Merge pull request #46 from berquist/update-ci

CI: install GSL, add zizmor, add pre-commit

.github/workflows/ci.yml

@@ -11,9 +11,21 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  prechecks:
+    uses: ./.github/workflows/pre-commit.yml
+  separate-zizmor:
+    uses: ./.github/workflows/zizmor.yml
+  all-prechecks:
+    needs: [prechecks, separate-zizmor]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Success
+        run: "true"
   nix:
+    needs: [all-prechecks]
     uses: ./.github/workflows/nix.yml
   unit-tests:
+    needs: [all-prechecks]
     uses: ./.github/workflows/test.yml
   docker:
     needs: [nix, unit-tests]

.github/workflows/pre-commit.yml

@@ -0,0 +1,22 @@
+---
+name: pre-commit
+
+# yamllint disable-line rule:truthy
+on:
+  workflow_call:
+
+concurrency:
+  group: style-${{github.ref}}-${{github.event.pull_request.number || github.run_number}}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1

.github/workflows/test.yml

@@ -10,6 +10,8 @@ concurrency:
   group: test-${{github.ref}}-${{github.event.pull_request.number || github.run_number}}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   build_and_test:
     name: build and test
@@ -22,11 +24,14 @@ jobs:
           - nightly
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
       - name: clean up cargo bin dir for rustup
         run: |
           rm "${HOME}"/.cargo/bin/cargo-fmt
           rm "${HOME}"/.cargo/bin/rust-analyzer
           rm "${HOME}"/.cargo/bin/rustfmt
+      - run: sudo apt-get install -y --no-install-recommends libgsl-dev
       - run: rustup update ${{ matrix.toolchain }} && rustup default ${{ matrix.toolchain }}
       - run: cargo build --verbose
       - run: cargo test --verbose

.github/workflows/zizmor.yml

@@ -0,0 +1,39 @@
+---
+# derived from https://woodruffw.github.io/zizmor/usage/#use-in-github-actions
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+# yamllint disable-line rule:truthy
+on:
+  workflow_call:
+
+concurrency:
+  group: zizmor-${{github.ref}}-${{github.event.pull_request.number || github.run_number}}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: zizmor latest via PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      # required for workflows in private repositories
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5
+      - name: Run zizmor 🌈
+        run: uvx zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor

.github/zizmor.yml

@@ -0,0 +1,5 @@
+---
+rules:
+  excessive-permissions:
+    ignore:
+      - ci.yml