diff --git a/.github/dependabot.yml b/.github/dependabot.yml index d7ebdbf..5fd269d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,16 +1,20 @@ version: 2 updates: - # Maintain dependencies for GitHub Actions. - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "daily" - # Too noisy. See https://github.community/t/increase-if-necessary-for-github-actions-in-dependabot/179581 - open-pull-requests-limit: 0 + # Maintain dependencies for GitHub Actions. + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + cooldown: + default-days: 7 + ignore: + - dependency-name: "yiisoft/*" - # Maintain dependencies for Composer - - package-ecosystem: "composer" - directory: "/" - schedule: - interval: "daily" - versioning-strategy: increase-if-necessary + # Maintain dependencies for Composer + - package-ecosystem: "composer" + directory: "/" + schedule: + interval: "daily" + versioning-strategy: increase-if-necessary + cooldown: + default-days: 7 diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml index 0ea4a5c..cd57767 100644 --- a/.github/workflows/bc.yml +++ b/.github/workflows/bc.yml @@ -23,6 +23,8 @@ on: name: backwards compatibility +permissions: + contents: read jobs: roave_bc_check: uses: yiisoft/actions/.github/workflows/bc.yml@master diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 43eab1c..6995f25 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -22,6 +22,8 @@ on: name: build +permissions: + contents: read jobs: phpunit: uses: yiisoft/actions/.github/workflows/phpunit.yml@master diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml index 57379c0..99589c2 100644 --- a/.github/workflows/composer-require-checker.yml +++ b/.github/workflows/composer-require-checker.yml @@ -24,6 +24,8 @@ on: name: Composer require checker +permissions: + contents: read jobs: composer-require-checker: uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml index d746b42..bdd64d4 100644 --- a/.github/workflows/mutation.yml +++ b/.github/workflows/mutation.yml @@ -20,6 +20,8 @@ on: name: mutation test +permissions: + contents: read jobs: mutation: uses: yiisoft/actions/.github/workflows/roave-infection.yml@master diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml index a000eab..f4a9e94 100644 --- a/.github/workflows/rector-cs.yml +++ b/.github/workflows/rector-cs.yml @@ -1,7 +1,7 @@ name: Rector + PHP CS Fixer on: - pull_request_target: + pull_request: paths: - 'config/**' - 'src/**' @@ -12,7 +12,7 @@ on: - '.php-cs-fixer.dist.php' permissions: - contents: write + contents: read concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -20,6 +20,8 @@ concurrency: jobs: rector: + permissions: + contents: write # Required to push PHP CS Fixer and Rector changes back to the branch. uses: yiisoft/actions/.github/workflows/rector-cs.yml@master with: php: '7.4' diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index 958261b..16cd1ff 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -22,6 +22,8 @@ on: name: static analysis +permissions: + contents: read jobs: psalm: uses: yiisoft/actions/.github/workflows/psalm.yml@master diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..430255d --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,22 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: + - master + - main + paths: + - '.github/**.yml' + - '.github/**.yaml' + pull_request: + paths: + - '.github/**.yml' + - '.github/**.yaml' + +permissions: + actions: read # Required by zizmor when reading workflow metadata through the API. + contents: read # Required to read workflow files. + +jobs: + zizmor: + uses: yiisoft/actions/.github/workflows/zizmor.yml@master