Note: Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.
Hello! 👋 Thanks for opening this pull request! Please check out our contributing guidelines. We appreciate you taking the initiative to contribute to this project.

Contributing isn't limited to just code. We encourage you to contribute in the way that best fits your abilities, by writing tutorials, giving a demo at your local meetup, helping other users with their support questions, or revising our documentation.

Here are some useful Composer commands to get you started:

To run a single Behat test, you can use the following command:

```bash
# Run all tests in a single file
composer behat features/some-feature.feature
# Run only a specific scenario (where 123 is the line number of the "Scenario:" title)
composer behat features/some-feature.feature:123
```

You can find a list of all available Behat steps in our handbook.
Pull request overview
Pins selected GitHub Actions in key CI/CD workflows to immutable commit SHAs to improve supply-chain security and workflow reproducibility.
Changes:
- Pin `actions/checkout` to a specific commit SHA (annotated as `# v6`).
- Pin `shivammathur/setup-php` to a specific commit SHA (annotated as `# v2`).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/update-framework.yml | Pins checkout and PHP setup actions to SHAs in the framework update workflow. |
| .github/workflows/deployment.yml | Pins checkout and PHP setup actions to SHAs across build/test/deploy jobs. |
| - name: Check out source code | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | ||
|
|
||
| - name: Set up PHP environment | ||
| uses: shivammathur/setup-php@v2 | ||
| uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2 |
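Review bot: the trailing comments on both pinned `uses:` lines name only the major tag (`# v6`, `# v2`), and a major tag keeps moving to newer releases, so the comment will not tell a later reader which release the SHA was taken from. Consider recording the exact release tag the SHA belongs to in the comment, so the pin can be checked against the upstream tag and bumped deliberately.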
This workflow now pins actions/checkout and setup-php to SHAs, but other third-party actions in the same file are still referenced via mutable tags (e.g. ramsey/composer-install@v3 and repo-sync/pull-request@v2). Given the repo already pins actions to SHAs elsewhere (see .github/workflows/copilot-setup-steps.yml), consider pinning the remaining actions here as well to avoid supply-chain risk and keep the workflow consistent.
| - name: Check out source code | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | ||
|
|
||
| - name: Set up PHP environment | ||
| uses: shivammathur/setup-php@v2 | ||
| uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2 |
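Review bot: the same two SHAs are written out by hand on these `uses:` lines as well, so each future bump has to touch every copy, and a missed one leaves jobs running different commits of `actions/checkout` or `shivammathur/setup-php`. If automated updates for GitHub Actions are not already configured in the repository, consider enabling them so the SHA and its `# v6` / `# v2` comment are updated together in every workflow.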
actions/checkout and setup-php are pinned to SHAs now, but this workflow still uses other actions via mutable refs (notably ad-m/github-push-action@master, plus several @v* tags like ramsey/composer-install@v3 and actions/*-artifact@v7/v8). To reduce supply-chain risk and keep the workflow consistent with other pinned workflows in this repo, please pin these remaining actions to full commit SHAs (optionally keeping a # vX comment).
Codecov Report: ✅ All modified and coverable lines are covered by tests.
No description provided.