zizmor audit

.github/workflows/build.yml

@@ -1,9 +1,16 @@
+name: build
+
 on:
   pull_request:
   push:
     branches: [ 'master' ]
 
-name: build
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   tests:
@@ -24,10 +31,12 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
 
       - name: Install PHP with extensions
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # v2
         env:
           update: true
         with:
@@ -36,13 +45,13 @@ jobs:
           coverage: xdebug
 
       - name: Install Composer dependencies
-        uses: ramsey/composer-install@v3
+        uses: ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f # 3.2.1
 
       - name: Run tests with PHPUnit
         run: vendor/bin/phpunit --colors=always --coverage-clover=coverage.xml
 
       - name: Upload coverage to Coveralls
         if: matrix.os == 'ubuntu-latest'
-        uses: coverallsapp/github-action@v2
+        uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2
         with:
           file: ./coverage.xml

.github/workflows/code-style.yml

@@ -1,28 +1,37 @@
 name: Code Style
 
-on: [ pull_request ]
+on:
+  pull_request:
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
-  php-cs-fixer:
+  cs:
+    name: PHP CS Fixer + Rector
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: write # needed to push auto-fixed commits back to the PR branch
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           ref: ${{ github.head_ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
+          persist-credentials: false
 
       - name: Install PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # v2
         with:
           php-version: 8.2
           tools: composer:v2
           coverage: none
 
       - name: Install Composer dependencies
-        uses: "ramsey/composer-install@v4"
+        uses: "ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda" # 4.0.0
 
       - name: Run PHP CS Fixer
         run: composer cs-fix
@@ -31,8 +40,13 @@ jobs:
         run: ./vendor/bin/rector --output-format=github
 
       - name: Commit changes
-        uses: stefanzweifel/git-auto-commit-action@v7
-        with:
-          commit_message: "Apply PHP CS Fixer and Rector changes (CI)"
-          file_pattern: '*.php'
-          disable_globbing: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HEAD_REF: ${{ github.head_ref }}
+          REPOSITORY: ${{ github.repository }}
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add '*.php'
+          git diff --staged --quiet || git commit -m "Apply PHP CS Fixer and Rector changes (CI)"
+          git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${REPOSITORY}.git" "HEAD:${HEAD_REF}"

.github/workflows/composer-dependency-analyser.yml

@@ -1,9 +1,16 @@
+name: Composer Dependency Analyser
+
 on:
   pull_request:
   push:
     branches: [ 'master' ]
 
-name: Composer Dependency Analyser
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   composer-require-checker:
@@ -23,16 +30,18 @@ jobs:
 
     steps:
       - name: Checkout.
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
 
       - name: Install PHP with extensions.
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # v2
         with:
           php-version: ${{ matrix.php }}
           coverage: none
 
       - name: Install Composer dependencies
-        uses: ramsey/composer-install@v3
+        uses: ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f # 3.2.1
 
       - name: Check dependencies
         run: vendor/bin/composer-dependency-analyser

.github/workflows/mutation.yml

@@ -1,38 +1,49 @@
+name: mutation test
+
 on:
   pull_request:
   push:
     branches: [ 'master' ]
 
-name: mutation test
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   mutation:
     name: PHP ${{ matrix.php }}-${{ matrix.os }}
 
     runs-on: ${{ matrix.os }}
 
+    environment:
+      name: ${{ github.event_name == 'push' && 'Mutation testing' || '' }}
+      deployment: false
+
     strategy:
       matrix:
-        os:
-          - ubuntu-latest
-        php:
-          - "8.5"
+        os: [ubuntu-latest]
+        php: ["8.5"]
 
     steps:
-      - name: Checkout.
-        uses: actions/checkout@v6
+      - name: Checkout
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
 
-      - name: Install PHP with extensions.
-        uses: shivammathur/setup-php@v2
+      - name: Install PHP with extensions
+        uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # v2
         with:
           php-version: "${{ matrix.php }}"
           ini-values: memory_limit=-1
           coverage: xdebug
 
       - name: Install Composer dependencies
-        uses: ramsey/composer-install@v3
+        uses: ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f # 3.2.1
 
-      - name: Run infection.
+      - name: Run infection
         run: vendor/bin/infection --threads=max --ignore-msi-with-no-mutations
         env:
-          STRYKER_DASHBOARD_API_KEY: ${{ secrets.STRYKER_DASHBOARD_API_KEY }}
+          STRYKER_DASHBOARD_API_KEY: ${{ github.event_name == 'push' && secrets.STRYKER_DASHBOARD_API_KEY || '' }}

.github/workflows/psalm.yml

@@ -1,10 +1,17 @@
+name: static analysis
+
 on:
   pull_request:
   push:
     branches:
       - master
 
-name: static analysis
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   psalm:
@@ -24,17 +31,21 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
 
       - name: Install PHP with extensions
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # v2
         with:
           coverage: none
           php-version: ${{ matrix.php }}
           tools: composer:v2, cs2pr
 
       - name: Install Composer dependencies
-        uses: ramsey/composer-install@v3
+        uses: ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f # 3.2.1
 
       - name: Static analysis
-        run: vendor/bin/psalm --shepherd --stats --output-format=checkstyle --php-version=${{ matrix.php }} | cs2pr --graceful-warnings --colorize
+        env:
+          PHP_VERSION: ${{ matrix.php }}
+        run: vendor/bin/psalm --shepherd --stats --output-format=checkstyle --php-version=$PHP_VERSION | cs2pr --graceful-warnings --colorize

.github/workflows/zizmor.yml

@@ -0,0 +1,31 @@
+name: zizmor
+
+on:
+  push:
+    branches: [ 'master' ]
+  pull_request:
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # needed to upload SARIF results to GitHub Security tab
+      contents: read         # needed to clone the repo
+      actions: read          # needed for upload-sarif to read workflow run info
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+        with:
+          persona: auditor

Makefile

@@ -1,12 +1,20 @@
 .DEFAULT_GOAL := help
 
+zizmor: ARGS ?= --persona auditor --color always
+zizmor: ## Run zizmor security audit (1.25.2)
+	docker run \
+      --volume .:/project:ro \
+      --rm \
+      ghcr.io/zizmorcore/zizmor@sha256:14ea7f5cc7c67933394a35b5a38a277397818d232602635edb2010b313afb110 \
+      $(ARGS) /project
+
 scaffolder: ## Run scaffolder
 	docker run \
       --volume .:/project \
       --user $(shell id -u):$(shell id -g) \
       --interactive --tty --rm --init \
-      ghcr.io/phptg/scaffolder:latest \
-      $(RUN_ARGS)
+      ghcr.io/phptg/scaffolder@sha256:29ce3c9aa63e4ae93bffccec1c80cf46701ebc7c70d6469a3f39e2cbb6885154 \
+      $(ARGS)
 
 # Output the help for each task, see https://marmelab.com/blog/2016/02/29/auto-documented-makefile.html
 help: ## This help.