From 3bdeea0ddf022ba52ffb1822efa8f351c5fff47d Mon Sep 17 00:00:00 2001 From: Ondrej Mirtes Date: Mon, 25 May 2026 12:36:54 +0200 Subject: [PATCH 1/2] Bump GitHub Actions across major versions Major-version bumps, grouped separately so CI can shake out any breaking changes in isolation. All actions remain pinned to commit SHAs: - actions/cache (+ /restore, /save) v4.3.0 -> v5.0.5 - actions/download-artifact v4.3.0 -> v8.0.1 - actions/upload-artifact v4.6.2 -> v7.0.1 - actions/github-script v7.1.0 -> v9.0.0 - actions/setup-node v4.4.0 -> v6.4.0 - astral-sh/setup-uv v7.3.0 -> v8.1.0 - boostsecurityio/poutine-action v0.15.2 -> v1.1.4 - crazy-max/ghaction-import-gpg v6.3.0 -> v7.0.0 - dorny/paths-filter v3.0.2 -> v4.0.1 - peter-evans/create-or-update-comment v4.0.0 -> v5.0.0 - peter-evans/create-pull-request v6.1.0 -> v8.1.1 - peter-evans/find-comment v3.1.0 -> v4.0.0 - peter-evans/repository-dispatch v3.0.0 -> v4.0.1 - stefanzweifel/git-auto-commit-action v5.2.0 -> v7.1.0 - WyriHaximus/github-action-get-previous-tag v1.4.0 -> v2.0.0 download-artifact v5 changed single by-ID downloads to extract directly into `path` instead of nesting under the artifact name. The "Download old artifact by ID" step in phar.yml relied on the nested layout, so pin its `path` to phar-file-checksum to keep phar-file-checksum/phpstan.phar where the following step expects it. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/apiref.yml | 8 ++--- .github/workflows/bench.yml | 2 +- .../claude-react-on-review-dispatch.yml | 2 +- .github/workflows/claude-react-on-review.yml | 2 +- .github/workflows/create-tag.yml | 2 +- .github/workflows/issue-bot.yml | 36 +++++++++---------- .github/workflows/lint-workflows.yml | 4 +-- .github/workflows/phar.yml | 29 ++++++++------- .../workflows/pr-base-on-previous-branch.yml | 2 +- .github/workflows/pr-marked-as-ready.yml | 2 +- .github/workflows/reflection-golden-test.yml | 4 +-- .github/workflows/static-analysis.yml | 4 +-- .github/workflows/tests.yml | 4 +-- .github/workflows/update-phpstorm-stubs.yml | 2 +- 14 files changed, 53 insertions(+), 50 deletions(-) diff --git a/.github/workflows/apiref.yml b/.github/workflows/apiref.yml index 0943e27c45..75c715ced5 100644 --- a/.github/workflows/apiref.yml +++ b/.github/workflows/apiref.yml @@ -53,7 +53,7 @@ jobs: run: "apigen/vendor/bin/apigen -c apigen/apigen.neon --output docs -- src vendor/nikic/php-parser vendor/ondrejmirtes/better-reflection vendor/phpstan/phpdoc-parser" - name: "Upload docs" - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: docs path: docs @@ -71,12 +71,12 @@ jobs: egress-policy: audit - name: "Install Node" - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: "16" - name: "Download docs" - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: docs path: docs @@ -102,7 +102,7 @@ jobs: AWS_ACCESS_KEY_ID: ${{ secrets.APIREF_AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.APIREF_AWS_SECRET_ACCESS_KEY }} - - uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0 + - uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 with: token: ${{ secrets.PHPSTAN_BOT_TOKEN }} repository: "phpstan/phpstan" diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml index 278c9d7adf..ac8ba8ed29 100644 --- a/.github/workflows/bench.yml +++ b/.github/workflows/bench.yml @@ -55,7 +55,7 @@ jobs: run: "tests/vendor/bin/phpbench run --dump-file=tests/bench/storage/baseline.xml --ansi" - name: "Upload baseline artifact" - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: phpbench-baseline path: tests/bench/storage/baseline.xml diff --git a/.github/workflows/claude-react-on-review-dispatch.yml b/.github/workflows/claude-react-on-review-dispatch.yml index 4f9d9c3a10..75b79e9ed2 100644 --- a/.github/workflows/claude-react-on-review-dispatch.yml +++ b/.github/workflows/claude-react-on-review-dispatch.yml @@ -20,7 +20,7 @@ jobs: - name: Download review context id: download - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 continue-on-error: true with: name: review-context diff --git a/.github/workflows/claude-react-on-review.yml b/.github/workflows/claude-react-on-review.yml index 37a6b30001..e6845718e9 100644 --- a/.github/workflows/claude-react-on-review.yml +++ b/.github/workflows/claude-react-on-review.yml @@ -23,7 +23,7 @@ jobs: echo "${{ github.event.pull_request.number }}" > pr_number.txt echo "${{ github.event.review.id }}" > review_id.txt - - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: review-context path: | diff --git a/.github/workflows/create-tag.yml b/.github/workflows/create-tag.yml index 29b200f8f0..98bf7dabfa 100644 --- a/.github/workflows/create-tag.yml +++ b/.github/workflows/create-tag.yml @@ -33,7 +33,7 @@ jobs: - name: 'Get Previous tag' id: previoustag - uses: "WyriHaximus/github-action-get-previous-tag@04e8485ecb6487243907e330d522ff60f02283ce" # v1.4.0 + uses: "WyriHaximus/github-action-get-previous-tag@61819f33034117e6c686e6a31dba995a85afc9de" # v2.0.0 env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/issue-bot.yml b/.github/workflows/issue-bot.yml index ce40d9851b..af0d7ed2eb 100644 --- a/.github/workflows/issue-bot.yml +++ b/.github/workflows/issue-bot.yml @@ -40,14 +40,14 @@ jobs: - name: "Find existing PR comment" id: find-comment - uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0 + uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0 with: issue-number: ${{ github.event.pull_request.number }} body-includes: "" - name: "Mark comment as running" if: steps.find-comment.outputs.comment-id != '' - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 with: comment-id: ${{ steps.find-comment.outputs.comment-id }} edit-mode: replace @@ -87,7 +87,7 @@ jobs: working-directory: "issue-bot" - name: "Cache downloads" - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ./issue-bot/tmp key: "issue-bot-download-v8-${{ github.run_id }}" @@ -106,17 +106,17 @@ jobs: run: | echo "shards=$(jq -c '{include: [range(length) | {shard: .}]}' matrix.json)" >> "$GITHUB_OUTPUT" - - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: playground-cache path: issue-bot/tmp/playgroundCache.tmp - - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: issue-cache path: issue-bot/tmp/issueCache.tmp - - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: matrix path: issue-bot/matrix.json @@ -157,7 +157,7 @@ jobs: - uses: Wandalen/wretry.action@e68c23e6309f2871ca8ae4763e7629b9c258e1ea # v3.8.0 with: - action: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + action: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: | name: playground-cache path: issue-bot/tmp @@ -166,7 +166,7 @@ jobs: - uses: Wandalen/wretry.action@e68c23e6309f2871ca8ae4763e7629b9c258e1ea # v3.8.0 with: - action: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + action: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: | name: matrix path: issue-bot @@ -186,7 +186,7 @@ jobs: timeout-minutes: 5 run: ./console.php run ${{ steps.chunk.outputs.phpVersion }} ${{ steps.chunk.outputs.playgroundExamples }} - - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: results-${{ steps.chunk.outputs.phpVersion }}-${{ steps.chunk.outputs.chunkNumber }} path: issue-bot/tmp/results-${{ steps.chunk.outputs.phpVersion }}-*.tmp @@ -220,17 +220,17 @@ jobs: with: working-directory: "issue-bot" - - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: playground-cache path: issue-bot/tmp - - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: issue-cache path: issue-bot/tmp - - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: results-* merge-multiple: true @@ -276,14 +276,14 @@ jobs: - name: "Upload step summary" if: github.event_name == 'pull_request' - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: step-summary path: issue-bot/tmp/step-summary.md - name: "Upload PR comment body" if: github.event_name == 'pull_request' - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: pr-comment path: issue-bot/tmp/pr-comment.md @@ -322,20 +322,20 @@ jobs: egress-policy: audit - name: "Download PR comment body" - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: pr-comment - name: "Find PR comment" id: find-comment - uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0 + uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0 with: issue-number: ${{ github.event.pull_request.number }} body-includes: "" - name: "Post/update PR comment (changes)" if: needs.evaluate.outputs.pr-evaluate-exit-code == '2' - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 with: comment-id: ${{ steps.find-comment.outputs.comment-id }} issue-number: ${{ github.event.pull_request.number }} @@ -344,7 +344,7 @@ jobs: - name: "Update PR comment (no changes, only if exists)" if: needs.evaluate.outputs.pr-evaluate-exit-code == '0' && steps.find-comment.outputs.comment-id != '' - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 with: comment-id: ${{ steps.find-comment.outputs.comment-id }} edit-mode: replace diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml index 47535a5df1..21dbeb4498 100644 --- a/.github/workflows/lint-workflows.yml +++ b/.github/workflows/lint-workflows.yml @@ -70,7 +70,7 @@ jobs: persist-credentials: false - name: Run Poutine - uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2 + uses: boostsecurityio/poutine-action@e240ebd3eff8b2db5a8e5f6b28f58739d7db2247 # v1.1.4 - name: Upload poutine SARIF file uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 @@ -96,7 +96,7 @@ jobs: persist-credentials: false - name: Install the latest version of uv - uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: enable-cache: false diff --git a/.github/workflows/phar.yml b/.github/workflows/phar.yml index d6ebaa58b2..857708b3eb 100644 --- a/.github/workflows/phar.yml +++ b/.github/workflows/phar.yml @@ -78,7 +78,7 @@ jobs: working-directory: "compiler/build" run: "php ../box/vendor/bin/box compile --no-parallel --sort-compiled-files" - - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: phar-file path: tmp/phpstan.phar @@ -114,7 +114,7 @@ jobs: id: "checksum" run: echo "md5=$(md5sum tmp/phpstan.phar | cut -d' ' -f1)" >> "$GITHUB_OUTPUT" - - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: phar-file-checksum path: tmp/phpstan.phar @@ -122,7 +122,7 @@ jobs: - name: "Delete checksum PHAR" run: "rm tmp/phpstan.phar" - - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: changes with: filters: | @@ -173,7 +173,7 @@ jobs: run: echo "base_sha=${{ github.event.pull_request.base.sha }}" >> "$GITHUB_OUTPUT" - name: Set up Node.js - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 @@ -187,7 +187,7 @@ jobs: - name: Find phar-file-checksum from base commit id: find-artifact - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: BASE_SHA: ${{ steps.base.outputs.base_sha }} ARTIFACT_NAME: phar-file-checksum @@ -199,14 +199,17 @@ jobs: # saved to phar-file-checksum/phpstan.phar - name: Download old artifact by ID - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: artifact-ids: ${{ steps.find-artifact.outputs.artifact_id }} run-id: ${{ steps.find-artifact.outputs.run_id }} github-token: ${{ secrets.GITHUB_TOKEN }} + # download-artifact v5+ extracts single by-ID downloads directly into + # `path`, no longer nested under the artifact name; keep the old layout + path: phar-file-checksum - name: "Upload old artifact" - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: phar-file-checksum-base path: phar-file-checksum/phpstan.phar @@ -225,7 +228,7 @@ jobs: egress-policy: audit - name: "Download base phpstan.phar" - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: phar-file-checksum-base @@ -253,14 +256,14 @@ jobs: # saved to phar-file-checksum/phpstan.phar - name: "Download phpstan.phar" - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: phar-file-checksum path: phar-file-checksum # saved to phar-file-checksum-base/phpstan.phar - name: "Download base phpstan.phar" - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: phar-file-checksum-base path: phar-file-checksum-base @@ -311,7 +314,7 @@ jobs: - name: Import GPG key id: import-gpg - uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0 + uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0 with: gpg_private_key: ${{ secrets.GPG_PHPSTANBOT_PRIVATE_KEY }} passphrase: ${{ secrets.GPG_PHPSTANBOT_KEY_PASSPHRASE }} @@ -363,7 +366,7 @@ jobs: fi - name: "Download phpstan.phar" - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: phar-file @@ -409,7 +412,7 @@ jobs: - name: "Commit PHAR - tag" if: "startsWith(github.ref, 'refs/tags/')" - uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0 + uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0 with: commit_user_name: "phpstan-bot" commit_user_email: "ondrej+phpstanbot@mirtes.cz" diff --git a/.github/workflows/pr-base-on-previous-branch.yml b/.github/workflows/pr-base-on-previous-branch.yml index 5233024eff..f62c27c26e 100644 --- a/.github/workflows/pr-base-on-previous-branch.yml +++ b/.github/workflows/pr-base-on-previous-branch.yml @@ -25,7 +25,7 @@ jobs: egress-policy: audit - name: Comment PR - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 with: body: "You've opened the pull request against the latest branch 2.2.x. PHPStan 2.2 is not going to be released for months. If your code is relevant on 2.1.x and you want it to be released sooner, please rebase your pull request and change its target to 2.1.x." token: ${{ secrets.PHPSTAN_BOT_TOKEN }} diff --git a/.github/workflows/pr-marked-as-ready.yml b/.github/workflows/pr-marked-as-ready.yml index cb8e735ff3..c18f32f558 100644 --- a/.github/workflows/pr-marked-as-ready.yml +++ b/.github/workflows/pr-marked-as-ready.yml @@ -22,7 +22,7 @@ jobs: egress-policy: audit - name: Comment PR - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 with: body: "This pull request has been marked as ready for review." token: ${{ secrets.PHPSTAN_BOT_TOKEN }} diff --git a/.github/workflows/reflection-golden-test.yml b/.github/workflows/reflection-golden-test.yml index df8b5fc0f5..fd7126c48c 100644 --- a/.github/workflows/reflection-golden-test.yml +++ b/.github/workflows/reflection-golden-test.yml @@ -53,7 +53,7 @@ jobs: - name: "Dump phpSymbols.txt" run: "php