From b0e93b8a2a284c1de245b18a371e17eebb0409e5 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 3 Jul 2026 01:39:26 +0300 Subject: [PATCH 1/2] Use shared BC workflow --- .github/dependabot.yml | 8 -------- .github/workflows/bc.yml | 15 +++++++-------- .github/workflows/build.yml | 13 +++++++++---- .github/workflows/mutation.yml | 15 ++++++++++----- .github/workflows/static.yml | 11 ++++++++--- .github/workflows/zizmor.yml | 22 ++++++++++++++++++++++ composer.json | 2 +- 7 files changed, 57 insertions(+), 29 deletions(-) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 64c8667..10f7e30 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,10 +7,6 @@ updates: interval: "weekly" cooldown: default-days: 7 - groups: - github-actions: - patterns: - - "*" ignore: - dependency-name: "yiisoft/*" @@ -21,8 +17,4 @@ updates: interval: "daily" cooldown: default-days: 7 - groups: - composer-dependencies: - patterns: - - "*" versioning-strategy: increase-if-necessary diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml index 53f95bf..feeb473 100644 --- a/.github/workflows/bc.yml +++ b/.github/workflows/bc.yml @@ -3,13 +3,12 @@ on: push: name: backwards compatibility + +permissions: + contents: read + jobs: roave_bc_check: - name: Roave BC Check - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@master - - name: fetch tags - run: git fetch --depth=1 origin +refs/tags/*:refs/tags/* - - name: Roave BC Check - uses: docker://nyholm/roave-bc-check-ga + uses: yiisoft/actions/.github/workflows/bc.yml@master + with: + php: '["8.4"]' diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index da97b58..5cd1307 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -21,6 +21,9 @@ on: name: build +permissions: + contents: read + jobs: tests: name: PHP ${{ matrix.php }}-pgsql-${{ matrix.pgsql }} 
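Review bot: The new `uses: yiisoft/actions/.github/workflows/bc.yml@master` line in bc.yml references the reusable workflow by a mutable branch, while this same patch pins every third-party action to a full commit SHA. Whatever is on that branch at run time executes in this repository's job, so a change pushed there takes effect here without any diff in this repo. Consider pinning it, `uses: yiisoft/actions/.github/workflows/bc.yml@<full-commit-sha>` (placeholder), or add a comment above the line recording that the same-organisation branch reference is a deliberate trust decision. The same applies to `uses: yiisoft/actions/.github/workflows/zizmor.yml@master` in the new zizmor.yml.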
@@ -50,7 +53,7 @@ jobs: services: postgres: - image: postgres:${{ matrix.pgsql }} + image: postgres:${{ matrix.pgsql }} # zizmor: ignore[unpinned-images] env: POSTGRES_USER: root POSTGRES_PASSWORD: root-password @@ -61,10 +64,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 + with: + persist-credentials: false - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 with: php-version: ${{ matrix.php }} extensions: ${{ env.extensions }} @@ -77,7 +82,7 @@ jobs: run: echo "COMPOSER_CACHE_DIR=$(composer config cache-dir)" >> $GITHUB_ENV - name: Cache dependencies installed with composer - uses: actions/cache@v2 + uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace with: path: ${{ env.COMPOSER_CACHE_DIR }} key: php${{ matrix.php }}-composer-${{ hashFiles('**/composer.json') }} diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml index 08736d8..1d13147 100644 --- a/.github/workflows/mutation.yml +++ b/.github/workflows/mutation.yml @@ -19,6 +19,9 @@ on: name: mutation test +permissions: + contents: read + jobs: mutation: name: PHP ${{ matrix.php }}-${{ matrix.os }} @@ -38,7 +41,7 @@ jobs: services: postgres: - image: postgres:13 + image: postgres:13 # zizmor: ignore[unpinned-images] env: POSTGRES_USER: root POSTGRES_PASSWORD: root-password @@ -49,10 +52,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 + with: + persist-credentials: false - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 with: php-version: ${{ matrix.php }} extensions: ${{ env.extensions }} 
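Review bot: The `# zizmor: ignore[unpinned-images]` suppression added on `image: postgres:${{ matrix.pgsql }}` carries no rationale, so a later reader cannot tell whether the finding was assessed or only silenced. A comment line above it would do, for example `# Tag comes from the job matrix, so a digest pin is not practical; the container is a throwaway test database.` (wording for the author to confirm). mutation.yml adds the same suppression on `image: postgres:13`, where the tag is a fixed literal and a digest pin would be possible. The `services` block continues outside the hunk.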
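Review bot: The SHA pins added in the `Checkout` and `Install PHP` steps have no trailing version comment, so nothing in the file says which release each hash corresponds to. A reviewer has to look each one up to confirm it belongs to the upstream repository's release history. The usual form is `uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # vX.Y.Z`, with the placeholder filled in from the upstream tag. The same applies to the `actions/cache@8492260343ad570701412c2f464a5877dc76bace` pin in the next hunk and to the identical pins in mutation.yml and static.yml.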
@@ -64,7 +69,7 @@ jobs: run: echo "COMPOSER_CACHE_DIR=$(composer config cache-dir)" >> $GITHUB_ENV - name: Cache dependencies installed with composer - uses: actions/cache@v2 + uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace with: path: ${{ env.COMPOSER_CACHE_DIR }} key: php${{ matrix.php }}-composer-${{ hashFiles('**/composer.json') }} @@ -79,6 +84,6 @@ jobs: - name: Run infection run: | - vendor/bin/roave-infection-static-analysis-plugin -j2 --ignore-msi-with-no-mutations --only-covered + vendor/bin/roave-infection-static-analysis-plugin --threads=2 --ignore-msi-with-no-mutations --only-covered env: STRYKER_DASHBOARD_API_KEY: ${{ secrets.STRYKER_DASHBOARD_API_KEY }} diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index 1a70e3d..3403e73 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -21,6 +21,9 @@ on: name: static analysis +permissions: + contents: read + jobs: mutation: name: PHP ${{ matrix.php }}-${{ matrix.os }} @@ -42,10 +45,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 + with: + persist-credentials: false - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@b604ade2a87db23f8871b7182e69ec5e75effb45 with: php-version: ${{ matrix.php }} extensions: ${{ env.extensions }} @@ -56,7 +61,7 @@ jobs: run: echo "COMPOSER_CACHE_DIR=$(composer config cache-dir)" >> $GITHUB_ENV - name: Cache dependencies installed with composer - uses: actions/cache@v2 + uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace with: path: ${{ env.COMPOSER_CACHE_DIR }} key: php${{ matrix.php }}-composer-${{ hashFiles('**/composer.json') }} diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..430255d --- /dev/null +++ b/.github/workflows/zizmor.yml 
@@ -0,0 +1,22 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: + - master + - main + paths: + - '.github/**.yml' + - '.github/**.yaml' + pull_request: + paths: + - '.github/**.yml' + - '.github/**.yaml' + +permissions: + actions: read # Required by zizmor when reading workflow metadata through the API. + contents: read # Required to read workflow files. + +jobs: + zizmor: + uses: yiisoft/actions/.github/workflows/zizmor.yml@master diff --git a/composer.json b/composer.json index 37687fe..39913cc 100644 --- a/composer.json +++ b/composer.json @@ -32,7 +32,7 @@ "yiisoft/mutex": "^1.1" }, "require-dev": { - "phpunit/phpunit": "^10.1", + "phpunit/phpunit": "^9.5", "roave/infection-static-analysis-plugin": "^1.16", "spatie/phpunit-watcher": "^1.23", "vimeo/psalm": "^4.30|^5.3" From 23480cec3e2149e1303246ae8fc8ae569360326d Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Fri, 3 Jul 2026 16:36:35 +0300 Subject: [PATCH 2/2] Adjust BC check PHP version --- .github/workflows/bc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml index feeb473..6088060 100644 --- a/.github/workflows/bc.yml +++ b/.github/workflows/bc.yml @@ -11,4 +11,4 @@ jobs: roave_bc_check: uses: yiisoft/actions/.github/workflows/bc.yml@master with: - php: '["8.4"]' + php: '["8.1"]'
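Review bot: The workflow-level `permissions` block (`actions: read`, `contents: read`) is also the ceiling for the called reusable workflow, because a called workflow cannot be granted more than its caller holds. If yiisoft/actions' zizmor.yml uploads its results to code scanning (its contents are not visible in this patch), the job would also need `security-events: write`. That is better granted at job level under `zizmor:` than workflow-wide. Worth confirming against the shared workflow and recording the outcome next to the existing permission comments.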