From 90fc30114f9215bedda42202798fff9d5085ffea Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 02:06:49 +0300 Subject: [PATCH 01/10] Add zizmorify configuration --- .github/dependabot.yml | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..6cc00712 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,8 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + cooldown: + default-days: 7 From ddfc07cc93277f434a00c40123e50e64cfe7aa31 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 02:31:30 +0300 Subject: [PATCH 02/10] Add zizmorify workflow --- .github/workflows/zizmor.yml | 37 ++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..e9b7e067 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,37 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: + - main + paths: + - '.github/**.yml' + - '.github/**.yaml' + pull_request: + paths: + - '.github/**.yml' + - '.github/**.yaml' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + zizmor: + name: Run zizmor 🌈 + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + advanced-security: false + annotations: true + persona: 'pedantic' From 7e640e59ec92fb5963e178c9f9325a370227836c Mon Sep 17 00:00:00 2001 
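Review bot: The `paths` filter on both `push` and `pull_request` means this workflow is never started for commits that do not touch `.github/**.yml` or `.github/**.yaml`, so if `Run zizmor 🌈` is ever configured as a required status check, unrelated pull requests would wait on a check that never reports. Either drop the filter (the run is cheap) or keep the check advisory, and record the choice above `on:`, e.g. `# Path-filtered: do not make this job a required check.` The zizmor config file added in PATCH 03 (`.github/zizmor.yml`) is matched by the filter, which is presumably intended.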
From: Alexander Makarov Date: Sat, 20 Jun 2026 11:36:06 +0300 Subject: [PATCH 03/10] Use master for yiisoft actions --- .github/zizmor.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 00000000..85ca7982 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,5 @@ +rules: + unpinned-uses: + config: + policies: + "yiisoft/*": any From 6e347ec8b80a2d7b57d7d74a37ec17250c5a2de8 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sat, 20 Jun 2026 12:05:43 +0300 Subject: [PATCH 04/10] Use master for yiisoft actions --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 6cc00712..9322d3f0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,3 +6,5 @@ updates: interval: "weekly" cooldown: default-days: 7 + ignore: + - dependency-name: "yiisoft/*" From 5a10b05ddfcc16a8f29986145686afa89350f485 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 00:42:47 +0300 Subject: [PATCH 05/10] Harden GitHub workflows --- .github/workflows/docs.yml | 16 +++++++++++----- .github/workflows/github-pages.yml | 16 ++++++++++------ .github/workflows/translate.yml | 16 ++++++++++++---- 3 files changed, 33 insertions(+), 15 deletions(-) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 34e479c9..b9876cbd 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -8,14 +8,19 @@ on: permissions: contents: read - checks: write jobs: build: + permissions: + checks: write + contents: read + runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 + with: + persist-credentials: false - name: Fetch styles run: | 
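Review bot: This patch and PATCH 06 both create `.github/zizmor.yml` with identical contents (same blob `85ca7982`), and PATCH 07 then deletes the file again; applying 06 on top of 03 would presumably fail because the path already exists, so the three should be squashed out of the series. On the content itself, `"yiisoft/*": any` exempts a whole organisation glob from the `unpinned-uses` audit, which is the rule that would otherwise flag a mutable branch reference. If the intent is only to allow tag references rather than bare branches, zizmor's `ref-pin` policy (if I recall its config correctly) keeps the audit meaningful for those actions.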
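Review bot: The `ignore` entry for `dependency-name: "yiisoft/*"` removes Dependabot's only update signal for those actions, and together with the `any` policy in the preceding patch the workflows would run whatever a yiisoft branch head contains at run time, with no pull request or review step in between. If those references must stay on a branch, say so where the exclusion lives, e.g. `# yiisoft/* actions are intentionally consumed from a branch, not a pinned release.` above `ignore:`, so the next maintainer does not re-add them or mistake the exclusion for an oversight.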
@@ -24,7 +29,7 @@ jobs: unzip Microsoft.zip -d .github/styles - name: Check - uses: errata-ai/vale-action@reviewdog + uses: errata-ai/vale-action@85f9f7f2c5f449ac0ae5b66662961bae3f77ca6a with: reporter: github-check fail_on_error: false @@ -37,9 +42,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 with: fetch-depth: 0 + persist-credentials: false - name: Find files to check id: links @@ -82,7 +88,7 @@ jobs: - name: Setup Node.js if: steps.links.outputs.count != '0' - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 with: node-version: 22 cache: npm diff --git a/.github/workflows/github-pages.yml b/.github/workflows/github-pages.yml index 8e20176a..c248de5a 100644 --- a/.github/workflows/github-pages.yml +++ b/.github/workflows/github-pages.yml @@ -8,8 +8,6 @@ on: permissions: contents: read - pages: write - id-token: write concurrency: group: "pages" @@ -20,10 +18,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 + with: + persist-credentials: false - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 with: node-version: 22 cache: npm @@ -35,12 +35,16 @@ jobs: run: npm run build - name: Upload artifact - uses: actions/upload-pages-artifact@v4 + uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b with: path: src/.vitepress/dist deploy: if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }} + permissions: + pages: write + id-token: write + environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} @@ -49,4 +53,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e 
diff --git a/.github/workflows/translate.yml b/.github/workflows/translate.yml index 5b130cde..e13a119a 100644 --- a/.github/workflows/translate.yml +++ b/.github/workflows/translate.yml @@ -1,7 +1,7 @@ name: Update translations on: - pull_request_target: + pull_request: paths: - '_translations/**' push: @@ -10,31 +10,39 @@ on: - '_translations/**' - 'src/**' +permissions: + contents: write jobs: update-docs: name: Update docs runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: token: ${{ secrets.YIISOFT_GITHUB_TOKEN || github.token }} ref: ${{ github.head_ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} + persist-credentials: false - name: Prepare po4a configuration run: _translations/prepare-config.sh - name: Use po4a - uses: vjik/docker-run@v1 + uses: vjik/docker-run@623c9adf6ee99fc8f9fa4e3b0b6b0c25859b69ee with: image: ghcr.io/yiisoft-contrib/po4a:0.74 volumes: ${{ github.workspace }}:/src workdir: /src/_translations command: po4a po4a.conf && po4a po4a.conf + - name: Configure Git credentials + env: + GH_TOKEN: ${{ secrets.YIISOFT_GITHUB_TOKEN || github.token }} + run: git config --global credential.helper '!f() { echo username=x-access-token; echo password=$GH_TOKEN; }; f' + - name: Commit changed files - uses: stefanzweifel/git-auto-commit-action@v5 + uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 with: commit_message: Update translation file_pattern: '_translations src' From 840434bf769c4fe59918d3028eaf925433c57529 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sat, 20 Jun 2026 11:36:00 +0300 Subject: [PATCH 06/10] Use master for yiisoft actions --- .github/zizmor.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 00000000..85ca7982 --- /dev/null +++ b/.github/zizmor.yml 
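Review bot: Replacing `pull_request_target` with `pull_request` is the right call, but the checkout step below still uses `ref: ${{ github.head_ref }}` and `repository: ${{ github.event.pull_request.head.repo.full_name }}`; on a `pull_request` from a fork the job gets a read-only token and no repository secrets, so the later commit-and-push step presumably fails for fork PRs instead of updating the branch. Either gate the job on same-repository PRs, `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or document that fork PRs only get the translation check without the auto-commit. The `on:` block continues outside the hunk.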
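Review bot: `GH_TOKEN` is declared in the `env:` of the `Configure Git credentials` step only, but the credential helper written to global git config reads `$GH_TOKEN` when git actually authenticates, which happens in the following `Commit changed files` step where that variable is not set; unless that action exports it itself, the helper answers with an empty password and the push after `persist-credentials: false` fails. Move the variable to where git runs, e.g. put `GH_TOKEN: ${{ secrets.YIISOFT_GITHUB_TOKEN || github.token }}` in the commit step's `env:` or in the job-level `env:`. The same gap remains in the last hunk of PATCH 10, which replaces this step with inline `git commit`/`git push` and likewise has no `GH_TOKEN` in its `env:`.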
@@ -0,0 +1,5 @@ +rules: + unpinned-uses: + config: + policies: + "yiisoft/*": any From 445e4f6972064476f1890d87f343dc514925bfc1 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sun, 21 Jun 2026 15:00:30 +0300 Subject: [PATCH 07/10] Remove redundant zizmor config --- .github/zizmor.yml | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml deleted file mode 100644 index 85ca7982..00000000 --- a/.github/zizmor.yml +++ /dev/null @@ -1,5 +0,0 @@ -rules: - unpinned-uses: - config: - policies: - "yiisoft/*": any From 8283bb802c587f65785397bd827674391207d6b0 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Wed, 24 Jun 2026 23:23:27 +0300 Subject: [PATCH 08/10] Fix Dependabot GitHub Actions updates --- .github/dependabot.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 9322d3f0..9fb62265 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,5 +1,6 @@ version: 2 updates: + # Maintain dependencies for GitHub Actions. - package-ecosystem: "github-actions" directory: "/" schedule: From 6f5b5d8f99327f49128b6f446bff7815e0d62cc3 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Thu, 25 Jun 2026 00:46:25 +0300 Subject: [PATCH 09/10] Fix zizmor workflow findings --- .github/workflows/zizmor.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 94658469..430255de 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -14,8 +14,8 @@ on: - '.github/**.yaml' permissions: - actions: read - contents: read + actions: read # Required by zizmor when reading workflow metadata through the API. + contents: read # Required to read workflow files. jobs: zizmor: From d36f42bf1d7a6fc19c5da5d8acafdacc3b7190b3 Mon Sep 17 00:00:00 2001 
From: Alexander Makarov Date: Thu, 2 Jul 2026 22:15:40 +0300 Subject: [PATCH 10/10] Fix zizmor workflow findings --- .github/workflows/docs.yml | 35 ++++++++++++++++++++---------- .github/workflows/github-pages.yml | 16 ++++++++------ .github/workflows/translate.yml | 33 ++++++++++++++++++++++------ 3 files changed, 58 insertions(+), 26 deletions(-) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index b9876cbd..cdf5b471 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -7,18 +7,23 @@ on: pull_request: permissions: - contents: read + contents: read # Required to check out repository contents. + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: build: + name: Build documentation permissions: - checks: write - contents: read + checks: write # Required by vale-action to publish check annotations. + contents: read # Required to check out repository contents. runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false @@ -29,7 +34,7 @@ jobs: unzip Microsoft.zip -d .github/styles - name: Check - uses: errata-ai/vale-action@85f9f7f2c5f449ac0ae5b66662961bae3f77ca6a + uses: errata-ai/vale-action@85f9f7f2c5f449ac0ae5b66662961bae3f77ca6a # tag = reviewdog with: reporter: github-check fail_on_error: false @@ -39,10 +44,11 @@ jobs: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} links: + name: Check links runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 0 persist-credentials: false 
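Review bot: The comment `# tag = reviewdog` on the `errata-ai/vale-action` pin should be verified before it is relied on: as far as I recall, `reviewdog` is a branch of that repository rather than a tag, and Dependabot can only keep a hash pin current when the comment names a tag or version it can resolve. If it is a branch, say so explicitly, e.g. `# pinned from the reviewdog branch; bump manually`, so nobody expects automatic updates for this action.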
@@ -50,13 +56,18 @@ jobs: - name: Find files to check id: links shell: bash + env: + EVENT_NAME: ${{ github.event_name }} + PR_BASE_SHA: ${{ github.event.pull_request.base.sha }} + BEFORE_SHA: ${{ github.event.before }} + CURRENT_SHA: ${{ github.sha }} run: | - if [ "${{ github.event_name }}" = "pull_request" ]; then - git diff --name-status --diff-filter=ACMRTD "${{ github.event.pull_request.base.sha }}...HEAD" > changed-files.txt - elif [ "${{ github.event.before }}" = "0000000000000000000000000000000000000000" ]; then - git diff-tree --root --no-commit-id --name-status -r "${{ github.sha }}" > changed-files.txt + if [ "$EVENT_NAME" = "pull_request" ]; then + git diff --name-status --diff-filter=ACMRTD "$PR_BASE_SHA...HEAD" > changed-files.txt + elif [ "$BEFORE_SHA" = "0000000000000000000000000000000000000000" ]; then + git diff-tree --root --no-commit-id --name-status -r "$CURRENT_SHA" > changed-files.txt else - git diff --name-status --diff-filter=ACMRTD "${{ github.event.before }}..${{ github.sha }}" > changed-files.txt + git diff --name-status --diff-filter=ACMRTD "$BEFORE_SHA..$CURRENT_SHA" > changed-files.txt fi check_all=false @@ -88,7 +99,7 @@ jobs: - name: Setup Node.js if: steps.links.outputs.count != '0' - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 22 cache: npm diff --git a/.github/workflows/github-pages.yml b/.github/workflows/github-pages.yml index c248de5a..2e7e1df6 100644 --- a/.github/workflows/github-pages.yml +++ b/.github/workflows/github-pages.yml @@ -7,7 +7,7 @@ on: workflow_dispatch: permissions: - contents: read + contents: read # Required to check out repository contents. concurrency: group: "pages" 
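Review bot: The new `env:` block on `Find files to check` has no comment explaining why event data is routed through variables instead of being interpolated with `${{ }}` into `run:`, so the next maintainer may "simplify" it back to the previous form. Add a line above `env:` such as `# Pass event data via env so expression values are never expanded into the shell script text.` The `run:` script continues past the hunk (`check_all=false` and below).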
@@ -15,15 +15,16 @@ concurrency: jobs: build: + name: Build site runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - name: Setup Node.js - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 22 cache: npm @@ -35,15 +36,16 @@ jobs: run: npm run build - name: Upload artifact - uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b + uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4 with: path: src/.vitepress/dist deploy: + name: Deploy site if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }} permissions: - pages: write - id-token: write + pages: write # Required to publish to GitHub Pages. + id-token: write # Required to authenticate the Pages deployment. environment: name: github-pages @@ -53,4 +55,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 diff --git a/.github/workflows/translate.yml b/.github/workflows/translate.yml index e13a119a..b30039b3 100644 --- a/.github/workflows/translate.yml +++ b/.github/workflows/translate.yml 
@@ -11,14 +11,22 @@ on: - 'src/**' permissions: - contents: write + contents: read # Required to check out repository contents by default. + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: update-docs: name: Update docs + permissions: + contents: write # Required to push generated translation updates. + runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: token: ${{ secrets.YIISOFT_GITHUB_TOKEN || github.token }} ref: ${{ github.head_ref }} @@ -29,7 +37,7 @@ jobs: run: _translations/prepare-config.sh - name: Use po4a - uses: vjik/docker-run@623c9adf6ee99fc8f9fa4e3b0b6b0c25859b69ee + uses: vjik/docker-run@623c9adf6ee99fc8f9fa4e3b0b6b0c25859b69ee # v1 with: image: ghcr.io/yiisoft-contrib/po4a:0.74 volumes: ${{ github.workspace }}:/src @@ -42,7 +50,18 @@ jobs: run: git config --global credential.helper '!f() { echo username=x-access-token; echo password=$GH_TOKEN; }; f' - name: Commit changed files - uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 - with: - commit_message: Update translation - file_pattern: '_translations src' + env: + GIT_AUTHOR_NAME: github-actions[bot] + GIT_AUTHOR_EMAIL: 41898282+github-actions[bot]@users.noreply.github.com + GIT_COMMITTER_NAME: github-actions[bot] + GIT_COMMITTER_EMAIL: 41898282+github-actions[bot]@users.noreply.github.com + run: | + git add _translations src + + if git diff --cached --quiet; then + echo "No translation changes to commit." + exit 0 + fi + + git commit -m "Update translation" + git push
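Review bot: The four `GIT_*` values are plain scalars containing `[`, `]`, `+` and `@` (`github-actions[bot]`, `41898282+github-actions[bot]@users.noreply.github.com`); they parse as strings in block context, but quoting them, e.g. `GIT_AUTHOR_NAME: 'github-actions[bot]'`, matches the quoting used elsewhere in this file (`'_translations/**'`) and keeps them safe if the block is ever moved into flow style. Replacing `git-auto-commit-action` with inline git is a good change since it removes a third-party action from the push path; the `git diff --cached --quiet` early exit correctly skips the commit when nothing is staged.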