diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..06a38ef --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,15 @@ +# https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference + +version: 2 +updates: + # GitHub Actions + - package-ecosystem: 'github-actions' + directory: '/' + schedule: + interval: 'weekly' + groups: + github-actions: + patterns: + - '*' + cooldown: + default-days: 7 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 48e0537..42b43b3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,7 +8,8 @@ on: jobs: tests: - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest + permissions: {} strategy: fail-fast: false @@ -39,11 +40,13 @@ jobs: SYMFONY_REQUIRE: ${{ matrix.symfony-version || '>=5.4' }} steps: - - name: "Checkout code" - uses: "actions/checkout@v2" + - name: Checkout + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 + with: + persist-credentials: false - - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + - name: Setup PHP + uses: shivammathur/setup-php@083d5237d9340d541bf95e2a6eceaf3529b85892 with: coverage: "none" php-version: "${{ matrix.php-version }}" @@ -56,7 +59,7 @@ jobs: run: composer config minimum-stability ${{ matrix.minimum-stability || 'stable' }} --ansi - name: "Composer install" - uses: "ramsey/composer-install@v2" + uses: ramsey/composer-install@26d8a556604053a9612623447203a691f406fbe6 with: dependency-versions: "${{ matrix.dependency-version }}" composer-options: "--prefer-dist --no-progress" diff --git a/.github/workflows/fabbot.yml b/.github/workflows/fabbot.yml index 340959e..4debcc8 100644 --- a/.github/workflows/fabbot.yml +++ b/.github/workflows/fabbot.yml @@ -9,7 +9,7 @@ permissions: jobs: call-fabbot: name: Fabbot - uses: symfony-tools/fabbot/.github/workflows/fabbot.yml@main + uses: symfony-tools/fabbot/.github/workflows/fabbot.yml@main # zizmor: ignore[unpinned-uses] with: package: WebpackEncoreBundle check_license: true diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index d90105b..54cdcd1 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -4,24 +4,27 @@ name: Static analysis jobs: phpstan: name: PHPStan - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest + permissions: {} steps: - - name: Checkout code - uses: actions/checkout@v2 + - name: Checkout + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 + with: + persist-credentials: false - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@083d5237d9340d541bf95e2a6eceaf3529b85892 with: php-version: 8.1 coverage: none tools: cs2pr - name: Download dependencies - uses: ramsey/composer-install@v1 + uses: ramsey/composer-install@26d8a556604053a9612623447203a691f406fbe6 - name: Install PHPStan - uses: ramsey/composer-install@v1 + uses: ramsey/composer-install@26d8a556604053a9612623447203a691f406fbe6 with: composer-options: "--working-dir=tools/phpstan" @@ -30,23 +33,27 @@ jobs: psalm: name: Psalm - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest + permissions: {} + steps: - - name: Checkout code - uses: actions/checkout@v2 + - name: Checkout + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 + with: + persist-credentials: false - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@083d5237d9340d541bf95e2a6eceaf3529b85892 with: php-version: 8.1 coverage: none tools: vimeo/psalm:4.11.2 - name: Download dependencies - uses: ramsey/composer-install@v1 + uses: ramsey/composer-install@26d8a556604053a9612623447203a691f406fbe6 - name: Install psalm - uses: ramsey/composer-install@v1 + uses: ramsey/composer-install@26d8a556604053a9612623447203a691f406fbe6 with: composer-options: "--working-dir=tools/psalm" @@ -55,18 +62,21 @@ jobs: composer-normalize: name: Composer Normalize - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest + permissions: {} steps: - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@083d5237d9340d541bf95e2a6eceaf3529b85892 with: php-version: 8.1 coverage: none tools: composer-normalize - - name: Checkout code - uses: actions/checkout@v2 + - name: Checkout + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 + with: + persist-credentials: false - name: Normalize run: composer-normalize --dry-run diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml new file mode 100644 index 0000000..b554a2a --- /dev/null +++ b/.github/workflows/zizmor.yaml @@ -0,0 +1,26 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: ['main'] + pull_request: + branches: ['**'] + +permissions: {} + +jobs: + zizmor: + name: Run zizmor 🌈 + runs-on: ubuntu-latest + permissions: + security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files. + contents: read # Only needed for private repos. Needed to clone the repo. + actions: read # Only needed for private repos. Needed for upload-sarif to read workflow run info. + steps: + - name: Checkout + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6