From e4967e27c321afb291d299b6f36e8060c940e65b Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Tue, 24 Feb 2026 17:02:45 +0000 Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions Signed-off-by: StepSecurity Bot --- .github/actions/downgrade-code/action.yml | 4 +- .github/workflows/apiref.yml | 32 ++++--- .github/workflows/backward-compatibility.yml | 14 +++- .github/workflows/block-merge-commits.yml | 7 +- .github/workflows/build-issue-bot.yml | 16 +++- .github/workflows/changelog-generator.yml | 16 +++- .github/workflows/claude-fix-issue.yml | 18 ++-- .github/workflows/claude-fix-pr-ci.yml | 20 +++-- .../claude-random-easy-fixes-scheduled.yml | 8 ++ .../workflows/claude-random-easy-fixes.yml | 5 ++ .github/workflows/claude-react-on-comment.yml | 21 ++++- .github/workflows/close-issues-on-merge.yml | 8 ++ .github/workflows/create-tag.yml | 15 ++-- .github/workflows/e2e-tests.yml | 25 ++++-- .github/workflows/issue-bot.yml | 61 +++++++++----- .github/workflows/lint.yml | 48 +++++++---- .github/workflows/merge-bot-pr.yml | 9 +- .github/workflows/merge-maintained-branch.yml | 9 +- .github/workflows/phar.yml | 79 ++++++++++++------ .../workflows/pr-base-on-previous-branch.yml | 10 ++- .github/workflows/pr-marked-as-ready.yml | 10 ++- .github/workflows/reflection-golden-test.yml | 32 ++++--- .github/workflows/spelling.yml | 12 ++- .github/workflows/static-analysis.yml | 48 +++++++---- .github/workflows/tests.yml | 83 +++++++++++++------ .github/workflows/update-phpstorm-stubs.yml | 18 ++-- 26 files changed, 452 insertions(+), 176 deletions(-) diff --git a/.github/actions/downgrade-code/action.yml b/.github/actions/downgrade-code/action.yml index e09c61b232..cf9440632b 100644 --- a/.github/actions/downgrade-code/action.yml +++ b/.github/actions/downgrade-code/action.yml @@ -10,7 +10,7 @@ runs: - name: "Change to simple-downgrade PHP version" if: inputs.php-version == '7.4' || inputs.php-version == '8.0' || inputs.php-version == '8.1' - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.4" @@ -25,7 +25,7 @@ runs: - name: "Re-store PHP version" if: inputs.php-version == '7.4' || inputs.php-version == '8.0' || inputs.php-version == '8.1' - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "${{ inputs.php-version }}" diff --git a/.github/workflows/apiref.yml b/.github/workflows/apiref.yml index d22eecb2ab..889ccbf544 100644 --- a/.github/workflows/apiref.yml +++ b/.github/workflows/apiref.yml @@ -28,19 +28,24 @@ jobs: timeout-minutes: 60 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.2" - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Install ApiGen dependencies" - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 with: working-directory: "apigen" @@ -48,7 +53,7 @@ jobs: run: "apigen/vendor/bin/apigen -c apigen/apigen.neon --output docs -- src vendor/nikic/php-parser vendor/ondrejmirtes/better-reflection vendor/phpstan/phpdoc-parser" - name: "Upload docs" - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: docs path: docs @@ -60,19 +65,24 @@ jobs: if: github.repository_owner == 'phpstan' runs-on: "ubuntu-latest" steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Install Node" - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "16" - name: "Download docs" - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: docs path: docs - name: "Sync with S3" - uses: jakejarvis/s3-sync-action@v0.5.1 + uses: jakejarvis/s3-sync-action@be0c4ab89158cac4278689ebedd8407dd5f35a83 # v0.5.1 with: args: --exclude '.git*/*' --follow-symlinks env: @@ -84,7 +94,7 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.APIREF_AWS_SECRET_ACCESS_KEY }} - name: "Invalidate CloudFront" - uses: chetan/invalidate-cloudfront-action@v2 + uses: chetan/invalidate-cloudfront-action@12d242edc7752fca9140c2034be28792ad22c5a8 # v2.4.1 env: DISTRIBUTION: "E37G1C2KWNAPBD" PATHS: '/${{ github.ref_name }}/*' @@ -92,14 +102,14 @@ jobs: AWS_ACCESS_KEY_ID: ${{ secrets.APIREF_AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.APIREF_AWS_SECRET_ACCESS_KEY }} - - uses: peter-evans/repository-dispatch@v3 + - uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0 with: token: ${{ secrets.PHPSTAN_BOT_TOKEN }} repository: "phpstan/phpstan" event-type: check_website_links - name: "Check for broken links" - uses: ScholliYT/Broken-Links-Crawler-Action@v3 + uses: ScholliYT/Broken-Links-Crawler-Action@21eab52f98097989d343116dbbd46dc4541b849b # v3.3.2 with: website_url: 'https://apiref.phpstan.org/${{ github.ref_name }}/index.html' resolve_before_filtering: 'true' diff --git a/.github/workflows/backward-compatibility.yml b/.github/workflows/backward-compatibility.yml