827e170f50
GH Actions: Bump the action-runners group with 3 updates
...
Bumps the action-runners group with 3 updates: [JamesIves/github-pages-deploy-action](https://github.com/jamesives/github-pages-deploy-action ), [github/codeql-action](https://github.com/github/codeql-action ) and [codecov/codecov-action](https://github.com/codecov/codecov-action ).
Updates `JamesIves/github-pages-deploy-action` from 4.7.4 to 4.7.6
- [Release notes](https://github.com/jamesives/github-pages-deploy-action/releases )
- [Commits](4a3abc783e...9d877eea73https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](cf1bb45a27...5d4e8d1acahttps://github.com/codecov/codecov-action/releases )
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md )
- [Commits](5a1091511a...671740ac38
2025-12-20 22:26:44 +00:00
d04efe78e1
GH Actions: Bump the action-runners group across 1 directory with 3 updates
...
Bumps the action-runners group with 3 updates in the / directory: [actions/checkout](https://github.com/actions/checkout ), [github/codeql-action](https://github.com/github/codeql-action ) and [shivammathur/setup-php](https://github.com/shivammathur/setup-php ).
Updates `actions/checkout` from 6.0.0 to 6.0.1
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](1af3b93b68...8e8c483db8https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](e12f017898...cf1bb45a27https://github.com/shivammathur/setup-php/releases )
- [Commits](bf6b4fbd49...44454db4f0
2025-12-08 06:02:37 +00:00
6dc895d1d9
Merge pull request #3278 from PHPMailer/dependabot/github_actions/actions/checkout-6.0.0
...
GH Actions: Bump actions/checkout from 5.0.0 to 6.0.0
2025-11-24 10:03:09 +01:00
606c699536
GH Actions: Bump actions/checkout from 5.0.0 to 6.0.0
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 5.0.0 to 6.0.0.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](08c6903cd8...1af3b93b68
2025-11-24 06:03:12 +00:00
abe4691505
GH Actions: Bump github/codeql-action in the action-runners group
...
Bumps the action-runners group with 1 update: [github/codeql-action](https://github.com/github/codeql-action ).
Updates `github/codeql-action` from 4.31.2 to 4.31.4
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](0499de31b9...e12f017898
2025-11-24 06:03:05 +00:00
9aa8367be6
GH Actions: Bump github/codeql-action in the action-runners group
...
Bumps the action-runners group with 1 update: [github/codeql-action](https://github.com/github/codeql-action ).
Updates `github/codeql-action` from 4.31.0 to 4.31.2
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](4e94bd11f7...0499de31b9
2025-11-03 06:03:34 +00:00
494e8d60e4
Merge pull request #3259 from PHPMailer/dependabot/github_actions/action-runners-499cb248b3
...
GH Actions: Bump github/codeql-action from 4.30.9 to 4.31.0 in the action-runners group
2025-10-27 09:58:54 +01:00
d9cf457a92
GH Actions: Bump github/codeql-action in the action-runners group
...
Bumps the action-runners group with 1 update: [github/codeql-action](https://github.com/github/codeql-action ).
Updates `github/codeql-action` from 4.30.9 to 4.31.0
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](16140ae1a1...4e94bd11f7
2025-10-27 06:32:22 +00:00
060cf931c3
GH Actions: Bump actions/upload-artifact from 4.6.2 to 5.0.0
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 4.6.2 to 5.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](ea165f8d65...330a01c490
2025-10-27 06:15:15 +00:00
effe349964
GH Actions: Bump github/codeql-action in the action-runners group
...
Bumps the action-runners group with 1 update: [github/codeql-action](https://github.com/github/codeql-action ).
Updates `github/codeql-action` from 4.30.8 to 4.30.9
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](f443b600d9...16140ae1a1
2025-10-20 06:11:04 +00:00
1cf86b0762
GH Actions: Bump github/codeql-action from 3.30.6 to 4.30.8
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.30.6 to 4.30.8.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](64d10c1313...f443b600d9
2025-10-13 06:03:01 +00:00
c60f5ab888
GH Actions: Bump the action-runners group with 2 updates
...
Bumps the action-runners group with 2 updates: [ossf/scorecard-action](https://github.com/ossf/scorecard-action ) and [github/codeql-action](https://github.com/github/codeql-action ).
