diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml
index e2132c3..ef80d49 100644
--- a/.github/workflows/bc.yml
+++ b/.github/workflows/bc.yml
@@ -23,6 +23,8 @@ on:
 name: backwards compatibility
+permissions:
+ contents: read
 jobs:
 roave_bc_check:
 uses: yiisoft/actions/.github/workflows/bc.yml@master
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f333f6f..df7df24 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,7 +24,6 @@ name: build
 permissions:
 contents: read
-
 jobs:
 phpunit:
 uses: yiisoft/actions/.github/workflows/phpunit.yml@master
@@ -38,32 +37,13 @@ jobs:
 extensions: sodium, openssl
 phpunit-without-openssl:
- name: PHP 8.2 without openssl
- runs-on: windows-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v6
-
- - name: Install PHP with extensions
- uses: shivammathur/setup-php@v2
- with:
- php-version: '8.2'
-
- - name: Install Composer dependencies
- uses: ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda # 4.0.0
-
- - name: Prepare PHP
- uses: shivammathur/setup-php@v2
- with:
- php-version: '8.2'
- coverage: xdebug
- extensions: :openssl
-
- - name: Run tests with PHPUnit with code coverage
- run: vendor/bin/phpunit --coverage-clover=coverage.xml
-
- - name: Upload coverage to Codecov
- uses: codecov/codecov-action@v4
- with:
- token: ${{ secrets.CODECOV_TOKEN }}
- files: ./coverage.xml
+ uses: yiisoft/actions/.github/workflows/phpunit.yml@master
+ secrets:
+ codecovToken: ${{ secrets.CODECOV_TOKEN }}
+ with:
+ coverage: xdebug
+ os: >-
+ ['windows-latest']
+ php: >-
+ ['8.2']
+ test-extensions: :openssl
diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml
index 5605c7c..3d7d437 100644
--- a/.github/workflows/composer-require-checker.yml
+++ b/.github/workflows/composer-require-checker.yml
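Review bot: The workflow-level `permissions: contents: read` added above `jobs:` also caps the token that the called reusable workflow (`yiisoft/actions/.github/workflows/bc.yml@master`) receives, and nothing in the hunk shows that the upstream job needs no other scope. A called workflow cannot be granted more than its caller has, so if any upstream job declares another scope the run is rejected at startup rather than degrading. The same applies to the identical additions in composer-require-checker.yml, mutation.yml and static.yml, and to the new workflows/zizmor.yml, where a SARIF upload to code scanning would need `security-events: write`. A short comment such as `# Least privilege: called workflows inherit this as their upper bound.` above the block would record the intent.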
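Review bot: `secrets.CODECOV_TOKEN` is now handed to `yiisoft/actions/.github/workflows/phpunit.yml@master` in the `phpunit-without-openssl` job, and `master` is a mutable branch ref, so whatever that branch contains at run time receives the secret. The removed inline job pinned `ramsey/composer-install` to a full commit SHA; the replacement gives up that immutability. Pinning the call keeps the reuse and restores it: `uses: yiisoft/actions/.github/workflows/phpunit.yml@<full-commit-sha> # master`. The same consideration applies to the `rector` job in rector-cs.yml, which delegates `contents: write` to an `@master` workflow, and to the `uses:` line of the new zizmor workflow.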
@@ -24,6 +24,8 @@ on:
 name: Composer require checker
+permissions:
+ contents: read
 jobs:
 composer-require-checker:
 uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master
diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml
index cc40daa..96b6d08 100644
--- a/.github/workflows/mutation.yml
+++ b/.github/workflows/mutation.yml
@@ -20,6 +20,8 @@ on:
 name: mutation test
+permissions:
+ contents: read
 jobs:
 mutation:
 uses: yiisoft/actions/.github/workflows/infection.yml@master
diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml
index ea744f3..3b6f300 100644
--- a/.github/workflows/rector-cs.yml
+++ b/.github/workflows/rector-cs.yml
@@ -11,7 +11,7 @@ on:
 - '.php-cs-fixer.dist.php'
 permissions:
- contents: write
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -19,6 +19,8 @@ concurrency:
 jobs:
 rector:
+ permissions:
+ contents: write # Required to commit automated Rector and CS fixes.
 uses: yiisoft/actions/.github/workflows/rector-cs.yml@master
 with:
 php: '8.2'
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index 48c3bb8..bb8e2bb 100644
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
@@ -22,6 +22,8 @@ on:
 name: static analysis
+permissions:
+ contents: read
 jobs:
 psalm:
 uses: yiisoft/actions/.github/workflows/psalm.yml@master
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..dce9aec
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,18 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ paths:
+ - '.github/**.yml'
+ - '.github/**.yaml'
+ pull_request:
+ paths:
+ - '.github/**.yml'
+ - '.github/**.yaml'
+
+permissions:
+ contents: read
+
+jobs:
+ zizmor:
+ uses: yiisoft/actions/.github/workflows/zizmor.yml@master
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..85ca798
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ "yiisoft/*": any
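Review bot: The `"yiisoft/*": any` policy exempts every action and reusable workflow under the organisation from zizmor's `unpinned-uses` audit, although the workflows in this change only reference `yiisoft/actions`. Narrowing the pattern limits the exemption to what is actually in use, e.g. `"yiisoft/actions/*": any`. The file carries no comment explaining why branch refs are accepted for first-party workflows; one line above the entry stating that reason would make the exception reviewable. If commit pinning is adopted later, the entry can be tightened to `hash-pin` or removed.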