flet-dev · ndonkoHenri · Jun 17, 2026 · Jun 17, 2026 · Jun 18, 2026 · Jun 18, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -3,24 +3,32 @@ name: Build docs
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build Documentation
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 20
+          package-manager-cache: ${{ !startsWith(github.ref, 'refs/tags/') }}
 
       - name: Enable Corepack
         run: corepack enable
 
       - name: Setup uv
-        uses: astral-sh/setup-uv@v6
+        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        with:
+          enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }}
 
       - name: Build website
         run: |

diff --git a/.github/workflows/flet-build-image.yml b/.github/workflows/flet-build-image.yml
@@ -11,28 +11,30 @@ on:
         type: boolean
         default: true
 
-permissions:
-  contents: read
-  packages: write
-
 env:
   IMAGE: ghcr.io/${{ github.repository_owner }}/flet-build
 
 jobs:
   resolve_version:
     name: Resolve Flutter version
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       flutter_version: ${{ steps.v.outputs.value }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Resolve version
         id: v
+        env:
+          FLUTTER_VERSION_INPUT: ${{ inputs.flutter_version }}
         run: |
-          if [ -n "${{ inputs.flutter_version }}" ]; then
-            v="${{ inputs.flutter_version }}"
+          if [ -n "$FLUTTER_VERSION_INPUT" ]; then
+            v="$FLUTTER_VERSION_INPUT"
           else
             v="$(jq -r .flutter .fvmrc)"
           fi
@@ -51,11 +53,16 @@ jobs:
           - platform: linux/arm64
             runner: ubuntu-24.04-arm
     runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
+      packages: write
     env:
       FLUTTER_VERSION: ${{ needs.resolve_version.outputs.flutter_version }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Compute platform pair
         id: pair
@@ -64,18 +71,18 @@ jobs:
           echo "value=${p//\//-}" >> "$GITHUB_OUTPUT"
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 
       - name: Log in to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build & push by digest
         id: build
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
         with:
           context: docker/flet-build
           file: docker/flet-build/Dockerfile
@@ -88,13 +95,15 @@ jobs:
           provenance: false
 
       - name: Export digest
+        env:
+          BUILD_DIGEST: ${{ steps.build.outputs.digest }}
         run: |
           mkdir -p /tmp/digests
-          digest="${{ steps.build.outputs.digest }}"
+          digest="$BUILD_DIGEST"
           touch "/tmp/digests/${digest#sha256:}"
 
       - name: Upload digest
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: flet-build-digests-${{ steps.pair.outputs.value }}
           path: /tmp/digests/*
@@ -107,21 +116,23 @@ jobs:
       - resolve_version
       - build
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
     env:
       FLUTTER_VERSION: ${{ needs.resolve_version.outputs.flutter_version }}
     steps:
       - name: Download digests
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: /tmp/digests
           pattern: flet-build-digests-*
           merge-multiple: true
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 
       - name: Log in to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -139,8 +150,10 @@ jobs:
 
       - name: Create & push manifest
         working-directory: /tmp/digests
+        env:
+          TAG_FLAGS: ${{ steps.tags.outputs.flags }}
         run: |
-          docker buildx imagetools create ${{ steps.tags.outputs.flags }} \
+          docker buildx imagetools create $TAG_FLAGS \
             $(printf "${IMAGE}@sha256:%s " *)
 
       - name: Inspect image

diff --git a/.github/workflows/flet-build-test-matrix.yml b/.github/workflows/flet-build-test-matrix.yml
@@ -32,6 +32,8 @@ jobs:
   build:
     name: Build (${{ matrix.name }})
     runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -140,13 +142,16 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           fetch-depth: 0
           fetch-tags: true
+          persist-credentials: false
 
       - name: Setup uv
-        uses: astral-sh/setup-uv@v6
+        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        with:
+          enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }}
 
       - name: Patch versions
         shell: bash
@@ -165,20 +170,22 @@ jobs:
           sudo apt-get clean
 
       - name: Setup Flutter
-        uses: kuhnroyal/flutter-fvm-config-action/setup@v3
+        uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3
         with:
           path: '.fvmrc'
-          cache: true
+          cache: ${{ !startsWith(github.ref, 'refs/tags/') }}
 
