diff --git a/.github/dependabot.yml b/.github/dependabot.yml index db86156d..10f7e30b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,13 +4,17 @@ updates: - package-ecosystem: "github-actions" directory: "/" schedule: - interval: "daily" - # Too noisy. See https://github.community/t/increase-if-necessary-for-github-actions-in-dependabot/179581 - open-pull-requests-limit: 0 + interval: "weekly" + cooldown: + default-days: 7 + ignore: + - dependency-name: "yiisoft/*" # Maintain dependencies for Composer - package-ecosystem: "composer" directory: "/" schedule: interval: "daily" + cooldown: + default-days: 7 versioning-strategy: increase-if-necessary diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml index 4b1d0ed9..7d57ef47 100644 --- a/.github/workflows/bc.yml +++ b/.github/workflows/bc.yml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: paths-ignore: diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml index 06360277..08db924b 100644 --- a/.github/workflows/bench.yml +++ b/.github/workflows/bench.yml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: paths-ignore: diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6454b92e..19ebb294 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: paths-ignore: @@ -25,6 +28,8 @@ name: build jobs: phpunit: uses: yiisoft/actions/.github/workflows/phpunit.yml@master + secrets: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: extensions: intl,fileinfo coverage: xdebug @@ -34,6 +39,8 @@ jobs: ['8.1', '8.2', '8.3', '8.4', '8.5'] phpunit-without-intl: uses: yiisoft/actions/.github/workflows/phpunit.yml@master + secrets: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: phpunitConfig: phpunit-without-intl.xml extensions: :intl diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml index 3796ad59..156287ce 100644 --- a/.github/workflows/composer-require-checker.yml +++ b/.github/workflows/composer-require-checker.yml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: paths-ignore: diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 9851b9db..60bf9069 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -16,6 +16,10 @@ on: permissions: contents: read +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: check-docs: name: Check docs @@ -42,7 +46,7 @@ jobs: name: Update docs if: github.event_name == 'push' permissions: - contents: write + contents: write # Required to push generated docs translation updates. runs-on: ubuntu-latest steps: - name: Checkout diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml index 57ecb471..ce6170ad 100644 --- a/.github/workflows/mutation.yml +++ b/.github/workflows/mutation.yml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: paths-ignore: diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml index 69a1310c..dae5dca8 100644 --- a/.github/workflows/rector-cs.yml +++ b/.github/workflows/rector-cs.yml @@ -1,7 +1,7 @@ name: Rector + PHP CS Fixer on: - pull_request_target: + pull_request: paths-ignore: - 'docs/**' - 'README.md' @@ -21,8 +21,7 @@ concurrency: jobs: rector: uses: yiisoft/actions/.github/workflows/rector-cs.yml@master - secrets: - token: ${{ secrets.YIISOFT_GITHUB_TOKEN }} + permissions: + contents: write # Required by the reusable workflow to push Rector and PHP CS Fixer changes. with: - repository: ${{ github.event.pull_request.head.repo.full_name }} php: '8.1' diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index b56464d6..09dc6d45 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -1,3 +1,6 @@ +permissions: + contents: read + on: pull_request: paths-ignore: diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..430255de --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,22 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: + - master + - main + paths: + - '.github/**.yml' + - '.github/**.yaml' + pull_request: + paths: + - '.github/**.yml' + - '.github/**.yaml' + +permissions: + actions: read # Required by zizmor when reading workflow metadata through the API. + contents: read # Required to read workflow files. + +jobs: + zizmor: + uses: yiisoft/actions/.github/workflows/zizmor.yml@master