From 46e9740cd61278a96e4ec2da7df02e6ec0e73b30 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 00:42:47 +0300 Subject: [PATCH 01/12] Harden GitHub workflows --- .github/workflows/bechmark.yml | 18 +++++++++++++----- .github/workflows/build.yml | 6 +++++- .github/workflows/composer-require-checker.yml | 4 +++- .github/workflows/mutation.yml | 8 ++++++-- .github/workflows/rector.yml | 6 ++++-- .github/workflows/static.yml | 4 +++- 6 files changed, 34 insertions(+), 12 deletions(-) diff --git a/.github/workflows/bechmark.yml b/.github/workflows/bechmark.yml index 3e4b5fd..01ad5f2 100644 --- a/.github/workflows/bechmark.yml +++ b/.github/workflows/bechmark.yml @@ -24,6 +24,8 @@ on: name: bechmark +permissions: + contents: read jobs: phpbench: name: PHP ${{ matrix.php }} @@ -39,21 +41,26 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 + with: + persist-credentials: false - name: Check if we need to create a baseline for a PR run: | - if [[ "${{ github.event_name }}" == "pull_request" && "${{ github.ref }}" != "refs/heads/${{ github.event.repository.default_branch }}" ]]; then + if [[ "${{ github.event_name }}" == "pull_request" && "${GITHUB_REF}" != "refs/heads/${GITHUB_EVENT_REPOSITORY_DEFAULT_BRANCH}" ]]; then echo "WITH_BENCH_BASELINE=1" >> $GITHUB_ENV else echo "WITH_BENCH_BASELINE=0" >> $GITHUB_ENV fi + env: + GITHUB_EVENT_REPOSITORY_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} - name: "Baseline creation: Checkout default branch." - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 if: ${{ env.WITH_BENCH_BASELINE == '1' }} with: ref: ${{ github.event.repository.default_branch }} + persist-credentials: false - name: Build if: ${{ env.WITH_BENCH_BASELINE == '1' }} @@ -72,11 +79,12 @@ jobs: run: echo "WITH_BENCH_BASELINE=0" >> $GITHUB_ENV - name: "Pull request: Checkout head." - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 if: ${{ github.event_name == 'pull_request' }} with: ref: ${{ github.event.pull_request.head.sha }} clean: false + persist-credentials: false - name: "Pull request: Build" if: ${{ github.event_name == 'pull_request' }} @@ -86,7 +94,7 @@ jobs: - name: "Run PhpBench." working-directory: ./tests run: | - if [ "${{ env.WITH_BENCH_BASELINE }}" == '1' ]; then + if [ "${WITH_BENCH_BASELINE}" == '1' ]; then docker compose run --rm -e XDEBUG_MODE=off php${{ matrix.php }} php vendor/bin/phpbench run --report='aggregate' --ref=default --assert="mode(variant.time.avg) <= mode(baseline.time.avg) +/- 10%" > phpbench.log else docker compose run --rm -e XDEBUG_MODE=off php${{ matrix.php }} php vendor/bin/phpbench run --report='aggregate' > phpbench.log diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c0234dd..b5c3396 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -22,6 +22,8 @@ on: name: build +permissions: + contents: read jobs: phpunit: name: PHP ${{ matrix.php }} @@ -32,7 +34,9 @@ jobs: php: [ 81, 82, 83, 84 ] steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 + with: + persist-credentials: false - name: Build working-directory: ./tests run: docker compose build diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml index 857295f..f642504 100644 --- a/.github/workflows/composer-require-checker.yml +++ b/.github/workflows/composer-require-checker.yml @@ -24,9 +24,11 @@ on: name: Composer require checker +permissions: + contents: read jobs: composer-require-checker: - uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master + uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml index 2f41299..864cc43 100644 --- a/.github/workflows/mutation.yml +++ b/.github/workflows/mutation.yml @@ -22,6 +22,8 @@ on: name: Mutation test +permissions: + contents: read jobs: mutation: name: PHP ${{ matrix.php }}-${{ matrix.os }} @@ -42,10 +44,12 @@ jobs: steps: - name: Checkout. - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + with: + persist-credentials: false - name: Install PHP with extensions. - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 with: php-version: ${{ matrix.php }} ini-values: memory_limit=-1 diff --git a/.github/workflows/rector.yml b/.github/workflows/rector.yml index 5d6931d..fc2f701 100644 --- a/.github/workflows/rector.yml +++ b/.github/workflows/rector.yml @@ -1,5 +1,5 @@ on: - pull_request_target: + pull_request: paths-ignore: - 'docs/**' - 'README.md' @@ -11,9 +11,11 @@ on: name: rector +permissions: + contents: read jobs: rector: - uses: yiisoft/actions/.github/workflows/rector.yml@master + uses: yiisoft/actions/.github/workflows/rector.