Releases: packagist/conductor-github-action
1.6.0
This release is a security hardening release. It removes code-injection paths into GitHub Actions that were only reachable by users who already have permission to execute code in GitHub Actions directly.
Template expansion of the repository_dispatch event's client_payload in the GitHub Actions runner could have allowed code injection. Using these paths required triggering repository_dispatch, which requires a personal access token with repository write access. The paths are therefore only reachable for accounts that can push to the repository and could thus also modify GitHub workflow files to execute code in GitHub Actions directly.
What's Changed
- Resolved multiple code-injection paths via template expansion of github.event.client_payload fields (branch name, Composer commands, Composer auth, webhook URLs) by @glaubinix in #30
- Only composer update and composer require invocations are now accepted from the payload. Any other binary, subcommand, or shell metacharacter is rejected before it reaches the runner by @glaubinix in #30
- The webhook callback to notify Private Packagist about the run now only accepts https://packagist.com URLs by @glaubinix in #30
- Added zizmor linting for action.yml and workflow files by @glaubinix in #30
- Update ramsey/composer-install action to v3.2.1 by @renovate[bot] in #27
Full Changelog: 1.5.3...1.6.0
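A defender-side illustration of the 1.6.0 allow-list approach, added here as an example and not the action's own code: a bash validator that accepts only composer update / composer require invocations built from a conservative character set, plus a callback URL check pinned to https://packagist.com, with payload values read from environment variables instead of being expanded with ${{ }} inside a run: script. The function names, the payload field name and the permitted character sets are assumptions, not taken from the project.

```shell
#!/usr/bin/env bash
# Added example, not the action's own code: allow-list validation in the spirit of
# the 1.6.0 hardening. Payload fields are assumed to reach the step via env vars
# (env: CMD: ${{ github.event.client_payload.command }}), never by expanding
# ${{ }} inside the run: script itself, so the shell only ever sees them as data.

# Accept only "composer update ..." or "composer require ..." with arguments drawn
# from a conservative character set (an assumption; the real list is not on the page).
# Only single spaces separate words: newlines, ';', '|', '&', '$', '`', quotes and
# parentheses are absent from the class, and the regex is anchored at both ends.
validate_composer_cmd() {
  local cmd="$1"
  local re='^composer +(update|require)( +[A-Za-z0-9._/:^~@=,-]+)*$'
  [[ $cmd =~ $re ]]
}

# Validate, then execute through an argv array: no eval and no "sh -c", so each
# argument is handed to composer as one word and is never parsed by a shell.
run_composer_cmd() {
  local cmd="$1" argv
  validate_composer_cmd "$cmd" || { echo "rejected command: $cmd" >&2; return 1; }
  read -r -a argv <<<"$cmd"
  "${argv[@]}"
}

# The callback must be an https://packagist.com URL. Anchoring on the exact host
# rejects look-alikes such as packagist.com.evil.example or user@ tricks.
validate_webhook_url() {
  local url="$1"
  local re='^https://packagist\.com(/[A-Za-z0-9._~/?=&%-]*)?$'
  [[ $url =~ $re ]]
}

# Constructed sample payload values, as a repository_dispatch sender might supply.
for cmd in 'composer update --no-dev' \
           'composer require vendor/pkg:^2.0 --no-update' \
           'composer exec -- phpunit' \
           'composer update; id' \
           $'composer update\nid'; do
  if validate_composer_cmd "$cmd"; then echo "accept: $cmd"; else echo "reject: $cmd"; fi
done
for url in 'https://packagist.com/api/conductor/abc' \
           'https://packagist.com.evil.example/api' \
           'http://packagist.com/api'; do
  if validate_webhook_url "$url"; then echo "accept: $url"; else echo "reject: $url"; fi
done
```

Because the allow-list excludes every shell metacharacter, version constraints that use `|`, `<` or `>` are also rejected; widen the class deliberately, per character, if such constraints are needed.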
1.5.3
What's Changed
- Temporarily disable security blocking for initial setup by @stevenrombauts in #24
Full Changelog: 1.5.2...1.5.3
1.5.2
What's Changed
- Update webhook payload to include Conductor commit info by @stevenrombauts in #21
Full Changelog: 1.5.1...1.5.2
1.5.1
What's Changed
- Remove trailing commas from commit info by @stevenrombauts in #19
Full Changelog: 1.5.0...1.5.1
1.5.0
What's Changed
- Reorganize hook calls and send base branch head commit info back to Private Packagist by @IgorBenko in #17
Full Changelog: 1.4.0...1.5.0
1.4.0
What's Changed
- Update ramsey/composer-install action to v3.1.1 by @renovate in #14
- Increase verbosity of Composer commands in debug mode by @stevenrombauts in #15
Full Changelog: 1.3.0...1.4.0
1.3.0
What's Changed
- Update ramsey/composer-install action to v3.1.0 by @renovate in #11
- Add optional composer require step to modify the composer.json file by @glaubinix in #12
Full Changelog: 1.2.0...1.3.0
1.2.0
1.1.1
What's Changed
- Don't push branch if there are no changes by @glaubinix in #7
Full Changelog: 1.1.0...1.1.1