Lock down CI

mbabker · mbabker · commit 9fca67328471 · 2026-05-22T09:50:52.000-04:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,16 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+    labels:
+      - 'dependencies'
+      - 'CI'
+    groups:
+      actions:
+        applies-to: version-updates
+        patterns:
+          - '*'
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
@@ -2,6 +2,13 @@ name: 'Run Tests'
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -19,23 +26,24 @@ jobs:
             composer-flags: '--prefer-stable --prefer-lowest'
             can-fail: false
 
-    name: "PHP ${{ matrix.php }} - Symfony ${{ matrix.symfony }}${{ matrix.composer-flags != '' && format(' - Composer {0}', matrix.composer-flags) || '' }}"
+    name: "PHP ${{ matrix.php }} - Symfony ${{ matrix.symfony }}${{ matrix.composer-flags != '' && format(' - Composer {0}', matrix.composer-flags) || '' }}" # zizmor: ignore[template-injection]
 
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v6
+      - name: Checkout Code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
         with:
           php-version: ${{ matrix.php }}
           tools: composer:v2,flex
           extensions: curl, iconv, mbstring, zip
           coverage: none
 
       - name: Install dependencies
-        run: |
-          composer update ${{ matrix.composer-flags }} --prefer-dist --no-suggest
+        run: composer update ${{ matrix.composer-flags }} --prefer-dist --no-suggest # zizmor: ignore[template-injection]
         env:
           SYMFONY_REQUIRE: ${{ matrix.symfony }}
 
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
@@ -2,18 +2,27 @@ name: 'Static Analysis'
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   sa-phpstan:
     runs-on: ubuntu-latest
 
     name: PHPStan
 
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v6
+      - name: Checkout Code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
         with:
           php-version: '8.5'
           tools: composer:v2,flex
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,31 @@
+name: GitHub Actions Security Analysis
+
+on:
+  push:
+    branches: ['development', 'feature/nuxt', 'go-backend']
+  pull_request:
+    branches: ['**']
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        with:
+          advanced-security: false
+          annotations: true
+          persona: pedantic
