diff --git a/.github/dependabot.yml b/.github/dependabot.yml index db86156..10f7e30 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,13 +4,17 @@ updates: - package-ecosystem: "github-actions" directory: "/" schedule: - interval: "daily" - # Too noisy. See https://github.community/t/increase-if-necessary-for-github-actions-in-dependabot/179581 - open-pull-requests-limit: 0 + interval: "weekly" + cooldown: + default-days: 7 + ignore: + - dependency-name: "yiisoft/*" # Maintain dependencies for Composer - package-ecosystem: "composer" directory: "/" schedule: interval: "daily" + cooldown: + default-days: 7 versioning-strategy: increase-if-necessary diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fd797cf..f53b13f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -22,12 +22,16 @@ on: name: build +permissions: + contents: read jobs: phpunit: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 + with: + persist-credentials: false - name: Build working-directory: ./tests run: docker compose build @@ -35,7 +39,7 @@ jobs: working-directory: ./tests run: docker compose run --rm php-cli vendor/bin/phpunit --coverage-clover ./tests/runtime/coverage.xml - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 with: verbose: true files: ./tests/runtime/coverage.xml diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml index a857bce..560a8c0 100644 --- a/.github/workflows/composer-require-checker.yml +++ b/.github/workflows/composer-require-checker.yml @@ -24,6 +24,8 @@ on: name: Composer require checker +permissions: + contents: read jobs: composer-require-checker: uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml index 4c64b99..37445d0 100644 --- a/.github/workflows/mutation.yml +++ b/.github/workflows/mutation.yml @@ -28,6 +28,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 + with: + persist-credentials: false - name: Mutation tests run: make mutation diff --git a/.github/workflows/rector.yml b/.github/workflows/rector.yml index 7bb92d8..64bdca8 100644 --- a/.github/workflows/rector.yml +++ b/.github/workflows/rector.yml @@ -19,6 +19,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 + with: + persist-credentials: false - name: Rector run: make rector diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index e33eca8..2047aec 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -22,6 +22,8 @@ on: name: static analysis +permissions: + contents: read jobs: psalm: uses: yiisoft/actions/.github/workflows/psalm.yml@master diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..430255d --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,22 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: + - master + - main + paths: + - '.github/**.yml' + - '.github/**.yaml' + pull_request: + paths: + - '.github/**.yml' + - '.github/**.yaml' + +permissions: + actions: read # Required by zizmor when reading workflow metadata through the API. + contents: read # Required to read workflow files. + +jobs: + zizmor: + uses: yiisoft/actions/.github/workflows/zizmor.yml@master