diff --git a/.github/dependabot.yml b/.github/dependabot.yml index db86156..a47ec9b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,9 +4,11 @@ updates: - package-ecosystem: "github-actions" directory: "/" schedule: - interval: "daily" - # Too noisy. See https://community.github.com/t/increase-if-necessary-for-github-actions-in-dependabot/179581 - open-pull-requests-limit: 0 + interval: "weekly" + cooldown: + default-days: 7 + ignore: + - dependency-name: "yiisoft/*" # Maintain dependencies for Composer - package-ecosystem: "composer" diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml index 00041a9..0577a84 100644 --- a/.github/workflows/bc.yml +++ b/.github/workflows/bc.yml @@ -23,6 +23,9 @@ on: name: backwards compatibility +permissions: + contents: read + jobs: roave_bc_check: uses: yiisoft/actions/.github/workflows/bc.yml@master @@ -30,4 +33,4 @@ jobs: os: >- ['ubuntu-latest'] php: >- - ['8.1'] + ['8.4'] diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f980c7f..d3a7abc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -22,6 +22,9 @@ on: name: build +permissions: + contents: read + jobs: phpunit: uses: yiisoft/actions/.github/workflows/phpunit.yml@master diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml index 5473ec9..6c2e161 100644 --- a/.github/workflows/composer-require-checker.yml +++ b/.github/workflows/composer-require-checker.yml @@ -24,6 +24,9 @@ on: name: Composer require checker +permissions: + contents: read + jobs: composer-require-checker: uses: yiisoft/actions/.github/workflows/composer-require-checker.yml@master diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml index 8150499..1f7ad3d 100644 --- a/.github/workflows/mutation.yml +++ b/.github/workflows/mutation.yml @@ -20,6 +20,9 @@ on: name: mutation test +permissions: + contents: read + jobs: mutation: uses: yiisoft/actions/.github/workflows/roave-infection.yml@master diff --git a/.github/workflows/rector.yml b/.github/workflows/rector.yml index 35411d0..98a6ff7 100644 --- a/.github/workflows/rector.yml +++ b/.github/workflows/rector.yml @@ -11,11 +11,12 @@ on: name: rector +permissions: + contents: read + jobs: rector: uses: yiisoft/actions/.github/workflows/rector.yml@master - secrets: - token: ${{ secrets.YIISOFT_GITHUB_TOKEN }} with: os: >- ['ubuntu-latest'] diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index 8694d2d..f176c8e 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -22,6 +22,9 @@ on: name: static analysis +permissions: + contents: read + jobs: psalm: uses: yiisoft/actions/.github/workflows/psalm.yml@master diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..430255d --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,22 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: + - master + - main + paths: + - '.github/**.yml' + - '.github/**.yaml' + pull_request: + paths: + - '.github/**.yml' + - '.github/**.yaml' + +permissions: + actions: read # Required by zizmor when reading workflow metadata through the API. + contents: read # Required to read workflow files. + +jobs: + zizmor: + uses: yiisoft/actions/.github/workflows/zizmor.yml@master diff --git a/composer.json b/composer.json index df553e2..4503cb3 100644 --- a/composer.json +++ b/composer.json @@ -27,7 +27,7 @@ "rector/rector": "^0.18.3", "roave/infection-static-analysis-plugin": "^1.16", "spatie/phpunit-watcher": "^1.23", - "vimeo/psalm": "^4.30|^5.8" + "vimeo/psalm": "^4.30|^5.8|^6.16" }, "autoload": { "psr-4": {