ci: add zizmor workflow and harden actions

.github/workflows/build.yml

@@ -12,13 +12,23 @@ on:
       - released
   workflow_dispatch: {}
 
+permissions:
+  contents: read
+
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 env:
   # See https://github.com/nodejs/release#release-schedule
   # Node.js v20 EOL = 2026-04-30. v22 EOL = 2027-04-30. v23 EOL = 2025-06-01. v24 EOL = 2028-04-30. v25 EOL = 2026-06-01.
   # Node.js 20-24 can build with GCC 10 (bullseye)
   NODE_BUILD_CMD_LEGACY: npx --no-install prebuild -r node -t 20.0.0 -t 22.0.0 -t 23.0.0 -t 24.0.0 --include-regex '_sqlite3'
   # Node.js 25+ requires GCC 11+ for <source_location> header (bookworm)
   NODE_BUILD_CMD_MODERN: npx --no-install prebuild -r node -t 25.0.0 --include-regex '_sqlite3'
+  NODE_IMAGE_ALPINE: node:20-alpine@sha256:fb4cd12c85ee03686f6af5362a0b0d56d50c58a04632e6c0fb8363f609372293
+  NODE_IMAGE_BOOKWORM: node:20-bookworm@sha256:8f693eaa7e0a8e71560c9a82b55fd54c2ae920a2ba5d2cde28bac7d1c01c9ba5
+  NODE_IMAGE_BULLSEYE: node:20-bullseye@sha256:c0122351f25f04facee976f9db7214789eabadb489f4e4aea9cd00a0d6af77c4
 
 jobs:
   test:
@@ -40,9 +50,12 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ matrix.node }}
+          package-manager-cache: false
       - if: ${{ startsWith(matrix.os, 'windows') }}
         run: pip.exe install setuptools
       - if: ${{ startsWith(matrix.os, 'macos') }}
@@ -89,9 +102,12 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
         with:
           bun-version: ${{ matrix.bun }}
+          no-cache: true
       - if: ${{ startsWith(matrix.os, 'macos') }}
         run: brew install python-setuptools
       - if: ${{ !startsWith(matrix.os, 'macos') }}
@@ -135,10 +151,13 @@ jobs:
       - prebuild-linux-arm-node-modern
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: 20
           registry-url: https://registry.npmjs.org
+          package-manager-cache: false
       - name: Upgrade npm for OIDC support
         run: npm install -g npm@latest
       - run: npm publish --provenance
@@ -155,59 +174,99 @@ jobs:
     name: Prebuild on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
     needs: test
+    permissions:
+      contents: write # Required to upload prebuild artifacts to the GitHub release.
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: 20
+          package-manager-cache: false
       - if: ${{ startsWith(matrix.os, 'windows') }}
         run: pip.exe install setuptools
       - if: ${{ startsWith(matrix.os, 'macos') }}
         run: brew install python-setuptools
       - run: npm install --ignore-scripts
-      - run: ${{ env.NODE_BUILD_CMD_LEGACY }} -u ${{ secrets.GITHUB_TOKEN }}
-      - run: ${{ env.NODE_BUILD_CMD_MODERN }} -u ${{ secrets.GITHUB_TOKEN }}
+      - name: Prebuild Node 20-24
+        shell: bash
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: $NODE_BUILD_CMD_LEGACY -u "$GH_TOKEN"
+      - name: Prebuild Node 25+
+        shell: bash
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: $NODE_BUILD_CMD_MODERN -u "$GH_TOKEN"
       - if: matrix.os == 'windows-2022'
+        shell: bash
+        env:
+          GH_TOKEN: ${{ github.token }}
         run: |
-          ${{ env.NODE_BUILD_CMD_LEGACY }} --arch ia32 -u ${{ secrets.GITHUB_TOKEN }}
-          ${{ env.NODE_BUILD_CMD_MODERN }} --arch ia32 -u ${{ secrets.GITHUB_TOKEN }}
-          ${{ env.NODE_BUILD_CMD_LEGACY }} --arch arm64 -u ${{ secrets.GITHUB_TOKEN }}
-          ${{ env.NODE_BUILD_CMD_MODERN }} --arch arm64 -u ${{ secrets.GITHUB_TOKEN }}
+          $NODE_BUILD_CMD_LEGACY --arch ia32 -u "$GH_TOKEN"
+          $NODE_BUILD_CMD_MODERN --arch ia32 -u "$GH_TOKEN"
+          $NODE_BUILD_CMD_LEGACY --arch arm64 -u "$GH_TOKEN"
+          $NODE_BUILD_CMD_MODERN --arch arm64 -u "$GH_TOKEN"
 
