diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 0000000..95c1c3e
--- /dev/null
+++ b/.github/dependabot.yaml
@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'weekly'
+    groups:
+      github-actions:
+        patterns:
+          - '*'
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml
index 2cc50dc..84c6479 100644
--- a/.github/workflows/coding-standards.yml
+++ b/.github/workflows/coding-standards.yml
@@ -6,6 +6,13 @@ on:
   push:
     branches: ['2.x', '1.x']
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
 jobs:
   php-cs-fixer:
     name: PHP CS Fixer (PHP ${{ matrix.php-version }})
@@ -18,19 +25,20 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Install PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # 2.37.2
         with:
           coverage: none
           php-version: ${{ matrix.php-version }}
-          tools: cs2pr
 
       - name: Install Composer dependencies
-        uses: ramsey/composer-install@v3
+        uses: ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda # 4.0.0
         with:
           composer-options: '--working-dir=tools/php-cs-fixer'
 
       - name: Run PHP CS Fixer
-        run: 'tools/php-cs-fixer/vendor/bin/php-cs-fixer fix --dry-run --format=checkstyle | cs2pr'
+        run: 'tools/php-cs-fixer/vendor/bin/php-cs-fixer fix --dry-run'
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index 99e6b33..8fdec24 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
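Review bot: Only the `github-actions` ecosystem is configured, so the SHA pins introduced in this commit will be refreshed automatically, but the Composer dependencies the workflows install (the root project and `tools/php-cs-fixer`, both visible in this diff) receive no update PRs from this file. If those directories carry lockfiles, add a `composer` entry per directory, e.g. `- package-ecosystem: 'composer'` / `directory: '/tools/php-cs-fixer'` / `schedule: { interval: 'weekly' }`, and the same for `/`. The wildcard group with a seven-day cooldown is a reasonable default for actions and keeps the pin-and-comment pairs in one PR.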
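Review bot: `cancel-in-progress: true` keyed on `github.ref` also applies to the `push` trigger on `2.x`/`1.x`, so two pushes in quick succession to a release branch cancel the first run and leave that commit with no completed check. Cancellation is only wanted for pull-request head updates; `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` keeps the dedup for PRs while letting branch pushes run to completion. The identical block is added to continuous-integration.yml and static-analysis.yml in this commit and would take the same change. The workflow-level `permissions: contents: read` is the right default and nothing in the visible steps of this file needs more.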
@@ -6,6 +6,13 @@ on:
   push:
     branches: ['2.x', '1.x']
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
 jobs:
   phpunit:
     name: PHPUnit (PHP ${{ matrix.php-version }} - Symfony ${{ matrix.symfony-version }})
@@ -22,20 +29,21 @@ jobs:
           - '8.5'
         symfony-version:
           - '6.4.*'
-          - '7.3.*'
-          - '7.4.*@dev'
+          - '7.4.*'
         include:
-          - php-version: '8.4'
-            symfony-version: '8.0.*@dev'
           - php-version: '8.5'
-            symfony-version: '8.0.*@dev'
+            symfony-version: '8.1.*'
+          - php-version: '8.5'
+            symfony-version: '8.2.*@dev'
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # 2.37.2
         with:
           php-version: ${{ matrix.php-version }}
           extensions: zip
@@ -47,7 +55,7 @@ jobs:
         run: composer config minimum-stability dev
 
       - name: Install Composer dependencies
-        uses: ramsey/composer-install@v3
+        uses: ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda # 4.0.0
 
       - name: Setup Git
         run: |
@@ -59,5 +67,5 @@ jobs:
         run: vendor/bin/phpunit --coverage-clover=coverage.xml
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
         if: matrix.php-version == '8.2' && matrix.symfony-version == '6.4.*'
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index bebd647..c645660 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -6,6 +6,13 @@ on:
   push:
     branches: ['2.x', '1.x']
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
 jobs:
   phpstan:
     name: PHPStan (PHP ${{ matrix.php-version }})
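Review bot: The new `8.5` / `8.2.*@dev` include resolves unreleased Symfony code (the `composer config minimum-stability dev` step in the following hunk is what makes that resolvable), so an upstream dev-branch breakage fails this job and, unless `fail-fast: false` is set in the strategy above this hunk, aborts the rest of the matrix with it. If that entry is meant as an early-warning signal rather than a merge gate, add `continue-on-error: true` to that include entry and wire it to the job via `continue-on-error: ${{ matrix.continue-on-error }}`, keeping the released `8.1.*` entry as the gate. The `persist-credentials: false` on checkout is correct; the `Setup Git` step whose body lies outside the hunk is presumably identity-only and should be checked to confirm it does not depend on the token that is no longer persisted.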
@@ -18,22 +25,23 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Install PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # 2.37.2
         with:
           coverage: none
           php-version: ${{ matrix.php-version }}
-          tools: cs2pr
 
       - name: Install Composer dependencies
-        uses: ramsey/composer-install@v3
+        uses: ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda # 4.0.0
 
       - name: Install Composer dependencies for PHPStan
-        uses: ramsey/composer-install@v3
+        uses: ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda # 4.0.0
         with:
           composer-options: '--working-dir=tools/phpstan'
 
       - name: Run PHPStan
-        run: 'tools/phpstan/vendor/bin/phpstan analyse --error-format=checkstyle | cs2pr'
+        run: 'tools/phpstan/vendor/bin/phpstan analyse'
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
new file mode 100644
index 0000000..d80d6c1
--- /dev/null
+++ b/.github/workflows/zizmor.yaml
@@ -0,0 +1,35 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  pull_request:
+    branches: ["*.x"]
+    paths:
+      - '.github/**.yaml'
+  push:
+    branches: ["*.x"]
+    paths:
+      - '.github/**.yaml'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  zizmor:
+    name: Run zizmor 🌈
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+        with:
+          advanced-security: false
+          annotations: true
+          persona: 'pedantic'
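Review bot: Both `paths` filters match only `.github/**.yaml`, but the three workflows this commit hardens are `coding-standards.yml`, `continuous-integration.yml` and `static-analysis.yml`, so zizmor never runs when those files change and only triggers for `dependabot.yaml` and itself. Add `- '.github/**.yml'` under each `paths:` list (or widen both to `'.github/workflows/**'`), and consider a `schedule:` trigger so newly added zizmor rules are also applied to workflows that have not changed. The job itself is scoped correctly — `contents: read`, `persist-credentials: false`, a SHA-pinned action — and with `advanced-security: false` findings surface only as annotations, so confirm that a `pedantic` finding still fails the job rather than being easy to overlook.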