GitHub Actions: Update config

tangrufus · tangrufus · commit 87a0aee5e486 · 2026-04-30T23:59:29.000+01:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -4,4 +4,6 @@ updates:
   - package-ecosystem: github-actions
     directory: /
     schedule:
-      interval: weekly
+      interval: daily
+    cooldown:
+      default-days: 3
diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -1,3 +1,5 @@
+# Taken from https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#enabling-automerge-on-a-pull-request
+# and https://github.com/dependabot/fetch-metadata/blob/06ea45a2e4582d87b11f03c7ce596ae3261f39f6/README.md?plain=1#L133-L160
 name: Dependabot Auto-merge
 
 on:
@@ -9,14 +11,25 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true
 
-permissions: {}
+permissions:
+  contents: write
+  pull-requests: write
 
 jobs:
-  dependabot:
-    permissions:
-      contents: write
-      pull-requests: write
-    uses: typisttech/.github/.github/workflows/dependabot-auto-merge.yml@v3
-    with:
-      minor: true
-      patch: true
+  auto-merge-pull-request:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    steps:
+      - name: Dependabot metadata
+        id: dependabot-metadata
+        uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+      - if: |
+          (steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor')
+          || (steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch')
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/lint-actions.yml b/.github/workflows/lint-actions.yml
@@ -0,0 +1,28 @@
+# Taken from https://github.com/typisttech/.github/blob/8c3b859e35165a6e81a660713be195ec61d2ca1d/.github/workflows/lint-actions.yml
+name: Lint GitHub Actions
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          sparse-checkout: .github
+
+      - name: Check workflow files
+        uses: docker://rhysd/actionlint:latest
+        with:
+          args: -color
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -1,24 +1,20 @@
 name: Release Drafter
 
 on:
-  workflow_dispatch:
   push:
     branches:
       - main
+  workflow_call:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 
-permissions: {}
-
 jobs:
   release-drafter:
     runs-on: ubuntu-latest
     permissions:
       contents: write
       pull-requests: read
     steps:
-      - uses: release-drafter/release-drafter@v6
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
+      - uses: release-drafter/release-drafter@563bf132657a13ded0b01fcb723c5a58cdd824e2 # v7.2.1
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -40,7 +40,7 @@ jobs:
           - caret-7-3
           - exactly-7-3-5
           - complex
-        verify-attestation: 
+        verify-attestation:
           - false
         include:
           - runs-on: ubuntu-24.04-arm
@@ -68,8 +68,9 @@ jobs:
             case: complex
             verify-attestation: true
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
+          persist-credentials: false
           path: local-action
 
       - name: Create fake composer.json
@@ -100,8 +101,9 @@ jobs:
   outputs:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
+          persist-credentials: false
           path: local-action
 
       - uses: ./local-action
@@ -147,8 +149,9 @@ jobs:
           - missing-php
           - missing-require
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
+          persist-credentials: false
           path: local-action
 
       - name: Create fake composer.json
@@ -169,16 +172,17 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        mode: 
+        mode:
           - minor-only
           - full
         source:
           - auto
           - php.net
           - offline
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
+          persist-credentials: false
           path: local-action
 
       - name: Ensure no composer.json
diff --git a/README.md b/README.md
@@ -38,13 +38,13 @@
 See [action.yml](action.yml) and the underlying script [`typisttech/php-matrix`](https://github.com/typisttech/php-matrix/#options).
 
 ```yaml
-  - uses: typisttech/php-matrix-action@v2
+  - uses: typisttech/php-matrix-action@ee26ae37ffb37246b9a3912b71d95b661ad341b8 # v2.0.8
     with:
       # Path to composer.json
       #
       # Default: composer.json
       composer-json: some/path/to/composer.json
-      
+
       # Version format.
       #
       # Available modes:
@@ -68,9 +68,9 @@ See [action.yml](action.yml) and the underlying script [`typisttech/php-matrix`]
       source: offline
 
       # PHP Matrix version.
-      # 
+      #
       # The version of [php-matrix] to use. Leave blank for latest. For example: v1.0.2
-      # 
+      #
       # [php-matrix]: https://github.com/typisttech/php-matrix
       #
       # Default: ''
@@ -124,12 +124,13 @@ jobs:
     outputs:
       versions: ${{ steps.php-matrix.outputs.versions }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           sparse-checkout: composer.json
           sparse-checkout-cone-mode: false
+          persist-credentials: false
 
-      - uses: typisttech/php-matrix-action@v2
+      - uses: typisttech/php-matrix-action@ee26ae37ffb37246b9a3912b71d95b661ad341b8 # v2.0.8
         id: php-matrix
 
   test:
@@ -139,8 +140,10 @@ jobs:
       matrix:
         php-version: ${{ fromJSON(needs.php-matrix.outputs.versions) }}
     steps:
-      - uses: actions/checkout@v5
-      - uses: shivammathur/setup-php@v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # master
         with:
           php-version: ${{ matrix.php-version }}
       - run: composer install
@@ -161,12 +164,13 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-
-      - uses: typisttech/php-matrix-action@v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: typisttech/php-matrix-action@ee26ae37ffb37246b9a3912b71d95b661ad341b8 # v2.0.8
         id: php-matrix
 
-      - uses: shivammathur/setup-php@v2
+      - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # master
         with:
           php-version: ${{ steps.php-matrix.outputs.highest }}
 
@@ -192,12 +196,13 @@ jobs:
       highest: ${{ steps.php-matrix.outputs.highest }}
       lowest: ${{ steps.php-matrix.outputs.lowest }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           sparse-checkout: composer.json
           sparse-checkout-cone-mode: false
+          persist-credentials: false
 
-      - uses: typisttech/php-matrix-action@v2
+      - uses: typisttech/php-matrix-action@ee26ae37ffb37246b9a3912b71d95b661ad341b8 # v2.0.8
         id: php-matrix
 
   composer-audit:
@@ -215,18 +220,19 @@ jobs:
     env:
       COMPOSER_NO_AUDIT: 1
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           sparse-checkout: |
             composer.json
             composer.lock
           sparse-checkout-cone-mode: false
+          persist-credentials: false
 
-      - uses: shivammathur/setup-php@v2
+      - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # master
         with:
           php-version: ${{ matrix.php-version }}
           coverage: none
-      - uses: ramsey/composer-install@v3
+      - uses: ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda # 4.0.0
         with:
           dependency-versions: ${{ matrix.dependency-versions }}
 