Updates `ossf/scorecard-action` from 2.4.2 to 2.4.3
- [Release notes](https://github.com/ossf/scorecard-action/releases )
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md )
- [Commits](05b42c6244...4eaacf0543https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](3599b3baa1...64d10c1313
2025-10-06 06:02:48 +00:00
9b899a0f22
GH Actions: Bump github/codeql-action in the action-runners group
...
Bumps the action-runners group with 1 update: [github/codeql-action](https://github.com/github/codeql-action ).
Updates `github/codeql-action` from 3.30.3 to 3.30.5
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](192325c861...3599b3baa1
2025-09-29 07:07:40 +00:00
7e878a18f1
Merge pull request #3230 from PHPMailer/dependabot/github_actions/actions/checkout-5.0.0
...
GH Actions: Bump actions/checkout from 4.3.0 to 5.0.0
2025-09-21 14:54:18 +01:00
0d6eaeb3a9
GH Actions: Bump actions/checkout from 4.3.0 to 5.0.0
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4.3.0 to 5.0.0.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](08eba0b27e...08c6903cd8
2025-09-21 10:20:29 +00:00
80cd2d5f3a
Merge pull request #3228 from jrfnl/feature/ghactions-update-permissions-scorecard
...
GH Actions/scorecard: update permissions
2025-09-21 11:20:24 +01:00
086dfbe727
GH Actions: "pin" all action runners
...
Recently there has been more and more focus on securing GH Actions workflows - in part due to some incidents.
The problem with "unpinned" action runners is as follows:
* Tags are mutable, which means that a tag could point to a safe commit today, but to a malicious commit tomorrow.
Note that GitHub is currently beta-testing a new "immutable releases" feature (= tags and release artifacts can not be changed anymore once the release is published), but whether that has much effect depends on the ecosystem of the packages using the feature.
Aside from that, it will likely take years before all projects adopt _immutable releases_.
* Action runners often don't even point to a tag, but to a branch, making the used action runner a moving target.
_Note: this type of "floating major" for action runners used to be promoted as good practice when the ecosystem was "young". Insights have since changed._
While it is convenient to use "floating majors" of action runners, as this means you only need to update the workflows on a new major release of the action runner, the price is higher risk of malicious code being executed in workflows.
Dependabot, by now, can automatically submit PRs to update pinned action runners too, as long as the commit-hash pinned runner is followed by a comment listing the released version the commit is pointing to.
So, what with Dependabot being capable of updating workflows with pinned action runners, I believe it is time to update the workflows to the _current_ best practice of using commit-hash pinned action runners.
The downside of this change is that there will be more frequent Dependabot PRs.
If this would become a burden/irritating, the following mitigations can be implemented:
1. Updating the Dependabot config to group updates instead of sending individual PRs per action runner.
2. A workflow to automatically merge Dependabot PRs as long as CI passes.
Includes updating the version for `ossf/scorecard-action` as it was a couple of version behind.
Ref: https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions
2025-09-20 05:10:21 +02:00
63540d8cf3
GH Actions/scorecard: update permissions
...
... to match the current recommendations.
I've removed the "read" permissions as those should only be needed for "private" repos.
Ref: https://github.com/ossf/scorecard-action#additional-permissions-for-private-repositories
2025-09-20 05:09:45 +02:00
fc8c76f3be
GH Actions: don't run cron jobs on forks
...
While workflows are disabled by default in forks, it is quite common for contributors to enable them to verify CI will pass before submitting a pull request.
When enabling workflow runs in forks, it's "all or nothing".
This means that:
* All workflows which are only intended to be run on the canonical repo will also be enabled.
These workflows will also often need access to repo-specific secrets and will typically fail when run from a fork.
* Workflows which contain cron jobs will also be enabled.
Depending on the type of account the contributor has, this can burn through their "CI minutes".
This commit is based on a review of workflows containing cron jobs and disables running the jobs when a cron job is triggered in a fork.
2025-08-04 18:10:23 +02:00
a93c0f2eb1
GH Actions: Bump ossf/scorecard-action from 2.3.1 to 2.4.0
...
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action ) from 2.3.1 to 2.4.0.
