Skip to content

Harden GitHub workflows #579

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
samdark wants to merge 15 commits into
base: master
Choose a base branch
from
Open

Harden GitHub workflows #579

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
8c3520f
Harden GitHub workflows
samdark Jun 18, 2026
6661b75
Add zizmorify configuration
samdark Jun 18, 2026
4026e0d
Add zizmorify workflow
samdark Jun 18, 2026
e4384c4
Restore Dependabot non-GitHub-Actions updates
samdark Jun 19, 2026
caa3f49
Use master for yiisoft actions
samdark Jun 20, 2026
a2abf1b
Use master for yiisoft actions
samdark Jun 20, 2026
9233b1f
Use master for yiisoft actions
samdark Jun 20, 2026
7789ce5
Use master for yiisoft actions
samdark Jun 20, 2026
db1bb7d
Remove redundant zizmor config
samdark Jun 21, 2026
2dc1fc6
Remove redundant dependabot change
samdark Jun 24, 2026
efaf765
Revert "Remove redundant dependabot change"
samdark Jun 24, 2026
93935d4
Merge zizmorify configuration
samdark Jun 24, 2026
9e13467
Normalize Dependabot GitHub Actions updates
samdark Jun 24, 2026
6205259
Fix Dependabot GitHub Actions updates
samdark Jun 24, 2026
840ad2e
Fix zizmor workflow findings
samdark Jun 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 17 additions & 13 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,16 +1,20 @@
version: 2
updates:
# Maintain dependencies for GitHub Actions.
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
# Too noisy. See https://github.community/t/increase-if-necessary-for-github-actions-in-dependabot/179581
open-pull-requests-limit: 0
# Maintain dependencies for GitHub Actions.
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
cooldown:
default-days: 7
ignore:
- dependency-name: "yiisoft/*"

# Maintain dependencies for Composer
- package-ecosystem: "composer"
directory: "/"
schedule:
interval: "daily"
versioning-strategy: increase-if-necessary
# Maintain dependencies for Composer
- package-ecosystem: "composer"
directory: "/"
schedule:
interval: "daily"
versioning-strategy: increase-if-necessary
cooldown:
default-days: 7
2 changes: 2 additions & 0 deletions .github/workflows/composer-require-checker.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read
jobs:
composer-require-checker:
uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master
Expand Down
10 changes: 7 additions & 3 deletions .github/workflows/db-mssql.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,8 @@
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read
jobs:
build:
name: PHP ${{ matrix.php }}
Expand All @@ -43,7 +45,7 @@

services:
mssql:
image: mcr.microsoft.com/mssql/server:2022-latest

Check failure on line 48 in .github/workflows/db-mssql.yml

View workflow job for this annotation

GitHub Actions / zizmor / Run zizmor 🌈

unpinned-images 

db-mssql.yml:48: unpinned image references: container image is not pinned to a SHA256 hash
env:
SA_PASSWORD: YourStrong!Passw0rd
ACCEPT_EULA: Y
Expand All @@ -61,13 +63,15 @@
sudo ACCEPT_EULA=Y apt-get install -y msodbcsql18

- name: Checkout.
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5

Check warning on line 66 in .github/workflows/db-mssql.yml

View workflow job for this annotation

GitHub Actions / zizmor / Run zizmor 🌈

ref-version-mismatch 

db-mssql.yml:66: action's hash pin has mismatched or missing version comment: missing version comment
with:
persist-credentials: false

- name: Create MS SQL Database
run: docker exec -i mssql /opt/mssql-tools18/bin/sqlcmd -C -S localhost -U SA -P 'YourStrong!Passw0rd' -Q 'CREATE DATABASE [ar-test]'

- name: Install PHP with extensions.
uses: shivammathur/setup-php@v2
uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45

Check warning on line 74 in .github/workflows/db-mssql.yml

View workflow job for this annotation

GitHub Actions / zizmor / Run zizmor 🌈

stale-action-refs 

db-mssql.yml:74: commit hash does not point to a Git tag: this step
with:
php-version: ${{ matrix.php }}
extensions: ${{ env.extensions }}
Expand All @@ -87,7 +91,7 @@
run: vendor/bin/phpunit --testsuite=Mssql --coverage-clover=coverage.xml --colors=always --display-warnings --display-deprecations

- name: Upload coverage to Codecov.
uses: codecov/codecov-action@v5
uses: codecov/codecov-action@04b047e8bb82a0c002c8312c1c880fbc6a999d45

