Enable zizmor

Author: simolus3

.github/dependabot.yml

@@ -8,6 +8,8 @@ updates:
       all-github-actions:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7
   - package-ecosystem: "pub"
     versioning-strategy: "increase-if-necessary"
     directory: "/"
@@ -17,3 +19,5 @@ updates:
       all-pub-dependencies:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7

.github/workflows/compile_sqlite.yml

@@ -13,12 +13,16 @@ on:
         description: "ID of the artifact containing libraries compiled with sanitizers"
         value: ${{ jobs.build_with_sanitizers.outputs.libs }}
 
+permissions: {}
+
 jobs:
   download_sqlite:
     runs-on: ubuntu-slim
     name: Download SQLite sources
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: actions/cache@v5
         id: cache_build
         with:
@@ -51,6 +55,8 @@ jobs:
     name: Compile sqlite3
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: actions/cache@v5
         id: cache_build
         with:
@@ -95,6 +101,8 @@ jobs:
       libs: ${{ steps.upload.outputs.artifact-id }}
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: actions/cache@v5
         id: cache_build
         with:
@@ -110,11 +118,9 @@ jobs:
       - uses: dart-lang/setup-dart@v1
         if: steps.cache_build.outputs.cache-hit != 'true'
 
-      - uses: dtolnay/rust-toolchain@stable
+      - name: Install rust
         if: steps.cache_build.outputs.cache-hit != 'true'
-        with:
-          toolchain: nightly
-          components: rust-src
+        run: rustup toolchain install nightly --component rust-src
 
       - name: Install LLVM toolchain
         shell: bash
@@ -147,6 +153,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: actions/cache@v5
         id: cache_build
         with:
@@ -156,19 +164,19 @@ jobs:
       # clang 18 that ships on ubuntu crashes when compiling the wasm sources
       - name: Install LLVM and Clang
         if: steps.cache_build.outputs.cache-hit != 'true'
-        uses: KyleMayes/install-llvm-action@v2.0.9
+        uses: KyleMayes/install-llvm-action@ebc0426251bc40c7cd31162802432c68818ab8f0 #v2.0.9
         with:
           version: "21"
 
       - name: Download WASI SDK
         if: steps.cache_build.outputs.cache-hit != 'true'
         run: |
-          ls -al ${{ env.LLVM_PATH }}
+          ls -al ${LLVM_PATH}
 
           curl -L https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-27/wasi-sdk-27.0-x86_64-linux.deb -o wasi-sdk.deb
           sudo dpkg -i wasi-sdk.deb
           sudo mkdir /usr/lib/llvm-18/lib/clang/18/lib/wasi
-          sudo cp -r /opt/wasi-sdk/lib/clang/20/lib/* ${{ env.LLVM_PATH }}/lib/clang/21/lib/
+          sudo cp -r /opt/wasi-sdk/lib/clang/20/lib/* ${LLVM_PATH}/lib/clang/21/lib/
 
