ci: Zizmor security hardening #212
Pull request overview
This PR hardens the repository’s GitHub Actions configuration to satisfy zizmor security guidance (pinning actions by SHA, tightening token permissions, and mitigating injection/cache-poisoning findings) and adds automation for ongoing security analysis and dependency updates.
Changes:
- Hardened `.github/workflows/ci.yml` by pinning all actions to SHAs, setting `persist-credentials: false`, adding top-level `permissions: contents: read`, and reducing injection risk by moving simulator UDID into `env:`.
- Added `.github/workflows/zizmor.yml` to run zizmor and upload results to Code Scanning.
- Added `.github/dependabot.yml` to group monthly GitHub Actions updates with a cooldown.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/zizmor.yml | New zizmor workflow for GitHub Actions security analysis + SARIF upload. |
| .github/workflows/ci.yml | CI workflow hardening: pinned actions, reduced permissions, safer env usage, cache-poisoning mitigations. |
| .github/dependabot.yml | Dependabot configuration for grouped monthly GitHub Actions updates. |
Windows Image: windows-2025-vs2026
Runs zizmor (zizmorcore/zizmor-action) on pushes and PRs to statically audit the workflows for CI/CD security issues (unpinned actions, excessive token permissions, cache poisoning, template injection, credential persistence). Uploads SARIF to code scanning on pushes and same-repo PRs; fork PRs get a read-only token, so the SARIF upload is skipped for them (they still receive inline annotations). Least privilege: empty top-level permissions; the job grants only security-events: write + contents: read. The action itself is pinned to a commit SHA.
Security hardening of the CI workflow with no functional change to what the jobs do:

- Pin every action to a commit SHA (with a human-readable version comment) to defeat tag-mutation supply-chain attacks (unpinned-uses).
- Add a least-privilege top-level `permissions: contents: read` (excessive-permissions).
- Set `persist-credentials: false` on every checkout so the workflow token isn't left behind in the local git config (artipacked).
- Pass the iOS simulator UDID through a step `env:` var instead of interpolating `steps.simulator.outputs.udid` straight into the run script (template-injection).
- Gate every runtime cache on tag/release refs to avoid cache poisoning of release builds: `lookup-only`/`cache-disabled` become true on tags for the flet, AVD and Gradle caches, and the publish job's uv cache is disabled on tags via `enable-cache`. On branch/PR builds these evaluate to normal read-write caching, so CI performance is unchanged.

setup-gradle stays on v5 (pinned to v5.0.2) per the existing licensing note; it is not bumped to v6.

Verified locally with `zizmor` v1.26.1: no findings (default persona, online audits).
Hardens `ci.yml` to pass zizmor (49 findings → 0) and adds ongoing automation.

Hardening

- `persist-credentials: false` on all checkouts; top-level `permissions: contents: read` (publish uses `PUB_DEV_TOKEN`).
- `env:`.
- `refs/tags/*` builds (per zizmor remediation) — fast on branch/PR runs, safe on releases.

Added

- `.github/workflows/zizmor.yml` — runs zizmor on every push/PR → code scanning.
- `.github/dependabot.yml` — github-actions, monthly, grouped, 7-day cooldown.
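The hardening patterns named in the commit message above, shown together in one workflow. This is an added sketch, not the repository's `ci.yml`: the workflow and job names, the cache path and key, the `scripts/pick-simulator.sh` helper, and the `<FULL_COMMIT_SHA>` / `vX.Y.Z` placeholders are all assumptions.

```yaml
# Added illustration only. <FULL_COMMIT_SHA>, vX.Y.Z, the cache path/key and
# scripts/pick-simulator.sh are placeholders, not values from the PR.
name: ci-hardening-sketch
on:
  push:
    branches: [main]
    tags: ["v*"]
  pull_request:

# excessive-permissions: the workflow token is read-only unless a job asks for more.
permissions:
  contents: read

jobs:
  ios-test:
    runs-on: macos-latest
    steps:
      # unpinned-uses: a tag such as @v4 can be moved to different code later;
      # a full commit SHA cannot. The trailing comment keeps the version readable.
      - uses: actions/checkout@<FULL_COMMIT_SHA> # vX.Y.Z
        with:
          # artipacked: do not leave the token behind in the local .git/config.
          persist-credentials: false

      - uses: actions/cache@<FULL_COMMIT_SHA> # vX.Y.Z
        with:
          path: ~/.cache/example-tool
          key: example-${{ runner.os }}-${{ hashFiles('**/*.lock') }}
          # cache-poisoning: on tag (release) refs, only check whether an entry
          # exists and skip restoring it; branch/PR runs evaluate to false and
          # cache normally.
          lookup-only: ${{ startsWith(github.ref, 'refs/tags/') }}

      - id: simulator
        run: echo "udid=$(./scripts/pick-simulator.sh)" >> "$GITHUB_OUTPUT"

      # template-injection, before: the expression is substituted into the
      # script text before the shell parses it, so the value is read as shell
      # syntax rather than as data.
      #   run: xcrun simctl boot ${{ steps.simulator.outputs.udid }}
      # After: the value arrives in an environment variable and is expanded by
      # the shell as a single quoted argument.
      - name: Boot simulator
        env:
          SIMULATOR_UDID: ${{ steps.simulator.outputs.udid }}
        run: xcrun simctl boot "$SIMULATOR_UDID"
```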