From 0e8e10faee11d24d6325e774d2690d122c4e166e Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Fri, 19 Jun 2026 00:42:47 +0300
Subject: [PATCH 01/14] Harden GitHub workflows
---
 .github/workflows/bc.yml | 4 +++-
 .github/workflows/build.yml | 4 +++-
 .github/workflows/composer-require-checker.yml | 4 +++-
 .github/workflows/mutation.yml | 4 +++-
 .github/workflows/rector-cs.yml | 4 ++--
 .github/workflows/static.yml | 6 ++++--
 6 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml
index 0ea4a5c..d7e5cd5 100644
--- a/.github/workflows/bc.yml
+++ b/.github/workflows/bc.yml
@@ -23,9 +23,11 @@ on:
 name: backwards compatibility
+permissions:
+ contents: read
 jobs:
 roave_bc_check:
- uses: yiisoft/actions/.github/workflows/bc.yml@master
+ uses: yiisoft/actions/.github/workflows/bc.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
 with:
 os: >-
 ['ubuntu-latest']
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5c52945..10818a7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,9 +22,11 @@ on:
 name: build
+permissions:
+ contents: read
 jobs:
 phpunit:
- uses: yiisoft/actions/.github/workflows/phpunit.yml@master
+ uses: yiisoft/actions/.github/workflows/phpunit.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
 with:
 os: >-
 ['ubuntu-latest', 'windows-latest']
diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml
index 57379c0..e37a286 100644
--- a/.github/workflows/composer-require-checker.yml
+++ b/.github/workflows/composer-require-checker.yml
@@ -24,9 +24,11 @@ on:
 name: Composer require checker
+permissions:
+ contents: read
 jobs:
 composer-require-checker:
- uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master
+ uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
 with:
 os: >-
 ['ubuntu-latest']
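Review bot: The new `uses:` line pins yiisoft/actions to a bare commit hash with no trailing comment naming the tag or branch it was resolved from, so a reader cannot tell which version this is or whether it has gone stale. A hash pin is only as safe as the process that bumps it, and the Dependabot configuration visible later in this series keeps the github-actions ecosystem at `open-pull-requests-limit: 0` and then ignores `yiisoft/*`, so nothing will ever advance this commit. Record the resolved ref next to the hash, e.g. `uses: yiisoft/actions/.github/workflows/bc.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 # master, 2026-06-19` (the date the pin was taken), and pair it with an update path. The same applies to the build.yml and composer-require-checker.yml hunks on this line.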
diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml
index d746b42..862334c 100644
--- a/.github/workflows/mutation.yml
+++ b/.github/workflows/mutation.yml
@@ -20,9 +20,11 @@ on:
 name: mutation test
+permissions:
+ contents: read
 jobs:
 mutation:
- uses: yiisoft/actions/.github/workflows/roave-infection.yml@master
+ uses: yiisoft/actions/.github/workflows/roave-infection.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
 with:
 os: >-
 ['ubuntu-latest']
diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml
index a9b7d76..bb377ad 100644
--- a/.github/workflows/rector-cs.yml
+++ b/.github/workflows/rector-cs.yml
@@ -1,7 +1,7 @@
 name: Rector + PHP CS Fixer
 on:
- pull_request_target:
+ pull_request:
 paths:
 - 'config/**'
 - 'src/**'
@@ -20,7 +20,7 @@ concurrency:
 jobs:
 rector:
- uses: yiisoft/actions/.github/workflows/rector-cs.yml@master
+ uses: yiisoft/actions/.github/workflows/rector-cs.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
 secrets:
 token: ${{ secrets.YIISOFT_GITHUB_TOKEN }}
 with:
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index 958261b..17561f3 100644
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
@@ -22,16 +22,18 @@ on:
 name: static analysis
+permissions:
+ contents: read
 jobs:
 psalm:
- uses: yiisoft/actions/.github/workflows/psalm.yml@master
+ uses: yiisoft/actions/.github/workflows/psalm.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
 with:
 os: >-
 ['ubuntu-latest']
 php: >-
 ['8.1', '8.2', '8.3', '8.4']
 psalm74-80:
- uses: yiisoft/actions/.github/workflows/psalm.yml@master
+ uses: yiisoft/actions/.github/workflows/psalm.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
 with:
 psalm-config: psalm74-80.xml
 os: >-
From a8eddc2b1e3f5964f9b21d7eb1ef4807ce20f54f Mon Sep 17 00:00:00 2001
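Review bot: Switching the trigger from `pull_request_target` to `pull_request` in the first rector-cs.yml hunk closes the classic pwn-request path, but unlike the other five workflows touched by this patch, rector-cs.yml receives no top-level `permissions:` block, so its jobs keep whatever default token permissions the repository settings grant. Lines 8–19 of the file fall outside both hunks, so a block may already exist there; if it does not, add `permissions:` / `  contents: read` at the top level and widen it only on the job that needs more. The second hunk still forwards `secrets.YIISOFT_GITHUB_TOKEN` to a workflow that now runs on `pull_request`, where fork-originated runs receive no secrets at all, so the call should not rely on that token being non-empty.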
From: Alexander Makarov
Date: Fri, 19 Jun 2026 02:16:02 +0300
Subject: [PATCH 02/14] Add zizmorify configuration
---
 .github/dependabot.yml | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d7ebdbf..6cc0071 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,16 +1,8 @@
 version: 2
 updates:
- # Maintain dependencies for GitHub Actions.
- - package-ecosystem: "github-actions"
- directory: "/"
- schedule:
- interval: "daily"
- # Too noisy. See https://github.community/t/increase-if-necessary-for-github-actions-in-dependabot/179581
- open-pull-requests-limit: 0
-
- # Maintain dependencies for Composer
- - package-ecosystem: "composer"
- directory: "/"
- schedule:
- interval: "daily"
- versioning-strategy: increase-if-necessary
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 7
From 625ab99c4bbe7cdfb063270f0a665782f79ab57d Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Fri, 19 Jun 2026 02:37:13 +0300
Subject: [PATCH 03/14] Add zizmorify workflow
---
 .github/workflows/zizmor.yml | 37 ++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..e9b7e06
--- /dev/null
+++ b/.github/workflows/zizmor.yml
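Review bot: The Composer `package-ecosystem` stanza is deleted together with the GitHub Actions one (the diffstat shows 14 deletions against 6 insertions), so after this commit Dependabot stops proposing updates for the PHP dependencies, which are the larger supply-chain surface of this repository. The commit title only mentions adding configuration, so the removal looks accidental rather than intended; patch 04 in this series restores it. If the weekly cadence and `cooldown:` are wanted for both ecosystems, keep the Composer entry and give it its own `cooldown:` / `  default-days: 7` instead of dropping it.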
@@ -0,0 +1,37 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - '.github/**.yml'
+ - '.github/**.yaml'
+ pull_request:
+ paths:
+ - '.github/**.yml'
+ - '.github/**.yaml'
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ zizmor:
+ name: Run zizmor 🌈
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+ with:
+ advanced-security: false
+ annotations: true
+ persona: 'pedantic'
From a6604cb4535bfc9193d7a3c7fa7580c563fac68e Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Fri, 19 Jun 2026 12:04:54 +0300
Subject: [PATCH 04/14] Restore Dependabot non-GitHub-Actions updates
---
 .github/dependabot.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6cc0071..cb0e7a1 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,5 +1,19 @@
 version: 2
 updates:
+ # Maintain dependencies for GitHub Actions.
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ # Too noisy. See https://github.community/t/increase-if-necessary-for-github-actions-in-dependabot/179581
+ open-pull-requests-limit: 0
+
+ # Maintain dependencies for Composer
+ - package-ecosystem: "composer"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ versioning-strategy: increase-if-necessary
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
From 211c420abc9e30718b9d12ad8f69c3c8eb8a2ae2 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Fri, 19 Jun 2026 12:49:54 +0300
Subject: [PATCH 05/14] Remove Rector pull_request_target inputs
---
 .github/workflows/rector-cs.yml | 3 ---
 1 file changed, 3 deletions(-)
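Review bot: The new workflow runs only on `push` to `main` and on `pull_request`, both gated by `paths:` on `.github/**`, so zizmor's advisory-driven checks (the known-vulnerable-actions audit, if the chosen persona enables it) are re-evaluated only when a workflow file changes; an advisory published for an action already pinned here will go unreported until someone next edits `.github/`. Add a periodic trigger alongside the existing ones, e.g. `schedule:` / `  - cron: '0 6 * * 1'`, so the pinned `actions/checkout` and `zizmorcore/zizmor-action` commits are re-checked weekly. The `persist-credentials: false` checkout and the read-only `permissions:` block are the right defaults for a scanner job and should stay as they are.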
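Review bot: Restoring the old stanza above the new one leaves two `package-ecosystem: "github-actions"` entries for `directory: "/"`, one daily with `open-pull-requests-limit: 0` and one weekly with a cooldown; as far as I recall Dependabot rejects a configuration whose ecosystem, directory and target branch are not unique, and even if it parsed, the two entries express contradictory intent. Keep a single GitHub Actions entry, the weekly one with `cooldown:`, and restore only the Composer entry, so `updates:` holds exactly one entry per ecosystem. The restored Composer entry itself reads correctly.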
diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml
index bb377ad..15a6513 100644
--- a/.github/workflows/rector-cs.yml
+++ b/.github/workflows/rector-cs.yml
@@ -21,8 +21,5 @@ concurrency:
 jobs:
 rector:
 uses: yiisoft/actions/.github/workflows/rector-cs.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
- secrets:
- token: ${{ secrets.YIISOFT_GITHUB_TOKEN }}
 with:
- repository: ${{ github.event.pull_request.head.repo.full_name }}
 php: '7.4'
From eb1abdad323b805b1e5c07bb4d65f85302b0e05f Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Fri, 19 Jun 2026 12:49:59 +0300
Subject: [PATCH 06/14] Remove Rector pull_request_target inputs
---
 .github/workflows/rector-cs.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml
index a9b7d76..5ebdd90 100644
--- a/.github/workflows/rector-cs.yml
+++ b/.github/workflows/rector-cs.yml
@@ -21,8 +21,5 @@ concurrency:
 jobs:
 rector:
 uses: yiisoft/actions/.github/workflows/rector-cs.yml@master
- secrets:
- token: ${{ secrets.YIISOFT_GITHUB_TOKEN }}
 with:
- repository: ${{ github.event.pull_request.head.repo.full_name }}
 php: '7.4'
From 1a8703292fde723c8210bd2be21f2ef66cb805db Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Sat, 20 Jun 2026 11:47:56 +0300
Subject: [PATCH 07/14] Use master for yiisoft actions
---
 .github/workflows/bc.yml | 2 +-
 .github/workflows/build.yml | 2 +-
 .github/workflows/composer-require-checker.yml | 2 +-
 .github/workflows/mutation.yml | 2 +-
 .github/workflows/rector-cs.yml | 2 +-
 .github/workflows/static.yml | 4 ++--
 .github/zizmor.yml | 5 +++++
 7 files changed, 12 insertions(+), 7 deletions(-)
 create mode 100644 .github/zizmor.yml
diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml
index d7e5cd5..cd57767 100644
--- a/.github/workflows/bc.yml
+++ b/.github/workflows/bc.yml
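Review bot: Dropping `secrets.token` and the `repository` input removes the fork-aware push path, but it leaves open what the called rector-cs workflow now pushes with: on a `pull_request` event from a fork the job only ever gets a read-only `GITHUB_TOKEN`, so either the push-back fails on every external PR or the reusable workflow must skip it when the head repository is a fork. Confirm which of those yiisoft/actions does at the ref you call, and if it is the former, guard the job with `if: github.event.pull_request.head.repo.full_name == github.repository` so external contributors do not see a permanently red check. Patch 06 carries the same hunk against the `@master` base, so the two variants should be squashed before the series lands.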
@@ -27,7 +27,7 @@ permissions:
 contents: read
 jobs:
 roave_bc_check:
- uses: yiisoft/actions/.github/workflows/bc.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+ uses: yiisoft/actions/.github/workflows/bc.yml@master
 with:
 os: >-
 ['ubuntu-latest']
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 10818a7..b076b1e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -26,7 +26,7 @@ permissions:
 contents: read
 jobs:
 phpunit:
- uses: yiisoft/actions/.github/workflows/phpunit.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+ uses: yiisoft/actions/.github/workflows/phpunit.yml@master
 with:
 os: >-
 ['ubuntu-latest', 'windows-latest']
diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml
index e37a286..99589c2 100644
--- a/.github/workflows/composer-require-checker.yml
+++ b/.github/workflows/composer-require-checker.yml
@@ -28,7 +28,7 @@ permissions:
 contents: read
 jobs:
 composer-require-checker:
- uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+ uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master
 with:
 os: >-
 ['ubuntu-latest']
diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml
index 862334c..bdd64d4 100644
--- a/.github/workflows/mutation.yml
+++ b/.github/workflows/mutation.yml
@@ -24,7 +24,7 @@ permissions:
 contents: read
 jobs:
 mutation:
- uses: yiisoft/actions/.github/workflows/roave-infection.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+ uses: yiisoft/actions/.github/workflows/roave-infection.yml@master
 with:
 os: >-
 ['ubuntu-latest']
diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml
index 15a6513..0a9abdf 100644
--- a/.github/workflows/rector-cs.yml
+++ b/.github/workflows/rector-cs.yml
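Review bot: Moving the build.yml `uses:` line back from the commit hash to `@master` turns this reusable workflow into a mutable dependency: any push to the yiisoft/actions default branch, including one from a compromised maintainer account, executes in this repository's CI on the next run with no review here. For a same-organisation workflow that may be an accepted trust boundary, but it should be a deliberate one, and the top-level `contents: read` cap that makes it tolerable only holds while no secrets flow into the call (patch 13 in this series later passes `CODECOV_TOKEN` to this very job). If yiisoft/actions publishes tags, a tag such as `@v1` is the usual compromise; otherwise keep the hash and let Dependabot bump it instead of ignoring `yiisoft/*`. The bc.yml, composer-require-checker.yml and mutation.yml hunks on this line make the identical change and carry the same concern.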
@@ -20,6 +20,6 @@ concurrency:
 jobs:
 rector:
- uses: yiisoft/actions/.github/workflows/rector-cs.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+ uses: yiisoft/actions/.github/workflows/rector-cs.yml@master
 with:
 php: '7.4'
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index 17561f3..16cd1ff 100644
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
@@ -26,14 +26,14 @@ permissions:
 contents: read
 jobs:
 psalm:
- uses: yiisoft/actions/.github/workflows/psalm.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+ uses: yiisoft/actions/.github/workflows/psalm.yml@master
 with:
 os: >-
 ['ubuntu-latest']
 php: >-
 ['8.1', '8.2', '8.3', '8.4']
 psalm74-80:
- uses: yiisoft/actions/.github/workflows/psalm.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+ uses: yiisoft/actions/.github/workflows/psalm.yml@master
 with:
 psalm-config: psalm74-80.xml
 os: >-
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..85ca798
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ "yiisoft/*": any
From 3f31666159019e1339e14ba0967c1ce2cc5a9be0 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Sat, 20 Jun 2026 11:48:01 +0300
Subject: [PATCH 08/14] Use master for yiisoft actions
---
 .github/zizmor.yml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .github/zizmor.yml
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..85ca798
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ "yiisoft/*": any
From 5d6140db89495f98fc64d4b6bcfff3c18e1e6652 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Sat, 20 Jun 2026 12:17:30 +0300
Subject: [PATCH 09/14] Use master for yiisoft actions
---
 .github/dependabot.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d7ebdbf..426dc2b 100644
--- a/.github/dependabot.yml
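Review bot: The `"yiisoft/*": any` policy in the new `.github/zizmor.yml` waives the `unpinned-uses` audit for every repository in the organisation, not just the one this repository consumes, so a future `uses: yiisoft/<other>@...` reference would also pass unremarked. Narrow the pattern to the repository actually referenced, `"yiisoft/actions": any`, so the waiver is explicit about what it covers and the org wildcard stays under zizmor's default policy. The same file is created again verbatim in patch 08 and deleted in patch 11, so whichever form survives the series should be the one carrying the narrowed pattern.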
+++ b/.github/dependabot.yml
@@ -9,6 +9,8 @@ updates:
 open-pull-requests-limit: 0
 # Maintain dependencies for Composer
+ ignore:
+ - dependency-name: "yiisoft/*"
 - package-ecosystem: "composer"
 directory: "/"
 schedule:
From 28219629776457116d345f0923d79d02d6aa6816 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Sat, 20 Jun 2026 12:17:34 +0300
Subject: [PATCH 10/14] Use master for yiisoft actions
---
 .github/dependabot.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index cb0e7a1..763f708 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,6 +9,8 @@ updates:
 open-pull-requests-limit: 0
 # Maintain dependencies for Composer
+ ignore:
+ - dependency-name: "yiisoft/*"
 - package-ecosystem: "composer"
 directory: "/"
 schedule:
@@ -20,3 +22,5 @@ updates:
 interval: "weekly"
 cooldown:
 default-days: 7
+ ignore:
+ - dependency-name: "yiisoft/*"
From c2e324a088f7ad26df47060beaf05ccabc735aa0 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Sun, 21 Jun 2026 15:01:38 +0300
Subject: [PATCH 11/14] Remove redundant zizmor config
---
 .github/zizmor.yml | 5 -----
 1 file changed, 5 deletions(-)
 delete mode 100644 .github/zizmor.yml
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
deleted file mode 100644
index 85ca798..0000000
--- a/.github/zizmor.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-rules:
- unpinned-uses:
- config:
- policies:
- "yiisoft/*": any
From 67bc092119170b7fd0cd3fcd793dd5f7845162d5 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Thu, 25 Jun 2026 00:46:54 +0300
Subject: [PATCH 12/14] Fix zizmor workflow findings
---
 .github/dependabot.yml | 2 ++
 .github/workflows/zizmor.yml | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index a4c1ef2..5fd269d 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
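Review bot: The added `ignore:` block sits after the blank line and the `# Maintain dependencies for Composer` comment, directly above `- package-ecosystem: "composer"`, so a reader will attach it to the Composer entry even though the intent, judging by the ignored name and the `@master` refs elsewhere in this series, is to stop Dependabot from touching the GitHub Actions pins. Move the two lines up next to `open-pull-requests-limit: 0`, before the blank line and the comment, so the structure and the prose agree; the indentation is not recoverable from this view, so also confirm it lands inside the GitHub Actions entry and not as a sibling of the list items. Note too that, as far as I recall, `ignore:` also suppresses advisory-driven security updates for the matched dependencies, whereas `open-pull-requests-limit: 0` only stops version-update PRs, so this widens what is silenced for `yiisoft/*`. Patch 10 repeats the same placement in both of its hunks.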
@@ -16,3 +16,5 @@ updates:
 schedule:
 interval: "daily"
 versioning-strategy: increase-if-necessary
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 9465846..430255d 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -14,8 +14,8 @@ on:
 - '.github/**.yaml'
 permissions:
- actions: read
- contents: read
+ actions: read # Required by zizmor when reading workflow metadata through the API.
+ contents: read # Required to read workflow files.
 jobs:
 zizmor:
From 392e179165979959c65787802b7aea00e84c37c7 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Tue, 30 Jun 2026 15:30:04 +0300
Subject: [PATCH 13/14] Restore Codecov settings in build workflow
---
 .github/workflows/build.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b076b1e..6995f25 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -27,7 +27,10 @@ permissions:
 jobs:
 phpunit:
 uses: yiisoft/actions/.github/workflows/phpunit.yml@master
+ secrets:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 with:
+ codecovFailCiIfError: false
 os: >-
 ['ubuntu-latest', 'windows-latest']
 php: >-
From 7c67bd3e288390005f3bda275c192deefc200272 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Tue, 30 Jun 2026 15:35:19 +0300
Subject: [PATCH 14/14] Scope Rector workflow write permission
---
 .github/workflows/rector-cs.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml
index 0a9abdf..f4a9e94 100644
--- a/.github/workflows/rector-cs.yml
+++ b/.github/workflows/rector-cs.yml
@@ -20,6 +20,8 @@ concurrency:
 jobs:
 rector:
+ permissions:
+ contents: write # Required to push PHP CS Fixer and Rector changes back to the branch.
 uses: yiisoft/actions/.github/workflows/rector-cs.yml@master
 with:
 php: '7.4'
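Review bot: The `cooldown:` added to the Composer entry delays every version bump by seven days, which is the right default against freshly published malicious releases, but it also delays the fix for a published advisory unless Dependabot security updates bypass the cooldown; that behaviour cannot be determined from this file, so confirm it against the current Dependabot documentation before relying on it. If security updates are not exempt, carve out the packages you need patched promptly (`cooldown.exclude`, if supported by the version of the schema in use) or treat Dependabot alerts rather than the automatic PRs as the signal for those.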
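Review bot: `CODECOV_TOKEN` is now handed to a reusable workflow referenced at the mutable `@master`, so the secret's exposure is bounded by whatever that branch contains on a given day rather than by a reviewed revision; if the token stays, this is the job that most justifies a hash or tag pin. On `pull_request` runs from forks the secret is empty, which is presumably why `codecovFailCiIfError: false` is set, but that flag equally hides genuine upload failures on `main` where the token is present. Consider scoping the leniency instead, e.g. `codecovFailCiIfError: ${{ github.event_name != 'pull_request' }}`, assuming the reusable workflow accepts an expression for that input.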
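Review bot: Granting `contents: write` at the job level does not deliver the push-back promised in the comment for external contributors: on `pull_request` events from forks GitHub caps the token at read-only regardless of this block, so the write only takes effect for same-repository branches, and the comment should say so, e.g. `contents: write # Pushes Rector/CS fixes back to the branch; effective only for same-repo PRs, fork PRs get a read-only token.` The grant is also handed to a reusable workflow referenced at `@master`, which means any change landing on that branch in yiisoft/actions can push commits into this repository's branches; of all the workflows in this series this is the one where a hash pin with a version comment is worth the maintenance cost. As far as I recall, commits pushed with `GITHUB_TOKEN` do not trigger further workflow runs, so the auto-fixed commit will show no CI results on the PR unless the reusable workflow pushes with a different identity.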