From ec25243b0814d8cc86ef1e88e36fbdccb0d073d6 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 00:42:47 +0300 Subject: [PATCH 01/11] Harden GitHub workflows --- .github/workflows/bechmark.yml | 4 +++- .github/workflows/build.yml | 4 +++- .github/workflows/composer-require-checker.yml | 4 +++- .github/workflows/mutation.yml | 4 +++- .github/workflows/rector-cs.yml | 2 +- .github/workflows/static.yml | 4 +++- 6 files changed, 16 insertions(+), 6 deletions(-) diff --git a/.github/workflows/bechmark.yml b/.github/workflows/bechmark.yml index cdd6b5f8..215fd24a 100644 --- a/.github/workflows/bechmark.yml +++ b/.github/workflows/bechmark.yml @@ -24,9 +24,11 @@ on: name: bechmark +permissions: + contents: read jobs: phpbench: - uses: yiisoft/actions/.github/workflows/phpbench.yml@master + uses: yiisoft/actions/.github/workflows/phpbench.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 with: os: >- ['ubuntu-latest', 'windows-latest'] diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b07761af..b8a6f85b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -22,9 +22,11 @@ on: name: build +permissions: + contents: read jobs: phpunit: - uses: yiisoft/actions/.github/workflows/phpunit.yml@master + uses: yiisoft/actions/.github/workflows/phpunit.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 secrets: codecovToken: ${{ secrets.CODECOV_TOKEN }} with: diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml index d2ef508b..df7f55b0 100644 --- a/.github/workflows/composer-require-checker.yml +++ b/.github/workflows/composer-require-checker.yml @@ -24,9 +24,11 @@ on: name: Composer require checker +permissions: + contents: read jobs: composer-require-checker: - uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master + uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml index d746b429..862334cb 100644 --- a/.github/workflows/mutation.yml +++ b/.github/workflows/mutation.yml @@ -20,9 +20,11 @@ on: name: mutation test +permissions: + contents: read jobs: mutation: - uses: yiisoft/actions/.github/workflows/roave-infection.yml@master + uses: yiisoft/actions/.github/workflows/roave-infection.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml index 477cafe8..30071177 100644 --- a/.github/workflows/rector-cs.yml +++ b/.github/workflows/rector-cs.yml @@ -20,6 +20,6 @@ concurrency: jobs: rector: - uses: yiisoft/actions/.github/workflows/rector-cs.yml@master + uses: yiisoft/actions/.github/workflows/rector-cs.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 with: php: '8.1' diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index eec55426..b86304d7 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -22,9 +22,11 @@ on: name: static analysis +permissions: + contents: read jobs: psalm: - uses: yiisoft/actions/.github/workflows/psalm.yml@master + uses: yiisoft/actions/.github/workflows/psalm.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 with: os: >- ['ubuntu-latest'] From 1d4de27a4a7301fc8878016ed28f1c4d18933a23 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 02:08:04 +0300 Subject: [PATCH 02/11] Add zizmorify configuration --- .github/dependabot.yml | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index d7ebdbfd..6cc00712 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,16 +1,8 @@ version: 2 updates: - # Maintain dependencies for GitHub Actions. - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "daily" - # Too noisy. See https://github.community/t/increase-if-necessary-for-github-actions-in-dependabot/179581 - open-pull-requests-limit: 0 - - # Maintain dependencies for Composer - - package-ecosystem: "composer" - directory: "/" - schedule: - interval: "daily" - versioning-strategy: increase-if-necessary + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + cooldown: + default-days: 7 From 48d5c96c852021ee9f09a09b9c6b7d423be700a4 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 02:32:16 +0300 Subject: [PATCH 03/11] Add zizmorify workflow --- .github/workflows/zizmor.yml | 37 ++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..e9b7e067 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,37 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: + - main + paths: + - '.github/**.yml' + - '.github/**.yaml' + pull_request: + paths: + - '.github/**.yml' + - '.github/**.yaml' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + zizmor: + name: Run zizmor 🌈 + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + advanced-security: false + annotations: true + persona: 'pedantic' From 3dc249e6c4d273694e4454418bef26723af1a23c Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 19 Jun 2026 12:01:36 +0300 Subject: [PATCH 04/11] Restore Dependabot non-GitHub-Actions updates --- .github/dependabot.