Lint workflows

.github/actionlint-matcher.json

@@ -0,0 +1,17 @@
+{
+  "problemMatcher": [
+    {
+      "owner": "actionlint",
+      "pattern": [
+        {
+          "regexp": "^(?:\\x1b\\[\\d+m)?(.+?)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*: (?:\\x1b\\[\\d+m)*(.+?)(?:\\x1b\\[\\d+m)* \\[(.+?)\\]$",
+          "file": 1,
+          "line": 2,
+          "column": 3,
+          "message": 4,
+          "code": 5
+        }
+      ]
+    }
+  ]
+}

.github/actionlint.yaml

@@ -0,0 +1,23 @@
+self-hosted-runner:
+  # Labels of self-hosted runner in array of strings.
+  labels:
+    - blacksmith-4vcpu-ubuntu-2404
+
+# Configuration variables in array of strings defined in your repository or
+# organization. `null` means disabling configuration variables check.
+# Empty array means no configuration variable is allowed.
+config-variables: null
+
+# Configuration for file paths. The keys are glob patterns to match to file
+# paths relative to the repository root. The values are the configurations for
+# the file paths. Note that the path separator is always '/'.
+# The following configurations are available.
+#
+# "ignore" is an array of regular expression patterns. Matched error messages
+# are ignored. This is similar to the "-ignore" command line option.
+paths:
+  .github/workflows/**/*.{yml,yaml}:
+    # List of regular expressions to filter errors by the error messages.
+    ignore:
+      # Ignore the specific error from shellcheck
+      - 'shellcheck reported issue in this script: SC2129:.+'

.github/workflows/backward-compatibility.yml

@@ -51,4 +51,4 @@ jobs:
           composer global require --dev ondrejmirtes/backward-compatibility-check:^7.3.0.1
 
       - name: "Check"
-        run: "$(composer global config bin-dir --absolute)/roave-backward-compatibility-check"
+        run: '"$(composer global config bin-dir --absolute)"/roave-backward-compatibility-check'

.github/workflows/issue-bot.yml

@@ -68,7 +68,7 @@
         id: shards
         working-directory: "issue-bot"
         run: |
-          echo "shards=$(jq -c '{include: [range(length) | {shard: .}]}' matrix.json)" >> $GITHUB_OUTPUT
+          echo "shards=$(jq -c '{include: [range(length) | {shard: .}]}' matrix.json)" >> "$GITHUB_OUTPUT"
 
       - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
@@ -210,7 +210,7 @@
           ./console.php evaluate > tmp/step-summary.md
           exit_code="$?"
 
-          cat tmp/step-summary.md >> $GITHUB_STEP_SUMMARY
+          cat tmp/step-summary.md >> "$GITHUB_STEP_SUMMARY"
 
           if [[ "$exit_code" == "2" ]]; then
             echo "::notice file=.github/workflows/issue-bot.yml,line=3 ::Issue bot detected open issues which are affected by this pull request - see https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
@@ -235,7 +235,7 @@
           PHPSTAN_SRC_COMMIT_AFTER: ${{ github.event.after }}
         run: |
           set +e
-          ./console.php evaluate --post-comments >> $GITHUB_STEP_SUMMARY
+          ./console.php evaluate --post-comments >> "$GITHUB_STEP_SUMMARY"
           exit_code="$?"
 
           # its fine when issue-bot found affected issues

.github/workflows/lint-workflows.yml

@@ -0,0 +1,113 @@
+# Configuration from:
+# https://github.com/johnbillion/plugin-infrastructure/blob/571cba96190304963285181e2b928d941b9ec7c4/.github/workflows/reusable-workflow-lint.yml
+
+name: Lint GitHub Actions workflows
+on:
+  pull_request:
+  push:
+    branches:
+      - "2.1.x"
+
+permissions: {}
+
+jobs:
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Check workflow files
+        run: |
+          echo "::add-matcher::.github/actionlint-matcher.json"
+          bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+          ./actionlint -color
+        shell: bash
+
+  octoscan:
+    name: Octoscan
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Required for codeql-action/upload-sarif to upload SARIF files.
+    timeout-minutes: 10
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Run octoscan
+        id: octoscan
+        uses: synacktiv/action-octoscan@6b1cf2343893dfb9e5f75652388bd2dc83f456b0 # v1.0.0
+        with:
+          filter_triggers: ''
+
+      - name: Upload SARIF file to GitHub
+        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        with:
+          sarif_file: "${{steps.octoscan.outputs.sarif_output}}"
+          category: octoscan
+          wait-for-processing: false
+
+  poutine:
+    name: Poutine
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Required for codeql-action/upload-sarif to upload SARIF files.
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run Poutine
+        uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2
+
+      - name: Upload poutine SARIF file
+        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        with:
+          sarif_file: results.sarif
+          category: poutine
+          wait-for-processing: false
+
+  zizmor:
+    name: Zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Required for codeql-action/upload-sarif to upload SARIF files.
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
+        with:
+          enable-cache: false
+
+      - name: Run zizmor
+        run: uvx zizmor@1.20.0 --persona=auditor --format=sarif --strict-collection . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        with:
+          sarif_file: results.sarif
+          category: zizmor
+          wait-for-processing: false