- [Release notes](https://github.com/ossf/scorecard-action/releases )
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md )
- [Commits](0864cf1902...62b2cac7ed
2024-07-29 06:02:58 +00:00
5372c1694d
Merge pull request #2996 from PHPMailer/dependabot/github_actions/actions/upload-artifact-4
...
GH Actions: Bump actions/upload-artifact from 3 to 4
2023-12-18 08:46:07 +01:00
2b95ac8a56
GH Actions: Bump actions/upload-artifact from 3 to 4
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 3 to 4.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](https://github.com/actions/upload-artifact/compare/v3...v4 )
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-12-18 06:16:47 +00:00
8c65fb5bae
GH Actions: Bump github/codeql-action from 2 to 3
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2 to 3.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](https://github.com/github/codeql-action/compare/v2...v3 )
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-12-18 06:16:42 +00:00
66b6c7e97d
Merge pull request #2971 from PHPMailer/dependabot/github_actions/ossf/scorecard-action-2.3.1
...
GH Actions: Bump ossf/scorecard-action from 2.2.0 to 2.3.1
2023-11-23 09:15:16 +01:00
7071666cf4
Merge pull request #2952 from PHPMailer/dependabot/github_actions/actions/checkout-4
...
GH Actions: Bump actions/checkout from 3 to 4
2023-11-23 09:14:44 +01:00
a26a3cb738
GH Actions: Bump ossf/scorecard-action from 2.2.0 to 2.3.1
...
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action ) from 2.2.0 to 2.3.1.
- [Release notes](https://github.com/ossf/scorecard-action/releases )
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md )
- [Commits](08b4669551...0864cf1902
2023-10-30 06:08:11 +00:00
edce283afc
GH Actions: Bump actions/checkout from 3 to 4
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/checkout/compare/v3...v4 )
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-09-11 06:14:09 +00:00
e184d1f92c
GH Actions: Bump ossf/scorecard-action from 2.1.3 to 2.2.0
...
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action ) from 2.1.3 to 2.2.0.
- [Release notes](https://github.com/ossf/scorecard-action/releases )
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md )
- [Commits](80e868c13c...08b4669551
2023-06-26 06:58:25 +00:00
4ad37c38ce
GH Actions: Bump ossf/scorecard-action from 2.1.2 to 2.1.3
...
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action ) from 2.1.2 to 2.1.3.
- [Release notes](https://github.com/ossf/scorecard-action/releases )
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md )
- [Commits](e38b1902ae...80e868c13c
2023-04-03 06:59:05 +00:00
2e21dd3778
GH Actions: Bump ossf/scorecard-action from 2.1.0 to 2.1.2
...
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action ) from 2.1.0 to 2.1.2.
- [Release notes](https://github.com/ossf/scorecard-action/releases )
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md )
- [Commits](937ffa90d7...e38b1902ae
2022-12-26 06:03:39 +00:00
1a81c80dc9
GH Actions: Bump ossf/scorecard-action from 2.0.6 to 2.1.0
...
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action ) from 2.0.6 to 2.1.0.
- [Release notes](https://github.com/ossf/scorecard-action/releases )
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md )
- [Commits](99c53751e0...937ffa90d7
2022-12-19 06:04:12 +00:00
c7e3d7302d
GH Actions: Bump ossf/scorecard-action from 2.0.4 to 2.0.6
...
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action ) from 2.0.4 to 2.0.6.
- [Release notes](https://github.com/ossf/scorecard-action/releases )
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md )
- [Commits](e363bfca00...99c53751e0
2022-10-24 06:16:13 +00:00
5a8c04a9d6
GH Actions: use semver branch/tag references instead of commit references
...
Most predefined action runners offer a long-running branch or a tag which gets moved every release to allow staying on the "latest" version of a certain major of their action, without having to update the workflow scripts on every release of the action runner.
This works well for action runners which follow semver.
I've reviewed the existing workflows and tweaked the versions used whenever possible to make optimal use of this.
* For the `ossf/scorecard-action` action runner, I have not been able to find a workable tag/branch to fix this on.
Note: I have remove the "# v1.1.1" comment though as it doesn't get updated by Dependabot and was sorely out of date (you are currently on version `2.0.4`).
