Merge pull request #982 from jrfnl/feature/ghactions-dont-run-cronjobs-on-forks

GH Actions: don't run cron jobs on forks
2025-08-07 06:04:41 +07:00 · 2025-08-04 20:07:42 +05:30 · 2025-08-04 16:23:49 +02:00 · 2025-08-02 12:12:58 +05:30 · 2025-07-30 22:30:05 +05:30 · 2025-07-29 19:08:58 +05:30
8 changed files with 107 additions and 16 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -8,6 +8,7 @@ permissions:

 jobs:
  codeql:
+    if: github.event.repository.fork == false
    permissions:
      actions: read  # for github/codeql-action/init to get workflow details
      contents: read  # for actions/checkout to fetch code
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@ -8,6 +8,7 @@ permissions:

 jobs:
  create:
+    if: github.event.repository.fork == false
    permissions:
      contents: none
    name: Create
@ -92,6 +93,7 @@ jobs:
          name: lists-php${{ matrix.php-versions }}-${{ matrix.operating-system }}.md
          path: php${{ matrix.php-versions }}-${{ matrix.operating-system }}.md
  update:
+    if: github.event.repository.fork == false
    permissions:
      contents: write  # for Git to git push
    name: Update
--- a/README.md
+++ b/README.md
@ -465,6 +465,7 @@ Disable coverage for these reasons:
 - Specify the GitHub token to use for authentication.
 - Accepts a `string`.
 - By default, `GITHUB_TOKEN` secret provided by GitHub Actions is used.
+- For GitHub Enterprise users, it is recommended to use a Personal Access Token (PAT).

 ### Outputs

@ -797,8 +798,6 @@ restore-keys: ${{ runner.os }}-composer-${{ matrix.prefer }}-

 By default, setup-php uses the `GITHUB_TOKEN` secret that is generated for each workflow run. In case you want to use a Personal Access Token (PAT) instead, you can set the `github-token` input.

-The `COMPOSER_TOKEN` and `GITHUB_TOKEN` environment variables have been deprecated in favor of the `github-token` input and will be removed in the next major version.
-
 ```yaml
 - name: Setup PHP
  uses: shivammathur/setup-php@v2
@ -807,6 +806,10 @@ The `COMPOSER_TOKEN` and `GITHUB_TOKEN` environment variables have been deprecat
    github-token: ${{ secrets.YOUR_PAT_TOKEN }}
 ```

+The `COMPOSER_TOKEN` and `GITHUB_TOKEN` environment variables have been deprecated in favor of the `github-token` input and will be removed in the next major version.
+
+For GitHub Enterprise users, the `github-token` input does not default to the `GITHUB_TOKEN` secret. Therefore, it's recommended to set the `github-token` input to a Personal Access Token (PAT).
+
 ### Private Packagist Authentication

 If you use Private Packagist for your private composer dependencies, you can set the `PACKAGIST_TOKEN` environment variable to authenticate.
--- a/package-lock.json
+++ b/package-lock.json
@ -1,12 +1,12 @@
 {
  "name": "setup-php",
-  "version": "2.35.0",
+  "version": "2.35.2",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "setup-php",
-      "version": "2.35.0",
+      "version": "2.35.2",
      "license": "MIT",
      "dependencies": {
        "@actions/core": "^1.11.1",
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "setup-php",
-  "version": "2.35.0",
+  "version": "2.35.2",
  "private": false,
  "description": "Setup PHP for use with GitHub Actions",
  "main": "lib/install.js",
--- a/src/scripts/extensions/patches/geos.sh
+++ b/src/scripts/extensions/patches/geos.sh
@ -1,7 +1,11 @@
 patch_geos() {
-  if [ "$(php -r "echo PHP_VERSION_ID;")" -ge 70000 ]; then
+  php_version_id="$(php -r "echo PHP_VERSION_ID;")"
+  if [ "$php_version_id" -ge 70000 ]; then
    sed -i~ -e "s/, ce->name/, ZSTR_VAL(ce->name)/; s/ulong /zend_ulong /" geos.c
  fi
+  if [ "$php_version_id" -ge 80500 ]; then
+    sed -i~ -e "s/zend_exception_get_default(TSRMLS_C)/zend_ce_exception/" geos.c
+  fi
  get -q -n /tmp/php8.patch https://git.remirepo.net/cgit/rpms/php/php-geos.git/plain/0003-add-all-arginfo-and-fix-build-with-PHP-8.patch
  get -q -n /tmp/toString.patch https://git.remirepo.net/cgit/rpms/php/php-geos.git/plain/0006-fix-__toString-with-8.2.patch
  patch -p1 < /tmp/php8.patch 2>/dev/null || true
--- a/src/scripts/tools/add_tools.ps1
+++ b/src/scripts/tools/add_tools.ps1
@ -28,6 +28,52 @@ Function Edit-ComposerConfig() {
  Set-ComposerAuth
 }

