Security harden workflows

paulbalandan · paulbalandan · commit d4eeaa6d52e1 · 2026-04-10T15:52:18.000+08:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -11,8 +11,4 @@ updates:
     directory: /
     schedule:
       interval: daily
-    ignore:
-      - dependency-name: '*'
-        update-types:
-          - version-update:semver-minor
-          - version-update:semver-patch
+    open-pull-requests-limit: 10
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -8,15 +8,16 @@ on:
 jobs:
   build:
     name: Create a release
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Create release
-        uses: crazy-max/ghaction-github-release@v2
-        with:
-          token: ${{ secrets.RELEASE_TOKEN }}
-          draft: true
-          prerelease: false
+        run: gh release create ${{ github.ref_name }} \
+          --title ${{ github.ref_name }} \
+          --draft \
+          --generate-notes
diff --git a/.github/workflows/test-coding-standards.yml b/.github/workflows/test-coding-standards.yml
@@ -26,16 +26,16 @@ jobs:
     strategy:
       matrix:
         php-version:
-          - '8.1'
-          - '8.2'
-          - '8.3'
+          - '8.5'
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+            persist-credentials: false
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
         with:
           php-version: ${{ matrix.php-version }}
           extensions: tokenizer
@@ -46,7 +46,7 @@ jobs:
         run: echo "COMPOSER_CACHE_FILES_DIR=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
       - name: Cache composer dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: ${{ steps.composer-cache.outputs.COMPOSER_CACHE_FILES_DIR }}
           key: composer-${{ matrix.php-version }}-${{ hashFiles('**/composer.*') }}
@@ -58,7 +58,9 @@ jobs:
         run: composer config --global github-oauth.github.com ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install dependencies on tools
-        run: composer update --ansi
+        run: |
+          composer update --ansi
+          composer audit --ansi
 
       - name: Run PHP CS Fixer
-        run: vendor/bin/php-cs-fixer fix --verbose --ansi --dry-run --diff
+        run: vendor/bin/php-cs-fixer check --verbose --ansi --diff
diff --git a/.github/workflows/test-phpstan.yml b/.github/workflows/test-phpstan.yml
@@ -32,15 +32,16 @@ jobs:
       matrix:
         php-version:
           - '8.1'
-          - '8.2'
-          - '8.3'
+          - '8.5'
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+            persist-credentials: false
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
         with:
           php-version: ${{ matrix.php-version }}
           coverage: none
@@ -50,7 +51,7 @@ jobs:
         run: echo "COMPOSER_CACHE_FILES_DIR=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
       - name: Cache composer dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: ${{ steps.composer-cache.outputs.COMPOSER_CACHE_FILES_DIR }}
           key: composer-${{ matrix.php-version }}-${{ hashFiles('**/composer.*') }}
@@ -73,7 +74,9 @@ jobs:
         run: composer config --global github-oauth.github.com ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install dependencies
-        run: composer update --ansi
+        run: |
+          composer update --ansi
+          composer audit --ansi
 
       - name: Run PHPStan
         run: vendor/bin/phpstan analyse --ansi --verbose
diff --git a/.github/workflows/test-phpunit.yml b/.github/workflows/test-phpunit.yml
@@ -23,7 +23,7 @@ on:
 jobs:
   extension-tests:
     name: PHPUnit Extension Tests [PHP ${{ matrix.php-version }}]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
 
     strategy:
       fail-fast: false
@@ -32,13 +32,17 @@ jobs:
           - '8.1'
           - '8.2'
           - '8.3'
+          - '8.4'
+          - '8.5'
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+            persist-credentials: false
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
         with:
           php-version: ${{ matrix.php-version }}
           coverage: xdebug
@@ -48,7 +52,7 @@ jobs:
         run: echo "COMPOSER_CACHE_FILES_DIR=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
       - name: Cache composer dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: ${{ steps.composer-cache.outputs.COMPOSER_CACHE_FILES_DIR }}
           key: composer-${{ matrix.php-version }}-${{ hashFiles('**/composer.*') }}
@@ -60,7 +64,9 @@ jobs:
         run: composer config --global github-oauth.github.com ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install dependencies
-        run: composer update --ansi
+        run: |
+          composer update --ansi
+          composer audit --ansi
 
       - name: Run Extension Tests
         run: vendor/bin/phpunit --no-coverage
