From 911cd7b7da0a962096fea0f8ce6ff438249786f0 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Thu, 18 Jun 2026 23:48:03 +0300 Subject: [PATCH 01/14] Harden GitHub workflows --- .github/workflows/bc.yml | 5 ++++- .github/workflows/build.yml | 5 ++++- .github/workflows/composer-require-checker.yml | 5 ++++- .github/workflows/mutation.yml | 5 ++++- .github/workflows/rector-cs.yml | 4 ++-- .github/workflows/static.yml | 5 ++++- 6 files changed, 22 insertions(+), 7 deletions(-) diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml index 00041a9..bdfe214 100644 --- a/.github/workflows/bc.yml +++ b/.github/workflows/bc.yml @@ -23,9 +23,12 @@ on: name: backwards compatibility +permissions: + contents: read + jobs: roave_bc_check: - uses: yiisoft/actions/.github/workflows/bc.yml@master + uses: yiisoft/actions/.github/workflows/bc.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1b1e2d8..cfd125c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -22,9 +22,12 @@ on: name: build +permissions: + contents: read + jobs: phpunit: - uses: yiisoft/actions/.github/workflows/phpunit.yml@master + uses: yiisoft/actions/.github/workflows/phpunit.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 secrets: codecovToken: ${{ secrets.CODECOV_TOKEN }} with: diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml index d2ef508..2847051 100644 --- a/.github/workflows/composer-require-checker.yml +++ b/.github/workflows/composer-require-checker.yml @@ -24,9 +24,12 @@ on: name: Composer require checker +permissions: + contents: read + jobs: composer-require-checker: - uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master + uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml index a6873e2..5b6cd84 100644 --- a/.github/workflows/mutation.yml +++ b/.github/workflows/mutation.yml @@ -20,9 +20,12 @@ on: name: mutation test +permissions: + contents: read + jobs: mutation: - uses: yiisoft/actions/.github/workflows/roave-infection.yml@master + uses: yiisoft/actions/.github/workflows/roave-infection.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml index 03b7c75..f32ff2f 100644 --- a/.github/workflows/rector-cs.yml +++ b/.github/workflows/rector-cs.yml @@ -1,7 +1,7 @@ name: Rector + PHP CS Fixer on: - pull_request_target: + pull_request: paths: - 'config/**' - 'src/**' @@ -20,7 +20,7 @@ concurrency: jobs: rector: - uses: yiisoft/actions/.github/workflows/rector-cs.yml@master + uses: yiisoft/actions/.github/workflows/rector-cs.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 secrets: token: ${{ secrets.YIISOFT_GITHUB_TOKEN }} with: diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index d03874d..5af6900 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -22,9 +22,12 @@ on: name: static analysis +permissions: + contents: read + jobs: psalm: - uses: yiisoft/actions/.github/workflows/psalm.yml@master + uses: yiisoft/actions/.github/workflows/psalm.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 with: os: >- ['ubuntu-latest'] From 809b47f35ecb8f3db191f7450a4b447e3dd29532 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 02:13:31 +0300 Subject: [PATCH 02/14] Add zizmorify configuration --- .github/dependabot.yml | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index d7ebdbf..6cc0071 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,16 +1,8 @@ version: 2 updates: - # Maintain dependencies for GitHub Actions. - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "daily" - # Too noisy. See https://github.community/t/increase-if-necessary-for-github-actions-in-dependabot/179581 - open-pull-requests-limit: 0 - - # Maintain dependencies for Composer - - package-ecosystem: "composer" - directory: "/" - schedule: - interval: "daily" - versioning-strategy: increase-if-necessary + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + cooldown: + default-days: 7 From 94defbe4a44361dab11068096d0a9612f04a6c69 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 02:35:36 +0300 Subject: [PATCH 03/14] Add zizmorify workflow --- .github/workflows/zizmor.yml | 37 ++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..e9b7e06 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,37 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: + - main + paths: + - '.github/**.yml' + - '.github/**.yaml' + pull_request: + paths: + - '.github/**.yml' + - '.github/**.yaml' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + zizmor: + name: Run zizmor 🌈 + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + advanced-security: false + annotations: true + persona: 'pedantic' From 3378dbc3af3d523eb7a96a3bdc4d730398e7cbee Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 12:03:52 +0300 Subject: [PATCH 04/14] Restore Dependabot non-GitHub-Actions updates --- .github/dependabot.