diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 807e7d53..420b4f4e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -205,7 +205,7 @@ jobs:
 persist-credentials: false
 - name: Set up PHP
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
 with:
 php-version: ${{ env.PHP_VERSION }}
 extensions: bcmath, curl, gd, intl, mbstring, pdo_mysql, pdo_sqlite, sqlite3, xml, zip
@@ -247,7 +247,7 @@ jobs:
 persist-credentials: false
 - name: Set up PHP
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
 with:
 php-version: ${{ env.PHP_VERSION }}
 extensions: bcmath, curl, gd, intl, mbstring, pdo_mysql, pdo_sqlite, sqlite3, xml, zip
@@ -325,7 +325,7 @@ jobs:
 persist-credentials: false
 - name: Set up PHP
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
 with:
 php-version: ${{ env.PHP_VERSION }}
 extensions: bcmath, curl, gd, intl, mbstring, pdo_mysql, pdo_sqlite, sqlite3, xml, zip
@@ -423,10 +423,10 @@ jobs:
 persist-credentials: false
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
 - name: Build Docker image
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
 with:
 context: .
 load: true
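Review bot: The version comments on the new Docker pins in the `@@ -423,10` hunk are less precise than the ones this same commit writes elsewhere, which makes the SHA pins harder to audit. Here `d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5` and `f9f3042f7e2789586610d6e8b85c8f03e5195baf` are annotated `# v4` and `# v7`, while devcontainer-publish.yml annotates the same two SHAs `# v4.1.0` and `# v7.2.0`. I would carry the exact tag everywhere, e.g. `uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0` and `uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0`. The same applies to the `# v4` / `# v6` / `# v7` comments in docker-publish.yml, the `docker/login-action` pins in cosign-verify.yml and security.yml (`# v4.2.0` per devcontainer-publish.yml), and the `upload-sarif` pins in security.yml (`# v4.36.0` per codeql.yml); the exact release behind the `setup-php` `# v2` pins is not visible on this page.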
@@ -464,7 +464,7 @@ jobs:
 persist-credentials: false
 - name: Set up PHP
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
 with:
 php-version: ${{ env.PHP_VERSION }}
 extensions: bcmath, curl, gd, intl, mbstring, pdo_mysql, pdo_sqlite, sqlite3, xml, zip
@@ -509,7 +509,7 @@ jobs:
 persist-credentials: false
 - name: Set up PHP
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
 with:
 php-version: ${{ env.PHP_VERSION }}
 coverage: none
@@ -561,7 +561,7 @@ jobs:
 persist-credentials: false
 - name: Set up PHP
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
 with:
 php-version: ${{ env.PHP_VERSION }}
 extensions: bcmath, curl, gd, intl, mbstring, pdo_mysql, pdo_sqlite, sqlite3, xml, zip
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ab128c9d..745894b7 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -76,7 +76,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 (repo allow-listed SHA)
 - name: Initialize CodeQL
- uses: github/codeql-action/init@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3.35.5
+ uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 with:
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
@@ -94,7 +94,7 @@ jobs:
 # composer install --no-dev --no-progress here.
 - name: Perform CodeQL analysis
- uses: github/codeql-action/analyze@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3.35.5
+ uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 with:
 category: /language:${{ matrix.language }}
 # Upload SARIF to Security tab. Off-by-default for forks
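Review bot: The two `github/codeql-action` pins in codeql.yml (`init` in the `@@ -76,7` hunk, `analyze` in the `@@ -94,7` hunk) cross a major version, `# v3.35.5` to `# v4.36.0`, unlike every other bump on this page, so they should be reviewed separately from the patch-level updates. The inputs these steps pass (`languages`, `build-mode`, `category`) should be checked against the v4 release notes before merging. The checkout step in the context above is annotated `(repo allow-listed SHA)`; if that allow-list also governs other actions, `7211b7c8077ea37d8641b6271f6a365a22a5fbfa` presumably has to be on it, which cannot be confirmed from this diff. Once confirmed, the new lines could say so the same way, e.g. `# v4.36.0 (repo allow-listed SHA)`.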
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
index fcf10556..5af08472 100644
--- a/.github/workflows/copilot-setup-steps.yml
+++ b/.github/workflows/copilot-setup-steps.yml
@@ -32,7 +32,7 @@ jobs:
 persist-credentials: false
 - name: Setup PHP
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
 with:
 php-version: '8.4'
 extensions: mbstring, xml, bcmath, sqlite3, pdo_sqlite, gd, zip, curl
diff --git a/.github/workflows/cosign-verify.yml b/.github/workflows/cosign-verify.yml
index 8e35e39b..24459f15 100644
--- a/.github/workflows/cosign-verify.yml
+++ b/.github/workflows/cosign-verify.yml
@@ -46,7 +46,7 @@ jobs:
 persist-credentials: false
 - name: Log in to GHCR (read-only)
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
diff --git a/.github/workflows/dependabot-local-ci-bridge.yml b/.github/workflows/dependabot-local-ci-bridge.yml
index 45951873..2901158e 100644
--- a/.github/workflows/dependabot-local-ci-bridge.yml
+++ b/.github/workflows/dependabot-local-ci-bridge.yml
@@ -59,7 +59,7 @@ jobs:
 # --- Composer audit (mirrors security.yml: composer-audit) ---
 - name: Set up PHP
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
 with:
 php-version: ${{ env.PHP_VERSION }}
 coverage: none
@@ -127,7 +127,7 @@ jobs:
 # --- Typos (mirrors security.yml: typos, advisory) ---
 - name: Run typos
 continue-on-error: true
- uses: crate-ci/typos@cf5f1c29a8ac336af8568821ec41919923b05a83 # v1.45.1
+ uses: crate-ci/typos@7b04f660f4ee4f048d18fd341887cf28dfbedfe2 # v1.46.3
 # --- Post fop/local-ci/pr commit status ---
 # Uses gh api (same tooling as local-ci-attestation in ci.yml) to avoid
diff --git a/.github/workflows/devcontainer-publish.yml b/.github/workflows/devcontainer-publish.yml
index 2c3fc820..ee94f198 100644
--- a/.github/workflows/devcontainer-publish.yml
+++ b/.github/workflows/devcontainer-publish.yml
@@ -38,10 +38,10 @@ jobs:
 persist-credentials: false
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 - name: Log in to ghcr.io
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -49,7 +49,7 @@ jobs:
 - name: Extract metadata
 id: meta
- uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+ uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 tags: |
@@ -59,7 +59,7 @@ jobs:
 - name: Build and push
 id: build
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: .devcontainer
 file: .devcontainer/Containerfile
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 2021cbdd..d032f7de 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -42,10 +42,10 @@ jobs:
 persist-credentials: false
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
 - name: Log in to GHCR
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -53,7 +53,7 @@ jobs:
 - name: Extract image metadata
 id: meta
- uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+ uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 tags: |
@@ -64,7 +64,7 @@ jobs:
 type=semver,pattern={{major}}.{{minor}}
 - name: Build scan image
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
 with:
 context: .
 load: true
@@ -90,7 +90,7 @@ jobs:
 - name: Build and push
 id: push
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
 with:
 context: .
 push: true
diff --git a/.github/workflows/infection.yml b/.github/workflows/infection.yml
index 8ffcfcd8..27784d29 100644
--- a/.github/workflows/infection.yml
+++ b/.github/workflows/infection.yml
@@ -27,7 +27,7 @@ jobs:
 persist-credentials: false
 - name: Set up PHP (xdebug for coverage)
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
 with:
 php-version: '8.4'
 coverage: xdebug
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 75687bbf..ea770d5c 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -34,7 +34,7 @@ jobs:
 persist-credentials: false
 - name: Set up PHP
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
 with:
 php-version: ${{ env.PHP_VERSION }}
 coverage: none
@@ -82,7 +82,7 @@ jobs:
 persist-credentials: false
 - name: Set up PHP
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
 with:
 php-version: ${{ env.PHP_VERSION }}
 extensions: bcmath, curl, gd, intl, mbstring, pdo_mysql, xml, zip
@@ -145,7 +145,7 @@ jobs:
 persist-credentials: false
 - name: Set up PHP
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
 with:
 php-version: ${{ env.PHP_VERSION }}
 extensions: bcmath, curl, gd, intl, mbstring, pdo_mysql, pdo_sqlite, sqlite3, xml, zip
diff --git a/.github/workflows/openapi-drift.yml b/.github/workflows/openapi-drift.yml
index 9e9333d1..ac117af0 100644
--- a/.github/workflows/openapi-drift.yml
+++ b/.github/workflows/openapi-drift.yml
@@ -27,7 +27,7 @@ jobs:
 persist-credentials: false
 - name: Set up PHP
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
 with:
 php-version: '8.4'
 coverage: none
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 44b73e51..f51dafa5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -74,7 +74,7 @@ jobs:
 persist-credentials: false
 - name: Set up PHP
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
 with:
 php-version: ${{ env.PHP_VERSION }}
 extensions: bcmath, curl, gd, intl, mbstring, pdo_mysql, pdo_sqlite, sqlite3, xml, zip
diff --git a/.github/workflows/schemathesis.yml b/.github/workflows/schemathesis.yml
index d271ae1a..2c2a9e01 100644
--- a/.github/workflows/schemathesis.yml
+++ b/.github/workflows/schemathesis.yml
@@ -36,7 +36,7 @@ jobs: persist-credentials: false - name: Set up PHP - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2 + uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2 with: php-version: '8.4' extensions: bcmath, curl, gd, intl, mbstring, pdo_sqlite, sqlite3, xml, zip diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 1afc52ef..0553ba04 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -31,7 +31,7 @@ jobs: persist-credentials: false - name: Set up PHP - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2 + uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2 with: php-version: ${{ env.PHP_VERSION }} coverage: none @@ -94,7 +94,7 @@ jobs: skip-dirs: helm/ - name: Upload Trivy results to GitHub Security tab - uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4 + uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 if: always() && hashFiles('trivy-results.sarif') != '' with: sarif_file: trivy-results.sarif @@ -156,7 +156,7 @@ jobs: persist-credentials: false - name: Run typos continue-on-error: true - uses: crate-ci/typos@5374cbf686e897b15713110e233094e2874de7ef # v1.46.1 + uses: crate-ci/typos@7b04f660f4ee4f048d18fd341887cf28dfbedfe2 # v1.46.3 zizmor: name: Zizmor (GHA SAST, audit-mode) @@ -212,7 +212,7 @@ jobs: .github/workflows .gitea/workflows > zizmor.sarif - name: Upload Zizmor SARIF to GitHub Security tab - uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4 + uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 if: always() && hashFiles('zizmor.sarif') != '' continue-on-error: true with: 
@@ -271,7 +271,7 @@ jobs:
 --output=osv-scanner.sarif
 - name: Upload OSV-Scanner SARIF to GitHub Security tab
- uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
+ uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4
 if: always() && hashFiles('osv-scanner.sarif') != ''
 continue-on-error: true
 with:
@@ -298,7 +298,7 @@ jobs:
 persist-credentials: false
 - name: Log in to GHCR (read-only)
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -317,7 +317,7 @@ jobs:
 trivyignores: .trivyignore
 - name: Upload Trivy image SARIF to GitHub Security tab
- uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
+ uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4
 if: always() && hashFiles('trivy-image.sarif') != ''
 with:
 sarif_file: trivy-image.sarif
diff --git a/.github/workflows/visual-regression.yml b/.github/workflows/visual-regression.yml
index 82e65d4d..0c35238e 100644
--- a/.github/workflows/visual-regression.yml
+++ b/.github/workflows/visual-regression.yml
@@ -50,7 +50,7 @@ jobs:
 persist-credentials: false
 - name: Set up PHP
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
 with:
 php-version: ${{ env.PHP_VERSION }}
 extensions: bcmath, curl, gd, intl, mbstring, pdo_mysql, pdo_sqlite, sqlite3, xml, zip