With the changes in this PR, Dependabot should become less noisy and will only send in PRs to update the action runner versions when a new major release has been tagged. (save for the one exceptions mentioned above)
I would recommend watching the following repos for new releases:
* https://github.com/actions/checkout
* https://github.com/actions/upload-artifact
* https://github.com/shivammathur/setup-php
* https://github.com/ramsey/composer-install
* https://github.com/nick-fields/retry
* https://github.com/codecov/codecov-action
* https://github.com/JamesIves/github-pages-deploy-action
* https://github.com/ossf/scorecard-action
* https://github.com/github/codeql-action
This will ensure you will get an email with the changelogs for those action runners on all releases, so you can still monitor for changes in the action runners you need to be aware of.
2022-10-10 19:23:47 +02:00
29cdd9af52
Merge pull request #2784 from PHPMailer/dependabot/github_actions/ossf/scorecard-action-2.0.4
...
GH Actions: Bump ossf/scorecard-action from 2.0.3 to 2.0.4
2022-10-03 21:05:11 +02:00
d579dc362a
GH Actions: Bump ossf/scorecard-action from 2.0.3 to 2.0.4
...
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action ) from 2.0.3 to 2.0.4.
- [Release notes](https://github.com/ossf/scorecard-action/releases )
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md )
- [Commits](865b409285...e363bfca00
2022-10-03 06:17:55 +00:00
56ce2fd740
GH Actions: Bump github/codeql-action from 2.1.24 to 2.1.26
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.24 to 2.1.26.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](904260d7d9...e0e5ded33c
2022-10-03 06:17:51 +00:00
de69dfc97f
GH Actions: Bump github/codeql-action from 2.1.22 to 2.1.24
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.22 to 2.1.24.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](b398f525a5...904260d7d9
2022-09-21 13:49:27 +00:00
a47284acc9
GH Actions: Bump ossf/scorecard-action from 2.0.2 to 2.0.3
...
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action ) from 2.0.2 to 2.0.3.
- [Release notes](https://github.com/ossf/scorecard-action/releases )
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md )
- [Commits](68bf5b3327...865b409285
2022-09-19 06:12:05 +00:00
6105356343
GH Actions: Bump ossf/scorecard-action from 1.1.2 to 2.0.2
...
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action ) from 1.1.2 to 2.0.2.
- [Release notes](https://github.com/ossf/scorecard-action/releases )
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md )
- [Commits](ce330fde6b...68bf5b3327
2022-09-12 06:24:09 +00:00
58a18c33f8
GH Actions: Bump github/codeql-action from 2.1.21 to 2.1.22
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.21 to 2.1.22.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](c7f292ea4f...b398f525a5
2022-09-05 14:15:08 +00:00
971792a11d
GH Actions: Bump github/codeql-action from 2.1.19 to 2.1.21
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.19 to 2.1.21.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](f5d217be74...c7f292ea4f
2022-08-29 06:18:36 +00:00
6a8157c086
Merge pull request #2757 from PHPMailer/dependabot/github_actions/github/codeql-action-2.1.19
...
GH Actions: Bump github/codeql-action from 1.0.26 to 2.1.19
2022-08-22 10:01:45 +02:00
dfe2167f34
Merge pull request #2750 from PHPMailer/dependabot/github_actions/actions/upload-artifact-3.1.0
...
GH Actions: Bump actions/upload-artifact from 3.0.0 to 3.1.0
2022-08-22 10:01:32 +02:00
a66b21a875
GH Actions: Bump github/codeql-action from 1.0.26 to 2.1.19
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 1.0.26 to 2.1.19.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](5f53256358...f5d217be74
2022-08-22 06:27:25 +00:00
7b407e0c50
GH Actions: Bump actions/upload-artifact from 3.0.0 to 3.1.0
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](6673cd052c...3cea537223
2022-08-15 06:21:16 +00:00
c15ff12611
GH Actions: Bump ossf/scorecard-action from 1.1.1 to 1.1.2
...
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action ) from 1.1.1 to 1.1.2.
- [Release notes](https://github.com/ossf/scorecard-action/releases )
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md )
- [Commits](3e15ea8318...ce330fde6b
2022-08-15 06:21:10 +00:00
fadcb6abe1
Create scorecards.yml
...
Add OSSF scorecard config
2022-08-11 13:32:11 +02:00
dependabot[bot]
Marcus Bointon
jrfnl