diff --git a/.github/dependabot.yml b/.github/dependabot.yml index db86156..10f7e30 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,13 +4,17 @@ updates: - package-ecosystem: "github-actions" directory: "/" schedule: - interval: "daily" - # Too noisy. See https://github.community/t/increase-if-necessary-for-github-actions-in-dependabot/179581 - open-pull-requests-limit: 0 + interval: "weekly" + cooldown: + default-days: 7 + ignore: + - dependency-name: "yiisoft/*" # Maintain dependencies for Composer - package-ecosystem: "composer" directory: "/" schedule: interval: "daily" + cooldown: + default-days: 7 versioning-strategy: increase-if-necessary diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml index 53f95bf..1fb84f8 100644 --- a/.github/workflows/bc.yml +++ b/.github/workflows/bc.yml @@ -3,13 +3,18 @@ on: push: name: backwards compatibility + +permissions: + contents: read jobs: roave_bc_check: name: Roave BC Check runs-on: ubuntu-latest steps: - - uses: actions/checkout@master + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 + with: + persist-credentials: false - name: fetch tags run: git fetch --depth=1 origin +refs/tags/*:refs/tags/* - name: Roave BC Check - uses: docker://nyholm/roave-bc-check-ga + uses: docker://nyholm/roave-bc-check-ga@sha256:a9d3d932a4d3ba6a5a0563ef3788918a538198ee9c061a153f9b55caa8d3625f diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index da97b58..40a3f06 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -21,6 +21,9 @@ on: name: build +permissions: + contents: read + jobs: tests: name: PHP ${{ matrix.php }}-pgsql-${{ matrix.pgsql }} @@ -61,10 +64,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 + with: + persist-credentials: false - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 with: php-version: ${{ matrix.php }} extensions: ${{ env.extensions }} @@ -77,7 +82,7 @@ jobs: run: echo "COMPOSER_CACHE_DIR=$(composer config cache-dir)" >> $GITHUB_ENV - name: Cache dependencies installed with composer - uses: actions/cache@v2 + uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace with: path: ${{ env.COMPOSER_CACHE_DIR }} key: php${{ matrix.php }}-composer-${{ hashFiles('**/composer.json') }} diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml index 08736d8..90942cb 100644 --- a/.github/workflows/mutation.yml +++ b/.github/workflows/mutation.yml @@ -19,6 +19,9 @@ on: name: mutation test +permissions: + contents: read + jobs: mutation: name: PHP ${{ matrix.php }}-${{ matrix.os }} @@ -49,10 +52,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 + with: + persist-credentials: false - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 with: php-version: ${{ matrix.php }} extensions: ${{ env.extensions }} @@ -64,7 +69,7 @@ jobs: run: echo "COMPOSER_CACHE_DIR=$(composer config cache-dir)" >> $GITHUB_ENV - name: Cache dependencies installed with composer - uses: actions/cache@v2 + uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace with: path: ${{ env.COMPOSER_CACHE_DIR }} key: php${{ matrix.php }}-composer-${{ hashFiles('**/composer.json') }} diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index 1a70e3d..3403e73 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -21,6 +21,9 @@ on: name: static analysis +permissions: + contents: read + jobs: mutation: name: PHP ${{ matrix.php }}-${{ matrix.os }} @@ -42,10 +45,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 + with: + persist-credentials: false - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 with: php-version: ${{ matrix.php }} extensions: ${{ env.extensions }} @@ -56,7 +61,7 @@ jobs: run: echo "COMPOSER_CACHE_DIR=$(composer config cache-dir)" >> $GITHUB_ENV - name: Cache dependencies installed with composer - uses: actions/cache@v2 + uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace with: path: ${{ env.COMPOSER_CACHE_DIR }} key: php${{ matrix.php }}-composer-${{ hashFiles('**/composer.json') }} diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..430255d --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,22 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: + - master + - main + paths: + - '.github/**.yml' + - '.github/**.yaml' + pull_request: + paths: + - '.github/**.yml' + - '.github/**.yaml' + +permissions: + actions: read # Required by zizmor when reading workflow metadata through the API. + contents: read # Required to read workflow files. + +jobs: + zizmor: + uses: yiisoft/actions/.github/workflows/zizmor.yml@master