From cc3a621389cc93f845318636d210fe85decab31e Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 00:29:38 +0300 Subject: [PATCH 01/13] Harden GitHub workflows --- .github/workflows/bc.yml | 9 +++++++-- .github/workflows/build.yml | 11 ++++++++--- .github/workflows/mutation.yml | 11 ++++++++--- .github/workflows/static.yml | 11 ++++++++--- 4 files changed, 31 insertions(+), 11 deletions(-) diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml index 53f95bf..1fb84f8 100644 --- a/.github/workflows/bc.yml +++ b/.github/workflows/bc.yml @@ -3,13 +3,18 @@ on: push: name: backwards compatibility + +permissions: + contents: read jobs: roave_bc_check: name: Roave BC Check runs-on: ubuntu-latest steps: - - uses: actions/checkout@master + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 + with: + persist-credentials: false - name: fetch tags run: git fetch --depth=1 origin +refs/tags/*:refs/tags/* - name: Roave BC Check - uses: docker://nyholm/roave-bc-check-ga + uses: docker://nyholm/roave-bc-check-ga@sha256:a9d3d932a4d3ba6a5a0563ef3788918a538198ee9c061a153f9b55caa8d3625f diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index da97b58..40a3f06 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -21,6 +21,9 @@ on: name: build +permissions: + contents: read + jobs: tests: name: PHP ${{ matrix.php }}-pgsql-${{ matrix.pgsql }} @@ -61,10 +64,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 + with: + persist-credentials: false - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 with: php-version: ${{ matrix.php }} extensions: ${{ env.extensions }} @@ -77,7 +82,7 @@ jobs: run: echo "COMPOSER_CACHE_DIR=$(composer config cache-dir)" >> $GITHUB_ENV - name: Cache dependencies installed with composer - uses: actions/cache@v2 + uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace with: path: ${{ env.COMPOSER_CACHE_DIR }} key: php${{ matrix.php }}-composer-${{ hashFiles('**/composer.json') }} diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml index 08736d8..90942cb 100644 --- a/.github/workflows/mutation.yml +++ b/.github/workflows/mutation.yml @@ -19,6 +19,9 @@ on: name: mutation test +permissions: + contents: read + jobs: mutation: name: PHP ${{ matrix.php }}-${{ matrix.os }} @@ -49,10 +52,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 + with: + persist-credentials: false - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 with: php-version: ${{ matrix.php }} extensions: ${{ env.extensions }} @@ -64,7 +69,7 @@ jobs: run: echo "COMPOSER_CACHE_DIR=$(composer config cache-dir)" >> $GITHUB_ENV - name: Cache dependencies installed with composer - uses: actions/cache@v2 + uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace with: path: ${{ env.COMPOSER_CACHE_DIR }} key: php${{ matrix.php }}-composer-${{ hashFiles('**/composer.json') }} diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index 1a70e3d..3403e73 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -21,6 +21,9 @@ on: name: static analysis +permissions: + contents: read + jobs: mutation: name: PHP ${{ matrix.php }}-${{ matrix.os }} @@ -42,10 +45,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 + with: + persist-credentials: false - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 with: php-version: ${{ matrix.php }} extensions: ${{ env.extensions }} @@ -56,7 +61,7 @@ jobs: run: echo "COMPOSER_CACHE_DIR=$(composer config cache-dir)" >> $GITHUB_ENV - name: Cache dependencies installed with composer - uses: actions/cache@v2 + uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace with: path: ${{ env.COMPOSER_CACHE_DIR }} key: php${{ matrix.php }}-composer-${{ hashFiles('**/composer.json') }} From 6d97056c728811f14eea8a3851986bd8dcf7fdcd Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 02:09:59 +0300 Subject: [PATCH 02/13] Add zizmorify configuration --- .github/dependabot.yml | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index db86156..6cc0071 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,16 +1,8 @@ version: 2 updates: - # Maintain dependencies for GitHub Actions. - package-ecosystem: "github-actions" directory: "/" schedule: - interval: "daily" - # Too noisy. See https://github.community/t/increase-if-necessary-for-github-actions-in-dependabot/179581 - open-pull-requests-limit: 0 - - # Maintain dependencies for Composer - - package-ecosystem: "composer" - directory: "/" - schedule: - interval: "daily" - versioning-strategy: increase-if-necessary + interval: "weekly" + cooldown: + default-days: 7 From 12ca3e7d2dd8f5ecac167b24eaff4196ad455e96 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 02:33:29 +0300 Subject: [PATCH 03/13] Add zizmorify workflow --- .github/workflows/zizmor.yml | 37 ++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..e9b7e06 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,37 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: + - main + paths: + - '.github/**.yml' + - '.github/**.yaml' + pull_request: + paths: + - '.github/**.yml' + - '.github/**.yaml' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + zizmor: + name: Run zizmor 🌈 + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + advanced-security: false + annotations: true + persona: 'pedantic' From 0fa77944d63e323bcf15b12f172a1eeb6860d02f Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 12:02:26 +0300 Subject: [PATCH 04/13] Restore Dependabot non-GitHub-Actions updates --- .github/dependabot.