diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 64c8667..10f7e30 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,10 +7,6 @@ updates: interval: "weekly" cooldown: default-days: 7 - groups: - github-actions: - patterns: - - "*" ignore: - dependency-name: "yiisoft/*" @@ -21,8 +17,4 @@ updates: interval: "daily" cooldown: default-days: 7 - groups: - composer-dependencies: - patterns: - - "*" versioning-strategy: increase-if-necessary diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml index 5970206..d23237d 100644 --- a/.github/workflows/bc.yml +++ b/.github/workflows/bc.yml @@ -13,6 +13,9 @@ on: name: backwards compatibility +permissions: + contents: read + jobs: roave_bc_check: uses: yiisoft/actions/.github/workflows/bc.yml@master @@ -20,4 +23,4 @@ jobs: os: >- ['ubuntu-latest'] php: >- - ['8.1'] + ['8.4'] diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 19b694d..35abbae 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -22,6 +22,9 @@ on: name: build +permissions: + contents: read + jobs: phpunit: uses: yiisoft/actions/.github/workflows/phpunit.yml@master diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml index d2ef508..1a56fef 100644 --- a/.github/workflows/composer-require-checker.yml +++ b/.github/workflows/composer-require-checker.yml @@ -24,6 +24,9 @@ on: name: Composer require checker +permissions: + contents: read + jobs: composer-require-checker: uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml index 6677094..257b4a0 100644 --- a/.github/workflows/mutation.yml +++ b/.github/workflows/mutation.yml @@ -20,6 +20,9 @@ on: name: mutation test +permissions: + contents: read + jobs: mutation: uses: yiisoft/actions/.github/workflows/infection.yml@master diff --git a/.github/workflows/rector-cs.yml b/.github/workflows/rector-cs.yml index 6424c2a..d4003af 100644 --- a/.github/workflows/rector-cs.yml +++ b/.github/workflows/rector-cs.yml @@ -1,7 +1,7 @@ name: Rector + PHP CS Fixer on: - pull_request_target: + pull_request: paths: - 'src/**' - 'tests/**' @@ -20,8 +20,5 @@ concurrency: jobs: rector: uses: yiisoft/actions/.github/workflows/rector-cs.yml@master - secrets: - token: ${{ secrets.YIISOFT_GITHUB_TOKEN }} with: - repository: ${{ github.event.pull_request.head.repo.full_name }} php: '8.1' diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index d03874d..cab5775 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -22,6 +22,9 @@ on: name: static analysis +permissions: + contents: read + jobs: psalm: uses: yiisoft/actions/.github/workflows/psalm.yml@master diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..430255d --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,22 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: + - master + - main + paths: + - '.github/**.yml' + - '.github/**.yaml' + pull_request: + paths: + - '.github/**.yml' + - '.github/**.yaml' + +permissions: + actions: read # Required by zizmor when reading workflow metadata through the API. + contents: read # Required to read workflow files. + +jobs: + zizmor: + uses: yiisoft/actions/.github/workflows/zizmor.yml@master