30 changes: 17 additions & 13 deletions .github/dependabot.yml
@@ -1,16 +1,20 @@
version: 2
updates:
# Maintain dependencies for GitHub Actions.
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
# Too noisy. See https://github.community/t/increase-if-necessary-for-github-actions-in-dependabot/179581
open-pull-requests-limit: 0
# Maintain dependencies for GitHub Actions.
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
cooldown:
default-days: 7
ignore:
- dependency-name: "yiisoft/*"

# Maintain dependencies for Composer
- package-ecosystem: "composer"
directory: "/"
schedule:
interval: "daily"
versioning-strategy: increase-if-necessary
# Maintain dependencies for Composer
- package-ecosystem: "composer"
directory: "/"
schedule:
interval: "daily"
versioning-strategy: increase-if-necessary
cooldown:
default-days: 7
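Review bot: The `ignore` entry `dependency-name: "yiisoft/*"` under the github-actions ecosystem suppresses every Dependabot update for those actions, and as far as I recall the `ignore` list applies to security updates as well as version updates, so a vulnerable `yiisoft/*` action would never be proposed. If the goal is only to avoid noise for the reusable workflows consumed at `@master`, which Dependabot cannot bump anyway, the entry can go; otherwise restrict it with `update-types` and record the reason above it, e.g. `# yiisoft/* reusable workflows are tracked on master; Dependabot has nothing to bump.` Note too that with the limit of 0 gone Dependabot will start opening PRs for the SHA pins added in this commit, and as far as I know it keeps a `# vX.Y.Z` comment in step only where one already exists.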
18 changes: 13 additions & 5 deletions .github/workflows/bechmark.yml
@@ -1,4 +1,4 @@
on:

pull_request:
paths-ignore:
- 'docs/**'
Expand All @@ -24,6 +24,8 @@

name: bechmark

permissions:
contents: read
jobs:
phpbench:
name: PHP ${{ matrix.php }}
Expand All @@ -39,32 +41,37 @@

steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5

with:
persist-credentials: false

- name: Check if we need to create a baseline for a PR
run: |
if [[ "${{ github.event_name }}" == "pull_request" && "${{ github.ref }}" != "refs/heads/${{ github.event.repository.default_branch }}" ]]; then
if [[ "${{ github.event_name }}" == "pull_request" && "${GITHUB_REF}" != "refs/heads/${GITHUB_EVENT_REPOSITORY_DEFAULT_BRANCH}" ]]; then

echo "WITH_BENCH_BASELINE=1" >> $GITHUB_ENV
else
echo "WITH_BENCH_BASELINE=0" >> $GITHUB_ENV
fi
env:
GITHUB_EVENT_REPOSITORY_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}

- name: "Baseline creation: Checkout default branch."
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5

Check warning on line 59 in .github/workflows/bechmark.yml

View workflow job for this annotation

GitHub Actions / zizmor / Run zizmor 🌈

ref-version-mismatch

bechmark.yml:59: action's hash pin has mismatched or missing version comment: missing version comment
if: ${{ env.WITH_BENCH_BASELINE == '1' }}
with:
ref: ${{ github.event.repository.default_branch }}
persist-credentials: false

- name: Build
if: ${{ env.WITH_BENCH_BASELINE == '1' }}
working-directory: ./tests
run: docker compose build php${{ matrix.php }}


- name: "Baseline creation: Run PhpBench."
id: baseline
if: ${{ env.WITH_BENCH_BASELINE == '1' }}
continue-on-error: true
run: docker compose run --rm -e XDEBUG_MODE=off php${{ matrix.php }} php vendor/bin/phpbench run --report='aggregate' --tag=default

working-directory: ./tests

- name: Disable baseline comparison when baseline creation failed
Expand All @@ -72,22 +79,23 @@
run: echo "WITH_BENCH_BASELINE=0" >> $GITHUB_ENV

- name: "Pull request: Checkout head."
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5

if: ${{ github.event_name == 'pull_request' }}
with:
ref: ${{ github.event.pull_request.head.sha }}
clean: false
persist-credentials: false

- name: "Pull request: Build"
if: ${{ github.event_name == 'pull_request' }}
working-directory: ./tests
run: docker compose build php${{ matrix.php }}


- name: "Run PhpBench."
working-directory: ./tests
run: |
if [ "${{ env.WITH_BENCH_BASELINE }}" == '1' ]; then
if [ "${WITH_BENCH_BASELINE}" == '1' ]; then
docker compose run --rm -e XDEBUG_MODE=off php${{ matrix.php }} php vendor/bin/phpbench run --report='aggregate' --ref=default --assert="mode(variant.time.avg) <= mode(baseline.time.avg) +/- 10%" > phpbench.log

else
docker compose run --rm -e XDEBUG_MODE=off php${{ matrix.php }} php vendor/bin/phpbench run --report='aggregate' > phpbench.log

fi
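Review bot: The three `actions/checkout` hash pins in this file carry no version comment, so a reader cannot tell which release the SHA corresponds to and, as far as I know, Dependabot only keeps such a comment in step when one is present; the same applies to the pins added in build.yml and mutation.yml. Append the release to each pin after confirming the SHA against the tag, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v<RELEASE-PLACEHOLDER>`. The `run:` lines still expand `${{ matrix.php }}` into the shell; the matrix is declared in this file, so it is not attacker-controlled today, but passing it through `env: PHP_VERSION: ${{ matrix.php }}` and using `php${PHP_VERSION}` keeps every interpolation out of the script, as the commit already did for `GITHUB_REF` and the default branch. The `>> $GITHUB_ENV` redirections would also be more robust quoted as `>> "$GITHUB_ENV"`.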
6 changes: 5 additions & 1 deletion .github/workflows/build.yml
Expand Up @@ -22,6 +22,8 @@ on:

name: build

permissions:
contents: read
jobs:
phpunit:
name: PHP ${{ matrix.php }}
Expand All @@ -32,7 +34,9 @@ jobs:
php: [ 81, 82, 83, 84 ]
steps:
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5
with:
persist-credentials: false
- name: Build
working-directory: ./tests
run: docker compose build
2 changes: 2 additions & 0 deletions .github/workflows/composer-require-checker.yml
Expand Up @@ -24,6 +24,8 @@ on:

name: Composer require checker

permissions:
contents: read
jobs:
composer-require-checker:
uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master
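Review bot: The new `contents: read` block is the permission ceiling for the reusable workflow called on the next line, and nothing in this diff shows what `yiisoft/actions/.github/workflows/composer-require-checker.yml@master` itself requires; if it writes anywhere (check runs, pull-request comments), the job will now fail with a permission error, so verify it against the called workflow. The same check applies to the identical block added in static.yml for `psalm.yml@master`. If the organisation's reusable workflows are intentionally consumed from a branch rather than a SHA, a comment next to `uses:` such as `# Reusable workflows from the organisation's own repository are consumed from master on purpose.` would stop the next hardening pass from reopening the question.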
8 changes: 6 additions & 2 deletions .github/workflows/mutation.yml
Expand Up @@ -22,6 +22,8 @@

name: Mutation test

permissions:
contents: read
jobs:
mutation:
name: PHP ${{ matrix.php }}-${{ matrix.os }}
Expand All @@ -33,7 +35,7 @@

services:
rabbitmq:
image: rabbitmq:3.8

env:
RABBITMQ_DEFAULT_USER: guest
RABBITMQ_DEFAULT_PASS: guest
Expand All @@ -42,10 +44,12 @@

steps:
- name: Checkout.
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
with:
persist-credentials: false

- name: Install PHP with extensions.
uses: shivammathur/setup-php@v2
uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45
with:
php-version: ${{ matrix.php }}
ini-values: memory_limit=-1
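Review bot: The `rabbitmq:3.8` service image is pulled by floating tag while every action in the same job is now pinned by SHA, so the container contents can change between runs with no diff to review; pin it by digest, `image: rabbitmq:3.8@sha256:<DIGEST-PLACEHOLDER>`, with a comment naming the tag the digest was taken from so it can be refreshed deliberately. The 3.8 line is, as far as I recall, no longer supported upstream, so moving to a current release while pinning is worth considering. The `guest`/`guest` credentials are acceptable for a service container that exists only for the job, but a comment saying so, e.g. `# Throwaway broker for the job only; default credentials are intentional.`, saves the next reader from flagging them.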
7 changes: 3 additions & 4 deletions .github/workflows/rector.yml
@@ -1,5 +1,5 @@
on:
pull_request_target:
pull_request:
paths-ignore:
- 'docs/**'
- 'README.md'
Expand All @@ -11,13 +11,12 @@ on:

name: rector

permissions:
contents: read
jobs:
rector:
uses: yiisoft/actions/.github/workflows/rector.yml@master
secrets:
token: ${{ secrets.YIISOFT_GITHUB_TOKEN }}
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
os: >-
['ubuntu-latest']
php: >-
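Review bot: The reusable rector workflow is now called with `contents: read` as its permission ceiling and, for fork PRs under `pull_request`, without access to `secrets.YIISOFT_GITHUB_TOKEN`; if `yiisoft/actions/.github/workflows/rector.yml@master` commits fixes back to the PR branch it will no longer be able to, so confirm whether it is expected to only report. The render has lost the old/new markers, so I cannot tell whether the `secrets:`/`token:` and `repository:` lines are removed or kept; if kept, `repository: ${{ github.event.pull_request.head.repo.full_name }}` alongside a read-only token is dead configuration. A one-line comment above `jobs:`, e.g. `# Runs in the pull_request context: untrusted PR code never sees repository secrets.`, would record why `pull_request_target` was dropped.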
2 changes: 2 additions & 0 deletions .github/workflows/static.yml
Expand Up @@ -22,6 +22,8 @@ on:

name: static analysis

permissions:
contents: read
jobs:
psalm:
uses: yiisoft/actions/.github/workflows/psalm.yml@master
22 changes: 22 additions & 0 deletions .github/workflows/zizmor.yml
@@ -0,0 +1,22 @@
name: GitHub Actions Security Analysis with zizmor 🌈

on:
push:
branches:
- master
- main
paths:
- '.github/**.yml'
- '.github/**.yaml'
pull_request:
paths:
- '.github/**.yml'
- '.github/**.yaml'

permissions:
actions: read # Required by zizmor when reading workflow metadata through the API.
contents: read # Required to read workflow files.

jobs:
zizmor:
uses: yiisoft/actions/.github/workflows/zizmor.yml@master
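Review bot: The `paths` filters on both triggers mean zizmor runs only when a workflow file changes, so findings introduced by new zizmor rules, or by a change to the reusable workflow on `yiisoft/actions@master`, stay hidden until someone next edits `.github/`; a `schedule:` trigger (plus `workflow_dispatch:` for manual runs) would close that gap. The `permissions` block grants only `actions: read` and `contents: read`; if the called workflow uploads SARIF to code scanning it also needs `security-events: write`, which cannot be confirmed from this diff, so check it against `yiisoft/actions/.github/workflows/zizmor.yml@master`. That reference is itself a floating `@master` ref inside the security-scanning workflow, which deserves a comment if intentional.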