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 6cc0071..cb0e7a1 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,5 +1,19 @@ version: 2 updates: + # Maintain dependencies for GitHub Actions. + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + # Too noisy. See https://github.community/t/increase-if-necessary-for-github-actions-in-dependabot/179581 + open-pull-requests-limit: 0 + + # Maintain dependencies for Composer + - package-ecosystem: "composer" + directory: "/" + schedule: + interval: "daily" + versioning-strategy: increase-if-necessary - package-ecosystem: "github-actions" directory: "/" schedule: From 80de08cb27629cab40df8186d2825faa2c95d961 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 12:47:04 +0300 Subject: [PATCH 05/14] Remove Rector pull_request_target inputs --- .github/workflows/rector-cs.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml index f32ff2f..5c1fe2e 100644 --- a/.github/workflows/rector-cs.yml +++ b/.github/workflows/rector-cs.yml @@ -21,8 +21,5 @@ concurrency: jobs: rector: uses: yiisoft/actions/.github/workflows/rector-cs.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 - secrets: - token: ${{ secrets.YIISOFT_GITHUB_TOKEN }} with: - repository: ${{ github.event.pull_request.head.repo.full_name }} php: '8.1' From 8b1e32e659ba5e39ccb2ef315b604fae5c34350b Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 12:47:09 +0300 Subject: [PATCH 06/14] Remove Rector pull_request_target inputs --- .github/workflows/rector-cs.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml index 03b7c75..aba0be6 100644 --- a/.github/workflows/rector-cs.yml +++ b/.github/workflows/rector-cs.yml @@ -21,8 +21,5 @@ concurrency: jobs: rector: uses: yiisoft/actions/.github/workflows/rector-cs.yml@master - secrets: - token: ${{ secrets.YIISOFT_GITHUB_TOKEN }} with: - repository: ${{ github.event.pull_request.head.repo.full_name }} php: '8.1' From 13f20d5ed56b92e6eed3deddd3cb41f26523eb98 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sat, 20 Jun 2026 11:44:34 +0300 Subject: [PATCH 07/14] Use master for yiisoft actions --- .github/workflows/bc.yml | 2 +- .github/workflows/build.yml | 2 +- .github/workflows/composer-require-checker.yml | 2 +- .github/workflows/mutation.yml | 2 +- .github/workflows/rector-cs.yml | 2 +- .github/workflows/static.yml | 2 +- .github/zizmor.yml | 5 +++++ 7 files changed, 11 insertions(+), 6 deletions(-) create mode 100644 .github/zizmor.yml diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml index bdfe214..b269391 100644 --- a/.github/workflows/bc.yml +++ b/.github/workflows/bc.yml @@ -28,7 +28,7 @@ permissions: jobs: roave_bc_check: - uses: yiisoft/actions/.github/workflows/bc.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 + uses: yiisoft/actions/.github/workflows/bc.yml@master with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cfd125c..3ba58fe 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -27,7 +27,7 @@ permissions: jobs: phpunit: - uses: yiisoft/actions/.github/workflows/phpunit.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 + uses: yiisoft/actions/.github/workflows/phpunit.yml@master secrets: codecovToken: ${{ secrets.CODECOV_TOKEN }} with: diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml index 2847051..1a56fef 100644 --- a/.github/workflows/composer-require-checker.yml +++ b/.github/workflows/composer-require-checker.yml @@ -29,7 +29,7 @@ permissions: jobs: composer-require-checker: - uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 + uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml index 5b6cd84..4a9d869 100644 --- a/.github/workflows/mutation.yml +++ b/.github/workflows/mutation.yml @@ -25,7 +25,7 @@ permissions: jobs: mutation: - uses: yiisoft/actions/.github/workflows/roave-infection.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 + uses: yiisoft/actions/.github/workflows/roave-infection.yml@master with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml index 5c1fe2e..6307f29 100644 --- a/.github/workflows/rector-cs.yml +++ b/.github/workflows/rector-cs.yml @@ -20,6 +20,6 @@ concurrency: jobs: rector: - uses: yiisoft/actions/.github/workflows/rector-cs.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 + uses: yiisoft/actions/.github/workflows/rector-cs.yml@master with: php: '8.1' diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index 5af6900..cab5775 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -27,7 +27,7 @@ permissions: jobs: psalm: - uses: yiisoft/actions/.github/workflows/psalm.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 + uses: yiisoft/actions/.github/workflows/psalm.yml@master with: os: >- ['ubuntu-latest'] diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..85ca798 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,5 @@ +rules: + unpinned-uses: + config: + policies: + "yiisoft/*": any From 84f8ace7cd7360d9403bb50993d06098365cf783 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sat, 20 Jun 2026 11:44:39 +0300 Subject: [PATCH 08/14] Use master for yiisoft actions --- .github/zizmor.