ci: zizmor security checks

.github/workflows/build-python-version.yml

@@ -34,15 +34,17 @@ jobs:
     runs-on: macos-26
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
 
       - name: Derive short Python version
         shell: bash
         run: |
           echo "PYTHON_VERSION_SHORT=$(echo "$PYTHON_VERSION" | cut -d. -f1,2)" >> "$GITHUB_ENV"
 
       - name: Setup Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
         with:
           python-version: ${{ env.PYTHON_VERSION_SHORT }}
 
@@ -72,7 +74,7 @@ jobs:
           bash ./package-macos-for-dart.sh . "$PYTHON_VERSION"
 
       - name: Upload Darwin build artifacts
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: python-darwin-${{ env.PYTHON_VERSION }}
           path: darwin/dist/python-*.tar.gz
@@ -83,15 +85,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
 
       - name: Derive short Python version
         shell: bash
         run: |
           echo "PYTHON_VERSION_SHORT=$(echo "$PYTHON_VERSION" | cut -d. -f1,2)" >> "$GITHUB_ENV"
 
       - name: Setup Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
         with:
           python-version: ${{ env.PYTHON_VERSION_SHORT }}
 
@@ -130,7 +134,7 @@ jobs:
         run: python3 -m unittest discover -s android/tests -t android/tests -v
 
       - name: Upload build artifacts
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: python-android-${{ env.PYTHON_VERSION }}
           path: android/dist/python-android-*.tar.gz
@@ -141,15 +145,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
 
       - name: Derive short Python version
         shell: bash
         run: |
           echo "PYTHON_VERSION_SHORT=$(echo "$PYTHON_VERSION" | cut -d. -f1,2)" >> "$GITHUB_ENV"
 
       - name: Setup Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
         with:
           python-version: ${{ env.PYTHON_VERSION_SHORT }}
 
@@ -163,7 +169,7 @@ jobs:
           bash ./package-for-linux.sh aarch64 ""
 
       - name: Upload build artifacts
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: python-linux-${{ env.PYTHON_VERSION }}
           path: linux/python-linux-dart-*.tar.gz
@@ -173,28 +179,30 @@ jobs:
     name: Build Python for Windows
     runs-on: windows-2022
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
 
       - name: Derive short Python version
         shell: pwsh
         run: |
-          $parts = "${{ env.PYTHON_VERSION }}".Split(".")
+          $parts = "$env:PYTHON_VERSION".Split(".")
           "PYTHON_VERSION_SHORT=$($parts[0]).$($parts[1])" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
 
       - name: Setup Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
         with:
           python-version: ${{ env.PYTHON_VERSION_SHORT }}
 
       - name: Build CPython from sources and package for Dart
         shell: pwsh
         run: |
           .\windows\package-for-dart.ps1 `
-            -PythonVersion "${{ env.PYTHON_VERSION }}" `
-            -PythonVersionShort "${{ env.PYTHON_VERSION_SHORT }}"
+            -PythonVersion "$env:PYTHON_VERSION" `
+            -PythonVersionShort "$env:PYTHON_VERSION_SHORT"
 
       - name: Upload build artifacts
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: python-windows-${{ env.PYTHON_VERSION }}
           path: windows/python-windows-for-dart-*.zip

.github/workflows/build-python.yml

@@ -20,6 +20,9 @@
   group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   setup:
     name: Read build matrix from manifest
@@ -28,7 +31,9 @@
       versions: ${{ steps.read.outputs.versions }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
       - name: Extract Python versions from manifest.json
         id: read
         # manifest.json is the single source of truth: it both selects which
@@ -46,7 +51,6 @@
     uses: ./.github/workflows/build-python-version.yml
     with:
       python_version: ${{ matrix.python_version }}
-    secrets: inherit
 
   publish-release:
     name: Publish Release Assets
@@ -63,10 +67,12 @@
       contents: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
 
       - name: Download all build artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           pattern: python-*
           path: release-artifacts
@@ -75,10 +81,12 @@
       - name: Add runtime manifest (with release date) to the release
         # Publish the same manifest.json that drove this build, with the release
         # date injected, so consumers can fetch a consistent version set by date.
-        run: jq '.release = "${{ inputs.release_date }}"' manifest.json > release-artifacts/manifest.json
+        env:
+          INPUTS_RELEASE_DATE: ${{ inputs.release_date }}
+        run: jq --arg date "$INPUTS_RELEASE_DATE" '.release = $date' manifest.json > release-artifacts/manifest.json
 
       - name: Publish all artifacts to release
-        uses: softprops/action-gh-release@v3
+        uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1
         with:
           tag_name: ${{ inputs.release_date }}
           name: ${{ inputs.release_date }}

.github/workflows/zizmor.yml

@@ -0,0 +1,28 @@
+name: zizmor - GitHub Actions Security Analysis
+
+on:
+  push:
+  pull_request:
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+        with:
+          # Fork PRs get a read-only token (no security-events: write), so the
+          # SARIF upload would fail. Skip it for forks — they still get inline
+          # annotations; pushes and same-repo PRs upload to code scanning.
+          advanced-security: ${{ github.event.pull_request.head.repo.fork != true }}