
build(deps): bump shivammathur/setup-php from 2.37.1 to 2.37.2 #23

Open

dependabot[bot] wants to merge 53 commits into main from dependabot/github_actions/shivammathur/setup-php-2.37.2

Conversation

dependabot Bot commented on behalf of github Jun 11, 2026

Contributor

Bumps shivammathur/setup-php from 2.37.1 to 2.37.2.

Release notes

Sourced from shivammathur/setup-php's releases.

2.37.2

Changelog

  • Fixed macOS setup by marking shivammathur/php and shivammathur/extensions as trusted taps.

  • Switched to Visual Studio 18 (vs18) builds for PHP 8.6 on Windows.

  • Improved looking up environment variables.

  • Tightened security in internal GitHub action workflows.

  • Updated Node.js dependencies.

For the complete list of changes, please refer to the Full Changelog

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

ram0ng1 and others added 30 commits May 10, 2026 09:39
…and foreign keys, indexes and ENUM columns
…warnings about indexes not supported in Postgres
- Introduced a new chunked upload mechanism in ImportModal.tsx to handle large .flarum archive uploads.
- Added fallback chunk size and retry logic for failed chunks.
- Created new API endpoints for handling chunk uploads and inspecting the uploaded files.
- Updated UploadImportController to initialize chunked uploads and validate file sizes.
- Added ChunkImportController to append chunks to the staging file and ensure idempotency.
- Implemented InspectImportController to validate the completeness of the uploaded file and retrieve metadata.
…of branches, plus improvements to identifier validation and project structure
feat: Add CI workflows, release cleanup and synchronization …
…bility

- Standardized string quotes from single to double across ImportModal.tsx, index.tsx, api.ts, errorBoundary.tsx, and other files.
- Improved formatting and indentation for better code clarity.
- Updated error handling messages to ensure consistent usage of translation functions.
- Removed unnecessary comments and streamlined code logic in various functions.
- Enhanced the user interface by ensuring consistent alert messages and button labels.
…Composer and JS dependency installation
Update CI and release workflows for better version management
- MysqlIntrospector: normalizes MariaDB 10.2.7+ COLUMN_DEFAULT
  (quoted literals, the string "NULL" as a real NULL) and removes the
  str_getcsv() deprecation on PHP 8.4.
- PostgresIntrospector: PG true/false literals are now recognized as
  booleans (previously they were emitted as barewords, which is
  invalid in MySQL DDL).
- MysqlEmitter: suppresses DEFAULT on TEXT/BLOB/JSON columns, which
  MySQL/MariaDB reject (error 1101); essential on the PG -> MySQL path,
  where the original VARCHARs show up as TEXT.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Added `ImportCommand` to restore a .flarum archive into the running install.
- Implemented options for confirming the import, selecting specific components to restore (database, assets, storage, extensions).
- Introduced `CliTransferE2ETest` to validate the export and import process via CLI, ensuring data integrity across transfers.
- Created `CrossEngineTransferTest` to verify data preservation across different database engines.
- Developed support classes (`Engines`, `Fixture`, `Transfer`) to facilitate database connections and data handling for tests.
- Added unit tests for `Dialect` to ensure correct engine detection and parsing.
fix: correct database driver detection in the Dialect enum
…export and import operations
Add support for detailed progress and row counts in export and import operations
… implement state recovery logic in import and export operations
feat: Change directory permissions to 0700 in ensureDir for better security
…workflows

Replaces the mutable pins (@v4/@v2/@v7) with 40-character SHAs plus a
version comment (§35.13 C2/C3; Dependabot keeps the SHAs fresh while
preserving the pin), aligning with the sibling repos. Adds
step-security/harden-runner v2.19.4 in audit mode as the first step of
every job (§35.13 I3), promotes ci.yml to default-deny permissions with
per-job grants (§35.13 C1) and bumps the release-management
harden-runner from v2.11.0 to v2.19.4.
Weekly plus per-PR analysis with the security-extended and
security-and-quality queries (§35.13 I2). CodeQL does not support PHP;
that coverage will come from Semgrep (security.yml) and from
PHPStan/Psalm. The init/analyze steps carry continue-on-error because
code scanning on a private repo requires GHAS; once enabled, the job
stands on its own.
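A lint for the pinning convention that commit describes (a full 40-character commit SHA on every `uses:` line, with a trailing version comment so Dependabot can bump the SHA while keeping the pin), as an added example that is not part of this PR or the repository; the sample workflow and the hex SHAs in it are constructed placeholders:

```python
import re

# Matches a GitHub Actions step line such as
#   - uses: owner/action@<ref>   # <version comment>
# Groups: action path, ref after '@', optional trailing comment text.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)(?:\s*#\s*(\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str) -> list[str]:
    """Return one finding per `uses:` line that is either pinned to a mutable
    ref (tag or branch) or pinned to a full SHA but missing the version
    comment Dependabot relies on to update the SHA without losing the pin."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.groups()
        if not FULL_SHA_RE.match(ref):
            findings.append(
                f"line {lineno}: {action}@{ref} is a mutable ref; pin to a 40-char commit SHA"
            )
        elif not comment:
            findings.append(
                f"line {lineno}: {action}@{ref[:7]} is SHA-pinned but has no version comment"
            )
    return findings


# Constructed sample workflow; the SHAs below are placeholder hex values,
# not real commits of these projects.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: step-security/harden-runner@v2
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.4
      - uses: shivammathur/setup-php@89abcdef0123456789abcdef0123456789abcdef
      - run: composer install
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```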
claude and others added 21 commits June 11, 2026 15:02
…blocking

New two-layer workflow, following the marketplace pattern: generic
rulesets (p/php, p/security-audit, p/owasp-top-ten, p/secrets,
p/javascript) as informational, plus 22 Flarum v2 rules (.github/semgrep/
flarum-v2.yaml) as blocking in diff-aware mode on pull_request
(--baseline-commit <base> --error); on push/schedule they only report.
Checkout with fetch-depth: 0. Verified locally with semgrep
1.166.0: 22 valid rules; 10 legacy findings (server-side-fetch in the
export/import jobs, capsule in tests) that do not block the gate and
remain in the SARIF for review.
…blocking)

Dedicated workflow that sweeps the full git history (fetch-depth: 0)
for hardcoded credentials and fails the PR if any are found. The local
scan (gitleaks 8.30.0, 29 commits) found only an example key in docs in
an old README, ignored by fingerprint in .gitleaksignore; with that, the
history comes out clean and the gate starts green. SHA-pinned actions,
harden-runner in audit mode and default-deny permissions.
The repo had no .github/dependabot.yml; the standard config from the
sibling repos goes in (composer, npm in /js and github-actions, weekly,
label dependencias). The auto-merge workflow approves and enables
automatic merge (squash + delete-branch) only for Dependabot's own PRs
with patch/minor updates; major stays for manual review.
pull_request_target without checking out the PR's code, so no untrusted
code runs with the write token.
The package in require-dev conflicts with any dependency version that
has a published advisory; composer's resolution fails instead of
installing a vulnerable version. Verified locally: installs clean, "No
security vulnerability advisories found".
The repo had no static analysis at all. In go phpstan/phpstan ^2.0 in
require-dev, phpstan.neon (level 6, src + extend.php) and a new CI job
running vendor/bin/phpstan, blocking from the start. The 41 pre-existing
findings are frozen in phpstan-baseline.neon; new code is held to
level 6. Verified locally with phpstan 2.2.2 (the same one CI
resolves): [OK] No errors.
ci(security): SHA-pin all actions + harden-runner v2.19.4
ci(security): CodeQL for the JS/TS frontend
ci(security): Security Scan with Semgrep + blocking Flarum-v2 rules (diff-aware)
ci(security): secret scanning with Gitleaks (blocking gate)
ci: Dependabot + auto-merge of patch/minor PRs with green CI
ci(security): roave/security-advisories as a hard CVE gate
ci(security): PHPStan level 6 blocking with a dedicated baseline
Tracks source-to-sink flow in PHP (SQLi, XSS, path traversal), the
coverage CodeQL does not provide for PHP, relevant in a repo that
extracts archives, builds SQL dumps and talks to multiple engines.
vimeo/psalm ^6 in require-dev, psalm.xml scoped to src/ + extend.php
and a dedicated workflow with SARIF. The gate is blocking from the
start: taint pre-verified clean locally (psalm 6.x, "No errors found",
93.2% of types inferred).
Bumps [shivammathur/setup-php](https://github.com/shivammathur/setup-php) from 2.37.1 to 2.37.2.
- [Release notes](https://github.com/shivammathur/setup-php/releases)
- [Commits](shivammathur/setup-php@7c071df...f3e473d)

---
updated-dependencies:
- dependency-name: shivammathur/setup-php
  dependency-version: 2.37.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot commented on behalf of github Jun 11, 2026

Contributor Author

Labels

The following labels could not be found: dependencias. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

ram0ng1 and others added 2 commits June 11, 2026 13:39
ci(security): Psalm taint analysis (PHP data-flow), blocking

ram0ng1 commented Jun 11, 2026

Owner

@dependabot recreate


Generated by Claude Code

ram0ng1 commented Jun 11, 2026

Owner

@dependabot rebase


Generated by Claude Code
