chore(deps): update shivammathur/setup-php action to v2.37.1

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
shivammathur/setup-php	action	minor	2.36.0 → 2.37.1

---

Release Notes

shivammathur/setup-php (shivammathur/setup-php)

v2.37.1

Compare Source

Changelog

Security Updates

• Fixed shell command escaping and PHP version input validation. Please see GHSA-pqwm-q9pv-ph8r.

[!NOTE]
This can affect workflows that pass values from users or pull requests to setup-php, for example from comments, dispatch inputs, PR titles/branches, generated matrices, or files such as .php-version and composer.json.
Be especially careful with pull_request_target workflows that use any value from the pull request. Workflows that only use fixed trusted values are not expected to be affected, but updating to 2.37.1 is recommended.

• Fixed GitHub auth handling for Composer versions affected by GHSA-f9f8-rm49-7jv2. It should now skip configuring GitHub OAuth if affected Composer versions are installed and show a warning to upgrade. Please see GHSA-5wxr-w449-57cm

[!NOTE]
This only affects workflows where the composer version is pinned like composer:2.9.7, workflows that do not pin the version or use composer:v2 are not affected as those get automatic updates. In case you pin the version, it is highly recommended to upgrade and have automation to do such timely upgrades in your workflows.

Fixes and Improvements

• Fixed support for phalcon on Windows.

• Fixed restoring tools when using cached using previous runs.

• Improved enabling gearman extension on Linux.

• Fixed fallback when installing PhpManager and VcRedist modules on Windows.

• Fixed parsing extension inputs with backslash line continuation.

• Improved workflow examples

  • Added workflow examples for Drupal 11 composer-managed projects and WordPress plugins.
  • Added workflow examples for Yii3 web applications and replaced Yii2 Starter Kit examples.
  • Updated workflow examples to use currently supported PHP versions.

• Updated OS release mappings for newer Ubuntu releases.

• Updated internal workflows for Codecov v6 and NPM trusted publishing.

• Updated Node.js dependencies.

• Fixed composer version in README. (#​1081)

Thanks @​Pyker for the contribution

For the complete list of changes, please refer to the Full Changelog

Follow for updates

v2.37.0

Compare Source

Changelog

• Updated the action to use Node.js 24. (#​1049)

• Added support for master in the php-version input. It should now set up a nightly build from the master branch of php-src.

• Added support to install ioncube and zephir_parser extensions on PHP 8.5.

• Expanded support for installing extensions using Homebrew on macOS from the shivammathur/homebrew-extensions tap. This includes pdo_firebird, sqlsrv, pdo_sqlsrv, pecl_http, swow, xhprof, and several other supported extensions.

• Improved switching PHP versions on Linux. Missing alternatives should now be registered automatically before switching versions. #​1067

• Improved support for Homebrew on macOS. It should now retry stuck brew commands with an inactivity watchdog.

• Improved support for adding tools. It should now correctly use the latest release download URL when a version is not specified. (#​1064)

• Improved tool setup and caching on self-hosted runners.

• Improved support for sqlsrv and pdo_sqlsrv on PHP 8.1 and 8.2.

• Fixed installing pecl_http on Windows. Switched to downloads.php.net for fixing ICU version post install.

• Fixed cached couchbase installs on macOS using the shivammathur/cache-extensions action.

• Replaced @actions/core with local functions to reduce bundle size.

• Refactored to use ES2024+ features for Node 24.

• Updated actions used in examples to their latest versions.

• Updated Node.js dependencies.

Thanks @​theluckystrike for the contribution 🎉

Thanks @​code-kudu, @​ssddanbrown, @​RoundingWell, and @​ntzrbtr for the sponsorship ❤️

For the complete list of changes, please refer to the Full Changelog

Follow for updates

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/shivammathur/setup-php	7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc	🟢 7	Details Check Score Reason Security-Policy 🟢 10 security policy file detected Maintained 🟢 10 30 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 0 Found 1/19 approved changesets -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions CII-Best-Practices 🟢 5 badge detected: Passing Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected SAST 🟢 7 SAST tool detected but not run on all commits

Scanned Files

• .github/workflows/static-code-analysis.yml

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (051a44d) to head (ac2d907).

Additional details and impacted files

@@             Coverage Diff             @@
##              master      #534   +/-   ##
===========================================
  Coverage     100.00%   100.00%           
  Complexity         7         7           
===========================================
  Files              1         1           
  Lines             17        17           
===========================================
  Hits              17        17           

Flag	Coverage Δ
unittests	100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud