apache · Xuanwo · Feb 26, 2026 · Feb 11, 2026 · Feb 11, 2026 · Feb 11, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -22,9 +22,13 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
 
   # Maintain dependencies for rust
   - package-ecosystem: "cargo"
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/aliyun_oss.yml b/.github/workflows/aliyun_oss.yml
@@ -35,7 +35,9 @@ jobs:
     permissions:
       id-token: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Test
         working-directory: ./services/aliyun-oss
         run: cargo test --no-fail-fast

diff --git a/.github/workflows/aws_v4.yml b/.github/workflows/aws_v4.yml
@@ -33,12 +33,16 @@ env:
   RUST_LOG: DEBUG
   RUST_BACKTRACE: full
 
+permissions: {}
+
 jobs:
   # Unit tests - always run, no secrets needed
   unit_test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Run unit tests
         working-directory: ./services/aws-v4
         run: |
@@ -70,14 +74,16 @@ jobs:
     if: needs.check_secrets.outputs.has_secrets == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Setup 1Password Connect
-        uses: 1password/load-secrets-action/configure@v3.1.0
+        uses: 1password/load-secrets-action/configure@8d0d610af187e78a2772c2d18d627f4c52d3fbfb # v3.1.0
         with:
           connect-host: ${{ secrets.OP_CONNECT_HOST }}
           connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
       - name: Load secrets
-        uses: 1password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb # v3
+        uses: 1password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb # v3.1.0
         with:
           export-env: true
         env:
@@ -100,14 +106,16 @@ jobs:
     if: needs.check_secrets.outputs.has_secrets == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Setup 1Password Connect
-        uses: 1password/load-secrets-action/configure@v3.1.0
+        uses: 1password/load-secrets-action/configure@8d0d610af187e78a2772c2d18d627f4c52d3fbfb # v3.1.0
         with:
           connect-host: ${{ secrets.OP_CONNECT_HOST }}
           connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
       - name: Load secrets
-        uses: 1password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb # v3
+        uses: 1password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb # v3.1.0
         with:
           export-env: true
         env:
@@ -127,15 +135,17 @@ jobs:
     if: needs.check_secrets.outputs.has_secrets == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Setup 1Password Connect
-        uses: 1password/load-secrets-action/configure@v3.1.0
+        uses: 1password/load-secrets-action/configure@8d0d610af187e78a2772c2d18d627f4c52d3fbfb # v3.1.0
         with:
           connect-host: ${{ secrets.OP_CONNECT_HOST }}
           connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
       - name: Load secrets
         id: load_secret
-        uses: 1password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb # v3
+        uses: 1password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb # v3.1.0
         env:
           REQSIGN_AWS_V4_TEST_ENV: on
           REQSIGN_AWS_V4_TEST_PROFILE: on
@@ -146,12 +156,12 @@ jobs:
           mkdir -p ~/.aws
           cat > ~/.aws/credentials << EOF
           [default]
-          aws_access_key_id = ${{ steps.load_secrets.outputs.AWS_ACCESS_KEY_ID }}
-          aws_secret_access_key = ${{ steps.load_secrets.outputs.AWS_SECRET_ACCESS_KEY }}
+          aws_access_key_id = ${STEPS_LOAD_SECRETS_OUTPUTS_AWS_ACCESS_KEY_ID}
+          aws_secret_access_key = ${STEPS_LOAD_SECRETS_OUTPUTS_AWS_SECRET_ACCESS_KEY}
 
           [test-profile]
-          aws_access_key_id = ${{ steps.load_secrets.outputs.AWS_ACCESS_KEY_ID }}
-          aws_secret_access_key = ${{ steps.load_secrets.outputs.AWS_SECRET_ACCESS_KEY }}
+          aws_access_key_id = ${STEPS_LOAD_SECRETS_OUTPUTS_AWS_ACCESS_KEY_ID}
+          aws_secret_access_key = ${STEPS_LOAD_SECRETS_OUTPUTS_AWS_SECRET_ACCESS_KEY}
           EOF
 
           cat > ~/.aws/config << EOF
@@ -162,6 +172,9 @@ jobs:
           region = us-west-1
           output = json
           EOF
+        env:
+          STEPS_LOAD_SECRETS_OUTPUTS_AWS_ACCESS_KEY_ID: ${{ steps.load_secrets.outputs.AWS_ACCESS_KEY_ID }}
+          STEPS_LOAD_SECRETS_OUTPUTS_AWS_SECRET_ACCESS_KEY: ${{ steps.load_secrets.outputs.AWS_SECRET_ACCESS_KEY }}
       - name: Test ProfileCredentialProvider
         working-directory: ./services/aws-v4
         run: |
@@ -175,14 +188,16 @@ jobs:
     if: needs.check_secrets.outputs.has_secrets == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Setup 1Password Connect
-        uses: 1password/load-secrets-action/configure@v3.1.0
+        uses: 1password/load-secrets-action/configure@8d0d610af187e78a2772c2d18d627f4c52d3fbfb # v3.1.0
         with:
           connect-host: ${{ secrets.OP_CONNECT_HOST }}
           connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
       - name: Load secrets
-        uses: 1password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb # v3
+        uses: 1password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb # v3.1.0
         with:
           export-env: true
         env:
@@ -207,9 +222,11 @@ jobs:
       contents: read
       id-token: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Get GitHub OIDC token
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         id: idtoken
         with:
           script: |
@@ -222,12 +239,12 @@ jobs:
 
