diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
index 58f9d3d..7048b22 100644
--- a/.github/workflows/code-quality.yml
+++ b/.github/workflows/code-quality.yml
@@ -8,6 +8,9 @@ on:
- main
- master
+permissions:
+ contents: read
+
jobs:
code-quality:
uses: wp-cli/.github/.github/workflows/reusable-code-quality.yml@main
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
index 5158ca6..44bdaa0 100644
--- a/.github/workflows/copilot-setup-steps.yml
+++ b/.github/workflows/copilot-setup-steps.yml
@@ -17,17 +17,17 @@ jobs:
steps:
- name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
- name: Check existence of composer.json file
id: check_composer_file
- uses: andstor/file-existence-action@v3
+ uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
with:
files: "composer.json"
- name: Set up PHP environment
if: steps.check_composer_file.outputs.files_exists == 'true'
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2
with:
php-version: 'latest'
ini-values: zend.assertions=1, error_reporting=-1, display_errors=On
@@ -38,7 +38,7 @@ jobs:
- name: Install Composer dependencies & cache dependencies
if: steps.check_composer_file.outputs.files_exists == 'true'
- uses: ramsey/composer-install@v3
+ uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # v3
env:
COMPOSER_ROOT_VERSION: dev-${{ github.event.repository.default_branch }}
with:
diff --git a/.github/workflows/issue-triage.yml b/.github/workflows/issue-triage.yml
index 14dffc5..6833470 100644
--- a/.github/workflows/issue-triage.yml
+++ b/.github/workflows/issue-triage.yml
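Review bot: The new `contents: read` grant is applied to a caller whose only job still resolves `wp-cli/.github/.github/workflows/reusable-code-quality.yml@main`, a mutable branch ref, so the SHA pinning this commit applies to third-party actions does not cover the workflow that actually runs the steps. For a same-org reusable workflow that is often an accepted trade-off, but it means any write to `main` of the `.github` repo changes the CI of every consumer without a reviewable bump in this file. If that is deliberate, record it above the `uses:` line, e.g. `# same-org reusable workflow: intentionally tracked on main so fixes propagate without a version bump`; otherwise reference a tag or SHA as the other `uses:` lines in this commit now do.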
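Review bot: The trailing comments on the pinned `uses:` lines record only the major tag (`# v6`, `# v3`, `# v2`), so a reader cannot tell which release a SHA was taken from without resolving it, and a tool that checks that the comment matches the pinned commit has nothing precise to verify. Elsewhere in this commit the exact tag is used (`# v1.42.1` for crate-ci/typos, `# v5.5.2` for codecov-action); be consistent and write the full release tag the SHA resolves to, i.e. `uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.x.y` with `v6.x.y` replaced by the tag upstream lists for that commit. The same applies to every pinned line in this commit; raised once here.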
@@ -13,6 +13,13 @@ name: Issue and PR Triage
required: false
type: string
+permissions:
+ issues: write
+ pull-requests: write
+ actions: write
+ contents: read
+ models: read
+
jobs:
issue-triage:
uses: wp-cli/.github/.github/workflows/reusable-issue-triage.yml@main
diff --git a/.github/workflows/regenerate-readme.yml b/.github/workflows/regenerate-readme.yml
index c633d9d..6198d63 100644
--- a/.github/workflows/regenerate-readme.yml
+++ b/.github/workflows/regenerate-readme.yml
@@ -10,6 +10,10 @@ on:
- "features/**"
- "README.md"
+permissions:
+ contents: write
+ pull-requests: write
+
jobs:
regenerate-readme:
uses: wp-cli/.github/.github/workflows/reusable-regenerate-readme.yml@main
diff --git a/.github/workflows/reusable-check-branch-alias.yml b/.github/workflows/reusable-check-branch-alias.yml
index 9fbdadc..da5e1c0 100644
--- a/.github/workflows/reusable-check-branch-alias.yml
+++ b/.github/workflows/reusable-check-branch-alias.yml
@@ -27,20 +27,20 @@ jobs:
steps:
- name: Check out source code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
with:
fetch-depth: 0 # Fetch all history for all tags
token: ${{ secrets.GITHUB_TOKEN }}
- name: Set up PHP
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2
with:
php-version: 'latest'
tools: composer
- name: Check existence of composer.json file
id: check_composer_file
- uses: andstor/file-existence-action@v3
+ uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
with:
files: "composer.json"
@@ -126,7 +126,7 @@ jobs:
- name: Create Pull Request
if: steps.check_alias.outputs.needs_update == 'true'
- uses: peter-evans/create-pull-request@v8
+ uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8
with:
token: ${{ secrets.GITHUB_TOKEN }}
base: ${{ github.event.repository.default_branch }}
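Review bot: `actions: write` is the widest grant in the new block; it lets the automatic token dispatch, re-run and cancel any workflow in the repository, not just the triage one, and because it sits at the top level of the caller it flows into every job of the called reusable workflow, including the ones that only list labels and call the model. The `Find and dispatch triage for unlabeled items` step later in this diff looks like the only consumer (presumably it needs it to `workflow_dispatch` the triage job); if so, say so next to the grant, `actions: write # only for dispatching the triage job on unlabeled items`. The caller is the ceiling, so the grant has to stay here, but the reusable workflow's other jobs should each declare a narrower `permissions:` so only the dispatch job keeps it.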
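Review bot: The `peter-evans/create-pull-request` step pushes a branch and opens a PR with `secrets.GITHUB_TOKEN`, which needs `contents: write` and `pull-requests: write`, yet no `permissions:` block appears in the hunks for this file while the other reusable workflows in this commit receive one; if nothing elsewhere in the file declares it, the step relies entirely on the caller's defaults and will start failing as soon as a caller adopts a read-only top-level block the way `code-quality.yml` does in this commit. Declare the requirement on the job, `permissions:` with `contents: write` and `pull-requests: write`, so the need is visible and a caller that under-grants fails at the obvious place. The job's definition begins before this hunk.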
diff --git a/.github/workflows/reusable-code-quality.yml b/.github/workflows/reusable-code-quality.yml
index 1aa144c..e8d75c4 100644
--- a/.github/workflows/reusable-code-quality.yml
+++ b/.github/workflows/reusable-code-quality.yml
@@ -9,6 +9,9 @@ on:
required: false
default: ''
+permissions:
+ contents: read
+
# Cancels all previous workflow runs for the same branch that have not yet completed.
concurrency:
# The concurrency group contains the workflow name and the branch name.
@@ -17,12 +20,12 @@ concurrency:
jobs:
- actionlint: #-----------------------------------------------------------------
+ actionlint:
name: Lint GitHub Actions workflows
runs-on: ubuntu-latest
steps:
- name: Check out source code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
- name: Add problem matcher
run: |
@@ -34,22 +37,22 @@ jobs:
with:
args: -color -shellcheck=
- lint: #-----------------------------------------------------------------
+ lint:
name: Lint PHP files
runs-on: ubuntu-latest
steps:
- name: Check out source code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
- name: Check existence of composer.json file
id: check_composer_file
- uses: andstor/file-existence-action@v3
+ uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
with:
files: "composer.json"
- name: Set up PHP environment
if: steps.check_composer_file.outputs.files_exists == 'true'
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2
with:
php-version: 'latest'
ini-values: zend.assertions=1, error_reporting=-1, display_errors=On
@@ -59,7 +62,7 @@ jobs:
- name: Install Composer dependencies & cache dependencies
if: steps.check_composer_file.outputs.files_exists == 'true'
- uses: "ramsey/composer-install@v3"
+ uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3
env:
COMPOSER_ROOT_VERSION: dev-${{ github.event.repository.default_branch }}
with:
@@ -68,7 +71,7 @@ jobs:
- name: Check existence of vendor/bin/parallel-lint file
id: check_linter_file
- uses: andstor/file-existence-action@v3
+ uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
with:
files: "vendor/bin/parallel-lint"
@@ -95,15 +98,15 @@ jobs:
env:
ADDITIONAL_EXCLUDES: ${{ inputs.parallel-lint-excludes }}
- lint-gherkin: #----------------------------------------------------------------
+ lint-gherkin:
name: Lint Gherkin Feature files
runs-on: ubuntu-latest
steps:
- name: Check out source code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
- name: Setup node
- uses: actions/setup-node@v6
+ uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
- name: Download lint rules
run: curl https://raw.githubusercontent.com/wp-cli/.github/refs/heads/main/.gherkin-lintrc -o $RUNNER_TEMP/.gherkin-lintrc
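Review bot: Pinning `actions/setup-node` to a SHA does not pin what this job actually consumes: the `Download lint rules` step fetches `.gherkin-lintrc` from `refs/heads/main` with a bare `curl` that has no `--fail`, so a 404 or an error page is written into the lint config and surfaces later as a confusing linter error, and the rules themselves float with the branch. Use `run: curl -sSfL "https://raw.githubusercontent.com/wp-cli/.github/<commit-sha>/.gherkin-lintrc" -o "$RUNNER_TEMP/.gherkin-lintrc"` with the SHA of the `.github` revision the rules were reviewed at, or at least `-sSf` if tracking `main` is intentional. This is an unchanged line inside the hunk; the `Run linter` step that consumes the file is in the next hunk.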
@@ -111,40 +114,40 @@ jobs:
- name: Run linter
run: npx --yes gherkin-lint -c $RUNNER_TEMP/.gherkin-lintrc
- lint-spellcheck: #----------------------------------------------------------------
+ lint-spellcheck:
name: Spell check
runs-on: ubuntu-latest
steps:
- name: Check out source code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
- name: Check existence of config file
id: check_files
- uses: andstor/file-existence-action@v3
+ uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
with:
files: ".typos.toml"
- name: Check spelling
if: steps.check_files.outputs.files_exists == 'true'
- uses: crate-ci/typos@v1.42.1
+ uses: crate-ci/typos@65120634e79d8374d1aa2f27e54baa0c364fff5a # v1.42.1
- phpcs: #----------------------------------------------------------------------
+ phpcs:
name: PHPCS
runs-on: ubuntu-latest
steps:
- name: Check out source code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
- name: Check existence of composer.json & phpcs.xml.dist files
id: check_files
- uses: andstor/file-existence-action@v3
+ uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
with:
files: "composer.json, phpcs.xml.dist"
- name: Set up PHP environment
if: steps.check_files.outputs.files_exists == 'true'
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2
with:
php-version: 'latest'
tools: cs2pr
@@ -153,7 +156,7 @@ jobs:
- name: Install Composer dependencies & cache dependencies
if: steps.check_files.outputs.files_exists == 'true'
- uses: "ramsey/composer-install@v3"
+ uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3
env:
COMPOSER_ROOT_VERSION: dev-${{ github.event.repository.default_branch }}
with:
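Review bot: The `Run linter` step executes `npx --yes gherkin-lint` with no version, so the job installs whatever the npm registry serves at run time, which is the same unpinned-dependency exposure this commit closes for `uses:` lines, one level down. Pin it, `run: npx --yes gherkin-lint@<version> -c "$RUNNER_TEMP/.gherkin-lintrc"`, and bump it the same way the action SHAs are bumped; quoting `$RUNNER_TEMP` also protects against a runner temp path containing spaces. This is an unchanged line inside the hunk, noted because the pinning policy the commit introduces is only partial without it.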
@@ -162,7 +165,7 @@ jobs:
- name: Check existence of vendor/bin/phpcs file
id: check_phpcs_binary_file
- uses: andstor/file-existence-action@v3
+ uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
with:
files: "vendor/bin/phpcs"
@@ -177,23 +180,23 @@ jobs:
cs2pr /tmp/phpcs-checkstyle-report.xml
fi
- phpstan: #----------------------------------------------------------------------
+ phpstan:
name: PHPStan
runs-on: ubuntu-latest
steps:
- name: Check out source code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
- name: Check existence of composer.json & phpcs.xml.dist files
id: check_files
- uses: andstor/file-existence-action@v3
+ uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
with:
files: "composer.json"
- name: Set up PHP environment
if: steps.check_files.outputs.files_exists == 'true'
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2
with:
php-version: 'latest'
tools: cs2pr
@@ -202,7 +205,7 @@ jobs:
- name: Install Composer dependencies & cache dependencies
if: steps.check_files.outputs.files_exists == 'true'
- uses: "ramsey/composer-install@v3"
+ uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3
env:
COMPOSER_ROOT_VERSION: dev-${{ github.event.repository.default_branch }}
with:
@@ -211,7 +214,7 @@ jobs:
- name: Check existence of vendor/bin/phpstan file
id: check_phpstan_binary_file
- uses: andstor/file-existence-action@v3
+ uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
with:
files: "vendor/bin/phpstan"
diff --git a/.github/workflows/reusable-issue-triage.yml b/.github/workflows/reusable-issue-triage.yml
index 1a78f33..0c5f07f 100644
--- a/.github/workflows/reusable-issue-triage.yml
+++ b/.github/workflows/reusable-issue-triage.yml
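Review bot: In the phpstan job the step is titled `Check existence of composer.json & phpcs.xml.dist files` but its `files:` input lists only `"composer.json"`, so the name (apparently copied from the phpcs job above) misdescribes what gates the rest of the job. Rename it `- name: Check existence of composer.json file` to match the lint job, or add the PHPStan config to `files:` if checking for it was the intent. This is context around the pinned action rather than something the commit changed.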
@@ -24,7 +24,7 @@ jobs:
steps:
- name: Get available labels
id: get-labels
- uses: actions/github-script@v8
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
with:
script: |
const labels = await github.rest.issues.listLabelsForRepo({
@@ -53,7 +53,7 @@ jobs:
- name: Analyze with AI
id: ai-triage
- uses: actions/ai-inference@v2
+ uses: actions/ai-inference@a6101c89c6feaecc585efdd8d461f18bb7896f20 # v2
with:
prompt: |
## Role
@@ -105,7 +105,7 @@ jobs:
- name: Apply labels
if: steps.ai-triage.outputs.response != ''
- uses: actions/github-script@v8
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
env:
AI_RESPONSE: ${{ steps.ai-triage.outputs.response }}
AVAILABLE_LABELS: ${{ env.AVAILABLE_LABELS }}
@@ -174,7 +174,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Find and dispatch triage for unlabeled items
- uses: actions/github-script@v8
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
with:
script: |
// Get all open issues (includes PRs)
@@ -244,7 +244,7 @@ jobs:
steps:
- name: Get available labels
id: get-labels
- uses: actions/github-script@v8
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
with:
script: |
const labels = await github.rest.issues.listLabelsForRepo({
@@ -257,7 +257,7 @@ jobs:
- name: Get item details
id: get-item
- uses: actions/github-script@v8
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
with:
script: |
const itemNumber = parseInt('${{ inputs.issue_number }}');
@@ -295,7 +295,7 @@ jobs:
- name: Analyze with AI
id: ai-triage
- uses: actions/ai-inference@v2
+ uses: actions/ai-inference@a6101c89c6feaecc585efdd8d461f18bb7896f20 # v2
with:
prompt: |
## Role
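Review bot: The `Get item details` step splices a workflow input straight into JavaScript source, `parseInt('${{ inputs.issue_number }}')`, while the `Apply labels` step in this same file passes the identical value through `env: ITEM_NUMBER: ${{ inputs.issue_number }}`; the inline form is the expression-injection pattern actionlint warns about, and although `inputs.issue_number` comes from a dispatch input rather than from issue content, the file's own env-var convention is both safer and consistent. Add `env: ITEM_NUMBER: ${{ inputs.issue_number }}` to the step and use `const itemNumber = parseInt(process.env.ITEM_NUMBER, 10);`, failing early when `Number.isNaN(itemNumber)`. This is an unchanged line beside the pinned action; the rest of the script continues outside the hunk.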
@@ -347,7 +347,7 @@ jobs:
- name: Apply labels
if: steps.ai-triage.outputs.response != ''
- uses: actions/github-script@v8
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
env:
AI_RESPONSE: ${{ steps.ai-triage.outputs.response }}
ITEM_NUMBER: ${{ inputs.issue_number }}
diff --git a/.github/workflows/reusable-manage-labels.yml b/.github/workflows/reusable-manage-labels.yml
index 679a38e..6e80c27 100644
--- a/.github/workflows/reusable-manage-labels.yml
+++ b/.github/workflows/reusable-manage-labels.yml
@@ -15,10 +15,10 @@ jobs:
if: ${{ github.repository_owner == 'wp-cli' }}
steps:
- name: Check out source code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
- name: Set up PHP environment
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2
with:
php-version: 'latest'
env:
@@ -26,7 +26,7 @@ jobs:
- name: Check existence of composer.json file
id: check_composer_file
- uses: andstor/file-existence-action@v3
+ uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
with:
files: "composer.json"
@@ -40,7 +40,7 @@ jobs:
echo "Commands found: ${COMMANDS}"
- name: Create/Update labels
- uses: actions/github-script@v8
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
env:
COMMANDS_JSON: ${{ steps.get-commands.outputs.commands }}
with:
diff --git a/.github/workflows/reusable-regenerate-readme.yml b/.github/workflows/reusable-regenerate-readme.yml
index 638f4b3..bb4b18c 100644
--- a/.github/workflows/reusable-regenerate-readme.yml
+++ b/.github/workflows/reusable-regenerate-readme.yml
@@ -3,6 +3,10 @@ name: Regenerate README file
on:
workflow_call:
+permissions:
+ contents: write
+ pull-requests: write
+
# Cancels all previous workflow runs for the same branch that have not yet completed.
concurrency:
# The concurrency group contains the workflow name and the branch name.
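Review bot: `contents: write` and `pull-requests: write` are declared at the workflow level of this reusable workflow, where they apply to every job, but only the `Commit changes` and `Create pull request` steps of the single `regenerate-readme` job need them, and that job is already gated by an `if:` on `repository_owner`. Moving the block to `jobs.regenerate-readme.permissions` keeps the grant next to the steps that justify it and stops a job added later (a dry-run or lint job, say) from inheriting write access by default. The caller still has to grant these at its top level, as `regenerate-readme.yml` does in this commit, since a called workflow can only narrow what it is given.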
@@ -12,16 +16,16 @@ concurrency:
jobs:
- regenerate-readme: #----------------------------------------------------------
+ regenerate-readme:
name: Regenerate README.md file
runs-on: ubuntu-latest
if: ${{ github.repository_owner == 'wp-cli' && ! contains(fromJson('[".github", "wp-cli", "wp-cli-bundle", "wp-super-cache-cli", "php-cli-tools", "wp-config-transformer", "wp-cli.github.com"]'), github.event.repository.name) }}
steps:
- name: Check out source code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
- name: Set up PHP environment
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2
with:
php-version: 'latest'
env:
@@ -29,13 +33,13 @@ jobs:
- name: Check existence of composer.json file
id: check_composer_file
- uses: andstor/file-existence-action@v3
+ uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
with:
files: "composer.json"
- name: Install Composer dependencies & cache dependencies
if: steps.check_composer_file.outputs.files_exists == 'true'
- uses: "ramsey/composer-install@v3"
+ uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3
env:
COMPOSER_ROOT_VERSION: dev-${{ github.event.repository.default_branch }}
with:
@@ -48,15 +52,18 @@ jobs:
git config --global user.name "Alain Schlesser"
- name: Check if remote branch exists
- run: echo "REMOTE_BRANCH_EXISTS=$([[ -z $(git ls-remote --heads origin regenerate-readme) ]] && echo "0" || echo "1")" >> $GITHUB_ENV
+ id: check_remote_branch
+ run: >
+ echo "exists=$(git ls-remote --exit-code --heads origin regenerate-readme &>/dev/null
+ && echo "true" || echo "false")" >>"${GITHUB_OUTPUT}"
- name: Create branch to base pull request on
- if: env.REMOTE_BRANCH_EXISTS == 0
+ if: ${{ steps.check_remote_branch.outputs.exists == 'false' }}
run: |
git checkout -b regenerate-readme
- name: Fetch existing branch to add commits to
- if: env.REMOTE_BRANCH_EXISTS == 1
+ if: ${{ steps.check_remote_branch.outputs.exists == 'true' }}
run: |
git fetch --all --prune
git checkout regenerate-readme
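Review bot: `git ls-remote --exit-code` exits 2 when the branch is absent but is also non-zero on a network or authentication failure, and the new `Check if remote branch exists` step maps every non-zero status to `exists=false`, so a transient fetch error makes the job run `git checkout -b regenerate-readme` and later push onto a branch that does exist remotely, failing late with a non-fast-forward instead of at the check. Distinguish the two outcomes by exit status and abort on anything else, which is easier in a literal `|` block than in the folded `>` one-liner; the `&>/dev/null` redirect also discards the stderr text that would explain such a failure, so only silence stdout. The rewritten step follows; the surrounding job continues outside the hunk.

```yaml
      - name: Check if remote branch exists
        id: check_remote_branch
        run: |
          rc=0
          git ls-remote --exit-code --heads origin regenerate-readme >/dev/null || rc=$?
          case "$rc" in
            0) echo "exists=true" >>"${GITHUB_OUTPUT}" ;;
            2) echo "exists=false" >>"${GITHUB_OUTPUT}" ;;
            *) echo "::error::git ls-remote failed with status $rc"; exit "$rc" ;;
          esac
```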
@@ -74,25 +81,29 @@ jobs:
wp scaffold package-readme --branch=${{ github.event.repository.default_branch }} --force .
- name: Check if there are changes
- run: echo "CHANGES_DETECTED=$([[ -z $(git status --porcelain) ]] && echo "0" || echo "1")" >> $GITHUB_ENV
+ id: check_changes
+ run: >
+ echo "detected=$(test -n "$(git status --porcelain 2>/dev/null)"
+ && echo "true" || echo "false")" >>"${GITHUB_OUTPUT}"
- name: Commit changes
- if: env.CHANGES_DETECTED == 1
+ if: ${{ steps.check_changes.outputs.detected == 'true' }}
run: |
git add README.md
git commit -m "Regenerate README file - $(date +'%Y-%m-%d')"
git push origin regenerate-readme
- name: Create pull request
- if: |
- env.CHANGES_DETECTED == 1 &&
- env.REMOTE_BRANCH_EXISTS == 0
- uses: repo-sync/pull-request@v2
+ if: ${{ steps.check_changes.outputs.detected == 'true' && steps.check_remote_branch.outputs.exists == 'false' }}
+ uses: repo-sync/pull-request@7e79a9f5dc3ad0ce53138f01df2fad14a04831c5 # v2
with:
source_branch: regenerate-readme
destination_branch: ${{ github.event.repository.default_branch }}
github_token: ${{ secrets.GITHUB_TOKEN }}
pr_title: Regenerate README file
- pr_body: "**This is an automated pull-request**\n\nRefreshes the `README.md` file with the latest changes to the docblocks in the source code."
+ pr_body: |
+ **This is an automated pull-request**
+
+ Refreshes the `README.md` file with the latest changes to the docblocks in the source code.
pr_reviewer: schlessera
pr_label: scope:documentation
diff --git a/.github/workflows/reusable-testing.yml b/.github/workflows/reusable-testing.yml
index 74e564c..2084e75 100644
--- a/.github/workflows/reusable-testing.yml
+++ b/.github/workflows/reusable-testing.yml
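Review bot: The new `Check if there are changes` step discards `git status` stderr with `2>/dev/null`, and because a failed command substitution inside `test -n "..."` simply yields an empty string, any git failure is reported as `detected=false`, turning a broken working tree into a silent "nothing to do" run rather than a failed job. Capture the status on its own line so the shell's `-e` flag catches the failure: `run: |` followed by `changes=$(git status --porcelain)` and `echo "detected=$([ -n "$changes" ] && echo true || echo false)" >>"${GITHUB_OUTPUT}"`. The `Commit changes` and `Create pull request` conditions that consume this output would then only ever see a value produced by a successful check.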
@@ -24,6 +24,9 @@ on:
required: false
default: '{ "include": [], "exclude": [] }'
+permissions:
+ contents: read
+
# Cancels all previous workflow runs for the same branch that have not yet completed.
concurrency:
# The concurrency group contains the workflow name and the branch name.
@@ -233,11 +236,11 @@ jobs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- name: Check out source code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
- name: Check existence of composer.json & phpunit.xml.dist files
id: check_files
- uses: andstor/file-existence-action@v3
+ uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
with:
files: "composer.json, phpunit.xml.dist"
@@ -277,7 +280,7 @@ jobs:
BASE_MATRIX: ${{ needs.get-matrix.outputs.matrix }}
FILE_EXISTS: ${{ steps.check_files.outputs.files_exists == 'true' }}
- unit: #-----------------------------------------------------------------------
+ unit:
needs: prepare-unit
if: ${{ needs.prepare-unit.outputs.matrix != '' }}
name: Unit test / PHP ${{ matrix.php }}${{ matrix.coverage && ' (with coverage)' || '' }} ${{ startsWith( matrix.os, 'windows' ) && '(Windows)' || '' }} ${{ startsWith( matrix.os, 'macos' ) && '(macOS)' || '' }}
@@ -290,10 +293,10 @@ jobs:
steps:
- name: Check out source code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
- name: Set up PHP environment
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2
with:
php-version: '${{ matrix.php }}'
ini-values: zend.assertions=1, error_reporting=-1, display_errors=On
@@ -303,7 +306,7 @@ jobs:
COMPOSER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Install Composer dependencies & cache dependencies
- uses: "ramsey/composer-install@v3"
+ uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3
env:
COMPOSER_ROOT_VERSION: dev-${{ github.event.repository.default_branch }}
with:
@@ -335,13 +338,13 @@ jobs:
- name: Upload code coverage report
if: ${{ matrix.coverage }}
- uses: codecov/codecov-action@v5.5.2
+ uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
with:
directory: build/logs
flags: unit
token: ${{ secrets.CODECOV_TOKEN }}
- prepare-functional: #---------------------------------------------------------
+ prepare-functional:
name: Prepare matrix for functional tests
needs: get-matrix
runs-on: ubuntu-22.04
@@ -349,11 +352,11 @@ jobs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- name: Check out source code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
- name: Check existence of composer.json & behat.yml files
id: check_files
- uses: andstor/file-existence-action@v3
+ uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
with:
files: "composer.json, behat.yml"
@@ -397,7 +400,7 @@ jobs:
BASE_MATRIX: ${{ needs.get-matrix.outputs.matrix }}
FILE_EXISTS: ${{ steps.check_files.outputs.files_exists == 'true' }}
- functional: #-----------------------------------------------------------------
+ functional:
needs: prepare-functional
if: ${{ needs.prepare-functional.outputs.matrix != '' }}
name: Functional - WP ${{ matrix.wp }} on PHP ${{ matrix.php }} with ${{ matrix.dbtype != 'sqlite' && matrix.mysql || 'SQLite' }}${{ matrix.coverage && ' (with coverage)' || '' }} ${{ startsWith( matrix.os, 'windows' ) && '(Windows)' || '' }} ${{ startsWith( matrix.os, 'macos' ) && '(macOS)' || '' }}
@@ -420,7 +423,7 @@ jobs:
steps:
- name: Check out source code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
- name: Install Ghostscript
if: ${{ matrix.os == 'ubuntu-22.04' || matrix.os == '' }}
@@ -429,7 +432,7 @@ jobs:
sudo apt-get install ghostscript -y
- name: Set up PHP environment
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2
with:
php-version: '${{ matrix.php }}'
ini-values: zend.assertions=1, error_reporting=-1, display_errors=On
@@ -445,7 +448,7 @@ jobs:
sudo sed -i 's/^.*policy.*coder.*none.*PDF.*//' /etc/ImageMagick-6/policy.xml
- name: Install Composer dependencies & cache dependencies
- uses: "ramsey/composer-install@v3"
+ uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3
env:
COMPOSER_ROOT_VERSION: dev-${{ github.event.repository.default_branch }}
with:
@@ -455,7 +458,7 @@ jobs:
- name: Setup MySQL Server
id: setup-mysql
if: ${{ matrix.dbtype != 'sqlite' }}
- uses: shogo82148/actions-setup-mysql@v1
+ uses: shogo82148/actions-setup-mysql@27e74fac04c136a9f4c2dc2ed457df57331b3e0c # v1
with:
mysql-version: ${{ matrix.mysql }}
auto-start: true
@@ -496,7 +499,7 @@ jobs:
- name: Upload code coverage report
if: ${{ matrix.coverage }}
- uses: codecov/codecov-action@v5.5.2
+ uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
with:
# Because somehow providing `directory: build/logs` doesn't work for these files
files: ${{ steps.coverage_files.outputs.files }}
diff --git a/.github/workflows/reusable-welcome-new-contributors.yml b/.github/workflows/reusable-welcome-new-contributors.yml
index b88547a..065f479 100644
--- a/.github/workflows/reusable-welcome-new-contributors.yml
+++ b/.github/workflows/reusable-welcome-new-contributors.yml
@@ -11,14 +11,14 @@ jobs:
steps:
- name: detect bot author
id: bot-author-check
- uses: actions/github-script@v8
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
with:
result-encoding: string
script: return String(context.payload.sender.type === 'Bot' || context.payload.sender.login?.endsWith('[bot]'));
- name: First Interaction
if: steps.bot-author-check.outputs.result != 'true'
- uses: actions/first-interaction@v3
+ uses: actions/first-interaction@1c4688942c71f71d4f5502a26ea67c331730fa4d # v3
with:
repo_token: ${{ secrets.GITHUB_TOKEN }} # Not currently used but must be supplied.
diff --git a/.github/workflows/sync-workflows.yml b/.github/workflows/sync-workflows.yml
index 64cfbc8..12a3933 100644
--- a/.github/workflows/sync-workflows.yml
+++ b/.github/workflows/sync-workflows.yml
@@ -9,15 +9,18 @@ on:
schedule:
- cron: '*/10 * * * *' # Run every 10 minutes.
+permissions:
+ contents: write
+
jobs:
- sync-workflows: #-------------------------------------------------------------
+ sync-workflows:
name: Sync GitHub Actions workflows
runs-on: ubuntu-latest
if: ${{ github.repository_owner == 'wp-cli' }}
steps:
- name: Sync files
- uses: adrianjost/files-sync-action@v2.1.0
+ uses: adrianjost/files-sync-action@55d577a25b7106ebc3001353d981ecf8b0150df4 # v2.1.0
with:
FILE_PATTERNS: |
^.actrc
@@ -75,13 +78,13 @@ jobs:
wp-cli/wp-super-cache-cli
GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT }}
- sync-dependabot: #------------------------------------------------------------
+ sync-dependabot:
name: Sync Dependabot configuration
runs-on: ubuntu-latest
if: ${{ github.repository_owner == 'wp-cli' }}
steps:
- name: Sync files
- uses: adrianjost/files-sync-action@v2.1.0
+ uses: adrianjost/files-sync-action@55d577a25b7106ebc3001353d981ecf8b0150df4 # v2.1.0
with:
FILE_PATTERNS: |
^.github/dependabot.yml
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index bf67592..35d7562 100644
--- a/.github/workflows/testing.yml
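Review bot: The new `contents: write` in `sync-workflows.yml` is granted to the automatic `GITHUB_TOKEN`, but nothing visible in the file uses that token: the `sync-workflows` job authenticates `files-sync-action` with `GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT }}`, a separate PAT, and there is no checkout or push against the `.github` repository itself in the hunks (the `sync-dependabot` job's inputs run past the second hunk, so confirm it is wired the same way). A write grant nobody consumes only widens what a compromised step in this every-10-minutes workflow could do to this repository; reduce it to `permissions: contents: read` (or `permissions: {}`) and document the credential that actually matters, e.g. `GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT }} # PAT with write access to the target repos; the workflow token is not used`. The PAT's own scope is outside this diff and is what bounds the blast radius of the sync.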
+++ b/.github/workflows/testing.yml
@@ -10,6 +10,9 @@ on:
schedule:
- cron: '17 1 * * *' # Run every day on a seemly random time.
+permissions:
+ contents: read
+
jobs:
test:
uses: wp-cli/.github/.github/workflows/reusable-testing.yml@main
diff --git a/.github/workflows/welcome-new-contributors.yml b/.github/workflows/welcome-new-contributors.yml
index c38e033..bc01490 100644
--- a/.github/workflows/welcome-new-contributors.yml
+++ b/.github/workflows/welcome-new-contributors.yml
@@ -7,6 +7,9 @@ on:
- main
- master
+permissions:
+ pull-requests: write
+
jobs:
welcome:
uses: wp-cli/.github/.github/workflows/reusable-welcome-new-contributors.yml@main
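Review bot: `pull-requests: write` is granted to a job whose trigger filters on branches `main`/`master`, but the event name sits above the hunk, and the grant's effect depends on it: under `pull_request` a PR from a fork, which is exactly the first-time contributor this workflow greets, receives a read-only `GITHUB_TOKEN` regardless of this block and the `first-interaction` comment fails, whereas under `pull_request_target` the write token runs against untrusted PR metadata and the block should stay exactly this narrow. Either way the reasoning deserves a line, e.g. `pull-requests: write # first-interaction posts the welcome comment with the workflow token`. The reusable workflow's `repo_token` line says the token is "Not currently used but must be supplied", which suggests the action reads it from its environment instead; confirm that is the token this grant is for.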