Check warning on line 94 in .github/workflows/db-mssql.yml

View workflow job for this annotation

GitHub Actions / zizmor / Run zizmor 🌈

stale-action-refs 

db-mssql.yml:94: commit hash does not point to a Git tag: this step
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: ./coverage.xml
12 changes: 8 additions & 4 deletions .github/workflows/db-mysql.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,8 @@
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read
jobs:
build:
name: PHP ${{ matrix.php }}
Expand All @@ -43,7 +45,7 @@

services:
mysql:
image: mysql:latest
image: mysql:9

Check failure on line 48 in .github/workflows/db-mysql.yml

View workflow job for this annotation

GitHub Actions / zizmor / Run zizmor 🌈

unpinned-images 

db-mysql.yml:48: unpinned image references: container image is not pinned to a SHA256 hash
env:
MYSQL_ALLOW_EMPTY_PASSWORD: true
MYSQL_DATABASE: ar-test
Expand All @@ -55,10 +57,12 @@

steps:
- name: Checkout.
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5

Check warning on line 60 in .github/workflows/db-mysql.yml

View workflow job for this annotation

GitHub Actions / zizmor / Run zizmor 🌈

ref-version-mismatch 

db-mysql.yml:60: action's hash pin has mismatched or missing version comment: missing version comment
with:
persist-credentials: false

- name: Install PHP with extensions.
uses: shivammathur/setup-php@v2
uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45

Check warning on line 65 in .github/workflows/db-mysql.yml

View workflow job for this annotation

GitHub Actions / zizmor / Run zizmor 🌈

stale-action-refs 

db-mysql.yml:65: commit hash does not point to a Git tag: this step
with:
php-version: ${{ matrix.php }}
extensions: ${{ env.extensions }}
Expand All @@ -78,7 +82,7 @@
run: vendor/bin/phpunit --testsuite=Mysql --coverage-clover=coverage.xml --colors=always --display-warnings --display-deprecations

- name: Upload coverage to Codecov.
uses: codecov/codecov-action@v5
uses: codecov/codecov-action@04b047e8bb82a0c002c8312c1c880fbc6a999d45

Check warning on line 85 in .github/workflows/db-mysql.yml

View workflow job for this annotation

GitHub Actions / zizmor / Run zizmor 🌈

stale-action-refs 

db-mysql.yml:85: commit hash does not point to a Git tag: this step
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: ./coverage.xml
12 changes: 8 additions & 4 deletions .github/workflows/db-oracle.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,8 @@
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read
jobs:
build:
name: PHP ${{ matrix.php }}
Expand All @@ -43,7 +45,7 @@

services:
oci:
image: gvenzl/oracle-xe:latest
image: gvenzl/oracle-xe:21

Check failure on line 48 in .github/workflows/db-oracle.yml

View workflow job for this annotation

GitHub Actions / zizmor / Run zizmor 🌈

unpinned-images 

db-oracle.yml:48: unpinned image references: container image is not pinned to a SHA256 hash
ports:
- 1521:1521
env:
Expand All @@ -63,10 +65,12 @@
run: docker exec -i oci bash -c "sqlplus -s system/root@XE <<< 'ALTER USER system DEFAULT TABLESPACE USERS;'"

- name: Checkout.
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5

Check warning on line 68 in .github/workflows/db-oracle.yml

View workflow job for this annotation

GitHub Actions / zizmor / Run zizmor 🌈

ref-version-mismatch 

db-oracle.yml:68: action's hash pin has mismatched or missing version comment: missing version comment
with:
persist-credentials: false

- name: Install PHP with extensions.
uses: shivammathur/setup-php@v2
uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45

Check warning on line 73 in .github/workflows/db-oracle.yml

View workflow job for this annotation

GitHub Actions / zizmor / Run zizmor 🌈

stale-action-refs 

db-oracle.yml:73: commit hash does not point to a Git tag: this step
with:
php-version: ${{ matrix.php }}
extensions: ${{ env.extensions }}
Expand All @@ -86,7 +90,7 @@
run: vendor/bin/phpunit --testsuite=Oracle --coverage-clover=coverage.xml --colors=always --display-warnings --display-deprecations

- name: Upload coverage to Codecov.
uses: codecov/codecov-action@v5
uses: codecov/codecov-action@04b047e8bb82a0c002c8312c1c880fbc6a999d45