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 secrets: token: ${{ secrets.YIISOFT_GITHUB_TOKEN }} with: diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index b56464d..59d2b1a 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -22,9 +22,11 @@ on: name: static analysis +permissions: + contents: read jobs: psalm: - uses: yiisoft/actions/.github/workflows/psalm.yml@master + uses: yiisoft/actions/.github/workflows/psalm.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 with: os: >- ['ubuntu-latest'] From 559eab00a9c0d6b82efe39c7eaf123863da80739 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 02:15:12 +0300 Subject: [PATCH 02/12] Add zizmorify configuration --- .github/dependabot.yml | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index d7ebdbf..6cc0071 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,16 +1,8 @@ version: 2 updates: - # Maintain dependencies for GitHub Actions. - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "daily" - # Too noisy. See https://github.community/t/increase-if-necessary-for-github-actions-in-dependabot/179581 - open-pull-requests-limit: 0 - - # Maintain dependencies for Composer - - package-ecosystem: "composer" - directory: "/" - schedule: - interval: "daily" - versioning-strategy: increase-if-necessary + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + cooldown: + default-days: 7 From b395f2f7174d1687649739c30fe19b4e865f8a85 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 02:36:40 +0300 Subject: [PATCH 03/12] Add zizmorify workflow --- .github/workflows/zizmor.yml | 37 ++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..e9b7e06 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,37 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: + - main + paths: + - '.github/**.yml' + - '.github/**.yaml' + pull_request: + paths: + - '.github/**.yml' + - '.github/**.yaml' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + zizmor: + name: Run zizmor 🌈 + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + advanced-security: false + annotations: true + persona: 'pedantic' From 9ac9a47889fb94f19a657697110fd3a85825ba08 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 12:04:34 +0300 Subject: [PATCH 04/12] Restore Dependabot non-GitHub-Actions updates --- .github/dependabot.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 6cc0071..cb0e7a1 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,5 +1,19 @@ version: 2 updates: + # Maintain dependencies for GitHub Actions. + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + # Too noisy. See https://github.community/t/increase-if-necessary-for-github-actions-in-dependabot/179581 + open-pull-requests-limit: 0 + + # Maintain dependencies for Composer + - package-ecosystem: "composer" + directory: "/" + schedule: + interval: "daily" + versioning-strategy: increase-if-necessary - package-ecosystem: "github-actions" directory: "/" schedule: From 4733bcf3669156e84900865aa74c5c004f0c9bad Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 12:48:55 +0300 Subject: [PATCH 05/12] Remove Rector pull_request_target inputs --- .github/workflows/rector.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/rector.yml b/.github/workflows/rector.yml index fc2f701..698aa3c 100644 --- a/.github/workflows/rector.yml +++ b/.github/workflows/rector.yml @@ -16,10 +16,7 @@ permissions: jobs: rector: uses: yiisoft/actions/.github/workflows/rector.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 - secrets: - token: ${{ secrets.YIISOFT_GITHUB_TOKEN }} with: - repository: ${{ github.event.pull_request.head.repo.full_name }} os: >- ['ubuntu-latest'] php: >- From 548480440deb8c5385e0d7ac8796a835fc11ecf2 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 12:48:59 +0300 Subject: [PATCH 06/12] Remove Rector pull_request_target inputs --- .github/workflows/rector.