index 3e1c466227..57efc92341 100644 --- a/.github/workflows/backward-compatibility.yml +++ b/.github/workflows/backward-compatibility.yml @@ -15,6 +15,9 @@ concurrency: group: bc-${{ github.head_ref || github.run_id }} # will be canceled on subsequent pushes in pull requests but not branches cancel-in-progress: true +permissions: + contents: read + jobs: backward-compatibility: name: "Backward Compatibility" @@ -23,18 +26,23 @@ jobs: timeout-minutes: 60 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.2" - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Install BackwardCompatibilityCheck" run: | diff --git a/.github/workflows/block-merge-commits.yml b/.github/workflows/block-merge-commits.yml index 2399d07570..f94d10b54e 100644 --- a/.github/workflows/block-merge-commits.yml +++ b/.github/workflows/block-merge-commits.yml @@ -9,7 +9,12 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: Block Merge Commits - uses: Morishiri/block-merge-commits-action@v1.0.1 + uses: Morishiri/block-merge-commits-action@a4554c78def8d874966a8d1e20e2971121443755 # v1.0.1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/build-issue-bot.yml b/.github/workflows/build-issue-bot.yml index 6debccc935..f634d4e975 100644 --- a/.github/workflows/build-issue-bot.yml +++ b/.github/workflows/build-issue-bot.yml @@ -18,6 +18,9 @@ concurrency: group: build-issue-bot-${{ github.head_ref || github.run_id }} # will be canceled on subsequent pushes in pull requests but not branches cancel-in-progress: true +permissions: + contents: read + jobs: build-issue-bot: name: "Build Issue Bot" @@ -33,19 +36,24 @@ jobs: - "vendor/bin/phpunit" steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.5" - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Install issue-bot dependencies" - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 with: working-directory: "issue-bot" diff --git a/.github/workflows/changelog-generator.yml b/.github/workflows/changelog-generator.yml index cd76fb3188..2dd24c145b 100644 --- a/.github/workflows/changelog-generator.yml +++ b/.github/workflows/changelog-generator.yml @@ -18,6 +18,9 @@ concurrency: group: changelog-${{ github.head_ref || github.run_id }} # will be canceled on subsequent pushes in pull requests but not branches cancel-in-progress: true +permissions: + contents: read + jobs: changelog-generator: name: "Build Changelog Generator" @@ -26,19 +29,24 @@ jobs: timeout-minutes: 60 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.2" - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Install Changelog Generator dependencies" - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 with: working-directory: "changelog-generator" diff --git a/.github/workflows/claude-fix-issue.yml b/.github/workflows/claude-fix-issue.yml index 84e7338bc6..198b6012b1 100644 --- a/.github/workflows/claude-fix-issue.yml +++ b/.github/workflows/claude-fix-issue.yml @@ -14,6 +14,9 @@ on: required: true type: string +permissions: + contents: read + jobs: fix: name: "Fix #${{ inputs.issue-number }}" @@ -25,22 +28,27 @@ jobs: pull-requests: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: repository: phpstan/phpstan-src ref: "2.1.x" fetch-depth: 0 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.4" ini-file: development extensions: mbstring - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Fetch issue details" id: issue @@ -59,7 +67,7 @@ jobs: echo "$ISSUE_JSON" | jq -r '.body' > /tmp/issue-body.txt - name: "Run Claude Code" - uses: anthropics/claude-code-action@v1 + uses: anthropics/claude-code-action@35a9e0292d36f1186f5d842b14eb575074e8b450 # v1.0.57 with: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} claude_args: "--model claude-opus-4-6" @@ -161,7 +169,7 @@ jobs: - name: "Create Pull Request" id: create-pr - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 with: branch-suffix: random delete-branch: true diff --git a/.github/workflows/claude-fix-pr-ci.yml b/.github/workflows/claude-fix-pr-ci.yml index 912681e59d..154ff46576 100644 --- a/.github/workflows/claude-fix-pr-ci.yml +++ b/.github/workflows/claude-fix-pr-ci.yml @@ -19,9 +19,14 @@ jobs: outputs: status: ${{ steps.waitforstatuschecks.outputs.status }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Wait for status checks" id: waitforstatuschecks - uses: "WyriHaximus/github-action-wait-for-status@v1" + uses: "WyriHaximus/github-action-wait-for-status@b809158b20d3e32350fe2d868a124f7f2e0e4253" # v1 with: ignoreActions: "Wait for CI checks,Fix CI failure,Automerge PRs" checkInterval: 13 @@ -40,6 +45,11 @@ jobs: pull-requests: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Check fix attempt count" id: check-attempts env: @@ -114,14 +124,14 @@ jobs: - name: "Checkout PR branch" if: steps.check-attempts.outputs.skip != 'true' && steps.failures.outputs.skip != 'true' - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: ref: ${{ github.head_ref }} fetch-depth: 0 - name: "Install PHP" if: steps.check-attempts.outputs.skip != 'true' && steps.failures.outputs.skip != 'true' - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.4" @@ -130,11 +140,11 @@ jobs: - name: "Install dependencies" if: steps.check-attempts.outputs.skip != 'true' && steps.failures.outputs.skip != 'true' - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Run Claude Code" if: steps.check-attempts.outputs.skip != 'true' && steps.failures.outputs.skip != 'true' - uses: anthropics/claude-code-action@v1 + uses: anthropics/claude-code-action@35a9e0292d36f1186f5d842b14eb575074e8b450 # v1.0.57 with: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} claude_args: "--model claude-opus-4-6" diff --git a/.github/workflows/claude-random-easy-fixes-scheduled.yml b/.github/workflows/claude-random-easy-fixes-scheduled.yml index fabbfb4153..f9a9e032eb 100644 --- a/.github/workflows/claude-random-easy-fixes-scheduled.yml +++ b/.github/workflows/claude-random-easy-fixes-scheduled.yml @@ -5,6 +5,9 @@ on: # Run 4 times, once an hour at :15, from 9pm CET (20:00 UTC) to 12am CET (23:00 UTC) - cron: '15 20-23 * * *' +permissions: + contents: read + jobs: trigger: runs-on: ubuntu-latest @@ -12,6 +15,11 @@ jobs: contents: read actions: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: Trigger Claude Random Easy Fixes env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/claude-random-easy-fixes.yml b/.github/workflows/claude-random-easy-fixes.yml index 3e84d8e242..7ab8186735 100644 --- a/.github/workflows/claude-random-easy-fixes.yml +++ b/.github/workflows/claude-random-easy-fixes.yml @@ -23,6 +23,11 @@ jobs: issues: read steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Pick random Easy fix issues" id: pick-issues env: diff --git a/.github/workflows/claude-react-on-comment.yml b/.github/workflows/claude-react-on-comment.yml index 1e4dd5d17b..ec3276d503 100644 --- a/.github/workflows/claude-react-on-comment.yml +++ b/.github/workflows/claude-react-on-comment.yml @@ -12,6 +12,9 @@ concurrency: group: claude-pr-reactions-${{ github.event.pull_request.number || github.event.issue.number }} cancel-in-progress: false +permissions: + contents: read + jobs: check-trigger: name: "Check trigger phrase" @@ -20,6 +23,11 @@ jobs: outputs: triggered: ${{ steps.check.outputs.triggered }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Check for trigger phrase" id: check env: @@ -47,23 +55,28 @@ jobs: id-token: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.4" ini-file: development extensions: mbstring - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "React to feedback" - uses: anthropics/claude-code-action@v1 + uses: anthropics/claude-code-action@35a9e0292d36f1186f5d842b14eb575074e8b450 # v1.0.57 with: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} trigger_phrase: "@phpstan-bot" diff --git a/.github/workflows/close-issues-on-merge.yml b/.github/workflows/close-issues-on-merge.yml index e157df37c5..4c411c3365 100644 --- a/.github/workflows/close-issues-on-merge.yml +++ b/.github/workflows/close-issues-on-merge.yml @@ -9,12 +9,20 @@ on: types: - closed +permissions: + contents: read + jobs: close-issues: name: Close linked issues if: github.repository_owner == 'phpstan' && github.event.pull_request.merged == true runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Find and close linked issues" env: GH_TOKEN: ${{ secrets.PHPSTAN_BOT_TOKEN }} diff --git a/.github/workflows/create-tag.yml b/.github/workflows/create-tag.yml index a853501487..493a742a6a 100644 --- a/.github/workflows/create-tag.yml +++ b/.github/workflows/create-tag.yml @@ -20,33 +20,38 @@ jobs: name: "Create tag" runs-on: "ubuntu-latest" steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 token: ${{ secrets.PHPSTAN_BOT_TOKEN }} - name: 'Get Previous tag' id: previoustag - uses: "WyriHaximus/github-action-get-previous-tag@v1" + uses: "WyriHaximus/github-action-get-previous-tag@04e8485ecb6487243907e330d522ff60f02283ce" # v1.4.0 env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - name: 'Get next versions' id: semvers - uses: "WyriHaximus/github-action-next-semvers@v1" + uses: "WyriHaximus/github-action-next-semvers@d079934efaf011a4cf8912d4637097fe35d32b93" # v1 with: version: ${{ steps.previoustag.outputs.tag }} - name: "Create new minor