           curl -L https://github.com/WebAssembly/binaryen/releases/download/version_124/binaryen-version_124-x86_64-linux.tar.gz -o binaryen.tar.gz
           tar --extract --gzip --file binaryen.tar.gz
@@ -196,17 +204,28 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: actions/cache@v5
         id: cache_build
         with:
           path: sqlite3_connection_pool/out
           key: pool-helper-${{ runner.os }}-${{ hashFiles('sqlite3_connection_pool/src/**', 'sqlite3_connection_pool/Cargo.toml', 'sqlite3_connection_pool/.cargo/**') }}
-      - uses: dtolnay/rust-toolchain@stable
+      - name: Install rust
         if: steps.cache_build.outputs.cache-hit != 'true'
-        with:
-          toolchain: nightly
-          components: rust-src
-          targets: aarch64-unknown-linux-gnu,x86_64-unknown-linux-gnu,riscv64gc-unknown-linux-gnu,armv7-unknown-linux-gnueabihf,aarch64-linux-android,armv7-linux-androideabi,x86_64-linux-android
+        run: |
+          rustup toolchain install nightly --component rust-src
+          rustup target add --toolchain nightly aarch64-unknown-linux-gnu
+          rustup target add --toolchain nightly x86_64-unknown-linux-gnu
+          rustup target add --toolchain nightly riscv64gc-unknown-linux-gnu
+
+          rustup target add --toolchain nightly armv7-unknown-linux-gnueabihf
+          rustup target add --toolchain nightly aarch64-linux-android
+          rustup target add --toolchain nightly armv7-linux-androideabi
+          rustup target add --toolchain nightly x86_64-linux-android
+      - name: Install rust
+        if: steps.cache_build.outputs.cache-hit != 'true'
+        run: rustup toolchain install nightly --component rust-src
       - run: cargo install cargo-ndk
         if: steps.cache_build.outputs.cache-hit != 'true'
       - name: Install cross-compiling GCC
@@ -251,17 +270,19 @@ jobs:
     runs-on: macos-latest
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: actions/cache@v5
         id: cache_build
         with:
           path: sqlite3_connection_pool/out
           key: pool-helper-${{ runner.os }}-${{ hashFiles('sqlite3_connection_pool/src/**', 'sqlite3_connection_pool/Cargo.toml', 'sqlite3_connection_pool/.cargo/**') }}
-      - uses: dtolnay/rust-toolchain@stable
+      - name: Install rust
         if: steps.cache_build.outputs.cache-hit != 'true'
-        with:
-          toolchain: nightly
-          components: rust-src
-          targets: x86_64-apple-darwin,aarch64-apple-darwin
+        run: |
+          rustup toolchain install nightly --component rust-src
+          rustup target add --toolchain nightly x86_64-apple-darwin
+          rustup target add --toolchain nightly aarch64-apple-darwin
       - name: Build for macOS and iOS
         if: steps.cache_build.outputs.cache-hit != 'true'
         working-directory: sqlite3_connection_pool
@@ -289,17 +310,19 @@ jobs:
     runs-on: windows-latest
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: actions/cache@v5
         id: cache_build
         with:
           path: sqlite3_connection_pool/out
           key: pool-helper-${{ runner.os }}-${{ hashFiles('sqlite3_connection_pool/src/**', 'sqlite3_connection_pool/Cargo.toml', 'sqlite3_connection_pool/.cargo/**') }}
-      - uses: dtolnay/rust-toolchain@stable
+      - name: Install rust
         if: steps.cache_build.outputs.cache-hit != 'true'
-        with:
-          toolchain: nightly
-          components: rust-src
-          targets: x86_64-pc-windows-msvc,aarch64-pc-windows-msvc
+        run: |
+          rustup toolchain install nightly --component rust-src
+          rustup target add --toolchain nightly x86_64-pc-windows-msvc
+          rustup target add --toolchain nightly aarch64-pc-windows-msvc
       - name: Build for Windows
         if: steps.cache_build.outputs.cache-hit != 'true'
         working-directory: sqlite3_connection_pool
@@ -339,6 +362,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - uses: actions/download-artifact@v8
         with:

.github/workflows/main.yml

@@ -6,11 +6,28 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions: {}
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+
 jobs:
   fetch_sqlite:
     if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository)
     uses: ./.github/workflows/compile_sqlite.yml
 
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # To report results
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+
   analyze:
     if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository)
     timeout-minutes: 5
@@ -22,6 +39,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v6
+      with:
+        persist-credentials: false
     - uses: dart-lang/setup-dart@v1
       with:
         sdk: ${{ matrix.dart }}
@@ -67,6 +86,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v6
+      with:
+        persist-credentials: false
     - uses: dart-lang/setup-dart@v1
       with:
         sdk: ${{ matrix.dart }}
@@ -168,6 +189,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v6
+      with:
+        persist-credentials: false
     - uses: dart-lang/setup-dart@v1
     - name: Download compiled sqlite3
       uses: actions/download-artifact@v8
@@ -202,6 +225,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: dart-lang/setup-dart@v1
       - name: Download compiled sqlite3
         uses: actions/download-artifact@v8
@@ -278,7 +303,9 @@ jobs:
           xcrun simctl boot $IPHONE
 
       - uses: actions/checkout@v6
-      - uses: subosito/flutter-action@v2
+        with:
+          persist-credentials: false
+      - uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 #v2.23.0
 
       - name: Flutter version
         run: flutter --version
@@ -343,7 +370,7 @@ jobs:
           flutter test integration_test -d linux
 
       - name: SQLite Android emulator tests
-        uses: reactivecircus/android-emulator-runner@v2
+        uses: reactivecircus/android-emulator-runner@e89f39f1abbbd05b1113a29cf4db69e7540cae5a # v2.37.0
         if: runner.os == 'linux'
         with:
           api-level: 34
@@ -369,7 +396,7 @@ jobs:
           flutter test integration_test -Dsqlite3.multipleciphers=true -d macos
 
       - name: sqlite3mc Android emulator tests
-        uses: reactivecircus/android-emulator-runner@v2
+        uses: reactivecircus/android-emulator-runner@e89f39f1abbbd05b1113a29cf4db69e7540cae5a # v2.37.0
         if: runner.os == 'linux'
         with:
           api-level: 34

