I think I would do it only immediately before moving the book under rust-lang.
Implementing all the actions by ourselves means that we have to maintain them in the meantime. For now we can save that effort.
Furthermore, I am not sure that all the repositories under rust-lang are not using external actions. This is just an example.
We need to ask for clarification about this.
I think it's actually important to not close this. Also in the PR I did I showed how to do it without external actions. We don't need to reimplement actions ourselves. A bit of copy & pasting from the PR and a bit of own work and this should be fine.
Yeah, the problem with copy-pasting is that you have to maintain it.
From a security point of view, what's the difference with fixing the version of the github action with the release version or the commit hash for example?
I don't understand that question, could you rephrase it please? I mean a GitHub action has access to environment variables; if this will make it into rust-lang they sure want to keep track of which actions have access to these and that there are no malicious ones under it. To check/code review each of those actions is also a bit much, no?
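As an added illustration of the pinning question raised above (example code, not from this thread or from std-dev-guide): a small check that walks a workflow file and reports every external action that is referenced by a mutable tag or branch rather than a full 40-hex commit SHA, since a tag can be moved to new code while a commit hash cannot. The workflow text, the `some-org/some-action` name and its SHA are constructed placeholders.

```python
import re

# Constructed sample workflow (not from the page): one action pinned to a
# movable tag, one to a full commit SHA, one local action, one inline script.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-step
      - run: ./ci/build.sh
"""

# Matches a step's `uses:` key and captures the reference up to the first space
# (so a trailing version comment is ignored).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref):
    """Return 'local', 'docker', 'sha' or 'mutable' for one `uses:` reference."""
    if ref.startswith("./"):
        return "local"          # action from this repository, reviewed with the repo
    if ref.startswith("docker://"):
        return "docker"         # image reference; pin by digest, out of scope here
    if "@" not in ref:
        return "mutable"        # no version at all
    _, version = ref.rsplit("@", 1)
    return "sha" if FULL_SHA_RE.match(version) else "mutable"


def find_unpinned_actions(workflow_text):
    """Return (line_no, ref) for each external action not pinned to a full commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify_uses(m.group("ref")) == "mutable":
            findings.append((line_no, m.group("ref")))
    return findings


if __name__ == "__main__":
    for line_no, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a commit SHA")
```

A SHA pin only freezes which code runs; the pinned action still gets the step's environment, so the inventory this produces is the list of third-party code that still needs reviewing.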
As preparation for a possible inclusion into rust-lang we should replace the external actions we use with e.g. scripts that do the same.
rust-lang/std-dev-guide#7 (comment)
That PR also shows how that could be done:
https://github.com/rust-lang/std-dev-guide/pull/7/files