From 74d112514471155cc295f609a84bcc1c2b5f15d6 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 3 Jul 2026 00:08:17 +0300 Subject: [PATCH 1/4] Use shared zizmor workflow --- .github/dependabot.yml | 12 ++-------- .github/workflows/bechmark.yml | 18 ++++++++++----- .github/workflows/build.yml | 6 ++++- .../workflows/composer-require-checker.yml | 2 ++ .github/workflows/mutation.yml | 10 ++++++--- .github/workflows/rector.yml | 7 +++--- .github/workflows/static.yml | 2 ++ .github/workflows/zizmor.yml | 22 +++++++++++++++++++ 8 files changed, 56 insertions(+), 23 deletions(-) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 64c8667..5fd269d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,10 +7,6 @@ updates: interval: "weekly" cooldown: default-days: 7 - groups: - github-actions: - patterns: - - "*" ignore: - dependency-name: "yiisoft/*" @@ -18,11 +14,7 @@ updates: - package-ecosystem: "composer" directory: "/" schedule: - interval: "daily" + interval: "daily" + versioning-strategy: increase-if-necessary cooldown: default-days: 7 - groups: - composer-dependencies: - patterns: - - "*" - versioning-strategy: increase-if-necessary diff --git a/.github/workflows/bechmark.yml b/.github/workflows/bechmark.yml index 3e4b5fd..01ad5f2 100644 --- a/.github/workflows/bechmark.yml +++ b/.github/workflows/bechmark.yml @@ -24,6 +24,8 @@ on: name: bechmark +permissions: + contents: read jobs: phpbench: name: PHP ${{ matrix.php }} @@ -39,21 +41,26 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 + with: + persist-credentials: false - name: Check if we need to create a baseline for a PR run: | - if [[ "${{ github.event_name }}" == "pull_request" && "${{ github.ref }}" != "refs/heads/${{ github.event.repository.default_branch }}" ]]; then + if [[ "${{ github.event_name }}" == "pull_request" && "${GITHUB_REF}" != "refs/heads/${GITHUB_EVENT_REPOSITORY_DEFAULT_BRANCH}" ]]; then echo "WITH_BENCH_BASELINE=1" >> $GITHUB_ENV else echo "WITH_BENCH_BASELINE=0" >> $GITHUB_ENV fi + env: + GITHUB_EVENT_REPOSITORY_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} - name: "Baseline creation: Checkout default branch." - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 if: ${{ env.WITH_BENCH_BASELINE == '1' }} with: ref: ${{ github.event.repository.default_branch }} + persist-credentials: false - name: Build if: ${{ env.WITH_BENCH_BASELINE == '1' }} @@ -72,11 +79,12 @@ jobs: run: echo "WITH_BENCH_BASELINE=0" >> $GITHUB_ENV - name: "Pull request: Checkout head." - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 if: ${{ github.event_name == 'pull_request' }} with: ref: ${{ github.event.pull_request.head.sha }} clean: false + persist-credentials: false - name: "Pull request: Build" if: ${{ github.event_name == 'pull_request' }} @@ -86,7 +94,7 @@ jobs: - name: "Run PhpBench." working-directory: ./tests run: | - if [ "${{ env.WITH_BENCH_BASELINE }}" == '1' ]; then + if [ "${WITH_BENCH_BASELINE}" == '1' ]; then docker compose run --rm -e XDEBUG_MODE=off php${{ matrix.php }} php vendor/bin/phpbench run --report='aggregate' --ref=default --assert="mode(variant.time.avg) <= mode(baseline.time.avg) +/- 10%" > phpbench.log else docker compose run --rm -e XDEBUG_MODE=off php${{ matrix.php }} php vendor/bin/phpbench run --report='aggregate' > phpbench.log diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c0234dd..b5c3396 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -22,6 +22,8 @@ on: name: build +permissions: + contents: read jobs: phpunit: name: PHP ${{ matrix.php }} @@ -32,7 +34,9 @@ jobs: php: [ 81, 82, 83, 84 ] steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 + with: + persist-credentials: false - name: Build working-directory: ./tests run: docker compose build diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml index 857295f..05fafe5 100644 --- a/.github/workflows/composer-require-checker.yml +++ b/.github/workflows/composer-require-checker.yml @@ -24,6 +24,8 @@ on: name: Composer require checker +permissions: + contents: read jobs: composer-require-checker: uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml index 2f41299..03b474f 100644 --- a/.github/workflows/mutation.yml +++ b/.github/workflows/mutation.yml @@ -22,6 +22,8 @@ on: name: Mutation test +permissions: + contents: read jobs: mutation: name: PHP ${{ matrix.php }}-${{ matrix.os }} @@ -33,7 +35,7 @@ jobs: services: rabbitmq: - image: rabbitmq:3.8 + image: rabbitmq:3.8 # zizmor: ignore[unpinned-images] env: RABBITMQ_DEFAULT_USER: guest RABBITMQ_DEFAULT_PASS: guest @@ -42,10 +44,12 @@ jobs: steps: - name: Checkout. - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + with: + persist-credentials: false - name: Install PHP with extensions. - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 with: php-version: ${{ matrix.php }} ini-values: memory_limit=-1 diff --git a/.github/workflows/rector.yml b/.github/workflows/rector.yml index 5d6931d..ebc6d37 100644 --- a/.github/workflows/rector.yml +++ b/.github/workflows/rector.yml @@ -1,5 +1,5 @@ on: - pull_request_target: + pull_request: paths-ignore: - 'docs/**' - 'README.md' @@ -11,13 +11,12 @@ on: name: rector +permissions: + contents: read jobs: rector: uses: yiisoft/actions/.github/workflows/rector.yml@master - secrets: - token: ${{ secrets.YIISOFT_GITHUB_TOKEN }} with: - repository: ${{ github.event.pull_request.head.repo.full_name }} os: >- ['ubuntu-latest'] php: >- diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index b56464d..c0b8262 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -22,6 +22,8 @@ on: name: static analysis +permissions: + contents: read jobs: psalm: uses: yiisoft/actions/.github/workflows/psalm.yml@master diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..430255d --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,22 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: + - master + - main + paths: + - '.github/**.yml' + - '.github/**.yaml' + pull_request: + paths: + - '.github/**.yml' + - '.github/**.yaml' + +permissions: + actions: read # Required by zizmor when reading workflow metadata through the API. + contents: read # Required to read workflow files. + +jobs: + zizmor: + uses: yiisoft/actions/.github/workflows/zizmor.yml@master From b204281e917e1ba9f5e242603b469291e4e3be74 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Mon, 6 Jul 2026 21:23:18 +0300 Subject: [PATCH 2/4] Restore dependabot configuration --- .github/dependabot.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 5fd269d..64c8667 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,6 +7,10 @@ updates: interval: "weekly" cooldown: default-days: 7 + groups: + github-actions: + patterns: + - "*" ignore: - dependency-name: "yiisoft/*" @@ -14,7 +18,11 @@ updates: - package-ecosystem: "composer" directory: "/" schedule: - interval: "daily" - versioning-strategy: increase-if-necessary + interval: "daily" cooldown: default-days: 7 + groups: + composer-dependencies: + patterns: + - "*" + versioning-strategy: increase-if-necessary From 8403f3ec9ae91f1707c1fc84c49427b1a3b37b2e Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Mon, 6 Jul 2026 22:06:08 +0300 Subject: [PATCH 3/4] Fix workflow zizmor findings --- .github/workflows/composer-require-checker.yml | 2 +- .github/workflows/rector.yml | 2 +- .github/workflows/static.yml | 2 +- .github/workflows/zizmor.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml index 05fafe5..63e862e 100644 --- a/.github/workflows/composer-require-checker.yml +++ b/.github/workflows/composer-require-checker.yml @@ -28,7 +28,7 @@ permissions: contents: read jobs: composer-require-checker: - uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master + uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master # zizmor: ignore[unpinned-uses] with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/rector.yml b/.github/workflows/rector.yml index ebc6d37..4d58c89 100644 --- a/.github/workflows/rector.yml +++ b/.github/workflows/rector.yml @@ -15,7 +15,7 @@ permissions: contents: read jobs: rector: - uses: yiisoft/actions/.github/workflows/rector.yml@master + uses: yiisoft/actions/.github/workflows/rector.yml@master # zizmor: ignore[unpinned-uses] with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index c0b8262..730ca47 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -26,7 +26,7 @@ permissions: contents: read jobs: psalm: - uses: yiisoft/actions/.github/workflows/psalm.yml@master + uses: yiisoft/actions/.github/workflows/psalm.yml@master # zizmor: ignore[unpinned-uses] with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 430255d..a98fdfe 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -19,4 +19,4 @@ permissions: jobs: zizmor: - uses: yiisoft/actions/.github/workflows/zizmor.yml@master + uses: yiisoft/actions/.github/workflows/zizmor.yml@master # zizmor: ignore[unpinned-uses] From fa403309639277c1405d978f06cc9ab526961e86 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Mon, 6 Jul 2026 22:19:59 +0300 Subject: [PATCH 4/4] Clean up shared action workflow references --- .github/workflows/composer-require-checker.yml | 2 +- .github/workflows/rector.yml | 2 +- .github/workflows/static.yml | 2 +- .github/workflows/zizmor.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml index 63e862e..05fafe5 100644 --- a/.github/workflows/composer-require-checker.yml +++ b/.github/workflows/composer-require-checker.yml @@ -28,7 +28,7 @@ permissions: contents: read jobs: composer-require-checker: - uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master # zizmor: ignore[unpinned-uses] + uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/rector.yml b/.github/workflows/rector.yml index 4d58c89..ebc6d37 100644 --- a/.github/workflows/rector.yml +++ b/.github/workflows/rector.yml @@ -15,7 +15,7 @@ permissions: contents: read jobs: rector: - uses: yiisoft/actions/.github/workflows/rector.yml@master # zizmor: ignore[unpinned-uses] + uses: yiisoft/actions/.github/workflows/rector.yml@master with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index 730ca47..c0b8262 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -26,7 +26,7 @@ permissions: contents: read jobs: psalm: - uses: yiisoft/actions/.github/workflows/psalm.yml@master # zizmor: ignore[unpinned-uses] + uses: yiisoft/actions/.github/workflows/psalm.yml@master with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index a98fdfe..430255d 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -19,4 +19,4 @@ permissions: jobs: zizmor: - uses: yiisoft/actions/.github/workflows/zizmor.yml@master # zizmor: ignore[unpinned-uses] + uses: yiisoft/actions/.github/workflows/zizmor.yml@master