+# Function to update auth.json.
+Function Update-AuthJson {
+  [CmdletBinding()]
+  param(
+    [Parameter(Mandatory)][string[]] $ComposerAuth
+  )
+  if (Test-Path $composer_home\auth.json) {
+    try {
+      $existing = Get-Content $composer_home\auth.json -Raw | ConvertFrom-Json
+    } catch {
+      $existing = [PSCustomObject]@{}
+    }
+  } else {
+    $existing = [PSCustomObject]@{}
+  }
+  foreach ($fragment in $ComposerAuth) {
+    $piece = ('{' + $fragment + '}') | ConvertFrom-Json
+    foreach ($prop in $piece.PSObject.Properties) {
+      if ($prop.Name -eq 'http-basic') {
+        if (-not $existing.'http-basic') {
+          $existing | Add-Member -MemberType NoteProperty -Name 'http-basic' -Value ([PSCustomObject]@{}) -Force
+        }
+        foreach ($domainProp in $prop.Value.PSObject.Properties) {
+          $existing.'http-basic' | Add-Member -MemberType NoteProperty -Name $domainProp.Name -Value $domainProp.Value -Force
+        }
+      } else {
+        $existing | Add-Member -MemberType NoteProperty -Name $prop.Name -Value $prop.Value -Force
+      }
+    }
+  }
+  Set-Content -Path $composer_home\auth.json -Value ($existing | ConvertTo-Json -Depth 5)
+}
+
+function Test-GitHubPublicAccess {
+  param(
+    [Parameter(Mandatory=$true)]
+    [string]$Token
+  )
+  try {
+    Invoke-RestMethod -Uri 'https://api.github.com/' -Headers @{ Authorization = "token $Token" } -ErrorAction Stop | Out-Null
+    return $true
+  } catch {
+    return $false
+  }
+}
+
 # Function to setup authentication in composer.
 Function Set-ComposerAuth() {
  if(Test-Path env:COMPOSER_AUTH_JSON) {
@ -41,14 +87,18 @@ Function Set-ComposerAuth() {
  if(Test-Path env:PACKAGIST_TOKEN) {
    $composer_auth += '"http-basic": {"repo.packagist.com": { "username": "token", "password": "' + $env:PACKAGIST_TOKEN + '"}}'
  }
-  if(-not(Test-Path env:GITHUB_TOKEN) -and (Test-Path env:COMPOSER_TOKEN)) {
-    $env:GITHUB_TOKEN = $env:COMPOSER_TOKEN
-  }
-  if (Test-Path env:GITHUB_TOKEN) {
-    $composer_auth += '"github-oauth": {"github.com": "' + $env:GITHUB_TOKEN + '"}'
+  $write_token = $true
+  $token = if ($env:COMPOSER_TOKEN) { $env:COMPOSER_TOKEN } else { $env:GITHUB_TOKEN }
+  if ($token) {
+    if ($env:GITHUB_SERVER_URL -ne "https://github.com" -and -not(Test-GitHubPublicAccess $token)) {
+      $write_token = $false
+    }
+    if($write_token) {
+      $composer_auth += '"github-oauth": {"github.com": "' + $token + '"}'
+    }
  }
  if($composer_auth.length) {
-    Add-Env COMPOSER_AUTH ('{' + ($composer_auth -join ',') + '}')
+    Update-AuthJson $composer_auth
  }
 }

--- a/src/scripts/tools/add_tools.sh
+++ b/src/scripts/tools/add_tools.sh
@ -11,7 +11,7 @@ get_tool_version() {
  alp="[a-zA-Z0-9\.]"
  version_regex="[0-9]+((\.{1}$alp+)+)(\.{0})(-$alp+){0,1}"
  if [ "$tool" = "composer" ]; then
-    composer_alias_version="$(grep -Ea "const\sBRANCH_ALIAS_VERSION" "$tool_path_dir/composer" | grep -Eo "$version_regex")"
+    composer_alias_version="$(grep -Ea "const\sBRANCH_ALIAS_VERSION" "${tool_path_dir:?}/composer" | grep -Eo "$version_regex")"
    if [[ -n "$composer_alias_version" ]]; then
      composer_version="$composer_alias_version+$(grep -Ea "const\sVERSION" "$tool_path_dir/composer" | grep -Eo "$alp+" | tail -n 1)"
    else
@ -46,6 +46,30 @@ configure_composer() {
  set_composer_auth
 }

