Merge pull request #982 from jrfnl/feature/ghactions-dont-run-cronjobs-on-forks

GH Actions: don't run cron jobs on forks

.github/workflows/codeql.yml

@@ -8,6 +8,7 @@ permissions:
 
 jobs:
   codeql:
+    if: github.event.repository.fork == false
     permissions:
       actions: read  # for github/codeql-action/init to get workflow details
       contents: read  # for actions/checkout to fetch code

.github/workflows/docs.yml

@@ -8,6 +8,7 @@ permissions:
 
 jobs:
   create:
+    if: github.event.repository.fork == false
     permissions:
       contents: none
     name: Create
@@ -92,6 +93,7 @@ jobs:
           name: lists-php${{ matrix.php-versions }}-${{ matrix.operating-system }}.md
           path: php${{ matrix.php-versions }}-${{ matrix.operating-system }}.md
   update:
+    if: github.event.repository.fork == false
     permissions:
       contents: write  # for Git to git push
     name: Update

README.md

@@ -465,6 +465,7 @@ Disable coverage for these reasons:
 - Specify the GitHub token to use for authentication.
 - Accepts a `string`.
 - By default, `GITHUB_TOKEN` secret provided by GitHub Actions is used.
+- For GitHub Enterprise users, it is recommended to use a Personal Access Token (PAT).
 
 ### Outputs
 
@@ -797,8 +798,6 @@ restore-keys: ${{ runner.os }}-composer-${{ matrix.prefer }}-
 
 By default, setup-php uses the `GITHUB_TOKEN` secret that is generated for each workflow run. In case you want to use a Personal Access Token (PAT) instead, you can set the `github-token` input.
 
-The `COMPOSER_TOKEN` and `GITHUB_TOKEN` environment variables have been deprecated in favor of the `github-token` input and will be removed in the next major version.
-
 ```yaml
 - name: Setup PHP
   uses: shivammathur/setup-php@v2
@@ -807,6 +806,10 @@ The `COMPOSER_TOKEN` and `GITHUB_TOKEN` environment variables have been deprecat
     github-token: ${{ secrets.YOUR_PAT_TOKEN }}
 ```
 
+The `COMPOSER_TOKEN` and `GITHUB_TOKEN` environment variables have been deprecated in favor of the `github-token` input and will be removed in the next major version.
+
+For GitHub Enterprise users, the `github-token` input does not default to the `GITHUB_TOKEN` secret. Therefore, it's recommended to set the `github-token` input to a Personal Access Token (PAT).
+
 ### Private Packagist Authentication
 
 If you use Private Packagist for your private composer dependencies, you can set the `PACKAGIST_TOKEN` environment variable to authenticate.

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "setup-php",
-  "version": "2.35.1",
+  "version": "2.35.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "setup-php",
-      "version": "2.35.1",
+      "version": "2.35.2",
       "license": "MIT",
       "dependencies": {
         "@actions/core": "^1.11.1",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "setup-php",
-  "version": "2.35.1",
+  "version": "2.35.2",
   "private": false,
   "description": "Setup PHP for use with GitHub Actions",
   "main": "lib/install.js",

src/scripts/tools/add_tools.ps1

@@ -28,8 +28,8 @@ Function Edit-ComposerConfig() {
   Set-ComposerAuth
 }
 
-# Function to merge auth.json fragments.
+# Function to update auth.json.
-Function Get-MergedAuthJson {
+Function Update-AuthJson {
   [CmdletBinding()]
   param(
     [Parameter(Mandatory)][string[]] $ComposerAuth
@@ -58,7 +58,20 @@ Function Get-MergedAuthJson {
       }
     }
   }
-  return $existing | ConvertTo-Json -Depth 5
+  Set-Content -Path $composer_home\auth.json -Value ($existing | ConvertTo-Json -Depth 5)
+}
+
+function Test-GitHubPublicAccess {
+  param(
+    [Parameter(Mandatory=$true)]
+    [string]$Token
+  )
+  try {
+    Invoke-RestMethod -Uri 'https://api.github.com/' -Headers @{ Authorization = "token $Token" } -ErrorAction Stop | Out-Null
+    return $true
+  } catch {
+    return $false
+  }
 }
 
 # Function to setup authentication in composer.
@@ -74,14 +87,18 @@ Function Set-ComposerAuth() {
   if(Test-Path env:PACKAGIST_TOKEN) {
     $composer_auth += '"http-basic": {"repo.packagist.com": { "username": "token", "password": "' + $env:PACKAGIST_TOKEN + '"}}'
   }
-  if(-not(Test-Path env:GITHUB_TOKEN) -and (Test-Path env:COMPOSER_TOKEN)) {
+  $write_token = $true
-    $env:GITHUB_TOKEN = $env:COMPOSER_TOKEN
+  $token = if ($env:COMPOSER_TOKEN) { $env:COMPOSER_TOKEN } else { $env:GITHUB_TOKEN }
-  }
+  if ($token) {
-  if (Test-Path env:GITHUB_TOKEN) {
+    if ($env:GITHUB_SERVER_URL -ne "https://github.com" -and -not(Test-GitHubPublicAccess $token)) {
-    $composer_auth += '"github-oauth": {"github.com": "' + $env:GITHUB_TOKEN + '"}'
+      $write_token = $false
+    }
+    if($write_token) {
+      $composer_auth += '"github-oauth": {"github.com": "' + $token + '"}'
+    }
   }
   if($composer_auth.length) {
-    Set-Content -Path $composer_home\auth.json -Value (Get-MergedAuthJson $composer_auth)
+    Update-AuthJson $composer_auth
   }
 }
 

src/scripts/tools/add_tools.sh

@@ -47,7 +47,7 @@ configure_composer() {
 }
 
 # Function to merge auth.json fragments.
-get_merged_auth_json() {
+update_auth_json() {
   local auth_file="$composer_home/auth.json"
   local merged
   [[ -f "$auth_file" ]] && merged=$(<"$auth_file") || merged='{}'
@@ -62,7 +62,12 @@ get_merged_auth_json() {
       end
     ')
   done
-  printf '%s' "$merged"
+  printf '%s' "$merged" > "$composer_home/auth.json"
+}
+
+# Function to check if public GitHub token authentication is possible.
+can_access_public_github() {
+  curl --fail -s -H "Authorization: token $1" 'https://api.github.com/' >/dev/null 2>&1
 }
 
 # Function to setup authentication in composer.
@@ -78,11 +83,18 @@ set_composer_auth() {
   if [ -n "$PACKAGIST_TOKEN" ]; then
     composer_auth+=( '"http-basic": {"repo.packagist.com": { "username": "token", "password": "'"$PACKAGIST_TOKEN"'"}}' )
   fi
-  if [ -n "${GITHUB_TOKEN:-$COMPOSER_TOKEN}" ]; then
+  token="${COMPOSER_TOKEN:-$GITHUB_TOKEN}"
-    composer_auth+=( '"github-oauth": {"github.com": "'"${GITHUB_TOKEN:-$COMPOSER_TOKEN}"'"}' )
+  if [ -n "$token" ]; then
+    write_token=true
+    if [ "$GITHUB_SERVER_URL" != "https://github.com" ]; then
+      can_access_public_github "$token" || write_token=false
+    fi
+    if [ "$write_token" = 'true' ]; then
+      composer_auth+=( '"github-oauth": {"github.com": "'"$token"'"}' )
+    fi
   fi
   if ((${#composer_auth[@]})); then
-    get_merged_auth_json "${composer_auth[@]}" | tee "$composer_home/auth.json" >/dev/null
+    update_auth_json "${composer_auth[@]}"
   fi
 }