From 64ebe5db57d91f83a3012a4a8753b9584d290039 Mon Sep 17 00:00:00 2001
From: Kevin van Zonneveld <kevin@vanzonneveld.net>
Date: Mon, 8 Jun 2026 12:16:28 +0200
Subject: [PATCH 1/2] Replace Composer install action

---
 .github/workflows/ci.yml | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9e3db60..9af50b1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -37,10 +37,24 @@ jobs:
           php-version: ${{ matrix.php }}
           tools: php-cs-fixer, phpunit
           coverage: ${{ matrix.php == '8.1' && matrix.dependencies == 'locked' && 'xdebug' || 'none' }}
-      - uses: ramsey/composer-install@v3
-        with:
-          dependency-versions: ${{ matrix.dependencies }}
-          composer-options: '--ignore-platform-reqs'
+      - name: Install Composer dependencies
+        run: |
+          set -euo pipefail
+          case "${{ matrix.dependencies }}" in
+            locked)
+              composer install --no-interaction --prefer-dist --ignore-platform-reqs
+              ;;
+            lowest)
+              composer update --no-interaction --prefer-dist --ignore-platform-reqs --prefer-lowest
+              ;;
+            highest)
+              composer update --no-interaction --prefer-dist --ignore-platform-reqs
+              ;;
+            *)
+              echo "Unsupported dependency mode: ${{ matrix.dependencies }}" >&2
+              exit 1
+              ;;
+          esac
       - name: Test with Coverage
         if: matrix.php == '8.1' && matrix.dependencies == 'locked'
         run: |

From 2a647a7e93b7cccb202b037a466ef247b6138203 Mon Sep 17 00:00:00 2001
From: Kevin van Zonneveld <kevin@vanzonneveld.net>
Date: Mon, 8 Jun 2026 14:42:07 +0200
Subject: [PATCH 2/2] Harden GitHub Action references

---
 .github/workflows/ci.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9af50b1..5da4834 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -24,15 +24,15 @@ jobs:
           - highest
     name: PHP ${{ matrix.php }} - ${{ matrix.dependencies }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 1
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: '20'
       - name: Install tsx
         run: npm install -g tsx
-      - uses: shivammathur/setup-php@v2
+      - uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
         with:
           php-version: ${{ matrix.php }}
           tools: php-cs-fixer, phpunit
@@ -73,7 +73,7 @@ jobs:
           TEST_NODE_PARITY: 1
       - name: Publish Coverage Report
         if: github.event_name == 'pull_request' && matrix.php == '8.1' && matrix.dependencies == 'locked'
-        uses: lucassabreu/comment-coverage-clover@v0.13.0
+        uses: lucassabreu/comment-coverage-clover@03f6635d40eed0594269416270abb9f72dfeae4b # v0.16.0
         with:
           file: ./build/logs/clover.xml
           with-table: true