             console.log('GitHub OIDC token obtained and saved');
       - name: Setup 1Password Connect
-        uses: 1password/load-secrets-action/configure@v3.1.0
+        uses: 1password/load-secrets-action/configure@8d0d610af187e78a2772c2d18d627f4c52d3fbfb # v3.1.0
         with:
           connect-host: ${{ secrets.OP_CONNECT_HOST }}
           connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
       - name: Load secrets
-        uses: 1password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb # v3
+        uses: 1password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb # v3.1.0
         with:
           export-env: true
         env:
@@ -247,7 +264,9 @@ jobs:
   test_imds_provider:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Start amazon-ec2-metadata-mock
         run: |
           # Download ec2-metadata-mock binary
@@ -323,7 +342,9 @@ jobs:
   test_ecs_provider:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Setup Mock ECS Credentials Server
         run: |
           # Start the mock server in background using the maintained script
@@ -372,7 +393,9 @@ jobs:
   test_sso_provider:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Setup SSO Mock Environment
         run: |
           # Create test home directory structure
@@ -451,7 +474,9 @@ jobs:
   test_process_provider:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Setup process credential helper
         run: |
           # Create test home directory
@@ -512,7 +537,9 @@ jobs:
   test_cognito_provider:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Start Cognito Identity Mock Server
         run: |
           # Start the mock server
@@ -555,14 +582,16 @@ jobs:
     if: needs.check_secrets.outputs.has_secrets == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Setup 1Password Connect
-        uses: 1password/load-secrets-action/configure@v3.1.0
+        uses: 1password/load-secrets-action/configure@8d0d610af187e78a2772c2d18d627f4c52d3fbfb # v3.1.0
         with:
           connect-host: ${{ secrets.OP_CONNECT_HOST }}
           connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
       - name: Load secrets
-        uses: 1password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb # v3
+        uses: 1password/load-secrets-action@8d0d610af187e78a2772c2d18d627f4c52d3fbfb # v3.1.0
         with:
           export-env: true
         env:
@@ -608,21 +637,21 @@ jobs:
           echo "#### Core Tests" >> $GITHUB_STEP_SUMMARY
           echo "| Test | Result |" >> $GITHUB_STEP_SUMMARY
           echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
-          echo "| Unit Tests | ${{ needs.unit_test.result }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| Unit Tests | ${NEEDS_UNIT_TEST_RESULT} |" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
 
