diff --git a/.github/actions/watcher/action.yaml b/.github/actions/watcher/action.yaml
index 2025f65c21..55749a5f82 100644
--- a/.github/actions/watcher/action.yaml
+++ b/.github/actions/watcher/action.yaml
@@ -11,7 +11,7 @@ runs: GH_TOKEN: ${{ github.token }} - name: Cache e-dant/watcher id: cache-watcher - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: watcher/target key: watcher-${{ runner.os }}-${{ runner.arch }}-${{ steps.determine-watcher-version.outputs.version }}-${{ env.CC && env.CC || 'gcc' }}
diff --git a/.github/workflows/dependabot.yaml b/.github/workflows/dependabot.yaml
new file mode 100644
index 0000000000..6dfb1bfb85
--- /dev/null
+++ b/.github/workflows/dependabot.yaml
@@ -0,0 +1,25 @@
+---
+name: Dependabot Auto-Merge
+on: pull_request
+permissions: {}
+jobs:
+ auto-merge:
+ if: github.actor == 'dependabot[bot]'
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - name: Fetch Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Auto-merge minor and patch GitHub Actions updates
+ if: steps.metadata.outputs.package-ecosystem == 'github_actions' && steps.metadata.outputs.update-type != 'version-update:semver-major'
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ run: |
+ gh pr review --approve "${PR_URL}"
+ gh pr merge --auto --squash "${PR_URL}"
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index c1c29bbfc3..f8d7f8bc99 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
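Review bot: The gate on the `Auto-merge minor and patch GitHub Actions updates` step admits more than its name says: `update-type != 'version-update:semver-major'` is also true when fetch-metadata leaves `update-type` empty, which as far as I can tell happens for bumps it cannot classify as semver (verify against the action's documentation), so such a PR would be approved and merged as well. An allow-list matches the step name exactly: `if: steps.metadata.outputs.package-ecosystem == 'github_actions' && contains(fromJSON('["version-update:semver-minor", "version-update:semver-patch"]'), steps.metadata.outputs.update-type)`. The new file also lacks a header comment stating the repository-side preconditions it depends on, since `gh pr merge --auto` only queues the merge behind branch protection (with no required checks the PR merges immediately) and, as I understand it, errors when auto-merge is not enabled in the repository settings; something like `# Requires "Allow auto-merge" in the repository settings and branch protection with required checks on main.` above `name:` would make that explicit.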
@@ -30,13 +30,14 @@ on: type: string schedule: - cron: "0 4 * * *" -permissions: - contents: read +permissions: {} env: IMAGE_NAME: ${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/')) && 'dunglas/frankenphp' || 'dunglas/frankenphp-dev' }} jobs: prepare: runs-on: ubuntu-24.04 + permissions: + contents: read outputs: # Push if it's a scheduled job, a tag, or if we're committing to the main branch push: ${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main' && github.event_name != 'pull_request')) && true || false }}
@@ -52,12 +53,12 @@ jobs: ref: ${{ steps.check.outputs.ref || (github.event_name == 'workflow_dispatch' && inputs.version) || '' }} base_fingerprint: ${{ steps.check.outputs.base_fingerprint }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 persist-credentials: false - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - name: Check PHP versions and base image fingerprint id: check env:
@@ -82,6 +83,8 @@ jobs: build: environment: dockerhub runs-on: ${{ startsWith(matrix.platform, 'linux/arm') && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }} + permissions: + contents: read needs: - prepare if: ${{ !fromJson(needs.prepare.outputs.skip) }}
@@ -118,23 +121,23 @@ jobs: run: echo "sanitized_platform=${PLATFORM//\//-}" >> "${GITHUB_OUTPUT}" env: PLATFORM: ${{ matrix.platform }} - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ needs.prepare.outputs.ref }} persist-credentials: false - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 with: platforms: ${{ matrix.platform }} - name: Login to DockerHub - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository with: username: ${{ vars.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build id: build - uses: docker/bake-action@v7 + uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7 with: pull: true load: ${{ !fromJson(needs.prepare.outputs.push) }}
@@ -175,7 +178,7 @@ jobs: VARIANT: ${{ matrix.variant }} - name: Upload builder metadata if: fromJson(needs.prepare.outputs.push) - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: metadata-builder-${{ matrix.variant }}-${{ steps.prepare.outputs.sanitized_platform }} path: /tmp/metadata/builder/*
@@ -183,7 +186,7 @@ jobs: retention-days: 1 - name: Upload runner metadata if: fromJson(needs.prepare.outputs.push) - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: metadata-runner-${{ matrix.variant }}-${{ steps.prepare.outputs.sanitized_platform }} path: /tmp/metadata/runner/*
@@ -207,6 +210,8 @@ jobs: push: environment: dockerhub runs-on: ubuntu-24.04 + permissions: + contents: read needs: - prepare - build
@@ -218,15 +223,15 @@ jobs: target: ["builder", "runner"] steps: - name: Download metadata - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: pattern: metadata-${{ matrix.target }}-${{ matrix.variant }}-* path: /tmp/metadata merge-multiple: true - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - name: Login to DockerHub - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository with: username: ${{ vars.DOCKERHUB_USERNAME }}
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 7a4f83a0c9..d491107851 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -10,22 +10,23 @@ on: push: branches: - main -permissions: - contents: read - packages: read - statuses: write +permissions: {} jobs: build: name: Lint Code Base runs-on: ubuntu-latest + permissions: + contents: read + packages: read + statuses: write steps: - name: Checkout Code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 persist-credentials: false - name: Lint Code Base - uses: super-linter/super-linter/slim@v8 + uses: super-linter/super-linter/slim@d24d9629088c26de5cc684fbe17d1843469c37e0 # v8 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} LINTER_RULES_PATH: /
diff --git a/.github/workflows/sanitizers.yaml b/.github/workflows/sanitizers.yaml
index 15fe013d5b..7eab4decdd 100644
--- a/.github/workflows/sanitizers.yaml
+++ b/.github/workflows/sanitizers.yaml
@@ -14,8 +14,7 @@ on: - main paths-ignore: - "docs/**" -permissions: - contents: read +permissions: {} env: GOTOOLCHAIN: local GOTESTSUM_FORMAT: pkgname-and-test-fails
@@ -24,6 +23,8 @@ jobs: sanitizers: name: ${{ matrix.sanitizer }} runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false matrix:
@@ -41,10 +42,10 @@ jobs: steps: - name: Remove local PHP run: sudo apt-get remove --purge --autoremove 'php*' 'libmemcached*' - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version: "1.26" cache-dependency-path: |
@@ -58,7 +59,7 @@ jobs: echo archive="$(jq -r '.[] .source[] | select(.filename |endswith(".xz")) | "https://www.php.net/distributions/" + .filename' version.json)" >> "$GITHUB_OUTPUT" - name: Cache PHP id: cache-php - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: php/target key: php-sanitizers-${{ matrix.sanitizer }}-${{ runner.arch }}-${{ steps.determine-php-version.outputs.version }}
diff --git a/.github/workflows/static.yaml b/.github/workflows/static.yaml
index 165c48bcb2..2defcb6ceb 100644
--- a/.github/workflows/static.yaml
+++ b/.github/workflows/static.yaml
@@ -32,8 +32,7 @@ on: schedule: - cron: "0 0 * * *" -permissions: - contents: read +permissions: {} env: IMAGE_NAME: ${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/')) && 'dunglas/frankenphp' || 'dunglas/frankenphp-dev' }}
@@ -43,6 +42,8 @@ env: jobs: prepare: runs-on: ubuntu-24.04 + permissions: + contents: read outputs: push: ${{ toJson((steps.check.outputs.ref || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main' && github.event_name != 'pull_request')) && true || false) }} platforms: ${{ steps.matrix.outputs.platforms }}
@@ -63,12 +64,12 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} REF: ${{ (github.ref_type == 'tag' && github.ref_name) || (github.event_name == 'workflow_dispatch' && inputs.version) || '' }} - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ steps.check.outputs.ref }} persist-credentials: false - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - name: Create platforms matrix id: matrix run: |
@@ -110,16 +111,16 @@ jobs: run: echo "sanitized_platform=${PLATFORM//\//-}" >> "${GITHUB_OUTPUT}" env: PLATFORM: ${{ matrix.platform }} - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ needs.prepare.outputs.ref }} persist-credentials: false - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 with: platforms: ${{ matrix.platform }} - name: Login to DockerHub - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository with: username: ${{ vars.DOCKERHUB_USERNAME }}
@@ -139,7 +140,7 @@ jobs: REF: ${{ needs.prepare.outputs.ref }} - name: Build id: build - uses: docker/bake-action@v7 + uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7 with: pull: true load: ${{ !fromJson(needs.prepare.outputs.push) || matrix.debug || matrix.mimalloc }}
@@ -171,7 +172,7 @@ jobs: METADATA: ${{ steps.build.outputs.metadata }} - name: Upload metadata if: fromJson(needs.prepare.outputs.push) && !matrix.debug && !matrix.mimalloc - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: metadata-static-builder-musl-${{ steps.prepare.outputs.sanitized_platform }} path: /tmp/metadata/*
@@ -191,7 +192,7 @@ jobs: PLATFORM: ${{ matrix.platform }} - name: Upload artifact if: ${{ !fromJson(needs.prepare.outputs.push) }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }} path: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }}
@@ -203,7 +204,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} REF: ${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref }} - if: fromJson(needs.prepare.outputs.push) && (needs.prepare.outputs.ref || github.ref_type == 'tag') - uses: actions/attest-build-provenance@v4 + uses: actions/attest-build-provenance@b3e506e8c389afc651c5bacf2b8f2a1ea0557215 # v4 with: subject-path: ${{ github.workspace }}/frankenphp-linux-* - name: Run sanity checks
@@ -266,7 +267,7 @@ jobs: run: echo "sanitized_platform=${PLATFORM//\//-}" >> "${GITHUB_OUTPUT}" env: PLATFORM: ${{ matrix.platform }} - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ needs.prepare.outputs.ref }} persist-credentials: false
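Review bot: With `permissions: {}` now at the workflow level of static.yaml, any job without its own `permissions:` block runs with a token that has no scopes, and the `actions/attest-build-provenance` step in `@@ -203,7 +204,7 @@` needs `id-token: write` and `attestations: write` (plus `contents: read` for the checkout earlier in the same job); this diff adds a job-level block only to `prepare` (`@@ -43,6 +42,8 @@`) and `push` (`@@ -381,6 +382,8 @@`), not to the job this hunk belongs to, whose header lies outside the hunk. Since the old top-level grant was only `contents: read`, the job presumably already carries a job-level block with those scopes and nothing changes; if it does not, the attestation fails, and because the step is gated by `fromJson(needs.prepare.outputs.push)` the failure would surface only on a push or tag run, never in PR CI. The same check applies to the attest steps in `@@ -362,7 +363,7 @@` and `@@ -483,17 +486,17 @@`. Confirming that each of those jobs declares a job-level `permissions:` block granting `contents: read`, `id-token: write` and `attestations: write` closes the gap.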
@@ -284,18 +285,18 @@ jobs: env: REF: ${{ needs.prepare.outputs.ref }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 with: platforms: ${{ matrix.platform }} - name: Login to DockerHub - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository with: username: ${{ vars.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build id: build - uses: docker/bake-action@v7 + uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7 with: pull: true load: ${{ !fromJson(needs.prepare.outputs.push) }}
@@ -325,7 +326,7 @@ jobs: METADATA: ${{ steps.build.outputs.metadata }} - name: Upload metadata if: fromJson(needs.prepare.outputs.push) - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: metadata-static-builder-gnu-${{ steps.prepare.outputs.sanitized_platform }} path: /tmp/metadata-gnu/*
@@ -351,7 +352,7 @@ jobs: PLATFORM: ${{ matrix.platform }} - name: Upload artifact if: ${{ !fromJson(needs.prepare.outputs.push) }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}-gnu-files path: gh-output/*
@@ -362,7 +363,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} REF: ${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref }} - if: fromJson(needs.prepare.outputs.push) && (needs.prepare.outputs.ref || github.ref_type == 'tag') - uses: actions/attest-build-provenance@v4 + uses: actions/attest-build-provenance@b3e506e8c389afc651c5bacf2b8f2a1ea0557215 # v4 with: subject-path: ${{ github.workspace }}/gh-output/frankenphp-linux-*-gnu - name: Run sanity checks
@@ -381,6 +382,8 @@ jobs: push: environment: dockerhub runs-on: ubuntu-24.04 + permissions: + contents: read needs: - prepare - build-linux-musl
@@ -388,21 +391,21 @@ jobs: if: fromJson(needs.prepare.outputs.push) steps: - name: Download metadata - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: pattern: metadata-static-builder-musl-* path: /tmp/metadata merge-multiple: true - name: Download GNU metadata - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: pattern: metadata-static-builder-gnu-* path: /tmp/metadata-gnu merge-multiple: true - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - name: Login to DockerHub - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository with: username: ${{ vars.DOCKERHUB_USERNAME }}
@@ -451,11 +454,11 @@ jobs: env: HOMEBREW_NO_AUTO_UPDATE: 1 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ needs.prepare.outputs.ref }} persist-credentials: false - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: # zizmor: ignore[cache-poisoning] go-version: "1.26" cache-dependency-path: |
@@ -483,17 +486,17 @@ jobs: NO_COMPRESS: ${{ github.event_name == 'pull_request' && '1' || '' }} - name: Upload logs if: ${{ failure() }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: path: dist/static-php-cli/log name: static-php-cli-log-${{ matrix.platform }}-${{ github.sha }} - if: needs.prepare.outputs.ref || github.ref_type == 'tag' - uses: actions/attest-build-provenance@v4 + uses: actions/attest-build-provenance@b3e506e8c389afc651c5bacf2b8f2a1ea0557215 # v4 with: subject-path: ${{ github.workspace }}/dist/frankenphp-mac-* - name: Upload artifact if: github.ref_type == 'branch' - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: frankenphp-mac-${{ matrix.platform }} path: dist/frankenphp-mac-${{ matrix.platform }}
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 396d9ccf77..276325fdaf 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -14,8 +14,7 @@ on: - main paths-ignore: - "docs/**" -permissions: - contents: read +permissions: {} env: GOTOOLCHAIN: local GOEXPERIMENT: cgocheck2
@@ -25,6 +24,8 @@ jobs: name: Tests (Linux, PHP ${{ matrix.php-versions }}) runs-on: ubuntu-latest continue-on-error: false + permissions: + contents: read strategy: fail-fast: false matrix:
@@ -38,16 +39,16 @@ jobs: LIBRARY_PATH: ${{ github.workspace }}/watcher/target/lib GOFLAGS: "-tags=nobadger,nomysql,nopgx" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version: "1.26" cache-dependency-path: | go.sum caddy/go.sum - - uses: shivammathur/setup-php@v2 + - uses: shivammathur/setup-php@728c6c6b8cf02c2e48117716a91ee48313958a19 # v2 with: php-version: ${{ matrix.php-versions }} ini-file: development
@@ -84,7 +85,7 @@ jobs: - name: Run integrations tests run: ./reload_test.sh - name: Lint Go code - uses: golangci/golangci-lint-action@v9 + uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9 if: matrix.php-versions == '8.5' with: version: latest
@@ -98,6 +99,8 @@ jobs: integration-tests: name: Integration Tests (Linux, PHP ${{ matrix.php-versions }}) runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false matrix:
@@ -105,16 +108,16 @@ jobs: env: XCADDY_GO_BUILD_FLAGS: "-tags=nobadger,nomysql,nopgx" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version: "1.26" cache-dependency-path: | go.sum caddy/go.sum - - uses: shivammathur/setup-php@v2 + - uses: shivammathur/setup-php@728c6c6b8cf02c2e48117716a91ee48313958a19 # v2 with: php-version: ${{ matrix.php-versions }} ini-file: development
@@ -145,20 +148,22 @@ jobs: tests-mac: name: Tests (macOS, PHP 8.5) runs-on: macos-latest + permissions: + contents: read env: HOMEBREW_NO_AUTO_UPDATE: 1 GOFLAGS: "-tags=nowatcher,nobadger,nomysql,nopgx" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version: "1.26" cache-dependency-path: | go.sum caddy/go.sum - - uses: shivammathur/setup-php@v2 + - uses: shivammathur/setup-php@728c6c6b8cf02c2e48117716a91ee48313958a19 # v2 with: php-version: 8.5 ini-file: development
diff --git a/.github/workflows/translate.yaml b/.github/workflows/translate.yaml
index c8bf52b099..282b84f178 100644
--- a/.github/workflows/translate.yaml
+++ b/.github/workflows/translate.yaml
@@ -8,17 +8,18 @@ on: - main paths: - "docs/*" -permissions: - contents: write - pull-requests: write +permissions: {} jobs: build: environment: translate name: Translate Docs runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write steps: - name: Checkout Code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 # zizmor: ignore[artipacked]
@@ -32,7 +33,7 @@ jobs: echo "files=$FILES" >> "$GITHUB_OUTPUT" - name: Set up PHP if: steps.md_files.outputs.found == 'true' - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@728c6c6b8cf02c2e48117716a91ee48313958a19 # v2 with: php-version: "8.5" - name: run translation script
@@ -45,7 +46,7 @@ jobs: - name: Run Linter if: steps.md_files.outputs.found == 'true' continue-on-error: true - uses: super-linter/super-linter/slim@v8 + uses: super-linter/super-linter/slim@d24d9629088c26de5cc684fbe17d1843469c37e0 # v8 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} LINTER_RULES_PATH: /
diff --git a/.github/workflows/windows.yaml b/.github/workflows/windows.yaml
index 8da5547899..1ddcd2f51d 100644
--- a/.github/workflows/windows.yaml
+++ b/.github/workflows/windows.yaml
@@ -28,8 +28,7 @@ on: schedule: - cron: "0 8 * * *" -permissions: - contents: read +permissions: {} env: GOTOOLCHAIN: local
@@ -63,7 +62,7 @@ jobs: git config --global core.eol lf - name: Checkout Code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ env.REF || '' }} path: frankenphp
@@ -88,7 +87,7 @@ jobs: "FRANKENPHP_VERSION=$frankenphpVersion" >> $env:GITHUB_ENV - name: Setup Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: # zizmor: ignore[cache-poisoning] go-version: "1.26" cache-dependency-path: |
@@ -208,7 +207,7 @@ jobs: - name: Upload Artifact if: ${{ !env.REF }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: ${{ env.DIR_NAME }} path: ${{ env.DIR_NAME }}
diff --git a/.github/workflows/wrap-issue-details.yaml b/.github/workflows/wrap-issue-details.yaml
index fe240552af..553d2e6eb4 100644
--- a/.github/workflows/wrap-issue-details.yaml
+++ b/.github/workflows/wrap-issue-details.yaml
@@ -3,8 +3,7 @@ on: issues: types: [opened, edited] -permissions: - contents: read +permissions: {} jobs: wrap_content:
@@ -12,7 +11,7 @@ jobs: permissions: issues: write steps: - - uses: actions/github-script@v8 + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const body = context.payload.issue.body;
diff --git a/zizmor.yaml b/zizmor.yaml
deleted file mode 100644
index bbb03663b7..0000000000
--- a/zizmor.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-rules:
- unpinned-uses:
- config:
- policies:
- "*": ref-pin
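Review bot: windows.yaml is the only workflow in this diff that receives `permissions: {}` at the top (`@@ -28,8 +28,7 @@`) without a compensating job-level block, so the job containing the `Checkout Code` step in `@@ -63,7 +62,7 @@` now runs with a token that has no scopes, whereas every other workflow here adds `permissions:` / `contents: read` to each job; the job header is outside the hunk, so if it already declares its own `permissions:` this is moot. Checkout of a public repository may still succeed with an empty token, which would let the regression pass unnoticed in CI, but any later step that calls the API through `GITHUB_TOKEN` would fail, and the inconsistency with the other workflows is a maintenance trap. Adding `permissions:` with `contents: read` under the job keeps windows.yaml aligned with the rest of the change.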