diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml
index 5050c9b..efe92fd 100644
--- a/.github/workflows/bc.yml
+++ b/.github/workflows/bc.yml
@@ -22,6 +22,9 @@ on:
 name: backwards compatibility
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml
index af61e72..e21128f 100644
--- a/.github/workflows/composer-require-checker.yml
+++ b/.github/workflows/composer-require-checker.yml
@@ -24,6 +24,9 @@ on:
 name: Composer require checker
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/mariadb.yml b/.github/workflows/mariadb.yml
index 967db50..325bfd0 100644
--- a/.github/workflows/mariadb.yml
+++ b/.github/workflows/mariadb.yml
@@ -22,6 +22,9 @@ on:
 name: mariadb
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
@@ -67,7 +70,7 @@ jobs:
 services:
 mysql:
- image: mariadb:${{ matrix.mariadb }}
+ image: mariadb:${{ matrix.mariadb }} # zizmor: ignore[unpinned-images]
 env:
 MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: true
 MARIADB_ROOT_PASSWORD: ''
@@ -78,10 +81,12 @@ jobs:
 steps:
 - name: Checkout.
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ with:
+ persist-credentials: false
 - name: Install PHP with extensions.
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45
 with:
 php-version: ${{ matrix.php }}
 extensions: ${{ env.extensions }}
@@ -91,7 +96,7 @@ jobs:
 - name: Update composer.
 run: composer self-update
- - uses: "ramsey/composer-install@v3"
+ - uses: "ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f"
 with:
 composer-options: "--prefer-dist --no-interaction --no-progress --ansi"
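Review bot: The `# zizmor: ignore[unpinned-images]` added to the mariadb service image records no reason, so the next reader cannot tell whether digest pinning was judged impractical for a matrix-driven tag or simply skipped; the same bare suppression is added in mssql.yml, mutation.yml, mysql.yml, oracle.yml and pgsql.yml. A tag like `mariadb:${{ matrix.mariadb }}` is mutable, so the suppression accepts the supply-chain risk rather than removing it, and the fixed `postgres:18` in mutation.yml could be digest-pinned instead of suppressed. Extend each suppression with its rationale, e.g. `# zizmor: ignore[unpinned-images] -- tag comes from the matrix; per-version digests not maintained`, and drop the suppression where a fixed tag can be pinned by digest.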
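Review bot: The SHA pins introduced in the Checkout, setup-php and composer-install steps carry no version trailer, so `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744` no longer tells a reader which release it is; the conventional `# vX.Y.Z` comment after the SHA is what keeps a pin readable and is what Dependabot and Renovate rewrite when they bump it. The same applies to every pinned `uses:` in this change (mssql.yml, mutation.yml, mysql.yml, oracle.yml, pgsql.yml, sqlite.yml, static.yml, and the codecov steps). Note also that the checkout pins differ per file (`f43a0e5…` here, `93cb6efe…` in mssql.yml, `ee0669bd…` in sqlite.yml), presumably the commits behind the previous v3, v5 and v2 tags, so the change freezes three different majors of the same action rather than aligning them. Append the resolved tag to each pin, e.g. `uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # <resolved-tag-placeholder>`, and consider aligning the checkout version across workflows in a follow-up.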
@@ -103,7 +108,7 @@ jobs:
 - name: Upload coverage to Codecov.
 if: matrix.php == '8.5'
- uses: codecov/codecov-action@v3
+ uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: ./coverage.xml
diff --git a/.github/workflows/mssql.yml b/.github/workflows/mssql.yml
index c5dd576..b44ba33 100644
--- a/.github/workflows/mssql.yml
+++ b/.github/workflows/mssql.yml
@@ -22,6 +22,9 @@ on:
 name: mssql
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
@@ -69,7 +72,7 @@ jobs:
 services:
 mssql:
- image: mcr.microsoft.com/mssql/server:${{ matrix.mssql.server }}
+ image: mcr.microsoft.com/mssql/server:${{ matrix.mssql.server }} # zizmor: ignore[unpinned-images]
 env:
 MSSQL_SA_PASSWORD: YourStrong!Passw0rd
 ACCEPT_EULA: Y
@@ -80,7 +83,9 @@ jobs:
 steps:
 - name: Checkout.
- uses: actions/checkout@v5
+ uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
+ with:
+ persist-credentials: false
 - name: Install ODBC driver.
 run: |
@@ -91,7 +96,7 @@ jobs:
 run: docker exec -i mssql /opt/mssql-tools${{ matrix.mssql.odbc-version }}/bin/sqlcmd ${{ matrix.mssql.flag }} -S localhost -U SA -P 'YourStrong!Passw0rd' -Q 'CREATE DATABASE yiitest'
 - name: Install PHP with extensions.
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45
 with:
 php-version: ${{ matrix.php }}
 extensions: ${{ env.extensions }}
@@ -102,7 +107,7 @@ jobs:
 - name: Update composer.
 run: composer self-update
- - uses: "ramsey/composer-install@v3"
+ - uses: "ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f"
 with:
 composer-options: "--prefer-dist --no-interaction --no-progress --ansi"
@@ -114,7 +119,7 @@ jobs:
 - name: Upload coverage to Codecov.
 if: matrix.php == '8.4'
- uses: codecov/codecov-action@v3
+ uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: ./coverage.xml
diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml
index 2f5a288..43c66a9 100644
--- a/.github/workflows/mutation.yml
+++ b/.github/workflows/mutation.yml
@@ -20,6 +20,9 @@ on:
 name: mutation test
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
@@ -43,7 +46,7 @@ jobs:
 services:
 postgres:
- image: postgres:18
+ image: postgres:18 # zizmor: ignore[unpinned-images]
 env:
 POSTGRES_USER: root
 POSTGRES_PASSWORD: root
@@ -54,10 +57,12 @@ jobs:
 steps:
 - name: Checkout.
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ with:
+ persist-credentials: false
 - name: Install PHP with extensions.
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45
 with:
 php-version: "${{ matrix.php }}"
 extensions: ${{ env.extensions }}
@@ -68,7 +73,7 @@ jobs:
 - name: Update composer.
 run: composer self-update
- - uses: "ramsey/composer-install@v3"
+ - uses: "ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f"
 with:
 composer-options: "--prefer-dist --no-interaction --no-progress --ansi"
diff --git a/.github/workflows/mysql.yml b/.github/workflows/mysql.yml
index 901ca89..a0acc7e 100644
--- a/.github/workflows/mysql.yml
+++ b/.github/workflows/mysql.yml
@@ -22,6 +22,9 @@ on:
 name: mysql
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
@@ -59,7 +62,7 @@ jobs:
 services:
 mysql:
- image: mysql:${{ matrix.mysql }}
+ image: mysql:${{ matrix.mysql }} # zizmor: ignore[unpinned-images]
 env:
 MYSQL_ALLOW_EMPTY_PASSWORD: true
 MYSQL_PASSWORD: ''
@@ -70,10 +73,12 @@ jobs:
 steps:
 - name: Checkout.
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ with:
+ persist-credentials: false
 - name: Install PHP with extensions.
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45
 with:
 php-version: ${{ matrix.php }}
 extensions: ${{ env.extensions }}
@@ -83,7 +88,7 @@ jobs:
 - name: Update composer.
 run: composer self-update
- - uses: "ramsey/composer-install@v3"
+ - uses: "ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f"
 with:
 composer-options: "--prefer-dist --no-interaction --no-progress --ansi"
@@ -95,7 +100,7 @@ jobs:
 - name: Upload coverage to Codecov.
 if: matrix.php == '8.4'
- uses: codecov/codecov-action@v3
+ uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: ./coverage.xml
diff --git a/.github/workflows/oracle.yml b/.github/workflows/oracle.yml
index 95bc90d..c704010 100644
--- a/.github/workflows/oracle.yml
+++ b/.github/workflows/oracle.yml
@@ -22,6 +22,9 @@ on:
 name: oracle
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
@@ -57,7 +60,7 @@ jobs:
 services:
 oci:
- image: gvenzl/oracle-xe:${{ matrix.oracle }}
+ image: gvenzl/oracle-xe:${{ matrix.oracle }} # zizmor: ignore[unpinned-images]
 ports:
 - 1521:1521
 env:
@@ -72,10 +75,12 @@ jobs:
 steps:
 - name: Checkout.
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ with:
+ persist-credentials: false
 - name: Install PHP with extensions.
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45
 with:
 php-version: ${{ matrix.php }}
 extensions: ${{ env.extensions }}
@@ -86,7 +91,7 @@ jobs:
 - name: Update composer.
 run: composer self-update
- - uses: "ramsey/composer-install@v3"
+ - uses: "ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f"
 with:
 composer-options: "--prefer-dist --no-interaction --no-progress --ansi"
@@ -98,7 +103,7 @@ jobs:
 - name: Upload coverage to Codecov.
 if: matrix.php == '8.4'
- uses: codecov/codecov-action@v3
+ uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: ./coverage.xml
diff --git a/.github/workflows/pgsql.yml b/.github/workflows/pgsql.yml
index 21fb005..79dde4f 100644
--- a/.github/workflows/pgsql.yml
+++ b/.github/workflows/pgsql.yml
@@ -22,6 +22,9 @@ on:
 name: pgsql
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
@@ -66,7 +69,7 @@ jobs:
 services:
 postgres:
- image: postgres:${{ matrix.pgsql }}
+ image: postgres:${{ matrix.pgsql }} # zizmor: ignore[unpinned-images]
 env:
 POSTGRES_USER: root
 POSTGRES_PASSWORD: root
@@ -77,10 +80,12 @@ jobs:
 steps:
 - name: Checkout.
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ with:
+ persist-credentials: false
 - name: Install PHP with extensions.
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45
 with:
 php-version: ${{ matrix.php }}
 extensions: ${{ env.extensions }}
@@ -91,7 +96,7 @@ jobs:
 - name: Update composer.
 run: composer self-update
- - uses: "ramsey/composer-install@v3"
+ - uses: "ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f"
 with:
 composer-options: "--prefer-dist --no-interaction --no-progress --ansi"
@@ -103,7 +108,7 @@ jobs:
 - name: Upload coverage to Codecov.
 if: matrix.php == '8.5'
- uses: codecov/codecov-action@v3
+ uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: ./coverage.xml
diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml
index 6424c2a..d4003af 100644
--- a/.github/workflows/rector-cs.yml
+++ b/.github/workflows/rector-cs.yml
@@ -1,7 +1,7 @@
 name: Rector + PHP CS Fixer
 on:
- pull_request_target:
+ pull_request:
 paths:
 - 'src/**'
 - 'tests/**'
@@ -20,8 +20,5 @@ concurrency:
 jobs:
 rector:
 uses: yiisoft/actions/.github/workflows/rector-cs.yml@master
- secrets:
- token: ${{ secrets.YIISOFT_GITHUB_TOKEN }}
 with:
- repository: ${{ github.event.pull_request.head.repo.full_name }}
 php: '8.1'
diff --git a/.github/workflows/sqlite.yml b/.github/workflows/sqlite.yml
index 1a07760..badb486 100644
--- a/.github/workflows/sqlite.yml
+++ b/.github/workflows/sqlite.yml
@@ -22,6 +22,9 @@ on:
 name: sqlite
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
@@ -51,10 +54,12 @@ jobs:
 steps:
 - name: Checkout.
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5
+ with:
+ persist-credentials: false
 - name: Install PHP with extensions.
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45
 with:
 php-version: ${{ matrix.php }}
 extensions: ${{ env.extensions }}
@@ -65,7 +70,7 @@ jobs:
 - name: Update composer.
 run: composer self-update
- - uses: "ramsey/composer-install@v3"
+ - uses: "ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f"
 with:
 composer-options: "--prefer-dist --no-interaction --no-progress --ansi"
@@ -77,7 +82,7 @@ jobs:
 - name: Upload coverage to Codecov.
 if: matrix.php == '8.5'
- uses: codecov/codecov-action@v3
+ uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: ./coverage.xml
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index d7732e2..5e186bb 100644
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
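Review bot: The switch from `pull_request_target` to `pull_request` in rector-cs.yml, together with removing the `YIISOFT_GITHUB_TOKEN` secret and the `repository` input, is a behaviour change the hunk does not document: under `pull_request` a PR from a fork runs with a read-only `GITHUB_TOKEN` and no repository secrets, so if the reusable `yiisoft/actions/.github/workflows/rector-cs.yml@master` still tries to push fixes back to the PR branch, that step will presumably fail for fork PRs rather than commit. Unlike every other workflow in this change, this file gains no top-level `permissions:` block (unless one already sits in the unseen lines 8-19), so the called workflow inherits the repository's default token permissions instead of an explicit minimum. Add `permissions: contents: read` (widened only to what the reusable workflow demonstrably needs) and a comment above `jobs:` such as `# pull_request, not pull_request_target: fork PRs get a read-only token, so rector/cs run as checks only`.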
@@ -22,6 +22,9 @@ on:
 name: static analysis
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
@@ -47,10 +50,12 @@ jobs:
 steps:
 - name: Checkout.
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ with:
+ persist-credentials: false
 - name: Install PHP with extensions.
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45
 with:
 php-version: ${{ matrix.php }}
 tools: composer:v2, cs2pr
@@ -59,7 +64,7 @@ jobs:
 - name: Update composer.
 run: composer self-update
- - uses: "ramsey/composer-install@v3"
+ - uses: "ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f"
 with:
 composer-options: "--prefer-dist --no-interaction --no-progress --ansi"
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..dce9aec
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,18 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ paths:
+ - '.github/**.yml'
+ - '.github/**.yaml'
+ pull_request:
+ paths:
+ - '.github/**.yml'
+ - '.github/**.yaml'
+
+permissions:
+ contents: read
+
+jobs:
+ zizmor:
+ uses: yiisoft/actions/.github/workflows/zizmor.yml@master
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..85ca798
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ "yiisoft/*": any
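Review bot: The new zizmor.yml grants only `contents: read` at the top level and passes nothing at the job level, and since a reusable workflow receives exactly the caller's permissions, the job will lack whatever the `yiisoft/actions` zizmor workflow needs beyond reading the repo; if that workflow uploads SARIF to code scanning (not visible here), it would need `security-events: write` and `actions: read` on the `zizmor` job. The `paths` filters also cover only `.github/**.yml` and `.github/**.yaml`, so a change to `.github/zizmor.yml` itself triggers a run but a change to the reusable workflow upstream does not, which is fine as long as it is understood. Add a comment above `jobs:` stating what the called workflow requires, e.g. `# caller permissions are inherited by the reusable workflow; widen here if it uploads SARIF`, and set an explicit `permissions:` on the job once that is confirmed.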
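Review bot: The `unpinned-uses` policy in `.github/zizmor.yml` exempts every `yiisoft/*` action from pinning with no stated reason, and an exception with no rationale tends to outlive its justification; what it currently covers is `uses: yiisoft/actions/.github/workflows/zizmor.yml@master` and the rector-cs call, both on a mutable branch ref whose content is controlled by the org rather than by this repository. Add a comment above the policy, e.g. `# same-org reusable workflows are consumed from master by convention; reconsider if yiisoft/actions gains tagged releases`, and prefer `ref-pin` over `any` as soon as tags exist so that only hash-pinning is waived.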