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 6cc00712..cb0e7a1e 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,5 +1,19 @@ version: 2 updates: + # Maintain dependencies for GitHub Actions. + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + # Too noisy. See https://github.community/t/increase-if-necessary-for-github-actions-in-dependabot/179581 + open-pull-requests-limit: 0 + + # Maintain dependencies for Composer + - package-ecosystem: "composer" + directory: "/" + schedule: + interval: "daily" + versioning-strategy: increase-if-necessary - package-ecosystem: "github-actions" directory: "/" schedule: From 0339e5b344ceeb247dbbd90053a64c3a7490d8b4 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sat, 20 Jun 2026 11:37:36 +0300 Subject: [PATCH 05/11] Use master for yiisoft actions --- .github/workflows/bechmark.yml | 2 +- .github/workflows/build.yml | 2 +- .github/workflows/composer-require-checker.yml | 2 +- .github/workflows/mutation.yml | 2 +- .github/workflows/rector-cs.yml | 2 +- .github/workflows/static.yml | 2 +- .github/zizmor.yml | 5 +++++ 7 files changed, 11 insertions(+), 6 deletions(-) create mode 100644 .github/zizmor.yml diff --git a/.github/workflows/bechmark.yml b/.github/workflows/bechmark.yml index 215fd24a..c10d7381 100644 --- a/.github/workflows/bechmark.yml +++ b/.github/workflows/bechmark.yml @@ -28,7 +28,7 @@ permissions: contents: read jobs: phpbench: - uses: yiisoft/actions/.github/workflows/phpbench.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 + uses: yiisoft/actions/.github/workflows/phpbench.yml@master with: os: >- ['ubuntu-latest', 'windows-latest'] diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b8a6f85b..1e4d01dc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -26,7 +26,7 @@ permissions: contents: read jobs: phpunit: - uses: yiisoft/actions/.github/workflows/phpunit.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 + uses: yiisoft/actions/.github/workflows/phpunit.yml@master secrets: codecovToken: ${{ secrets.CODECOV_TOKEN }} with: diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml index df7f55b0..b7d1b7d8 100644 --- a/.github/workflows/composer-require-checker.yml +++ b/.github/workflows/composer-require-checker.yml @@ -28,7 +28,7 @@ permissions: contents: read jobs: composer-require-checker: - uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 + uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml index 862334cb..bdd64d40 100644 --- a/.github/workflows/mutation.yml +++ b/.github/workflows/mutation.yml @@ -24,7 +24,7 @@ permissions: contents: read jobs: mutation: - uses: yiisoft/actions/.github/workflows/roave-infection.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 + uses: yiisoft/actions/.github/workflows/roave-infection.yml@master with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml index 30071177..477cafe8 100644 --- a/.github/workflows/rector-cs.yml +++ b/.github/workflows/rector-cs.yml @@ -20,6 +20,6 @@ concurrency: jobs: rector: - uses: yiisoft/actions/.github/workflows/rector-cs.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 + uses: yiisoft/actions/.github/workflows/rector-cs.yml@master with: php: '8.1' diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index b86304d7..379a28c5 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -26,7 +26,7 @@ permissions: contents: read jobs: psalm: - uses: yiisoft/actions/.github/workflows/psalm.yml@ab62d6b3b0e0cff6c9724ec5a395bedb41c639a2 + uses: yiisoft/actions/.github/workflows/psalm.yml@master with: os: >- ['ubuntu-latest'] diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 00000000..85ca7982 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,5 @@ +rules: + unpinned-uses: + config: + policies: + "yiisoft/*": any From b49154f1e8ec57f6e1c458d617668174ff14283b Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sat, 20 Jun 2026 11:37:41 +0300 Subject: [PATCH 06/11] Use master for yiisoft actions --- .github/zizmor.