From 19756e8f5119da9553b9fa5407c66a3b2d5da79f Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Sat, 21 Feb 2026 09:20:42 +0100 Subject: [PATCH 1/4] [TASK] Add PHP 8.5 to CI test matrix (#1181) ## Summary - Adds PHP 8.5 (stable since Nov 2025, current: 8.5.3) to the CI test matrix - Tests unit and integration suites against PHP 8.5 - No dependency or config changes needed (`platform.php: 8.1.27` ensures locked install works) ## Changes - `.github/workflows/main.yaml`: Added `'8.5'` to `matrix.php` in the `tests` job ## Context PHP 8.5 has been GA since November 2025. The existing `composer.json` constraint (`^8.1`) already allows 8.5. The `config.platform.php: 8.1.27` setting ensures `composer install --locked` succeeds regardless of runtime PHP version. ## Test plan - [ ] CI runs unit tests on PHP 8.5 - [ ] CI runs integration tests on PHP 8.5 - [ ] Existing PHP 8.1-8.4 jobs unaffected --- .github/workflows/main.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 287b00f89..2ff7270ff 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -22,6 +22,7 @@ jobs: - '8.2' - '8.3' - '8.4' + - '8.5' steps: - name: Checkout uses: actions/checkout@v4 From 72db6fd8d377b1b894240a249a58700a5b91bb09 Mon Sep 17 00:00:00 2001 
From: Sebastian Mendel Date: Sun, 22 Feb 2026 12:27:06 +0100 Subject: [PATCH 2/4] [TASK] Update GitHub Actions to latest versions - actions/checkout: v4 -> v6 - ramsey/composer-install: v2 -> v3 - docker/setup-buildx-action: v2 -> v3 (merge job) - actions/upload-artifact: v4 -> v6 - actions/download-artifact: v4 -> v7 - actions/cache: v4 -> v5 - dependabot/fetch-metadata: v1/pinned SHA -> v2 - frankdejonge/use-github-token: 1.0.2 -> 1.1.0 - frankdejonge/use-subsplit-publish: 1.0.0 -> 1.1.0 --- .github/workflows/deploy-azure-assets.yaml | 2 +- .github/workflows/docker.yaml | 8 ++++---- .github/workflows/main.yaml | 12 ++++++------ .github/workflows/pr-auto-approve.yaml | 2 +- .github/workflows/pr-auto-merge.yaml | 2 +- .github/workflows/split-repositories.yaml | 8 ++++---- 6 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/deploy-azure-assets.yaml b/.github/workflows/deploy-azure-assets.yaml index ecd296108..397c63e8d 100644 --- a/.github/workflows/deploy-azure-assets.yaml +++ b/.github/workflows/deploy-azure-assets.yaml @@ -18,7 +18,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Get the version id: get-version diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index d756b3003..3922dd77c 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -20,7 +20,7 @@ jobs: - linux/amd64 - linux/arm64 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Prepare image name run: | @@ -77,7 +77,7 @@ jobs: touch "/tmp/digests/${digest#sha256:}" - name: Upload digest - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: digests-${{ env.PLATFORM_NAME }} overwrite: true 
@@ -97,14 +97,14 @@ jobs: - name: Download digests - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: pattern: digests-* merge-multiple: true path: /tmp/digests - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Docker meta id: meta diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 2ff7270ff..36d626825 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -25,7 +25,7 @@ jobs: - '8.5' steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: "Install PHP" uses: "shivammathur/setup-php@v2" @@ -35,7 +35,7 @@ jobs: extensions: 'inotify, pcntl' - name: "Install dependencies with Composer" - uses: "ramsey/composer-install@v2" + uses: "ramsey/composer-install@v3" with: dependency-versions: "locked" @@ -50,7 +50,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: "Install PHP" uses: "shivammathur/setup-php@v2" @@ -60,7 +60,7 @@ jobs: extensions: 'inotify, pcntl' - name: "Install dependencies with Composer" - uses: "ramsey/composer-install@v2" + uses: "ramsey/composer-install@v3" with: dependency-versions: "locked" @@ -87,7 +87,7 @@ jobs: runs-on: "ubuntu-latest" steps: - name: "Checkout" - uses: "actions/checkout@v4" + uses: "actions/checkout@v6" - name: "Install PHP" uses: "shivammathur/setup-php@v2" @@ -97,7 +97,7 @@ jobs: extensions: 'inotify, pcntl' - name: "Install dependencies with Composer" - uses: "ramsey/composer-install@v2" + uses: "ramsey/composer-install@v3" with: dependency-versions: "locked" diff --git a/.github/workflows/pr-auto-approve.yaml b/.github/workflows/pr-auto-approve.yaml index fe43162e0..e86a2db60 100644 --- a/.github/workflows/pr-auto-approve.yaml +++ b/.github/workflows/pr-auto-approve.yaml 
@@ -18,7 +18,7 @@ jobs: steps: - name: Dependabot metadata id: metadata - uses: dependabot/fetch-metadata@v1 + uses: dependabot/fetch-metadata@v2 with: github-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/pr-auto-merge.yaml b/.github/workflows/pr-auto-merge.yaml index 013e8efc3..d2906892a 100644 --- a/.github/workflows/pr-auto-merge.yaml +++ b/.github/workflows/pr-auto-merge.yaml @@ -17,7 +17,7 @@ jobs: steps: - name: Dependabot metadata id: metadata - uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7 + uses: dependabot/fetch-metadata@v2 with: github-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/split-repositories.yaml b/.github/workflows/split-repositories.yaml index 295699d1c..c1864a4d7 100644 --- a/.github/workflows/split-repositories.yaml +++ b/.github/workflows/split-repositories.yaml @@ -20,22 +20,22 @@ jobs: runs-on: "ubuntu-latest" name: "Publish Sub-split" steps: - - uses: "actions/checkout@v4" + - uses: "actions/checkout@v6" with: fetch-depth: "0" persist-credentials: "false" - - uses: "frankdejonge/use-github-token@1.0.2" + - uses: "frankdejonge/use-github-token@1.1.0" with: authentication: "typo3-documentation-team:${{ secrets.BOT_TOKEN }}" user_name: "TYPO3 Documentation Team" user_email: "documentation-automation@typo3.com" - name: "Cache splitsh-lite" id: "splitsh-cache" - uses: "actions/cache@v4" + uses: "actions/cache@v5" with: path: "./.splitsh" key: "${{ runner.os }}-splitsh-d-101" - - uses: "frankdejonge/use-subsplit-publish@1.0.0" + - uses: "frankdejonge/use-subsplit-publish@1.1.0" with: source-branch: "main" config-path: "./config.subsplit-publish.json" From e1a35ea5b084ac4c90fffcc0d4713ff2ac271e4f Mon Sep 17 00:00:00 2001 
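Review bot: In `.github/workflows/pr-auto-merge.yaml` the step that was pinned to a full commit (`dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7`) now follows the movable `@v2` tag, so this commit taken alone loosens the pin on a step that is given `secrets.GITHUB_TOKEN`. Patch 4/4 of the series pins it again, so the end state is fine, but an intermediate checkout or a partial backport would run whatever the tag points at. Consider going straight from the old SHA to the new one in this commit, e.g. `uses: dependabot/fetch-metadata@<sha-of-v2-release> # v2.x.y`, so that no revision in history is unpinned. The job body continues outside the hunk, so the workflow trigger and permissions are not visible here.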
From: Sebastian Mendel Date: Sun, 22 Feb 2026 13:17:38 +0100 Subject: [PATCH 3/4] [TASK] Update actions/checkout in docker-test.yaml Update actions/checkout from v4 to v6 in docker-test.yaml, which was missed in the initial actions update commit. --- .github/workflows/docker-test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-test.yaml b/.github/workflows/docker-test.yaml index 5ca1346fd..2caa15f9c 100644 --- a/.github/workflows/docker-test.yaml +++ b/.github/workflows/docker-test.yaml @@ -19,7 +19,7 @@ jobs: runs-on: "ubuntu-latest" steps: - name: "Checkout" - uses: "actions/checkout@v4" + uses: "actions/checkout@v6" - name: "Prepare action (adjust configure-guides-step)" ################################################################## From 799f543e7e93ac21b954b0e3317db9f86919fecd Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Sun, 22 Feb 2026 13:29:27 +0100 Subject: [PATCH 4/4] [TASK] Pin all GitHub Actions to commit SHAs Pin all GitHub Actions to their exact commit SHAs for supply chain security. Version comments are included for maintainability. --- .github/workflows/deploy-azure-assets.yaml | 2 +- .github/workflows/docker-test.yaml | 2 +- .github/workflows/docker.yaml | 22 +++++++++++----------- .github/workflows/main.yaml | 18 +++++++++--------- .github/workflows/pr-auto-approve.yaml | 2 +- .github/workflows/pr-auto-merge.yaml | 2 +- .github/workflows/split-repositories.yaml | 8 ++++---- 7 files changed, 28 insertions(+), 28 deletions(-) diff --git a/.github/workflows/deploy-azure-assets.yaml b/.github/workflows/deploy-azure-assets.yaml index 397c63e8d..f1174db96 100644 --- a/.github/workflows/deploy-azure-assets.yaml +++ b/.github/workflows/deploy-azure-assets.yaml @@ -18,7 +18,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Get the version id: get-version 
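Review bot: The trailing `# v6.0.2` comment on `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd` is the only link between the pin and a release, and nothing in the patch shows how the SHA-to-tag mapping was checked. The same applies to every `uses:` line rewritten in docker-test.yaml, docker.yaml, main.yaml, pr-auto-approve.yaml, pr-auto-merge.yaml and split-repositories.yaml. A full SHA is resolved across the action repository's fork network, so each value should be confirmed to be the commit the upstream tag points at, and the commit message would be a good place to state how that was done. SHA pins also go stale silently, so please confirm that `.github/dependabot.yml` (not part of this series) has a `package-ecosystem: "github-actions"` entry, which rewrites both the SHA and the version comment on updates.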
diff --git a/.github/workflows/docker-test.yaml b/.github/workflows/docker-test.yaml index 2caa15f9c..b0a2ac6b2 100644 --- a/.github/workflows/docker-test.yaml +++ b/.github/workflows/docker-test.yaml @@ -19,7 +19,7 @@ jobs: runs-on: "ubuntu-latest" steps: - name: "Checkout" - uses: "actions/checkout@v6" + uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2 - name: "Prepare action (adjust configure-guides-step)" ################################################################## diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 3922dd77c..eec067dc4 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -20,7 +20,7 @@ jobs: - linux/amd64 - linux/arm64 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Prepare image name run: | @@ -31,7 +31,7 @@ jobs: - name: Docker meta id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | 
@@ -42,24 +42,24 @@ jobs: type=semver,pattern={{major}} - name: Log in to the Container registry - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Build and push id: build env: TYPO3AZUREEDGEURIVERSION: ${{ env.DOCKER_METADATA_OUTPUT_VERSION }} - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: . push: ${{ github.event_name != 'pull_request' }} @@ -77,7 +77,7 @@ jobs: touch "/tmp/digests/${digest#sha256:}" - name: Upload digest - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: digests-${{ env.PLATFORM_NAME }} overwrite: true @@ -97,18 +97,18 @@ jobs: - name: Download digests - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: pattern: digests-* merge-multiple: true path: /tmp/digests - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Docker meta id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | 
@@ -118,7 +118,7 @@ jobs: type=raw,value=latest,enable=true - name: Log in to the Container registry - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 36d626825..071d93d8c 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -25,17 +25,17 @@ jobs: - '8.5' steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2.36.0 with: coverage: "none" php-version: "${{ matrix.php }}" extensions: 'inotify, pcntl' - name: "Install dependencies with Composer" - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # 3.1.1 with: dependency-versions: "locked" @@ -50,17 +50,17 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2.36.0 with: coverage: "none" php-version: "${{ env.DEFAULT_PHP_VERSION }}" extensions: 'inotify, pcntl' - name: "Install dependencies with Composer" - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # 3.1.1 with: dependency-versions: "locked" 
@@ -87,17 +87,17 @@ jobs: runs-on: "ubuntu-latest" steps: - name: "Checkout" - uses: "actions/checkout@v6" + uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2 - name: "Install PHP" - uses: "shivammathur/setup-php@v2" + uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2.36.0 with: coverage: "none" php-version: "${{ env.DEFAULT_PHP_VERSION }}" extensions: 'inotify, pcntl' - name: "Install dependencies with Composer" - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # 3.1.1 with: dependency-versions: "locked" diff --git a/.github/workflows/pr-auto-approve.yaml b/.github/workflows/pr-auto-approve.yaml index e86a2db60..b575acbe4 100644 --- a/.github/workflows/pr-auto-approve.yaml +++ b/.github/workflows/pr-auto-approve.yaml @@ -18,7 +18,7 @@ jobs: steps: - name: Dependabot metadata id: metadata - uses: dependabot/fetch-metadata@v2 + uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0 with: github-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/pr-auto-merge.yaml b/.github/workflows/pr-auto-merge.yaml index d2906892a..24ba26948 100644 --- a/.github/workflows/pr-auto-merge.yaml +++ b/.github/workflows/pr-auto-merge.yaml @@ -17,7 +17,7 @@ jobs: steps: - name: Dependabot metadata id: metadata - uses: dependabot/fetch-metadata@v2 + uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0 with: github-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/split-repositories.yaml b/.github/workflows/split-repositories.yaml index c1864a4d7..57ca11dc3 100644 --- a/.github/workflows/split-repositories.yaml +++ b/.github/workflows/split-repositories.yaml 
@@ -20,22 +20,22 @@ jobs: runs-on: "ubuntu-latest" name: "Publish Sub-split" steps: - - uses: "actions/checkout@v6" + - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2 with: fetch-depth: "0" persist-credentials: "false" - - uses: "frankdejonge/use-github-token@1.1.0" + - uses: "frankdejonge/use-github-token@15e6289d07c12b3b1603268a628bb74f2e9765f4" # 1.1.0 with: authentication: "typo3-documentation-team:${{ secrets.BOT_TOKEN }}" user_name: "TYPO3 Documentation Team" user_email: "documentation-automation@typo3.com" - name: "Cache splitsh-lite" id: "splitsh-cache" - uses: "actions/cache@v5" + uses: "actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306" # v5.0.3 with: path: "./.splitsh" key: "${{ runner.os }}-splitsh-d-101" - - uses: "frankdejonge/use-subsplit-publish@1.1.0" + - uses: "frankdejonge/use-subsplit-publish@0001015147267203898034927e8cccad3a7a9aa7" # 1.1.0 with: source-branch: "main" config-path: "./config.subsplit-publish.json"
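Review bot: The step `frankdejonge/use-github-token@15e6289d07c12b3b1603268a628bb74f2e9765f4 # 1.1.0` is handed `secrets.BOT_TOKEN`, yet nothing at the step says that its pin guards a credential, so a later bump may be reviewed as routine. I would add a comment above it such as `# Receives BOT_TOKEN: verify the new SHA against the upstream tag before bumping`. The value pinned for `frankdejonge/use-subsplit-publish` (`0001015147267203898034927e8cccad3a7a9aa7`) has an unusual shape for a commit id; this may be coincidence, but it is worth confirming against the `1.1.0` tag before merge. The job starts above line 20, so its `permissions:` block and trigger are not visible in this hunk.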