diff --git a/.github/actions/android/action.yml b/.github/actions/android/action.yml index 0603fafa..6f050aea 100644 --- a/.github/actions/android/action.yml +++ b/.github/actions/android/action.yml @@ -39,9 +39,12 @@ runs: if: ${{ inputs.sign-publication == '1' }} run: | cd android - ./gradlew build zipPublication -PgpgKey=${{ inputs.gpg-key }} -PgpgPassword=${{ inputs.gpg-password }} + ./gradlew build zipPublication -PgpgKey=${INPUTS_GPG_KEY} -PgpgPassword=${INPUTS_GPG_PASSWORD} ls -lh build/outputs/aar find build/repository + env: + INPUTS_GPG_KEY: ${{ inputs.gpg-key }} + INPUTS_GPG_PASSWORD: ${{ inputs.gpg-password }} - name: Build library without signing shell: bash diff --git a/.github/actions/linux/action.yml b/.github/actions/linux/action.yml index 8d64e654..67da9e34 100644 --- a/.github/actions/linux/action.yml +++ b/.github/actions/linux/action.yml @@ -5,11 +5,9 @@ runs: using: "composite" steps: - name: Install Rust Nightly - uses: dtolnay/rust-toolchain@stable - with: - toolchain: nightly-2026-04-10 - components: rust-src - targets: aarch64-unknown-linux-gnu,x86_64-unknown-linux-gnu,i686-unknown-linux-gnu,riscv64gc-unknown-linux-gnu,armv7-unknown-linux-gnueabihf + shell: bash + run: + rustup install --target aarch64-unknown-linux-gnu,x86_64-unknown-linux-gnu,i686-unknown-linux-gnu,riscv64gc-unknown-linux-gnu,armv7-unknown-linux-gnueabihf - name: Install cross-compiling GCC shell: bash diff --git a/.github/actions/macos/action.yml b/.github/actions/macos/action.yml index 797c1ad8..4e07d7c2 100644 --- a/.github/actions/macos/action.yml +++ b/.github/actions/macos/action.yml @@ -5,11 +5,9 @@ runs: using: "composite" steps: - name: Install Rust Nightly - uses: dtolnay/rust-toolchain@stable - with: - toolchain: nightly-2026-04-10 - components: rust-src - targets: x86_64-apple-darwin,aarch64-apple-darwin + shell: bash + run: + rustup install --target x86_64-apple-darwin,aarch64-apple-darwin - name: Build binaries shell: bash 
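Review bot: In the android action hunk the new `${INPUTS_GPG_KEY}` and `${INPUTS_GPG_PASSWORD}` expansions on the `./gradlew` line are unquoted, so a value containing whitespace or newlines (an armored key, a password with spaces) is word-split by bash before Gradle sees it. Quote both: `./gradlew build zipPublication -PgpgKey="${INPUTS_GPG_KEY}" -PgpgPassword="${INPUTS_GPG_PASSWORD}"`. Moving the expressions into `env:` is the right fix for the template-injection pattern, but passing the key and password as `-P` arguments still leaves them visible in the process list and in any log that echoes the command line; that predates this change, and a follow-up could supply them as `ORG_GRADLE_PROJECT_gpgKey` / `ORG_GRADLE_PROJECT_gpgPassword` environment variables, which Gradle maps onto the same project properties without putting them on the command line.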
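Review bot: In the linux action hunk the new `run:` value is a plain scalar continued on the following line, which YAML folds into a single line but reads like a multi-line script; the other converted steps write it inline (`run: rustup install`), so `run: rustup install --target aarch64-unknown-linux-gnu,...` on one line, or `run: |`, would be consistent. The macos hunk has the same shape. Note that `rustup install` with no toolchain name relies on the runner's rustup resolving the toolchain from `rust-toolchain.toml` — recent rustup releases do this, older ones exit with an error asking for a toolchain argument — which the removed `dtolnay/rust-toolchain` step did not depend on; the linux, macos, windows and wasm actions and the converted tests.yml steps all share that assumption, so it is worth a one-line comment next to one of them.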
diff --git a/.github/actions/upload/action.yml b/.github/actions/upload/action.yml deleted file mode 100644 index 60f4d239..00000000 --- a/.github/actions/upload/action.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: "Upload binary file" -description: "Upload binary file to GitHub releases" -inputs: - repo-token: - required: true - description: "The secret created for the workflow run" - file-name: - required: true - description: "The file name to be uploaded" - tag: - required: false - description: "The short ref name of the branch or tag that triggered the workflow run." - default: ${{ github.ref_name }} -runs: - using: "composite" - steps: - - name: Upload binary - shell: bash - env: - GH_TOKEN: ${{ github.token }} - GH_REPO: ${{ github.repository }} - run: | - gh release upload "${{ inputs.tag }}" "${{ inputs.file-name }}" diff --git a/.github/actions/wasm/action.yml b/.github/actions/wasm/action.yml index d490c627..408f1a8e 100644 --- a/.github/actions/wasm/action.yml +++ b/.github/actions/wasm/action.yml @@ -5,15 +5,8 @@ runs: using: "composite" steps: - name: Install Rust Nightly - uses: dtolnay/rust-toolchain@stable - with: - toolchain: nightly-2026-04-10 - components: rust-src - - - name: Setup emsdk - uses: mymindstorm/setup-emsdk@v14 - with: - version: 4.0.10 + shell: bash + run: rustup install - name: Build WASM shell: bash @@ -23,7 +16,4 @@ runs: with: name: wasm-library retention-days: 14 - path: | - libpowersync-async.wasm - libpowersync.wasm - libpowersync-wasm.a + path: libpowersync-wasm.a diff --git a/.github/actions/windows/action.yml b/.github/actions/windows/action.yml index 1b1f2152..4ecf5f1d 100644 --- a/.github/actions/windows/action.yml +++ b/.github/actions/windows/action.yml 
@@ -5,11 +5,8 @@ runs: using: "composite" steps: - name: Install Rust Nightly - uses: dtolnay/rust-toolchain@stable - with: - toolchain: nightly-2026-04-10 - components: rust-src - targets: x86_64-pc-windows-msvc,aarch64-pc-windows-msvc,i686-pc-windows-msvc + shell: powershell + run: rustup install --target x86_64-pc-windows-msvc,aarch64-pc-windows-msvc,i686-pc-windows-msvc - name: Build binaries shell: bash diff --git a/.github/actions/xcframework/action.yml b/.github/actions/xcframework/action.yml index 54bf450c..6ec6afbc 100644 --- a/.github/actions/xcframework/action.yml +++ b/.github/actions/xcframework/action.yml @@ -17,12 +17,12 @@ runs: x86_64-apple-ios - name: setup-cocoapods - uses: maxim-lobanov/setup-cocoapods@v1 + uses: maxim-lobanov/setup-cocoapods@8e97e1e98e6ccf42564fdf5622c8feec74199377 # v1.4.0 with: version: 1.16.2 - name: Set up XCode - uses: maxim-lobanov/setup-xcode@v1 + uses: maxim-lobanov/setup-xcode@ed7a3b1fda3918c0306d1b724322adc0b8cc0a90 # v1.7.0 with: # TODO: Update to latest-stable once GH installs iOS 26 simulators xcode-version: '^16.4.0' diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..1bb34e19 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,12 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: weekly + cooldown: + default-days: 7 + groups: + github-actions: + patterns: + - "*" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c2a7f493..3f7c6323 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
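Review bot: The new dependabot.yml registers only `directory: "/"` for the github-actions ecosystem, and I am not certain that a scan rooted there covers the composite actions under `.github/actions/*/action.yml` that this commit just SHA-pins (setup-cocoapods, setup-xcode); if it does not, those pins will silently age while the workflows keep getting bumped. Check the first Dependabot run for those files and, if they are missed, list the composite action directories explicitly with `directories:`. The weekly group with the `"*"` pattern bundles every action bump into one PR, which works well with SHA pins because Dependabot also rewrites the trailing `# vX.Y.Z` comments.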
@@ -4,28 +4,34 @@ on: tags: - v[0-9]+.[0-9]+.[0-9]+ +permissions: {} + jobs: draft_release: name: Create Draft GitHub Release runs-on: ubuntu-latest outputs: tag: ${{ steps.tag.outputs.tag }} + permissions: + contents: write # Needed to create a release steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v6 with: + persist-credentials: false fetch-depth: 0 - name: Set tag name id: tag run: | - tag=$(basename "${{ github.ref }}") + tag=$(basename "${GITHUB_REF}") echo "tag=$tag" >> $GITHUB_OUTPUT - name: Create Release env: GH_TOKEN: ${{ github.token }} GH_REPO: ${{ github.repository }} + STEPS_TAG_OUTPUTS_TAG: ${{ steps.tag.outputs.tag }} run: | - tag="${{ steps.tag.outputs.tag }}" + tag="${STEPS_TAG_OUTPUTS_TAG}" body="Release $tag" gh release create --draft "$tag" --title "$tag" --notes "$body" @@ -33,7 +39,9 @@ jobs: name: Building Linux libraries runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Build Linux uses: ./.github/actions/linux @@ -41,7 +49,9 @@ jobs: name: Building macOS libraries runs-on: macos-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Build macOS uses: ./.github/actions/macos @@ -49,7 +59,9 @@ jobs: name: Building Windows libraries runs-on: windows-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Build Windows uses: ./.github/actions/windows @@ -57,7 +69,9 @@ jobs: name: Building Android libraries runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Build Android uses: ./.github/actions/android with: @@ -68,7 +82,9 @@ jobs: name: Basic WASM build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Build wasm uses: ./.github/actions/wasm 
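Review bot: The `Set tag name` step in this hunk still derives the tag with `tag=$(basename "${GITHUB_REF}")`, while the runner already exposes exactly that value as `GITHUB_REF_NAME`; `tag="${GITHUB_REF_NAME}"` drops the subshell. Quote the output file on the next line as well, `echo "tag=$tag" >> "$GITHUB_OUTPUT"`. The `STEPS_TAG_OUTPUTS_TAG` indirection in the Create Release step is the right shape for an expression that reaches a shell, and `persist-credentials: false` together with the job-scoped `contents: write` is what the top-level `permissions: {}` needs to stay safe.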
@@ -77,28 +93,31 @@ jobs: name: Build XCFramework runs-on: macos-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Build XCFramework uses: ./.github/actions/xcframework publish_android: - permissions: - contents: read - packages: write name: Publish Android needs: [ draft_release, libs_android ] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - uses: actions/download-artifact@v4 with: name: android-library - name: Publish to Maven Central + env: + AUTH_TOKEN: ${{ secrets.CENTRAL_AUTH }} run: | curl --request POST \ - --header 'Authorization: Bearer ${{ secrets.CENTRAL_AUTH }}' \ + --header "Authorization: Bearer $AUTH_TOKEN" \ --form bundle=@powersync_android.zip \ 'https://central.sonatype.com/api/v1/publisher/upload?publishingType=AUTOMATIC' @@ -107,7 +126,9 @@ jobs: needs: [ draft_release, libs_xcframework ] runs-on: macos-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Download libs uses: actions/download-artifact@v5 
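Review bot: The `curl` call in the publish_android hunk has no `--fail` / `--fail-with-body`, and curl exits 0 on an HTTP 401/403/5xx, so a rejected upload (for example an expired `CENTRAL_AUTH`) leaves the step green and the release pipeline continues with nothing published. Change the first line to `curl --fail-with-body --request POST \`. Moving the token out of the single-quoted, expression-interpolated header into `AUTH_TOKEN` is the right fix for the injection pattern. The `actions/download-artifact@v4` left in this job differs from the `@v5` used by the other publish jobs and is worth aligning.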
@@ -132,17 +153,21 @@ jobs: env: GH_TOKEN: ${{ github.token }} GH_REPO: ${{ github.repository }} + NEEDS_DRAFT_RELEASE_OUTPUTS_TAG: ${{ needs.draft_release.outputs.tag }} + STEPS_FILENAME_OUTPUTS_FILENAME: ${{ steps.fileName.outputs.fileName }} run: | - gh release upload "${{ needs.draft_release.outputs.tag }}" ${{ steps.fileName.outputs.fileName }} + gh release upload "${NEEDS_DRAFT_RELEASE_OUTPUTS_TAG}" ${STEPS_FILENAME_OUTPUTS_FILENAME} # For SPM package - name: Generate and add checksum to output id: checksum run: | - CHECKSUM=$(swift package compute-checksum ${{ steps.fileName.outputs.fileName }}) + CHECKSUM=$(swift package compute-checksum ${STEPS_FILENAME_OUTPUTS_FILENAME}) echo "checksum=$CHECKSUM" >> $GITHUB_OUTPUT + env: + STEPS_FILENAME_OUTPUTS_FILENAME: ${{ steps.fileName.outputs.fileName }} - name: Dispatch release to SPM package - uses: peter-evans/repository-dispatch@v3 + uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 with: token: ${{ secrets.SWIFT_PUBLISH_TOKEN }} repository: powersync-ja/powersync-sqlite-core-swift @@ -160,9 +185,13 @@ jobs: name: Publish Desktop libraries needs: [ draft_release, libs_linux, libs_macos, libs_windows ] runs-on: ubuntu-latest + permissions: + contents: write # Needed to upload binaries to release. steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Download Linux libraries uses: actions/download-artifact@v5 
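Review bot: The `gh release upload` step in this hunk authenticates with `${{ github.token }}`, but the job it belongs to (its header is above the hunk; the @@ -107 hunk shows only `needs`/`runs-on`/`steps` with no `permissions:` block) is not given `contents: write`, and the new workflow-level `permissions: {}` now strips every default scope, so this upload should fail with a 403 on the next tag push. Add the job-level block the commit adds to publish_desktop and publish_wasm: `permissions:` / `  contents: write # Needed to upload binaries to release.`. Also quote the two file-name expansions, `"${STEPS_FILENAME_OUTPUTS_FILENAME}"`, in the upload and checksum lines now that they are expanded by the shell rather than substituted textually.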
@@ -195,51 +224,45 @@ jobs: env: GH_TOKEN: ${{ github.token }} GH_REPO: ${{ github.repository }} + TAG: ${{ needs.draft_release.outputs.tag }} run: | - gh release upload "${{ needs.draft_release.outputs.tag }}" *.dll - gh release upload "${{ needs.draft_release.outputs.tag }}" *.dylib - gh release upload "${{ needs.draft_release.outputs.tag }}" *.so - gh release upload "${{ needs.draft_release.outputs.tag }}" static_libs.zip + gh release upload "${TAG}" *.dll + gh release upload "${TAG}" *.dylib + gh release upload "${TAG}" *.so + gh release upload "${TAG}" static_libs.zip publish_wasm: name: Publish WASM builds needs: [ draft_release, libs_wasm ] runs-on: ubuntu-latest + permissions: + contents: write # Needed to upload binaries to release. steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Download wasm bundle uses: actions/download-artifact@v5 with: name: wasm-library - - name: Upload libpowersync.wasm - uses: ./.github/actions/upload - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - file-name: libpowersync.wasm - tag: ${{ needs.draft_release.outputs.tag }} - - - name: Upload libpowersync-async.wasm - uses: ./.github/actions/upload - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - file-name: libpowersync-async.wasm - tag: ${{ needs.draft_release.outputs.tag }} - - - name: Upload libpowersync-wasm.a - uses: ./.github/actions/upload - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - file-name: libpowersync-wasm.a - tag: ${{ needs.draft_release.outputs.tag }} + - name: Upload wasm binaries + env: + GH_TOKEN: ${{ github.token }} + GH_REPO: ${{ github.repository }} + TAG: ${{ needs.draft_release.outputs.tag }} + run: | + gh release upload "${TAG}" libpowersync-wasm.a publish_crates_io: runs-on: ubuntu-latest permissions: id-token: write # Required for OIDC token exchange steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 + with: + persist-credentials: false - uses: 
rust-lang/crates-io-auth-action@v1 id: auth @@ -257,7 +280,7 @@ jobs: create_sdk_issue: name: "Create issue for SDK updates" permissions: - issues: write + issues: write # To create issue runs-on: macos-latest needs: - draft_release diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index fdf042f6..9c37e1f5 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -3,13 +3,34 @@ on: pull_request: name: "tests" +permissions: {} + +concurrency: + group: packages-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + jobs: + zizmor: + permissions: + security-events: write # Needed to upload findings as code scanning results. + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + with: + persist-credentials: false + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + persona: pedantic + libs_linux: name: Building Linux libraries if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository) runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Build Linux libraries uses: ./.github/actions/linux @@ -18,7 +39,9 @@ jobs: if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository) runs-on: macos-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Build macOS uses: ./.github/actions/macos 
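Review bot: In the publish_desktop upload step of this hunk the four `gh release upload "${TAG}" …` lines can be a single invocation, `gh release upload "${TAG}" *.dll *.dylib *.so static_libs.zip`, which is one API session instead of four. The inlined publish_wasm upload step reproduces the deleted composite action (which took a `repo-token` input it never used) and gets an explicit `contents: write` grant, so that part looks right. The `publish_crates_io` job's `uses:` line is split across the chunk boundary here, so its `with:` block is not reviewed.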
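Review bot: The new `zizmor` job in the tests.yml hunk requests `security-events: write` and has no `if:` guard, so it also runs for pull requests from forks, where the `GITHUB_TOKEN` is read-only and the SARIF upload to code scanning will fail rather than be skipped; the workflow already distinguishes fork PRs with `github.event.pull_request.head.repo.full_name != github.repository`. Either gate the job on same-repo runs or, if the action offers a switch for the code-scanning upload, turn that off for fork PRs so findings still land in the log. The `concurrency` group prefix `packages-` looks copied from another workflow; it is harmless, but `tests-` would read better.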
@@ -27,7 +50,9 @@ jobs: if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository) runs-on: windows-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Build Windows uses: ./.github/actions/windows @@ -37,7 +62,9 @@ jobs: if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository) runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Build Android uses: ./.github/actions/android with: @@ -48,7 +75,9 @@ jobs: if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository) runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Build wasm uses: ./.github/actions/wasm @@ -58,7 +87,9 @@ jobs: if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository) runs-on: macos-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Build XCFramework uses: ./.github/actions/xcframework @@ -71,7 +102,9 @@ jobs: matrix: os: [ubuntu-24.04, macos-latest] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Ubuntu setup if: matrix.os == 'ubuntu-24.04' @@ -79,10 +112,7 @@ jobs: sudo apt install libreadline-dev - name: Install Rust Nightly - uses: dtolnay/rust-toolchain@stable - with: - toolchain: nightly-2026-04-10 - components: rust-src,rustfmt,clippy + run: rustup install - name: Check formatting run: cargo fmt --all --check 
@@ -117,7 +147,9 @@ jobs: os: [ubuntu-24.04, ubuntu-arm64, macos-latest, windows-latest, windows-11-arm] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - uses: dart-lang/setup-dart@v1 @@ -162,11 +194,13 @@ jobs: build_stable_rust: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - uses: dart-lang/setup-dart@v1 - name: Install Rust Stable - uses: dtolnay/rust-toolchain@stable + run: rustup install stable - name: Setup Dart tests working-directory: dart @@ -197,12 +231,11 @@ jobs: include: - os: ubuntu-latest steps: - - uses: actions/checkout@v4 - - name: Install Rust Nightly - uses: dtolnay/rust-toolchain@stable + - uses: actions/checkout@v6 with: - toolchain: nightly-2026-04-10 - components: rust-src + persist-credentials: false + - name: Install Rust + run: rustup install - name: Install valgrind run: sudo apt update && sudo apt install -y valgrind diff --git a/.github/zizmor.yaml b/.github/zizmor.yaml new file mode 100644 index 00000000..bb0bc7e1 --- /dev/null +++ b/.github/zizmor.yaml @@ -0,0 +1,16 @@ +# Configuration for https://zizmor.sh/, a static analysis tool for GitHub actions. +rules: + unpinned-uses: + config: + policies: + "actions/*": ref-pin + "dart-lang/*": ref-pin + "rust-lang/*": ref-pin + "gradle/actions/wrapper-validation": ref-pin + anonymous-definition: + disable: true + concurrency-limits: + ignore: + # We don't need to limit concurrency for publishing, as only maintainers can + # push tags. + - release.yml:2:1 diff --git a/rust-toolchain.toml b/rust-toolchain.toml index feecada9..25f871d6 100644 --- a/rust-toolchain.toml +++ b/rust-toolchain.toml @@ -1,2 +1,3 @@ [toolchain] channel = "nightly-2026-04-10" +components = [ "rust-src", "rustfmt", "clippy" ] diff --git a/tool/build_wasm.sh b/tool/build_wasm.sh index 72536a8f..7fe36328 100755 --- a/tool/build_wasm.sh +++ b/tool/build_wasm.sh 
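Review bot: In the build_stable_rust hunk `run: rustup install stable` only installs the stable toolchain; because `rust-toolchain.toml` pins `nightly-2026-04-10` and a toolchain file overrides the default for either installer, any plain `cargo` invocation later in the job (outside this hunk) still resolves to nightly unless it uses `cargo +stable …` or sets `RUSTUP_TOOLCHAIN: stable`. If the job already selects stable explicitly this is fine — please confirm, otherwise the job name no longer matches what is built.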
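Review bot: The new `.github/zizmor.yaml` relaxes `unpinned-uses` to `ref-pin` for `actions/*`, `dart-lang/*`, `rust-lang/*` and the gradle wrapper-validation action, which means mutable tags such as `dart-lang/setup-dart@v1` and `rust-lang/crates-io-auth-action@v1` pass the audit; that is a deliberate trust decision on those publishers, so a short comment above `policies:` recording why these organisations are exempt from hash pinning would help the next reader. The `concurrency-limits` ignore already carries such a comment, which is the style to match.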
@@ -1,33 +1,5 @@ #!/bin/bash set -e -emcc --version - -# Normal build -# target/wasm32-unknown-emscripten/wasm/powersync.wasm -RUSTFLAGS="-C link-arg=-sSIDE_MODULE=2" \ - cargo build \ - -p powersync_loadable \ - --profile wasm \ - --no-default-features \ - --features "static nightly" \ - -Z build-std=panic_abort,core,alloc \ - --target wasm32-unknown-emscripten - -cp "target/wasm32-unknown-emscripten/wasm/powersync.wasm" "libpowersync.wasm" - -# Asyncify -# target/wasm32-unknown-emscripten/wasm_asyncify/powersync.wasm -RUSTFLAGS="-C link-arg=-sSIDE_MODULE=2 -C link-arg=-sASYNCIFY=1 -C link-arg=-sJSPI_IMPORTS=@wasm/asyncify_imports.json" \ - cargo build \ - -p powersync_loadable \ - --profile wasm_asyncify \ - --no-default-features \ - --features "static nightly" \ - -Z build-std=panic_abort,core,alloc \ - --target wasm32-unknown-emscripten - -cp "target/wasm32-unknown-emscripten/wasm_asyncify/powersync.wasm" "libpowersync-async.wasm" - # Static lib. # Works for both sync and asyncify builds. diff --git a/wasm/asyncify_imports.json b/wasm/asyncify_imports.json deleted file mode 100644 index ccfdb138..00000000 --- a/wasm/asyncify_imports.json +++ /dev/null @@ -1,14 +0,0 @@ -[ - "sqlite3_close", - "sqlite3_finalize", - "sqlite3_open_v2", - "sqlite3_prepare", - "sqlite3_prepare16", - "sqlite3_prepare_v2", - "sqlite3_prepare16_v2", - "sqlite3_prepare_v3", - "sqlite3_prepare16_v3", - "sqlite3_reset", - "sqlite3_step", - "sqlite3_exec" -]