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 00000000..85ca7982 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,5 @@ +rules: + unpinned-uses: + config: + policies: + "yiisoft/*": any From cc4e42645d28bb39a948f53cab889fbf28a2036d Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sat, 20 Jun 2026 12:07:12 +0300 Subject: [PATCH 07/11] Use master for yiisoft actions --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index d7ebdbfd..426dc2b0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,6 +9,8 @@ updates: open-pull-requests-limit: 0 # Maintain dependencies for Composer + ignore: + - dependency-name: "yiisoft/*" - package-ecosystem: "composer" directory: "/" schedule: From 9f864422d00149865daaa99a2fde578c9e360537 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sat, 20 Jun 2026 12:07:17 +0300 Subject: [PATCH 08/11] Use master for yiisoft actions --- .github/dependabot.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index cb0e7a1e..763f7080 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,6 +9,8 @@ updates: open-pull-requests-limit: 0 # Maintain dependencies for Composer + ignore: + - dependency-name: "yiisoft/*" - package-ecosystem: "composer" directory: "/" schedule: @@ -20,3 +22,5 @@ updates: interval: "weekly" cooldown: default-days: 7 + ignore: + - dependency-name: "yiisoft/*" From 0015215ea072c677ffcd0913e6a682a4c9995361 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sun, 21 Jun 2026 15:01:12 +0300 Subject: [PATCH 09/11] Remove redundant zizmor config --- .github/zizmor.yml | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml deleted file mode 100644 index 85ca7982..00000000 --- a/.github/zizmor.yml +++ /dev/null @@ -1,5 +0,0 @@ -rules: - unpinned-uses: - config: - policies: - "yiisoft/*": any From 46f2ed91ccbdb472d8a258e8d181aa3556cc7ccd Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Wed, 24 Jun 2026 17:59:58 +0300 Subject: [PATCH 10/11] Normalize Dependabot GitHub Actions updates --- .github/dependabot.yml | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 763f7080..01264e0b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,6 +1,6 @@ version: 2 updates: - # Maintain dependencies for GitHub Actions. + - package-ecosystem: "github-actions"\n directory: "/"\n schedule:\n interval: "weekly"\n cooldown:\n default-days: 7\n ignore:\n - dependency-name: "yiisoft/*"\n # Maintain dependencies for GitHub Actions. - package-ecosystem: "github-actions" directory: "/" schedule: @@ -9,18 +9,8 @@ updates: open-pull-requests-limit: 0 # Maintain dependencies for Composer - ignore: - - dependency-name: "yiisoft/*" - package-ecosystem: "composer" directory: "/" schedule: interval: "daily" versioning-strategy: increase-if-necessary - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "weekly" - cooldown: - default-days: 7 - ignore: - - dependency-name: "yiisoft/*" From d2da33b5def6e5ae5defd94fa2efed8136330375 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Wed, 24 Jun 2026 22:39:55 +0300 Subject: [PATCH 11/11] Fix Dependabot GitHub Actions updates --- .github/dependabot.yml | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 01264e0b..a4c1ef2b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,16 +1,18 @@ version: 2 updates: - - package-ecosystem: "github-actions"\n directory: "/"\n schedule:\n interval: "weekly"\n cooldown:\n default-days: 7\n ignore:\n - dependency-name: "yiisoft/*"\n # Maintain dependencies for GitHub Actions. - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "daily" - # Too noisy. See https://github.community/t/increase-if-necessary-for-github-actions-in-dependabot/179581 - open-pull-requests-limit: 0 + # Maintain dependencies for GitHub Actions. + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + cooldown: + default-days: 7 + ignore: + - dependency-name: "yiisoft/*" - # Maintain dependencies for Composer - - package-ecosystem: "composer" - directory: "/" - schedule: - interval: "daily" - versioning-strategy: increase-if-necessary + # Maintain dependencies for Composer + - package-ecosystem: "composer" + directory: "/" + schedule: + interval: "daily" + versioning-strategy: increase-if-necessary