ci: Zizmor security hardening#212

Open
ndonkoHenri wants to merge 4 commits into main from zizmor
Conversation

@ndonkoHenri

Collaborator

Hardens ci.yml to pass zizmor (49 findings → 0) and adds ongoing automation.

Hardening

  • All actions bumped to latest and pinned to commit SHA (with version comments): checkout v6.0.3, setup-uv v8.2.0, actions/cache v5.0.5, simulator-action v5, gradle/actions v6.2.0, android-emulator-runner v2.37.0, flutter-action v2.23.0, flutter-fvm-config-action v3.3.
  • persist-credentials: false on all checkouts; top-level permissions: contents: read (publish uses PUB_DEV_TOKEN).
  • Template-injection: simulator UDID output moved into env:.
  • Cache-poisoning: caching disabled only on refs/tags/* builds (per zizmor remediation) — fast on branch/PR runs, safe on releases.

Added

  • .github/workflows/zizmor.yml — runs zizmor on every push/PR → code scanning.
  • .github/dependabot.yml — github-actions, monthly, grouped, 7-day cooldown.

…abot

Harden ci.yml to pass zizmor (49 findings -> 0):
- Bump every action to its latest release as of today, then pin to commit SHA
  (with version comments for Dependabot): checkout v4->v6.0.3, setup-uv
  v6->v8.2.0, actions/cache v4->v5.0.5, simulator-action v4->v5,
  gradle/actions v3->v6.2.0, android-emulator-runner v2.37.0,
  subosito/flutter-action v2.23.0, flutter-fvm-config-action v3.3.
- persist-credentials: false on all checkouts (no job pushes via git; publish
  only reads tags with git describe).
- Least-privilege top-level permissions: contents: read (publish uses
  PUB_DEV_TOKEN, not GITHUB_TOKEN).
- template-injection: move simulator UDID output into env:.
- cache-poisoning: disable caching on tag/release refs only (per zizmor
  remediation) so branch/PR CI stays fast while release builds cannot restore a
  poisoned cache: setup-uv enable-cache and gradle cache-disabled gated on
  github.ref, AVD cache lookup-only on tags.

Add .github/workflows/zizmor.yml (official zizmor-action on push/PR ->
code scanning) and .github/dependabot.yml (github-actions, monthly, grouped,
7-day cooldown).
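The four ci.yml remediations listed above, written out as one illustrative workflow. This is an added example, not the project's ci.yml: the job layout, the simulator and test step contents, the action owners (futureware-tech/simulator-action, astral-sh/setup-uv, gradle/actions/setup-gradle) and the all-zero SHAs are assumptions or placeholders, while the input names (persist-credentials, enable-cache, cache-disabled, lookup-only) are the real ones for those actions.

```yaml
name: CI

on:
  push:
    branches: [main]
    tags: ["v*"]
  pull_request:

# Least privilege: GITHUB_TOKEN can only read the repository.
permissions:
  contents: read

jobs:
  build:
    runs-on: macos-latest
    steps:
      # Every action is pinned to a full commit SHA; the version comment lets
      # Dependabot keep the pin current. The zeros are PLACEHOLDER SHAs: use
      # the commit each listed version actually resolves to.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v6.0.3
        with:
          persist-credentials: false   # no job pushes via git
      - id: simulator
        uses: futureware-tech/simulator-action@0000000000000000000000000000000000000000 # v5
        with:
          model: "iPhone 16"
      # template-injection fix: the step output reaches the shell through an
      # environment variable, not by interpolation into the script text.
      - name: Run integration tests on the simulator (illustrative step)
        env:
          UDID: ${{ steps.simulator.outputs.udid }}
        run: flutter test integration_test -d "$UDID"
      # cache-poisoning fix: caches are not restored on refs/tags/* builds, so
      # branch and PR runs stay fast while releases cannot reuse a poisoned entry.
      - uses: astral-sh/setup-uv@0000000000000000000000000000000000000000 # v8.2.0
        with:
          enable-cache: ${{ !startsWith(github.ref, 'refs/tags/') }}
      - uses: gradle/actions/setup-gradle@0000000000000000000000000000000000000000 # v6.2.0
        with:
          cache-disabled: ${{ startsWith(github.ref, 'refs/tags/') }}
      - uses: actions/cache@0000000000000000000000000000000000000000 # v5.0.5
        with:
          path: ~/.android/avd/*
          key: avd-${{ runner.os }}-api-34
          lookup-only: ${{ startsWith(github.ref, 'refs/tags/') }}
```

With lookup-only set on tag refs the AVD step only checks whether an entry exists and never downloads it, which is what "AVD cache lookup-only on tags" in the commit message amounts to.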
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Copilot AI left a comment

Pull request overview

This PR hardens the repository’s GitHub Actions configuration to satisfy zizmor security guidance (pinning actions by SHA, tightening token permissions, and mitigating injection/cache-poisoning findings) and adds automation for ongoing security analysis and dependency updates.

Changes:

  • Hardened .github/workflows/ci.yml by pinning all actions to SHAs, setting persist-credentials: false, adding top-level permissions: contents: read, and reducing injection risk by moving simulator UDID into env:.
  • Added .github/workflows/zizmor.yml to run zizmor and upload results to Code Scanning.
  • Added .github/dependabot.yml to group monthly GitHub Actions updates with a cooldown.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File                            Description
.github/workflows/zizmor.yml    New zizmor workflow for GitHub Actions security analysis + SARIF upload.
.github/workflows/ci.yml        CI workflow hardening: pinned actions, reduced permissions, safer env usage, cache-poisoning mitigations.
.github/dependabot.yml          Dependabot configuration for grouped monthly GitHub Actions updates.

Comment thread .github/workflows/zizmor.yml
cclauss commented Jun 17, 2026

Windows Image: windows-2025-vs2026

Fork PRs run with a read-only GITHUB_TOKEN (no security-events: write), so the code-scanning SARIF upload fails and reddens the check for external contributors. Gate advanced-security on the PR not being from a fork: forks still get inline annotations, while pushes and same-repo PRs upload to the Security tab.

Keep this PR focused on zizmor security hardening; Dependabot to be handled separately.
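The fork gate suggested in the comment above, as an added example and not the PR's own zizmor.yml. It assumes the official action is zizmorcore/zizmor-action with its advanced-security input (annotations left at their default), and the all-zero SHAs are placeholders for the real pinned commits.

```yaml
name: zizmor

on:
  push:
    branches: [main]
  pull_request:

permissions: {}

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read
      security-events: write   # honoured on pushes and same-repo PRs; fork PRs only get a read-only token
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v6.0.3 (PLACEHOLDER SHA)
        with:
          persist-credentials: false
      # Fork PRs run with a read-only GITHUB_TOKEN, so the SARIF upload would
      # fail and redden the check. Upload to code scanning only for pushes and
      # same-repo PRs; fork PRs still receive the action's inline annotations.
      - uses: zizmorcore/zizmor-action@0000000000000000000000000000000000000000 # PLACEHOLDER SHA
        with:
          advanced-security: ${{ github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork }}
```

On a push event the pull_request context is empty, so the first half of the expression short-circuits to true and the upload proceeds.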
@ndonkoHenri ndonkoHenri changed the title ci: Zizmor security hardening + Dependabot ci: Zizmor security hardening Jun 18, 2026
4 participants