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/rector.yml b/.github/workflows/rector.yml index 5d6931d..c164c30 100644 --- a/.github/workflows/rector.yml +++ b/.github/workflows/rector.yml @@ -14,10 +14,7 @@ name: rector jobs: rector: uses: yiisoft/actions/.github/workflows/rector.yml@master - secrets: - token: ${{ secrets.YIISOFT_GITHUB_TOKEN }} with: - repository: ${{ github.event.pull_request.head.repo.full_name }} os: >- ['ubuntu-latest'] php: >- From 0e147ed050df3868471648ec7151a8f2ba8c9980 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sat, 20 Jun 2026 11:46:49 +0300 Subject: [PATCH 07/12] Use master for yiisoft actions --- .github/workflows/composer-require-checker.yml | 2 +- .github/workflows/rector.yml | 2 +- .github/workflows/static.yml | 2 +- .github/zizmor.yml | 5 +++++ 4 files changed, 8 insertions(+), 3 deletions(-) create mode 100644 .github/zizmor.yml diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml index f642504..05fafe5 100644 --- a/.github/workflows/composer-require-checker.yml +++ b/.github/workflows/composer-require-checker.yml @@ -28,7 +28,7 @@ permissions: contents: read jobs: composer-require-checker: - uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 + uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/rector.yml b/.github/workflows/rector.yml index 698aa3c..ebc6d37 100644 --- a/.github/workflows/rector.yml +++ b/.github/workflows/rector.yml @@ -15,7 +15,7 @@ permissions: contents: read jobs: rector: - uses: yiisoft/actions/.github/workflows/rector.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 + uses: yiisoft/actions/.github/workflows/rector.yml@master with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index 59d2b1a..c0b8262 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -26,7 +26,7 @@ permissions: contents: read jobs: psalm: - uses: yiisoft/actions/.github/workflows/psalm.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 + uses: yiisoft/actions/.github/workflows/psalm.yml@master with: os: >- ['ubuntu-latest'] diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..85ca798 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,5 @@ +rules: + unpinned-uses: + config: + policies: + "yiisoft/*": any From e47dc8693a5a10340c57de66e58bb2fd21ea07a0 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sat, 20 Jun 2026 11:46:54 +0300 Subject: [PATCH 08/12] Use master for yiisoft actions --- .github/zizmor.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..85ca798 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,5 @@ +rules: + unpinned-uses: + config: + policies: + "yiisoft/*": any From 0a90ea8eadcafc8cab4dd1783e3ead82f949aadc Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sat, 20 Jun 2026 12:16:25 +0300 Subject: [PATCH 09/12] Use master for yiisoft actions --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index d7ebdbf..426dc2b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,6 +9,8 @@ updates: open-pull-requests-limit: 0 # Maintain dependencies for Composer + ignore: + - dependency-name: "yiisoft/*" - package-ecosystem: "composer" directory: "/" schedule: From 10ef06d7b7a5a549b91c497297378dba379b30d8 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sat, 20 Jun 2026 12:16:30 +0300 Subject: [PATCH 10/12] Use master for yiisoft actions --- .github/dependabot.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index cb0e7a1..763f708 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,6 +9,8 @@ updates: open-pull-requests-limit: 0 # Maintain dependencies for Composer + ignore: + - dependency-name: "yiisoft/*" - package-ecosystem: "composer" directory: "/" schedule: @@ -20,3 +22,5 @@ updates: interval: "weekly" cooldown: default-days: 7 + ignore: + - dependency-name: "yiisoft/*" From 098b0be98ca483061b1af6272ba397fa37d8460e Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sun, 21 Jun 2026 15:00:55 +0300 Subject: [PATCH 11/12] Remove redundant zizmor config --- .github/zizmor.yml | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml deleted file mode 100644 index 85ca798..0000000 --- a/.github/zizmor.yml +++ /dev/null @@ -1,5 +0,0 @@ -rules: - unpinned-uses: - config: - policies: - "yiisoft/*": any From 3506b5b5c437ebda700d5a9d769ecd0e1c555129 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Thu, 25 Jun 2026 00:47:14 +0300 Subject: [PATCH 12/12] Fix zizmor workflow findings --- .github/dependabot.yml | 2 ++ .github/workflows/zizmor.yml | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index a4c1ef2..5fd269d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -16,3 +16,5 @@ updates: schedule: interval: "daily" versioning-strategy: increase-if-necessary + cooldown: + default-days: 7 diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 9465846..430255d 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -14,8 +14,8 @@ on: - '.github/**.yaml' permissions: - actions: read - contents: read + actions: read # Required by zizmor when reading workflow metadata through the API. + contents: read # Required to read workflow files. jobs: zizmor: