From e90415d61efd508e0fb8890401cf7536e504c802 Mon Sep 17 00:00:00 2001 From: Jure Rotar Date: Tue, 19 May 2026 09:53:09 +0200 Subject: [PATCH 1/5] chore: added zizmor to GH Actions ci workflow --- .github/workflows/ci.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 37062d8..e59b48a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -51,6 +51,20 @@ jobs: - name: Run format check run: npx oxfmt . --check + zizmor: + name: Zizmor GitHub Actions check + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@v6 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@v0.5.3 + test-browser: name: Run browser tests runs-on: ubuntu-latest From 72c4730041fe7a833c7460b33b87440c0b42db71 Mon Sep 17 00:00:00 2001 From: Jure Rotar Date: Fri, 22 May 2026 10:06:13 +0200 Subject: [PATCH 2/5] chore: actions now use pinned versions --- .github/actions/node-setup/action.yml | 4 +--- .github/workflows/build-wasm.yml | 8 ++++---- .github/workflows/ci.yml | 22 ++++++++++------------ .github/workflows/publish.yml | 6 ++---- 4 files changed, 17 insertions(+), 23 deletions(-) diff --git a/.github/actions/node-setup/action.yml b/.github/actions/node-setup/action.yml index 2822d5e..1ee7317 100644 --- a/.github/actions/node-setup/action.yml +++ b/.github/actions/node-setup/action.yml @@ -8,11 +8,9 @@ runs: using: 'composite' steps: - name: Setup Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ inputs.node-version }} - cache: 'npm' - cache-dependency-path: package-lock.json - name: Install dependencies shell: bash diff --git a/.github/workflows/build-wasm.yml b/.github/workflows/build-wasm.yml index 4af90ad..0a2b836 100644 --- a/.github/workflows/build-wasm.yml +++ b/.github/workflows/build-wasm.yml 
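Review bot: The new `Run zizmor` step in the `zizmor` job runs zizmorcore/zizmor-action in its default mode, which as far as I recall uploads SARIF to code scanning rather than failing the job, so this check may never actually block a pull request; if a blocking gate is intended, confirm the action's documented behaviour and either switch it to fail-on-findings mode (the `advanced-security` input, if that is still its name) or run the zizmor CLI in a `run:` step whose exit status fails the job. The job-level `permissions` block with only `security-events: write` is consistent with the SARIF-upload mode, so the two decisions should be made together. The `ci.yml` job list continues outside this hunk.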
@@ -17,7 +17,7 @@ jobs: pull-requests: write steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -53,11 +53,11 @@ jobs: - name: Set up Buildx Docker CLI plugin if: steps.check-branch.outputs.skip != 'true' - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Build Docker image if: steps.check-branch.outputs.skip != 'true' - uses: docker/build-push-action@v6 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: context: . load: true @@ -92,7 +92,7 @@ jobs: - name: Create Pull Request if: steps.check-branch.outputs.skip != 'true' && steps.git-check.outputs.changes == 'true' - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: token: ${{ secrets.GITHUB_TOKEN }} commit-message: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e59b48a..4a357f3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -24,9 +24,9 @@ jobs: contents: read steps: - name: Checkout repo - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - fetch-depth: 0 + persist-credentials: false - name: Set up Node.js uses: ./.github/actions/node-setup @@ -41,9 +41,9 @@ jobs: contents: read steps: - name: Checkout repo - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - fetch-depth: 0 + persist-credentials: false - name: Setup environment (node + install) uses: ./.github/actions/node-setup 
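Review bot: Replacing `fetch-depth: 0` with `persist-credentials: false` at the `Checkout repo` step of the first `ci.yml` hunk (`@@ -24,9 +24,9 @@`) changes more than credential handling: without `fetch-depth: 0` actions/checkout falls back to a shallow clone of depth 1, so any later step in that job that needs history or tags (changed-file detection, `git describe`, commit linting) will behave differently — the rest of the job is outside the hunk, so please confirm none of its steps rely on history. If full history is still required, keep both keys under `with:`: `fetch-depth: 0` / `persist-credentials: false`. The same replacement is made in the `@@ -41,9 +41,9 @@` hunk on this line, in the `@@ -72,9 +72,9 @@` and `@@ -118,9 +118,7 @@` hunks of `ci.yml`, and in the `@@ -16,9 +16,7 @@` hunk of `publish.yml`.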
@@ -58,12 +58,12 @@ jobs: security-events: write steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Run zizmor - uses: zizmorcore/zizmor-action@v0.5.3 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 test-browser: name: Run browser tests @@ -72,9 +72,9 @@ jobs: contents: read steps: - name: Checkout repo - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - fetch-depth: 0 + persist-credentials: false - name: Setup environment (node + install) uses: ./.github/actions/node-setup @@ -87,7 +87,7 @@ jobs: >> $GITHUB_OUTPUT - name: Cache Playwright browsers - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 id: playwright-cache with: path: ~/.cache/ms-playwright @@ -118,9 +118,7 @@ jobs: node-version: [20, 22, 23, 24, 25] steps: - name: Checkout repo - uses: actions/checkout@v6 - with: - fetch-depth: 0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup environment (node + install) uses: ./.github/actions/node-setup diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 7eef672..f195d96 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -16,9 +16,7 @@ jobs: id-token: write steps: - name: Checkout repo - uses: actions/checkout@v6 - with: - fetch-depth: 0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup environment (node + install) uses: ./.github/actions/node-setup @@ -29,7 +27,7 @@ jobs: run: npm run prepublishOnly - name: Configure npm for OIDC trusted publishing - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 registry-url: https://registry.npmjs.org 
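Review bot: In the `@@ -118,9 +118,7 @@` hunk of `ci.yml` the `Checkout repo` step of the Node matrix job loses its whole `with:` block instead of having `fetch-depth: 0` swapped for `persist-credentials: false`, so that checkout keeps actions/checkout's default `persist-credentials: true` and, as far as I know of the action, leaves the token in the workspace git config for later steps — inconsistent with the other checkouts in this commit. The `@@ -16,9 +16,7 @@` hunk of `publish.yml` does the same, and that job additionally holds `id-token: write` for trusted publishing, so it is the one where a lingering token matters most. Restore the block under the pinned `uses:` line in both places: `with:` / `persist-credentials: false`. The enclosing jobs continue outside each hunk.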
From 0dc5ff1be38f659c1654abe402ecee6c5420768d Mon Sep 17 00:00:00 2001 From: Jure Rotar Date: Fri, 22 May 2026 10:09:52 +0200 Subject: [PATCH 3/5] chore: explicit package manager cache disable --- .github/actions/node-setup/action.yml | 1 + .github/workflows/publish.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/actions/node-setup/action.yml b/.github/actions/node-setup/action.yml index 1ee7317..1850e96 100644 --- a/.github/actions/node-setup/action.yml +++ b/.github/actions/node-setup/action.yml @@ -11,6 +11,7 @@ runs: uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ inputs.node-version }} + package-manager-cache: false - name: Install dependencies shell: bash diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index f195d96..99b4a34 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -30,6 +30,7 @@ jobs: uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 + package-manager-cache: false registry-url: https://registry.npmjs.org - name: Publish to npm From e72b53399dbb8e668c23cc158cbb12283f9794ae Mon Sep 17 00:00:00 2001 From: Jure Rotar Date: Fri, 22 May 2026 10:16:05 +0200 Subject: [PATCH 4/5] test: testing stricter zizmor persona --- .github/workflows/ci.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4a357f3..473bc53 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -55,6 +55,8 @@ jobs: name: Zizmor GitHub Actions check runs-on: ubuntu-latest permissions: + actions: read + contents: read security-events: write steps: - name: Checkout repository @@ -64,6 +66,11 @@ jobs: - name: Run zizmor uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + online-audits: true + persona: auditor + min-severity: informational + min-confidence: low test-browser: name: Run browser tests 
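Review bot: `package-manager-cache: false` added under the `Setup Node.js` step of `action.yml` reverses setup-node's default and is a deliberate, non-obvious choice that nothing in the file explains, so a later maintainer is likely to re-enable caching for speed. Add a comment above it along the lines of `# Dependency caching deliberately disabled: this composite action also runs in publish.yml, where a poisoned cache could reach the published package` — adjust the wording to the real motivation, which I presume is zizmor's cache-poisoning audit. The same comment belongs on the matching line in the `publish.yml` hunk of this patch.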
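Review bot: The `with:` block added to the `Run zizmor` step (`persona: auditor`, `min-severity: informational`, `min-confidence: low`) selects the most verbose reporting zizmor offers, and `online-audits: true` adds audits that query the GitHub API, so the check's outcome now depends on network access and, presumably, on the token the action receives under the `actions: read` / `contents: read` grants added in the preceding hunk. With results going to code scanning this will surface a large volume of informational, low-confidence entries. Since the commit subject describes this as a test, record the intended steady state in a comment above the block, e.g. `# Strictest persona and thresholds while we baseline; relax min-severity once the informational findings are triaged`. The `zizmor` job definition starts outside this hunk.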
From 52970871660c4580750b37785141639722d58518 Mon Sep 17 00:00:00 2001 From: Jure Rotar Date: Fri, 22 May 2026 10:25:15 +0200 Subject: [PATCH 5/5] chore: removed peter-evans/create-pull-request, added permission comment --- .github/workflows/build-wasm.yml | 40 ++++++++++++++++++++------------ .github/workflows/ci.yml | 1 + 2 files changed, 26 insertions(+), 15 deletions(-) diff --git a/.github/workflows/build-wasm.yml b/.github/workflows/build-wasm.yml index 0a2b836..31e0e73 100644 --- a/.github/workflows/build-wasm.yml +++ b/.github/workflows/build-wasm.yml @@ -92,18 +92,28 @@ jobs: - name: Create Pull Request if: steps.check-branch.outputs.skip != 'true' && steps.git-check.outputs.changes == 'true' - uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - commit-message: - 'chore: update SQLite Wasm binaries from ${{ steps.resolve-ref.outputs.sqlite_ref }} - (${{ steps.resolve-ref.outputs.sqlite_sha }})' - title: - 'chore: update SQLite Wasm binaries from ${{ steps.resolve-ref.outputs.sqlite_ref }}' - body: | - This PR updates the SQLite Wasm binaries in `src/bin` by building them from SQLite reference `${{ steps.resolve-ref.outputs.sqlite_ref }}` (commit `${{ steps.resolve-ref.outputs.sqlite_sha }}`). - - Triggered by manual workflow dispatch. - branch: ${{ steps.resolve-ref.outputs.branch_name }} - base: main - delete-branch: true + env: + BRANCH_NAME: ${{ steps.resolve-ref.outputs.branch_name }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SQLITE_REF: ${{ steps.resolve-ref.outputs.sqlite_ref }} + SQLITE_SHA: ${{ steps.resolve-ref.outputs.sqlite_sha }} + run: | + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + + git switch -c "$BRANCH_NAME" + git commit -m "chore: update SQLite Wasm binaries from ${SQLITE_REF} (${SQLITE_SHA})" + gh auth setup-git + git push origin "HEAD:${BRANCH_NAME}" + + cat > pr-body.md <