.github/workflows/phar.yml

@@ -112,7 +112,7 @@
 
       - name: "Save checksum"
         id: "checksum"
-        run: echo "md5=$(md5sum tmp/phpstan.phar | cut -d' ' -f1)" >> $GITHUB_OUTPUT
+        run: echo "md5=$(md5sum tmp/phpstan.phar | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
 
       - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
@@ -231,7 +231,7 @@
 
       - name: "Save old checksum"
         id: "old_checksum"
-        run: echo "md5=$(md5sum phpstan.phar | cut -d' ' -f1)" >> $GITHUB_OUTPUT
+        run: echo "md5=$(md5sum phpstan.phar | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
 
       - name: "Assert checksum"
         run: |
@@ -330,7 +330,7 @@
       - name: "Get previous pushed dist commit"
         id: previous-commit
         working-directory: phpstan-dist
-        run: echo "sha=$(sed -n '2p' .phar-checksum)" >> $GITHUB_OUTPUT
+        run: echo "sha=$(sed -n '2p' .phar-checksum)" >> "$GITHUB_OUTPUT"
 
       - name: "Checkout phpstan-src"
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
@@ -342,24 +342,24 @@
         id: git-log
         working-directory: phpstan-src
         run: |
-          echo "log<<MESSAGE" >> $GITHUB_OUTPUT
-          echo "$(git log ${{ steps.previous-commit.outputs.sha }}..${{ github.event.after }} --reverse --pretty='https://github.com/phpstan/phpstan-src/commit/%H %s')" >> $GITHUB_OUTPUT
-          echo 'MESSAGE' >> $GITHUB_OUTPUT
+          echo "log<<MESSAGE" >> "$GITHUB_OUTPUT"
+          git log ${{ steps.previous-commit.outputs.sha }}..${{ github.event.after }} --reverse --pretty='https://github.com/phpstan/phpstan-src/commit/%H %s' >> "$GITHUB_OUTPUT"
+          echo 'MESSAGE' >> "$GITHUB_OUTPUT"
 
       - name: "Get short phpstan-src SHA"
         id: short-src-sha
         working-directory: phpstan-src
-        run: echo "sha=$(git rev-parse --short=7 HEAD)" >> $GITHUB_OUTPUT
+        run: echo "sha=$(git rev-parse --short=7 HEAD)" >> "$GITHUB_OUTPUT"
 
       - name: "Check PHAR checksum"
         id: checksum-difference
         working-directory: phpstan-dist
         run: |
-          checksum=${{needs.compiler-tests.outputs.checksum}}
+          checksum="${{needs.compiler-tests.outputs.checksum}}"
           if [[ $(head -n 1 .phar-checksum) != "$checksum" ]]; then
-            echo "result=different" >> $GITHUB_OUTPUT
+            echo "result=different" >> "$GITHUB_OUTPUT"
           else
-            echo "result=same" >> $GITHUB_OUTPUT
+            echo "result=same" >> "$GITHUB_OUTPUT"
           fi
 
       - name: "Download phpstan.phar"

.github/workflows/static-analysis.yml

@@ -185,6 +185,6 @@ jobs:
 
       - name: "Generate baseline"
         run: |
-          > phpstan-baseline.neon && \
+          true > phpstan-baseline.neon && \
           make phpstan-generate-baseline-php && \
           make phpstan-result-cache

.github/workflows/tests.yml

@@ -171,7 +171,7 @@
       - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3
 
       - id: set-matrix
-        run: echo "matrix=$(php .github/workflows/tests-levels-matrix.php)" >> $GITHUB_OUTPUT
+        run: echo "matrix=$(php .github/workflows/tests-levels-matrix.php)" >> "$GITHUB_OUTPUT"
 
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
@@ -325,12 +325,12 @@
             --source-directory='build/PHPStan/Build' \
             --timeout=500 \
           > infection.json5
-          cat infection.json5 | jq
+          jq < infection.json5
 
       - name: "Determine default branch"
         id: default-branch
         run: |
-          echo "name=$(git remote show origin | sed -n '/HEAD branch/s/.*: //p')" >> $GITHUB_OUTPUT
+          echo "name=$(git remote show origin | sed -n '/HEAD branch/s/.*: //p')" >> "$GITHUB_OUTPUT"
 
       - name: "Restore result cache"
         uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0

.github/workflows/update-phpstorm-stubs.yml

@@ -39,7 +39,7 @@ jobs:
           path: "phpstorm-stubs"
           repository: "jetbrains/phpstorm-stubs"
       - name: "Update stubs"
-        run: "composer require jetbrains/phpstorm-stubs:dev-master#$(git -C phpstorm-stubs rev-parse HEAD)"
+        run: "composer require \"jetbrains/phpstorm-stubs:dev-master#$(git -C phpstorm-stubs rev-parse HEAD)\""
       - name: "Remove stubs repo"
         run: "rm -r phpstorm-stubs"
       - name: "Update function metadata"