Skip to content

ci: Zizmor security hardening#212

Merged
FeodorFitsner merged 3 commits into
mainfrom
zizmor
Jul 2, 2026
Merged

ci: Zizmor security hardening#212
FeodorFitsner merged 3 commits into
mainfrom
zizmor

Conversation

@ndonkoHenri

Copy link
Copy Markdown
Collaborator

Hardens ci.yml to pass zizmor (49 findings → 0) and adds ongoing automation.

Hardening

  • All actions bumped to latest and pinned to commit SHA (with version comments): checkout v6.0.3, setup-uv v8.2.0, actions/cache v5.0.5, simulator-action v5, gradle/actions v6.2.0, android-emulator-runner v2.37.0, flutter-action v2.23.0, flutter-fvm-config-action v3.3.
  • persist-credentials: false on all checkouts; top-level permissions: contents: read (publish uses PUB_DEV_TOKEN).
  • Template-injection: simulator UDID output moved into env:.
  • Cache-poisoning: caching disabled only on refs/tags/* builds (per zizmor remediation) — fast on branch/PR runs, safe on releases.

Added

  • .github/workflows/zizmor.yml — runs zizmor on every push/PR → code scanning.
  • .github/dependabot.yml — github-actions, monthly, grouped, 7-day cooldown.

@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the repository’s GitHub Actions configuration to satisfy zizmor security guidance (pinning actions by SHA, tightening token permissions, and mitigating injection/cache-poisoning findings) and adds automation for ongoing security analysis and dependency updates.

Changes:

  • Hardened .github/workflows/ci.yml by pinning all actions to SHAs, setting persist-credentials: false, adding top-level permissions: contents: read, and reducing injection risk by moving simulator UDID into env:.
  • Added .github/workflows/zizmor.yml to run zizmor and upload results to Code Scanning.
  • Added .github/dependabot.yml to group monthly GitHub Actions updates with a cooldown.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/zizmor.yml New zizmor workflow for GitHub Actions security analysis + SARIF upload.
.github/workflows/ci.yml CI workflow hardening: pinned actions, reduced permissions, safer env usage, cache-poisoning mitigations.
.github/dependabot.yml Dependabot configuration for grouped monthly GitHub Actions updates.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/zizmor.yml
@cclauss

cclauss commented Jun 17, 2026

Copy link
Copy Markdown

Windows Image: windows-2025-vs2026

@ndonkoHenri ndonkoHenri changed the title ci: Zizmor security hardening + Dependabot ci: Zizmor security hardening Jun 18, 2026
Runs zizmor (zizmorcore/zizmor-action) on pushes and PRs to statically
audit the workflows for CI/CD security issues (unpinned actions, excessive
token permissions, cache poisoning, template injection, credential
persistence). Uploads SARIF to code scanning on pushes and same-repo PRs;
fork PRs get a read-only token, so the SARIF upload is skipped for them
(they still receive inline annotations).

Least privilege: empty top-level permissions; the job grants only
security-events: write + contents: read. The action itself is pinned to a
commit SHA.
Security hardening of the CI workflow with no functional change to what the
jobs do:

- Pin every action to a commit SHA (with a human-readable version comment)
  to defeat tag-mutation supply-chain attacks (unpinned-uses).
- Add a least-privilege top-level `permissions: contents: read`
  (excessive-permissions).
- Set `persist-credentials: false` on every checkout so the workflow token
  isn't left behind in the local git config (artipacked).
- Pass the iOS simulator UDID through a step `env:` var instead of
  interpolating `steps.simulator.outputs.udid` straight into the run script
  (template-injection).
- Gate every runtime cache on tag/release refs to avoid cache poisoning of
  release builds: `lookup-only`/`cache-disabled` become true on tags for the
  flet, AVD and Gradle caches, and the publish job's uv cache is disabled on
  tags via `enable-cache`. On branch/PR builds these evaluate to normal
  read-write caching, so CI performance is unchanged.

setup-gradle stays on v5 (pinned to v5.0.2) per the existing licensing note;
it is not bumped to v6.

Verified locally with `zizmor` v1.26.1: no findings (default persona,
online audits).
@FeodorFitsner FeodorFitsner merged commit 33d0293 into main Jul 2, 2026
53 of 56 checks passed
@FeodorFitsner FeodorFitsner deleted the zizmor branch July 2, 2026 03:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants