Commit cf12661

Merge branch '8.1' into 8.2
* 8.1: [CI] pin GitHub Actions references and add Dependabot [CI] GitHub Actions workflows hardenings
2 parents ed0acc2 + b853d1a commit cf12661

12 files changed

+273-32Lines changed: 273 additions & 32 deletions

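--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,67 @@
+# https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference
+
+# Generated by .github/sync-maintained-versions.php from https://symfony.com/maintained-versions.json
+# One entry per maintained branch; cooldown increases in merge-up order so the lowest branch surfaces first.
+
+version: 2
+updates:
+
+- package-ecosystem: 'github-actions'
+directory: '/'
+target-branch: '6.4'
+schedule:
+interval: 'weekly'
+groups:
+github-actions:
+patterns:
+- '*'
+cooldown:
+default-days: 7
+
+- package-ecosystem: 'github-actions'
+directory: '/'
+target-branch: '7.4'
+schedule:
+interval: 'weekly'
+groups:
+github-actions:
+patterns:
+- '*'
+cooldown:
+default-days: 8
+
+- package-ecosystem: 'github-actions'
+directory: '/'
+target-branch: '8.0'
+schedule:
+interval: 'weekly'
+groups:
+github-actions:
+patterns:
+- '*'
+cooldown:
+default-days: 9
+
+- package-ecosystem: 'github-actions'
+directory: '/'
+target-branch: '8.1'
+schedule:
+interval: 'weekly'
+groups:
+github-actions:
+patterns:
+- '*'
+cooldown:
+default-days: 10
+
+- package-ecosystem: 'github-actions'
+directory: '/'
+target-branch: '8.2'
+schedule:
+interval: 'weekly'
+groups:
+github-actions:
+patterns:
+- '*'
+cooldown:
+default-days: 11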
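--- /dev/null
+++ b/.github/sync-maintained-versions.php
@@ -0,0 +1,153 @@
+<?php
+
+// Syncs branch-dependent CI config from the maintained branches published at
+// https://symfony.com/maintained-versions.json (ordered low -> high).
+//
+// Standalone helper: run it by hand whenever the maintained branches change.
+//
+// Updates:
+// - .github/dependabot.yml one github-actions entry per maintained
+// branch; cooldown.default-days grows by one
+// in merge-up order so the lowest branch
+// surfaces first and the review queue is staggered.
+// - .github/workflows/scorecards.yml push trigger pinned to the default (highest) branch.
+// - .github/workflows/unit-tests.yml LTS test versions for the current branch: cross-test
+// against the latest LTS at or below it, low-deps floor
+// against the LTS one major below that.
+//
+// Usage:
+// php .github/sync-maintained-versions.php # rewrite the files
+// php .github/sync-maintained-versions.php --check # exit 1 if anything would change
+
+if ('cli' !== PHP_SAPI) {
+echo "This script can only be run from the command line.\n";
+exit(1);
+}
+
+$self = basename(__FILE__);
+$source = 'https://symfony.com/maintained-versions.json';
+$branches = json_decode(file_get_contents($source), true, 512, \JSON_THROW_ON_ERROR);
+
+if (!\is_array($branches) || !$branches) {
+fwrite(\STDERR, "No maintained versions found at $source\n");
+exit(1);
+}
+
+$branches = array_values($branches);
+$default = end($branches); // highest branch == dev == default
+$check = \in_array('--check', $argv, true);
+
+// Identify the checked-out branch from the source tree itself (robust to detached
+// HEAD and branch naming, unlike `git branch`), then refuse to run unless it is one
+// of the maintained versions.
+if (!preg_match("/VERSION = '(\d+\.\d+)/", file_get_contents(__DIR__.'/../src/Symfony/Component/HttpKernel/Kernel.php'), $m)) {
+fwrite(\STDERR, "Could not read the branch version from Kernel.php\n");
+exit(1);
+}
+$branch = $m[1];
+
+if (!\in_array($branch, $branches, true)) {
+fwrite(\STDERR, "Refusing to run: $branch is not a maintained version (".implode(', ', $branches).")\n");
+exit(1);
+}
+
+$sync = static function (string $path, string $contents) use ($check): bool {
+if (is_file($path) && file_get_contents($path) === $contents) {
+return false;
+}
+if ($check) {
+fwrite(\STDERR, basename($path)." is out of date\n");
+} else {
+file_put_contents($path, $contents);
+}
+
+return true;
+};
+
+// --- .github/dependabot.yml -------------------------------------------------
+
+$dependabot = <<<YAML
+# https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference
+
+# Generated by .github/$self from $source
+# One entry per maintained branch; cooldown increases in merge-up order so the lowest branch surfaces first.
+
+version: 2
+updates:
+
+YAML;
+
+$entry = <<<YAML
+- package-ecosystem: 'github-actions'
+directory: '/'
+target-branch: '%s'
+schedule:
+interval: 'weekly'
+groups:
+github-actions:
+patterns:
+- '*'
+cooldown:
+default-days: %d
+
+YAML;
+
+foreach ($branches as $i => $b) {
+$dependabot .= "\n".sprintf($entry, $b, 7 + $i);
+}
+
+$dirty = $sync(__DIR__.'/dependabot.yml', rtrim($dependabot)."\n");
+
+// --- .github/workflows/scorecards.yml (push trigger only) -------------------
+
+$scorecards = __DIR__.'/workflows/scorecards.yml';
+$yaml = file_get_contents($scorecards);
+$patched = preg_replace('/^(\s*branches:\s*\[\s*")[^"]*("\s*\])/m', '${1}'.$default.'${2}', $yaml, 1, $count);
+
+if (1 !== $count) {
+fwrite(\STDERR, "Could not find the push branch trigger in scorecards.yml\n");
+exit(1);
+}
+
+$dirty = $sync($scorecards, $patched) || $dirty;
+
+// --- .github/workflows/unit-tests.yml (LTS test versions) -------------------
+
+// LTS releases are the *.4 maintained versions. Cross-test against the latest one
+// at or below this branch; the low-deps floor is the LTS one major below that.
+$crossLts = null;
+foreach (array_filter($branches, static fn ($v) => str_ends_with($v, '.4')) as $v) {
+if (version_compare($v, $branch, '<=')) {
+$crossLts = $v;
+}
+}
+
+if (null === $crossLts) {
+fwrite(\STDERR, "No maintained LTS at or below $branch\n");
+exit(1);
+}
+
+$floor = ((int) $crossLts - 1).'.4';
+
+$unitTests = __DIR__.'/workflows/unit-tests.yml';
+$yaml = file_get_contents($unitTests);
+
+$patches = [
+['/(&& echo )\d+\.\d+( \|\| echo \$SYMFONY_VERSION)/', '${1}'.$floor.'${2}'],
+['/(# for )\d+\.\d+( LTS, checkout and test previous major)/', '${1}'.$crossLts.'${2}'],
+['/(\$SYMFONY_VERSION = )\d+\.\d+/', '${1}'.$crossLts],
+];
+
+foreach ($patches as [$pattern, $replacement]) {
+$yaml = preg_replace($pattern, $replacement, $yaml, 1, $count);
+if (1 !== $count) {
+fwrite(\STDERR, "Could not patch unit-tests.yml ($pattern matched $count times)\n");
+exit(1);
+}
+}
+
+$dirty = $sync($unitTests, $yaml) || $dirty;
+
+if ($check && $dirty) {
+exit(1);
+}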
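Review bot: The branch names decoded from the remote JSON (lines 29-36) are written unvalidated into the generated YAML and into preg_replace replacement strings (`'${1}'.$default.'${2}'` on line 105, where a `$` or backslash in the value would be interpreted as a backreference), so a single malformed or non-string entry upstream would corrupt three CI files in one run; `(int) $crossLts - 1` on line 130 and `version_compare` on line 120 rely on the same unstated shape. After the `array_values()` on line 36, reject anything that is not a plain major.minor string: `if ($branches !== array_filter($branches, static fn ($v) => \is_string($v) && preg_match('/^\d+\.\d+$/D', $v))) { fwrite(\STDERR, "Unexpected entry in $source\n"); exit(1); }`. Separately, `file_get_contents($source)` on line 29 can return false, which under `JSON_THROW_ON_ERROR` surfaces only as a misleading "Syntax error" JsonException; `$json = file_get_contents($source) ?: throw new \RuntimeException("Could not fetch $source");` makes the fetch failure explicit before decoding.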

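--- a/.github/workflows/fabbot.yml
+++ b/.github/workflows/fabbot.yml
@@ -9,7 +9,7 @@ permissions:
 jobs:
 call-fabbot:
 name: Fabbot
-uses: symfony-tools/fabbot/.github/workflows/fabbot.yml@main
+uses: symfony-tools/fabbot/.github/workflows/fabbot.yml@main # zizmor: ignore[unpinned-uses]
 with:
 package: Symfony
 check_license: true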
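Review bot: The suppression on line 12 leaves the reusable workflow on the mutable `@main` ref while every other `uses:` touched by this commit is pinned to a commit SHA, so this job will run whatever that branch contains at the time, with whatever token permissions the `permissions:` block (which starts outside the hunk) grants. If tracking `main` is deliberate, the ignore comment should say why so the next audit does not reopen it, e.g. `# zizmor: ignore[unpinned-uses] -- intentionally tracks upstream main; see <rationale>`; otherwise pin it to a SHA and let the new Dependabot config bump it like the actions.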

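--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -34,7 +34,7 @@ jobs:
 env:
 POSTGRES_PASSWORD: 'password'
 ldap:
-image: bitnamilegacy/openldap
+image: bitnamilegacy/openldap # zizmor: ignore[unpinned-images]
 ports:
 - 3389:3389
 env:
@@ -45,7 +45,7 @@ jobs:
 LDAP_USERS: a
 LDAP_PASSWORDS: a
 ftp:
-image: onekilo79/ftpd_test
+image: onekilo79/ftpd_test # zizmor: ignore[unpinned-images]
 ports:
 - 21:21
 - 30000-30009:30000-30009
@@ -82,7 +82,7 @@ jobs:
 REDIS_MASTER_SET: redis_sentinel
 REDIS_SENTINEL_QUORUM: 1
 redis-primary:
-image: bitnamilegacy/redis:latest
+image: bitnamilegacy/redis:latest # zizmor: ignore[unpinned-images]
 ports:
 - 16381:6379
 env:
@@ -91,7 +91,7 @@ jobs:
 options: >-
 --name=redis-primary
 redis-replica:
-image: bitnamilegacy/redis:latest
+image: bitnamilegacy/redis:latest # zizmor: ignore[unpinned-images]
 ports:
 - 16382:6379
 env:
@@ -110,7 +110,7 @@ jobs:
 ports:
 - 5672:5672
 mongodb:
-image: mongo
+image: mongo # zizmor: ignore[unpinned-images]
 ports:
 - 27017:27017
 couchbase:
@@ -126,7 +126,7 @@ jobs:
 ports:
 - 4566:4566
 zookeeper:
-image: zookeeper
+image: zookeeper # zizmor: ignore[unpinned-images]
 kafka:
 image: bitnamilegacy/kafka:3.7
 ports:
@@ -160,8 +160,9 @@ jobs:
 
 steps:
 - name: Checkout
-uses: actions/checkout@v4
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
+persist-credentials: false
 fetch-depth: 0
 
 - name: Init Kafka topics
@@ -204,7 +205,7 @@ jobs:
 touch ./ftpusers/test/pub/example ./ftpusers/test/readme.txt
 
 - name: Setup PHP
-uses: shivammathur/setup-php@v2
+uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
 with:
 coverage: "none"
 extensions: "json,couchbase-3.2.2,memcached,mongodb-1.12.0,redis,rdkafka,xsl,ldap,relay"
@@ -218,7 +219,7 @@ jobs:
 php -i
 
 - name: Load fixtures
-uses: docker://bitnamilegacy/openldap
+uses: docker://bitnamilegacy/openldap@sha256:687f14a22b5c74fb057a57221acdbe7b8c82e2d3619fc380db3af48ec4aa04ed # latest
 with:
 entrypoint: /bin/bash
 args: -c "(/opt/bitnami/openldap/bin/ldapwhoami -H ldap://ldap:3389 -D cn=admin,dc=symfony,dc=com -w symfony||sleep 5) && /opt/bitnami/openldap/bin/ldapadd -H ldap://ldap:3389 -D cn=admin,dc=symfony,dc=com -w symfony -f src/Symfony/Component/Ldap/Tests/Fixtures/data/fixtures.ldif && /opt/bitnami/openldap/bin/ldapdelete -H ldap://ldap:3389 -D cn=admin,dc=symfony,dc=com -w symfony cn=a,ou=users,dc=symfony,dc=com"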
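Review bot: The `ldap` service image on line 37 stays floating (`bitnamilegacy/openldap` with an unpinned-images suppression) while the same image is pinned by digest on line 222 for the step that loads fixtures into that very server, so the server and the client tooling can drift apart on the next registry push and the suppression hides it. GitHub `services:` accept digest references, so the digest already in the file can be reused: `image: bitnamilegacy/openldap@sha256:687f14a22b5c74fb057a57221acdbe7b8c82e2d3619fc380db3af48ec4aa04ed # latest`. The other suppressed service images (lines 48, 85, 94, 113, 129) have the same reproducibility gap, and `mongo` and `zookeeper` carry no tag at all; if pinning them is out of scope for this commit, a short comment on the suppression saying why (e.g. the suite tolerates any current version) would make that explicit.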

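--- a/.github/workflows/intl-data-tests.yml
+++ b/.github/workflows/intl-data-tests.yml
@@ -41,7 +41,9 @@ jobs:
 
 steps:
 - name: Checkout
-uses: actions/checkout@v4
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 
 - name: Install system dependencies
 run: |
@@ -59,7 +61,7 @@ jobs:
 echo "SYMFONY_ICU_VERSION=$SYMFONY_ICU_VERSION" >> $GITHUB_ENV
 
 - name: Setup PHP
-uses: shivammathur/setup-php@v2
+uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
 with:
 coverage: "none"
 extensions: "zip,intl-${{env.SYMFONY_ICU_VERSION}}"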

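--- a/.github/workflows/package-tests.yml
+++ b/.github/workflows/package-tests.yml
@@ -14,19 +14,26 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - name: Checkout code
-uses: actions/checkout@v4
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 
 - name: Fetch branch from where the PR started
 run: git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*
 
 - name: Find packages
 id: find-packages
+env:
+BASE_REF: ${{ github.base_ref }}
 run: |
-all_packages=$(find src/Symfony -mindepth 2 -type f -name composer.json -printf '%h\n' | grep -v src/Symfony/Component/Emoji/Resources/bin |jq -R -s -c 'split("\n")[:-1]')
-modified_files=$(git diff --name-only origin/${{ github.base_ref }} HEAD | grep src/ | jq -R -s -c 'split("\n")[:-1]')
-echo "packages=$(php .github/get-modified-packages.php $all_packages $modified_files)" >> $GITHUB_OUTPUT
+packages=$(php .github/get-modified-packages.php \
+"$(find src/Symfony -mindepth 2 -type f -name composer.json -printf '%h\n' | grep -v src/Symfony/Component/Emoji/Resources/bin | jq -R -s -c 'split("\n")[:-1]')" \
+"$(git diff --name-only "origin/$BASE_REF" HEAD | grep src/ | jq -R -s -c 'split("\n")[:-1]')")
+echo "packages=$packages" >> "$GITHUB_OUTPUT"
 
 - name: Verify meta files are correct
+env:
+PACKAGES_JSON: ${{ steps.find-packages.outputs.packages }}
 run: |
 ok=0
 
@@ -60,7 +67,7 @@ jobs:
 fi
 }
 
-json='${{ steps.find-packages.outputs.packages }}'
+json="$PACKAGES_JSON"
 for package in $(echo "${json}" | jq -r '.[] | @base64'); do
 _jq() {
 echo ${package} | base64 --decode | jq -r ${1}
@@ -105,11 +112,13 @@ jobs:
 
 exit $ok
 - name: Verify symfony/deprecation-contracts requirements
+env:
+PACKAGES_JSON: ${{ steps.find-packages.outputs.packages }}
 run: |
 set +e
 
 ok=0
-json='${{ steps.find-packages.outputs.packages }}'
+json="$PACKAGES_JSON"
 for package in $(echo "${json}" | jq -r '.[] | @base64'); do
 _jq() {
 echo ${package} | base64 --decode | jq -r ${1}
</export_update>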
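Review bot: The reason for the new `env:` indirection on lines 26-27, 35-36 and 115-116 — keeping `${{ }}` expressions out of `run:` scripts so that values derived from pull-request content (the package path list built by `find-packages`) are never expanded by the shell — is not recorded, and the previous form looks harmless enough that a later cleanup could inline the expressions again. A one-line comment at the first `env:` block would preserve the intent: `# pass ${{ }} values via env instead of interpolating them into run: (shell injection)`. Separately, `persist-credentials: false` on line 19 is followed by an explicit `git fetch ... origin` on line 22; that presumably works because the repository is publicly readable, and a comment noting that assumption would save a debugging round if the workflow is ever reused on a private fork.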