tests/dump-reflection-test-symbols.php" - - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: phpSymbols path: ${{ env.REFLECTION_GOLDEN_SYMBOLS_FILE }} @@ -108,7 +108,7 @@ jobs: - name: "Dump previous reflection data" run: "php tests/generate-reflection-test.php" - - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: reflection-${{ matrix.php-version }}.test path: ${{ env.REFLECTION_GOLDEN_TEST_FILE }} diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index 13cbc09683..4968a1e47b 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml @@ -72,7 +72,7 @@ jobs: if: failure() && (matrix.php-version == '7.4' || matrix.php-version == '8.0' || matrix.php-version == '8.1') run: "php -d memory_limit=599M bin/phpstan analyse --generate-baseline baseline-php-${{ matrix.php-version }}.neon" - - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: ${{ failure() }} with: name: baseline-${{ matrix.php-version }} @@ -113,7 +113,7 @@ jobs: - uses: "ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda" # v4.0.0 - name: "Cache Result cache" - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ./tmp key: "result-cache-v15-${{ matrix.php-version }}-${{ github.run_id }}" diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index ed027794db..4b6b20da45 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -333,7 +333,7 @@ jobs: echo "name=$(git remote show origin | sed -n '/HEAD branch/s/.*: //p')" >> "$GITHUB_OUTPUT" - name: "Restore result cache" - uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ./tmp key: "result-cache-v1-${{ matrix.php-version }}-${{ github.run_id }}" @@ -364,7 +364,7 @@ jobs: --logger-text=php://stdout - name: "Save result cache" - uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 if: ${{ !cancelled() }} with: path: ./tmp diff --git a/.github/workflows/update-phpstorm-stubs.yml b/.github/workflows/update-phpstorm-stubs.yml index f0fdb8ef20..07b2aa392c 100644 --- a/.github/workflows/update-phpstorm-stubs.yml +++ b/.github/workflows/update-phpstorm-stubs.yml @@ -46,7 +46,7 @@ jobs: run: "./bin/generate-function-metadata.php" - name: "Create Pull Request" id: create-pr - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: token: ${{ secrets.PHPSTAN_BOT_TOKEN }} branch-suffix: random From 87839327d85d559807630236a51404212c3215ff Mon Sep 17 00:00:00 2001 From: Ondrej Mirtes Date: Mon, 25 May 2026 12:48:25 +0200 Subject: [PATCH 2/2] Drop Wandalen/wretry.action retry wrapper around artifact downloads Unwrap the three actions/download-artifact steps that were run through Wandalen/wretry.action (attempt_limit 5, attempt_delay 1000) back into plain steps. All three download by name, so the v5+ by-ID path change does not apply. The reflection-golden-test.yml step was still on the moving actions/download-artifact@v4 tag (nested inside the wretry action: input, so it escaped the SHA pinning); pin it to the v8.0.1 SHA used everywhere else. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/issue-bot.yml | 22 +++++++------------- .github/workflows/reflection-golden-test.yml | 10 +++------ 2 files changed, 10 insertions(+), 22 deletions(-) diff --git a/.github/workflows/issue-bot.yml b/.github/workflows/issue-bot.yml index af0d7ed2eb..9032665a45 100644 --- a/.github/workflows/issue-bot.yml +++ b/.github/workflows/issue-bot.yml @@ -155,23 +155,15 @@ jobs: with: working-directory: "issue-bot" - - uses: Wandalen/wretry.action@e68c23e6309f2871ca8ae4763e7629b9c258e1ea # v3.8.0 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: - action: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 - with: | - name: playground-cache - path: issue-bot/tmp - attempt_limit: 5 - attempt_delay: 1000 - - - uses: Wandalen/wretry.action@e68c23e6309f2871ca8ae4763e7629b9c258e1ea # v3.8.0 + name: playground-cache + path: issue-bot/tmp + + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: - action: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 - with: | - name: matrix - path: issue-bot - attempt_limit: 5 - attempt_delay: 1000 + name: matrix + path: issue-bot - name: "Extract shard" working-directory: "issue-bot" diff --git a/.github/workflows/reflection-golden-test.yml b/.github/workflows/reflection-golden-test.yml index fd7126c48c..dec5c82a6b 100644 --- a/.github/workflows/reflection-golden-test.yml +++ b/.github/workflows/reflection-golden-test.yml @@ -79,14 +79,10 @@ jobs: with: egress-policy: audit - - uses: Wandalen/wretry.action@e68c23e6309f2871ca8ae4763e7629b9c258e1ea # v3.8.0 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: - action: actions/download-artifact@v4 - with: | - name: phpSymbols - path: /tmp - attempt_limit: 5 - attempt_delay: 1000 + name: phpSymbols + path: /tmp - name: "Checkout base commit" uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2