Skip to content

ci: Zizmor security hardening #212

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ndonkoHenri wants to merge 4 commits into
base: main
Choose a base branch
from
Open

ci: Zizmor security hardening #212

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
7c1a217
ci: zizmor security hardening, latest action versions, audit + Depend…
ndonkoHenri Jun 17, 2026
e782dc1
improvements
ndonkoHenri Jun 17, 2026
03b0a47
ci: skip zizmor SARIF upload on fork PRs [skip ci]
ndonkoHenri Jun 17, 2026
65363f1
ci: drop dependabot config from this PR
ndonkoHenri Jun 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
69 changes: 48 additions & 21 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,9 @@ env:
SERIOUS_PYTHON_SITE_PACKAGES: "${{ github.workspace }}/site-packages"
UV_PYTHON: "3.12"

permissions:
contents: read

jobs:
macos:
name: Test on macOS (Python ${{ matrix.python_version }})
Expand All @@ -27,10 +30,12 @@ jobs:
SERIOUS_PYTHON_VERSION: ${{ matrix.python_version }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false

- name: Setup Flutter
uses: kuhnroyal/flutter-fvm-config-action/setup@v3
uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3
with:
path: '.fvmrc'
cache: true
Expand All @@ -52,17 +57,19 @@ jobs:
SERIOUS_PYTHON_VERSION: ${{ matrix.python_version }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false

- name: Setup Flutter
uses: kuhnroyal/flutter-fvm-config-action/setup@v3
uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3
with:
path: '.fvmrc'
cache: true

- name: Setup iOS Simulator
id: simulator
uses: futureware-tech/simulator-action@v4
uses: futureware-tech/simulator-action@e89aa8f93d3aec35083ff49d2854d07f7186f7f5 # v5
with:
# https://github.com/futureware-tech/simulator-action/wiki/Devices-macos-latest
model: 'iPhone 16 Pro Max'
Expand All @@ -73,9 +80,11 @@ jobs:

- name: Run tests
working-directory: "src/serious_python/example/flet_example"
env:
SIMULATOR_UDID: ${{ steps.simulator.outputs.udid }}
run: |
dart run serious_python:main package app/src --platform iOS --python-version ${{ matrix.python_version }} --requirements flet==0.28.3
flutter test integration_test --device-id ${{ steps.simulator.outputs.udid }} --dart-define=EXPECTED_PYTHON_VERSION=${{ matrix.python_version }}
flutter test integration_test --device-id ${SIMULATOR_UDID} --dart-define=EXPECTED_PYTHON_VERSION=${{ matrix.python_version }}

android:
name: Test on Android (Python ${{ matrix.python_version }})
Expand All @@ -88,10 +97,12 @@ jobs:
SERIOUS_PYTHON_VERSION: ${{ matrix.python_version }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false

- name: Setup Flutter
uses: kuhnroyal/flutter-fvm-config-action/setup@v3
uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3
with:
path: '.fvmrc'
cache: true
Expand All @@ -103,19 +114,24 @@ jobs:
sudo udevadm trigger --name-match=kvm

- name: Gradle cache
uses: gradle/actions/setup-gradle@v3
uses: gradle/actions/setup-gradle@3f131e8634966bd73d06cc69884922b02e6faf92 # v6.2.0
with:
# Disable the Gradle cache on tag/release builds to avoid cache poisoning.
cache-disabled: ${{ startsWith(github.ref, 'refs/tags/') }}

- name: AVD cache
uses: actions/cache@v4
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: avd-cache
with:
path: |
~/.android/avd/*
~/.android/adb*
key: avd
# Disable cache restore on tag/release builds to avoid cache poisoning.
lookup-only: ${{ startsWith(github.ref, 'refs/tags/') }}

- name: Setup Android Emulator + Run tests
uses: reactivecircus/android-emulator-runner@v2
uses: reactivecircus/android-emulator-runner@e89f39f1abbbd05b1113a29cf4db69e7540cae5a # v2.37.0
env:
EMULATOR_PORT: 5554
with:
Expand Down Expand Up @@ -147,10 +163,12 @@ jobs:
SERIOUS_PYTHON_VERSION: ${{ matrix.python_version }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false

- name: Setup Flutter
uses: kuhnroyal/flutter-fvm-config-action/setup@v3
uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3
with:
path: '.fvmrc'
cache: true
Expand Down Expand Up @@ -180,19 +198,24 @@ jobs:
SERIOUS_PYTHON_VERSION: ${{ matrix.python_version }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false

- name: Setup uv
uses: astral-sh/setup-uv@v6
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
# Disable the uv cache on tag/release builds to avoid cache poisoning.
enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }}

- name: Get Flutter version from ".fvmrc"
uses: kuhnroyal/flutter-fvm-config-action/config@v3
uses: kuhnroyal/flutter-fvm-config-action/config@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3
id: fvm-config-action
with:
path: '.fvmrc'

- name: Setup Flutter
uses: subosito/flutter-action@v2
uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
with:
flutter-version: ${{ steps.fvm-config-action.outputs.FLUTTER_VERSION }}
channel: ${{ matrix.arch == 'arm64' && 'master' || 'stable' }} # https://github.com/subosito/flutter-action/issues/345#issuecomment-2657332687
Expand Down Expand Up @@ -249,15 +272,19 @@ jobs:
steps:

- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
fetch-depth: 0
persist-credentials: false

- name: Setup uv
uses: astral-sh/setup-uv@v6
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
# Disable the uv cache on tag/release builds to avoid cache poisoning.
enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }}

- name: Setup Flutter
uses: kuhnroyal/flutter-fvm-config-action/setup@v3
uses: kuhnroyal/flutter-fvm-config-action/setup@c378498f1d1962d33039c3989411093ef8a17b2c # v3.3
with:
path: '.fvmrc'
cache: true
Expand Down Expand Up @@ -321,4 +348,4 @@ jobs:
publish_pkg src/serious_python_windows
publish_pkg src/serious_python_linux
sleep 600
publish_pkg src/serious_python
publish_pkg src/serious_python
28 changes: 28 additions & 0 deletions .github/workflows/zizmor.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
name: zizmor - GitHub Actions Security Analysis

on:
push:
pull_request:

permissions: {}

jobs:
zizmor:
name: Run zizmor
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
Comment thread
ndonkoHenri marked this conversation as resolved.
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false

- name: Run zizmor
uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
with:
# Fork PRs get a read-only token (no security-events: write), so the
# SARIF upload would fail. Skip it for forks — they still get inline
# annotations; pushes and same-repo PRs upload to code scanning.
advanced-security: ${{ github.event.pull_request.head.repo.fork != true }}
Loading