diff --git a/.github/workflows/cgl.yaml b/.github/workflows/cgl.yaml
index 52ede7aa..223aff7b 100644
--- a/.github/workflows/cgl.yaml
+++ b/.github/workflows/cgl.yaml
@@ -7,6 +7,9 @@ on: branches: - main +permissions: + contents: read + jobs: prepare: name: Prepare workflow
@@ -16,10 +19,12 @@ jobs: runs-on: ubuntu-latest needs: prepare if: needs.prepare.outputs.continue == 'true' + permissions: + security-events: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: - fetch-depth: 0 + persist-credentials: false # Prepare environment - name: Setup PHP
@@ -76,3 +81,7 @@ jobs: # Migration - name: Run Rector migration run: composer migration:rector -- --dry-run + + # Zizmor + - name: Run zizmor + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f36ac03c..3f1ca1cf 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -5,14 +5,19 @@ on: - '*' workflow_dispatch: +env: + REF_NAME: ${{ github.ref_name }} + jobs: phar: name: Compile PHAR runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: - fetch-depth: 0 + persist-credentials: false # Prepare environment - name: Setup PHP
@@ -28,6 +33,7 @@ jobs: uses: ramsey/composer-install@5c2bcf28d7b060ef3c601d7b476d5430a7b46c27 #v4 with: composer-options: "--no-dev" + ignore-cache: true - name: Compile PHAR run: ./tools/box compile --with-docker 
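Review bot: The new `uses: zizmorcore/zizmor-action` step is appended to the `cgl` job, so the `security-events: write` scope granted to that job is also held by every earlier step in it (Composer scripts, the Rector dry run), and the audit only runs when the prepare gate `needs.prepare.outputs.continue == 'true'` passes and after a full PHP/Composer setup it does not need. A dedicated job keeps the write scope confined to the one step that uploads SARIF and lets workflow-file edits be audited independently of the prepare gate (the prepare job's logic is outside this hunk, so whether it can skip such edits is inferred). The `security-events: write` on the cgl job would then come out.
```yaml
  zizmor:
    name: Audit workflows
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - name: Run zizmor
        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
```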
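Review bot: The added `ignore-cache: true` on the composer-install step carries no explanation and reads like an accidental build slowdown to anyone unaware of why a release workflow should not restore caches; presumably it (and the `package-manager-cache: false` in the Pages job) is there because a tampered cache entry could feed altered dependencies into the PHAR that gets signed and published. A one-line comment keeps it from being reverted: `# Never restore a dependency cache in a release build: a poisoned cache would end up inside the published PHAR.` The phar job continues beyond this hunk.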
@@ -54,16 +60,19 @@ jobs: name: Docker deploy runs-on: ubuntu-latest needs: phar + permissions: + contents: read + packages: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: - fetch-depth: 0 + persist-credentials: false # Check if tag is valid - name: Check tag if: ${{ github.event_name != 'workflow_dispatch' }} run: | - if ! [[ ${{ github.ref }} =~ ^refs/tags/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$ ]]; then + if ! [[ "$REF_NAME" =~ ^\d+\.\d+\.\d+$ ]]; then exit 1 fi
@@ -86,7 +95,7 @@ jobs: tags: | type=raw,value=latest,enable=${{ github.event_name != 'workflow_dispatch' }} type=semver,pattern={{version}} - type=raw,value=${{ github.ref_name }},enable=${{ github.event_name == 'workflow_dispatch' }} + type=raw,value=${{ env.REF_NAME }},enable=${{ github.event_name == 'workflow_dispatch' }} # Prepare build - name: Set up QEMU
@@ -126,8 +135,6 @@ jobs: environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} - - # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages permissions: contents: read pages: write
@@ -141,14 +148,14 @@ steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: - fetch-depth: 0 + persist-credentials: false # Prepare environment - name: Setup Node uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 - cache: npm + package-manager-cache: false - name: Setup PHP uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2 with: 
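Review bot: The rewritten `Check tag` test in the Docker deploy job can never succeed: bash's `[[ =~ ]]` compiles the right-hand side as a POSIX ERE, where `\d` is not a digit class (glibc's regcomp treats `\d` as a literal `d`), so every tag push now hits `exit 1` before the image is built. Moving the value into `"$REF_NAME"` is the right injection fix; only the pattern needs the explicit class back: `if ! [[ "$REF_NAME" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then`. The same pattern appears in the GitHub release job, so keeping the two identical (or sharing it via a workflow-level `env` value used as `[[ "$REF_NAME" =~ $TAG_RE ]]`) avoids them drifting apart.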
@@ -201,15 +208,17 @@ jobs: if: ${{ github.event_name != 'workflow_dispatch' }} runs-on: ubuntu-latest needs: phar + permissions: + contents: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: - fetch-depth: 0 + persist-credentials: false # Check if tag is valid - name: Check tag run: | - if ! [[ ${{ github.ref }} =~ ^refs/tags/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$ ]]; then + if ! [[ "${REF_NAME}" =~ ^\d+\.\d+\.\d+$ ]]; then exit 1 fi
@@ -223,7 +232,6 @@ jobs: # Create release - name: Create release - uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1 - with: - generateReleaseNotes: true - artifacts: .build/cache-warmup.phar,.build/cache-warmup.phar.asc + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: gh release create "${REF_NAME}" --generate-notes .build/cache-warmup.phar .build/cache-warmup.phar.asc
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index e33d52ae..95710286 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -7,6 +7,9 @@ on: branches: - main +permissions: + contents: read + jobs: prepare: name: Prepare workflow
@@ -33,7 +36,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: - fetch-depth: 0 + persist-credentials: false # Prepare environment - name: Setup PHP
@@ -62,7 +65,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: - fetch-depth: 0 + persist-credentials: false # Prepare environment - name: Setup PHP
@@ -101,7 +104,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: - fetch-depth: 0 + persist-credentials: false # Download artifact - name: Download coverage artifact
@@ -124,7 +127,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: - fetch-depth: 0 + persist-credentials: false # Prepare environment - name: Setup PHP
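Review bot: The `Check tag` step of the GitHub release job rejects every valid tag: under bash `[[ =~ ]]` the pattern `^\d+\.\d+\.\d+$` is a POSIX ERE, and `\d` matches a literal `d` rather than a digit there, so `1.2.3` fails the test and the job exits 1 on each release. Restore the bracket class while keeping the env-var form that removed the template injection: `if ! [[ "${REF_NAME}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then`. This job is skipped on workflow_dispatch, so the broken check is only reached on the tag-push path, which is exactly the path that publishes.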
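Review bot: The new `gh release create "${REF_NAME}" ...` line will create the tag from the default branch if `${REF_NAME}` does not already exist on the remote; on the tag-push trigger it always does, but adding `--verify-tag` makes the step fail loudly instead of silently minting a tag if the job is ever reached another way: `run: gh release create "${REF_NAME}" --verify-tag --generate-notes .build/cache-warmup.phar .build/cache-warmup.phar.asc`. Passing `REF_NAME` as an environment variable rather than interpolating it into the script is the right call here. The signing step that produces the `.asc` is outside this hunk.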