Merge pull request #2372 from flow-php/data-frame-mago

refactor: cover core static analysis with mago

Author: norberttech

.github/workflows/automation-changelog-release.yml

@@ -2,8 +2,11 @@ on:
   push:
     tags: [ '*' ]
 
+permissions:
+  contents: read
+
 jobs:
   automation:
-    uses: aeon-php/actions/.github/workflows/automation-changelog-release.yml@main
+    uses: aeon-php/actions/.github/workflows/automation-changelog-release.yml@ed056e3e36c7011d5c0f633471e7d888737e628a # main
     secrets:
       automation_github_token: "${{ secrets.ACCESS_TOKEN }}"

.github/workflows/automation-changelog-update.yml

@@ -3,8 +3,11 @@ on:
   push:
     branches: [ 1.x ]
 
+permissions:
+  contents: read
+
 jobs:
   automation:
-    uses: aeon-php/actions/.github/workflows/automation-changelog-update.yml@main
+    uses: aeon-php/actions/.github/workflows/automation-changelog-update.yml@ed056e3e36c7011d5c0f633471e7d888737e628a # main
     secrets:
       automation_github_token: "${{ secrets.ACCESS_TOKEN }}"

.github/workflows/automation-release-description-update.yml

@@ -2,8 +2,11 @@ on:
   release:
     types: [ created ]
 
+permissions:
+  contents: read
+
 jobs:
   automation:
-    uses: aeon-php/actions/.github/workflows/automation-release-description-update.yml@main
+    uses: aeon-php/actions/.github/workflows/automation-release-description-update.yml@ed056e3e36c7011d5c0f633471e7d888737e628a # main
     secrets:
       automation_github_token: "${{ secrets.ACCESS_TOKEN }}"

.github/workflows/baseline.yml

@@ -15,9 +15,15 @@ on:
   schedule:
     - cron: '0 3 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   build-archives:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
 
     strategy:
       fail-fast: false
@@ -29,9 +35,10 @@ jobs:
 
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@v5"
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "Setup PHP Environment"
         uses: "./.github/actions/setup-php-env"
@@ -52,20 +59,20 @@ jobs:
           ./build/flow.phar --version
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build Docker Image
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
         with:
           context: .
           file: ./Dockerfile
@@ -82,9 +89,9 @@ jobs:
         shell: bash
         run: |
           BUILD_TAG=${GITHUB_SHA:0:7}
-          echo "BUILD_TAG=$BUILD_TAG" >> $GITHUB_ENV
+          echo "BUILD_TAG=$BUILD_TAG" >> "$GITHUB_ENV"
 
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: flow-${{ env.BUILD_TAG }}.phar
           path: build/flow.phar
@@ -100,13 +107,14 @@ jobs:
 
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@v5"
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "Get Flow Version"
         id: flow_version
-        uses: "WyriHaximus/github-action-get-previous-tag@v1"
+        uses: WyriHaximus/github-action-get-previous-tag@04e8485ecb6487243907e330d522ff60f02283ce # v1
         with:
           fallback: 1.x-dev
 
@@ -146,15 +154,15 @@ jobs:
         run: "just docs-api"
 
       - name: "Setup Node.js"
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: '20'
 
       - name: "Build Pagefind index"
         run: "npx --yes pagefind@1.5.2 --site web/landing/build --output-subdir pagefind"
 
       - name: Pushes build to website repository
-        uses: cpina/github-action-push-to-another-repository@main
+        uses: cpina/github-action-push-to-another-repository@55306faa4ed53b815ae49e564af8cfb359d32ae2 # main
         env:
           API_TOKEN_GITHUB: ${{ secrets.ACCESS_TOKEN }}
         with:

.github/workflows/dependabot-auto-merge.yml

@@ -7,16 +7,16 @@ permissions:
 jobs:
   dependabot:
     runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     steps:
       - name: Dependabot metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v3
+        uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
       - name: Enable auto-merge for Dependabot PRs
         if: ${{steps.metadata.outputs.update-type == 'version-update:semver-patch'}}
         run: gh pr merge --auto --merge "$PR_URL"
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/docs.yml

@@ -16,12 +16,17 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   documentation-linter:
     runs-on: "ubuntu-latest"
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@v5"
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          persist-credentials: false
 
       - name: "Setup PHP Environment"
         uses: "./.github/actions/setup-php-env"

.github/workflows/job-arrow-extension.yml

@@ -17,7 +17,9 @@ jobs:
         php: ['8.3', '8.4', '8.5']
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          persist-credentials: false
 
       - name: Setup PHP Environment
         uses: ./.github/actions/setup-php-env
@@ -30,10 +32,12 @@ jobs:
           install-dependencies: 'false'
 
       - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
+        with:
+          toolchain: stable
 
       - name: Cache cargo registry and build
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: |
             ~/.cargo/registry
@@ -53,7 +57,7 @@ jobs:
         if: runner.os == 'macOS'
         run: |
           brew install llvm
-          echo "LIBCLANG_PATH=$(brew --prefix llvm)/lib" >> $GITHUB_ENV
+          echo "LIBCLANG_PATH=$(brew --prefix llvm)/lib" >> "$GITHUB_ENV"
 