+# Function to merge auth.json fragments.
+update_auth_json() {
+  local auth_file="$composer_home/auth.json"
+  local merged
+  [[ -f "$auth_file" ]] && merged=$(<"$auth_file") || merged='{}'
+  for frag in "$@"; do
+    local obj="{$frag}"
+    merged=$(jq -n --argjson b "$merged" --argjson n "$obj" '
+      if $n|has("http-basic") then
+        (($b["http-basic"]//{}) + $n["http-basic"]) as $hb
+        | ($b + $n) | .["http-basic"] = $hb
+      else
+        $b + $n
+      end
+    ')
+  done
+  printf '%s' "$merged" > "$composer_home/auth.json"
+}
+
+# Function to check if public GitHub token authentication is possible.
+can_access_public_github() {
+  curl --fail -s -H "Authorization: token $1" 'https://api.github.com/' >/dev/null 2>&1
+}
+
 # Function to setup authentication in composer.
 set_composer_auth() {
  if [ -n "$COMPOSER_AUTH_JSON" ]; then
@ -59,11 +83,18 @@ set_composer_auth() {
  if [ -n "$PACKAGIST_TOKEN" ]; then
    composer_auth+=( '"http-basic": {"repo.packagist.com": { "username": "token", "password": "'"$PACKAGIST_TOKEN"'"}}' )
  fi
-  if [ -n "${GITHUB_TOKEN:-$COMPOSER_TOKEN}" ]; then
-    composer_auth+=( '"github-oauth": {"github.com": "'"${GITHUB_TOKEN:-$COMPOSER_TOKEN}"'"}' )
+  token="${COMPOSER_TOKEN:-$GITHUB_TOKEN}"
+  if [ -n "$token" ]; then
+    write_token=true
+    if [ "$GITHUB_SERVER_URL" != "https://github.com" ]; then
+      can_access_public_github "$token" || write_token=false
+    fi
+    if [ "$write_token" = 'true' ]; then
+      composer_auth+=( '"github-oauth": {"github.com": "'"$token"'"}' )
+    fi
  fi
  if ((${#composer_auth[@]})); then
-    add_env COMPOSER_AUTH "{$(IFS=$','; echo "${composer_auth[*]}")}"
+    update_auth_json "${composer_auth[@]}"
  fi
 }
Author	SHA1	Message	Date
Shivam Mathur	0ac4874a14	Merge pull request #982 from jrfnl/feature/ghactions-dont-run-cronjobs-on-forks GH Actions: don't run cron jobs on forks	2025-08-04 20:07:42 +05:30
jrfnl	c9735bcc02	GH Actions: don't run cron jobs on forks While workflows are disabled by default in forks, it is quite common for contributors to enable them to verify CI will pass before submitting a pull request. When enabling workflow runs in forks, it's "all or nothing". This means that: * All workflows which are only intended to be run on the canonical repo will also be enabled. These workflows will also often need access to repo-specific secrets and will typically fail when run from a fork. * Workflows which contain cron jobs will also be enabled. Depending on the type of account the contributor has, this can burn through their "CI minutes". This commit is based on a review of workflows containing cron jobs and disables running the jobs when a cron job is triggered in a fork.	2025-08-04 16:23:49 +02:00
Shivam Mathur	89b2566bb0	Check github-token on enterprise On GitHub enterprise we may get a Personal Access token or a default token generated by GitHub that maybe not have the permissions required to access public GitHub, so we check and add it only if it can authenticate with the public GitHub API	2025-08-02 12:12:58 +05:30
Shivam Mathur	dcec1cf0b4	Override GITHUB_TOKEN if COMPOSER_TOKEN is set	2025-07-30 22:30:05 +05:30
Shivam Mathur	ccf2c627fe	Bump version to 2.35.2	2025-07-29 19:08:58 +05:30
Shivam Mathur	2a597f617d	Fix race condition	2025-07-29 02:08:56 +05:30
Shivam Mathur	2282b6a082	Bump version to 2.35.1	2025-07-28 20:33:43 +05:30
Shivam Mathur	11373c6dce	Fix shellcheck in add_tools.sh [skip ci]	2025-07-28 20:13:02 +05:30
Shivam Mathur	50ad25710d	Use auth.json for composer authentication	2025-07-28 20:11:02 +05:30
Shivam Mathur	c1c6c51867	Update geos patch [skip ci]	2025-07-28 17:22:40 +05:30