From 2e3083809b851265f58c4f71cb34db2269faf748 Mon Sep 17 00:00:00 2001
From: El Mehdi Abenhazou
Date: Thu, 4 Jun 2026 21:38:32 +0000
Subject: [PATCH 1/2] ci: pin GitHub Actions to full commit SHAs

Pins all third-party GitHub Actions from mutable version tags (e.g. @v4, @v5) to exact commit SHAs, following GitHub's security hardening guide and OpenSSF Scorecard recommendations. This prevents silent supply chain attacks if an action's tag is moved to a malicious commit. Each pinned action retains the version tag as a comment for readability.

Signed-off-by: El Mehdi Abenhazou
---
 .github/workflows/close-needs-feedback.yml | 2 +-
 .../close-stale-feature-requests.yml | 2 +-
 .github/workflows/close-stale-prs.yml | 2 +-
 .github/workflows/docs.yml | 4 +--
 .github/workflows/labeler.yml | 2 +-
 .github/workflows/real-time-benchmark.yml | 10 +++---
 .github/workflows/remove-needs-feedback.yml | 4 +--
 .github/workflows/test-suite.yml | 34 +++++++++----------
 .github/workflows/test.yml | 4 +--
 .github/workflows/unit-tests.yml | 4 +--
 .github/workflows/verify-bundled-files.yml | 4 +--
 11 files changed, 36 insertions(+), 36 deletions(-)

diff --git a/.github/workflows/close-needs-feedback.yml b/.github/workflows/close-needs-feedback.yml
index 761618075d2c..8bbd155b1b99 100644
--- a/.github/workflows/close-needs-feedback.yml
+++ b/.github/workflows/close-needs-feedback.yml
@@ -16,7 +16,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Close old issues that need feedback
- uses: dwieeb/needs-reply@v2
+ uses: dwieeb/needs-reply@71e8d5144caa0d4a1e292348bfafa3866d08c855 # v2
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 issue-label: "Status: Needs Feedback"
diff --git a/.github/workflows/close-stale-feature-requests.yml b/.github/workflows/close-stale-feature-requests.yml
index 5e2956d0ab85..ea8e095b7898 100644
--- a/.github/workflows/close-stale-feature-requests.yml
+++ b/.github/workflows/close-stale-feature-requests.yml
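Review bot: The SHA `71e8d5144caa0d4a1e292348bfafa3866d08c855` that this hunk pins `dwieeb/needs-reply` to is the same SHA the docs.yml hunk pins `sphinx-notes/pages` to, and one commit cannot belong to two unrelated repositories, so at least one of these two pins does not resolve to the tag named in its comment. Each pin in the series should be re-resolved from its tag in the action's own repository (for example by comparing against `git ls-remote` output for that tag) before this lands, because a pin that points at the wrong commit either fails at run time or runs code that the comment does not describe. It would also help to record the full tag in the comment for every pinned action (`# v2.0.0` rather than `# v2`), since a major-version tag moves over time and the comment then cannot be audited against the SHA later; pin updaters such as Dependabot read that comment to decide the current version.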
@@ -15,7 +15,7 @@ jobs:
 issues: write
 pull-requests: write
 steps:
- - uses: actions/stale@v9
+ - uses: actions/stale@e42e6681d2906409c5dde4a315af6214eaa890ee # v9
 with:
 days-before-close: 14
 days-before-stale: 90
diff --git a/.github/workflows/close-stale-prs.yml b/.github/workflows/close-stale-prs.yml
index 9530bae99edb..15e6858321dc 100644
--- a/.github/workflows/close-stale-prs.yml
+++ b/.github/workflows/close-stale-prs.yml
@@ -15,7 +15,7 @@ jobs:
 issues: write
 pull-requests: write
 steps:
- - uses: actions/stale@v9
+ - uses: actions/stale@e42e6681d2906409c5dde4a315af6214eaa890ee # v9
 with:
 days-before-close: 7
 days-before-stale: 60
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index ffb45c9a20cd..63850fc1405d 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -17,14 +17,14 @@ jobs:
 if: github.repository == 'php/php-src'
 steps:
 - name: git checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 - name: Install dependencies
 run: pip install -r docs/requirements.txt
 - name: Check formatting
 run: make -C docs check-formatting
 - name: Publish
 if: github.event_name == 'push'
- uses: sphinx-notes/pages@v3
+ uses: sphinx-notes/pages@71e8d5144caa0d4a1e292348bfafa3866d08c855 # v3
 with:
 checkout: false
 documentation_path: docs/source
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 4cf6357c491f..94343e1091f2 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -12,6 +12,6 @@ jobs:
 pull-requests: write
 runs-on: ubuntu-latest
 steps:
- - uses: actions/labeler@v6
+ - uses: actions/labeler@18f1af5e3544586314bbe15c0273249c770b2daf # v6
 with:
 repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/real-time-benchmark.yml b/.github/workflows/real-time-benchmark.yml
index dc28e8438db2..f034aefea2f3 100644
--- a/.github/workflows/real-time-benchmark.yml
+++ b/.github/workflows/real-time-benchmark.yml
@@ -108,21 +108,21 @@ jobs:
 sudo apt-get update -y
 sudo apt-get install -y terraform=1.5.7-*
 - name: Checkout benchmark suite
- uses: actions/checkout@v6
+ uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 with:
 repository: 'kocsismate/php-version-benchmarks'
 ref: 'main'
 fetch-depth: 1
 path: 'php-version-benchmarks'
 - name: Checkout php-src (benchmarked version)
- uses: actions/checkout@v6
+ uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 with:
 repository: '${{ env.REPOSITORY }}'
 ref: '${{ env.COMMIT }}'
 fetch-depth: 100
 path: 'php-version-benchmarks/tmp/php_${{ env.ID }}'
 - name: Checkout php-src (baseline version)
- uses: actions/checkout@v6
+ uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 with:
 repository: '${{ env.REPOSITORY }}'
 ref: '${{ env.BASELINE_COMMIT }}'
@@ -136,7 +136,7 @@ jobs:
 rm -rf ./php-version-benchmarks/docs/results
 - name: Checkout benchmark data
 if: github.event_name != 'workflow_dispatch'
- uses: actions/checkout@v6
+ uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 with:
 repository: php/real-time-benchmark-data
 ssh-key: ${{ secrets.PHP_VERSION_BENCHMARK_RESULTS_DEPLOY_KEY }}
@@ -285,7 +285,7 @@ jobs:
 echo "NEWEST_RESULT_DIRECTORY=$(ls -td ${{ github.workspace }}/php-version-benchmarks/docs/results/${{ env.YEAR }}/*/ | head -1)" >> $GITHUB_ENV
 - name: Upload artifacts
 id: upload
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
 with:
 name: results
 path: |
diff --git a/.github/workflows/remove-needs-feedback.yml b/.github/workflows/remove-needs-feedback.yml
index ed6898341488..63bc60c34634 100644
--- a/.github/workflows/remove-needs-feedback.yml
+++ b/.github/workflows/remove-needs-feedback.yml
@@ -16,9 +16,9 @@ jobs:
 issues: write
 pull-requests: write
 steps:
- - uses: actions-ecosystem/action-remove-labels@v1
+ - uses: actions-ecosystem/action-remove-labels@f27b608878404679385c85cfa523b85ccb86e213 # v1
 with:
 labels: "Status: Needs Feedback"
- - uses: actions-ecosystem/action-add-labels@v1
+ - uses: actions-ecosystem/action-add-labels@e79a6962e0d4c0c17b229090214935d2e33f8354 # v1
 with:
 labels: "Status: Needs Triage"
diff --git a/.github/workflows/test-suite.yml b/.github/workflows/test-suite.yml
index 7b1850aa1075..0052b3b39d1e 100644
--- a/.github/workflows/test-suite.yml
+++ b/.github/workflows/test-suite.yml
@@ -18,7 +18,7 @@ jobs:
 runs-on: [self-hosted, gentoo, ppc64]
 steps:
 - name: git checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 with:
 ref: ${{ fromJson(inputs.branch).ref }}
 - name: System info
@@ -59,7 +59,7 @@ jobs:
 image: 'alpine:3.22'
 steps:
 - name: git checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 with:
 ref: ${{ fromJson(inputs.branch).ref }}
 - name: apk
@@ -132,7 +132,7 @@ jobs:
 runs-on: ubuntu-${{ fromJson(inputs.branch).config.ubuntu_version }}
 steps:
 - name: git checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 with:
 ref: ${{ fromJson(inputs.branch).ref }}
 - name: Create MSSQL container
@@ -254,7 +254,7 @@ jobs:
 FIREBIRD_PASSWORD: test
 steps:
 - name: git checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 with:
 ref: ${{ fromJson(inputs.branch).ref }}
 - name: apt
@@ -311,7 +311,7 @@ jobs:
 runs-on: macos-${{ matrix.arch == 'X64' && '15-intel' || fromJson(inputs.branch).jobs.MACOS.config.arm64_version }}
 steps:
 - name: git checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 with:
 ref: ${{ fromJson(inputs.branch).ref }}
 - name: Update clang
@@ -388,7 +388,7 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - name: git checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 with:
 ref: ${{ fromJson(inputs.branch).ref }}
 - name: Create MSSQL container
@@ -416,7 +416,7 @@ jobs:
 - name: Generate coverage report
 if: ${{ !cancelled() }}
 run: make gcovr-xml
- - uses: codecov/codecov-action@v6
+ - uses: codecov/codecov-action@5bef64f19d7facfb25b37b414482c7164d639639 # v6
 if: ${{ !cancelled() }}
 with:
 disable_search: true
@@ -438,7 +438,7 @@ jobs:
 USE_TRACKED_ALLOC: 1
 steps:
 - name: git checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 with:
 ref: ${{ fromJson(inputs.branch).ref }}
 - name: apt
@@ -644,7 +644,7 @@ jobs:
 runs-on: ubuntu-${{ fromJson(inputs.branch).config.ubuntu_version }}
 steps:
 - name: git checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 with:
 ref: ${{ fromJson(inputs.branch).ref }}
 - name: Create MSSQL container
@@ -707,7 +707,7 @@ jobs:
 runs-on: ubuntu-${{ fromJson(inputs.branch).config.ubuntu_version }}
 steps:
 - name: git checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 with:
 ref: ${{ fromJson(inputs.branch).ref }}
 - name: apt
@@ -798,7 +798,7 @@ jobs:
 runs-on: ubuntu-${{ fromJson(inputs.branch).config.ubuntu_version }}
 steps:
 - name: git checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 with:
 ref: ${{ fromJson(inputs.branch).ref }}
 - name: apt
@@ -851,7 +851,7 @@ jobs:
 - name: git config
 run: git config --global core.autocrlf false && git config --global core.eol lf
 - name: git checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 with:
 ref: ${{ fromJson(inputs.branch).ref }}
 - name: Setup
@@ -870,7 +870,7 @@ jobs:
 timeout-minutes: 50
 steps:
 - name: git checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 with:
 ref: ${{ fromJson(inputs.branch).ref }}
 - name: FreeBSD
@@ -886,7 +886,7 @@ jobs:
 timeout-minutes: 50
 steps:
 - name: git checkout
- uses: actions/checkout@v5
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v5
 with:
 ref: ${{ fromJson(inputs.branch).ref }}
 - name: Solaris
@@ -901,7 +901,7 @@ jobs:
 timeout-minutes: 50
 steps:
 - name: git checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 with:
 ref: ${{ fromJson(inputs.branch).ref }}
 fetch-depth: 0
@@ -963,7 +963,7 @@ jobs:
 mysql -uroot -proot -e "CREATE USER 'wordpress'@'localhost' IDENTIFIED BY 'wordpress'; FLUSH PRIVILEGES;"
 mysql -uroot -proot -e "GRANT ALL PRIVILEGES ON *.* TO 'wordpress'@'localhost' WITH GRANT OPTION;"
 - name: git checkout benchmarking-data
- uses: actions/checkout@v6
+ uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 with:
 repository: php/benchmarking-data
 ssh-key: ${{ secrets.BENCHMARKING_DATA_DEPLOY_KEY }}
@@ -994,7 +994,7 @@ jobs:
 ${{ github.sha }} \
 ${{ github.event.pull_request.base.sha }} \
 > $GITHUB_STEP_SUMMARY
- - uses: actions/upload-artifact@v6
+ - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
 with:
 name: profiles
 path: ${{ github.workspace }}/benchmark/profiles
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index eafedec5eafa..58b38404e880 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -40,7 +40,7 @@ jobs:
 all_variations: ${{ steps.set-matrix.outputs.all_variations }}
 branches: ${{ steps.set-matrix.outputs.branches }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 with:
 # When running nightly, set fetch-depth to 0 to clone the full
 # repository including all branches. This is required to find the
@@ -48,7 +48,7 @@ jobs:
 fetch-depth: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && '0' || '1' }}
 - name: Grab the commit mapping
 if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
- uses: actions/cache@v5
+ uses: actions/cache@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 path: branch-commit-cache.json
 # The cache key needs to change every time for the
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index 6338a1cb945d..52a77e585378 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -35,7 +35,7 @@ jobs:
 timeout-minutes: 20
 steps:
 - name: git checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 
 - name: Install dependencies
 run: |
@@ -53,7 +53,7 @@ jobs:
 ccache
 
 - name: ccache
- uses: hendrikmuhs/ccache-action@v1.2
+ uses: hendrikmuhs/ccache-action@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.2
 with:
 key: "unit-tests-${{hashFiles('main/php_version.h')}}"
 append-timestamp: false
diff --git a/.github/workflows/verify-bundled-files.yml b/.github/workflows/verify-bundled-files.yml
index 473d6e2d8f4d..ca8940292fcf 100644
--- a/.github/workflows/verify-bundled-files.yml
+++ b/.github/workflows/verify-bundled-files.yml
@@ -23,11 +23,11 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - name: git checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v6
 
 - name: Detect changed files
 if: ${{ github.event_name == 'push' || github.event_name == 'pull_request' }}
- uses: dorny/paths-filter@v3
+ uses: dorny/paths-filter@27d5ce7f107fe9357f9df03efb73ab90386fccae # v3
 id: changes
 with:
 filters: |

From 347f6080a3376e09f3fde18bcfb88ff772793327 Mon Sep 17 00:00:00 2001
From: XananasX
Date: Thu, 4 Jun 2026 23:10:24 +0000
Subject: [PATCH 2/2] ci: update dwieeb/needs-reply version comment to v2.0.0

---
 .github/workflows/close-needs-feedback.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/close-needs-feedback.yml b/.github/workflows/close-needs-feedback.yml
index 8bbd155b1b99..e33dff730c8e 100644
--- a/.github/workflows/close-needs-feedback.yml
+++ b/.github/workflows/close-needs-feedback.yml
@@ -16,7 +16,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Close old issues that need feedback
- uses: dwieeb/needs-reply@71e8d5144caa0d4a1e292348bfafa3866d08c855 # v2
+ uses: dwieeb/needs-reply@71e8d5144caa0d4a1e292348bfafa3866d08c855 # v2.0.0
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 issue-label: "Status: Needs Feedback"
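Review bot: Changing the comment to `# v2.0.0` does not establish that `71e8d5144caa0d4a1e292348bfafa3866d08c855` is the commit behind that tag, and the first patch pins `sphinx-notes/pages` in docs.yml to this very same SHA, which cannot be right for both actions; the comment should be updated only after the SHA has been re-resolved from the `v2.0.0` tag in `dwieeb/needs-reply` and corrected if needed. This patch also leaves every other pin in the series with a major-version comment (`# v6`, `# v3`, `# v1.2`), so the workflows now mix two comment conventions; keeping one form everywhere, preferably the full tag, makes later audits of SHA-to-tag correspondence straightforward. Pin updaters such as Dependabot take that comment as the current version, so an incorrect or inconsistent comment also affects how the next update is proposed.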