diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml index ba3e9ef..a7b1e31 100644 --- a/.github/workflows/bc.yml +++ b/.github/workflows/bc.yml @@ -4,6 +4,9 @@ on: name: backwards compatibility +permissions: + contents: read + jobs: roave_bc_check: uses: yiisoft/actions/.github/workflows/bc.yml@master @@ -11,4 +14,4 @@ jobs: os: >- ['ubuntu-latest'] php: >- - ['8.0'] + ['8.4'] diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8708e8a..31e4711 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -21,6 +21,9 @@ on: name: build +permissions: + contents: read + jobs: phpunit: uses: yiisoft/actions/.github/workflows/phpunit.yml@master diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml index 863e5fc..02f73a8 100644 --- a/.github/workflows/composer-require-checker.yml +++ b/.github/workflows/composer-require-checker.yml @@ -23,6 +23,9 @@ on: name: Composer require checker +permissions: + contents: read + jobs: composer-require-checker: uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml index c1aca98..8f193f6 100644 --- a/.github/workflows/mutation.yml +++ b/.github/workflows/mutation.yml @@ -19,6 +19,9 @@ on: name: mutation test +permissions: + contents: read + jobs: mutation: uses: yiisoft/actions/.github/workflows/roave-infection.yml@master diff --git a/.github/workflows/rector.yml b/.github/workflows/rector.yml index b5a5649..5fd2d0a 100644 --- a/.github/workflows/rector.yml +++ b/.github/workflows/rector.yml @@ -11,11 +11,12 @@ on: name: rector +permissions: + contents: read + jobs: rector: uses: yiisoft/actions/.github/workflows/rector.yml@master - secrets: - token: ${{ secrets.YIISOFT_GITHUB_TOKEN }} with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index b7d3200..14c06a2 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -21,6 +21,9 @@ on: name: static analysis +permissions: + contents: read + jobs: psalm: uses: yiisoft/actions/.github/workflows/psalm.yml@master diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..430255d --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,22 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: + - master + - main + paths: + - '.github/**.yml' + - '.github/**.yaml' + pull_request: + paths: + - '.github/**.yml' + - '.github/**.yaml' + +permissions: + actions: read # Required by zizmor when reading workflow metadata through the API. + contents: read # Required to read workflow files. + +jobs: + zizmor: + uses: yiisoft/actions/.github/workflows/zizmor.yml@master