From d92a98e63b29d5867ccb2fa25bd3475dd688bee4 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 00:29:38 +0300 Subject: [PATCH 1/9] Harden GitHub workflows --- .github/workflows/bc.yml | 5 ++++- .github/workflows/composer-require-checker.yml | 5 ++++- .github/workflows/mariadb.yml | 13 +++++++++---- .github/workflows/mssql.yml | 13 +++++++++---- .github/workflows/mutation.yml | 11 ++++++++--- .github/workflows/mysql.yml | 13 +++++++++---- .github/workflows/oracle.yml | 13 +++++++++---- .github/workflows/pgsql.yml | 13 +++++++++---- .github/workflows/rector-cs.yml | 4 ++-- .github/workflows/sqlite.yml | 13 +++++++++---- .github/workflows/static.yml | 11 ++++++++--- 11 files changed, 80 insertions(+), 34 deletions(-) diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml index 5050c9b..3ced34b 100644 --- a/.github/workflows/bc.yml +++ b/.github/workflows/bc.yml @@ -22,13 +22,16 @@ on: name: backwards compatibility +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: roave_bc_check: - uses: yiisoft/actions/.github/workflows/bc.yml@master + uses: yiisoft/actions/.github/workflows/bc.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml index af61e72..2afbe38 100644 --- a/.github/workflows/composer-require-checker.yml +++ b/.github/workflows/composer-require-checker.yml @@ -24,13 +24,16 @@ on: name: Composer require checker +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: composer-require-checker: - uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master + uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 with: os: >- ['ubuntu-latest'] 
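Review bot: The new hash pins carry no trailing version comment, so a reviewer cannot tell which release `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744` or `codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457` corresponds to without resolving each SHA by hand; the zizmor workflow added later in this series uses the `# vX.Y.Z` form, which is also what dependency-update tooling keeps in step with the hash. Write each pin as `uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # <resolved tag>` and do the same for the setup-php, composer-install and codecov pins in the mariadb, mssql, mutation, mysql, oracle, pgsql, sqlite and static hunks. The checkout pins also differ per workflow because each was resolved from whatever tag that file previously used (`@v3` in most, `@v5` in mssql, `@v2` in sqlite), so sqlite stays on the oldest major line; aligning every workflow on one current checkout release belongs in the same pass as the pinning.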
diff --git a/.github/workflows/mariadb.yml b/.github/workflows/mariadb.yml index 967db50..6d06414 100644 --- a/.github/workflows/mariadb.yml +++ b/.github/workflows/mariadb.yml @@ -22,6 +22,9 @@ on: name: mariadb +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -78,10 +81,12 @@ jobs: steps: - name: Checkout. - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + with: + persist-credentials: false - name: Install PHP with extensions. - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 with: php-version: ${{ matrix.php }} extensions: ${{ env.extensions }} @@ -91,7 +96,7 @@ jobs: - name: Update composer. run: composer self-update - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f" with: composer-options: "--prefer-dist --no-interaction --no-progress --ansi" @@ -103,7 +108,7 @@ jobs: - name: Upload coverage to Codecov. if: matrix.php == '8.5' - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 with: token: ${{ secrets.CODECOV_TOKEN }} files: ./coverage.xml diff --git a/.github/workflows/mssql.yml b/.github/workflows/mssql.yml index c5dd576..25256ae 100644 --- a/.github/workflows/mssql.yml +++ b/.github/workflows/mssql.yml @@ -22,6 +22,9 @@ on: name: mssql +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -80,7 +83,9 @@ jobs: steps: - name: Checkout. - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd + with: + persist-credentials: false - name: Install ODBC driver. run: | 
@@ -91,7 +96,7 @@ jobs: run: docker exec -i mssql /opt/mssql-tools${{ matrix.mssql.odbc-version }}/bin/sqlcmd ${{ matrix.mssql.flag }} -S localhost -U SA -P 'YourStrong!Passw0rd' -Q 'CREATE DATABASE yiitest' - name: Install PHP with extensions. - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 with: php-version: ${{ matrix.php }} extensions: ${{ env.extensions }} @@ -102,7 +107,7 @@ jobs: - name: Update composer. run: composer self-update - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f" with: composer-options: "--prefer-dist --no-interaction --no-progress --ansi" @@ -114,7 +119,7 @@ jobs: - name: Upload coverage to Codecov. if: matrix.php == '8.4' - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 with: token: ${{ secrets.CODECOV_TOKEN }} files: ./coverage.xml diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml index 2f5a288..585b0ae 100644 --- a/.github/workflows/mutation.yml +++ b/.github/workflows/mutation.yml @@ -20,6 +20,9 @@ on: name: mutation test +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -54,10 +57,12 @@ jobs: steps: - name: Checkout. - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + with: + persist-credentials: false - name: Install PHP with extensions. - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 with: php-version: "${{ matrix.php }}" extensions: ${{ env.extensions }} @@ -68,7 +73,7 @@ jobs: - name: Update composer. run: composer self-update - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f" with: composer-options: "--prefer-dist --no-interaction --no-progress --ansi" 
diff --git a/.github/workflows/mysql.yml b/.github/workflows/mysql.yml index 901ca89..75e2aad 100644 --- a/.github/workflows/mysql.yml +++ b/.github/workflows/mysql.yml @@ -22,6 +22,9 @@ on: name: mysql +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -70,10 +73,12 @@ jobs: steps: - name: Checkout. - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + with: + persist-credentials: false - name: Install PHP with extensions. - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 with: php-version: ${{ matrix.php }} extensions: ${{ env.extensions }} @@ -83,7 +88,7 @@ jobs: - name: Update composer. run: composer self-update - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f" with: composer-options: "--prefer-dist --no-interaction --no-progress --ansi" @@ -95,7 +100,7 @@ jobs: - name: Upload coverage to Codecov. if: matrix.php == '8.4' - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 with: token: ${{ secrets.CODECOV_TOKEN }} files: ./coverage.xml diff --git a/.github/workflows/oracle.yml b/.github/workflows/oracle.yml index 95bc90d..1f2b110 100644 --- a/.github/workflows/oracle.yml +++ b/.github/workflows/oracle.yml @@ -22,6 +22,9 @@ on: name: oracle +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -72,10 +75,12 @@ jobs: steps: - name: Checkout. - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + with: + persist-credentials: false - name: Install PHP with extensions. - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 with: php-version: ${{ matrix.php }} extensions: ${{ env.extensions }} 
@@ -86,7 +91,7 @@ jobs: - name: Update composer. run: composer self-update - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f" with: composer-options: "--prefer-dist --no-interaction --no-progress --ansi" @@ -98,7 +103,7 @@ jobs: - name: Upload coverage to Codecov. if: matrix.php == '8.4' - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 with: token: ${{ secrets.CODECOV_TOKEN }} files: ./coverage.xml diff --git a/.github/workflows/pgsql.yml b/.github/workflows/pgsql.yml index 21fb005..193505e 100644 --- a/.github/workflows/pgsql.yml +++ b/.github/workflows/pgsql.yml @@ -22,6 +22,9 @@ on: name: pgsql +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -77,10 +80,12 @@ jobs: steps: - name: Checkout. - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + with: + persist-credentials: false - name: Install PHP with extensions. - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 with: php-version: ${{ matrix.php }} extensions: ${{ env.extensions }} @@ -91,7 +96,7 @@ jobs: - name: Update composer. run: composer self-update - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f" with: composer-options: "--prefer-dist --no-interaction --no-progress --ansi" @@ -103,7 +108,7 @@ jobs: - name: Upload coverage to Codecov. if: matrix.php == '8.5' - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 with: token: ${{ secrets.CODECOV_TOKEN }} files: ./coverage.xml diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml index 6424c2a..0ba021f 100644 --- a/.github/workflows/rector-cs.yml +++ b/.github/workflows/rector-cs.yml 
@@ -1,7 +1,7 @@ name: Rector + PHP CS Fixer on: - pull_request_target: + pull_request: paths: - 'src/**' - 'tests/**' @@ -19,7 +19,7 @@ concurrency: jobs: rector: - uses: yiisoft/actions/.github/workflows/rector-cs.yml@master + uses: yiisoft/actions/.github/workflows/rector-cs.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 secrets: token: ${{ secrets.YIISOFT_GITHUB_TOKEN }} with: diff --git a/.github/workflows/sqlite.yml b/.github/workflows/sqlite.yml index 1a07760..badb486 100644 --- a/.github/workflows/sqlite.yml +++ b/.github/workflows/sqlite.yml @@ -22,6 +22,9 @@ on: name: sqlite +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -51,10 +54,12 @@ jobs: steps: - name: Checkout. - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 + with: + persist-credentials: false - name: Install PHP with extensions. - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 with: php-version: ${{ matrix.php }} extensions: ${{ env.extensions }} @@ -65,7 +70,7 @@ jobs: - name: Update composer. run: composer self-update - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f" with: composer-options: "--prefer-dist --no-interaction --no-progress --ansi" @@ -77,7 +82,7 @@ jobs: - name: Upload coverage to Codecov. if: matrix.php == '8.5' - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 with: token: ${{ secrets.CODECOV_TOKEN }} files: ./coverage.xml diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index d7732e2..5e186bb 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -22,6 +22,9 @@ on: name: static analysis +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true 
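Review bot: The switch from `pull_request_target` to `pull_request` is the substantive hardening in the rector-cs hunk, but nothing in the file records why, and the `secrets: token: ${{ secrets.YIISOFT_GITHUB_TOKEN }}` block still visible as context in the second hunk is what made the old trigger risky (a privileged token available while PR-controlled code runs). Add a comment above the trigger such as `# pull_request, not pull_request_target: PR code must never run with a privileged token` so the next maintainer does not reintroduce the old trigger to get auto-pushed fixes onto fork branches. The `on:` block continues past the end of this hunk.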
@@ -47,10 +50,12 @@ jobs: steps: - name: Checkout. - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + with: + persist-credentials: false - name: Install PHP with extensions. - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 with: php-version: ${{ matrix.php }} tools: composer:v2, cs2pr @@ -59,7 +64,7 @@ jobs: - name: Update composer. run: composer self-update - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f" with: composer-options: "--prefer-dist --no-interaction --no-progress --ansi" From c94f79f809dfbf67819a2dbf95b53fca739ac315 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 12:44:02 +0300 Subject: [PATCH 2/9] Remove Rector pull_request_target inputs --- .github/workflows/rector-cs.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml index 0ba021f..7f02bf0 100644 --- a/.github/workflows/rector-cs.yml +++ b/.github/workflows/rector-cs.yml @@ -20,8 +20,5 @@ concurrency: jobs: rector: uses: yiisoft/actions/.github/workflows/rector-cs.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 - secrets: - token: ${{ secrets.YIISOFT_GITHUB_TOKEN }} with: - repository: ${{ github.event.pull_request.head.repo.full_name }} php: '8.1' From 825caa1e0d32915723171a588fe2f200f96803ab Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sat, 20 Jun 2026 11:41:15 +0300 Subject: [PATCH 3/9] Use master for yiisoft actions --- .github/workflows/bc.yml | 2 +- .github/workflows/composer-require-checker.yml | 2 +- .github/workflows/rector-cs.yml | 2 +- .github/zizmor.yml | 5 +++++ 4 files changed, 8 insertions(+), 3 deletions(-) create mode 100644 .github/zizmor.yml diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml index 3ced34b..efe92fd 100644 --- a/.github/workflows/bc.yml +++ b/.github/workflows/bc.yml 
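Review bot: Removing the `secrets:` and `repository:` inputs in the rector-cs hunk of 2/9 changes the contract with the reusable workflow at `yiisoft/actions/.github/workflows/rector-cs.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2`; if that workflow declares `token` as a required secret or `repository` as an input without a default, the caller fails at workflow parse time, and this diff cannot show which it is. Confirm against the called workflow at that ref before merging, and leave a one-line comment above `with:` such as `# No token/repository inputs: runs read-only on the PR merge ref under pull_request` so the omission reads as deliberate rather than accidental.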
@@ -31,7 +31,7 @@ concurrency: jobs: roave_bc_check: - uses: yiisoft/actions/.github/workflows/bc.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 + uses: yiisoft/actions/.github/workflows/bc.yml@master with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml index 2afbe38..e21128f 100644 --- a/.github/workflows/composer-require-checker.yml +++ b/.github/workflows/composer-require-checker.yml @@ -33,7 +33,7 @@ concurrency: jobs: composer-require-checker: - uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 + uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml index 7f02bf0..d4003af 100644 --- a/.github/workflows/rector-cs.yml +++ b/.github/workflows/rector-cs.yml @@ -19,6 +19,6 @@ concurrency: jobs: rector: - uses: yiisoft/actions/.github/workflows/rector-cs.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 + uses: yiisoft/actions/.github/workflows/rector-cs.yml@master with: php: '8.1' diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..85ca798 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,5 @@ +rules: + unpinned-uses: + config: + policies: + "yiisoft/*": any From 6f12c080bfde90c0d2031f1f88bbd7e11cda78f8 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sun, 21 Jun 2026 15:12:23 +0300 Subject: [PATCH 4/9] Remove redundant zizmor config --- .github/zizmor.yml | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml deleted file mode 100644 index 85ca798..0000000 --- a/.github/zizmor.yml +++ /dev/null @@ -1,5 +0,0 @@ -rules: - unpinned-uses: - config: - policies: - "yiisoft/*": any From 7003ffb8790223959addb2be26ef81a24df0a5a0 Mon Sep 17 00:00:00 2001 
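Review bot: Moving the three yiisoft/actions calls back to `@master` reopens the mutable-ref exposure that 1/9 closed — whatever lands on that branch, intended or not, executes in every consuming repository on its next run — and the new `.github/zizmor.yml` policy `"yiisoft/*": any` only silences the linter's finding rather than compensating for it. If same-org reusable workflows are meant to track a branch, record the trust assumption next to the policy, e.g. `# Same-org reusable workflows track master on purpose; relies on branch protection in yiisoft/actions`, because a reader of the policy alone cannot tell a deliberate decision from a shortcut. The same file is recreated verbatim in 6/9 and `zizmor.yml@master` appears in 7/9 and 9/9, where this note applies equally.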
From: Alexander Makarov Date: Fri, 19 Jun 2026 02:34:00 +0300 Subject: [PATCH 5/9] Add zizmorify workflow --- .github/workflows/zizmor.yml | 37 ++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..e9b7e06 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,37 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: + - main + paths: + - '.github/**.yml' + - '.github/**.yaml' + pull_request: + paths: + - '.github/**.yml' + - '.github/**.yaml' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + zizmor: + name: Run zizmor 🌈 + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + advanced-security: false + annotations: true + persona: 'pedantic' From 1d442ddd90986dadde10422311f815f7ade27d91 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sat, 20 Jun 2026 11:41:19 +0300 Subject: [PATCH 6/9] Use master for yiisoft actions --- .github/zizmor.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..85ca798 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,5 @@ +rules: + unpinned-uses: + config: + policies: + "yiisoft/*": any From 540f3f0f2f1eef275590c2082e9f046aa7fd5169 Mon Sep 17 00:00:00 2001 
From: Alexander Makarov Date: Thu, 25 Jun 2026 00:45:53 +0300 Subject: [PATCH 7/9] Fix zizmor workflow findings --- .github/dependabot.yml | 2 ++ .github/workflows/zizmor.yml | 41 ++++++++++-------------------------- 2 files changed, 13 insertions(+), 30 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 64c8667..f84e056 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -26,3 +26,5 @@ updates: patterns: - "*" versioning-strategy: increase-if-necessary + cooldown: + default-days: 7 diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index e9b7e06..dce9aec 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -1,37 +1,18 @@ name: GitHub Actions Security Analysis with zizmor 🌈 on: - push: - branches: - - main - paths: - - '.github/**.yml' - - '.github/**.yaml' - pull_request: - paths: - - '.github/**.yml' - - '.github/**.yaml' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true + push: + paths: + - '.github/**.yml' + - '.github/**.yaml' + pull_request: + paths: + - '.github/**.yml' + - '.github/**.yaml' permissions: - contents: read + contents: read jobs: - zizmor: - name: Run zizmor 🌈 - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - - name: Run zizmor 🌈 - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 - with: - advanced-security: false - annotations: true - persona: 'pedantic' + zizmor: + uses: yiisoft/actions/.github/workflows/zizmor.yml@master From d827c4f4d33cc624d473f8d384396d3c817093d3 Mon Sep 17 00:00:00 2001 
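Review bot: The rewritten `zizmor.yml` silently drops two things the original had: the `concurrency` group with `cancel-in-progress: true` that every other workflow in this repository defines, and the `branches: - main` filter on `push`, so the scan now runs on every pushed branch as well as on pull requests. Neither is mentioned in the commit message; if both are intended, restore `concurrency` for consistency and annotate the broader trigger with a comment such as `# push on all branches: surface zizmor findings before a PR is opened`. The block also moves to 4-space indentation while the sibling workflows use 2, and 9/9 restores this exact content, so the same applies there.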
From: Alexander Makarov Date: Thu, 2 Jul 2026 23:31:46 +0300 Subject: [PATCH 8/9] Fix hardened workflow checks --- .github/workflows/mariadb.yml | 2 +- .github/workflows/mssql.yml | 2 +- .github/workflows/mutation.yml | 2 +- .github/workflows/mysql.yml | 2 +- .github/workflows/oracle.yml | 2 +- .github/workflows/pgsql.yml | 2 +- .github/workflows/zizmor.yml | 30 ++++++++++++++++++++++++++++-- 7 files changed, 34 insertions(+), 8 deletions(-) diff --git a/.github/workflows/mariadb.yml b/.github/workflows/mariadb.yml index 6d06414..325bfd0 100644 --- a/.github/workflows/mariadb.yml +++ b/.github/workflows/mariadb.yml @@ -70,7 +70,7 @@ jobs: services: mysql: - image: mariadb:${{ matrix.mariadb }} + image: mariadb:${{ matrix.mariadb }} # zizmor: ignore[unpinned-images] env: MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: true MARIADB_ROOT_PASSWORD: '' diff --git a/.github/workflows/mssql.yml b/.github/workflows/mssql.yml index 25256ae..b44ba33 100644 --- a/.github/workflows/mssql.yml +++ b/.github/workflows/mssql.yml @@ -72,7 +72,7 @@ jobs: services: mssql: - image: mcr.microsoft.com/mssql/server:${{ matrix.mssql.server }} + image: mcr.microsoft.com/mssql/server:${{ matrix.mssql.server }} # zizmor: ignore[unpinned-images] env: MSSQL_SA_PASSWORD: YourStrong!Passw0rd ACCEPT_EULA: Y diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml index 585b0ae..43c66a9 100644 --- a/.github/workflows/mutation.yml +++ b/.github/workflows/mutation.yml @@ -46,7 +46,7 @@ jobs: services: postgres: - image: postgres:18 + image: postgres:18 # zizmor: ignore[unpinned-images] env: POSTGRES_USER: root POSTGRES_PASSWORD: root diff --git a/.github/workflows/mysql.yml b/.github/workflows/mysql.yml index 75e2aad..a0acc7e 100644 --- a/.github/workflows/mysql.yml +++ b/.github/workflows/mysql.yml 
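Review bot: Each `# zizmor: ignore[unpinned-images]` pragma suppresses the finding without a recorded reason, and for `postgres:18` in mutation.yml the tag is fixed rather than matrix-driven, so it could be pinned by digest instead of ignored: `image: postgres:18@sha256:<digest of the postgres:18 image>`. For the matrix-driven images in mariadb, mssql, mysql, oracle and pgsql the suppression is reasonable, but put the rationale on a comment line above the image, e.g. `# Service image tag is supplied by the test matrix; digest pinning is not practical here`, so the exception stays auditable. The oracle and pgsql hunks on the next line carry the same pragma and the same note applies.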
@@ -62,7 +62,7 @@ jobs: services: mysql: - image: mysql:${{ matrix.mysql }} + image: mysql:${{ matrix.mysql }} # zizmor: ignore[unpinned-images] env: MYSQL_ALLOW_EMPTY_PASSWORD: true MYSQL_PASSWORD: '' diff --git a/.github/workflows/oracle.yml b/.github/workflows/oracle.yml index 1f2b110..c704010 100644 --- a/.github/workflows/oracle.yml +++ b/.github/workflows/oracle.yml @@ -60,7 +60,7 @@ jobs: services: oci: - image: gvenzl/oracle-xe:${{ matrix.oracle }} + image: gvenzl/oracle-xe:${{ matrix.oracle }} # zizmor: ignore[unpinned-images] ports: - 1521:1521 env: diff --git a/.github/workflows/pgsql.yml b/.github/workflows/pgsql.yml index 193505e..79dde4f 100644 --- a/.github/workflows/pgsql.yml +++ b/.github/workflows/pgsql.yml @@ -69,7 +69,7 @@ jobs: services: postgres: - image: postgres:${{ matrix.pgsql }} + image: postgres:${{ matrix.pgsql }} # zizmor: ignore[unpinned-images] env: POSTGRES_USER: root POSTGRES_PASSWORD: root diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index dce9aec..a038b15 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -1,4 +1,4 @@ -name: GitHub Actions Security Analysis with zizmor 🌈 +name: GitHub Actions Security Analysis with zizmor on: push: @@ -15,4 +15,30 @@ permissions: jobs: zizmor: - uses: yiisoft/actions/.github/workflows/zizmor.yml@master + name: Run zizmor + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false + + - name: Create zizmor configuration + run: | + cat > .zizmor-shared.yml <<'YAML' + rules: + unpinned-uses: + config: + policies: + "yiisoft/*": any + YAML + + - name: Run zizmor + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + advanced-security: false + annotations: true + config: .zizmor-shared.yml + inputs: .github + min-severity: high + persona: 'pedantic' 
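Review bot: `min-severity: high` and `persona: 'pedantic'` pull in opposite directions in the new `Run zizmor` step: the pedantic persona opts into the noisiest audits, then the severity floor discards every finding rated below high, so a large share of what pedantic adds likely never reaches the annotations, and whether the `unpinned-images` suppressions added elsewhere in this commit have any effect depends on that audit's severity rating, which nothing here records. State the intended threshold in a comment, e.g. `# Gate CI on high severity only; lower severities are reviewed locally`, or drop one of the two settings. The checkout here is pinned as `9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0` while the other workflows keep older, unannotated checkout pins, so this is also the natural place to align them.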
From d4a09c49d1b010e341e40b276c5a3cf58ccdc6dd Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 3 Jul 2026 00:07:55 +0300 Subject: [PATCH 9/9] Use shared zizmor workflow --- .github/dependabot.yml | 2 -- .github/workflows/zizmor.yml | 30 ++---------------------------- 2 files changed, 2 insertions(+), 30 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index f84e056..64c8667 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -26,5 +26,3 @@ updates: patterns: - "*" versioning-strategy: increase-if-necessary - cooldown: - default-days: 7 diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index a038b15..dce9aec 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -1,4 +1,4 @@ -name: GitHub Actions Security Analysis with zizmor +name: GitHub Actions Security Analysis with zizmor 🌈 on: push: @@ -15,30 +15,4 @@ permissions: jobs: zizmor: - name: Run zizmor - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - with: - persist-credentials: false - - - name: Create zizmor configuration - run: | - cat > .zizmor-shared.yml <<'YAML' - rules: - unpinned-uses: - config: - policies: - "yiisoft/*": any - YAML - - - name: Run zizmor - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 - with: - advanced-security: false - annotations: true - config: .zizmor-shared.yml - inputs: .github - min-severity: high - persona: 'pedantic' + uses: yiisoft/actions/.github/workflows/zizmor.yml@master