.github/workflows/release.yml

@@ -8,18 +8,22 @@ on:
       - 'sqlite3_web-[0-9]+.[0-9]+.[0-9]+*'
       - 'sqlite3_connection_pool-[0-9]+.[0-9]+.[0-9]+*'
 
+permissions: {}
+
 jobs:
   fetch_sqlite:
     uses: ./.github/workflows/compile_sqlite.yml
 
   prepare_release:
     needs: [fetch_sqlite]
     permissions:
-      packages: write
-      contents: write
+      packages: write # Needed to upload release assets
+      contents: write # Needed to upload release assets
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v6
+      with:
+        persist-credentials: false
     - uses: dart-lang/setup-dart@v1
     - name: Pub get
       run: dart pub get
@@ -33,12 +37,14 @@ jobs:
       if: "${{ startsWith(github.ref_name, 'sqlite3-') }}"
       id: tag
       run: |
-        tag=$(basename "${{ github.ref }}")
+        tag=$(basename "${GITHUB_REF}")
         echo "tag=$tag" >> $GITHUB_OUTPUT
 
     - name: Verify asset hashes
       if: "${{ startsWith(github.ref_name, 'sqlite3-') }}"
-      run: dart run tool/write_asset_hashes.dart "${{ steps.tag.outputs.tag }}"
+      run: dart run tool/write_asset_hashes.dart "${STEPS_TAG_OUTPUTS_TAG}"
+      env:
+        STEPS_TAG_OUTPUTS_TAG: ${{ steps.tag.outputs.tag }}
     - name: List libraries
       run: ls -al sqlite-compiled
 
@@ -47,8 +53,9 @@ jobs:
       env:
         GH_TOKEN: ${{ github.token }}
         GH_REPO: ${{ github.repository }}
+        STEPS_TAG_OUTPUTS_TAG: ${{ steps.tag.outputs.tag }}
       run: |
-        tag="${{ steps.tag.outputs.tag }}"
+        tag="${STEPS_TAG_OUTPUTS_TAG}"
         body="Pending release for $tag"
         gh release create --draft "$tag" --title "$tag" --notes "$body"
 
@@ -57,7 +64,7 @@ jobs:
   publish_sqlite3:
     needs: [prepare_release]
     permissions:
-      id-token: write
+      id-token: write # Needed to create OIDC token for pub.dev
     if: "${{ startsWith(github.ref_name, 'sqlite3-') }}"
     uses: dart-lang/setup-dart/.github/workflows/publish.yml@v1
     with:
@@ -67,7 +74,7 @@ jobs:
   publish_sqlite3_test:
     needs: [prepare_release]
     permissions:
-      id-token: write
+      id-token: write # Needed to create OIDC token for pub.dev
     if: "${{ startsWith(github.ref_name, 'sqlite3_test-') }}"
     uses: dart-lang/setup-dart/.github/workflows/publish.yml@v1
     with:
@@ -77,7 +84,7 @@ jobs:
   publish_sqlite3_web:
     needs: [prepare_release]
     permissions:
-      id-token: write
+      id-token: write # Needed to create OIDC token for pub.dev
     if: "${{ startsWith(github.ref_name, 'sqlite3_web-') }}"
     uses: dart-lang/setup-dart/.github/workflows/publish.yml@v1
     with:
@@ -87,14 +94,16 @@ jobs:
   publish_sqlite3_connection_pool:
     needs: [fetch_sqlite, prepare_release]
     permissions:
-      id-token: write
+      id-token: write # Needed to create OIDC token for pub.dev
     if: "${{ startsWith(github.ref_name, 'sqlite3_connection_pool-') }}"
     runs-on: ubuntu-latest
     environment: 'pub.dev'
     # This can't use the workflow because we need to download assets to include in
     # the package.
     steps:
     - uses: actions/checkout@v6
+      with:
+        persist-credentials: false
     - uses: dart-lang/setup-dart@v1 # This will request an OIDC token for pub.dev
 
     - name: Download connection pool libraries

.github/zizmor.yaml

@@ -0,0 +1,14 @@
+# Configuration for https://zizmor.sh/, a static analysis tool for GitHub actions.
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        "dart-lang/*": ref-pin
+        "actions/*": ref-pin
+  anonymous-definition:
+    disable: true
+  concurrency-limits:
+    ignore:
+      # We don't need to limit concurrency for publishing, as only maintainers can
+      # push tags.
+      - release.yml:3:1