       - name: Build app
         shell: bash
         working-directory: sdk/python/examples/apps/flet_build_test
+        env:
+          PYTHON_VERSION: ${{ inputs.python_version }}
         run: |
           echo "FLET_BUILD_EXTRA_ARGS='${FLET_BUILD_EXTRA_ARGS}'"
-          uv run ${{ matrix.build_cmd }} --python-version ${{ inputs.python_version }} --yes --verbose --build-number ${{ github.run_number }} $FLET_BUILD_EXTRA_ARGS
+          uv run ${{ matrix.build_cmd }} --python-version "$PYTHON_VERSION" --yes --verbose --build-number ${{ github.run_number }} $FLET_BUILD_EXTRA_ARGS
 
       - name: Upload Artifact
-        uses: actions/upload-artifact@v5.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: ${{ matrix.artifact_name }}-py${{ inputs.python_version }}
           path: sdk/python/examples/apps/flet_build_test/${{ matrix.artifact_path }}

diff --git a/.github/workflows/flet-build-test.yml b/.github/workflows/flet-build-test.yml
@@ -48,6 +48,9 @@ concurrency:
   group: ci-${{ github.workflow }}-${{ github.event.pull_request.head.ref || github.ref_name }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 env:
   ROOT: "${{ github.workspace }}"
   SDK_PYTHON: "${{ github.workspace }}/sdk/python"
@@ -94,6 +97,8 @@ jobs:
   pack:
     name: Pack (${{ matrix.name }})
     runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
     env:
       FLET_DESKTOP_FLAVOR: full
     strategy:
@@ -111,19 +116,22 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           fetch-depth: 0
           fetch-tags: true
+          persist-credentials: false
 
       - name: Setup uv
-        uses: astral-sh/setup-uv@v6
+        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        with:
+          enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }}
 
       - name: Setup Flutter
-        uses: kuhnroyal/flutter-fvm-config-action/setup@v3
+        uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3
         with:
           path: '.fvmrc'
-          cache: true
+          cache: ${{ !startsWith(github.ref, 'refs/tags/') }}
 
       - name: Patch versions
         shell: bash
@@ -185,7 +193,7 @@ jobs:
           uv run --with pyinstaller flet pack src/main.py --yes --name flet-pack-test --distpath dist $FLET_PACK_EXTRA_ARGS
 
       - name: Upload Artifact
-        uses: actions/upload-artifact@v5.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: ${{ matrix.name }}-pack-artifact
           path: sdk/python/examples/apps/flet_build_test/dist

diff --git a/.github/workflows/macos-integration-tests.yml b/.github/workflows/macos-integration-tests.yml
@@ -35,6 +35,8 @@ env:
 jobs:
   test-macos:
     runs-on: macos-26
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -55,16 +57,20 @@ jobs:
     name: ${{ matrix.suite }} Integration Tests
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Setup uv
-        uses: astral-sh/setup-uv@v6
+        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        with:
+          enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }}
 
       - name: Setup Flutter
-        uses: kuhnroyal/flutter-fvm-config-action/setup@v3
+        uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3
         with:
           path: '.fvmrc'
-          cache: true
+          cache: ${{ !startsWith(github.ref, 'refs/tags/') }}
 
       - name: Show tool versions
         run: |
@@ -91,7 +97,7 @@ jobs:
 
       - name: Upload artifact
         if: failure()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: integration-test-failures-macos-${{ env.SAFE_SUITE }}
           path: sdk/python/packages/flet/integration_tests/${{ matrix.suite }}/**/*_actual.png

diff --git a/.github/workflows/release-pr-changelog.yml b/.github/workflows/release-pr-changelog.yml
@@ -18,11 +18,14 @@ jobs:
   changelog_record:
     name: Require changelog record
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Verify root changelog update
         shell: bash

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,28 @@
+name: zizmor - GitHub Actions Security Analysis
+
+on:
+  push:
+  pull_request:
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+        with:
+          # Fork PRs get a read-only token (no security-events: write), so the
+          # SARIF upload would fail. Skip it for forks — they still get inline
+          # annotations; pushes and same-repo PRs upload to code scanning.
+          advanced-security: ${{ github.event.pull_request.head.repo.fork != true }}