       - name: Set LIBCLANG_PATH (Ubuntu)
         if: runner.os == 'Linux'
@@ -68,7 +72,7 @@ jobs:
             echo "Could not locate libclang.so under /usr/lib" >&2
             exit 1
           fi
-          echo "LIBCLANG_PATH=$(dirname "$LIBCLANG_SO")" >> $GITHUB_ENV
+          echo "LIBCLANG_PATH=$(dirname "$LIBCLANG_SO")" >> "$GITHUB_ENV"
           echo "Detected libclang at: $LIBCLANG_SO"
 
       - name: Build extension
@@ -95,7 +99,7 @@ jobs:
 
       - name: Upload to Codecov
         if: ${{ !cancelled() && matrix.php == '8.3' && matrix.os == 'ubuntu-latest' }}
-        uses: codecov/codecov-action@v6
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           directory: ./var/phpunit/coverage/clover
@@ -112,7 +116,9 @@ jobs:
         os: ['ubuntu-latest', 'macos-latest']
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          persist-credentials: false
 
       - name: Setup PHP Environment
         uses: ./.github/actions/setup-php-env
@@ -123,7 +129,9 @@ jobs:
           tools: 'composer:v2, phpize, php-config'
 
       - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
+        with:
+          toolchain: stable
 
       - name: Install build dependencies (Ubuntu)
         if: runner.os == 'Linux'
@@ -135,7 +143,7 @@ jobs:
         if: runner.os == 'macOS'
         run: |
           brew install autoconf automake libtool llvm
-          echo "LIBCLANG_PATH=$(brew --prefix llvm)/lib" >> $GITHUB_ENV
+          echo "LIBCLANG_PATH=$(brew --prefix llvm)/lib" >> "$GITHUB_ENV"
 
       - name: Set LIBCLANG_PATH (Ubuntu)
         if: runner.os == 'Linux'
@@ -150,7 +158,7 @@ jobs:
             echo "Could not locate libclang.so under /usr/lib" >&2
             exit 1
           fi
-          echo "LIBCLANG_PATH=$(dirname "$LIBCLANG_SO")" >> $GITHUB_ENV
+          echo "LIBCLANG_PATH=$(dirname "$LIBCLANG_SO")" >> "$GITHUB_ENV"
           echo "Detected libclang at: $LIBCLANG_SO"
 
       - name: Install PIE

.github/workflows/job-extension-tests.yml

@@ -21,7 +21,9 @@ jobs:
 
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@v5"
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          persist-credentials: false
 
       - name: "Install dependencies"
         run: |
@@ -51,8 +53,8 @@ jobs:
 
       - name: Upload to Codecov
         if: ${{ !cancelled() && matrix.php-version == '8.3' }}
-        uses: codecov/codecov-action@v6
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           directory: ./var/phpunit/coverage/clover
-          flags: extension-tests
+          flags: extension-tests

.github/workflows/job-mutation-tests.yml

@@ -16,9 +16,10 @@ jobs:
 
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@v5"
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0  # Need full history for git-diff-filter
+          persist-credentials: false
 
       - name: "Setup PHP Environment"
         uses: "./.github/actions/setup-php-env"
@@ -32,17 +33,20 @@ jobs:
         run: "mkdir -p var/infection/cache"
 
       - name: "Cache infection results"
-        uses: "actions/cache@v5"
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: "var/infection/cache"
           key: "php-${{ matrix.php-version }}-infection-cache-${{ hashFiles('infection.json', 'tools/infection/phpunit.xml', 'composer.lock') }}"
           restore-keys: |
             php-${{ matrix.php-version }}-infection-cache-
 
       - name: "Mutation Tests"
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          BASE_REF: ${{ github.base_ref }}
         run: |
-          if [ "${{ github.event_name }}" = "pull_request" ]; then
-            just test-mutation --git-diff-filter=AM --git-diff-base=origin/${{ github.base_ref }} --logger-github=false --log-verbosity=none
+          if [ "$EVENT_NAME" = "pull_request" ]; then
+            just test-mutation --git-diff-filter=AM --git-diff-base="origin/$BASE_REF" --logger-github=false --log-verbosity=none
           else
             just test-mutation --logger-github=false --log-verbosity=none
-          fi
+          fi

.github/workflows/job-pg-query-extension.yml

@@ -2,9 +2,6 @@ name: PG Query Extension
 
 on:
   workflow_call:
-    secrets:
-      CODECOV_TOKEN:
-        required: false
 
 jobs:
   build:
@@ -17,7 +14,9 @@ jobs:
         php: ['8.3', '8.4', '8.5']
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          persist-credentials: false
 
       - name: Setup PHP Environment
         uses: ./.github/actions/setup-php-env
@@ -66,7 +65,9 @@ jobs:
         os: ['ubuntu-latest', 'macos-latest']
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          persist-credentials: false
 
       - name: Setup PHP Environment
         uses: ./.github/actions/setup-php-env