   prebuild-linux-x64:
     if: ${{ github.event_name == 'release' }}
     name: Prebuild on Linux x64
     runs-on: ubuntu-latest
-    container: node:20-bullseye
+    container: node:20-bullseye@sha256:c0122351f25f04facee976f9db7214789eabadb489f4e4aea9cd00a0d6af77c4
     needs: test
+    permissions:
+      contents: write # Required to upload prebuild artifacts to the GitHub release.
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - run: npm install --ignore-scripts
-      - run: ${{ env.NODE_BUILD_CMD_LEGACY }} -u ${{ secrets.GITHUB_TOKEN }}
+      - name: Prebuild Node 20-24
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: $NODE_BUILD_CMD_LEGACY -u "$GH_TOKEN"
 
   prebuild-linux-x64-node-modern:
     if: ${{ github.event_name == 'release' }}
     name: Prebuild on Linux x64 (Node 25+)
     runs-on: ubuntu-latest
-    container: node:20-bookworm
+    container: node:20-bookworm@sha256:8f693eaa7e0a8e71560c9a82b55fd54c2ae920a2ba5d2cde28bac7d1c01c9ba5
     needs: test
+    permissions:
+      contents: write # Required to upload prebuild artifacts to the GitHub release.
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - run: npm install --ignore-scripts
-      - run: ${{ env.NODE_BUILD_CMD_MODERN }} -u ${{ secrets.GITHUB_TOKEN }}
+      - name: Prebuild Node 25+
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: $NODE_BUILD_CMD_MODERN -u "$GH_TOKEN"
 
   prebuild-alpine:
     if: ${{ github.event_name == 'release' }}
     name: Prebuild on alpine
     runs-on: ubuntu-latest
-    container: node:20-alpine
+    container: node:20-alpine@sha256:fb4cd12c85ee03686f6af5362a0b0d56d50c58a04632e6c0fb8363f609372293
     needs: test
+    permissions:
+      contents: write # Required to upload prebuild artifacts to the GitHub release.
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - run: apk add build-base git python3 py3-setuptools libstdc++ readline-dev ncurses-dev --update-cache
       - run: npm install --ignore-scripts
-      - run: ${{ env.NODE_BUILD_CMD_LEGACY }} -u ${{ secrets.GITHUB_TOKEN }}
-      - run: ${{ env.NODE_BUILD_CMD_MODERN }} -u ${{ secrets.GITHUB_TOKEN }}
+      - name: Prebuild Node 20-24
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: $NODE_BUILD_CMD_LEGACY -u "$GH_TOKEN"
+      - name: Prebuild Node 25+
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: $NODE_BUILD_CMD_MODERN -u "$GH_TOKEN"
 