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 6cc0071..b185d42 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,5 +1,11 @@ version: 2 updates: + # Maintain dependencies for GitHub Actions. + - package-ecosystem: "composer" + directory: "/" + schedule: + interval: "daily" + versioning-strategy: increase-if-necessary - package-ecosystem: "github-actions" directory: "/" schedule: From 89da8ad50393d79a560880f8a14e341823a1e18c Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 12:11:08 +0300 Subject: [PATCH 05/13] Restore Dependabot non-GitHub-Actions updates --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index b185d42..988aa61 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,6 +1,8 @@ version: 2 updates: # Maintain dependencies for GitHub Actions. + + # Maintain dependencies for Composer - package-ecosystem: "composer" directory: "/" schedule: From 541908ed6472796b783925be5a62f5826899ca87 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 12:18:06 +0300 Subject: [PATCH 06/13] Restore Dependabot non-GitHub-Actions updates --- .github/dependabot.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 988aa61..41b2db6 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,6 +1,5 @@ version: 2 updates: - # Maintain dependencies for GitHub Actions. # Maintain dependencies for Composer - package-ecosystem: "composer" From 7bf2918691936d2d520f9e3cadc08f258401b890 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 12:25:20 +0300 Subject: [PATCH 07/13] Restore Dependabot non-GitHub-Actions updates --- .github/dependabot.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 41b2db6..0088948 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,6 +1,5 @@ version: 2 updates: - # Maintain dependencies for Composer - package-ecosystem: "composer" directory: "/" From 05e30166710b561502c52847e17edf46d33dafee Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sat, 20 Jun 2026 11:40:08 +0300 Subject: [PATCH 08/13] Use master for yiisoft actions --- .github/zizmor.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..85ca798 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,5 @@ +rules: + unpinned-uses: + config: + policies: + "yiisoft/*": any From 2f7691595cd3a2a5de1b7a51c6bb95372df60bc1 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sat, 20 Jun 2026 11:40:13 +0300 Subject: [PATCH 09/13] Use master for yiisoft actions --- .github/zizmor.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..85ca798 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,5 @@ +rules: + unpinned-uses: + config: + policies: + "yiisoft/*": any From 254d7e13ee9e8a489e7b3bd2a03845c3fac26a70 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sat, 20 Jun 2026 12:09:44 +0300 Subject: [PATCH 10/13] Use master for yiisoft actions --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index db86156..7da1f95 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,6 +9,8 @@ updates: open-pull-requests-limit: 0 # Maintain dependencies for Composer + ignore: + - dependency-name: "yiisoft/*" - package-ecosystem: "composer" directory: "/" schedule: From d2dde9dcde073c6153375cbb8d33fb3c6e692a55 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sat, 20 Jun 2026 12:09:49 +0300 Subject: [PATCH 11/13] Use master for yiisoft actions --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 0088948..0510f85 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -12,3 +12,5 @@ updates: interval: "weekly" cooldown: default-days: 7 + ignore: + - dependency-name: "yiisoft/*" From 94c24bd0b733bae93996de2b89d1128b3d63ecbb Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sun, 21 Jun 2026 15:11:13 +0300 Subject: [PATCH 12/13] Remove redundant zizmor config --- .github/zizmor.yml | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml deleted file mode 100644 index 85ca798..0000000 --- a/.github/zizmor.yml +++ /dev/null @@ -1,5 +0,0 @@ -rules: - unpinned-uses: - config: - policies: - "yiisoft/*": any From 5d63ebcea182b0379c2df2c65d3b7c649943cc59 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Thu, 25 Jun 2026 00:47:06 +0300 Subject: [PATCH 13/13] Fix zizmor workflow findings --- .github/dependabot.yml | 2 ++ .github/workflows/zizmor.yml | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index a47ec9b..10f7e30 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -15,4 +15,6 @@ updates: directory: "/" schedule: interval: "daily" + cooldown: + default-days: 7 versioning-strategy: increase-if-necessary diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 9465846..430255d 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -14,8 +14,8 @@ on: - '.github/**.yaml' permissions: - actions: read - contents: read + actions: read # Required by zizmor when reading workflow metadata through the API. + contents: read # Required to read workflow files. jobs: zizmor: