ci: zizmor security checks, richer job summaries#79
Merged
Conversation
Phase 1 — a Summarize built wheels step lists each matrix job's produced wheels (name + size) in the GitHub job summary (cibuildwheel-style). Phase 2 — publish_to_pypi now captures Gemfury's per-wheel HTTP status and writes a publish table (published / already-exists / failed), and returns non-zero on a real upload failure (previously a failed upload was silently swallowed). Duplicates (409 / already exists) are expected on re-publish and do not fail the step.
…n run on workflow_dispatch Publishing was gated to push-to-main only. Add a boolean publish input (default false) threaded build-wheels.yml -> build-wheels-version.yml; the publish step now runs when (push to main) OR publish=true. Lets a manual dispatch exercise + demo the publish summary without changing default behavior.
…e test title The mobile-test summary used a ## heading titled "recipe-tester — <platform>", while the built-wheels (📦) and publish (⬆️) sections use ###. Level it to ### and rename to "🧪 On-device test — <platform>" so the run summary reads as a consistent build → test → publish progression.
The publish input was demo scaffolding so a fork dispatch could exercise the publish-status summary. Revert it: publishing is back to push-to-main-only. Keeps the built-wheels (📦) and publish-status (⬆️) summaries and the on-device test heading (🧪).
Standardize on-device test section titles by dynamically including the specific platform (e.g., Android Emulator, iOS Simulator) for clarity in the job summary.
There was a problem hiding this comment.
Pull request overview
Housekeeping update to the repository’s CI and metadata defaults: hardens GitHub Actions workflows (zizmor-clean, pinned actions, least-privilege permissions), improves GitHub job summaries for builds/tests/publishing, tunes Dependabot noise/risk controls, and updates the default recipe build.number to 1 to align build tagging behavior.
Changes:
- Add a dedicated zizmor workflow and harden existing wheel build workflows (pinned SHAs, reduced permissions, safer input handling, non-persisting checkouts).
- Add richer job summaries (built wheel tables; clearer on-device test headings; publish outcome table and stricter failure behavior).
- Tune Dependabot scheduling/grouping and update meta schema + CI parsing to default
build.numberto 1.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
src/forge/schema/meta-schema.yaml |
Changes recipe schema default build.number to 1 and expands its description. |
.github/workflows/zizmor.yml |
Adds zizmor workflow to continuously scan Actions security and upload results to code scanning. |
.github/workflows/build-wheels.yml |
Hardens workflow permissions/checkout and pins actions to SHAs. |
.github/workflows/build-wheels-version.yml |
Hardens workflow permissions/checkout, pins actions to SHAs, mitigates template injection risk, adds wheel build summaries, updates action versions. |
.github/dependabot.yml |
Adjusts cadence/grouping and adds cooldown settings for Dependabot updates. |
.ci/wait_for_console.sh |
Improves GitHub job summary headings for on-device test output. |
.ci/read_meta.py |
Aligns build number default parsing with the updated schema default (1). |
.ci/common.sh |
Enhances publishing to emit a job-summary table and fail on real upload errors. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Stop merging curl stderr into the captured output (drop 2>&1): a transfer-level failure could otherwise push a non-status line onto what tail parses as the HTTP code. -S still surfaces errors on stderr / the log. - Drop "denied" from the duplicate-detection pattern: it is ambiguous and would misclassify a real 401/403 auth failure as "already exists". Keep matching only "already exists|same version".
Fork PRs run with a read-only GITHUB_TOKEN (no security-events: write), so the code-scanning SARIF upload fails and reddens the check for external contributors. Gate advanced-security on the PR not being from a fork: forks still get inline annotations, while pushes and same-repo PRs upload to the Security tab.
Dependabot does not run on this fork, so the config was dead. Drop it; manage dependency updates separately if needed.
ndonkoHenri
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Housekeeping pass over the build/publish CI: clearer run summaries, a security audit + hardening of the workflows. No change to what wheels we build or where they publish.
Workflow security hardening (now zizmor-clean)
Ran zizmor over the workflows and fixed every finding:
@<sha> # <tag>), so Dependabot still tracks/bumps them.dtolnay/rust-toolchaingained an explicittoolchain: stablesince the SHA drops the channel.permissions:— top-levelcontents: readon both workflows (deny-by-default elsewhere).persist-credentials: falseon all checkouts (we publish via curl, not git).inputs.*used in the matrix step are now passed viaenv:instead of interpolated straight intorun:.New: Security audit workflow
.github/workflows/zizmor.ymlruns zizmor (officialzizmor-action) on every push and PR, uploading findings to code scanning — so workflow-security regressions surface as a check + Security-tab alerts before they land.Job summaries
Workflow runs now write readable Markdown to the GitHub job summary instead of burying everything in logs:
*.whlproduced (name + size), inspired by cibuildwheel's summary.🧪 Test on Android Emulator/🧪 Test on iOS Simulator), all leveled to###so the summary reads as build → test → publish.🔢 Default build number → 1
read_meta.py+ the meta schema now default a recipe'sbuild.numberto 1.