurityOptions}}')" == *'rootless'* ]]; then
+  rootless=1
+fi
+if [[ -n "${rootless}" ]]; then
+  printf 'docker path: %s\n' "${docker} (rootless)"
+else
+  printf 'docker path: %s\n' "${docker}"
+  common_args+=(--user "${user}")
+fi
+
 # Map ignored files (e.g., .env) to dummy files.
 while IFS= read -r path; do
   if [[ -d "${path}" ]]; then
@@ -73,7 +111,7 @@ while IFS= read -r path; do
 done < <(git status --porcelain --ignored | grep -E '^!!' | cut -d' ' -f2)
 
 docker_run() {
-  docker "${common_args[@]}" "$@"
+  "${docker}" "${common_args[@]}" "$@"
   code2="$?"
   if [[ ${code} -eq 0 ]] && [[ ${code2} -ne 0 ]]; then
     code="${code2}"