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..85ca798 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,5 @@ +rules: + unpinned-uses: + config: + policies: + "yiisoft/*": any From 634efec8bd623edf91b3f1e0107390b0a9306c07 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sat, 20 Jun 2026 12:14:10 +0300 Subject: [PATCH 09/14] Use master for yiisoft actions --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index d7ebdbf..426dc2b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,6 +9,8 @@ updates: open-pull-requests-limit: 0 # Maintain dependencies for Composer + ignore: + - dependency-name: "yiisoft/*" - package-ecosystem: "composer" directory: "/" schedule: From ec81888fae4838a1c25f12fd565093154987082d Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sat, 20 Jun 2026 12:14:15 +0300 Subject: [PATCH 10/14] Use master for yiisoft actions --- .github/dependabot.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index cb0e7a1..763f708 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,6 +9,8 @@ updates: open-pull-requests-limit: 0 # Maintain dependencies for Composer + ignore: + - dependency-name: "yiisoft/*" - package-ecosystem: "composer" directory: "/" schedule: @@ -20,3 +22,5 @@ updates: interval: "weekly" cooldown: default-days: 7 + ignore: + - dependency-name: "yiisoft/*" From e140c2ed0bda3c7054e2a4668d280a8ab715f983 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sun, 21 Jun 2026 15:21:22 +0300 Subject: [PATCH 11/14] Remove redundant zizmor config --- .github/zizmor.yml | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml deleted file mode 100644 index 85ca798..0000000 --- a/.github/zizmor.yml +++ /dev/null @@ -1,5 +0,0 @@ -rules: - unpinned-uses: - config: - policies: - "yiisoft/*": any From 950d8575c097f2a35f7057217f117cf2073f1322 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Wed, 24 Jun 2026 17:55:03 +0300 Subject: [PATCH 12/14] Normalize Dependabot GitHub Actions updates --- .github/dependabot.yml | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 763f708..01264e0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,6 +1,6 @@ version: 2 updates: - # Maintain dependencies for GitHub Actions. + - package-ecosystem: "github-actions"\n directory: "/"\n schedule:\n interval: "weekly"\n cooldown:\n default-days: 7\n ignore:\n - dependency-name: "yiisoft/*"\n # Maintain dependencies for GitHub Actions. - package-ecosystem: "github-actions" directory: "/" schedule: @@ -9,18 +9,8 @@ updates: open-pull-requests-limit: 0 # Maintain dependencies for Composer - ignore: - - dependency-name: "yiisoft/*" - package-ecosystem: "composer" directory: "/" schedule: interval: "daily" versioning-strategy: increase-if-necessary - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "weekly" - cooldown: - default-days: 7 - ignore: - - dependency-name: "yiisoft/*" From 0e5de0b9eded58ea71c4595877b12946233ef956 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Wed, 24 Jun 2026 22:38:42 +0300 Subject: [PATCH 13/14] Fix Dependabot GitHub Actions updates --- .github/dependabot.yml | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 01264e0..a4c1ef2 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,16 +1,18 @@ version: 2 updates: - - package-ecosystem: "github-actions"\n directory: "/"\n schedule:\n interval: "weekly"\n cooldown:\n default-days: 7\n ignore:\n - dependency-name: "yiisoft/*"\n # Maintain dependencies for GitHub Actions. - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "daily" - # Too noisy. See https://github.community/t/increase-if-necessary-for-github-actions-in-dependabot/179581 - open-pull-requests-limit: 0 + # Maintain dependencies for GitHub Actions. + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + cooldown: + default-days: 7 + ignore: + - dependency-name: "yiisoft/*" - # Maintain dependencies for Composer - - package-ecosystem: "composer" - directory: "/" - schedule: - interval: "daily" - versioning-strategy: increase-if-necessary + # Maintain dependencies for Composer + - package-ecosystem: "composer" + directory: "/" + schedule: + interval: "daily" + versioning-strategy: increase-if-necessary From c2ab55e1472fed6dc38b5d22587a19c811e99d75 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Thu, 25 Jun 2026 00:46:30 +0300 Subject: [PATCH 14/14] Fix zizmor workflow findings --- .github/dependabot.yml | 2 ++ .github/workflows/zizmor.yml | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index a4c1ef2..5fd269d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -16,3 +16,5 @@ updates: schedule: interval: "daily" versioning-strategy: increase-if-necessary + cooldown: + default-days: 7 diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 9465846..430255d 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -14,8 +14,8 @@ on: - '.github/**.yaml' permissions: - actions: read - contents: read + actions: read # Required by zizmor when reading workflow metadata through the API. + contents: read # Required to read workflow files. jobs: zizmor: