From 4be47e1558675e6db9790f6098f4d2b52c44e968 Mon Sep 17 00:00:00 2001 From: Artem Yeremenko Date: Wed, 27 Aug 2025 17:33:13 +0300 Subject: [PATCH 1/2] Remove unnecessary includes from phpstan.neon.dist. These dependencies are loaded by phpstan/extension-installer plugin --- phpstan.neon.dist | 2 -- 1 file changed, 2 deletions(-) diff --git a/phpstan.neon.dist b/phpstan.neon.dist index a940793..260b5e1 100644 --- a/phpstan.neon.dist +++ b/phpstan.neon.dist @@ -1,6 +1,4 @@ includes: - - vendor/larastan/larastan/extension.neon - - vendor/nesbot/carbon/extension.neon - phpstan-baseline.neon parameters: From 6b3e05614bd79682ed5b238b47e5444d4e2485cb Mon Sep 17 00:00:00 2001 From: Dan Harrin Date: Thu, 14 May 2026 09:31:06 +0100 Subject: [PATCH 2/2] Update GH actions security --- .github/dependabot.yml | 6 +- .github/workflows/dependabot-auto-merge.yml | 33 ---------- .github/workflows/fix-code-style.yml | 42 +++++++++++++ .../workflows/fix-php-code-style-issues.yml | 27 -------- .github/workflows/phpstan.yml | 61 ++++++++++++++++--- .../workflows/{run-tests.yml => tests.yml} | 31 +++++++--- .github/workflows/update-changelog.yml | 10 +-- .github/workflows/zizmor.yml | 28 +++++++++ 8 files changed, 155 insertions(+), 83 deletions(-) delete mode 100644 .github/workflows/dependabot-auto-merge.yml create mode 100644 .github/workflows/fix-code-style.yml delete mode 100644 .github/workflows/fix-php-code-style-issues.yml rename .github/workflows/{run-tests.yml => tests.yml} (61%) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 30c8a49..de6cf05 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -8,5 +8,9 @@ updates: directory: "/" schedule: interval: "weekly" + open-pull-requests-limit: 10 + cooldown: + default-days: 7 labels: - - "dependencies" \ No newline at end of file + - "dependencies" + - "github_actions" 
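Review bot: Removing the two `includes` entries makes the analysis silently depend on `phpstan/extension-installer`, and nothing in this patch shows that the plugin is in `require-dev` or permitted under `config.allow-plugins` in composer.json; if either is missing, the larastan and carbon extensions are quietly not registered and PHPStan runs with weaker rules instead of failing. Worth confirming both before merging, and leaving a breadcrumb in the file so the next reader does not re-add the lines, e.g. `# larastan and nesbot/carbon extensions are registered automatically by phpstan/extension-installer (require-dev + allow-plugins)` above `includes:`.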
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml deleted file mode 100644 index d266418..0000000 --- a/.github/workflows/dependabot-auto-merge.yml +++ /dev/null @@ -1,33 +0,0 @@ -name: "Dependabot Auto-Merge" - -on: pull_request_target - -permissions: - pull-requests: write - contents: write - -jobs: - dependabot: - runs-on: ubuntu-latest - if: ${{ github.actor == 'dependabot[bot]' }} - steps: - - - name: Dependabot metadata - id: metadata - uses: dependabot/fetch-metadata@v1.6.0 - with: - github-token: "${{ secrets.GITHUB_TOKEN }}" - - - name: Auto-merge Dependabot PRs for semver-minor updates - if: ${{steps.metadata.outputs.update-type == 'version-update:semver-minor'}} - run: gh pr merge --auto --merge "$PR_URL" - env: - PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} - - - name: Auto-merge Dependabot PRs for semver-patch updates - if: ${{steps.metadata.outputs.update-type == 'version-update:semver-patch'}} - run: gh pr merge --auto --merge "$PR_URL" - env: - PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/.github/workflows/fix-code-style.yml b/.github/workflows/fix-code-style.yml new file mode 100644 index 0000000..806706f --- /dev/null +++ b/.github/workflows/fix-code-style.yml 
@@ -0,0 +1,42 @@ +name: fix-code-style + +on: + push: + paths: + - '**.php' + +permissions: + contents: write + +jobs: + fix-code-style: + runs-on: ubuntu-latest + steps: + # persist-credentials: true is required so `git-auto-commit-action` below + # can push the reformatted files back to the branch. + - name: Checkout code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked] + + - name: Cache Composer dependencies + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: ~/.composer/cache/files + key: composer-cs-${{ hashFiles('composer.json') }} + restore-keys: | + composer-cs- + + - name: Setup PHP + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 + with: + php-version: 8.3 + + - name: Install dependencies + run: composer install --no-interaction --no-scripts + + - name: Run Pint + run: ./vendor/bin/pint + + - name: Commit changes + uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0 + with: + commit_message: Fix styling diff --git a/.github/workflows/fix-php-code-style-issues.yml b/.github/workflows/fix-php-code-style-issues.yml deleted file mode 100644 index 756a961..0000000 --- a/.github/workflows/fix-php-code-style-issues.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: "Fix PHP Code Styling" - -on: - push: - paths: - - '**.php' - -permissions: - contents: write - -jobs: - php-code-styling: - runs-on: ubuntu-latest - - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - ref: ${{ github.head_ref }} - - - name: Fix PHP code style issues - uses: aglipanci/laravel-pint-action@2.4 - - - name: Commit changes - uses: stefanzweifel/git-auto-commit-action@v5 - with: - commit_message: Fix styling diff --git a/.github/workflows/phpstan.yml b/.github/workflows/phpstan.yml index 3855a08..915cd0d 100644 --- a/.github/workflows/phpstan.yml +++ b/.github/workflows/phpstan.yml 
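Review bot: The `Install dependencies` step resolves and then executes third-party code under a token with `contents: write`: `--no-scripts` stops Composer hooks, but the next step runs `./vendor/bin/pint` from what was just installed, and no `composer.lock` appears in this patch, so if the repository does not commit one each push formats and commits from freshly resolved versions. If a lock file exists, add it to the cache key (`hashFiles('composer.json', 'composer.lock')`); if the package deliberately has none, a comment stating that the bot commit is produced by unpinned tooling is the minimum. Unlike `phpstan` and `tests`, this workflow has no `concurrency` group, so two quick pushes to one branch race and the second `git-auto-commit-action` push fails as non-fast-forward; `concurrency: { group: "${{ github.workflow }}-${{ github.ref }}" }` avoids that. `php-version: 8.3` is a YAML float; quote it (`php-version: '8.3'`) so a future `8.10` does not collapse to `8.1`.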
@@ -1,26 +1,67 @@ -name: PHPStan +name: phpstan on: push: - paths: - - '**.php' - - 'phpstan.neon.dist' + pull_request: + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true jobs: phpstan: - name: phpstan runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + php: [8.3, 8.2, 8.1] + laravel: [11.*, 10.*] + stability: [prefer-stable] + include: + - laravel: 11.* + testbench: 9.* + - laravel: 10.* + testbench: 8.* + exclude: + - laravel: 11.* + php: 8.1 + name: P${{ matrix.php }} - L${{ matrix.laravel }} - ${{ matrix.stability }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Cache Composer dependencies + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: ~/.composer/cache/files + key: composer-${{ matrix.php }}-${{ matrix.laravel }}-${{ hashFiles('composer.json') }} + restore-keys: | + composer-${{ matrix.php }}-${{ matrix.laravel }}- + composer-${{ matrix.php }}- + + - name: Cache PHPStan result + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: /tmp/phpstan + key: phpstan-${{ matrix.php }}-${{ matrix.laravel }}-${{ github.sha }} + restore-keys: | + phpstan-${{ matrix.php }}-${{ matrix.laravel }}- - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 with: - php-version: '8.1' + php-version: ${{ matrix.php }} + extensions: mbstring, pdo, pdo_sqlite coverage: none - - name: Install composer dependencies - uses: ramsey/composer-install@v3 + - name: Install dependencies + run: | + composer require "laravel/framework:${{ matrix.laravel }}" "orchestra/testbench:${{ matrix.testbench }}" --no-interaction --no-update + composer update --${{ matrix.stability }} --prefer-dist --no-interaction - 
name: Run PHPStan run: ./vendor/bin/phpstan --error-format=github diff --git a/.github/workflows/run-tests.yml b/.github/workflows/tests.yml similarity index 61% rename from .github/workflows/run-tests.yml rename to .github/workflows/tests.yml index 99b6755..5a3d3fa 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/tests.yml @@ -1,13 +1,18 @@ -name: run-tests +name: tests on: push: - branches: [main] pull_request: - branches: [main] + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true jobs: - test: + run-tests: runs-on: ${{ matrix.os }} strategy: fail-fast: true @@ -30,11 +35,21 @@ jobs: name: P${{ matrix.php }} - L${{ matrix.laravel }} - ${{ matrix.stability }} - ${{ matrix.os }} steps: - - name: Checkout code - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Cache Composer dependencies + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: ~/.composer/cache/files + key: composer-${{ matrix.os }}-${{ matrix.php }}-${{ matrix.laravel }}-${{ matrix.stability }}-${{ hashFiles('composer.json') }} + restore-keys: | + composer-${{ matrix.os }}-${{ matrix.php }}-${{ matrix.laravel }}- + composer-${{ matrix.os }}-${{ matrix.php }}- - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 with: php-version: ${{ matrix.php }} extensions: dom, curl, libxml, mbstring, zip, pcntl, pdo, sqlite, pdo_sqlite, bcmath, soap, intl, gd, exif, iconv, imagick, fileinfo 
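Review bot: The `Cache PHPStan result` step saves and restores `/tmp/phpstan`, but PHPStan only writes its result cache there if `tmpDir: /tmp/phpstan` is configured, and the patch does not show that setting in `phpstan.neon.dist`; unless it already exists, the step caches an empty directory on every run and the `github.sha`-keyed restore buys nothing. Either add `tmpDir: /tmp/phpstan` under `parameters:` or drop the step. Separately, `php: [8.3, 8.2, 8.1]` are parsed as YAML floats; quote the matrix (`php: ['8.3', '8.2', '8.1']`) so a later `8.10` or `8.0` is not silently turned into `8.1` or `8`.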
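Review bot: `cancel-in-progress: true` now applies to pushes as well as pull requests, because the group falls back to `github.ref`; on `main` a second push cancels the previous commit's run and that commit keeps a cancelled status, so it is no longer possible to tell whether it passed. The usual shape is `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. Dropping the `branches: [main]` filters also means a push to a PR branch in this repository runs both a `push` and a `pull_request` job for the same commit; if that duplication is unintended, keep the filter on `push`.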
@@ -50,7 +65,7 @@ jobs: composer require "laravel/framework:${{ matrix.laravel }}" "orchestra/testbench:${{ matrix.testbench }}" "nesbot/carbon:${{ matrix.carbon }}" --no-interaction --no-update composer update --${{ matrix.stability }} --prefer-dist --no-interaction - - name: List Installed Dependencies + - name: List installed dependencies run: composer show -D - name: Execute tests diff --git a/.github/workflows/update-changelog.yml b/.github/workflows/update-changelog.yml index ec40921..09b951d 100644 --- a/.github/workflows/update-changelog.yml +++ b/.github/workflows/update-changelog.yml @@ -1,4 +1,4 @@ -name: "Update Changelog" +name: update-changelog on: release: @@ -12,19 +12,21 @@ jobs: runs-on: ubuntu-latest steps: + # persist-credentials: true is required so `git-auto-commit-action` below + # can push the CHANGELOG update. - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked] with: ref: main - name: Update Changelog - uses: stefanzweifel/changelog-updater-action@v1 + uses: stefanzweifel/changelog-updater-action@a938690fad7edf25368f37e43a1ed1b34303eb36 # v1.12.0 with: latest-version: ${{ github.event.release.name }} release-notes: ${{ github.event.release.body }} - name: Commit updated CHANGELOG - uses: stefanzweifel/git-auto-commit-action@v5 + uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0 with: branch: main commit_message: Update CHANGELOG diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..fb10097 --- /dev/null +++ b/.github/workflows/zizmor.yml 
@@ -0,0 +1,28 @@ +name: zizmor + +on: + push: + paths: + - '.github/workflows/**' + - '.github/dependabot.yml' + pull_request: + paths: + - '.github/workflows/**' + - '.github/dependabot.yml' + +permissions: + contents: read + +jobs: + zizmor: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + with: + advanced-security: false
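Review bot: `permissions: contents: read` is declared twice with identical content, once at workflow level and again on the `zizmor` job; keep one (job-level grants are what zizmor's own `excessive-permissions` audit prefers) and drop the other. With `advanced-security: false` no SARIF is uploaded to code scanning, so zizmor's non-zero exit on findings is the only enforcement; confirm the `zizmor` check is required in branch protection, otherwise the audit is advisory. The `paths` filter covers only `.github/workflows/**` and `dependabot.yml`, so if this repository ever adds composite actions under `.github/actions/`, changes to them would not be audited; `.github/**` would be a safer filter.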