From f106131fc3d1a738694999614bdd75e93871a2c5 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Fri, 19 Jun 2026 00:42:47 +0300
Subject: [PATCH 01/10] Harden GitHub workflows
---
 .github/workflows/bc.yml | 4 +++-
 .github/workflows/build.yml | 3 +--
 .github/workflows/composer-require-checker.yml | 4 +++-
 .github/workflows/mutation.yml | 4 +++-
 .github/workflows/static.yml | 4 +++-
 5 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml
index e2132c3..80f32c2 100644
--- a/.github/workflows/bc.yml
+++ b/.github/workflows/bc.yml
@@ -23,9 +23,11 @@ on:
 name: backwards compatibility
+permissions:
+ contents: read
 jobs:
 roave_bc_check:
- uses: yiisoft/actions/.github/workflows/bc.yml@master
+ uses: yiisoft/actions/.github/workflows/bc.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
 with:
 os: >-
 ['ubuntu-latest']
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f333f6f..65a3ac6 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,10 +24,9 @@ name: build
 permissions:
 contents: read
-
 jobs:
 phpunit:
- uses: yiisoft/actions/.github/workflows/phpunit.yml@master
+ uses: yiisoft/actions/.github/workflows/phpunit.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
 secrets:
 codecovToken: ${{ secrets.CODECOV_TOKEN }}
 with:
diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml
index 5605c7c..4a000d9 100644
--- a/.github/workflows/composer-require-checker.yml
+++ b/.github/workflows/composer-require-checker.yml
@@ -24,9 +24,11 @@ on:
 name: Composer require checker
+permissions:
+ contents: read
 jobs:
 composer-require-checker:
- uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master
+ uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
 with:
 os: >-
 ['ubuntu-latest']
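Review bot: The hash pin on the `uses:` line carries no trailing `# <tag>` comment, unlike the repository's other hash pins (`ramsey/composer-install@… # 4.0.0` in build.yml), so a reader cannot tell which release of yiisoft/actions `ab62d6b3…` corresponds to and an update bot has no version label to keep in sync; `uses: yiisoft/actions/.github/workflows/bc.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 # <tag or date>` records it. The same applies to the build.yml and composer-require-checker.yml hunks here and to the mutation.yml and static.yml hunks that follow. The added top-level `permissions: contents: read` is what bounds `GITHUB_TOKEN` for the called workflow — a reusable workflow cannot receive more than its caller grants — so it keeps its value even after PATCH 02/10 in this series returns the `uses:` lines to `@master`.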
diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml
index cc40daa..45bf389 100644
--- a/.github/workflows/mutation.yml
+++ b/.github/workflows/mutation.yml
@@ -20,9 +20,11 @@ on:
 name: mutation test
+permissions:
+ contents: read
 jobs:
 mutation:
- uses: yiisoft/actions/.github/workflows/infection.yml@master
+ uses: yiisoft/actions/.github/workflows/infection.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
 with:
 os: >-
 ['ubuntu-latest']
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index 48c3bb8..1f148df 100644
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
@@ -22,9 +22,11 @@ on:
 name: static analysis
+permissions:
+ contents: read
 jobs:
 psalm:
- uses: yiisoft/actions/.github/workflows/psalm.yml@master
+ uses: yiisoft/actions/.github/workflows/psalm.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
 with:
 os: >-
 ['ubuntu-latest']
From fded91a7921f8bba2ae0e0567f0f091783473ef2 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Sat, 20 Jun 2026 11:42:49 +0300
Subject: [PATCH 02/10] Use master for yiisoft actions
---
 .github/workflows/bc.yml | 2 +-
 .github/workflows/build.yml | 2 +-
 .github/workflows/composer-require-checker.yml | 2 +-
 .github/workflows/mutation.yml | 2 +-
 .github/workflows/static.yml | 2 +-
 .github/zizmor.yml | 5 +++++
 6 files changed, 10 insertions(+), 5 deletions(-)
 create mode 100644 .github/zizmor.yml
diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml
index 80f32c2..ef80d49 100644
--- a/.github/workflows/bc.yml
+++ b/.github/workflows/bc.yml
@@ -27,7 +27,7 @@ permissions:
 contents: read
 jobs:
 roave_bc_check:
- uses: yiisoft/actions/.github/workflows/bc.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+ uses: yiisoft/actions/.github/workflows/bc.yml@master
 with:
 os: >-
 ['ubuntu-latest']
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 65a3ac6..fd312b4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -26,7 +26,7 @@ permissions:
 contents: read
 jobs:
 phpunit:
- uses: yiisoft/actions/.github/workflows/phpunit.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+ uses: yiisoft/actions/.github/workflows/phpunit.yml@master
 secrets:
 codecovToken: ${{ secrets.CODECOV_TOKEN }}
 with:
diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml
index 4a000d9..3d7d437 100644
--- a/.github/workflows/composer-require-checker.yml
+++ b/.github/workflows/composer-require-checker.yml
@@ -28,7 +28,7 @@ permissions:
 contents: read
 jobs:
 composer-require-checker:
- uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+ uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master
 with:
 os: >-
 ['ubuntu-latest']
diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml
index 45bf389..96b6d08 100644
--- a/.github/workflows/mutation.yml
+++ b/.github/workflows/mutation.yml
@@ -24,7 +24,7 @@ permissions:
 contents: read
 jobs:
 mutation:
- uses: yiisoft/actions/.github/workflows/infection.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+ uses: yiisoft/actions/.github/workflows/infection.yml@master
 with:
 os: >-
 ['ubuntu-latest']
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index 1f148df..bb8e2bb 100644
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
@@ -26,7 +26,7 @@ permissions:
 contents: read
 jobs:
 psalm:
- uses: yiisoft/actions/.github/workflows/psalm.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+ uses: yiisoft/actions/.github/workflows/psalm.yml@master
 with:
 os: >-
 ['ubuntu-latest']
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..85ca798
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ "yiisoft/*": any
From 906a825b848d373ea56a529102ed9f56cf29a40b Mon Sep 17 00:00:00 2001
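Review bot: The new `.github/zizmor.yml` policy `"yiisoft/*": any` exempts every yiisoft-owned action and reusable workflow from zizmor's `unpinned-uses` audit while the same commit returns the five `uses:` lines (bc.yml in the previous hunk; build.yml, composer-require-checker.yml, mutation.yml and static.yml here) to `@master`; that is a deliberate decision to trust the branch protection of yiisoft/actions, which nothing in this repository can verify, and the config should record it, e.g. `# Reusable workflows from this org are consumed by branch on purpose; the caller's top-level permissions still bound the token they receive.` That bound covers `GITHUB_TOKEN` only — the `codecovToken: ${{ secrets.CODECOV_TOKEN }}` that build.yml forwards is exposed to whatever `master` contains at run time, which is the part of the trade-off worth stating in the commit message. A one-line comment in the policy file naming the finding it silences would also keep the next maintainer from re-enabling the audit by accident.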
From: Alexander Makarov
Date: Sun, 21 Jun 2026 15:02:17 +0300
Subject: [PATCH 03/10] Remove redundant zizmor config
---
 .github/zizmor.yml | 5 -----
 1 file changed, 5 deletions(-)
 delete mode 100644 .github/zizmor.yml
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
deleted file mode 100644
index 85ca798..0000000
--- a/.github/zizmor.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-rules:
- unpinned-uses:
- config:
- policies:
- "yiisoft/*": any
From 96a79a8069e024efd8af32b439255a3e7fdaa366 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Fri, 19 Jun 2026 02:34:45 +0300
Subject: [PATCH 04/10] Add zizmorify workflow
---
 .github/workflows/zizmor.yml | 37 ++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..e9b7e06
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,37 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - '.github/**.yml'
+ - '.github/**.yaml'
+ pull_request:
+ paths:
+ - '.github/**.yml'
+ - '.github/**.yaml'
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ zizmor:
+ name: Run zizmor 🌈
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+ with:
+ advanced-security: false
+ annotations: true
+ persona: 'pedantic'
From 3d0592e3d941cd6065ef4e4e3512393f17ea79a2 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Sat, 20 Jun 2026 11:42:54 +0300
Subject: [PATCH 05/10] Use master for yiisoft actions
---
 .github/zizmor.yml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .github/zizmor.yml
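Review bot: `cancel-in-progress: true` keyed on `${{ github.ref }}` also applies to pushes to `main`, so a second push cancels the still-running scan of the previous commit and that commit ends without a completed security-analysis result; cancelling superseded runs is useful for pull-request refs only. `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` keeps that behaviour for PRs and lets every scan of `main` finish. If the repository's default branch is not `main` (the yiisoft workflows in this series are referenced at `@master`), the `branches: - main` filter never matches and pushes are not scanned at all; PATCH 06/10 later drops both the branch filter and the concurrency block. The SHA pins with release comments and `persist-credentials: false` on the checkout are as they should be.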
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..85ca798
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ "yiisoft/*": any
From 1e142af04c993baf20db40f74ed4272b0b56f5a6 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Thu, 25 Jun 2026 00:46:48 +0300
Subject: [PATCH 06/10] Fix zizmor workflow findings
---
 .github/dependabot.yml | 2 ++
 .github/workflows/zizmor.yml | 41 ++++++++++-------------------------
 2 files changed, 13 insertions(+), 30 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 64c8667..f84e056 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -26,3 +26,5 @@ updates:
 patterns:
 - "*"
 versioning-strategy: increase-if-necessary
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index e9b7e06..dce9aec 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -1,37 +1,18 @@
 name: GitHub Actions Security Analysis with zizmor 🌈
 on:
- push:
- branches:
- - main
- paths:
- - '.github/**.yml'
- - '.github/**.yaml'
- pull_request:
- paths:
- - '.github/**.yml'
- - '.github/**.yaml'
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
+ push:
+ paths:
+ - '.github/**.yml'
+ - '.github/**.yaml'
+ pull_request:
+ paths:
+ - '.github/**.yml'
+ - '.github/**.yaml'
 permissions:
- contents: read
+ contents: read
 jobs:
- zizmor:
- name: Run zizmor 🌈
- runs-on: ubuntu-latest
- steps:
- - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
-
- - name: Run zizmor 🌈
- uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
- with:
- advanced-security: false
- annotations: true
- persona: 'pedantic'
+ zizmor:
+ uses: yiisoft/actions/.github/workflows/zizmor.yml@master
From aa7e64020eeb7d66f215c98f2858d5c34cd2dbf3 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Thu, 2 Jul 2026 23:31:56 +0300
Subject: [PATCH 07/10] Fix hardened workflow checks
---
 .github/workflows/build.yml | 8 ++++----
 .github/workflows/rector-cs.yml | 4 +++-
 .github/workflows/zizmor.yml | 30 ++++++++++++++++++++++++++++--
 3 files changed, 35 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fd312b4..57135e2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -41,10 +41,10 @@ jobs:
 runs-on: windows-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Install PHP with extensions
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 # v2
 with:
 php-version: '8.2'
@@ -52,7 +52,7 @@ jobs:
 uses: ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda # 4.0.0
 - name: Prepare PHP
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 # v2
 with:
 php-version: '8.2'
 coverage: xdebug
@@ -62,7 +62,7 @@ jobs:
 run: vendor/bin/phpunit --coverage-clover=coverage.xml
 - name: Upload coverage to Codecov
- uses: codecov/codecov-action@v4
+ uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: ./coverage.xml
diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml
index ea744f3..3b6f300 100644
--- a/.github/workflows/rector-cs.yml
+++ b/.github/workflows/rector-cs.yml
@@ -11,7 +11,7 @@ on:
 - '.php-cs-fixer.dist.php'
 permissions:
- contents: write
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
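Review bot: The three new pins in build.yml are labelled with floating major tags (`# v6`, `# v2`, `# v4`) rather than the exact release the SHA was taken from, while the neighbouring `ramsey/composer-install@… # 4.0.0` line and the zizmor.yml pins in this series name the full version; a major tag moves, so the comment does not tell a reader (or an update bot maintaining the label) which release `df4cb1c…` actually is. `uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v<exact release>`, and the same for the two setup-php hunks and the codecov hunk, fixes that. The same commit pins actions/checkout in zizmor.yml to a different commit (`9c091bb… # v7.0.0`); one checkout revision per repository keeps Dependabot's grouped update (`patterns: "*"` in dependabot.yml) from having to propose two. PATCH 09/10 removes this job in favour of the shared phpunit workflow, so the point matters mainly as the convention for future pins.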
@@ -19,6 +19,8 @@ concurrency:
 jobs:
 rector:
+ permissions:
+ contents: write # Required to commit automated Rector and CS fixes.
 uses: yiisoft/actions/.github/workflows/rector-cs.yml@master
 with:
 php: '8.2'
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index dce9aec..a038b15 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -1,4 +1,4 @@
-name: GitHub Actions Security Analysis with zizmor 🌈
+name: GitHub Actions Security Analysis with zizmor
 on:
 push:
@@ -15,4 +15,30 @@ permissions:
 jobs:
 zizmor:
- uses: yiisoft/actions/.github/workflows/zizmor.yml@master
+ name: Run zizmor
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
+
+ - name: Create zizmor configuration
+ run: |
+ cat > .zizmor-shared.yml <<'YAML'
+ rules:
+ unpinned-uses:
+ config:
+ policies:
+ "yiisoft/*": any
+ YAML
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+ with:
+ advanced-security: false
+ annotations: true
+ config: .zizmor-shared.yml
+ inputs: .github
+ min-severity: high
+ persona: 'pedantic'
From 98a0403edfb670227c9886b0ba064880ec2b652e Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Fri, 3 Jul 2026 00:08:07 +0300
Subject: [PATCH 08/10] Use shared zizmor workflow
---
 .github/workflows/zizmor.yml | 30 ++---------------------------
 1 file changed, 2 insertions(+), 28 deletions(-)
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index a038b15..dce9aec 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -1,4 +1,4 @@
-name: GitHub Actions Security Analysis with zizmor
+name: GitHub Actions Security Analysis with zizmor 🌈
 on:
 push:
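Review bot: The job-level `contents: write` is now the only write-capable grant among the repository's workflows and it goes to `yiisoft/actions/.github/workflows/rector-cs.yml@master`, a mutable ref that the `"yiisoft/*": any` policy in `.github/zizmor.yml` keeps out of the `unpinned-uses` audit; for this one job the cost of a SHA pin with a `# <tag>` comment is small next to what a changed `master` could do with a write token, so consider making it the exception to the policy. If the workflow also runs on `pull_request` from forks (its `on:` block is outside the hunk), the token is read-only there regardless of this grant, which the comment could state: `contents: write # Required to commit automated Rector and CS fixes; fork PRs still get a read-only token.` Dropping the top-level grant to `read` in the previous hunk is the right move.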
@@ -15,30 +15,4 @@ permissions:
 jobs:
 zizmor:
- name: Run zizmor
- runs-on: ubuntu-latest
- steps:
- - name: Checkout repository
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- with:
- persist-credentials: false
-
- - name: Create zizmor configuration
- run: |
- cat > .zizmor-shared.yml <<'YAML'
- rules:
- unpinned-uses:
- config:
- policies:
- "yiisoft/*": any
- YAML
-
- - name: Run zizmor
- uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
- with:
- advanced-security: false
- annotations: true
- config: .zizmor-shared.yml
- inputs: .github
- min-severity: high
- persona: 'pedantic'
+ uses: yiisoft/actions/.github/workflows/zizmor.yml@master
From 71e6d642ce5fa05ab707ed0a565b82eacb458ef4 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Fri, 3 Jul 2026 00:36:37 +0300
Subject: [PATCH 09/10] Use shared phpunit workflow for OpenSSL test
---
 .github/workflows/build.yml | 39 ++++++++++---------------------------
 1 file changed, 10 insertions(+), 29 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 57135e2..a1e6d12 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -37,32 +37,13 @@ jobs:
 extensions: sodium, openssl
 phpunit-without-openssl:
- name: PHP 8.2 without openssl
- runs-on: windows-latest
- steps:
- - name: Checkout
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
-
- - name: Install PHP with extensions
- uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 # v2
- with:
- php-version: '8.2'
-
- - name: Install Composer dependencies
- uses: ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda # 4.0.0
-
- - name: Prepare PHP
- uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 # v2
- with:
- php-version: '8.2'
- coverage: xdebug
- extensions: :openssl
-
- - name: Run tests with PHPUnit with code coverage
- run: vendor/bin/phpunit --coverage-clover=coverage.xml
-
- - name: Upload coverage to Codecov
- uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
- with:
- token: ${{ secrets.CODECOV_TOKEN }}
- files: ./coverage.xml
+ uses: yiisoft/actions/.github/workflows/phpunit.yml@master
+ secrets:
+ codecovToken: ${{ secrets.CODECOV_TOKEN }}
+ with:
+ coverage: xdebug
+ extensions: :openssl
+ os: >-
+ ['windows-latest']
+ php: >-
+ ['8.2']
From 69a318a0e123e08ba78c47bd0ded4d4cd036911f Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Fri, 3 Jul 2026 00:47:41 +0300
Subject: [PATCH 10/10] Disable OpenSSL after dependency install
---
 .github/dependabot.yml | 2 --
 .github/workflows/build.yml | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f84e056..64c8667 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -26,5 +26,3 @@ updates:
 patterns:
 - "*"
 versioning-strategy: increase-if-necessary
- cooldown:
- default-days: 7
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a1e6d12..df7df24 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
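Review bot: The rewritten `phpunit-without-openssl` job forwards `codecovToken: ${{ secrets.CODECOV_TOKEN }}` to a reusable workflow taken from `@master`; unlike `GITHUB_TOKEN`, an explicitly passed secret is not bounded by the caller's `permissions:` block, so its exposure is governed entirely by the branch protection of yiisoft/actions. The existing `phpunit` job makes the same trade-off, so this is consistent, but the `.github/zizmor.yml` exemption is what keeps it out of the scan and that deserves a comment next to the `secrets:` key, e.g. `secrets: # forwarded to an org workflow consumed by branch; see .github/zizmor.yml`. `extensions: :openssl` presumably applies to the whole job including the Composer install; PATCH 10/10 already moves it to `test-extensions`, so nothing further is needed there. The `jobs:` mapping this job belongs to starts outside the hunk.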
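Review bot: This hunk removes the `cooldown: default-days: 7` block that PATCH 06/10 added, but the commit subject ("Disable OpenSSL after dependency install") and the accompanying build.yml hunk say nothing about Dependabot, so it reads like an accidental revert, possibly a rebase artefact. A cooldown is a supply-chain control — it holds newly published versions of actions and packages for a week before Dependabot proposes them — so if the removal is intended the message should say why; otherwise restore the two lines `cooldown:` / `default-days: 7` under the same `updates` entry. The `updates` entry itself starts outside the hunk.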
@@ -42,8 +42,8 @@ jobs:
 codecovToken: ${{ secrets.CODECOV_TOKEN }}
 with:
 coverage: xdebug
- extensions: :openssl
 os: >-
 ['windows-latest']
 php: >-
 ['8.2']
+ test-extensions: :openssl