diff --git a/.github/workflows/claude-react-on-comment.yml b/.github/workflows/claude-react-on-comment.yml index 982a027..8d00d6c 100644 --- a/.github/workflows/claude-react-on-comment.yml +++ b/.github/workflows/claude-react-on-comment.yml @@ -28,6 +28,11 @@ jobs: outputs: triggered: ${{ steps.check.outputs.triggered }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Check for trigger phrase" id: check env: @@ -47,11 +52,16 @@ jobs: timeout-minutes: 60 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "React to feedback" - uses: anthropics/claude-code-action@v1 + uses: anthropics/claude-code-action@35a9e0292d36f1186f5d842b14eb575074e8b450 # v1.0.57 with: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} trigger_phrase: "@phpstan-bot" diff --git a/.github/workflows/lock-closed-issues.yml b/.github/workflows/lock-closed-issues.yml index 7d84dc8..fda7bbb 100644 --- a/.github/workflows/lock-closed-issues.yml +++ b/.github/workflows/lock-closed-issues.yml @@ -4,11 +4,21 @@ on: schedule: - cron: '4 0 * * *' +permissions: + contents: read + jobs: lock: + permissions: + issues: write # for dessant/lock-threads to lock issues runs-on: ubuntu-latest steps: - - uses: dessant/lock-threads@v5 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + + - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1 with: github-token: ${{ github.token }} issue-inactive-days: '31' diff --git a/.github/workflows/phpstan.yml b/.github/workflows/phpstan.yml index 9b24b78..d896756 100644 --- a/.github/workflows/phpstan.yml +++ b/.github/workflows/phpstan.yml @@ -13,15 +13,23 @@ on: - 'extractor/**' - '.github/workflows/phpstan.yml' +permissions: + contents: read + jobs: phpstan: name: "PHPStan" runs-on: "ubuntu-latest" steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.3" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6a6b963..c0a43d5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -9,16 +9,26 @@ on: concurrency: release +permissions: + contents: read + jobs: deploy: + permissions: + contents: write # for softprops/action-gh-release to create GitHub release name: "Deploy" runs-on: "ubuntu-latest" steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: "Create release" - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 with: token: ${{ secrets.PHPSTAN_BOT_TOKEN }} diff --git a/.github/workflows/send-pr.yml b/.github/workflows/send-pr.yml index 94faded..85e54fd 100644 --- a/.github/workflows/send-pr.yml +++ b/.github/workflows/send-pr.yml @@ -6,19 +6,27 @@ on: release: types: [published] +permissions: + contents: read + jobs: send-pr: name: "Send pull request" runs-on: "ubuntu-latest" steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.3" - name: "Checkout phpstan-src" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: repository: phpstan/phpstan-src ref: 2.1.x @@ -40,7 +48,7 @@ jobs: - name: "Create Pull Request" id: create-pr - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11 with: token: ${{ secrets.PHPSTAN_BOT_TOKEN }} path: ./phpstan-src diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml index 42c6c23..bab4640 100644 --- a/.github/workflows/update.yml +++ b/.github/workflows/update.yml @@ -16,18 +16,23 @@ jobs: name: "Update stubs" runs-on: "ubuntu-latest" steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout to commit" if: github.event_name != 'pull_request' - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: ${{ github.head_ref }} fetch-depth: '0' token: ${{ secrets.PHPSTAN_BOT_TOKEN }} - name: "Checkout to only read" if: github.event_name == 'pull_request' - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 with: coverage: "none" php-version: "8.3" @@ -35,7 +40,7 @@ jobs: run: "composer install" working-directory: ./extractor - name: "Checkout" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: repository: "php/php-src" path: "php-src" @@ -47,7 +52,7 @@ jobs: - name: "Delete checked out php-src repo" run: "rm -rf php-src" - name: "Checkout PHP 8.1" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: repository: "php/php-src" path: "php-src" @@ -60,7 +65,7 @@ jobs: - name: "Delete checked out php-src repo" run: "rm -rf php-src" - name: "Checkout PHP 8.2" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: repository: "php/php-src" path: "php-src" @@ -73,7 +78,7 @@ jobs: - name: "Delete checked out php-src repo" run: "rm -rf php-src" - name: "Checkout PHP 8.3" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: repository: "php/php-src" path: "php-src" @@ -86,7 +91,7 @@ jobs: - name: "Delete checked out php-src repo" run: "rm -rf php-src" - name: "Checkout PHP 8.4" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: repository: "php/php-src" path: "php-src" @@ -99,7 +104,7 @@ jobs: - name: "Delete checked out php-src repo" run: "rm -rf php-src" - name: "Checkout PHP 8.5" - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: repository: "php/php-src" path: "php-src" @@ -111,17 +116,17 @@ jobs: - name: 'Get previous tag' id: previous_tag - uses: "WyriHaximus/github-action-get-previous-tag@v1" + uses: "WyriHaximus/github-action-get-previous-tag@04e8485ecb6487243907e330d522ff60f02283ce" # v1.4.0 with: fallback: 0.1.0 - name: 'Get next minor version' id: semvers - uses: "WyriHaximus/github-action-next-semvers@v1" + uses: "WyriHaximus/github-action-next-semvers@d079934efaf011a4cf8912d4637097fe35d32b93" # v1 with: version: ${{ steps.previous_tag.outputs.tag }} - name: "Commit changes" if: github.event_name != 'pull_request' - uses: "stefanzweifel/git-auto-commit-action@v6" + uses: "stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0" # v6.0.1 id: "commit" with: commit_message: "Update stubs"