From 0a939ecdced349a2ea33fa6de3d0a75b2de74c20 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Thu, 18 Jun 2026 23:48:03 +0300
Subject: [PATCH 1/5] Harden GitHub workflows
---
 .github/workflows/bc.yml | 5 ++++-
 .github/workflows/build.yml | 2 +-
 .github/workflows/composer-require-checker.yml | 2 +-
 .github/workflows/mutation.yml | 2 +-
 .github/workflows/rector-cs.yml | 2 ++
 .github/workflows/static.yml | 2 +-
 6 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml
index ffbd2ed1..fd3a787f 100644
--- a/.github/workflows/bc.yml
+++ b/.github/workflows/bc.yml
@@ -13,13 +13,16 @@ on:
 
 name: backwards compatibility
 
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
 jobs:
 roave_bc_check:
- uses: yiisoft/actions/.github/workflows/bc.yml@master
+ uses: yiisoft/actions/.github/workflows/bc.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
 with:
 os: >-
 ['ubuntu-latest']
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3c1567a3..c53b91c6 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,7 +24,7 @@ concurrency:
 
 jobs:
 phpunit:
- uses: yiisoft/actions/.github/workflows/phpunit.yml@master
+ uses: yiisoft/actions/.github/workflows/phpunit.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
 secrets:
 codecovToken: ${{ secrets.CODECOV_TOKEN }}
 with:
diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml
index 3dccb976..4696d3e5 100644
--- a/.github/workflows/composer-require-checker.yml
+++ b/.github/workflows/composer-require-checker.yml
@@ -24,7 +24,7 @@ concurrency:
 
 jobs:
 composer-require-checker:
- uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master
+ uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
 with:
 php: >-
 ['8.1', '8.2', '8.3', '8.4', '8.5']
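Review bot: The new commit-SHA pins on the `uses:` lines (bc.yml here, and the same line in the build.yml, composer-require-checker.yml, mutation.yml and static.yml hunks of this patch) carry no trailing comment naming the tag or branch the SHA was resolved from, so a reader cannot tell what `ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2` corresponds to, and SHA-update tooling such as Dependabot commonly relies on that comment to know which ref to follow. Suggest appending one on each pinned line, e.g. `uses: yiisoft/actions/.github/workflows/bc.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 # <tag or branch the SHA was taken from>`. The `permissions: contents: read` block is only added to bc.yml in this commit; the other four hunks start at line 24, so whether those files already declare a top-level `permissions:` is not visible here and is worth confirming, since a caller without one hands the called workflow the repository's default token scope.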
diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml
index 44a32d00..a096ccea 100644
--- a/.github/workflows/mutation.yml
+++ b/.github/workflows/mutation.yml
@@ -24,7 +24,7 @@ concurrency:
 
 jobs:
 mutation:
- uses: yiisoft/actions/.github/workflows/roave-infection.yml@master
+ uses: yiisoft/actions/.github/workflows/roave-infection.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
 secrets:
 STRYKER_DASHBOARD_API_KEY: ${{ secrets.STRYKER_DASHBOARD_API_KEY }}
 with:
diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml
index 8806605d..6ac7948c 100644
--- a/.github/workflows/rector-cs.yml
+++ b/.github/workflows/rector-cs.yml
@@ -20,5 +20,7 @@ concurrency:
 jobs:
 rector:
 uses: yiisoft/actions/.github/workflows/rector-cs.yml@master
+ secrets:
+ token: ${{ secrets.YIISOFT_GITHUB_TOKEN }}
 with:
 php: '8.1'
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index 50521d86..d50f13d5 100644
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
@@ -24,7 +24,7 @@ concurrency:
 
 jobs:
 psalm:
- uses: yiisoft/actions/.github/workflows/psalm.yml@master
+ uses: yiisoft/actions/.github/workflows/psalm.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
 with:
 php: >-
 ['8.1', '8.2', '8.3', '8.4', '8.5']
From 75b1e054e9e4fbf5389e7e2c6b09089c333fab13 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Fri, 19 Jun 2026 12:48:42 +0300
Subject: [PATCH 2/5] Remove Rector pull_request_target inputs
---
 .github/workflows/rector-cs.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml
index 6ac7948c..8806605d 100644
--- a/.github/workflows/rector-cs.yml
+++ b/.github/workflows/rector-cs.yml
@@ -20,7 +20,5 @@ concurrency:
 jobs:
 rector:
 uses: yiisoft/actions/.github/workflows/rector-cs.yml@master
- secrets:
- token: ${{ secrets.YIISOFT_GITHUB_TOKEN }}
 with:
 php: '8.1'
From f7ecce102f04ae69af708a5fc18721e6f4288dde Mon Sep 17 00:00:00 2001
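Review bot: In the rector-cs.yml hunk of patch 1 the job that is newly handed a repository token, `secrets: token: ${{ secrets.YIISOFT_GITHUB_TOKEN }}`, is also the only one in that commit left on a mutable ref, `uses: yiisoft/actions/.github/workflows/rector-cs.yml@master`; a reusable workflow tracked by branch can change under this caller without any change in this repository, so this is the job where a SHA pin matters most. Suggest pinning it like the sibling workflows in the same patch, `uses: yiisoft/actions/.github/workflows/rector-cs.yml@<commit SHA> # <tag or branch>`, and confirming in a short comment why a stored PAT is needed rather than the job's own `GITHUB_TOKEN` with an explicit `permissions:` grant. The token's scope is not visible here; if it can push or open pull requests, the `@master` reference effectively extends that trust to anyone who can write to the `yiisoft/actions` default branch.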
From: Alexander Makarov
Date: Sat, 20 Jun 2026 11:46:29 +0300
Subject: [PATCH 3/5] Use master for yiisoft actions
---
 .github/workflows/bc.yml | 2 +-
 .github/workflows/build.yml | 2 +-
 .github/workflows/composer-require-checker.yml | 2 +-
 .github/workflows/mutation.yml | 2 +-
 .github/workflows/static.yml | 2 +-
 .github/zizmor.yml | 5 +++++
 6 files changed, 10 insertions(+), 5 deletions(-)
 create mode 100644 .github/zizmor.yml
diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml
index fd3a787f..5fb60542 100644
--- a/.github/workflows/bc.yml
+++ b/.github/workflows/bc.yml
@@ -22,7 +22,7 @@ concurrency:
 
 jobs:
 roave_bc_check:
- uses: yiisoft/actions/.github/workflows/bc.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+ uses: yiisoft/actions/.github/workflows/bc.yml@master
 with:
 os: >-
 ['ubuntu-latest']
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c53b91c6..3c1567a3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,7 +24,7 @@ concurrency:
 
 jobs:
 phpunit:
- uses: yiisoft/actions/.github/workflows/phpunit.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+ uses: yiisoft/actions/.github/workflows/phpunit.yml@master
 secrets:
 codecovToken: ${{ secrets.CODECOV_TOKEN }}
 with:
diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml
index 4696d3e5..3dccb976 100644
--- a/.github/workflows/composer-require-checker.yml
+++ b/.github/workflows/composer-require-checker.yml
@@ -24,7 +24,7 @@ concurrency:
 
 jobs:
 composer-require-checker:
- uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+ uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master
 with:
 php: >-
 ['8.1', '8.2', '8.3', '8.4', '8.5']
diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml
index a096ccea..44a32d00 100644
--- a/.github/workflows/mutation.yml
+++ b/.github/workflows/mutation.yml
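Review bot: Moving `uses:` back from a commit SHA to `@master` (the bc.yml hunk here, and likewise the build.yml, composer-require-checker.yml, mutation.yml and static.yml hunks of this patch) means each caller again runs whatever is on the `yiisoft/actions` default branch at trigger time, so a mistaken or malicious push to that branch reaches every consuming repository without any change being reviewed here; the `"yiisoft/*": any` policy added in the new zizmor.yml suppresses the finding rather than narrowing that exposure. If tracking the branch is the deliberate trade-off for first-party workflows, record the rationale next to the reference so the next audit does not re-pin it, e.g. `uses: yiisoft/actions/.github/workflows/bc.yml@master # first-party reusable workflow, intentionally tracked on master`. Note that the `permissions: contents: read` block from patch 1 stays in place above this hunk, which is what keeps the blast radius of a bad upstream change bounded to read access for these jobs.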
@@ -24,7 +24,7 @@ concurrency:
 
 jobs:
 mutation:
- uses: yiisoft/actions/.github/workflows/roave-infection.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+ uses: yiisoft/actions/.github/workflows/roave-infection.yml@master
 secrets:
 STRYKER_DASHBOARD_API_KEY: ${{ secrets.STRYKER_DASHBOARD_API_KEY }}
 with:
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index d50f13d5..50521d86 100644
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
@@ -24,7 +24,7 @@ concurrency:
 
 jobs:
 psalm:
- uses: yiisoft/actions/.github/workflows/psalm.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2
+ uses: yiisoft/actions/.github/workflows/psalm.yml@master
 with:
 php: >-
 ['8.1', '8.2', '8.3', '8.4', '8.5']
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 00000000..85ca7982
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ "yiisoft/*": any
From e4a070ac602a2534ed0545e2f111e79ccce2f8b6 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Sat, 20 Jun 2026 12:16:06 +0300
Subject: [PATCH 4/5] Use master for yiisoft actions
---
 .github/dependabot.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d7ebdbfd..426dc2b0 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,6 +9,8 @@ updates:
 open-pull-requests-limit: 0
 
 # Maintain dependencies for Composer
+ ignore:
+ - dependency-name: "yiisoft/*"
 - package-ecosystem: "composer"
 directory: "/"
 schedule:
From 2b7c3c4c38619535018c3f7dcf13b3380ba24df9 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Sun, 21 Jun 2026 15:14:12 +0300
Subject: [PATCH 5/5] Remove redundant zizmor config
---
 .github/zizmor.yml | 5 -----
 1 file changed, 5 deletions(-)
 delete mode 100644 .github/zizmor.yml
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
deleted file mode 100644
index 85ca7982..00000000
--- a/.github/zizmor.yml
+++ /dev/null
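Review bot: In the dependabot.yml hunk the new `ignore:` block is inserted below the `# Maintain dependencies for Composer` comment but above the `- package-ecosystem: "composer"` entry that comment introduces, so structurally it belongs to the preceding update entry (whose `package-ecosystem` line starts above the hunk and is not visible here) while visually it reads as part of the Composer entry. Move the two added lines up to sit directly after `open-pull-requests-limit: 0`, before the blank line and the comment, so placement matches ownership. Since `open-pull-requests-limit: 0` already suppresses version-update pull requests for that entry, the `ignore:` there only affects Dependabot security updates; a one-line comment such as `# keep yiisoft/* references on their branch; do not raise security-update PRs for them` would make that intent explicit for the next reader.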
@@ -1,5 +0,0 @@
-rules:
- unpinned-uses:
- config:
- policies:
- "yiisoft/*": any