Commit b41fd41

cs #64325 [CI] pin GitHub Actions references and add Dependabot (Kocal)
This PR was merged into the 6.4 branch.

Discussion
----------

[CI] pin GitHub Actions references and add Dependabot

| Q             | A
| ------------- | ---
| Branch?       | 6.4
| Bug fix?      | no
| New feature?  | no
| Deprecations? | no
| Issues        | Fix #...
| License       | MIT

Following symfony/ux#3579 and all recent security issues (dependency chain abuse, `pull_request_target` exploit, etc...)

Pinning actions versions is a good security practice, but it can be tedious to update.

Opened a [PR for enabling Dependabot](#64326), that could help us a lot here.

Commits
-------

61c7551 [CI] pin GitHub Actions references and add Dependabot
2 parents b269f09 + 61c7551 commit b41fd41

11 files changed

+243-23Lines changed: 243 additions & 23 deletions

‎.github/dependabot.yml‎

+67Lines changed: 67 additions & 0 deletions
@@ -0,0 +1,67 @@
1+
# https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference
2+
3+
# Generated by .github/sync-maintained-versions.php from https://symfony.com/maintained-versions.json
4+
# One entry per maintained branch; cooldown increases in merge-up order so the lowest branch surfaces first.
5+
6+
version: 2
7+
updates:
8+
9+
- package-ecosystem: 'github-actions'
10+
directory: '/'
11+
target-branch: '6.4'
12+
schedule:
13+
interval: 'weekly'
14+
groups:
15+
github-actions:
16+
patterns:
17+
- '*'
18+
cooldown:
19+
default-days: 7
20+
21+
- package-ecosystem: 'github-actions'
22+
directory: '/'
23+
target-branch: '7.4'
24+
schedule:
25+
interval: 'weekly'
26+
groups:
27+
github-actions:
28+
patterns:
29+
- '*'
30+
cooldown:
31+
default-days: 8
32+
33+
- package-ecosystem: 'github-actions'
34+
directory: '/'
35+
target-branch: '8.0'
36+
schedule:
37+
interval: 'weekly'
38+
groups:
39+
github-actions:
40+
patterns:
41+
- '*'
42+
cooldown:
43+
default-days: 9
44+
45+
- package-ecosystem: 'github-actions'
46+
directory: '/'
47+
target-branch: '8.1'
48+
schedule:
49+
interval: 'weekly'
50+
groups:
51+
github-actions:
52+
patterns:
53+
- '*'
54+
cooldown:
55+
default-days: 10
56+
57+
- package-ecosystem: 'github-actions'
58+
directory: '/'
59+
target-branch: '8.2'
60+
schedule:
61+
interval: 'weekly'
62+
groups:
63+
github-actions:
64+
patterns:
65+
- '*'
66+
cooldown:
67+
default-days: 11
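Review bot: nothing in this commit runs the generator's `--check` mode, so the header's statement that this file is "Generated by .github/sync-maintained-versions.php" is unenforced and the per-branch entries will drift silently from https://symfony.com/maintained-versions.json the next time a branch is added or dropped; a workflow step running `php .github/sync-maintained-versions.php --check` (the script exits 1 when anything would change) would make the contract hold. Also note that `groups: github-actions: patterns: ['*']` with five `target-branch` entries means one grouped PR per branch for the same bump; the 7..11 day `cooldown` stagger only makes sense if the 6.4 PR is merged first and merged up, so that expectation belongs in the header comment alongside the "lowest branch surfaces first" remark.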

‎.github/sync-maintained-versions.php‎
+153Lines changed: 153 additions & 0 deletions
@@ -0,0 +1,153 @@
1+
<?php
2+
3+
// Syncs branch-dependent CI config from the maintained branches published at
4+
// https://symfony.com/maintained-versions.json (ordered low -> high).
5+
//
6+
// Standalone helper: run it by hand whenever the maintained branches change.
7+
//
8+
// Updates:
9+
// - .github/dependabot.yml one github-actions entry per maintained
10+
// branch; cooldown.default-days grows by one
11+
// in merge-up order so the lowest branch
12+
// surfaces first and the review queue is staggered.
13+
// - .github/workflows/scorecards.yml push trigger pinned to the default (highest) branch.
14+
// - .github/workflows/unit-tests.yml LTS test versions for the current branch: cross-test
15+
// against the latest LTS at or below it, low-deps floor
16+
// against the LTS one major below that.
17+
//
18+
// Usage:
19+
// php .github/sync-maintained-versions.php # rewrite the files
20+
// php .github/sync-maintained-versions.php --check # exit 1 if anything would change
21+
22+
if ('cli' !== PHP_SAPI) {
23+
echo "This script can only be run from the command line.\n";
24+
exit(1);
25+
}
26+
27+
$self = basename(__FILE__);
28+
$source = 'https://symfony.com/maintained-versions.json';
29+
$branches = json_decode(file_get_contents($source), true, 512, \JSON_THROW_ON_ERROR);
30+
31+
if (!\is_array($branches) || !$branches) {
32+
fwrite(\STDERR, "No maintained versions found at $source\n");
33+
exit(1);
34+
}
35+
36+
$branches = array_values($branches);
37+
$default = end($branches); // highest branch == dev == default
38+
$check = \in_array('--check', $argv, true);
39+
40+
// Identify the checked-out branch from the source tree itself (robust to detached
41+
// HEAD and branch naming, unlike `git branch`), then refuse to run unless it is one
42+
// of the maintained versions.
43+
if (!preg_match("/VERSION = '(\d+\.\d+)/", file_get_contents(__DIR__.'/../src/Symfony/Component/HttpKernel/Kernel.php'), $m)) {
44+
fwrite(\STDERR, "Could not read the branch version from Kernel.php\n");
45+
exit(1);
46+
}
47+
$branch = $m[1];
48+
49+
if (!\in_array($branch, $branches, true)) {
50+
fwrite(\STDERR, "Refusing to run: $branch is not a maintained version (".implode(', ', $branches).")\n");
51+
exit(1);
52+
}
53+
54+
$sync = static function (string $path, string $contents) use ($check): bool {
55+
if (is_file($path) && file_get_contents($path) === $contents) {
56+
return false;
57+
}
58+
if ($check) {
59+
fwrite(\STDERR, basename($path)." is out of date\n");
60+
} else {
61+
file_put_contents($path, $contents);
62+
}
63+
64+
return true;
65+
};
66+
67+
// --- .github/dependabot.yml -------------------------------------------------
68+
69+
$dependabot = <<<YAML
70+
# https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference
71+
72+
# Generated by .github/$self from $source
73+
# One entry per maintained branch; cooldown increases in merge-up order so the lowest branch surfaces first.
74+
75+
version: 2
76+
updates:
77+
78+
YAML;
79+
80+
$entry = <<<YAML
81+
- package-ecosystem: 'github-actions'
82+
directory: '/'
83+
target-branch: '%s'
84+
schedule:
85+
interval: 'weekly'
86+
groups:
87+
github-actions:
88+
patterns:
89+
- '*'
90+
cooldown:
91+
default-days: %d
92+
93+
YAML;
94+
95+
foreach ($branches as $i => $b) {
96+
$dependabot .= "\n".sprintf($entry, $b, 7 + $i);
97+
}
98+
99+
$dirty = $sync(__DIR__.'/dependabot.yml', rtrim($dependabot)."\n");
100+
101+
// --- .github/workflows/scorecards.yml (push trigger only) -------------------
102+
103+
$scorecards = __DIR__.'/workflows/scorecards.yml';
104+
$yaml = file_get_contents($scorecards);
105+
$patched = preg_replace('/^(\s*branches:\s*\[\s*")[^"]*("\s*\])/m', '${1}'.$default.'${2}', $yaml, 1, $count);
106+
107+
if (1 !== $count) {
108+
fwrite(\STDERR, "Could not find the push branch trigger in scorecards.yml\n");
109+
exit(1);
110+
}
111+
112+
$dirty = $sync($scorecards, $patched) || $dirty;
113+
114+
// --- .github/workflows/unit-tests.yml (LTS test versions) -------------------
115+
116+
// LTS releases are the *.4 maintained versions. Cross-test against the latest one
117+
// at or below this branch; the low-deps floor is the LTS one major below that.
118+
$crossLts = null;
119+
foreach (array_filter($branches, static fn ($v) => str_ends_with($v, '.4')) as $v) {
120+
if (version_compare($v, $branch, '<=')) {
121+
$crossLts = $v;
122+
}
123+
}
124+
125+
if (null === $crossLts) {
126+
fwrite(\STDERR, "No maintained LTS at or below $branch\n");
127+
exit(1);
128+
}
129+
130+
$floor = ((int) $crossLts - 1).'.4';
131+
132+
$unitTests = __DIR__.'/workflows/unit-tests.yml';
133+
$yaml = file_get_contents($unitTests);
134+
135+
$patches = [
136+
['/(&& echo )\d+\.\d+( \|\| echo \$SYMFONY_VERSION)/', '${1}'.$floor.'${2}'],
137+
['/(# for )\d+\.\d+( LTS, checkout and test previous major)/', '${1}'.$crossLts.'${2}'],
138+
['/(\$SYMFONY_VERSION = )\d+\.\d+/', '${1}'.$crossLts],
139+
];
140+
141+
foreach ($patches as [$pattern, $replacement]) {
142+
$yaml = preg_replace($pattern, $replacement, $yaml, 1, $count);
143+
if (1 !== $count) {
144+
fwrite(\STDERR, "Could not patch unit-tests.yml ($pattern matched $count times)\n");
145+
exit(1);
146+
}
147+
}
148+
149+
$dirty = $sync($unitTests, $yaml) || $dirty;
150+
151+
if ($check && $dirty) {
152+
exit(1);
153+
}
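Review bot: values fetched from `$source` are spliced into CI configuration without any shape check. Each `$b` is formatted into `target-branch: '%s'` by `sprintf`, and `$default`, `$crossLts` and `$floor` are concatenated into `preg_replace` replacement strings, where a backslash or `$1`-style sequence in a tampered or malformed entry would be interpreted rather than written literally; `in_array($branch, $branches, true)` only confirms the local branch is in the list, it does not vet the other entries that still get written. Suggest validating every entry right after the decode, e.g. `foreach ($branches as $b) { if (!preg_match('/^\d+\.\d+$/', $b)) { fwrite(\STDERR, "Unexpected version $b\n"); exit(1); } }`, and checking `file_get_contents($source)` for `false` before `json_decode`, so a failed HTTPS fetch reports the URL instead of surfacing as a bare `JsonException`. Since this script rewrites workflow files from a remote document, those two checks are the line between "symfony.com is a source of branch names" and "symfony.com can write CI config".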

‎.github/workflows/fabbot.yml‎
+1-1Lines changed: 1 addition & 1 deletion
@@ -9,7 +9,7 @@ permissions:
99
jobs:
1010
call-fabbot:
1111
name: Fabbot
12-
uses: symfony-tools/fabbot/.github/workflows/fabbot.yml@main
12+
uses: symfony-tools/fabbot/.github/workflows/fabbot.yml@main # zizmor: ignore[unpinned-uses]
1313
with:
1414
package: Symfony
1515
check_license: true
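Review bot: `symfony-tools/fabbot/.github/workflows/fabbot.yml@main` is left floating and the `# zizmor: ignore[unpinned-uses]` marker only silences the audit; anyone who can push to `main` of symfony-tools/fabbot decides what runs here under the `permissions:` block shown in the hunk header. If the reusable workflow has to track `main` (for instance because the same org maintains it in lock-step), put that reason in the comment next to the ignore; otherwise pin it to a commit SHA with a `# <tag>` comment like the other `uses:` lines in this commit, so the `github-actions` Dependabot entries added here can keep it current.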

‎.github/workflows/integration-tests.yml‎
+9-9Lines changed: 9 additions & 9 deletions
@@ -34,7 +34,7 @@ jobs:
3434
env:
3535
POSTGRES_PASSWORD: 'password'
3636
ldap:
37-
image: bitnamilegacy/openldap
37+
image: bitnamilegacy/openldap # zizmor: ignore[unpinned-images]
3838
ports:
3939
- 3389:3389
4040
env:
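Review bot: `image: bitnamilegacy/openldap` is left floating with an `unpinned-images` ignore, while the `Load fixtures` step later in this same workflow pins the identical image to a `@sha256:` digest, so the LDAP server and the `ldapadd` client that populates it can come from different builds. Pin the service to the same digest (`image: bitnamilegacy/openldap@sha256:<digest>`); that keeps the pair consistent and removes the need for the ignore marker.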
@@ -45,7 +45,7 @@ jobs:
4545
LDAP_USERS: a
4646
LDAP_PASSWORDS: a
4747
ftp:
48-
image: onekilo79/ftpd_test
48+
image: onekilo79/ftpd_test # zizmor: ignore[unpinned-images]
4949
ports:
5050
- 21:21
5151
- 30000-30009:30000-30009
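Review bot: `onekilo79/ftpd_test` carries no tag at all, so every run pulls whatever that repository currently publishes as `latest`; the ignore comment records the exception without justifying it. If the image has no release tags worth pinning to, pin it by digest the way `Load fixtures` does for openldap, or note in the comment why a floating test image is acceptable here.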
@@ -82,7 +82,7 @@ jobs:
8282
REDIS_MASTER_SET: redis_sentinel
8383
REDIS_SENTINEL_QUORUM: 1
8484
redis-primary:
85-
image: bitnamilegacy/redis:latest
85+
image: bitnamilegacy/redis:latest # zizmor: ignore[unpinned-images]
8686
ports:
8787
- 16381:6379
8888
env:
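Review bot: `bitnamilegacy/redis:latest` is exactly the mutable tag the `unpinned-images` audit exists to flag, and the same file already shows the alternative: `bitnamilegacy/kafka:3.7` a few hunks down needs no ignore. A version tag here (and on `redis-replica`, which should move in lock-step with the primary) is the consistent fix; the ignore marker just hides the finding.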
@@ -91,7 +91,7 @@ jobs:
9191
options: >-
9292
--name=redis-primary
9393
redis-replica:
94-
image: bitnamilegacy/redis:latest
94+
image: bitnamilegacy/redis:latest # zizmor: ignore[unpinned-images]
9595
ports:
9696
- 16382:6379
9797
env:
@@ -110,7 +110,7 @@ jobs:
110110
ports:
111111
- 5672:5672
112112
mongodb:
113-
image: mongo
113+
image: mongo # zizmor: ignore[unpinned-images]
114114
ports:
115115
- 27017:27017
116116
couchbase:
@@ -126,7 +126,7 @@ jobs:
126126
ports:
127127
- 4566:4566
128128
zookeeper:
129-
image: zookeeper
129+
image: zookeeper # zizmor: ignore[unpinned-images]
130130
kafka:
131131
image: bitnamilegacy/kafka:3.7
132132
ports:
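Review bot: the policy applied in this file is inconsistent: `zookeeper` (no tag) gets `# zizmor: ignore[unpinned-images]` while the neighbouring `bitnamilegacy/kafka:3.7` (tag, no digest) is accepted as-is. Either a version tag is the bar, in which case give zookeeper one instead of an ignore, or a digest is the bar, in which case kafka needs one too; a one-line comment at the top of `services:` stating which applies would stop the ignores from accumulating.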
@@ -160,7 +160,7 @@ jobs:
160160
161161
steps:
162162
- name: Checkout
163-
uses: actions/checkout@v6
163+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
164164
with:
165165
persist-credentials: false
166166
fetch-depth: 0
@@ -205,7 +205,7 @@ jobs:
205205
touch ./ftpusers/test/pub/example ./ftpusers/test/readme.txt
206206
207207
- name: Setup PHP
208-
uses: shivammathur/setup-php@v2
208+
uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
209209
with:
210210
coverage: "none"
211211
extensions: "json,couchbase-3.2.2,memcached,mongodb-1.12.0,redis,rdkafka,xsl,ldap,relay"
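Review bot: pinning `shivammathur/setup-php` to a SHA fixes the action's code but not what it downloads at run time. In the `extensions:` list shown, `couchbase-3.2.2` and `mongodb-1.12.0` are version-pinned while `redis`, `rdkafka`, `xsl`, `ldap` and `relay` float, so those builds still come from whatever PECL or the vendor serves on the day; if the point of this PR is reproducible CI inputs, the floating extension versions deserve the same treatment, or a comment acknowledging that they are intentionally left to track latest.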
@@ -219,7 +219,7 @@ jobs:
219219
php -i
220220
221221
- name: Load fixtures
222-
uses: docker://bitnamilegacy/openldap
222+
uses: docker://bitnamilegacy/openldap@sha256:687f14a22b5c74fb057a57221acdbe7b8c82e2d3619fc380db3af48ec4aa04ed # latest
223223
with:
224224
entrypoint: /bin/bash
225225
args: -c "(/opt/bitnami/openldap/bin/ldapwhoami -H ldap://ldap:3389 -D cn=admin,dc=symfony,dc=com -w symfony||sleep 5) && /opt/bitnami/openldap/bin/ldapadd -H ldap://ldap:3389 -D cn=admin,dc=symfony,dc=com -w symfony -f src/Symfony/Component/Ldap/Tests/Fixtures/data/fixtures.ldif && /opt/bitnami/openldap/bin/ldapdelete -H ldap://ldap:3389 -D cn=admin,dc=symfony,dc=com -w symfony cn=a,ou=users,dc=symfony,dc=com"
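Review bot: the `# latest` comment after the `@sha256:` digest is not a version: the next time the digest is bumped nobody can tell from the file which openldap release it corresponded to, which is the information the `# v6.0.2` / `# 2.37.1` comments on the other pins provide. Record the image tag that the digest was resolved from instead of `latest`, and keep it in step with the `ldap:` service definition earlier in this workflow, which currently runs an unpinned copy of the same image.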

‎.github/workflows/intl-data-tests.yml‎
+2-2Lines changed: 2 additions & 2 deletions
@@ -35,7 +35,7 @@ jobs:
3535

3636
steps:
3737
- name: Checkout
38-
uses: actions/checkout@v6
38+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
3939
with:
4040
persist-credentials: false
4141

@@ -55,7 +55,7 @@ jobs:
5555
echo "SYMFONY_ICU_VERSION=$SYMFONY_ICU_VERSION" >> $GITHUB_ENV
5656
5757
- name: Setup PHP
58-
uses: shivammathur/setup-php@v2
58+
uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
5959
with:
6060
coverage: "none"
6161
extensions: "zip,intl-${{env.SYMFONY_ICU_VERSION}}"

‎.github/workflows/package-tests.yml‎
+1-1Lines changed: 1 addition & 1 deletion
@@ -14,7 +14,7 @@ jobs:
1414
runs-on: ubuntu-24.04
1515
steps:
1616
- name: Checkout code
17-
uses: actions/checkout@v6
17+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
1818
with:
1919
persist-credentials: false
2020


‎.github/workflows/phpunit-bridge.yml‎
+2-2Lines changed: 2 additions & 2 deletions
@@ -27,12 +27,12 @@ jobs:
2727

2828
steps:
2929
- name: Checkout
30-
uses: actions/checkout@v6
30+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
3131
with:
3232
persist-credentials: false
3333

3434
- name: Setup PHP
35-
uses: shivammathur/setup-php@v2
35+
uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
3636
with:
3737
coverage: "none"
3838
php-version: "7.1"

‎.github/workflows/scorecards.yml‎
+1-1Lines changed: 1 addition & 1 deletion
@@ -26,7 +26,7 @@ jobs:
2626

2727
steps:
2828
- name: "Checkout code"
29-
uses: actions/checkout@v6
29+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
3030
with:
3131
persist-credentials: false
3232


‎.github/workflows/static-analysis.yml‎
+4-4Lines changed: 4 additions & 4 deletions
@@ -23,14 +23,14 @@ jobs:
2323
php-version: '8.1'
2424
steps:
2525
- name: Setup PHP
26-
uses: shivammathur/setup-php@v2
26+
uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
2727
with:
2828
php-version: ${{ env.php-version }}
2929
ini-values: memory_limit=-1,intl.default_locale=en,intl.error_level=0
3030
coverage: none
3131

3232
- name: Checkout target branch
33-
uses: actions/checkout@v6
33+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
3434
with:
3535
persist-credentials: false
3636
ref: ${{ github.base_ref }}
@@ -63,14 +63,14 @@ jobs:
6363
php-version: '8.1'
6464
steps:
6565
- name: Setup PHP
66-
uses: shivammathur/setup-php@v2
66+
uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
6767
with:
6868
php-version: ${{ env.php-version }}
6969
ini-values: memory_limit=-1,intl.default_locale=en,intl.error_level=0
7070
coverage: none
7171

7272
- name: Checkout target branch
73-
uses: actions/checkout@v6
73+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
7474
with:
7575
persist-credentials: false
7676
ref: ${{ github.base_ref }}