ci: harden GitHub Actions workflows (#146)

* Add zizmor and actionlint CI job for GitHub Actions auditing

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Configure dependabot for github-actions and bundler with cooldowns

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Pin GitHub Actions to SHA hashes with pinact

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Suppress unpinned-images for service containers

Digest pinning for service container images is nontrivial and low
value for CI test databases.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix artipacked and excessive-permissions findings

Add persist-credentials: false to test job checkout. Set workflow-level
permissions to deny-all and add scoped contents: read to each job.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Pin sqlite3 to ~> 1.4 for Rails 6.x compatibility

Rails 6.0/6.1 requires sqlite3 ~> 1.4, but without a constraint in the
gemspec, bundler resolves sqlite3 2.x on Ruby 3.0+ which is incompatible.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: flavorjones

.github/dependabot.yml

@@ -0,0 +1,23 @@
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    directory: "/"
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+
+  - package-ecosystem: bundler
+    directory: "/"
+    schedule:
+      interval: weekly
+    cooldown:
+      semver-major-days: 7
+      semver-minor-days: 3
+      semver-patch-days: 2
+      default-days: 7

.github/workflows/ci.yml

@@ -2,9 +2,32 @@ name: CI
 
 on: [push, pull_request]
 
+permissions: {}
+
 jobs:
+  lint-actions:
+    name: GitHub Actions audit
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run actionlint
+        uses: rhysd/actionlint@393031adb9afb225ee52ae2ccd7a5af5525e03e8 # v1.7.11
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        with:
+          advanced-security: false
+
   test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     strategy:
       fail-fast: false
@@ -19,13 +42,13 @@ jobs:
 
     services:
       mysql:
-        image: mysql
+        image: mysql # zizmor: ignore[unpinned-images] -- version tag is fine for service containers
         env:
           MYSQL_ALLOW_EMPTY_PASSWORD: yes
         ports:
           - 3306:3306
       postgres:
-        image: postgres
+        image: postgres # zizmor: ignore[unpinned-images] -- version tag is fine for service containers
         env:
           POSTGRES_PASSWORD: password
           POSTGRES_HOST_AUTH_METHOD: trust
@@ -39,9 +62,11 @@ jobs:
       DB_HOST: 127.0.0.1
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      with:
+        persist-credentials: false
 
-    - uses: ruby/setup-ruby@v1
+    - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1.295.0
       with:
         ruby-version: ${{ matrix.ruby-version }}
         bundler-cache: true

marginalia.gemspec

@@ -16,7 +16,7 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency "rake"
   gem.add_development_dependency "mysql2"
   gem.add_development_dependency "pg"
-  gem.add_development_dependency "sqlite3"
+  gem.add_development_dependency "sqlite3", "~> 1.4"
   gem.add_development_dependency "minitest"
   gem.add_development_dependency "mocha"
   gem.add_development_dependency "sidekiq"