
Commit 6e4583a

committed
Update GitHub workflows: pin action versions, set permissions
1 parent 10772a6 commit 6e4583a

10 files changed

Lines changed: 74 additions & 42 deletions


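--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@@ -6,14 +6,19 @@ on:
 pull_request:
 branches: [ master ]
 
+permissions:
+contents: read
+
 jobs:
 phpstan:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+with:
+persist-credentials: false
 
 - name: Setup PHP
-uses: shivammathur/setup-php@v2
+uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
 with:
 php-version: '8.3'
 
@@ -25,7 +30,7 @@ jobs:
 run: |
 echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
-- uses: actions/cache@v4
+- uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ${{ steps.composer-cache.outputs.dir }}
 key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
@@ -42,10 +47,12 @@ jobs:
 code-style:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+with:
+persist-credentials: false
 
 - name: Setup PHP
-uses: shivammathur/setup-php@v2
+uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
 with:
 php-version: '8.3'
 
@@ -57,7 +64,7 @@ jobs:
 run: |
 echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
-- uses: actions/cache@v4
+- uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ${{ steps.composer-cache.outputs.dir }}
 key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}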
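Review bot: The `# v4` comment beside each new SHA pin (here and in docs.yaml, lint.yaml, test.yaml, docs-sync.yaml, docker.yaml and release.yaml) is the only thing telling a reader what the hash stands for, and the runner never checks that the hash actually belongs to that tag. Record the exact release the hash was resolved from, e.g. `# v4.<minor>.<patch>` (placeholder — use the real tag), so a reviewer can verify it and so bump tooling can rewrite hash and comment together; a `github-actions` Dependabot or Renovate entry is what keeps full-hash pins from silently freezing. Adding `persist-credentials: false` to both checkout steps is right for this file, since neither job pushes.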

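--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -9,26 +9,29 @@ on:
 description: 'Version'
 required: true
 
-permissions:
-id-token: write
-attestations: write
+permissions: {}
 
 jobs:
 build-and-push:
 runs-on: ubuntu-latest
+permissions:
+id-token: write
+attestations: write
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+with:
+persist-credentials: false
 
 - name: Setup PHP
-uses: shivammathur/setup-php@v2
+uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
 with:
 php-version: '8.4'
 
 - name: Get version
 run: |
 echo "RELEASE_VERSION=${GITHUB_REF#refs/*/v}" >> $GITHUB_ENV
 if [ -n "$VERSION" ]; then
-echo "RELEASE_VERSION=${{ inputs.version }}" >> $GITHUB_ENV
+echo "RELEASE_VERSION=$VERSION" >> $GITHUB_ENV
 fi
 env:
 VERSION: ${{ inputs.version }}
@@ -37,11 +40,11 @@ jobs:
 run: php -d phar.readonly=0 bin/build -v"$RELEASE_VERSION"
 
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@v3
+uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
 - name: Docker meta
 id: meta
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
 with:
 images: deployphp/deployer
 tags: |
@@ -54,13 +57,13 @@ jobs:
 type=ref,event=tag
 
 - name: Login to Docker Hub
-uses: docker/login-action@v3
+uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 username: deployphp
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 
 - name: Build and push
-uses: docker/build-push-action@v6
+uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
 with:
 context: .
 platforms: linux/amd64,linux/arm64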
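Review bot: `echo "RELEASE_VERSION=$VERSION" >> $GITHUB_ENV` at the end of the first hunk closes the expression-injection hole, but it still writes a caller-supplied string into `GITHUB_ENV` unchecked, so a value containing a newline appends further environment entries and any other content goes straight into `bin/build -v"$RELEASE_VERSION"`. Only users with dispatch rights reach this path, so the exposure is small, but a format check inside the `if` is cheap: `case "$VERSION" in *[!0-9A-Za-z.+-]*) echo "::error::invalid version"; exit 1;; esac`. The same line exists in release.yaml and needs the same guard. Quoting `"$GITHUB_ENV"` on both echo lines would also keep shellcheck quiet.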

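--- a/.github/workflows/docs-sync.yaml
+++ b/.github/workflows/docs-sync.yaml
@@ -4,17 +4,18 @@ on:
 push:
 branches: [ master ]
 
-permissions:
-contents: write
+permissions: {}
 
 jobs:
 docgen-and-commit:
 runs-on: ubuntu-latest
+permissions:
+contents: write
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Setup PHP
-uses: shivammathur/setup-php@v2
+uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
 with:
 php-version: '8.3'
 
@@ -23,7 +24,7 @@ jobs:
 run: |
 echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
-- uses: actions/cache@v4
+- uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ${{ steps.composer-cache.outputs.dir }}
 key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
@@ -38,7 +39,7 @@ jobs:
 run: php bin/docgen
 
 - name: Add & Commit
-uses: EndBug/add-and-commit@v9
+uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9
 with:
 default_author: github_actions
 add: 'docs'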
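Review bot: The pinned checkout in docgen-and-commit is the only one in this commit that keeps the default `persist-credentials`, presumably because the `Add & Commit` step in the last hunk pushes with the token left in `.git/config`; nothing in the file says so, and zizmor will keep reporting it on every run. Add a comment on the step, `# credentials kept on purpose: the Add & Commit step below pushes with the checkout token`, so the next hardening pass does not break the docs push. Moving `contents: write` to job scope is the right direction; keep in mind that the persisted credential carries that write scope through every step of the job, including the composer install and docgen steps that run before the commit.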

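--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -6,14 +6,19 @@ on:
 pull_request:
 branches: [ master ]
 
+permissions:
+contents: read
+
 jobs:
 docgen:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+with:
+persist-credentials: false
 
 - name: Setup PHP
-uses: shivammathur/setup-php@v2
+uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
 with:
 php-version: '8.3'
 
@@ -22,7 +27,7 @@ jobs:
 run: |
 echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
-- uses: actions/cache@v4
+- uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ${{ steps.composer-cache.outputs.dir }}
 key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}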

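--- a/.github/workflows/labeler.yaml
+++ b/.github/workflows/labeler.yaml
@@ -3,12 +3,13 @@ name: labeler
 on:
 - pull_request_target
 
+permissions: {}
+
 jobs:
 labeler:
 permissions:
 contents: read
 pull-requests: write
 runs-on: ubuntu-latest
 steps:
-- uses: actions/labeler@v6
-
+- uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6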

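--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -6,17 +6,22 @@ on:
 pull_request:
 types: [opened, synchronize, reopened, ready_for_review]
 
+permissions:
+contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
 strategy:
 matrix:
-php-versions: [ '8.2' ]
+php-versions: [ '8.3' ]
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+with:
+persist-credentials: false
 
 - name: Setup PHP
-uses: shivammathur/setup-php@v2
+uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
 with:
 php-version: ${{ matrix.php-versions }}
 tools: cs2pr, parallel-lint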
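Review bot: `php-versions: [ '8.3' ]` replacing `'8.2'` in the matrix changes which interpreter the lint job runs on, which is neither a pin nor a permission and so is not covered by the commit title. Either name it in the commit message or move it to its own commit, so a bisect on a lint regression lands on the right change. The remaining lines of the hunk match the pattern used in the other workflows.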

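--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -9,20 +9,23 @@ on:
 description: 'Version'
 required: true
 
-permissions:
-contents: write
+permissions: {}
 
 jobs:
 release:
 runs-on: ubuntu-latest
+permissions:
+contents: write
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+with:
+persist-credentials: false
 
 - name: Get version
 run: |
 echo "RELEASE_VERSION=${GITHUB_REF#refs/*/v}" >> $GITHUB_ENV
 if [ -n "$VERSION" ]; then
-echo "RELEASE_VERSION=${{ inputs.version }}" >> $GITHUB_ENV
+echo "RELEASE_VERSION=$VERSION" >> $GITHUB_ENV
 fi
 env:
 VERSION: ${{ inputs.version }}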
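Review bot: `persist-credentials: false` is now set on the release job's checkout, but the steps that actually build and publish the release are outside this hunk; if any of them runs `git push` or `git tag` against origin using the checkout token, it will start failing with an authentication error, because the job-scoped `contents: write` no longer reaches git through `.git/config`. Please confirm the remaining steps hand `GITHUB_TOKEN` to their tooling explicitly (through `env:` or an action input) rather than relying on the persisted credential, and record that in a comment on the checkout step, e.g. `# no git push in this job; the release step receives GITHUB_TOKEN explicitly`.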

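--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -4,20 +4,22 @@ on:
 - cron: "* * * * *"
 workflow_dispatch:
 
+permissions: {}
+
 jobs:
 close-issues:
 runs-on: ubuntu-latest
 permissions:
 issues: write
 steps:
-- uses: actions/stale@v9
+- uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
 with:
 days-before-issue-stale: 0
 days-before-issue-close: 0
 ignore-updates: true
 close-issue-message: |
 This issue has been automatically closed. Please, open a discussion for bug reports and feature requests.
-
+
 Read more: https://github.com/deployphp/deployer/discussions/3888
 days-before-pr-stale: -1
 days-before-pr-close: -1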

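--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [ master ]
 
+permissions:
+contents: read
+
 jobs:
 unit:
 runs-on: ubuntu-latest
@@ -16,10 +19,12 @@ jobs:
 - '8.4'
 - '8.5'
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+with:
+persist-credentials: false
 
 - name: Setup PHP
-uses: shivammathur/setup-php@v2
+uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
 with:
 php-version: ${{ matrix.php-versions }}
 extensions: mbstring, intl
@@ -33,7 +38,7 @@ jobs:
 run: |
 echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
-- uses: actions/cache@v4
+- uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ${{ steps.composer-cache.outputs.dir }}
 key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}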

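--- a/.github/workflows/zizmor.yaml
+++ b/.github/workflows/zizmor.yaml
@@ -17,14 +17,14 @@ jobs:
 actions: read
 steps:
 - name: Checkout repository
-uses: actions/checkout@v5
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 persist-credentials: false
 
 - name: Install the latest version of uv
-uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba #v6.3.1
+uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
 with:
 enable-cache: false
 
 - name: Run zizmor
-run: uvx zizmor@1.14.0 .github/workflows -v -p --min-severity=medium
+run: uvx zizmor@latest .github/workflows -v -p --min-severity=medium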
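Review bot: `run: uvx zizmor@latest ...` replaces the pinned `zizmor@1.14.0`, which un-pins the one tool this commit relies on to police pins: every run now fetches whatever version the package index serves, scan results stop being reproducible, and a bad or compromised release executes with the job's `actions: read` token before anyone has looked at it. Keep an explicit version, `run: uvx zizmor@1.14.0 .github/workflows -v -p --min-severity=medium` (or a newer exact version), and bump it deliberately. The checkout line also moves from `actions/checkout@v5` to a hash annotated `# v4`, a major-version downgrade the commit message does not mention and which looks like a bulk search-and-replace; pin the hash of the v5 release instead (placeholder: `actions/checkout@<v5-commit-sha> # v5`). The `#v6.3.1` to `# v8.0.0` move on setup-uv is a two-major jump worth a quick changelog check, though the corrected `# ` spacing on the comment is welcome.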