tag" - uses: rickstaa/action-create-tag@v1 + uses: rickstaa/action-create-tag@a1c7777fcb2fee4f19b0f283ba888afa11678b72 # v1.7.2 if: inputs.version == 'minor' with: tag: ${{ steps.semvers.outputs.minor }} message: ${{ steps.semvers.outputs.minor }} - name: "Create new patch tag" - uses: rickstaa/action-create-tag@v1 + uses: rickstaa/action-create-tag@a1c7777fcb2fee4f19b0f283ba888afa11678b72 # v1.7.2 if: inputs.version == 'patch' with: tag: ${{ steps.semvers.outputs.patch }} diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index de91317724..7a378cbb30 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -22,6 +22,9 @@ concurrency: group: e2e-${{ github.head_ref || github.run_id }} # will be canceled on subsequent pushes in pull requests but not branches cancel-in-progress: true +permissions: + contents: read + jobs: result-cache-e2e-tests: name: "Result cache E2E tests" @@ -304,18 +307,23 @@ jobs: ../bashunit -a not_contains 'test.php:7' "$OUTPUT" steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.2" extensions: mbstring ini-values: memory_limit=256M - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Patch PHPStan" run: "patch src/Analyser/Error.php < e2e/PHPStanErrorPatch.patch" @@ -422,18 +430,23 @@ jobs: ../../bin/phpstan analyze steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.2" tools: ${{ matrix.tools }} extensions: ${{ matrix.extensions }} - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Install bashunit" run: "curl -s https://bashunit.typeddevs.com/install.sh | bash -s e2e/ 0.22.0" diff --git a/.github/workflows/issue-bot.yml b/.github/workflows/issue-bot.yml index bb3d3cda92..ea4e4fd42a 100644 --- a/.github/workflows/issue-bot.yml +++ b/.github/workflows/issue-bot.yml @@ -31,22 +31,27 @@ jobs: matrix: ${{ steps.shards.outputs.shards }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.5" - name: "Install issue-bot dependencies" - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 with: working-directory: "issue-bot" - name: "Cache downloads" - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ./issue-bot/tmp key: "issue-bot-download-v7-${{ github.run_id }}" @@ -65,17 +70,17 @@ jobs: run: | echo "shards=$(jq -c '{include: [range(length) | {shard: .}]}' matrix.json)" >> $GITHUB_OUTPUT - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: playground-cache path: issue-bot/tmp/playgroundCache.tmp - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: issue-cache path: issue-bot/tmp/issueCache.tmp - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: matrix path: issue-bot/matrix.json @@ -91,36 +96,41 @@ jobs: matrix: ${{ fromJSON(needs.download.outputs.matrix) }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.5" - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 with: composer-options: "--no-dev" - name: "Install issue-bot dependencies" - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 with: working-directory: "issue-bot" - - uses: Wandalen/wretry.action@v3.8.0 + - uses: Wandalen/wretry.action@e68c23e6309f2871ca8ae4763e7629b9c258e1ea # v3.8.0 with: - action: actions/download-artifact@v4 + action: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: | name: playground-cache path: issue-bot/tmp attempt_limit: 5 attempt_delay: 1000 - - uses: Wandalen/wretry.action@v3.8.0 + - uses: Wandalen/wretry.action@e68c23e6309f2871ca8ae4763e7629b9c258e1ea # v3.8.0 with: - action: actions/download-artifact@v4 + action: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: | name: matrix path: issue-bot @@ -140,7 +150,7 @@ jobs: timeout-minutes: 5 run: ./console.php run ${{ steps.chunk.outputs.phpVersion }} ${{ steps.chunk.outputs.playgroundExamples }} - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: results-${{ steps.chunk.outputs.phpVersion }}-${{ steps.chunk.outputs.chunkNumber }} path: issue-bot/tmp/results-${{ steps.chunk.outputs.phpVersion }}-*.tmp @@ -152,31 +162,36 @@ jobs: runs-on: "ubuntu-latest" steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.5" - name: "Install issue-bot dependencies" - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 with: working-directory: "issue-bot" - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: playground-cache path: issue-bot/tmp - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: issue-cache path: issue-bot/tmp - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: results-* merge-multiple: true @@ -206,7 +221,7 @@ jobs: - name: "Upload step summary" if: github.event_name == 'pull_request' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: step-summary path: issue-bot/tmp/step-summary.md diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 43c2804993..a48cc8087d 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -31,11 +31,16 @@ jobs: - "8.5" steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "${{ matrix.php-version }}" @@ -44,7 +49,7 @@ jobs: if: matrix.php-version == '7.4' || matrix.php-version == '8.0' || matrix.php-version == '8.1' run: "composer require --dev phpunit/phpunit:^9.6 sebastian/diff:^4.0 doctrine/instantiator:^1.0 --update-with-dependencies --ignore-platform-reqs" - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - uses: ./.github/actions/downgrade-code with: @@ -63,18 +68,23 @@ jobs: timeout-minutes: 60 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Checkout build-cs" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: repository: "phpstan/build-cs" path: "build-cs" ref: "2.x" - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.5" @@ -82,10 +92,10 @@ jobs: - name: "Validate Composer" run: "composer validate" - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Install build-cs dependencies" - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 with: working-directory: "build-cs" @@ -102,16 +112,21 @@ jobs: timeout-minutes: 60 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.5" - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Composer Dependency Analyser" run: "make composer-dependency-analyser" @@ -123,16 +138,21 @@ jobs: timeout-minutes: 60 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.5" - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Name Collision Detector" run: "make name-collision" diff --git a/.github/workflows/merge-bot-pr.yml b/.github/workflows/merge-bot-pr.yml index 6d34bb3d80..58a9ddb557 100644 --- a/.github/workflows/merge-bot-pr.yml +++ b/.github/workflows/merge-bot-pr.yml @@ -11,17 +11,22 @@ jobs: name: Automerge PRs runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: 'Wait for status checks' if: github.event.pull_request.user.login == 'phpstan-bot' id: waitforstatuschecks - uses: "WyriHaximus/github-action-wait-for-status@v1" + uses: "WyriHaximus/github-action-wait-for-status@b809158b20d3e32350fe2d868a124f7f2e0e4253" # v1 with: ignoreActions: "automerge,Automerge PRs" checkInterval: 13 env: GITHUB_TOKEN: "${{ secrets.PHPSTAN_BOT_TOKEN }}" - name: Merge Pull Request - uses: juliangruber/merge-pull-request-action@v1 + uses: juliangruber/merge-pull-request-action@d4773803fdc1d1fd46801ab0c56c135df9075de8 # v1.1.1 if: steps.waitforstatuschecks.outputs.status == 'success' with: github-token: "${{ secrets.PHPSTAN_BOT_TOKEN }}" diff --git a/.github/workflows/merge-maintained-branch.yml b/.github/workflows/merge-maintained-branch.yml index 0910e6db4a..8b5aa99578 100644 --- a/.github/workflows/merge-maintained-branch.yml +++ b/.github/workflows/merge-maintained-branch.yml @@ -13,10 +13,15 @@ jobs: if: github.repository_owner == 'phpstan' runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Merge branch" - uses: everlytic/branch-merge@1.1.5 + uses: everlytic/branch-merge@c4a244dc23143f824ae6c022a10732566cb8e973 # 1.1.5 with: github_token: "${{ secrets.PHPSTAN_BOT_TOKEN }}" source_ref: ${{ github.ref }} diff --git a/.github/workflows/phar.yml b/.github/workflows/phar.yml index be5ef62818..ed356e6197 100644 --- a/.github/workflows/phar.yml +++ b/.github/workflows/phar.yml @@ -26,26 +26,31 @@ jobs: compiler_changed: ${{ steps.changes.outputs.compiler }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.2" extensions: mbstring, intl - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 # only sebastian/diff ^4 supports PHP 7.4 so we need that in the PHAR - name: "Downgrade PHPUnit" run: "composer require --dev phpunit/phpunit:^9.6 sebastian/diff:^4.0 doctrine/instantiator:^1.0 --update-with-dependencies --ignore-platform-reqs" - name: "Install compiler dependencies" - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 with: working-directory: "compiler" @@ -65,7 +70,7 @@ jobs: run: "composer dump" - name: "Install Box dependencies" - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 with: working-directory: "compiler/box" @@ -73,7 +78,7 @@ jobs: working-directory: "compiler/build" run: "php ../box/vendor/bin/box compile --no-parallel --sort-compiled-files" - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: phar-file path: tmp/phpstan.phar @@ -88,7 +93,7 @@ jobs: - name: "Set autoloader suffix" run: "composer config autoloader-suffix PHPStanChecksum" - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 env: COMPOSER_ROOT_VERSION: "2.2.x-dev" @@ -109,7 +114,7 @@ jobs: id: "checksum" run: echo "md5=$(md5sum tmp/phpstan.phar | cut -d' ' -f1)" >> $GITHUB_OUTPUT - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: phar-file-checksum path: tmp/phpstan.phar @@ -117,7 +122,7 @@ jobs: - name: "Delete checksum PHAR" run: "rm tmp/phpstan.phar" - - uses: dorny/paths-filter@v3 + - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: changes with: filters: | @@ -156,14 +161,19 @@ jobs: if: github.event_name == 'pull_request' && needs.compiler-tests.outputs.compiler_changed == 'true' runs-on: "ubuntu-latest" steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Get base commit SHA id: base run: echo "base_sha=${{ github.event.pull_request.base.sha }}" >> "$GITHUB_OUTPUT" - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 20 @@ -177,7 +187,7 @@ jobs: - name: Find phar-file-checksum from base commit id: find-artifact - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 env: BASE_SHA: ${{ steps.base.outputs.base_sha }} ARTIFACT_NAME: phar-file-checksum @@ -189,14 +199,14 @@ jobs: # saved to phar-file-checksum/phpstan.phar - name: Download old artifact by ID - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: artifact-ids: ${{ steps.find-artifact.outputs.artifact_id }} run-id: ${{ steps.find-artifact.outputs.run_id }} github-token: ${{ secrets.GITHUB_TOKEN }} - name: "Upload old artifact" - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: phar-file-checksum-base path: phar-file-checksum/phpstan.phar @@ -209,8 +219,13 @@ jobs: runs-on: "ubuntu-latest" steps: # saved to phpstan.phar + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Download base phpstan.phar" - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: phar-file-checksum-base @@ -229,32 +244,37 @@ jobs: needs: download-base-sha-phar runs-on: "ubuntu-latest" steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 # saved to phar-file-checksum/phpstan.phar - name: "Download phpstan.phar" - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: phar-file-checksum path: phar-file-checksum # saved to phar-file-checksum-base/phpstan.phar - name: "Download base phpstan.phar" - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: phar-file-checksum-base path: phar-file-checksum-base - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.2" - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Install Box dependencies" - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 with: working-directory: "compiler/box" @@ -283,10 +303,15 @@ jobs: runs-on: "ubuntu-latest" timeout-minutes: 60 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: Import GPG key id: import-gpg - uses: crazy-max/ghaction-import-gpg@v6 + uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0 with: gpg_private_key: ${{ secrets.GPG_PHPSTANBOT_PRIVATE_KEY }} passphrase: ${{ secrets.GPG_PHPSTANBOT_KEY_PASSPHRASE }} @@ -295,7 +320,7 @@ jobs: git_commit_gpgsign: true - name: "Checkout phpstan-dist" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: repository: phpstan/phpstan path: phpstan-dist @@ -308,7 +333,7 @@ jobs: run: echo "sha=$(sed -n '2p' .phar-checksum)" >> $GITHUB_OUTPUT - name: "Checkout phpstan-src" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 path: phpstan-src @@ -338,7 +363,7 @@ jobs: fi - name: "Download phpstan.phar" - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: phar-file @@ -364,7 +389,7 @@ jobs: run: "gpg --verify phpstan.phar.asc" - name: "Install lucky_commit" - uses: baptiste0928/cargo-install@v3 + uses: baptiste0928/cargo-install@f204293d9709061b7bc1756fec3ec4e2cd57dec0 # v3.4.0 with: crate: lucky_commit args: --no-default-features @@ -384,7 +409,7 @@ jobs: - name: "Commit PHAR - tag" if: "startsWith(github.ref, 'refs/tags/')" - uses: stefanzweifel/git-auto-commit-action@v5 + uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0 with: commit_user_name: "phpstan-bot" commit_user_email: "ondrej+phpstanbot@mirtes.cz" diff --git a/.github/workflows/pr-base-on-previous-branch.yml b/.github/workflows/pr-base-on-previous-branch.yml index 34ef71bb83..2776247343 100644 --- a/.github/workflows/pr-base-on-previous-branch.yml +++ b/.github/workflows/pr-base-on-previous-branch.yml @@ -10,14 +10,22 @@ on: - '2.2.x' +permissions: + contents: read + jobs: comment: name: "Comment on pull request" runs-on: 'ubuntu-latest' steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: Comment PR - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: body: "You've opened the pull request against the latest branch 2.2.x. PHPStan 2.2 is not going to be released for months. If your code is relevant on 2.1.x and you want it to be released sooner, please rebase your pull request and change its target to 2.1.x." token: ${{ secrets.PHPSTAN_BOT_TOKEN }} diff --git a/.github/workflows/pr-marked-as-ready.yml b/.github/workflows/pr-marked-as-ready.yml index b9785a2a3c..03182b1e41 100644 --- a/.github/workflows/pr-marked-as-ready.yml +++ b/.github/workflows/pr-marked-as-ready.yml @@ -7,14 +7,22 @@ on: types: - ready_for_review +permissions: + contents: read + jobs: comment: name: "Comment on pull request" runs-on: 'ubuntu-latest' steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: Comment PR - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: body: "This pull request has been marked as ready for review." token: ${{ secrets.PHPSTAN_BOT_TOKEN }} diff --git a/.github/workflows/reflection-golden-test.yml b/.github/workflows/reflection-golden-test.yml index f57fa94f9b..4ca96ccde2 100644 --- a/.github/workflows/reflection-golden-test.yml +++ b/.github/workflows/reflection-golden-test.yml @@ -32,23 +32,28 @@ jobs: runs-on: "ubuntu-latest" steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.3" # Include exotic extensions to discover more symbols extensions: ds,mbstring,runkit7,scoutapm,seaslog,simdjson,var_representation,yac - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Dump phpSymbols.txt" run: "php tests/dump-reflection-test-symbols.php" - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: phpSymbols path: ${{ env.REFLECTION_GOLDEN_SYMBOLS_FILE }} @@ -69,7 +74,12 @@ jobs: - "8.5" steps: - - uses: Wandalen/wretry.action@v3.8.0 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + + - uses: Wandalen/wretry.action@e68c23e6309f2871ca8ae4763e7629b9c258e1ea # v3.8.0 with: action: actions/download-artifact@v4 with: | @@ -79,12 +89,12 @@ jobs: attempt_delay: 1000 - name: "Checkout base commit" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: ref: ${{ github.event.pull_request.base.sha || github.event.before }} - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "${{ matrix.php-version }}" @@ -93,20 +103,20 @@ jobs: ini-file: development ini-values: memory_limit=2G - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Dump previous reflection data" run: "php tests/generate-reflection-test.php" - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: reflection-${{ matrix.php-version }}.test path: ${{ env.REFLECTION_GOLDEN_TEST_FILE }} - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Reflection golden test" run: "make tests-golden-reflection || true" diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml index 24f48d2bb7..442cd7347e 100644 --- a/.github/workflows/spelling.yml +++ b/.github/workflows/spelling.yml @@ -8,16 +8,24 @@ on: branches: - "2.2.x" +permissions: + contents: read + jobs: typos: name: "Check for typos" runs-on: "ubuntu-latest" steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Check for typos" - uses: "crate-ci/typos@v1" + uses: "crate-ci/typos@57b11c6b7e54c402ccd9cda953f1072ec4f78e33" # v1.43.5 with: files: "README.md src/" diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index 681d948eb3..c16667fdd4 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml @@ -38,11 +38,16 @@ jobs: operating-system: [ubuntu-latest, windows-latest] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "${{ matrix.php-version }}" @@ -54,7 +59,7 @@ jobs: shell: bash run: "composer require --dev phpunit/phpunit:^9.6 sebastian/diff:^4.0 doctrine/instantiator:^1.0 --update-with-dependencies --ignore-platform-reqs" - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - uses: ./.github/actions/downgrade-code with: @@ -67,7 +72,7 @@ jobs: if: failure() && (matrix.php-version == '7.4' || matrix.php-version == '8.0' || matrix.php-version == '8.1') run: "php -d memory_limit=599M bin/phpstan analyse --generate-baseline baseline-php-${{ matrix.php-version }}.neon" - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: ${{ failure() }} with: name: baseline-${{ matrix.php-version }} @@ -89,21 +94,26 @@ jobs: - "8.5" steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "${{ matrix.php-version }}" ini-file: development extensions: mbstring - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Cache Result cache" - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ./tmp key: "result-cache-v15-${{ matrix.php-version }}-${{ github.run_id }}" @@ -126,17 +136,22 @@ jobs: timeout-minutes: 60 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.2" ini-file: development - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Generate baseline" run: | @@ -151,17 +166,22 @@ jobs: timeout-minutes: 60 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.2" ini-file: development - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Generate baseline" run: | diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index cfd7829136..56461bf177 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -38,11 +38,16 @@ jobs: operating-system: [ ubuntu-latest, windows-latest ] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "${{ matrix.php-version }}" @@ -76,11 +81,16 @@ jobs: operating-system: [ ubuntu-latest, windows-latest ] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "${{ matrix.php-version }}" @@ -89,7 +99,7 @@ jobs: ini-file: development ini-values: memory_limit=-1 - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Check PHP configuration" run: "vendor/bin/phpunit --check-php-configuration" @@ -108,11 +118,16 @@ jobs: operating-system: [ ubuntu-latest, windows-latest ] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.2" @@ -121,7 +136,7 @@ jobs: ini-file: development ini-values: memory_limit=-1 - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Check PHP configuration" run: "vendor/bin/phpunit --check-php-configuration" @@ -135,11 +150,16 @@ jobs: timeout-minutes: 60 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.3" @@ -148,7 +168,7 @@ jobs: ini-file: development ini-values: memory_limit=1G - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - id: set-matrix run: echo "matrix=$(php .github/workflows/tests-levels-matrix.php)" >> $GITHUB_OUTPUT @@ -169,11 +189,16 @@ jobs: script: "${{fromJson(needs.tests-levels-matrix.outputs.matrix)}}" steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.3" @@ -182,7 +207,7 @@ jobs: ini-file: development ini-values: memory_limit=-1 - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Check PHP configuration" run: "vendor/bin/phpunit --check-php-configuration" @@ -208,11 +233,16 @@ jobs: operating-system: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "${{ matrix.php-version }}" @@ -225,7 +255,7 @@ jobs: shell: bash run: "composer require --dev phpunit/phpunit:^9.6 sebastian/diff:^4.0 doctrine/instantiator:^1.0 --update-with-dependencies --ignore-platform-reqs" - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Downgrade PHPUnit with Paratest" shell: bash @@ -253,11 +283,16 @@ jobs: operating-system: [ubuntu-latest] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: "Checkout build-infection" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: repository: "phpstan/build-infection" path: "build-infection" @@ -268,9 +303,9 @@ jobs: php-version: "${{ matrix.php-version }}" php-extensions: ds,mbstring - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 with: working-directory: "tests/" @@ -280,7 +315,7 @@ jobs: composer require --dev phpunit/phpunit:^12 brianium/paratest:^7.16 symfony/process:^7 symfony/string:^7 symfony/console:^7 --update-with-dependencies --ignore-platform-reqs --working-dir=tests composer require --dev phpunit/phpunit:^12 sebastian/diff --update-with-dependencies --ignore-platform-reqs - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 with: working-directory: "build-infection/" @@ -298,7 +333,7 @@ jobs: echo "name=$(git remote show origin | sed -n '/HEAD branch/s/.*: //p')" >> $GITHUB_OUTPUT - name: "Restore result cache" - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ./tmp key: "result-cache-v1-${{ matrix.php-version }}-${{ github.run_id }}" @@ -329,7 +364,7 @@ jobs: --logger-text=php://stdout - name: "Save result cache" - uses: actions/cache/save@v4 + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 if: ${{ !cancelled() }} with: path: ./tmp diff --git a/.github/workflows/update-phpstorm-stubs.yml b/.github/workflows/update-phpstorm-stubs.yml index ad4ae46d60..bbc3f68ee5 100644 --- a/.github/workflows/update-phpstorm-stubs.yml +++ b/.github/workflows/update-phpstorm-stubs.yml @@ -7,26 +7,34 @@ on: # * is a special character in YAML so you have to quote this string - cron: '0 0 * * 2' +permissions: + contents: read + jobs: update-phpstorm-stubs: name: "Update PhpStorm stubs" if: ${{ github.repository == 'phpstan/phpstan-src' }} runs-on: "ubuntu-latest" steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: ref: 2.1.x fetch-depth: '0' token: ${{ secrets.PHPSTAN_BOT_TOKEN }} - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.2" - - uses: "ramsey/composer-install@v3" + - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - name: "Checkout stubs" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: path: "phpstorm-stubs" repository: "jetbrains/phpstorm-stubs" @@ -38,7 +46,7 @@ jobs: run: "./bin/generate-function-metadata.php" - name: "Create Pull Request" id: create-pr - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 with: token: ${{ secrets.PHPSTAN_BOT_TOKEN }} branch-suffix: random