Merge branch 'master' of github.com:/PhpGt/Routing

g105b · g105b · commit 74f83ab4260e · 2025-09-16T12:33:48.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,52 +7,52 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        php: [ 8.0, 8.1, 8.2 ]
+        php: [ 8.1, 8.2, 8.3, 8.4 ]
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Cache Composer dependencies
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: /tmp/composer-cache
-          key: ${{ runner.os }}-${{ hashFiles('**/composer.lock') }}
+          key: ${{ runner.os }}-${{ matrix.php }}-${{ hashFiles('**/composer.lock') }}
 
       - name: Composer install
         uses: php-actions/composer@v6
         with:
           php_version: ${{ matrix.php }}
 
       - name: Archive build
-        run: mkdir /tmp/github-actions/ && tar -cvf /tmp/github-actions/build.tar ./
+        run: mkdir /tmp/github-actions/ && tar --exclude=".git" -cvf /tmp/github-actions/build.tar ./
 
       - name: Upload build archive for test runners
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
-          name: build-artifact
+          name: build-artifact-${{ matrix.php }}
           path: /tmp/github-actions
 
   phpunit:
     runs-on: ubuntu-latest
     needs: [ composer ]
     strategy:
       matrix:
-        php: [ 8.0, 8.1, 8.2 ]
+        php: [ 8.1, 8.2, 8.3, 8.4 ]
 
     outputs:
       coverage: ${{ steps.store-coverage.outputs.coverage_text }}
 
     steps:
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
         with:
-          name: build-artifact
+          name: build-artifact-${{ matrix.php }}
           path: /tmp/github-actions
 
       - name: Extract build archive
         run: tar -xvf /tmp/github-actions/build.tar ./
 
       - name: PHP Unit tests
-        uses: php-actions/phpunit@v3
+        uses: php-actions/phpunit@v4
         env:
           XDEBUG_MODE: cover
         with:
@@ -62,40 +62,43 @@ jobs:
           coverage_clover: _coverage/clover.xml
 
       - name: Store coverage data
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
-          name: code-coverage
+          name: code-coverage-${{ matrix.php }}-${{ github.run_number }}
           path: _coverage
 
   coverage:
     runs-on: ubuntu-latest
     needs: [ phpunit ]
+    strategy:
+      matrix:
+        php: [ 8.1, 8.2, 8.3, 8.4 ]
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
         with:
-          name: code-coverage
+          name: code-coverage-${{ matrix.php }}-${{ github.run_number }}
           path: _coverage
 
       - name: Output coverage
         run: cat "_coverage/coverage.txt"
 
       - name: Upload to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v5
 
   phpstan:
     runs-on: ubuntu-latest
     needs: [ composer ]
     strategy:
       matrix:
-        php: [ 8.0, 8.1, 8.2 ]
+        php: [ 8.1, 8.2, 8.3, 8.4 ]
 
     steps:
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
         with:
-          name: build-artifact
+          name: build-artifact-${{ matrix.php }}
           path: /tmp/github-actions
 
       - name: Extract build archive
@@ -107,53 +110,52 @@ jobs:
           php_version: ${{ matrix.php }}
           path: src/
 
-# TODO: Uncomment these once phpms and phpcs are happy https://github.com/PhpGt/Routing/pull/53
-#  phpmd:
-#    runs-on: ubuntu-latest
-#    needs: [ composer ]
-#    strategy:
-#      matrix:
-#        php: [ 8.0, 8.1, 8.2 ]
-#
-#    steps:
-#      - uses: actions/download-artifact@v3
-#        with:
-#          name: build-artifact
-#          path: /tmp/github-actions
-#
-#      - name: Extract build archive
-#        run: tar -xvf /tmp/github-actions/build.tar ./
-#
-#      - name: PHP Mess Detector
-#        uses: php-actions/phpmd@v1
-#        with:
-#          php_version: ${{ matrix.php }}
-#          path: src/
-#          output: text
-#          ruleset: phpmd.xml
-#
-#  phpcs:
-#    runs-on: ubuntu-latest
-#    needs: [ composer ]
-#    strategy:
-#      matrix:
-#        php: [ 8.0, 8.1, 8.2 ]
-#
-#    steps:
-#      - uses: actions/download-artifact@v3
-#        with:
-#          name: build-artifact
-#          path: /tmp/github-actions
-#
-#      - name: Extract build archive
-#        run: tar -xvf /tmp/github-actions/build.tar ./
-#
-#      - name: PHP Code Sniffer
-#        uses: php-actions/phpcs@v1
-#        with:
-#          php_version: ${{ matrix.php }}
-#          path: src/
-#          standard: phpcs.xml
+  phpmd:
+    runs-on: ubuntu-latest
+    needs: [ composer ]
+    strategy:
+      matrix:
+        php: [ 8.1, 8.2, 8.3, 8.4 ]
+
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: build-artifact-${{ matrix.php }}
+          path: /tmp/github-actions
+
+      - name: Extract build archive
+        run: tar -xvf /tmp/github-actions/build.tar ./
+
+      - name: PHP Mess Detector
+        uses: php-actions/phpmd@v1
+        with:
+          php_version: ${{ matrix.php }}
+          path: src/
+          output: text
+          ruleset: phpmd.xml
+
+  phpcs:
+    runs-on: ubuntu-latest
+    needs: [ composer ]
+    strategy:
+      matrix:
+        php: [ 8.1, 8.2, 8.3, 8.4 ]
+
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: build-artifact-${{ matrix.php }}
+          path: /tmp/github-actions
+
+      - name: Extract build archive
+        run: tar -xvf /tmp/github-actions/build.tar ./
+
+      - name: PHP Code Sniffer
+        uses: php-actions/phpcs@v1
+        with:
+          php_version: ${{ matrix.php }}
+          path: src/
+          standard: phpcs.xml
 
   remove_old_artifacts:
     runs-on: ubuntu-latest
@@ -163,7 +165,7 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
-          gh api "/repos/${{ github.repository }}/actions/artifacts?name=build-artifact" | jq ".artifacts[] | select(.name == \"build-artifact\") | .id" > artifact-id-list.txt
+          gh api "/repos/${{ github.repository }}/actions/artifacts" | jq ".artifacts[] | select(.name | startswith(\"build-artifact\")) | .id" > artifact-id-list.txt
           while read id
           do
             echo -n "Deleting artifact ID $id ... "
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,25 @@
+# Security Policy
+
+## Supported Versions
+
+All MAJOR versions of this package will receive security updates for **two years after the next major version is released**. For example, if version 4.0.0 is released, version 3.x will continue receiving security updates for two years from that date.
+
+Versions outside this window are considered end-of-life and will no longer receive updates, even for critical vulnerabilities.
+
+## Reporting a Vulnerability
+
+If you discover a security issue, please report it using GitHub's [**"Report a vulnerability"** feature](../../security/advisories/new) under the **Security** tab of this repository.
+
+When reporting, please include the following information to help us investigate quickly and thoroughly:
+
+- A clear description of the vulnerability and what part of the code it affects.
+- Steps to reproduce the issue, ideally including:
+  - The affected version
+  - A code snippet or minimal test case
+  - The expected vs. actual behavior
+- If applicable, an explanation of potential impact or severity.
+- Any suggested mitigations or patches (optional, but appreciated).
+
+Please do not disclose the vulnerability publicly until we've had a chance to investigate and publish a fix.
+
+We appreciate responsible disclosure and are committed to resolving issues promptly.
diff --git a/composer.lock b/composer.lock
