From bd0265c182100eae06e2270679ed2586aac9adf9 Mon Sep 17 00:00:00 2001
From: Alexander Makarov <sam@rmcreative.ru>
Date: Thu, 18 Jun 2026 23:49:41 +0300
Subject: [PATCH 1/5] Harden GitHub workflows

---
 .github/workflows/bc.yml                       | 5 ++++-
 .github/workflows/build.yml                    | 5 ++++-
 .github/workflows/composer-require-checker.yml | 5 ++++-
 .github/workflows/mutation.yml                 | 5 ++++-
 .github/workflows/rector-cs.yml                | 4 ++--
 .github/workflows/static.yml                   | 5 ++++-
 6 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml
index 5970206c..1f3d4719 100644
--- a/.github/workflows/bc.yml
+++ b/.github/workflows/bc.yml
@@ -13,9 +13,12 @@ on:
 
 name: backwards compatibility
 
+permissions:
+  contents: read
+
 jobs:
   roave_bc_check:
-    uses: yiisoft/actions/.github/workflows/bc.yml@master
+    uses: yiisoft/actions/.github/workflows/bc.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
     with:
       os: >-
         ['ubuntu-latest']
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 19b694df..6f63ac13 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,9 +22,12 @@ on:
 
 name: build
 
+permissions:
+  contents: read
+
 jobs:
   phpunit:
-    uses: yiisoft/actions/.github/workflows/phpunit.yml@master
+    uses: yiisoft/actions/.github/workflows/phpunit.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
     with:
       os: >-
         ['ubuntu-latest', 'windows-latest']
diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml
index d2ef508b..28470512 100644
--- a/.github/workflows/composer-require-checker.yml
+++ b/.github/workflows/composer-require-checker.yml
@@ -24,9 +24,12 @@ on:
 
 name: Composer require checker
 
+permissions:
+  contents: read
+
 jobs:
   composer-require-checker:
-    uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master
+    uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
     with:
       os: >-
         ['ubuntu-latest']
diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml
index 66770946..77bf21f1 100644
--- a/.github/workflows/mutation.yml
+++ b/.github/workflows/mutation.yml
@@ -20,9 +20,12 @@ on:
 
 name: mutation test
 
+permissions:
+  contents: read
+
 jobs:
   mutation:
-    uses: yiisoft/actions/.github/workflows/infection.yml@master
+    uses: yiisoft/actions/.github/workflows/infection.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
     with:
       os: >-
         ['ubuntu-latest']
diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml
index 6424c2aa..0ba021fc 100644
--- a/.github/workflows/rector-cs.yml
+++ b/.github/workflows/rector-cs.yml
@@ -1,7 +1,7 @@
 name: Rector + PHP CS Fixer
 
 on:
-  pull_request_target:
+  pull_request:
     paths:
       - 'src/**'
       - 'tests/**'
@@ -19,7 +19,7 @@ concurrency:
 
 jobs:
   rector:
-    uses: yiisoft/actions/.github/workflows/rector-cs.yml@master
+    uses: yiisoft/actions/.github/workflows/rector-cs.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
     secrets:
       token: ${{ secrets.YIISOFT_GITHUB_TOKEN }}
     with:
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index d03874dc..5af69000 100644
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
@@ -22,9 +22,12 @@ on:
 
 name: static analysis
 
+permissions:
+  contents: read
+
 jobs:
   psalm:
-    uses: yiisoft/actions/.github/workflows/psalm.yml@master
+    uses: yiisoft/actions/.github/workflows/psalm.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
     with:
       os: >-
         ['ubuntu-latest']

From 39ad96fe2f447505db15a2abd9bfad5a3b6d91bd Mon Sep 17 00:00:00 2001
From: Alexander Makarov <sam@rmcreative.ru>
Date: Fri, 19 Jun 2026 12:45:37 +0300
Subject: [PATCH 2/5] Remove Rector pull_request_target inputs

---
 .github/workflows/rector-cs.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml
index 0ba021fc..7f02bf01 100644
--- a/.github/workflows/rector-cs.yml
+++ b/.github/workflows/rector-cs.yml
@@ -20,8 +20,5 @@ concurrency:
 jobs:
   rector:
     uses: yiisoft/actions/.github/workflows/rector-cs.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
-    secrets:
-      token: ${{ secrets.YIISOFT_GITHUB_TOKEN }}
     with:
-      repository: ${{ github.event.pull_request.head.repo.full_name }}
       php: '8.1'