Check warning on line 93 in .github/workflows/db-oracle.yml

View workflow job for this annotation

GitHub Actions / zizmor / Run zizmor 🌈

stale-action-refs 

db-oracle.yml:93: commit hash does not point to a Git tag: this step
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: ./coverage.xml
10 changes: 7 additions & 3 deletions .github/workflows/db-pgsql.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,8 @@
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read
jobs:
build:
name: PHP ${{ matrix.php }}
Expand All @@ -42,7 +44,7 @@

services:
postgres:
image: postgres:18

Check failure on line 47 in .github/workflows/db-pgsql.yml

View workflow job for this annotation

GitHub Actions / zizmor / Run zizmor 🌈

unpinned-images 

db-pgsql.yml:47: unpinned image references: container image is not pinned to a SHA256 hash
env:
POSTGRES_DB: ar-test
POSTGRES_USER: yii
Expand All @@ -53,10 +55,12 @@

steps:
- name: Checkout.
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
with:
persist-credentials: false

- name: Install PHP with extensions.
uses: shivammathur/setup-php@v2
uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45

Check warning on line 63 in .github/workflows/db-pgsql.yml

View workflow job for this annotation

GitHub Actions / zizmor / Run zizmor 🌈

stale-action-refs 

db-pgsql.yml:63: commit hash does not point to a Git tag: this step
with:
php-version: ${{ matrix.php }}
extensions: ${{ env.extensions }}
Expand All @@ -76,7 +80,7 @@
run: vendor/bin/phpunit --testsuite=Pgsql --coverage-clover=coverage.xml --colors=always --display-warnings --display-deprecations

- name: Upload coverage to Codecov.
uses: codecov/codecov-action@v3
uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: ./coverage.xml
10 changes: 7 additions & 3 deletions .github/workflows/db-sqlite.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read
jobs:
build:
name: PHP ${{ matrix.php }}-sqlite-${{ matrix.os }}
Expand All @@ -47,10 +49,12 @@ jobs:

steps:
- name: Checkout.
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
with:
persist-credentials: false

- name: Install PHP with extensions.
uses: shivammathur/setup-php@v2
uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45
with:
php-version: ${{ matrix.php }}
extensions: ${{ env.extensions }}
Expand All @@ -70,7 +74,7 @@ jobs:
run: vendor/bin/phpunit --testsuite=Sqlite --coverage-clover=coverage.xml --colors=always --display-warnings --display-deprecations

- name: Upload coverage to Codecov.
uses: codecov/codecov-action@v5
uses: codecov/codecov-action@04b047e8bb82a0c002c8312c1c880fbc6a999d45
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: ./coverage.xml
10 changes: 7 additions & 3 deletions .github/workflows/mutation.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read
jobs:
mutation:
name: PHP ${{ matrix.php }}-${{ matrix.os }}
Expand All @@ -36,7 +38,7 @@

services:
postgres:
image: postgres:18

Check failure on line 41 in .github/workflows/mutation.yml

View workflow job for this annotation

GitHub Actions / zizmor / Run zizmor 🌈

unpinned-images 

mutation.yml:41: unpinned image references: container image is not pinned to a SHA256 hash
env:
POSTGRES_DB: ar-test
POSTGRES_USER: yii
Expand All @@ -47,10 +49,12 @@

steps:
- name: Checkout.
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
with:
persist-credentials: false

- name: Install PHP with extensions.
uses: shivammathur/setup-php@v2
uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45
with:
php-version: ${{ matrix.php }}
extensions: ${{ env.extensions }}
Expand All @@ -61,7 +65,7 @@
run: composer remove --dev yiisoft/db-sqlite yiisoft/db-mysql yiisoft/db-mssql yiisoft/db-oracle

- name: Install Composer dependencies
uses: ramsey/composer-install@v3
uses: ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f

- name: Install required yiisoft/db and yiisoft/db-pgsql
uses: yiisoft/actions/install-packages@master
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/static.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read
jobs:
psalm:
uses: yiisoft/actions/.github/workflows/psalm.yml@master
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/update-readme-packages.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
name: Update README packages

on:
pull_request_target:
pull_request:
paths:
- '.github/workflows/update-readme-packages.yml'
- 'composer.json'
Expand Down
22 changes: 22 additions & 0 deletions .github/workflows/zizmor.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
name: GitHub Actions Security Analysis with zizmor 🌈

on:
push:
branches:
- master
- main
paths:
- '.github/**.yml'
- '.github/**.yaml'
pull_request:
paths:
- '.github/**.yml'
- '.github/**.yaml'

permissions:
actions: read # Required by zizmor when reading workflow metadata through the API.
contents: read # Required to read workflow files.

jobs:
zizmor:
uses: yiisoft/actions/.github/workflows/zizmor.yml@master
Loading