From 10cc76cac842facbb61cd83272df93a3cf4412d5 Mon Sep 17 00:00:00 2001
From: Eser DENIZ
Date: Mon, 18 May 2026 14:49:41 +0200
Subject: [PATCH 1/3] Harden GitHub Actions workflows against token disclosure

Applies the hardening pattern from laravel/fortify#674, in response to Composer CVE-2026-45793 (GitHub Actions GITHUB_TOKEN disclosure via Composer error messages, May 12-13 2026).
- Pin every action to a commit SHA with a trailing version comment
- Add top-level permissions blocks (deny-all by default in pint.yml, contents:read in test.yml) with least-privilege per job
- Set persist-credentials: false on actions/checkout in test.yml. pint.yml keeps persist-credentials: true explicitly because git-auto-commit-action needs the token persisted to push lint fixes
- Add .github/dependabot.yml so pinned SHAs stay current (monthly, grouped, labelled)
- Add .github/CODEOWNERS so future .github/ changes require review
- Broaden pint.yml branches-ignore to dependabot/** (was npm_and_yarn only) so Dependabot PRs do not trigger an auto-commit back
---
 .github/CODEOWNERS | 2 ++
 .github/dependabot.yml | 15 +++++++++++++++
 .github/workflows/pint.yml | 17 ++++++++++++-----
 .github/workflows/test.yml | 13 +++++++++----
 4 files changed, 38 insertions(+), 9 deletions(-)
 create mode 100644 .github/CODEOWNERS
 create mode 100644 .github/dependabot.yml

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..b9a0681
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,2 @@
+.github/ @SRWieZ
+.github/workflows/ @SRWieZ
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..8771be3
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,15 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "monthly"
+ time: "09:00"
+ timezone: "Europe/Paris"
+ labels:
+ - "dependencies"
+ - "ci"
+ groups:
+ github-actions:
+ patterns:
+ - "*"
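Review bot: These two CODEOWNERS entries only gate merges when a branch protection rule or ruleset on the target branch requires review from code owners; without that setting, which this patch cannot show, the file is advisory and `.github/` changes still merge without owner review, contrary to what the commit message promises. A comment in the file itself would prevent a false sense of coverage, e.g. `# effective only when "Require review from Code Owners" is enabled on the protected branch`.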
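Review bot: `interval: "monthly"` leaves up to a month between a fixed action release and the PR that moves a pinned SHA forward, which is the exposure window the rest of this patch is trying to shrink; `interval: "weekly"` keeps the same grouped, labelled PR at a cadence closer to how action fixes ship. With `patterns: "*"` folding every action into one group, a single update that breaks CI holds back all the others until it is resolved, so expect to split the group by hand when that happens. Whether security-advisory updates for actions arrive independently of this schedule depends on repository settings not visible here.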
diff --git a/.github/workflows/pint.yml b/.github/workflows/pint.yml
index 2868d8d..0693dbb 100644
--- a/.github/workflows/pint.yml
+++ b/.github/workflows/pint.yml
@@ -1,9 +1,13 @@
 name: Linting
+
 on:
 workflow_dispatch:
 push:
 branches-ignore:
- - 'dependabot/npm_and_yarn/*'
+ - 'dependabot/**'
+
+permissions: {}
+
 jobs:
 pint:
 runs-on: ubuntu-latest
@@ -11,10 +15,13 @@ jobs:
 contents: write
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ # Credentials must persist so git-auto-commit-action can push lint fixes.
+ persist-credentials: true

 - name: Setup PHP
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2.37.1
 with:
 php-version: '8.3'
 tools: composer:v2
@@ -29,7 +36,7 @@ jobs:
 run: vendor/bin/pint

 - name: Commit changes
- uses: stefanzweifel/git-auto-commit-action@v4
+ uses: stefanzweifel/git-auto-commit-action@be7095c202abcf573b09f20541e0ee2f6a3a9d9b # v4.9.2
 with:
 commit_message: PHP Linting (Pint)
- skip_fetch: true
\ No newline at end of file
+ skip_fetch: true
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 8a61436..3906351 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -6,6 +6,9 @@ on:
 branches:
 - main

+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ${{ matrix.os }}
@@ -19,10 +22,12 @@ jobs:

 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: false

 - name: Setup PHP
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2.37.1
 with:
 php-version: ${{ matrix.php }}
 tools: composer:v2
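Review bot: The SHA pins added to the Checkout and Setup PHP steps do not reach Composer itself: the unchanged `tools: composer:v2` in this pint.yml hunk, and again in the Setup PHP step of the test.yml hunk below, tells setup-php to download the current Composer 2 release at run time, so protection against the Composer error-message disclosure named in the commit message rests on that floating download already carrying the fix rather than on anything this commit pins. That is a defensible trade-off when the goal is to pick up Composer fixes automatically, but it deserves a comment such as `# composer:v2 intentionally floats to the latest 2.x; Dependabot does not track it` so a later reader does not assume it is pinned like the actions around it. If a fixed release is preferred instead, setup-php appears to accept an exact Composer version in the `tools:` spec — verify against its README — at the cost of bumping it by hand.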
@@ -41,7 +46,7 @@ jobs:
 echo "dir=$dir" >> $env:GITHUB_OUTPUT

 - name: Cache dependencies
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: ${{ steps.composer-cache-unix.outputs.dir || steps.composer-cache-windows.outputs.dir }}
 key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
@@ -51,4 +56,4 @@ jobs:
 run: composer update --no-interaction --prefer-dist

 - name: Run tests
- run: ./vendor/bin/pest
\ No newline at end of file
+ run: ./vendor/bin/pest
From 48e41a96baa1dd93faf63537da94b68be19849e2 Mon Sep 17 00:00:00 2001
From: SRWieZ
Date: Mon, 18 May 2026 12:50:26 +0000
Subject: [PATCH 2/3] PHP Linting (Pint)

---
 cli/publicip.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cli/publicip.php b/cli/publicip.php
index 7bd3402..028a2fc 100644
--- a/cli/publicip.php
+++ b/cli/publicip.php
@@ -4,6 +4,7 @@
 use KnotsPHP\PublicIP\Finders\PublicIP;
 use KnotsPHP\PublicIP\Finders\PublicIPv4;
 use KnotsPHP\PublicIP\Finders\PublicIPv6;
+use NunoMaduro\Collision\Provider;

 error_reporting(E_ALL ^ E_DEPRECATED ^ E_NOTICE);

@@ -12,7 +13,7 @@
 }

 if (class_exists('\NunoMaduro\Collision\Provider')) {
- (new \NunoMaduro\Collision\Provider)->register();
+ (new Provider)->register();
 }

 $ipVersion = null;
From 6c49b776ba358014d6a57a1ae86eb4d265b8d8a8 Mon Sep 17 00:00:00 2001
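Review bot: The guard on the `if` line still spells the class as the string `'\NunoMaduro\Collision\Provider'` while the instantiation below it now relies on the imported alias, so the two references can drift if either is edited alone; `if (class_exists(Provider::class)) {` keeps the guard bound to the `use` statement added in the previous hunk. The import itself is safe for an optional dependency: a `use` statement is a compile-time alias and does not trigger autoloading, so the script still runs when Collision is not installed. The enclosing `if` block is entirely within this hunk.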
From: Eser DENIZ
Date: Mon, 18 May 2026 14:59:43 +0200
Subject: [PATCH 3/3] Switch pint workflow to --test mode (no more auto-commit)

Auto-committing lint fixes from CI has two drawbacks worth avoiding:
- Every contributor PR receives an extra commit attributed to the GITHUB_TOKEN identity, confusing review and breaking signed-commit policies.
- Persisting credentials on actions/checkout (required by the git-auto-commit-action) widens the blast radius of any later step.
Switching to `pint --test` makes the workflow fail on diff instead. Contributors run `composer pint` locally before pushing.
- Drop the stefanzweifel/git-auto-commit-action dependency entirely (one less third-party action in the supply chain)
- Set persist-credentials: false on the checkout (no push needed)
- Drop the now-unused permissions: contents: write on the pint job; top-level permissions: contents: read is sufficient
- Trigger on pull_request + push to main only (matches test.yml)
- Drop the .env copy step (irrelevant for a library)
- Simplify CODEOWNERS to a single repo-rooted entry
---
 .github/CODEOWNERS | 3 +--
 .github/workflows/pint.yml | 26 ++++++++------------------
 2 files changed, 9 insertions(+), 20 deletions(-)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index b9a0681..a9908fa 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,2 +1 @@
-.github/ @SRWieZ
-.github/workflows/ @SRWieZ
+/.github/ @SRWieZ
diff --git a/.github/workflows/pint.yml b/.github/workflows/pint.yml
index 0693dbb..be473dd 100644
--- a/.github/workflows/pint.yml
+++ b/.github/workflows/pint.yml
@@ -2,23 +2,22 @@ name: Linting

 on:
 workflow_dispatch:
+ pull_request:
 push:
- branches-ignore:
- - 'dependabot/**'
+ branches:
+ - main

-permissions: {}
+permissions:
+ contents: read

 jobs:
 pint:
 runs-on: ubuntu-latest
- permissions:
- contents: write
 steps:
 - name: Checkout code
 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
- # Credentials must persist so git-auto-commit-action can push lint fixes.
- persist-credentials: true
+ persist-credentials: false

 - name: Setup PHP
 uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2.37.1
@@ -26,17 +25,8 @@ jobs:
 php-version: '8.3'
 tools: composer:v2

- - name: Copy .env
- run: php -r "file_exists('.env') || copy('.env.example', '.env');"
-
 - name: Install Dependencies
 run: composer install -q --no-ansi --no-interaction --no-scripts --no-progress --prefer-dist

- - name: Launch Pint inspection
- run: vendor/bin/pint
-
- - name: Commit changes
- uses: stefanzweifel/git-auto-commit-action@be7095c202abcf573b09f20541e0ee2f6a3a9d9b # v4.9.2
- with:
- commit_message: PHP Linting (Pint)
- skip_fetch: true
+ - name: Run Pint
+ run: vendor/bin/pint --test
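Review bot: The retained `composer install -q ...` line in the second hunk only reproduces a fixed dependency set when `composer.lock` is committed; test.yml runs `composer update` against a `hashFiles('**/composer.lock')` cache key, which suggests the lock file may be absent (not verifiable from the patch), and in that case Composer resolves fresh on every lint run while `-q` suppresses the warning it prints about doing so. Since `--no-scripts` is what keeps this job from executing package-defined scripts, it is worth dropping `-q` so the resolution path and any plugin or script notices stay in the log: `run: composer install --no-ansi --no-interaction --no-scripts --no-progress --prefer-dist`. The same `--no-scripts` hardening is not applied to test.yml's `composer update`, which still runs package scripts; if the test suite does not depend on them, the flag belongs there too. Both steps of the pint job are entirely within this hunk.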