diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ecda3f1cf6..3fd6fe2a5d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,10 +26,6 @@ on: - '.fvmrc' workflow_dispatch: -permissions: - id-token: write - contents: write - concurrency: group: ci-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true @@ -47,18 +43,23 @@ jobs: python_tests: name: Python ${{ matrix.python-version }} tests runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false matrix: python-version: [ "3.10", "3.11", "3.12", "3.13", "3.14" ] steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: python-version: ${{ matrix.python-version }} + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Run tests shell: bash @@ -85,7 +86,7 @@ jobs: - name: Upload docs-coverage logs if: matrix.python-version == '3.12' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: docs-coverage path: sdk/python/docstr_coverage.log 
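Review bot: The workflow-level `permissions` block (`id-token: write`, `contents: write`) is deleted outright rather than replaced, so any job that omits its own `permissions` falls back to the repository's default workflow token scope, which can still be read/write depending on the repository setting. Every job touched in this diff does declare its scope, but a job added later without one would silently regain a broad token, which is exactly what this change is trying to prevent. The same diff sets `permissions: {}` at the top of zizmor.yml and `permissions: contents: read` at the top of docs.yml and flet-build-test.yml; I'd keep a top-level block here too, `permissions: {}`, so the job-level grants remain the only source of token scope.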
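Review bot: The new `enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }}` under Setup uv in python_tests is the first of roughly twenty copies of this expression in the diff (it also drives `cache:` on the Flutter steps and `package-manager-cache:` on setup-node), and none of them says why tag builds opt out. A reader will take it for a cache-size optimisation; if the intent is that release builds never restore a cache populated by a branch or PR run, I'd say so once at this first occurrence: `# Tag (release) builds never restore a cache, so a cache populated by a branch or PR build cannot feed release artifacts` — confirm that is the actual motivation. The `Run tests` step's body continues outside the hunk, so I cannot check that it needs no authenticated git remote now that `persist-credentials: false` is set.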
@@ -96,20 +97,27 @@ jobs: docs_build: name: Build Documentation runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 + package-manager-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Enable Corepack run: corepack enable - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Build website run: | @@ -124,6 +132,7 @@ jobs: name: Build Flet Flutter package runs-on: ubuntu-latest permissions: + contents: read id-token: write # Required for authentication using OIDC outputs: PKG_VER: ${{ steps.versions.outputs.PKG_VER }} 
@@ -131,26 +140,29 @@ jobs: PYPI_VER: ${{ steps.versions.outputs.PYPI_VER }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 # fetch all history fetch-tags: true # ensure tags are available + persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Compute versions id: versions run: source "${SCRIPTS}/update_build_version.sh" - name: Setup Dart (OIDC for pub.dev) - uses: dart-lang/setup-dart@e630b99d28a3b71860378cafdc2a067c71107f94 + uses: dart-lang/setup-dart@65eb853c7ba17dde3be364c3d2858773e7144260 # v1.7.2 - name: Setup Flutter - uses: kuhnroyal/flutter-fvm-config-action/setup@v3 + uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' - cache: true + cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Run tests shell: bash @@ -175,14 +187,20 @@ jobs: name: Package templates runs-on: ubuntu-latest needs: build_flet_package + permissions: + contents: read env: PKG_VER: ${{ needs.build_flet_package.outputs.PKG_VER }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Patch build template flet version shell: bash @@ -207,7 +225,7 @@ jobs: zip -r "$GITHUB_WORKSPACE/flet-app-templates.zip" app/ - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: template-artifacts path: | 
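Review bot: This job holds `id-token: write` (granted in the preceding hunk, commented as required for OIDC), yet the steps in this hunk run two third-party setup actions, `source "${SCRIPTS}/update_build_version.sh"`, and a `Run tests` step whose body continues outside the hunk; any of those can mint an OIDC token for pub.dev. Pinning to commit SHAs narrows that exposure but does not remove it. If the pub.dev publish happens later in this same job, I'd split it into a separate job that only downloads the built package and holds `id-token: write` alone, leaving this build/test job with `contents: read` like its siblings.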
@@ -223,22 +241,28 @@ jobs: needs: - python_tests - build_flet_package + permissions: + contents: read env: PKG_VER: ${{ needs.build_flet_package.outputs.PKG_VER }} BUILD_NUM: ${{ needs.build_flet_package.outputs.BUILD_NUM }} PYPI_VER: ${{ needs.build_flet_package.outputs.PYPI_VER }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Setup Flutter - uses: kuhnroyal/flutter-fvm-config-action/setup@v3 + uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' - cache: true + cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Build Flutter Windows client env: @@ -262,7 +286,7 @@ jobs: 7z a "${ROOT}/client/flet-windows.zip" "flet" - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: windows-artifacts if-no-files-found: error 
@@ -278,22 +302,28 @@ jobs: needs: - python_tests - build_flet_package + permissions: + contents: read env: PKG_VER: ${{ needs.build_flet_package.outputs.PKG_VER }} BUILD_NUM: ${{ needs.build_flet_package.outputs.BUILD_NUM }} PYPI_VER: ${{ needs.build_flet_package.outputs.PYPI_VER }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Setup Flutter - uses: kuhnroyal/flutter-fvm-config-action/setup@v3 + uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' - cache: true + cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Build Flutter macOS client shell: bash @@ -303,7 +333,7 @@ jobs: tar -czvf flet-macos.tar.gz -C build/macos/Build/Products/Release Flet.app - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: macos-artifacts if-no-files-found: error @@ -321,6 +351,8 @@ jobs: needs: - python_tests - build_flet_package + permissions: + contents: read strategy: matrix: include: 
@@ -442,23 +474,27 @@ jobs: apt-get install -y git curl unzip xz-utils zip ca-certificates jq tzdata - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Get Flutter version from ".fvmrc" - uses: kuhnroyal/flutter-fvm-config-action/config@v3 + uses: kuhnroyal/flutter-fvm-config-action/config@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 id: fvm-config-action with: path: '.fvmrc' - name: Setup Flutter - uses: subosito/flutter-action@v2 + uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0 with: flutter-version: ${{ steps.fvm-config-action.outputs.FLUTTER_VERSION }} channel: ${{ matrix.arch == 'arm64' && 'master' || 'stable' }} # https://github.com/subosito/flutter-action/issues/345#issuecomment-2657332687 - cache: true + cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Mark git safe directories shell: bash @@ -536,7 +572,7 @@ jobs: build_flutter "flet-desktop" - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: linux-${{ matrix.distro_id }}-${{ matrix.arch }}-artifacts if-no-files-found: error 
@@ -552,20 +588,26 @@ jobs: needs: - python_tests - build_flet_package + permissions: + contents: read env: PYPI_VER: ${{ needs.build_flet_package.outputs.PYPI_VER }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Setup Flutter - uses: kuhnroyal/flutter-fvm-config-action/setup@v3 + uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' - cache: true + cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Patch Python and Flutter versions shell: bash @@ -621,7 +663,7 @@ jobs: uv build --package flet-web --sdist - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: web-artifacts if-no-files-found: error 
@@ -639,24 +681,29 @@ jobs: needs: - python_tests - build_flet_package + permissions: + contents: read env: PYPI_VER: ${{ needs.build_flet_package.outputs.PYPI_VER }} PKG_VER: ${{ needs.build_flet_package.outputs.PKG_VER }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 fetch-tags: true + persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Setup Flutter - uses: kuhnroyal/flutter-fvm-config-action/setup@v3 + uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' - cache: true + cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Analyze and Build Flutter & Python packages shell: bash @@ -702,7 +749,7 @@ jobs: done - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: flet-python-extensions if-no-files-found: error @@ -716,6 +763,8 @@ jobs: build_flet_cli_desktop: name: Build flet, flet-cli and flet-desktop Python packages runs-on: ubuntu-latest + permissions: + contents: read env: PYPI_VER: ${{ needs.build_flet_package.outputs.PYPI_VER }} needs: @@ -723,10 +772,14 @@ jobs: - build_flet_package steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Build Python packages shell: bash 
@@ -739,7 +792,7 @@ jobs: uv build --package flet-desktop - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: flet-cli-desktop-python-distribution path: | @@ -764,24 +817,28 @@ jobs: - build_flet_extensions - build_flet_cli_desktop if: ${{ startsWith(github.ref, 'refs/tags/') }} + permissions: + contents: write steps: - name: Detect pre-release id: prerelease + env: + REF_NAME: ${{ github.ref_name }} run: | - if [[ "${{ github.ref_name }}" == *".dev"* ]]; then + if [[ "$REF_NAME" == *".dev"* ]]; then echo "is_prerelease=true" >> $GITHUB_OUTPUT else echo "is_prerelease=false" >> $GITHUB_OUTPUT fi - name: Download artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: dist merge-multiple: true - name: Create/Update GitHub Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -806,15 +863,18 @@ jobs: if: startsWith(github.ref, 'refs/tags/') needs: - release + permissions: + id-token: write steps: - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: ignore-empty-workdir: true cache-dependency-glob: "" + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Download artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: dist merge-multiple: true diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index eb1b594afd..f938d79b80 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml 
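Review bot: In the `publish` job the added `enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }}` can never evaluate to true, because the job is guarded by `if: startsWith(github.ref, 'refs/tags/')` just above the new `permissions` block. Writing `enable-cache: false` states the same thing without asking the reader to evaluate the expression, and it matches the already-present `cache-dependency-glob: ""`. The reduced `permissions: id-token: write` with no `contents:` looks right for a job that only downloads artifacts from the same run.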
@@ -3,24 +3,32 @@ name: Build docs on: workflow_dispatch: +permissions: + contents: read + jobs: build: name: Build Documentation runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 + package-manager-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Enable Corepack run: corepack enable - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Build website run: | diff --git a/.github/workflows/flet-build-image.yml b/.github/workflows/flet-build-image.yml index f64a3f13ba..2b5052530b 100644 --- a/.github/workflows/flet-build-image.yml +++ b/.github/workflows/flet-build-image.yml @@ -11,10 +11,6 @@ on: type: boolean default: true -permissions: - contents: read - packages: write - env: IMAGE: ghcr.io/${{ github.repository_owner }}/flet-build @@ -22,17 +18,23 @@ jobs: resolve_version: name: Resolve Flutter version runs-on: ubuntu-latest + permissions: + contents: read outputs: flutter_version: ${{ steps.v.outputs.value }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Resolve version id: v + env: + FLUTTER_VERSION_INPUT: ${{ inputs.flutter_version }} run: | - if [ -n "${{ inputs.flutter_version }}" ]; then - v="${{ inputs.flutter_version }}" + if [ -n "$FLUTTER_VERSION_INPUT" ]; then + v="$FLUTTER_VERSION_INPUT" else v="$(jq -r .flutter .fvmrc)" fi 
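Review bot: In the Resolve version step, `jq -r .flutter .fvmrc` prints the literal string `null` when the key is missing, and the visible `-n` test only covers the input branch, so the job output `flutter_version` can become `null` and every downstream `FLUTTER_VERSION` env picks it up. A guard after the `fi` (the `run` body continues past the hunk) makes that a hard failure: `if [ -z "$v" ] || [ "$v" = "null" ]; then echo "::error::could not resolve Flutter version from input or .fvmrc"; exit 1; fi`. Separately, the workflow-level `permissions` block in this file is deleted rather than reduced; a top-level `permissions: {}` would keep future jobs from inheriting the repository default scope.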
@@ -51,11 +53,16 @@ jobs: - platform: linux/arm64 runner: ubuntu-24.04-arm runs-on: ${{ matrix.runner }} + permissions: + contents: read + packages: write env: FLUTTER_VERSION: ${{ needs.resolve_version.outputs.flutter_version }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Compute platform pair id: pair @@ -64,10 +71,10 @@ jobs: echo "value=${p//\//-}" >> "$GITHUB_OUTPUT" - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Log in to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -75,7 +82,7 @@ jobs: - name: Build & push by digest id: build - uses: docker/build-push-action@v6 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: context: docker/flet-build file: docker/flet-build/Dockerfile @@ -88,13 +95,15 @@ jobs: provenance: false - name: Export digest + env: + BUILD_DIGEST: ${{ steps.build.outputs.digest }} run: | mkdir -p /tmp/digests - digest="${{ steps.build.outputs.digest }}" + digest="$BUILD_DIGEST" touch "/tmp/digests/${digest#sha256:}" - name: Upload digest - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: flet-build-digests-${{ steps.pair.outputs.value }} path: /tmp/digests/* 
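Review bot: The Export digest step runs `touch "/tmp/digests/${digest#sha256:}"` without checking that `BUILD_DIGEST` is non-empty; if `steps.build.outputs.digest` is empty (plausibly when the workflow's `push` input is false and nothing is pushed), `touch "/tmp/digests/"` succeeds on the directory and the run continues with an empty artifact, failing later in the merge job with a misleading error. Add `[ -n "$BUILD_DIGEST" ] || { echo "::error::build produced no digest"; exit 1; }` before the `touch`. The pre-existing `provenance: false` on a published image is worth a one-line comment on why it is disabled, if it is deliberate for the digest-then-manifest flow.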
@@ -107,21 +116,23 @@ jobs: - resolve_version - build runs-on: ubuntu-latest + permissions: + packages: write env: FLUTTER_VERSION: ${{ needs.resolve_version.outputs.flutter_version }} steps: - name: Download digests - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: /tmp/digests pattern: flet-build-digests-* merge-multiple: true - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Log in to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -139,8 +150,10 @@ jobs: - name: Create & push manifest working-directory: /tmp/digests + env: + TAG_FLAGS: ${{ steps.tags.outputs.flags }} run: | - docker buildx imagetools create ${{ steps.tags.outputs.flags }} \ + docker buildx imagetools create $TAG_FLAGS \ $(printf "${IMAGE}@sha256:%s " *) - name: Inspect image diff --git a/.github/workflows/flet-build-test-matrix.yml b/.github/workflows/flet-build-test-matrix.yml index 00a8318c36..8d139861e3 100644 --- a/.github/workflows/flet-build-test-matrix.yml +++ b/.github/workflows/flet-build-test-matrix.yml @@ -32,6 +32,8 @@ jobs: build: name: Build (${{ matrix.name }}) runs-on: ${{ matrix.runner }} + permissions: + contents: read strategy: fail-fast: false matrix: @@ -140,13 +142,16 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 fetch-tags: true + persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Patch versions shell: bash 
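Review bot: In the Create & push manifest step, `$(printf "${IMAGE}@sha256:%s " *)` expands `*` literally when `/tmp/digests` is empty, so `imagetools create` would be handed `ghcr.io/...@sha256:*`; download-artifact with a `pattern` and no matching artifacts does not fail the job by default, as far as I can tell, so this is reachable. A one-line guard before the command makes the failure explicit: `ls -A . | grep -q . || { echo "::error::no digests downloaded"; exit 1; }`. The unquoted `$TAG_FLAGS` is presumably intentional for word-splitting; a comment such as `# unquoted on purpose: flags is a space-separated list` would stop a later cleanup from quoting it.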
@@ -165,20 +170,22 @@ jobs: sudo apt-get clean - name: Setup Flutter - uses: kuhnroyal/flutter-fvm-config-action/setup@v3 + uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' - cache: true + cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Build app shell: bash working-directory: sdk/python/examples/apps/flet_build_test + env: + PYTHON_VERSION: ${{ inputs.python_version }} run: | echo "FLET_BUILD_EXTRA_ARGS='${FLET_BUILD_EXTRA_ARGS}'" - uv run ${{ matrix.build_cmd }} --python-version ${{ inputs.python_version }} --yes --verbose --build-number ${{ github.run_number }} $FLET_BUILD_EXTRA_ARGS + uv run ${{ matrix.build_cmd }} --python-version "$PYTHON_VERSION" --yes --verbose --build-number ${{ github.run_number }} $FLET_BUILD_EXTRA_ARGS - name: Upload Artifact - uses: actions/upload-artifact@v5.0.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: ${{ matrix.artifact_name }}-py${{ inputs.python_version }} path: sdk/python/examples/apps/flet_build_test/${{ matrix.artifact_path }} diff --git a/.github/workflows/flet-build-test.yml b/.github/workflows/flet-build-test.yml index df9312743d..e7857ac3dd 100644 --- a/.github/workflows/flet-build-test.yml +++ b/.github/workflows/flet-build-test.yml @@ -48,6 +48,9 @@ concurrency: group: ci-${{ github.workflow }}-${{ github.event.pull_request.head.ref || github.ref_name }} cancel-in-progress: true +permissions: + contents: read + env: ROOT: "${{ github.workspace }}" SDK_PYTHON: "${{ github.workspace }}/sdk/python" @@ -94,6 +97,8 @@ jobs: pack: name: Pack (${{ matrix.name }}) runs-on: ${{ matrix.runner }} + permissions: + contents: read env: FLET_DESKTOP_FLAVOR: full strategy: 
@@ -111,19 +116,22 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 fetch-tags: true + persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Setup Flutter - uses: kuhnroyal/flutter-fvm-config-action/setup@v3 + uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' - cache: true + cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Patch versions shell: bash @@ -185,7 +193,7 @@ jobs: uv run --with pyinstaller flet pack src/main.py --yes --name flet-pack-test --distpath dist $FLET_PACK_EXTRA_ARGS - name: Upload Artifact - uses: actions/upload-artifact@v5.0.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: ${{ matrix.name }}-pack-artifact path: sdk/python/examples/apps/flet_build_test/dist diff --git a/.github/workflows/macos-integration-tests.yml b/.github/workflows/macos-integration-tests.yml index 396e5f1be5..ea67f495e3 100644 --- a/.github/workflows/macos-integration-tests.yml +++ b/.github/workflows/macos-integration-tests.yml @@ -35,6 +35,8 @@ env: jobs: test-macos: runs-on: macos-26 + permissions: + contents: read strategy: fail-fast: false matrix: 
@@ -55,16 +57,20 @@ jobs: name: ${{ matrix.suite }} Integration Tests steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Setup Flutter - uses: kuhnroyal/flutter-fvm-config-action/setup@v3 + uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' - cache: true + cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Show tool versions run: | @@ -91,7 +97,7 @@ jobs: - name: Upload artifact if: failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: integration-test-failures-macos-${{ env.SAFE_SUITE }} path: sdk/python/packages/flet/integration_tests/${{ matrix.suite }}/**/*_actual.png diff --git a/.github/workflows/release-pr-changelog.yml b/.github/workflows/release-pr-changelog.yml index f3b6d4aea8..084bde013f 100644 --- a/.github/workflows/release-pr-changelog.yml +++ b/.github/workflows/release-pr-changelog.yml @@ -18,11 +18,14 @@ jobs: changelog_record: name: Require changelog record runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 + persist-credentials: false - name: Verify root changelog update shell: bash diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000000..e9ba32c042 --- /dev/null +++ b/.github/workflows/zizmor.yml 
@@ -0,0 +1,28 @@ +name: zizmor - GitHub Actions Security Analysis + +on: + push: + pull_request: + +permissions: {} + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + steps: + - name: Checkout + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + # Fork PRs get a read-only token (no security-events: write), so the + # SARIF upload would fail. Skip it for forks — they still get inline + # annotations; pushes and same-repo PRs upload to code scanning. + advanced-security: ${{ github.event.pull_request.head.repo.fork != true }}
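Review bot: With both `push:` and `pull_request:` unfiltered, every same-repo pull request runs zizmor twice, once for the branch push and once for the PR, and each uploads a SARIF result under a different ref. Restricting the push trigger to the default branch keeps the PR result for branches and the push result for the mainline: `push: branches: [main]` (substitute the repository's default branch name). The `advanced-security` expression is also correct on push events, since `github.event.pull_request` is absent there and `null != true` evaluates true, but that is subtle enough to add a line to the existing comment: `# On push events there is no pull_request payload, so the comparison yields true.`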