From 90fc30114f9215bedda42202798fff9d5085ffea Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Fri, 19 Jun 2026 02:06:49 +0300
Subject: [PATCH 1/9] Add zizmorify configuration
---
 .github/dependabot.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..6cc00712
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,8 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 7
From ddfc07cc93277f434a00c40123e50e64cfe7aa31 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Fri, 19 Jun 2026 02:31:30 +0300
Subject: [PATCH 2/9] Add zizmorify workflow
---
 .github/workflows/zizmor.yml | 37 ++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 00000000..e9b7e067
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,37 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - '.github/**.yml'
+ - '.github/**.yaml'
+ pull_request:
+ paths:
+ - '.github/**.yml'
+ - '.github/**.yaml'
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ zizmor:
+ name: Run zizmor 🌈
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+ with:
+ advanced-security: false
+ annotations: true
+ persona: 'pedantic'
From 7e640e59ec92fb5963e178c9f9325a370227836c Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Sat, 20 Jun 2026 11:36:06 +0300
Subject: [PATCH 3/9] Use master for yiisoft actions
---
 .github/zizmor.yml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .github/zizmor.yml
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 00000000..85ca7982
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ "yiisoft/*": any
From 6e347ec8b80a2d7b57d7d74a37ec17250c5a2de8 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Sat, 20 Jun 2026 12:05:43 +0300
Subject: [PATCH 4/9] Use master for yiisoft actions
---
 .github/dependabot.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6cc00712..9322d3f0 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,3 +6,5 @@ updates:
 interval: "weekly"
 cooldown:
 default-days: 7
+ ignore:
+ - dependency-name: "yiisoft/*"
From 5a10b05ddfcc16a8f29986145686afa89350f485 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Fri, 19 Jun 2026 00:42:47 +0300
Subject: [PATCH 5/9] Harden GitHub workflows
---
 .github/workflows/docs.yml | 16 +++++++++++-----
 .github/workflows/github-pages.yml | 16 ++++++++++------
 .github/workflows/translate.yml | 16 ++++++++++++----
 3 files changed, 33 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 34e479c9..b9876cbd 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -8,14 +8,19 @@ on: permissions: contents: read - checks: write jobs: build: + permissions: + checks: write + contents: read + runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 + with: + persist-credentials: false - name: Fetch styles run: |
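Review bot: `"yiisoft/*": any` tells zizmor's `unpinned-uses` audit to accept any ref, including a branch, for yiisoft-owned actions, so a later push to that branch changes what runs here without any diff in this repository; if the intent is only to allow tag refs for the org, `ref-pin` is the narrower policy value. The same five-line file is created again, byte-identical (blob 85ca7982), in [PATCH 6/9] and then deleted in [PATCH 7/9], so the second creation cannot apply on top of this one and the three patches net to nothing; squashing or dropping them keeps the series applicable. No yiisoft/* action appears in any hunk of this series, so the relaxation has no visible consumer at present.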
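Review bot: The new pins `actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10` and `errata-ai/vale-action@85f9f7f2c5f449ac0ae5b66662961bae3f77ca6a` carry no trailing version comment, while the pins [PATCH 2/9] adds to .github/workflows/zizmor.yml do (`# v6.0.2`, `# v0.5.6`); that comment is what tells a reader which release a SHA stands for and what Dependabot rewrites alongside the SHA, so append one, e.g. `uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # vX.Y.Z` with the real tag filled in. The same applies to the remaining hunks of this file and to the github-pages.yml and translate.yml hunks of this patch. Across the series actions/checkout ends up pinned to three different commits (de0fac2e… in zizmor.yml, df4cb1c0… here and in github-pages.yml, 34e11487… in translate.yml); pinning all of them to one release makes the Dependabot updates and any later audit easier to follow. Moving `checks: write` from the workflow level into the `build` job is the right direction and matches the job-level scoping done in github-pages.yml.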
@@ -24,7 +29,7 @@ jobs: unzip Microsoft.zip -d .github/styles - name: Check - uses: errata-ai/vale-action@reviewdog + uses: errata-ai/vale-action@85f9f7f2c5f449ac0ae5b66662961bae3f77ca6a with: reporter: github-check fail_on_error: false
@@ -37,9 +42,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 with: fetch-depth: 0 + persist-credentials: false - name: Find files to check id: links
@@ -82,7 +88,7 @@ jobs: - name: Setup Node.js if: steps.links.outputs.count != '0' - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 with: node-version: 22 cache: npm
diff --git a/.github/workflows/github-pages.yml b/.github/workflows/github-pages.yml
index 8e20176a..c248de5a 100644
--- a/.github/workflows/github-pages.yml
+++ b/.github/workflows/github-pages.yml
@@ -8,8 +8,6 @@ on: permissions: contents: read - pages: write - id-token: write concurrency: group: "pages"
@@ -20,10 +18,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 + with: + persist-credentials: false - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 with: node-version: 22 cache: npm
@@ -35,12 +35,16 @@ jobs: run: npm run build - name: Upload artifact - uses: actions/upload-pages-artifact@v4 + uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b with: path: src/.vitepress/dist deploy: if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }} + permissions: + pages: write + id-token: write + environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }}
@@ -49,4 +53,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e
diff --git a/.github/workflows/translate.yml b/.github/workflows/translate.yml
index 5b130cde..e13a119a 100644
--- a/.github/workflows/translate.yml
+++ b/.github/workflows/translate.yml
@@ -1,7 +1,7 @@ name: Update translations on: - pull_request_target: + pull_request: paths: - '_translations/**' push:
@@ -10,31 +10,39 @@ on: - '_translations/**' - 'src/**' +permissions: + contents: write jobs: update-docs: name: Update docs runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: token: ${{ secrets.YIISOFT_GITHUB_TOKEN || github.token }} ref: ${{ github.head_ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} + persist-credentials: false - name: Prepare po4a configuration run: _translations/prepare-config.sh - name: Use po4a - uses: vjik/docker-run@v1 + uses: vjik/docker-run@623c9adf6ee99fc8f9fa4e3b0b6b0c25859b69ee with: image: ghcr.io/yiisoft-contrib/po4a:0.74 volumes: ${{ github.workspace }}:/src workdir: /src/_translations command: po4a po4a.conf && po4a po4a.conf + - name: Configure Git credentials + env: + GH_TOKEN: ${{ secrets.YIISOFT_GITHUB_TOKEN || github.token }} + run: git config --global credential.helper '!f() { echo username=x-access-token; echo password=$GH_TOKEN; }; f' + - name: Commit changed files - uses: stefanzweifel/git-auto-commit-action@v5 + uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 with: commit_message: Update translation file_pattern: '_translations src'
From 840434bf769c4fe59918d3028eaf925433c57529 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Sat, 20 Jun 2026 11:36:00 +0300
Subject: [PATCH 6/9] Use master for yiisoft actions
---
 .github/zizmor.yml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .github/zizmor.yml
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 00000000..85ca7982
--- /dev/null
+++ b/.github/zizmor.yml
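Review bot: `GH_TOKEN` is set only by the `env:` block of the new "Configure Git credentials" step, but the helper that step writes into global git config (`echo password=$GH_TOKEN`, kept literal by the single quotes) is evaluated when git-auto-commit-action pushes in the following step, where that variable is no longer present, so the push would authenticate with an empty password unless GH_TOKEN is exported somewhere not visible here. Adding `env:` with `GH_TOKEN: ${{ secrets.YIISOFT_GITHUB_TOKEN || github.token }}` to the `- name: Commit changed files` step, or moving the variable to job level, fixes that. The top-level `permissions: contents: write` also applies to every job in the file, whereas docs.yml and github-pages.yml in this same patch scope write permissions to the job that needs them; moving it under `update-docs:` would be consistent. With `pull_request` in place of `pull_request_target`, a fork PR receives neither `YIISOFT_GITHUB_TOKEN` nor a writable `github.token`, so the commit step will fail there; gating the job with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` avoids a guaranteed red run on forks. The steps list ends at `file_pattern:` inside the hunk; whether further steps follow is not visible.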
@@ -0,0 +1,5 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ "yiisoft/*": any
From 445e4f6972064476f1890d87f343dc514925bfc1 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Sun, 21 Jun 2026 15:00:30 +0300
Subject: [PATCH 7/9] Remove redundant zizmor config
---
 .github/zizmor.yml | 5 -----
 1 file changed, 5 deletions(-)
 delete mode 100644 .github/zizmor.yml
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
deleted file mode 100644
index 85ca7982..00000000
--- a/.github/zizmor.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-rules:
- unpinned-uses:
- config:
- policies:
- "yiisoft/*": any
From 8283bb802c587f65785397bd827674391207d6b0 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Wed, 24 Jun 2026 23:23:27 +0300
Subject: [PATCH 8/9] Fix Dependabot GitHub Actions updates
---
 .github/dependabot.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 9322d3f0..9fb62265 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,5 +1,6 @@
 version: 2
 updates:
+ # Maintain dependencies for GitHub Actions.
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
From 6f5b5d8f99327f49128b6f446bff7815e0d62cc3 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Thu, 25 Jun 2026 00:46:25 +0300
Subject: [PATCH 9/9] Fix zizmor workflow findings
---
 .github/workflows/zizmor.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 94658469..430255de 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -14,8 +14,8 @@ on: - '.github/**.yaml' permissions: - actions: read - contents: read + actions: read # Required by zizmor when reading workflow metadata through the API. + contents: read # Required to read workflow files. jobs: zizmor:
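Review bot: The hunk's base blob `94658469` is not the blob [PATCH 2/9] creates (`e9b7e067`), and the `actions: read` line it rewrites does not exist in that version of the file, so the series as posted does not apply linearly; the commit that introduced `actions: read` is missing between patches 2 and 9, presumably lost on a rebase. Whether zizmor-action needs `actions: read` at all with `advanced-security: false` is worth confirming against its README before documenting it as required — as far as I recall that permission is tied to the SARIF upload path, in which case dropping the line is the tighter fix for a pedantic-persona finding than commenting it. The hunk ends on the `zizmor:` key; the job body lies outside it.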