           echo "#### Integration Tests (with real AWS credentials)" >> $GITHUB_STEP_SUMMARY
-          if [[ "${{ needs.check_secrets.outputs.has_secrets }}" == "true" ]]; then
+          if [[ "${NEEDS_CHECK_SECRETS_OUTPUTS_HAS_SECRETS}" == "true" ]]; then
             echo "✅ **Integration tests with real AWS credentials were executed**" >> $GITHUB_STEP_SUMMARY
             echo "" >> $GITHUB_STEP_SUMMARY
             echo "| Test | Result |" >> $GITHUB_STEP_SUMMARY
             echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
-            echo "| Signing Tests | ${{ needs.signing_test.result }} |" >> $GITHUB_STEP_SUMMARY
-            echo "| EnvCredentialProvider | ${{ needs.test_env_provider.result }} |" >> $GITHUB_STEP_SUMMARY
-            echo "| ProfileCredentialProvider | ${{ needs.test_profile_provider.result }} |" >> $GITHUB_STEP_SUMMARY
-            echo "| AssumeRoleCredentialProvider | ${{ needs.test_assume_role_provider.result }} |" >> $GITHUB_STEP_SUMMARY
-            echo "| AssumeRoleWithWebIdentityCredentialProvider | ${{ needs.test_web_identity_provider.result }} |" >> $GITHUB_STEP_SUMMARY
-            echo "| S3ExpressSessionProvider | ${{ needs.test_s3_express_provider.result }} |" >> $GITHUB_STEP_SUMMARY
+            echo "| Signing Tests | ${NEEDS_SIGNING_TEST_RESULT} |" >> $GITHUB_STEP_SUMMARY
+            echo "| EnvCredentialProvider | ${NEEDS_TEST_ENV_PROVIDER_RESULT} |" >> $GITHUB_STEP_SUMMARY
+            echo "| ProfileCredentialProvider | ${NEEDS_TEST_PROFILE_PROVIDER_RESULT} |" >> $GITHUB_STEP_SUMMARY
+            echo "| AssumeRoleCredentialProvider | ${NEEDS_TEST_ASSUME_ROLE_PROVIDER_RESULT} |" >> $GITHUB_STEP_SUMMARY
+            echo "| AssumeRoleWithWebIdentityCredentialProvider | ${NEEDS_TEST_WEB_IDENTITY_PROVIDER_RESULT} |" >> $GITHUB_STEP_SUMMARY
+            echo "| S3ExpressSessionProvider | ${NEEDS_TEST_S3_EXPRESS_PROVIDER_RESULT} |" >> $GITHUB_STEP_SUMMARY
           else
             echo "⚠️ **Integration tests were skipped** (forked repository or no secrets available)" >> $GITHUB_STEP_SUMMARY
           fi
@@ -633,8 +662,35 @@ jobs:
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "| Provider | Mock Server | Result |" >> $GITHUB_STEP_SUMMARY
           echo "|----------|-------------|--------|" >> $GITHUB_STEP_SUMMARY
-          echo "| IMDSv2CredentialProvider | amazon-ec2-metadata-mock | ${{ needs.test_imds_provider.result }} |" >> $GITHUB_STEP_SUMMARY
-          echo "| ECSCredentialProvider | Python mock (port 51679) | ${{ needs.test_ecs_provider.result }} |" >> $GITHUB_STEP_SUMMARY
-          echo "| SSOCredentialProvider | Python mock (port 8080) | ${{ needs.test_sso_provider.result }} |" >> $GITHUB_STEP_SUMMARY
-          echo "| ProcessCredentialProvider | Python credential helper | ${{ needs.test_process_provider.result }} |" >> $GITHUB_STEP_SUMMARY
-          echo "| CognitoIdentityCredentialProvider | Python mock (port 8443) | ${{ needs.test_cognito_provider.result }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| IMDSv2CredentialProvider | amazon-ec2-metadata-mock | ${NEEDS_TEST_IMDS_PROVIDER_RESULT} |" >> $GITHUB_STEP_SUMMARY
+          echo "| ECSCredentialProvider | Python mock (port 51679) | ${NEEDS_TEST_ECS_PROVIDER_RESULT} |" >> $GITHUB_STEP_SUMMARY
+          echo "| SSOCredentialProvider | Python mock (port 8080) | ${NEEDS_TEST_SSO_PROVIDER_RESULT} |" >> $GITHUB_STEP_SUMMARY
+          echo "| ProcessCredentialProvider | Python credential helper | ${NEEDS_TEST_PROCESS_PROVIDER_RESULT} |" >> $GITHUB_STEP_SUMMARY
+          echo "| CognitoIdentityCredentialProvider | Python mock (port 8443) | ${NEEDS_TEST_COGNITO_PROVIDER_RESULT} |" >> $GITHUB_STEP_SUMMARY
+
+        env:
+          NEEDS_UNIT_TEST_RESULT: ${{ needs.unit_test.result }}
+
+          NEEDS_CHECK_SECRETS_OUTPUTS_HAS_SECRETS: ${{ needs.check_secrets.outputs.has_secrets }}
+
+          NEEDS_SIGNING_TEST_RESULT: ${{ needs.signing_test.result }}
+
+          NEEDS_TEST_ENV_PROVIDER_RESULT: ${{ needs.test_env_provider.result }}
+
+          NEEDS_TEST_PROFILE_PROVIDER_RESULT: ${{ needs.test_profile_provider.result }}
+
+          NEEDS_TEST_ASSUME_ROLE_PROVIDER_RESULT: ${{ needs.test_assume_role_provider.result }}
+
+          NEEDS_TEST_WEB_IDENTITY_PROVIDER_RESULT: ${{ needs.test_web_identity_provider.result }}
+
+          NEEDS_TEST_S3_EXPRESS_PROVIDER_RESULT: ${{ needs.test_s3_express_provider.result }}
+
+          NEEDS_TEST_IMDS_PROVIDER_RESULT: ${{ needs.test_imds_provider.result }}
+
+          NEEDS_TEST_ECS_PROVIDER_RESULT: ${{ needs.test_ecs_provider.result }}
+
+          NEEDS_TEST_SSO_PROVIDER_RESULT: ${{ needs.test_sso_provider.result }}
+
+          NEEDS_TEST_PROCESS_PROVIDER_RESULT: ${{ needs.test_process_provider.result }}
+
+          NEEDS_TEST_COGNITO_PROVIDER_RESULT: ${{ needs.test_cognito_provider.result }}