## Summary
- Adds PHP 8.5 (stable since Nov 2025, current: 8.5.3) to the CI test matrix
- Tests unit and integration suites against PHP 8.5
- No dependency or config changes needed (`platform.php: 8.1.27` ensures locked install works)

## Changes
- `.github/workflows/main.yaml`: Added `'8.5'` to `matrix.php` in the `tests` job

## Context
PHP 8.5 has been GA since November 2025. The existing `composer.json` constraint (`^8.1`) already allows 8.5. The `config.platform.php: 8.1.27` setting ensures `composer install --locked` succeeds regardless of runtime PHP version.

## Test plan
- [ ] CI runs unit tests on PHP 8.5
- [ ] CI runs integration tests on PHP 8.5
- [ ] Existing PHP 8.1-8.4 jobs unaffected

- actions/checkout: v4 -> v6
- ramsey/composer-install: v2 -> v3
- docker/setup-buildx-action: v2 -> v3 (merge job)
- actions/upload-artifact: v4 -> v6
- actions/download-artifact: v4 -> v7
- actions/cache: v4 -> v5
- dependabot/fetch-metadata: v1/pinned SHA -> v2
- frankdejonge/use-github-token: 1.0.2 -> 1.1.0
- frankdejonge/use-subsplit-publish: 1.0.0 -> 1.1.0
Pull request overview
Updates GitHub Actions workflow dependencies to newer major versions across the repository’s CI, Docker build, Dependabot automation, and sub-split publishing pipelines.
Changes:
- Bump multiple GitHub Actions versions across 5 workflows (checkout, composer install, cache, artifacts, buildx, dependabot metadata, subsplit-related actions).
- Update Dependabot metadata action usage in auto-merge/auto-approve workflows.
- Expand the CI test matrix to include PHP 8.5.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/split-repositories.yaml | Updates checkout/cache and subsplit helper actions used for publishing sub-splits. |
| .github/workflows/pr-auto-merge.yaml | Updates Dependabot metadata action used to drive auto-merge decisions. |
| .github/workflows/pr-auto-approve.yaml | Updates Dependabot metadata action used to drive auto-approve behavior. |
| .github/workflows/main.yaml | Updates checkout/composer actions and adds PHP 8.5 to the test matrix. |
| .github/workflows/docker.yaml | Updates checkout/buildx and artifact upload/download actions used in Docker publish pipeline. |
| .github/workflows/deploy-azure-assets.yaml | Updates checkout action for Azure assets deployment workflow. |
| - '8.2' | ||
| - '8.3' | ||
| - '8.4' | ||
| - '8.5' |
This PR is described as only updating GitHub Actions versions, but this change also expands the test matrix to include PHP 8.5. If this is intentional, the PR description/test plan should mention it; otherwise, consider reverting to keep the PR scope to action updates. Also ensure the toolchain (shivammathur/setup-php + dependencies) supports PHP 8.5 in CI.
| @@ -17,7 +17,7 @@ jobs: | |||
| steps: | |||
| - name: Dependabot metadata | |||
| id: metadata | |||
In a pull_request_target workflow (runs with elevated permissions), switching from a commit-SHA pin to a mutable tag increases supply-chain risk and can introduce unexpected behavior changes. Consider pinning dependabot/fetch-metadata to a specific commit SHA (and letting Dependabot/Renovate update it), or otherwise document why tracking the v2 tag is acceptable here.
| id: metadata | |
| id: metadata | |
| # NOTE: We intentionally track the stable v2 tag instead of pinning a commit SHA. | |
| # This workflow only runs for dependabot[bot] pull_request_target events and uses the | |
| # official GitHub-maintained dependabot/fetch-metadata action, so we accept the risk | |
| # of updates to the v2 major tag in exchange for receiving security and bug fixes. |
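Review bot: the NOTE justifies tracking the mutable v2 tag by saying the workflow only runs for dependabot[bot] pull_request_target events, but nothing in these lines shows the condition that enforces that, so the comment can drift from what the workflow actually does. Name the guarding condition in the comment, or pin the action to a full commit SHA with a trailing version comment so the justification is not needed. The `id: metadata` line also appears twice in the visible suggestion; confirm only one copy ends up in the applied step.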
Update actions/checkout from v4 to v6 in docker-test.yaml, which was missed in the initial actions update commit.
Pin all GitHub Actions to their exact commit SHAs for supply chain security. Version comments are included for maintainability.
Summary
Updates 9 GitHub Actions across 5 workflow files to their latest versions.
Test plan