From 824e15ea3848ca93b0ed8b513334cb6420f99ac8 Mon Sep 17 00:00:00 2001
From: Alexander Makarov <sam@rmcreative.ru>
Date: Sat, 20 Jun 2026 11:42:59 +0300
Subject: [PATCH 3/5] Use master for yiisoft actions

---
 .github/workflows/bc.yml                       | 2 +-
 .github/workflows/build.yml                    | 2 +-
 .github/workflows/composer-require-checker.yml | 2 +-
 .github/workflows/mutation.yml                 | 2 +-
 .github/workflows/rector-cs.yml                | 2 +-
 .github/workflows/static.yml                   | 2 +-
 .github/zizmor.yml                             | 5 +++++
 7 files changed, 11 insertions(+), 6 deletions(-)
 create mode 100644 .github/zizmor.yml

diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml
index 1f3d4719..49e555a8 100644
--- a/.github/workflows/bc.yml
+++ b/.github/workflows/bc.yml
@@ -18,7 +18,7 @@ permissions:
 
 jobs:
   roave_bc_check:
-    uses: yiisoft/actions/.github/workflows/bc.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+    uses: yiisoft/actions/.github/workflows/bc.yml@master
     with:
       os: >-
         ['ubuntu-latest']
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6f63ac13..35abbaee 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -27,7 +27,7 @@ permissions:
 
 jobs:
   phpunit:
-    uses: yiisoft/actions/.github/workflows/phpunit.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+    uses: yiisoft/actions/.github/workflows/phpunit.yml@master
     with:
       os: >-
         ['ubuntu-latest', 'windows-latest']
diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml
index 28470512..1a56fef6 100644
--- a/.github/workflows/composer-require-checker.yml
+++ b/.github/workflows/composer-require-checker.yml
@@ -29,7 +29,7 @@ permissions:
 
 jobs:
   composer-require-checker:
-    uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+    uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master
     with:
       os: >-
         ['ubuntu-latest']
diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml
index 77bf21f1..257b4a06 100644
--- a/.github/workflows/mutation.yml
+++ b/.github/workflows/mutation.yml
@@ -25,7 +25,7 @@ permissions:
 
 jobs:
   mutation:
-    uses: yiisoft/actions/.github/workflows/infection.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+    uses: yiisoft/actions/.github/workflows/infection.yml@master
     with:
       os: >-
         ['ubuntu-latest']
diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml
index 7f02bf01..d4003af5 100644
--- a/.github/workflows/rector-cs.yml
+++ b/.github/workflows/rector-cs.yml
@@ -19,6 +19,6 @@ concurrency:
 
 jobs:
   rector:
-    uses: yiisoft/actions/.github/workflows/rector-cs.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+    uses: yiisoft/actions/.github/workflows/rector-cs.yml@master
     with:
       php: '8.1'
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index 5af69000..cab57750 100644
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
@@ -27,7 +27,7 @@ permissions:
 
 jobs:
   psalm:
-    uses: yiisoft/actions/.github/workflows/psalm.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+    uses: yiisoft/actions/.github/workflows/psalm.yml@master
     with:
       os: >-
         ['ubuntu-latest']
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 00000000..85ca7982
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        "yiisoft/*": any

From c91bb86b1e777a230bb83cc8538af28fe0e4fbd7 Mon Sep 17 00:00:00 2001
From: Alexander Makarov <sam@rmcreative.ru>
Date: Sat, 20 Jun 2026 12:12:35 +0300
Subject: [PATCH 4/5] Use master for yiisoft actions

---
 .github/dependabot.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index db86156d..7da1f95c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,6 +9,8 @@ updates:
     open-pull-requests-limit: 0
 
   # Maintain dependencies for Composer
+    ignore:
+      - dependency-name: "yiisoft/*"
   - package-ecosystem: "composer"
     directory: "/"
     schedule:

From e454c452a1183e7c0611b669873abe234ccc6618 Mon Sep 17 00:00:00 2001
From: Alexander Makarov <sam@rmcreative.ru>
Date: Sun, 21 Jun 2026 15:21:11 +0300
Subject: [PATCH 5/5] Remove redundant zizmor config

---
 .github/zizmor.yml | 5 -----
 1 file changed, 5 deletions(-)
 delete mode 100644 .github/zizmor.yml

diff --git a/.github/zizmor.yml b/.github/zizmor.yml
deleted file mode 100644
index 85ca7982..00000000
--- a/.github/zizmor.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-rules:
-  unpinned-uses:
-    config:
-      policies:
-        "yiisoft/*": any