diff --git a/.github/dependabot.yml b/.github/dependabot.yml index db86156..10f7e30 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,13 +4,17 @@ updates: - package-ecosystem: "github-actions" directory: "/" schedule: - interval: "daily" - # Too noisy. See https://github.community/t/increase-if-necessary-for-github-actions-in-dependabot/179581 - open-pull-requests-limit: 0 + interval: "weekly" + cooldown: + default-days: 7 + ignore: + - dependency-name: "yiisoft/*" # Maintain dependencies for Composer - package-ecosystem: "composer" directory: "/" schedule: interval: "daily" + cooldown: + default-days: 7 versioning-strategy: increase-if-necessary diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml index 00041a9..563f85f 100644 --- a/.github/workflows/bc.yml +++ b/.github/workflows/bc.yml @@ -23,6 +23,8 @@ on: name: backwards compatibility +permissions: + contents: read jobs: roave_bc_check: uses: yiisoft/actions/.github/workflows/bc.yml@master diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b754bd2..0a3817b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -23,6 +23,8 @@ on: name: build +permissions: + contents: read jobs: phpunit: uses: yiisoft/actions/.github/workflows/phpunit.yml@master diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml index 7999747..9ef9028 100644 --- a/.github/workflows/composer-require-checker.yml +++ b/.github/workflows/composer-require-checker.yml @@ -25,6 +25,8 @@ on: name: Composer require checker +permissions: + contents: read jobs: composer-require-checker: uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml index 91d3036..6e8be66 100644 --- a/.github/workflows/mutation.yml +++ b/.github/workflows/mutation.yml @@ -21,6 +21,8 @@ on: name: mutation test +permissions: + contents: read jobs: mutation: uses: yiisoft/actions/.github/workflows/infection.yml@master diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml index 6424c2a..d4003af 100644 --- a/.github/workflows/rector-cs.yml +++ b/.github/workflows/rector-cs.yml @@ -1,7 +1,7 @@ name: Rector + PHP CS Fixer on: - pull_request_target: + pull_request: paths: - 'src/**' - 'tests/**' @@ -20,8 +20,5 @@ concurrency: jobs: rector: uses: yiisoft/actions/.github/workflows/rector-cs.yml@master - secrets: - token: ${{ secrets.YIISOFT_GITHUB_TOKEN }} with: - repository: ${{ github.event.pull_request.head.repo.full_name }} php: '8.1' diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index 9e12684..4ae842e 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -23,6 +23,8 @@ on: name: static analysis +permissions: + contents: read jobs: psalm: uses: yiisoft/actions/.github/workflows/psalm.yml@master diff --git a/.github/workflows/yiisoft-di.yml b/.github/workflows/yiisoft-di.yml index 833c0d2..b7eeceb 100644 --- a/.github/workflows/yiisoft-di.yml +++ b/.github/workflows/yiisoft-di.yml @@ -23,6 +23,8 @@ on: name: yiisoft-di +permissions: + contents: read jobs: phpunit: name: PHP ${{ matrix.php }}-${{ matrix.os }} @@ -42,25 +44,27 @@ jobs: steps: - name: Checkout Yii Definitions - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: path: definitions-repo + persist-credentials: false - name: Checkout Yii DI - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: path: di-repo repository: 'yiisoft/di' + persist-credentials: false - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 with: php-version: 8.2 tools: composer:v2 coverage: none - name: Install Composer dependencies - uses: "ramsey/composer-install@v3" + uses: ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f with: working-directory: di-repo diff --git a/.github/workflows/yiisoft-factory.yml b/.github/workflows/yiisoft-factory.yml index f75fff3..ca84151 100644 --- a/.github/workflows/yiisoft-factory.yml +++ b/.github/workflows/yiisoft-factory.yml @@ -23,6 +23,8 @@ on: name: yiisoft-factory +permissions: + contents: read jobs: phpunit: name: PHP ${{ matrix.php }}-${{ matrix.os }} @@ -41,25 +43,27 @@ jobs: steps: - name: Checkout Yii Definitions - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: path: definitions-repo + persist-credentials: false - name: Checkout Yii Factory - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: path: factory-repo repository: 'yiisoft/factory' + persist-credentials: false - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 with: php-version: 8.2 tools: composer:v2 coverage: none - name: Install Composer dependencies - uses: "ramsey/composer-install@v3" + uses: ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f with: working-directory: factory-repo diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..430255d --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,22 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: + - master + - main + paths: + - '.github/**.yml' + - '.github/**.yaml' + pull_request: + paths: + - '.github/**.yml' + - '.github/**.yaml' + +permissions: + actions: read # Required by zizmor when reading workflow metadata through the API. + contents: read # Required to read workflow files. + +jobs: + zizmor: + uses: yiisoft/actions/.github/workflows/zizmor.yml@master