openssf scorecard suggested improvements

.github/workflows/cflite_batch.yml

@@ -4,7 +4,9 @@ on:
   schedule:
     - cron: '0 3 * * 1'  # Weekly on Monday at 03:00 UTC
 
-permissions: read-all
+permissions:
+  contents: read
+  security-events: write
 
 jobs:
   BatchFuzzing:
@@ -17,14 +19,14 @@ jobs:
     steps:
       - name: Build Fuzzers (${{ matrix.sanitizer }})
         id: build
-        uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+        uses: google/clusterfuzzlite/actions/build_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1
         with:
           language: rust
           sanitizer: ${{ matrix.sanitizer }}
 
       - name: Run Fuzzers (${{ matrix.sanitizer }})
         id: run
-        uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+        uses: google/clusterfuzzlite/actions/run_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           fuzz-seconds: 3600

.github/workflows/cflite_pr.yml

@@ -5,7 +5,9 @@ on:
     branches:
       - main
 
-permissions: read-all
+permissions:
+  contents: read
+  security-events: write
 
 jobs:
   PR:
@@ -21,7 +23,7 @@ jobs:
     steps:
       - name: Build Fuzzers (${{ matrix.sanitizer }})
         id: build
-        uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+        uses: google/clusterfuzzlite/actions/build_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1
         with:
           language: rust
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -29,7 +31,7 @@ jobs:
 
       - name: Run Fuzzers (${{ matrix.sanitizer }})
         id: run
-        uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+        uses: google/clusterfuzzlite/actions/run_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           fuzz-seconds: 300

Makefile

@@ -708,23 +708,17 @@ fuzz:
 	@echo "🐛 Running fuzz targets (cargo-fuzz required, nightly Rust required)…"
 	@command -v cargo-fuzz >/dev/null 2>&1 || { \
 		echo "📦 installing cargo-fuzz …"; \
-		cargo install cargo-fuzz; \
+		cargo install --locked cargo-fuzz; \
 	}
 	@rustup toolchain list | grep -q nightly || { \
 		echo "📦 installing nightly toolchain …"; \
 		rustup toolchain install nightly; \
 	}
 	@fuzz_seconds=$${FUZZ_SECONDS:-60}; \
-	NIGHTLY_PATH="$$HOME/.rustup/toolchains/nightly-$$(rustc -vV | awk '/^host:/{print $$2}')/bin"; \
-	if [ ! -d "$$NIGHTLY_PATH" ]; then \
-		echo "❌ Nightly toolchain not found at $$NIGHTLY_PATH"; \
-		exit 1; \
-	fi; \
-	export PATH="$$NIGHTLY_PATH:$$PATH"; \
-	echo "Using rustc: $$(which rustc) ($$(rustc --version))"; \
+	echo "Using nightly rustc: $$(rustup run nightly rustc --version)"; \
 	for target in fuzz_entropy fuzz_location fuzz_base64 fuzz_span; do \
 		echo "▶ fuzzing $$target for $${fuzz_seconds}s …"; \
-		cargo fuzz run $$target -- \
+		cargo +nightly fuzz run $$target -- \
 			-max_total_time=$${fuzz_seconds} \
 			-max_len=4096 || { echo "❌ $$target found a crash"; exit 1; }; \
 		echo "✅ $$target passed"; \

src/reporter.rs

@@ -601,7 +601,7 @@ impl DetailsReporter {
             let atime = cmd
                 .committer_timestamp
                 .format(gix::date::time::format::SHORT.clone())
-                .unwrap_or_else(|_| cmd.committer_timestamp.seconds.to_string());
+                .unwrap_or_else(|_| "<unknown>".to_string());
 
             let git_metadata = serde_json::json!({
                 "repository_url": repository_url,