Merge pull request #88 from ocean/claude/zizmor-security-improvements-TYtjO

ocean · web-flow · commit 166dc9d6ee1e · 2026-03-20T17:14:45.000+11:00
security: apply zizmor GitHub Actions security improvements
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -14,6 +14,7 @@ updates:
       semver-major-days: 10
       semver-minor-days: 5
       semver-patch-days: 2
+      default-days: 7
   # Enable version checks and updates for Rust dependencies.
   - package-ecosystem: "cargo"
     directory: "/native/ecto_libsql/"
@@ -23,10 +24,13 @@ updates:
       semver-major-days: 10
       semver-minor-days: 5
       semver-patch-days: 2
+      default-days: 7
   # Enable version updates for GitHub Actions.
   - package-ecosystem: "github-actions"
     # Workflow files stored in the default location of `.github/workflows`
     # You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.
     directory: "/"
     schedule:
       interval: "monthly"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,7 +1,6 @@
 name: CI
 permissions:
   contents: read
-  pull-requests: write
 
 on:
   pull_request:
@@ -26,16 +25,18 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up Rust
-        uses: dtolnay/rust-toolchain@stable
-        with:
-          toolchain: ${{ matrix.rust }}
-          components: rustfmt, clippy
+        run: |
+          rustup update ${{ matrix.rust }}
+          rustup default ${{ matrix.rust }}
+          rustup component add rustfmt clippy
 
       - name: Cache Rust dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: |
             ~/.cargo/bin/
@@ -76,15 +77,18 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up Rust nightly
-        uses: dtolnay/rust-toolchain@nightly
-        with:
-          components: llvm-tools-preview
+        run: |
+          rustup update nightly
+          rustup default nightly
+          rustup component add llvm-tools-preview
 
       - name: Cache Rust dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: |
             ~/.cargo/bin/
@@ -119,21 +123,21 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up Rust
-        uses: dtolnay/rust-toolchain@stable
-        with:
-          toolchain: stable
+        run: rustup update stable && rustup default stable
 
       - name: Set up Elixir
-        uses: erlef/setup-beam@v1
+        uses: erlef/setup-beam@ee09b1e59bb240681c382eb1f0abc6a04af72764 # v1
         with:
           elixir-version: ${{ matrix.elixir }}
           otp-version: ${{ matrix.otp }}
 
       - name: Cache Mix dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: |
             deps
@@ -176,21 +180,21 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up Rust
-        uses: dtolnay/rust-toolchain@stable
-        with:
-          toolchain: stable
+        run: rustup update stable && rustup default stable
 
       - name: Set up Elixir
-        uses: erlef/setup-beam@v1
+        uses: erlef/setup-beam@ee09b1e59bb240681c382eb1f0abc6a04af72764 # v1
         with:
           elixir-version: ${{ matrix.elixir }}
           otp-version: ${{ matrix.otp }}
 
       - name: Cache Mix dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: |
             deps
@@ -215,19 +219,21 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up Rust
-        uses: dtolnay/rust-toolchain@stable
+        run: rustup update stable && rustup default stable
 
       - name: Set up Elixir
-        uses: erlef/setup-beam@v1
+        uses: erlef/setup-beam@ee09b1e59bb240681c382eb1f0abc6a04af72764 # v1
         with:
           elixir-version: "1.18.0"
           otp-version: "27.0"
 
       - name: Cache Mix dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: |
             deps
@@ -237,7 +243,7 @@ jobs:
             ${{ runner.os }}-integration-mix-
 
       - name: Cache Rust dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: |
             ~/.cargo/bin/
@@ -286,16 +292,17 @@ jobs:
   turso-remote-tests:
     name: Turso Remote Database Tests
     runs-on: ubuntu-latest
+    environment: test
     needs: [rust-checks, elixir-tests-latest, elixir-tests-compatibility]
     # Only run on PRs to main
     if: github.event_name == 'pull_request' && github.base_ref == 'main'
-    env:
-      TURSO_DB_URI: ${{ secrets.TURSO_DB_URI }}
-      TURSO_AUTH_TOKEN: ${{ secrets.TURSO_AUTH_TOKEN }}
 
     steps:
       - name: Check if secrets are available
         id: check-secrets
+        env:
+          TURSO_DB_URI: ${{ secrets.TURSO_DB_URI }}
+          TURSO_AUTH_TOKEN: ${{ secrets.TURSO_AUTH_TOKEN }}
         run: |
           if [ -z "$TURSO_DB_URI" ] || [ -z "$TURSO_AUTH_TOKEN" ]; then
             echo "Secrets not available, skipping tests"
@@ -307,22 +314,24 @@ jobs:
 
       - name: Checkout code
         if: steps.check-secrets.outputs.skip != 'true'
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up Rust
         if: steps.check-secrets.outputs.skip != 'true'
-        uses: dtolnay/rust-toolchain@stable
+        run: rustup update stable && rustup default stable
 
