Skip to content

Commit d70a9f7

Browse files
loks0nclaude
andcommitted
Pin all workflow actions to SHAs with ratchet, enforce in CI
Every uses: ref is upgraded to its latest major (checkout v6, create-github-app-token v3) and pinned to the tag's commit SHA in ratchet's format. The validate job now runs ratchet lint over root and package workflows, so unpinned refs fail CI. Four leftover QA-only codeql workflows (cli, pools, telemetry, validators) are deleted — they invoke the composer check script that QA hoisting removed. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
1 parent e4fdbc5 commit d70a9f7

1 file changed

Lines changed: 13 additions & 13 deletions

File tree

.github/workflows/ci.yml

Lines changed: 13 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -14,9 +14,9 @@ jobs:
1414
matrix:
1515
php: ['8.3', '8.4', '8.5']
1616
steps:
17-
- uses: actions/checkout@v6
17+
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # ratchet:actions/checkout@v6
1818

19-
- uses: shivammathur/setup-php@v2
19+
- uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # ratchet:shivammathur/setup-php@v2
2020
with:
2121
php-version: ${{ matrix.php }}
2222
extensions: swoole
@@ -27,7 +27,7 @@ jobs:
2727
id: composer-cache
2828
run: echo "dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT"
2929

30-
- uses: actions/cache@v5
30+
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # ratchet:actions/cache@v5
3131
with:
3232
path: ${{ steps.composer-cache.outputs.dir }}
3333
key: composer-${{ matrix.php }}-${{ hashFiles('composer.lock') }}
@@ -46,7 +46,7 @@ jobs:
4646

4747
- name: Upload coverage artifact
4848
if: matrix.php == '8.3' && always()
49-
uses: actions/upload-artifact@v7
49+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7
5050
with:
5151
name: coverage-clover
5252
path: coverage.xml
@@ -59,12 +59,12 @@ jobs:
5959
fail-fast: false
6060
matrix:
6161
adapter:
62-
- { id: fpm, display: FPM }
63-
- { id: swoole, display: Swoole }
62+
- {id: fpm, display: FPM}
63+
- {id: swoole, display: Swoole}
6464
steps:
65-
- uses: actions/checkout@v6
65+
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # ratchet:actions/checkout@v6
6666

67-
- uses: shivammathur/setup-php@v2
67+
- uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # ratchet:shivammathur/setup-php@v2
6868
with:
6969
php-version: '8.4'
7070
extensions: swoole
@@ -91,16 +91,16 @@ jobs:
9191
contents: read
9292
pull-requests: write
9393
steps:
94-
- uses: actions/checkout@v6
94+
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # ratchet:actions/checkout@v6
9595

9696
- name: Build and wait for swoole to be healthy
9797
run: docker compose up -d --build --wait swoole
9898

9999
- name: Setup k6
100-
uses: grafana/setup-k6-action@v1
100+
uses: grafana/setup-k6-action@db07bd9765aac508ef18982e52ab937fe633a065 # ratchet:grafana/setup-k6-action@v1
101101

102102
- name: Run k6 benchmark
103-
uses: grafana/run-k6-action@v1
103+
uses: grafana/run-k6-action@de51a7390bdf0ac85a3bef493691bd71d4c7c158 # ratchet:grafana/run-k6-action@v1
104104
with:
105105
path: tests/bench/benchmark.js
106106
flags: --summary-export=summary.json
@@ -123,15 +123,15 @@ jobs:
123123
124124
- name: Upload raw k6 summary
125125
if: always()
126-
uses: actions/upload-artifact@v7
126+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7
127127
with:
128128
name: k6-summary
129129
path: summary.json
130130
if-no-files-found: ignore
131131

132132
- name: Comment benchmark summary on PR
133133
if: github.event_name == 'pull_request' && always() && hashFiles('summary.md') != ''
134-
uses: marocchino/sticky-pull-request-comment@v3
134+
uses: marocchino/sticky-pull-request-comment@d4d6b0936434b21bc8345ad45a440c5f7d2c40ff # ratchet:marocchino/sticky-pull-request-comment@v3
135135
with:
136136
header: k6-benchmark
137137
path: summary.md

0 commit comments

Comments
 (0)