From 950b40845c4f92a02daff9aa5c89755518608fa4 Mon Sep 17 00:00:00 2001 From: ndonkoHenri Date: Wed, 17 Jun 2026 19:14:35 +0200 Subject: [PATCH 1/5] initial commit --- .github/workflows/ci.yml | 114 ++++++++++++++++++++++++------------- .github/workflows/docs.yml | 5 +- 2 files changed, 79 insertions(+), 40 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1dbfd39668..42e8e188b4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,10 +26,6 @@ on: - '.fvmrc' workflow_dispatch: -permissions: - id-token: write - contents: write - concurrency: group: ci-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true @@ -53,10 +49,12 @@ jobs: python-version: [ "3.10", "3.11", "3.12", "3.13", "3.14" ] steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: python-version: ${{ matrix.python-version }} @@ -86,7 +84,7 @@ jobs: - name: Upload docs-coverage logs if: matrix.python-version == '3.12' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: docs-coverage path: sdk/python/docstr_coverage.log @@ -97,12 +95,16 @@ jobs: docs_build: name: Build Documentation runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 
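Review bot: The `persist-credentials: false` added to the checkout steps in this hunk (and to every other checkout in the series) removes the token from `.git/config`, so any later step in the same job that pushes, tags or fetches a private submodule will now fail; the steps visible here only build and upload, but the jobs' remaining steps are outside the hunk, so confirm none of them performs an authenticated git operation. The same `uses:` lines bump major versions while pinning (checkout v4→v6, setup-uv v6→v8, upload-artifact v4→v7, download-artifact v4→v8), so a regression from the upgrade cannot be separated from the pinning when bisecting; pinning to a SHA of the already-used major first would keep the security change mechanical. Removing the top-level `permissions:` block without adding job-level permissions to `python_tests` in this commit leaves that job on the repository-default token until patch 2 adds `contents: read`.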
@@ -110,7 +112,9 @@ jobs: run: corepack enable - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: false - name: Build website run: | @@ -125,6 +129,7 @@ jobs: name: Build Flet Flutter package runs-on: ubuntu-latest permissions: + contents: read id-token: write # Required for authentication using OIDC outputs: PKG_VER: ${{ steps.versions.outputs.PKG_VER }} @@ -132,23 +137,26 @@ jobs: PYPI_VER: ${{ steps.versions.outputs.PYPI_VER }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 # fetch all history fetch-tags: true # ensure tags are available + persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: false - name: Compute versions id: versions run: source "${SCRIPTS}/update_build_version.sh" - name: Setup Dart (OIDC for pub.dev) - uses: dart-lang/setup-dart@e630b99d28a3b71860378cafdc2a067c71107f94 + uses: dart-lang/setup-dart@65eb853c7ba17dde3be364c3d2858773e7144260 # v1.7.2 - name: Setup Flutter - uses: kuhnroyal/flutter-fvm-config-action/setup@v3 + uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' cache: true @@ -176,14 +184,20 @@ jobs: name: Package templates runs-on: ubuntu-latest needs: build_flet_package + permissions: + contents: read env: PKG_VER: ${{ needs.build_flet_package.outputs.PKG_VER }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: false - name: Patch build template flet version shell: bash 
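Review bot: With `persist-credentials: false` now on the `build_flet_package` checkout (`@@ -132` hunk), the following `Compute versions` step, which sources `${SCRIPTS}/update_build_version.sh` after fetching full history and tags, must not push or create tags; its body is outside the hunk, so confirm. Holding `id-token: write` for pub.dev OIDC next to `contents: read` is the correct minimum for this job. The `enable-cache: false` added to setup-uv here is relaxed again by patch 3, so the two commits could be folded to avoid churn.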
@@ -208,7 +222,7 @@ jobs: zip -r "$GITHUB_WORKSPACE/flet-app-templates.zip" app/ - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: template-artifacts path: | @@ -224,19 +238,23 @@ jobs: needs: - python_tests - build_flet_package + permissions: + contents: read env: PKG_VER: ${{ needs.build_flet_package.outputs.PKG_VER }} BUILD_NUM: ${{ needs.build_flet_package.outputs.BUILD_NUM }} PYPI_VER: ${{ needs.build_flet_package.outputs.PYPI_VER }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup uv uses: astral-sh/setup-uv@v6 - name: Setup Flutter - uses: kuhnroyal/flutter-fvm-config-action/setup@v3 + uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' cache: true @@ -263,7 +281,7 @@ jobs: 7z a "${ROOT}/client/flet-windows.zip" "flet" - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: windows-artifacts if-no-files-found: error 
@@ -279,19 +297,25 @@ jobs: needs: - python_tests - build_flet_package + permissions: + contents: read env: PKG_VER: ${{ needs.build_flet_package.outputs.PKG_VER }} BUILD_NUM: ${{ needs.build_flet_package.outputs.BUILD_NUM }} PYPI_VER: ${{ needs.build_flet_package.outputs.PYPI_VER }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: false - name: Setup Flutter - uses: kuhnroyal/flutter-fvm-config-action/setup@v3 + uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' cache: true @@ -304,7 +328,7 @@ jobs: tar -czvf flet-macos.tar.gz -C build/macos/Build/Products/Release Flet.app - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: macos-artifacts if-no-files-found: error 
@@ -443,19 +467,23 @@ jobs: apt-get install -y git curl unzip xz-utils zip ca-certificates jq tzdata - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: false - name: Get Flutter version from ".fvmrc" - uses: kuhnroyal/flutter-fvm-config-action/config@v3 + uses: kuhnroyal/flutter-fvm-config-action/config@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 id: fvm-config-action with: path: '.fvmrc' - name: Setup Flutter - uses: subosito/flutter-action@v2 + uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0 with: flutter-version: ${{ steps.fvm-config-action.outputs.FLUTTER_VERSION }} channel: ${{ matrix.arch == 'arm64' && 'master' || 'stable' }} # https://github.com/subosito/flutter-action/issues/345#issuecomment-2657332687 @@ -537,7 +565,7 @@ jobs: build_flutter "flet-desktop" - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: linux-${{ matrix.distro_id }}-${{ matrix.arch }}-artifacts if-no-files-found: error @@ -557,13 +585,17 @@ jobs: PYPI_VER: ${{ needs.build_flet_package.outputs.PYPI_VER }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: false - name: Setup Flutter - uses: kuhnroyal/flutter-fvm-config-action/setup@v3 + uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' cache: true 
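Review bot: Pinning `subosito/flutter-action` to a SHA fixes the action but not the SDK it installs: the adjacent `channel:` line selects `master` for arm64, so if `flutter-version` from `.fvmrc` does not fully determine the download, arm64 release builds float on whatever master resolves to at run time. Whichever holds, a comment would make the intent reviewable, e.g. `# arm64 uses the master channel only to obtain a build for FLUTTER_VERSION; the SDK version itself is still pinned by .fvmrc`. The container's `apt-get install` earlier in the job is also outside the hunk and unpinned, which is a separate concern from this change.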
@@ -622,7 +654,7 @@ jobs: uv build --package flet-web --sdist - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: web-artifacts if-no-files-found: error @@ -645,13 +677,15 @@ jobs: PKG_VER: ${{ needs.build_flet_package.outputs.PKG_VER }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 fetch-tags: true - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: false - name: Setup Flutter uses: kuhnroyal/flutter-fvm-config-action/setup@v3 @@ -703,7 +737,7 @@ jobs: done - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: flet-python-extensions if-no-files-found: error @@ -724,7 +758,9 @@ jobs: - build_flet_package steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup uv uses: astral-sh/setup-uv@v6 @@ -740,7 +776,7 @@ jobs: uv build --package flet-desktop - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: flet-cli-desktop-python-distribution path: | @@ -776,7 +812,7 @@ jobs: fi - name: Download artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: dist merge-multiple: true diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index eb1b594afd..8df42dab2e 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml 
@@ -9,7 +9,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@v4 @@ -21,6 +23,7 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 - name: Build website run: | From 0aad3c0a58b78e50d97959498347343c2d2c29e2 Mon Sep 17 00:00:00 2001 From: ndonkoHenri Date: Wed, 17 Jun 2026 19:20:38 +0200 Subject: [PATCH 2/5] improvements --- .github/workflows/ci.yml | 23 +++++++-- .github/workflows/docs.yml | 6 ++- .github/workflows/flet-build-image.yml | 47 ++++++++++++------- .github/workflows/flet-build-test.yml | 21 ++++++--- .github/workflows/macos-integration-tests.yml | 10 ++-- .github/workflows/release-pr-changelog.yml | 5 +- 6 files changed, 80 insertions(+), 32 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 42e8e188b4..634bdb8523 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,6 +43,8 @@ jobs: python_tests: name: Python ${{ matrix.python-version }} tests runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false matrix: @@ -346,6 +348,8 @@ jobs: needs: - python_tests - build_flet_package + permissions: + contents: read strategy: matrix: include: @@ -581,6 +585,8 @@ jobs: needs: - python_tests - build_flet_package + permissions: + contents: read env: PYPI_VER: ${{ needs.build_flet_package.outputs.PYPI_VER }} steps: @@ -672,6 +678,8 @@ jobs: needs: - python_tests - build_flet_package + permissions: + contents: read env: PYPI_VER: ${{ needs.build_flet_package.outputs.PYPI_VER }} PKG_VER: ${{ needs.build_flet_package.outputs.PKG_VER }} 
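Review bot: The second docs.yml hunk (`@@ -21,6 +23,7 @@`) adds a new `uses:` line without removing the existing `uses: astral-sh/setup-uv@v6`, so the step carries a duplicate key and this commit as posted is not a valid workflow; patch 2 corrects it, so the fix should be folded into this commit so every commit in the series runs. The same intermediate-state problem exists in ci.yml, where the Windows job and `build_flet_cli_desktop` still reference `astral-sh/setup-uv@v6` until patch 3 and `build_flet_extensions` keeps `flutter-fvm-config-action/setup@v3` until patch 2.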
@@ -681,6 +689,7 @@ jobs: with: fetch-depth: 0 fetch-tags: true + persist-credentials: false - name: Setup uv uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 @@ -688,7 +697,7 @@ jobs: enable-cache: false - name: Setup Flutter - uses: kuhnroyal/flutter-fvm-config-action/setup@v3 + uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' cache: true @@ -801,11 +810,15 @@ jobs: - build_flet_extensions - build_flet_cli_desktop if: ${{ startsWith(github.ref, 'refs/tags/') }} + permissions: + contents: write steps: - name: Detect pre-release id: prerelease + env: + REF_NAME: ${{ github.ref_name }} run: | - if [[ "${{ github.ref_name }}" == *".dev"* ]]; then + if [[ "$REF_NAME" == *".dev"* ]]; then echo "is_prerelease=true" >> $GITHUB_OUTPUT else echo "is_prerelease=false" >> $GITHUB_OUTPUT @@ -843,15 +856,17 @@ jobs: if: startsWith(github.ref, 'refs/tags/') needs: - release + permissions: + id-token: write steps: - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: ignore-empty-workdir: true cache-dependency-glob: "" - name: Download artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: dist merge-multiple: true diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 8df42dab2e..bffca8580a 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -3,6 +3,9 @@ name: Build docs on: workflow_dispatch: +permissions: + contents: read + jobs: build: name: Build Documentation @@ -22,8 +25,9 @@ jobs: run: corepack enable - name: Setup uv - uses: astral-sh/setup-uv@v6 uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: false - name: Build website run: | 
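Review bot: In the `Detect pre-release` step the redirect target `$GITHUB_OUTPUT` is still unquoted on both echo lines, while the same hunk moves `github.ref_name` into an environment variable to keep it out of the script text; quoting the path, `echo "is_prerelease=true" >> "$GITHUB_OUTPUT"`, finishes that change and is what workflow linters expect. On hosted runners the path has no spaces, so this is a consistency point rather than a live defect. The `publish` job now holds only `id-token: write`; since it does not check out the repository, that is the correct minimum.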
diff --git a/.github/workflows/flet-build-image.yml b/.github/workflows/flet-build-image.yml index f64a3f13ba..2b5052530b 100644 --- a/.github/workflows/flet-build-image.yml +++ b/.github/workflows/flet-build-image.yml @@ -11,10 +11,6 @@ on: type: boolean default: true -permissions: - contents: read - packages: write - env: IMAGE: ghcr.io/${{ github.repository_owner }}/flet-build @@ -22,17 +18,23 @@ jobs: resolve_version: name: Resolve Flutter version runs-on: ubuntu-latest + permissions: + contents: read outputs: flutter_version: ${{ steps.v.outputs.value }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Resolve version id: v + env: + FLUTTER_VERSION_INPUT: ${{ inputs.flutter_version }} run: | - if [ -n "${{ inputs.flutter_version }}" ]; then - v="${{ inputs.flutter_version }}" + if [ -n "$FLUTTER_VERSION_INPUT" ]; then + v="$FLUTTER_VERSION_INPUT" else v="$(jq -r .flutter .fvmrc)" fi @@ -51,11 +53,16 @@ jobs: - platform: linux/arm64 runner: ubuntu-24.04-arm runs-on: ${{ matrix.runner }} + permissions: + contents: read + packages: write env: FLUTTER_VERSION: ${{ needs.resolve_version.outputs.flutter_version }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Compute platform pair id: pair @@ -64,10 +71,10 @@ jobs: echo "value=${p//\//-}" >> "$GITHUB_OUTPUT" - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Log in to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ghcr.io username: ${{ github.actor }} 
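Review bot: In the `Resolve version` step the fallback `v="$(jq -r .flutter .fvmrc)"` yields the literal string `null` rather than an error when `.fvmrc` has no `flutter` key, and that value then reaches the `build` and `merge` jobs as `FLUTTER_VERSION`; `v="$(jq -er .flutter .fvmrc)"` makes jq exit non-zero on null so the step fails under the `-e` shell that `run:` uses by default. The added `FLUTTER_VERSION_INPUT` indirection correctly keeps the dispatch input out of the script text. The step's `$GITHUB_OUTPUT` write is outside the hunk.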
@@ -75,7 +82,7 @@ jobs: - name: Build & push by digest id: build - uses: docker/build-push-action@v6 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: context: docker/flet-build file: docker/flet-build/Dockerfile @@ -88,13 +95,15 @@ jobs: provenance: false - name: Export digest + env: + BUILD_DIGEST: ${{ steps.build.outputs.digest }} run: | mkdir -p /tmp/digests - digest="${{ steps.build.outputs.digest }}" + digest="$BUILD_DIGEST" touch "/tmp/digests/${digest#sha256:}" - name: Upload digest - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: flet-build-digests-${{ steps.pair.outputs.value }} path: /tmp/digests/* @@ -107,21 +116,23 @@ jobs: - resolve_version - build runs-on: ubuntu-latest + permissions: + packages: write env: FLUTTER_VERSION: ${{ needs.resolve_version.outputs.flutter_version }} steps: - name: Download digests - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: /tmp/digests pattern: flet-build-digests-* merge-multiple: true - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Log in to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -139,8 +150,10 @@ jobs: - name: Create & push manifest working-directory: /tmp/digests + env: + TAG_FLAGS: ${{ steps.tags.outputs.flags }} run: | - docker buildx imagetools create ${{ steps.tags.outputs.flags }} \ + docker buildx imagetools create $TAG_FLAGS \ $(printf "${IMAGE}@sha256:%s " *) - name: Inspect image diff --git a/.github/workflows/flet-build-test.yml b/.github/workflows/flet-build-test.yml index b241c29e62..064d6bc33b 100644 --- a/.github/workflows/flet-build-test.yml 
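Review bot: In the `Export digest` step, `touch "/tmp/digests/${digest#sha256:}"` runs even when `BUILD_DIGEST` is empty, in which case it touches the directory itself, the upload step has nothing to upload, and the problem likely surfaces only at the manifest step, if at all; a guard such as `: "${BUILD_DIGEST:?build step produced no digest}"` before the `mkdir` turns that into an immediate failure. Moving the digest and tag flags into `env:` is the right fix for the expression-in-script pattern. The unquoted `$TAG_FLAGS` in `Create & push manifest` is intentional word-splitting; a one-line comment, `# TAG_FLAGS is a space-separated list of -t flags; intentionally unquoted`, would stop the next reader from "fixing" it.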
+++ b/.github/workflows/flet-build-test.yml @@ -35,6 +35,9 @@ concurrency: group: ci-${{ github.workflow }}-${{ github.event.pull_request.head.ref || github.ref_name }} cancel-in-progress: true +permissions: + contents: read + env: ROOT: "${{ github.workspace }}" SDK_PYTHON: "${{ github.workspace }}/sdk/python" @@ -53,6 +56,8 @@ jobs: build: name: Build (${{ matrix.name }}) runs-on: ${{ matrix.runner }} + permissions: + contents: read strategy: fail-fast: false matrix: @@ -161,10 +166,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 fetch-tags: true + persist-credentials: false - name: Setup uv uses: astral-sh/setup-uv@v6 @@ -186,7 +192,7 @@ jobs: sudo apt-get clean - name: Setup Flutter - uses: kuhnroyal/flutter-fvm-config-action/setup@v3 + uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' cache: true @@ -199,7 +205,7 @@ jobs: uv run ${{ matrix.build_cmd }} --yes --verbose --build-number ${{ github.run_number }} $FLET_BUILD_EXTRA_ARGS - name: Upload Artifact - uses: actions/upload-artifact@v5.0.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: ${{ matrix.artifact_name }} path: sdk/python/examples/apps/flet_build_test/${{ matrix.artifact_path }} @@ -209,6 +215,8 @@ jobs: pack: name: Pack (${{ matrix.name }}) runs-on: ${{ matrix.runner }} + permissions: + contents: read env: FLET_DESKTOP_FLAVOR: full strategy: 
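Review bot: The workflow-level `permissions: contents: read` added at the top of flet-build-test.yml already applies to every job, so the job-level `permissions: contents: read` blocks added to `build` and `pack` in the same file are redundant; either form is fine, but keeping both means a later job-level edit silently diverges from the file default, so pick one (ci.yml uses job-level only). The `@@ -161` hunk still leaves `astral-sh/setup-uv@v6` unpinned in this commit; patch 3 pins it. The build step's `run:` line still expands `${{ matrix.build_cmd }}` and `${{ github.run_number }}` inline; both are workflow-controlled so the risk is low, but routing them through `env:` as done for `github.ref_name` in ci.yml keeps the pattern uniform.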
@@ -226,16 +234,17 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 fetch-tags: true + persist-credentials: false - name: Setup uv uses: astral-sh/setup-uv@v6 - name: Setup Flutter - uses: kuhnroyal/flutter-fvm-config-action/setup@v3 + uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' cache: true @@ -300,7 +309,7 @@ jobs: uv run --with pyinstaller flet pack src/main.py --yes --name flet-pack-test --distpath dist $FLET_PACK_EXTRA_ARGS - name: Upload Artifact - uses: actions/upload-artifact@v5.0.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: ${{ matrix.name }}-pack-artifact path: sdk/python/examples/apps/flet_build_test/dist diff --git a/.github/workflows/macos-integration-tests.yml b/.github/workflows/macos-integration-tests.yml index 396e5f1be5..ed03f0bb06 100644 --- a/.github/workflows/macos-integration-tests.yml +++ b/.github/workflows/macos-integration-tests.yml @@ -35,6 +35,8 @@ env: jobs: test-macos: runs-on: macos-26 + permissions: + contents: read strategy: fail-fast: false matrix: @@ -55,13 +57,15 @@ jobs: name: ${{ matrix.suite }} Integration Tests steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup uv uses: astral-sh/setup-uv@v6 - name: Setup Flutter - uses: kuhnroyal/flutter-fvm-config-action/setup@v3 + uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' cache: true 
@@ -91,7 +95,7 @@ jobs: - name: Upload artifact if: failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: integration-test-failures-macos-${{ env.SAFE_SUITE }} path: sdk/python/packages/flet/integration_tests/${{ matrix.suite }}/**/*_actual.png diff --git a/.github/workflows/release-pr-changelog.yml b/.github/workflows/release-pr-changelog.yml index f3b6d4aea8..084bde013f 100644 --- a/.github/workflows/release-pr-changelog.yml +++ b/.github/workflows/release-pr-changelog.yml @@ -18,11 +18,14 @@ jobs: changelog_record: name: Require changelog record runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 + persist-credentials: false - name: Verify root changelog update shell: bash From 415826d5252c7e44c17c69d212e9bfa487b8c63d Mon Sep 17 00:00:00 2001 From: ndonkoHenri Date: Thu, 18 Jun 2026 06:39:03 +0200 Subject: [PATCH 3/5] improve caching --- .github/workflows/ci.yml | 41 +++++++++++-------- .github/workflows/docs.yml | 5 ++- .github/workflows/flet-build-test.yml | 12 ++++-- .github/workflows/macos-integration-tests.yml | 6 ++- 4 files changed, 40 insertions(+), 24 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 634bdb8523..9bb519fc5a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -59,6 +59,7 @@ jobs: uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: python-version: ${{ matrix.python-version }} + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Run tests shell: bash @@ -109,6 +110,7 @@ jobs: uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 + package-manager-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Enable Corepack run: corepack enable 
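Review bot: The `enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }}` expression introduced here, and repeated in every setup-uv, setup-node and Flutter step in patches 3 and 5, encodes a security decision (a tag/release build never restores a cache that earlier runs could have written) but nothing in the files says so; add a comment at the first occurrence in each workflow, e.g. `# Caches are restored only on non-tag refs so a release build never consumes cache entries written by other runs.` The expression appears roughly twenty times across the series; if the `github` context is available in workflow-level `env:` (I believe it is), a single `USE_CACHE` variable would keep the policy in one place.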
@@ -116,7 +118,7 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: - enable-cache: false + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Build website run: | @@ -148,7 +150,7 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: - enable-cache: false + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Compute versions id: versions @@ -161,7 +163,7 @@ jobs: uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' - cache: true + cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Run tests shell: bash @@ -199,7 +201,7 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: - enable-cache: false + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Patch build template flet version shell: bash @@ -253,13 +255,15 @@ jobs: persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Setup Flutter uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' - cache: true + cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Build Flutter Windows client env: @@ -314,13 +318,13 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: - enable-cache: false + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Setup Flutter uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' - cache: true + cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Build Flutter macOS client shell: bash 
@@ -478,7 +482,7 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: - enable-cache: false + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Get Flutter version from ".fvmrc" uses: kuhnroyal/flutter-fvm-config-action/config@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 @@ -491,7 +495,7 @@ jobs: with: flutter-version: ${{ steps.fvm-config-action.outputs.FLUTTER_VERSION }} channel: ${{ matrix.arch == 'arm64' && 'master' || 'stable' }} # https://github.com/subosito/flutter-action/issues/345#issuecomment-2657332687 - cache: true + cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Mark git safe directories shell: bash @@ -598,13 +602,13 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: - enable-cache: false + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Setup Flutter uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' - cache: true + cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Patch Python and Flutter versions shell: bash @@ -694,13 +698,13 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: - enable-cache: false + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Setup Flutter uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' - cache: true + cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Analyze and Build Flutter & Python packages shell: bash @@ -760,6 +764,8 @@ jobs: build_flet_cli_desktop: name: Build flet, flet-cli and flet-desktop Python packages runs-on: ubuntu-latest + permissions: + contents: read env: PYPI_VER: ${{ needs.build_flet_package.outputs.PYPI_VER }} needs: 
@@ -772,7 +778,9 @@ jobs: persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Build Python packages shell: bash @@ -831,7 +839,7 @@ jobs: merge-multiple: true - name: Create/Update GitHub Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -864,6 +872,7 @@ jobs: with: ignore-empty-workdir: true cache-dependency-glob: "" + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Download artifacts uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index bffca8580a..f938d79b80 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -17,9 +17,10 @@ jobs: persist-credentials: false - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 + package-manager-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Enable Corepack run: corepack enable @@ -27,7 +28,7 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: - enable-cache: false + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Build website run: | diff --git a/.github/workflows/flet-build-test.yml b/.github/workflows/flet-build-test.yml index 064d6bc33b..a3d9c4045c 100644 --- a/.github/workflows/flet-build-test.yml +++ b/.github/workflows/flet-build-test.yml 
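Review bot: In the `publish` hunk (`@@ -864,6 +872,7 @@`) `enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }}` always evaluates to false, because the job is guarded by `if: startsWith(github.ref, 'refs/tags/')` (visible in patch 2); writing `enable-cache: false` states the intent directly and avoids a reader assuming a cache is ever used when publishing. The same commit also moves `softprops/action-gh-release` from v2 to the v3.0.0 SHA; a major bump inside a commit titled "improve caching" is easy to miss when bisecting, and v3's behaviour differences should be checked against the release step's inputs, which are outside the hunk.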
@@ -173,7 +173,9 @@ jobs: persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Patch versions shell: bash @@ -195,7 +197,7 @@ jobs: uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' - cache: true + cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Build app shell: bash @@ -241,13 +243,15 @@ jobs: persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Setup Flutter uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' - cache: true + cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Patch versions shell: bash diff --git a/.github/workflows/macos-integration-tests.yml b/.github/workflows/macos-integration-tests.yml index ed03f0bb06..ea67f495e3 100644 --- a/.github/workflows/macos-integration-tests.yml +++ b/.github/workflows/macos-integration-tests.yml @@ -62,13 +62,15 @@ jobs: persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + with: + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Setup Flutter uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' - cache: true + cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Show tool versions run: | From 290c122d500ee332227a1dcb6c585a5f63dbddcc Mon Sep 17 00:00:00 2001 
From: ndonkoHenri Date: Thu, 18 Jun 2026 06:47:14 +0200 Subject: [PATCH 4/5] zizmor action --- .github/workflows/zizmor.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000000..e9ba32c042 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,28 @@ +name: zizmor - GitHub Actions Security Analysis + +on: + push: + pull_request: + +permissions: {} + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + steps: + - name: Checkout + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + # Fork PRs get a read-only token (no security-events: write), so the + # SARIF upload would fail. Skip it for forks — they still get inline + # annotations; pushes and same-repo PRs upload to code scanning. + advanced-security: ${{ github.event.pull_request.head.repo.fork != true }} From 5c910cf141867eb6376e84e8d30822860bff09f6 Mon Sep 17 00:00:00 2001 From: ndonkoHenri Date: Thu, 18 Jun 2026 07:03:07 +0200 Subject: [PATCH 5/5] update --- .github/workflows/ci.yml | 1 - .github/workflows/flet-build-test-matrix.yml | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 02e92b58f3..3fd6fe2a5d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -106,7 +106,6 @@ jobs: persist-credentials: false - name: Setup Node.js - # zizmor: ignore[cache-poisoning] -- node binary tool-cache cannot be disabled; docs-only job, low risk uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 
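Review bot: zizmor.yml triggers on both `push:` and `pull_request:` with no branch filter, so every same-repo PR branch runs the scan twice, and there is no `concurrency:` block to cancel superseded runs as ci.yml has; a `concurrency:` group keyed on the ref, or restricting `push` to the default branch, fixes that. The `permissions: {}` default with `security-events: write` / `contents: read` scoped to the job is the right shape. The `advanced-security` expression also falls through to `true` on `push` events, where `github.event.pull_request` is absent; that reasoning deserves one more line in the existing comment.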
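Review bot: The ci.yml hunk in patch 5 has a pre-image blob `02e92b58f3` that no earlier patch in the series produces (patch 3 leaves ci.yml at `9bb519fc5a` and patch 4 only adds zizmor.yml), and the `# zizmor: ignore[cache-poisoning]` comment it removes is not added anywhere in the series, so the patches as posted will not apply in order. Either include the missing commit or rebase patch 5 onto patch 4. The enclosing `docs_build` job starts outside the hunk.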
diff --git a/.github/workflows/flet-build-test-matrix.yml b/.github/workflows/flet-build-test-matrix.yml index 16d522fe00..8d139861e3 100644 --- a/.github/workflows/flet-build-test-matrix.yml +++ b/.github/workflows/flet-build-test-matrix.yml @@ -151,7 +151,7 @@ jobs: - name: Setup uv uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 with: - enable-cache: false + enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Patch versions shell: bash @@ -173,7 +173,7 @@ jobs: uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3 with: path: '.fvmrc' - cache: true + cache: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Build app shell: bash
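Review bot: flet-build-test-matrix.yml receives only the two cache-condition changes; its checkout step and job `permissions:` are outside these hunks, so it is not visible whether it got `persist-credentials: false`, SHA pins and scoped permissions like the other workflows — confirm, since one unhardened workflow undoes the goal of the series. As in the other files, a comment at the first `enable-cache:` explaining the tag condition would help the next reader.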