Unpushed commits (local main ahead of origin/main) #59
Pull request overview
Adds a dedicated GitHub Actions workflow to run Composer security audits when dependency manifests change and on a weekly schedule.
Changes:
- Introduces a new Composer audit workflow triggered on composer.json/composer.lock changes, schedule, and manual dispatch.
- Sets up PHP 8.4 and runs Composer commands to resolve dependencies and audit.
```
composer update --no-interaction --no-ansi
composer audit
```
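Review bot: because `composer update` runs ahead of `composer audit` in these two lines, the weekly scheduled run resolves a new dependency set on every execution, so the result depends on what the package registry returns that day rather than on the committed composer.lock, and a failing run cannot be reproduced from the repository state alone. Audit the committed lock file instead (`composer audit --locked`) so a red run points at a specific pinned version.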
Running composer update before composer audit means the audit is performed against freshly-updated dependencies rather than the versions in composer.lock. This can let a vulnerable version that’s committed in the lockfile pass CI because the workflow upgrades it in the runner. Prefer auditing the lockfile/installed locked deps (e.g., install from composer.lock and audit with the locked set) so the check reflects what’s actually in the repo.
Suggested change:

```diff
-composer update --no-interaction --no-ansi
-composer audit
+composer install --no-interaction --no-ansi --no-progress
+composer audit --locked
```
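Review bot: `composer audit --locked` in the suggested lines reads composer.lock directly, so the preceding `composer install` step is only needed if a later step uses vendor/; dropping it also removes a way for the job to fail on platform requirements (missing PHP extensions) that have nothing to do with the audit. A `composer validate --strict` step before the audit would additionally catch a lock file that has drifted from composer.json, which the suggestion as written still does not detect.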
Local main was 24 commit(s) ahead of origin/main. Opened from update-opensource-active.sh for review.
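For reference, an added example of what the job looks like once the review suggestion is applied. This is not the workflow from this PR; the file name, the cron expression, the checkout and setup-php action versions, and the `permissions` block are assumptions.

```yaml
# Added example, not the PR's workflow: audit the committed composer.lock
# rather than a freshly resolved dependency set.
# Assumed path: .github/workflows/composer-audit.yml
name: Composer audit

on:
  push:
    paths:
      - composer.json
      - composer.lock
  pull_request:
    paths:
      - composer.json
      - composer.lock
  schedule:
    - cron: '17 6 * * 1'   # assumed schedule: weekly, Mondays 06:17 UTC
  workflow_dispatch:

permissions:
  contents: read           # the audit only reads the repository

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: shivammathur/setup-php@v2
        with:
          php-version: '8.4'
          tools: composer:v2

      # Fail early if composer.lock no longer matches composer.json;
      # --strict turns that warning into a non-zero exit, so the audit
      # below never reports on stale pins.
      - run: composer validate --strict --no-check-publish

      # Audit the locked package set without installing anything:
      # --locked reads composer.lock directly, so vendor/ is not needed.
      - run: composer audit --locked --no-interaction --no-ansi
```

Because nothing is installed, the job cannot pass by upgrading a vulnerable package in the runner, and a failure always maps to a version that is pinned in the repository.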