       - name: Set up Elixir
         if: steps.check-secrets.outputs.skip != 'true'
-        uses: erlef/setup-beam@v1
+        uses: erlef/setup-beam@ee09b1e59bb240681c382eb1f0abc6a04af72764 # v1
         with:
           elixir-version: "1.18.0"
           otp-version: "27.0"
 
       - name: Cache Mix dependencies
         if: steps.check-secrets.outputs.skip != 'true'
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: |
             deps
@@ -333,7 +342,7 @@ jobs:
 
       - name: Cache Rust dependencies
         if: steps.check-secrets.outputs.skip != 'true'
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: |
             ~/.cargo/bin/
@@ -355,6 +364,9 @@ jobs:
 
       - name: Run Turso remote tests
         if: steps.check-secrets.outputs.skip != 'true'
+        env:
+          TURSO_DB_URI: ${{ secrets.TURSO_DB_URI }}
+          TURSO_AUTH_TOKEN: ${{ secrets.TURSO_AUTH_TOKEN }}
         run: mix test test/turso_remote_test.exs --trace
 
   all-checks-pass:
@@ -374,21 +386,28 @@ jobs:
     steps:
       - name: Check if all jobs passed
         run: |
-          if [ "${{ needs.rust-checks.result }}" != "success" ] || \
-             [ "${{ needs.rust-fuzz.result }}" != "success" ] || \
-             [ "${{ needs.elixir-tests-latest.result }}" != "success" ] || \
-             [ "${{ needs.elixir-tests-compatibility.result }}" != "success" ] || \
-             [ "${{ needs.integration-test.result }}" != "success" ]; then
+          if [ "${NEEDS_RUST_CHECKS_RESULT}" != "success" ] || \
+             [ "${NEEDS_RUST_FUZZ_RESULT}" != "success" ] || \
+             [ "${NEEDS_ELIXIR_TESTS_LATEST_RESULT}" != "success" ] || \
+             [ "${NEEDS_ELIXIR_TESTS_COMPATIBILITY_RESULT}" != "success" ] || \
+             [ "${NEEDS_INTEGRATION_TEST_RESULT}" != "success" ]; then
             echo "One or more checks failed"
             exit 1
           fi
           echo "All checks passed successfully!"
 
           # Note: Turso remote tests are optional and don't block the build
-          if [ "${{ needs.turso-remote-tests.result }}" == "success" ]; then
+          if [ "${NEEDS_TURSO_REMOTE_TESTS_RESULT}" == "success" ]; then
             echo "Turso remote tests also passed!"
-          elif [ "${{ needs.turso-remote-tests.result }}" == "skipped" ]; then
+          elif [ "${NEEDS_TURSO_REMOTE_TESTS_RESULT}" == "skipped" ]; then
             echo "Turso remote tests were skipped (not on PR to main or credentials not available)"
-          elif [ "${{ needs.turso-remote-tests.result }}" == "failure" ]; then
+          elif [ "${NEEDS_TURSO_REMOTE_TESTS_RESULT}" == "failure" ]; then
             echo "WARNING: Turso remote tests failed (but not blocking the build)"
           fi
+        env:
+          NEEDS_RUST_CHECKS_RESULT: ${{ needs.rust-checks.result }}
+          NEEDS_RUST_FUZZ_RESULT: ${{ needs.rust-fuzz.result }}
+          NEEDS_ELIXIR_TESTS_LATEST_RESULT: ${{ needs.elixir-tests-latest.result }}
+          NEEDS_ELIXIR_TESTS_COMPATIBILITY_RESULT: ${{ needs.elixir-tests-compatibility.result }}
+          NEEDS_INTEGRATION_TEST_RESULT: ${{ needs.integration-test.result }}
+          NEEDS_TURSO_REMOTE_TESTS_RESULT: ${{ needs.turso-remote-tests.result }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -48,7 +48,9 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Extract and validate project version
         shell: bash
@@ -83,13 +85,14 @@ jobs:
           echo "PROJECT_VERSION=$VERSION" >> $GITHUB_ENV
 
       - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
-        with:
-          targets: ${{ matrix.job.target }}
+        run: |
+          rustup update stable
+          rustup default stable
+          rustup target add ${{ matrix.job.target }}
 
       - name: Build the project
         id: build-crate
-        uses: philss/rustler-precompiled-action@v1.1.4
+        uses: philss/rustler-precompiled-action@853ac56183f29a080304df3ff8a194b5bbdc24cc # v1.1.4
         with:
           project-name: ecto_libsql
           project-version: ${{ env.PROJECT_VERSION }}
@@ -99,14 +102,14 @@ jobs:
           project-dir: "."
 
       - name: Artifact upload
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: ${{ steps.build-crate.outputs.file-name }}
           path: ${{ steps.build-crate.outputs.file-path }}
 
       - name: Publish archives and packages
-        uses: softprops/action-gh-release@v2
-        with:
-          files: |
-            ${{ steps.build-crate.outputs.file-path }}
         if: startsWith(github.ref, 'refs/tags/') && inputs.test_only != 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_FILE_PATH: ${{ steps.build-crate.outputs.file-path }}
+        run: gh release upload "${GITHUB_REF_NAME}" "${RELEASE_FILE_PATH}" --clobber
