
Commit 5c34fea

committed
ci: hash-pin all GitHub Actions and auto-merge Dependabot updates
Pin every external action to its commit SHA so mutable tags can no longer alter what runs in CI. The zizmor policy is switched from ref-pin to hash-pin to enforce this going forward. Dependabot already tracks the github-actions ecosystem weekly and will open PRs to bump the SHA pins. A new auto-merge workflow approves and squash-merges minor/patch GitHub Actions updates from Dependabot automatically, keeping pins current without manual churn. https://claude.ai/code/session_01YEC8c9bU4Mory8FFoiAS5T
1 parent 340f3db commit 5c34fea

11 files changed

Lines changed: 85 additions & 60 deletions


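--- a/.github/actions/watcher/action.yaml
+++ b/.github/actions/watcher/action.yaml
@@ -11,7 +11,7 @@ runs:
 GH_TOKEN: ${{ github.token }}
 - name: Cache e-dant/watcher
 id: cache-watcher
-uses: actions/cache@v4
+uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: watcher/target
 key: watcher-${{ runner.os }}-${{ runner.arch }}-${{ steps.determine-watcher-version.outputs.version }}-${{ env.CC && env.CC || 'gcc' }}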
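Review bot: The pin on line 14 keeps `actions/cache` at a v4 SHA (`# v4`) while `.github/workflows/sanitizers.yaml` in this same commit pins the same action at a v5 SHA (`27d5ce7f107fe9357f9df03efb73ab90386fccae # v5`), so the repository now carries two majors of one action and Dependabot will raise separate bumps for each; unless v4 is needed in this composite action for a specific reason, aligning it on the v5 pin used in sanitizers.yaml avoids the drift. Independently, the trailing `# v4` comment records only the major, so the SHA-to-release mapping is not readable without a lookup; Dependabot updates that comment together with the SHA either way, and writing the full tag the SHA resolves to (`# v4.<minor>.<patch>`, filled in from the release) keeps an audit of what actually ran self-contained. The `runs:` block this hunk belongs to starts outside the hunk.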

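--- /dev/null
+++ b/.github/workflows/dependabot.yaml
@@ -0,0 +1,25 @@
+---
+name: Dependabot Auto-Merge
+on: pull_request
+permissions: {}
+jobs:
+auto-merge:
+if: github.actor == 'dependabot[bot]'
+runs-on: ubuntu-latest
+permissions:
+contents: write
+pull-requests: write
+steps:
+- name: Fetch Dependabot metadata
+id: metadata
+uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2
+with:
+github-token: ${{ secrets.GITHUB_TOKEN }}
+- name: Auto-merge minor and patch GitHub Actions updates
+if: steps.metadata.outputs.package-ecosystem == 'github_actions' && steps.metadata.outputs.update-type != 'version-update:semver-major'
+env:
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+PR_URL: ${{ github.event.pull_request.html_url }}
+run: |
+gh pr review --approve "${PR_URL}"
+gh pr merge --auto --squash "${PR_URL}"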
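Review bot: The merge gate on the second step's `if` (line 19) admits every update-type other than `version-update:semver-major`, which also lets through an empty or unrecognised value should fetch-metadata fail to classify a bump (a plausible case for a SHA pin whose version comment is missing); an allowlist is the tighter form: `if: steps.metadata.outputs.package-ecosystem == 'github_actions' && (steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch')`. The approval and the merge are both issued with the same `GITHUB_TOKEN`, so if branch protection requires a single approving review this workflow satisfies it by itself and no person sees the new SHA before it lands; that matches the commit's stated goal, but it deserves a comment above the step so the trade-off is explicit, e.g. `# Approval comes from github-actions[bot]; required status checks are the only remaining gate before merge.` The `github.actor` gate on the job also means a Dependabot branch that a human has pushed to stops being auto-merged, which is the behaviour one wants here and is worth stating in the same comment.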

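--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -53,12 +53,12 @@ jobs:
 ref: ${{ steps.check.outputs.ref || (github.event_name == 'workflow_dispatch' && inputs.version) || '' }}
 base_fingerprint: ${{ steps.check.outputs.base_fingerprint }}
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 persist-credentials: false
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@v4
+uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 - name: Check PHP versions and base image fingerprint
 id: check
 env:
@@ -121,23 +121,23 @@ jobs:
 run: echo "sanitized_platform=${PLATFORM//\//-}" >> "${GITHUB_OUTPUT}"
 env:
 PLATFORM: ${{ matrix.platform }}
-- uses: actions/checkout@v6
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: ${{ needs.prepare.outputs.ref }}
 persist-credentials: false
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@v4
+uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 with:
 platforms: ${{ matrix.platform }}
 - name: Login to DockerHub
-uses: docker/login-action@v4
+uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
 with:
 username: ${{ vars.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Build
 id: build
-uses: docker/bake-action@v7
+uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7
 with:
 pull: true
 load: ${{ !fromJson(needs.prepare.outputs.push) }}
@@ -178,15 +178,15 @@ jobs:
 VARIANT: ${{ matrix.variant }}
 - name: Upload builder metadata
 if: fromJson(needs.prepare.outputs.push)
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: metadata-builder-${{ matrix.variant }}-${{ steps.prepare.outputs.sanitized_platform }}
 path: /tmp/metadata/builder/*
 if-no-files-found: error
 retention-days: 1
 - name: Upload runner metadata
 if: fromJson(needs.prepare.outputs.push)
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: metadata-runner-${{ matrix.variant }}-${{ steps.prepare.outputs.sanitized_platform }}
 path: /tmp/metadata/runner/*
@@ -223,15 +223,15 @@ jobs:
 target: ["builder", "runner"]
 steps:
 - name: Download metadata
-uses: actions/download-artifact@v8
+uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 pattern: metadata-${{ matrix.target }}-${{ matrix.variant }}-*
 path: /tmp/metadata
 merge-multiple: true
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@v4
+uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 - name: Login to DockerHub
-uses: docker/login-action@v4
+uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
 with:
 username: ${{ vars.DOCKERHUB_USERNAME }}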

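--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -21,12 +21,12 @@ jobs:
 statuses: write
 steps:
 - name: Checkout Code
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 persist-credentials: false
 - name: Lint Code Base
-uses: super-linter/super-linter/slim@v8
+uses: super-linter/super-linter/slim@d24d9629088c26de5cc684fbe17d1843469c37e0 # v8
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 LINTER_RULES_PATH: /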

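--- a/.github/workflows/sanitizers.yaml
+++ b/.github/workflows/sanitizers.yaml
@@ -42,10 +42,10 @@ jobs:
 steps:
 - name: Remove local PHP
 run: sudo apt-get remove --purge --autoremove 'php*' 'libmemcached*'
-- uses: actions/checkout@v6
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
-- uses: actions/setup-go@v6
+- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
 with:
 go-version: "1.26"
 cache-dependency-path: |
@@ -59,7 +59,7 @@ jobs:
 echo archive="$(jq -r '.[] .source[] | select(.filename |endswith(".xz")) | "https://www.php.net/distributions/" + .filename' version.json)" >> "$GITHUB_OUTPUT"
 - name: Cache PHP
 id: cache-php
-uses: actions/cache@v5
+uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
 with:
 path: php/target
 key: php-sanitizers-${{ matrix.sanitizer }}-${{ runner.arch }}-${{ steps.determine-php-version.outputs.version }}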

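--- a/.github/workflows/static.yaml
+++ b/.github/workflows/static.yaml
@@ -64,12 +64,12 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 REF: ${{ (github.ref_type == 'tag' && github.ref_name) || (github.event_name == 'workflow_dispatch' && inputs.version) || '' }}
-- uses: actions/checkout@v6
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: ${{ steps.check.outputs.ref }}
 persist-credentials: false
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@v4
+uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 - name: Create platforms matrix
 id: matrix
 run: |
@@ -111,16 +111,16 @@ jobs:
 run: echo "sanitized_platform=${PLATFORM//\//-}" >> "${GITHUB_OUTPUT}"
 env:
 PLATFORM: ${{ matrix.platform }}
-- uses: actions/checkout@v6
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: ${{ needs.prepare.outputs.ref }}
 persist-credentials: false
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@v4
+uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 with:
 platforms: ${{ matrix.platform }}
 - name: Login to DockerHub
-uses: docker/login-action@v4
+uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
 with:
 username: ${{ vars.DOCKERHUB_USERNAME }}
@@ -140,7 +140,7 @@ jobs:
 REF: ${{ needs.prepare.outputs.ref }}
 - name: Build
 id: build
-uses: docker/bake-action@v7
+uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7
 with:
 pull: true
 load: ${{ !fromJson(needs.prepare.outputs.push) || matrix.debug || matrix.mimalloc }}
@@ -172,7 +172,7 @@ jobs:
 METADATA: ${{ steps.build.outputs.metadata }}
 - name: Upload metadata
 if: fromJson(needs.prepare.outputs.push) && !matrix.debug && !matrix.mimalloc
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: metadata-static-builder-musl-${{ steps.prepare.outputs.sanitized_platform }}
 path: /tmp/metadata/*
@@ -192,7 +192,7 @@ jobs:
 PLATFORM: ${{ matrix.platform }}
 - name: Upload artifact
 if: ${{ !fromJson(needs.prepare.outputs.push) }}
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }}
 path: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }}
@@ -204,7 +204,7 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 REF: ${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref }}
 - if: fromJson(needs.prepare.outputs.push) && (needs.prepare.outputs.ref || github.ref_type == 'tag')
-uses: actions/attest-build-provenance@v4
+uses: actions/attest-build-provenance@b3e506e8c389afc651c5bacf2b8f2a1ea0557215 # v4
 with:
 subject-path: ${{ github.workspace }}/frankenphp-linux-*
 - name: Run sanity checks
@@ -267,7 +267,7 @@ jobs:
 run: echo "sanitized_platform=${PLATFORM//\//-}" >> "${GITHUB_OUTPUT}"
 env:
 PLATFORM: ${{ matrix.platform }}
-- uses: actions/checkout@v6
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: ${{ needs.prepare.outputs.ref }}
 persist-credentials: false
@@ -285,18 +285,18 @@ jobs:
 env:
 REF: ${{ needs.prepare.outputs.ref }}
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@v4
+uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 with:
 platforms: ${{ matrix.platform }}
 - name: Login to DockerHub
-uses: docker/login-action@v4
+uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
 with:
 username: ${{ vars.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Build
 id: build
-uses: docker/bake-action@v7
+uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7
 with:
 pull: true
 load: ${{ !fromJson(needs.prepare.outputs.push) }}
@@ -326,7 +326,7 @@ jobs:
 METADATA: ${{ steps.build.outputs.metadata }}
 - name: Upload metadata
 if: fromJson(needs.prepare.outputs.push)
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: metadata-static-builder-gnu-${{ steps.prepare.outputs.sanitized_platform }}
 path: /tmp/metadata-gnu/*
@@ -352,7 +352,7 @@ jobs:
 PLATFORM: ${{ matrix.platform }}
 - name: Upload artifact
 if: ${{ !fromJson(needs.prepare.outputs.push) }}
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}-gnu-files
 path: gh-output/*
@@ -363,7 +363,7 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 REF: ${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref }}
 - if: fromJson(needs.prepare.outputs.push) && (needs.prepare.outputs.ref || github.ref_type == 'tag')
-uses: actions/attest-build-provenance@v4
+uses: actions/attest-build-provenance@b3e506e8c389afc651c5bacf2b8f2a1ea0557215 # v4
 with:
 subject-path: ${{ github.workspace }}/gh-output/frankenphp-linux-*-gnu
 - name: Run sanity checks
@@ -391,21 +391,21 @@ jobs:
 if: fromJson(needs.prepare.outputs.push)
 steps:
 - name: Download metadata
-uses: actions/download-artifact@v8
+uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 pattern: metadata-static-builder-musl-*
 path: /tmp/metadata
 merge-multiple: true
 - name: Download GNU metadata
-uses: actions/download-artifact@v8
+uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 pattern: metadata-static-builder-gnu-*
 path: /tmp/metadata-gnu
 merge-multiple: true
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@v4
+uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 - name: Login to DockerHub
-uses: docker/login-action@v4
+uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
 with:
 username: ${{ vars.DOCKERHUB_USERNAME }}
@@ -454,11 +454,11 @@ jobs:
 env:
 HOMEBREW_NO_AUTO_UPDATE: 1
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: ${{ needs.prepare.outputs.ref }}
 persist-credentials: false
-- uses: actions/setup-go@v6
+- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
 with: # zizmor: ignore[cache-poisoning]
 go-version: "1.26"
 cache-dependency-path: |
@@ -486,17 +486,17 @@ jobs:
 NO_COMPRESS: ${{ github.event_name == 'pull_request' && '1' || '' }}
 - name: Upload logs
 if: ${{ failure() }}
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 path: dist/static-php-cli/log
 name: static-php-cli-log-${{ matrix.platform }}-${{ github.sha }}
 - if: needs.prepare.outputs.ref || github.ref_type == 'tag'
-uses: actions/attest-build-provenance@v4
+uses: actions/attest-build-provenance@b3e506e8c389afc651c5bacf2b8f2a1ea0557215 # v4
 with:
 subject-path: ${{ github.workspace }}/dist/frankenphp-mac-*
 - name: Upload artifact
 if: github.ref_type == 'branch'
-uses: actions/upload-artifact@v7
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: frankenphp-mac-${{ matrix.platform }}
 path: dist/frankenphp-mac-${{ matrix.platform }}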
