From deb2299a774c40006819b4f23eaa7ce01bc26ae4 Mon Sep 17 00:00:00 2001 From: Shivam Mathur Date: Fri, 15 May 2026 23:56:20 +0530 Subject: [PATCH] Harden GitHub Actions workflows --- .github/dependabot.yml | 16 +++++++++++----- .github/workflows/codeql.yml | 13 +++++++++---- .github/workflows/docs.yml | 30 ++++++++++++++++++++---------- .github/workflows/node.yml | 11 ++++++++--- .github/workflows/php.yml | 21 +++++++++++++++------ .github/workflows/publish.yml | 27 +++++++++++++++++++-------- 6 files changed, 82 insertions(+), 36 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c00c6474..9507e9f9 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,7 +1,13 @@ version: 2 updates: -- package-ecosystem: "github-actions" - directory: "/" - target-branch: "develop" - schedule: - interval: "weekly" + - package-ecosystem: 'github-actions' + directory: '/' + target-branch: 'develop' + schedule: + interval: 'weekly' + groups: + github-actions: + patterns: + - '*' + cooldown: + default-days: 7 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 10fa47cb..ca283b00 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -5,9 +5,13 @@ on: - cron: '0 15 * * 6' permissions: contents: read +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: codeql: + name: CodeQL Analysis if: github.event.repository.fork == false permissions: actions: read # for github/codeql-action/init to get workflow details 
@@ -16,18 +20,19 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 2 + persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 with: config-file: ./.github/codeql/codeql-configuration.yml languages: javascript - name: Autobuild - uses: github/codeql-action/autobuild@v4 + uses: github/codeql-action/autobuild@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 464fb982..43cd6919 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -5,12 +5,15 @@ on: - cron: '0 15 * * 6' permissions: contents: read +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: create: if: github.event.repository.fork == false permissions: - contents: none + contents: none # this job only prepares artifacts and uploads them, no repository writes name: Create runs-on: ${{ matrix.operating-system }} strategy: @@ -20,7 +23,7 @@ jobs: php-versions: ['5.3', '5.4', '5.5', '5.6', '7.0', '7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4', '8.5', '8.6'] steps: - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2 with: php-version: ${{ matrix.php-versions }} tools: none @@ -39,7 +42,7 @@ jobs: run: | php -m | Out-File -FilePath "$env:file.all" -Append - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2 with: php-version: ${{ matrix.php-versions }} extensions: none 
@@ -72,7 +75,7 @@ jobs: version: ${{ matrix.php-versions }} if: matrix.operating-system == 'windows-2022' run: | - Write-Output "## PHP ${{ matrix.php-versions }}`n" | Out-File -FilePath "$env:file" + Write-Output "## PHP $env:version`n" | Out-File -FilePath "$env:file" Write-Output "``````" | Out-File -FilePath "$env:file" -Append php -m | Out-File -FilePath "$env:file.builtin" -Append Get-Content "$env:file.all" | ForEach-Object { @@ -88,7 +91,7 @@ jobs: Remove-Item "$env:file.all" -Force Remove-Item "$env:file.builtin" -Force - name: Upload artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: lists-php${{ matrix.php-versions }}-${{ matrix.operating-system }}.md path: php${{ matrix.php-versions }}-${{ matrix.operating-system }}.md @@ -101,19 +104,23 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: repository: ${{ github.repository }}.wiki + persist-credentials: false - name: Download artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: path: ${{ github.workspace }}/lists pattern: lists-* merge-multiple: true - name: Configure Git + env: + GIT_USER_EMAIL: 41898282+github-actions[bot]@users.noreply.github.com + GIT_USER_NAME: github-actions[bot] run : | - git config --local user.email "${{ secrets.email }}" - git config --local user.name "${{ github.repository_owner }}" + git config --local user.email "$GIT_USER_EMAIL" + git config --local user.name "$GIT_USER_NAME" - name: Combine run: | for os in ubuntu-24.04 ubuntu-22.04 windows-2025 windows-2022 windows-2019 macos-13 macos-14 macos-15 macos-26; do 
@@ -130,9 +137,12 @@ jobs: done rm -rf ./lists - name: Update + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + WIKI_REPOSITORY: ${{ github.repository }} run: | if [ "$(git status --porcelain=v1 2>/dev/null | wc -l)" != "0" ]; then git add . git commit -m "Update PHP extensions on wiki - $(date +'%d-%m-%y')" - git push -f https://${{ github.repository_owner }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.wiki.git master || true + git push -f https://x-access-token:${GITHUB_TOKEN}@github.com/${WIKI_REPOSITORY}.wiki.git master || true fi diff --git a/.github/workflows/node.yml b/.github/workflows/node.yml index f25b55d7..93e4bb72 100644 --- a/.github/workflows/node.yml +++ b/.github/workflows/node.yml @@ -18,10 +18,14 @@ on: - 'examples/**' permissions: contents: read +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: run: name: Run + environment: codecov runs-on: ${{ matrix.operating-system }} strategy: fail-fast: false @@ -29,12 +33,13 @@ jobs: operating-system: [ubuntu-latest, windows-latest, macos-latest] steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 2 + persist-credentials: false - name: Setup Node.js 24.x - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24.x @@ -54,7 +59,7 @@ jobs: run: npm audit - name: Send Coverage - uses: codecov/codecov-action@v6 + uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6 with: token: ${{ secrets.CODECOV_TOKEN }} files: coverage/lcov.info diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml index 6fd6cee7..2d55f7c4 100644 --- a/.github/workflows/php.yml +++ b/.github/workflows/php.yml 
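Review bot: The `|| true` on the rewritten `git push -f` line still hides every push failure, so the Update step reports success even when the token is rejected — for example if the update job's own permissions block, which lies outside this hunk, does not grant `contents: write` on top of the workflow-level `permissions: contents: read` seen in the first docs.yml hunk. Dropping `|| true` makes a stale wiki visible as a failed run instead of a silent no-op. Now that the token is supplied through `env`, it also no longer needs to travel in the URL, where it sits in the process arguments and can surface in git error output; a one-shot credential helper keeps it out: `git -c credential.helper='!f() { echo username=x-access-token; echo "password=$GITHUB_TOKEN"; }; f' push -f "https://github.com/${WIKI_REPOSITORY}.wiki.git" master`. The `if` block containing this line begins inside the hunk; the step's `run` scalar is shown in full.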
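Review bot: `environment: codecov` is attached to the whole `run` job, so any protection rule on that environment (required reviewers, wait timer, deployment-branch restriction) would gate every lint and test run across the three matrix runners, not only the later Send Coverage step, and a required-reviewer rule would leave push and pull-request runs pending. The environment's settings are not visible from the diff, so this is a request to confirm it carries no approval rules and exists only to scope `CODECOV_TOKEN`. Either way the intent deserves a comment for the next reader, e.g. `environment: codecov  # scopes CODECOV_TOKEN only; the environment must carry no approval rules or every CI run blocks`. If approval rules are actually wanted, the upload belongs in a separate job that depends on this one.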
@@ -19,8 +19,11 @@ on: - 'examples/**' permissions: contents: read +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true env: - default-php-version: '8.2' + default-php-version: '8.5' jobs: run: name: Run @@ -39,18 +42,20 @@ jobs: key: cache-v5 steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup cache environment id: cache-env - uses: shivammathur/cache-extensions@develop + uses: shivammathur/cache-extensions@256729b5fef535345e27904657f78048c0990f81 # v1 with: php-version: ${{ matrix.php-versions || env.default-php-version }} extensions: ${{ env.extensions }} key: ${{ env.key }} - name: Cache extensions - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: ${{ steps.cache-env.outputs.dir }} key: ${{ steps.cache-env.outputs.key }} @@ -58,8 +63,10 @@ jobs: - name: Stage php-version-file if: ${{ matrix.php-version-file == 'php-version-file' }} + env: + DEFAULT_PHP_VERSION: ${{ env.default-php-version }} run: | - echo ${{ env.default-php-version }} > php-version-file + echo "$DEFAULT_PHP_VERSION" > php-version-file - name: Setup PHP with extensions and custom config run: node dist/index.js @@ -70,9 +77,11 @@ jobs: ini-values: post_max_size=256M, short_open_tag=On, date.timezone=Asia/Kolkata - name: Testing PHP version + env: + EXPECTED_PHP_VERSION: ${{ matrix.php-versions || env.default-php-version }} run: | php -v - php -r "if(strpos(phpversion(), '${{ matrix.php-versions || env.default-php-version }}') === false) {throw new Exception('Wrong PHP version Installed');}" + php -r '$expected = getenv("EXPECTED_PHP_VERSION"); if(strpos(phpversion(), $expected) === false) {throw new Exception("Wrong PHP version Installed");}' - name: Testing Composer version run: | 
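Review bot: The rewritten version check on the last `php -r` line of the hunk passes vacuously when `EXPECTED_PHP_VERSION` is unset or empty: `getenv()` then yields `false` or `""`, `strpos()` coerces that to an empty needle, and on PHP 8 an empty needle matches at offset 0, so the `=== false` branch never fires and no exception is thrown. The `matrix.php-versions || env.default-php-version` expression should always populate the variable, but since this step exists precisely to catch a wrong installation, the empty case should fail as well: `php -r '$expected = (string) getenv("EXPECTED_PHP_VERSION"); if($expected === "" || strpos(phpversion(), $expected) === false) {throw new Exception("Wrong PHP version Installed");}'`.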
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index f861d8d8..68f8e832 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -10,29 +10,39 @@ on: tag: description: Tag name required: true +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: false +permissions: + contents: read jobs: build: - runs-on: ubuntu-latest + name: Build and Publish permissions: - contents: read - packages: write - id-token: write + contents: read # for actions/checkout + packages: write # For publishing to GitHub Packages + id-token: write # For authentication with npm registry + runs-on: ubuntu-latest steps: - name: Checkout release if: github.event_name != 'workflow_dispatch' - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Checkout tag - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 if: github.event_name == 'workflow_dispatch' with: ref: ${{ github.event.inputs.tag }} + persist-credentials: false - name: Setup Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: '24.x' registry-url: https://registry.npmjs.org + package-manager-cache: false - name: Install dependencies and add lib run: | @@ -45,9 +55,10 @@ jobs: run: npm publish --access public - name: Change to GitHub Packages registry - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: registry-url: https://npm.pkg.github.com + package-manager-cache: false scope: '@shivammathur' - name: Patch package.json