   prebuild-alpine-arm:
     if: ${{ github.event_name == 'release' }}
@@ -220,16 +279,23 @@ jobs:
     name: Prebuild on alpine (${{ matrix.arch }})
     runs-on: ubuntu-latest
     needs: test
+    permissions:
+      contents: write # Required to upload prebuild artifacts to the GitHub release.
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
-      - run: |
-          docker run --rm -v $(pwd):/tmp/project --entrypoint /bin/sh --platform linux/${{ matrix.arch }} node:20-alpine -c "\
+        with:
+          persist-credentials: false
+      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+      - env:
+          ARCH: ${{ matrix.arch }}
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          docker run --rm -e GH_TOKEN -e NODE_BUILD_CMD_LEGACY -e NODE_BUILD_CMD_MODERN -v "$(pwd):/tmp/project" --entrypoint /bin/sh --platform "linux/$ARCH" "$NODE_IMAGE_ALPINE" -c "\
           apk add build-base git python3 py3-setuptools libstdc++ readline-dev ncurses-dev --update-cache && \
           cd /tmp/project && \
           npm install --ignore-scripts && \
-          ${{ env.NODE_BUILD_CMD_LEGACY }} -u ${{ secrets.GITHUB_TOKEN }} && \
-          ${{ env.NODE_BUILD_CMD_MODERN }} -u ${{ secrets.GITHUB_TOKEN }}"
+          \$NODE_BUILD_CMD_LEGACY -u \"\$GH_TOKEN\" && \
+          \$NODE_BUILD_CMD_MODERN -u \"\$GH_TOKEN\""
 
   prebuild-linux-arm:
     if: ${{ github.event_name == 'release' }}
@@ -242,14 +308,21 @@ jobs:
     name: Prebuild on Linux (${{ matrix.arch }})
     runs-on: ubuntu-latest
     needs: test
+    permissions:
+      contents: write # Required to upload prebuild artifacts to the GitHub release.
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
-      - run: |
-          docker run --rm -v $(pwd):/tmp/project --entrypoint /bin/sh --platform linux/${{ matrix.arch }} node:20-bullseye -c "\
+        with:
+          persist-credentials: false
+      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+      - env:
+          ARCH: ${{ matrix.arch }}
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          docker run --rm -e GH_TOKEN -e NODE_BUILD_CMD_LEGACY -v "$(pwd):/tmp/project" --entrypoint /bin/sh --platform "linux/$ARCH" "$NODE_IMAGE_BULLSEYE" -c "\
           cd /tmp/project && \
           npm install --ignore-scripts && \
-          ${{ env.NODE_BUILD_CMD_LEGACY }} -u ${{ secrets.GITHUB_TOKEN }}"
+          \$NODE_BUILD_CMD_LEGACY -u \"\$GH_TOKEN\""
 
   prebuild-linux-arm-node-modern:
     if: ${{ github.event_name == 'release' }}
@@ -262,11 +335,18 @@ jobs:
     name: Prebuild on Linux (${{ matrix.arch }}) (Node 25+)
     runs-on: ubuntu-latest
     needs: test
+    permissions:
+      contents: write # Required to upload prebuild artifacts to the GitHub release.
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
-      - run: |
-          docker run --rm -v $(pwd):/tmp/project --entrypoint /bin/sh --platform linux/${{ matrix.arch }} node:20-bookworm -c "\
+        with:
+          persist-credentials: false
+      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+      - env:
+          ARCH: ${{ matrix.arch }}
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          docker run --rm -e GH_TOKEN -e NODE_BUILD_CMD_MODERN -v "$(pwd):/tmp/project" --entrypoint /bin/sh --platform "linux/$ARCH" "$NODE_IMAGE_BOOKWORM" -c "\
           cd /tmp/project && \
           npm install --ignore-scripts && \
-          ${{ env.NODE_BUILD_CMD_MODERN }} -u ${{ secrets.GITHUB_TOKEN }}"
+          \$NODE_BUILD_CMD_MODERN -u \"\$GH_TOKEN\""

.github/workflows/zizmor.yml

@@ -0,0 +1,34 @@
+name: GitHub Actions Security Analysis
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+permissions: {}
+
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Required to upload SARIF results.
+      contents: read # Required to check out private repository contents.
+      actions: read # Required to read private workflow run metadata.
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+        with:
+          version: v1.25.2
+          persona: auditor

.gitignore

@@ -2,7 +2,6 @@
 logs
 *.log
 npm-debug.log*
-package-lock.json
 yarn.lock
 
 # Runtime data

.npmrc

@@ -1,5 +1,3 @@
-package-lock=false
-
 # Supply-chain hardening: only install npm versions published >=7 days ago,
 # so freshly-compromised releases are likely caught/yanked before we pull them.
 # https://snyk.io/blog/tanstack-npm-packages-compromised/