2 changes: 1 addition & 1 deletion .github/workflows/deploy-azure-assets.yaml
Expand Up @@ -18,7 +18,7 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Get the version
id: get-version
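Review bot: The new `actions/checkout` pin on the `uses:` line is commented `# v6.0.2`, so this is a jump of two major versions from `v4`, not only a switch to a SHA pin. The same replacement is repeated in every workflow in this PR, so it is worth confirming once against the v5 and v6 release notes that nothing these jobs rely on changed (for example the `fetch-depth` and `persist-credentials` inputs used in split-repositories.yaml), and stating in the PR description that the pins also carry major upgrades.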
2 changes: 1 addition & 1 deletion .github/workflows/docker-test.yaml
Expand Up @@ -19,7 +19,7 @@ jobs:
runs-on: "ubuntu-latest"
steps:
- name: "Checkout"
uses: "actions/checkout@v4"
uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2

- name: "Prepare action (adjust configure-guides-step)"
##################################################################
22 changes: 11 additions & 11 deletions .github/workflows/docker.yaml
Expand Up @@ -20,7 +20,7 @@ jobs:
- linux/amd64
- linux/arm64
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Prepare image name
run: |
Expand All @@ -31,7 +31,7 @@ jobs:

- name: Docker meta
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
Expand All @@ -42,24 +42,24 @@ jobs:
type=semver,pattern={{major}}

- name: Log in to the Container registry
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0

- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Build and push
id: build
env:
TYPO3AZUREEDGEURIVERSION: ${{ env.DOCKER_METADATA_OUTPUT_VERSION }}
uses: docker/build-push-action@v6
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
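Review bot: In this hunk the trailing comments (`# v3.7.0`, `# v3.12.0`, `# v6.19.2`) are the only readable statement of what each 40-character SHA is, and nothing in the diff checks them. Since `docker/login-action` receives `secrets.GITHUB_TOKEN` and `docker/build-push-action` pushes the image, please confirm each SHA is the commit the named tag points to in the upstream repository before merging, and consider an update tool that rewrites SHA and comment together so the two cannot drift apart.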
Expand All @@ -77,7 +77,7 @@ jobs:
touch "/tmp/digests/${digest#sha256:}"
-
name: Upload digest
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: digests-${{ env.PLATFORM_NAME }}
overwrite: true
Expand All @@ -97,18 +97,18 @@ jobs:

-
name: Download digests
uses: actions/download-artifact@v4
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
with:
pattern: digests-*
merge-multiple: true
path: /tmp/digests
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
name: Docker meta
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
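Review bot: `actions/download-artifact` is pinned at `# v7.0.0` here while the matching `actions/upload-artifact` step in the previous hunk is pinned at `# v6.0.0`; both come from `v4`. The merge job depends on `pattern: digests-*` with `merge-multiple: true` finding the per-platform `digests-${{ env.PLATFORM_NAME }}` artifacts, so please confirm that this pair of majors is meant to be used together and that a multi-platform build still merges its digests. Separately, `docker/setup-buildx-action` in this job moves from `v2` to `# v3.12.0`, which brings it in line with the build job and deserves a mention in the PR description.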
Expand All @@ -118,7 +118,7 @@ jobs:
type=raw,value=latest,enable=true

- name: Log in to the Container registry
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
19 changes: 10 additions & 9 deletions .github/workflows/main.yaml
Expand Up @@ -22,19 +22,20 @@ jobs:
- '8.2'
- '8.3'
- '8.4'
- '8.5'
Copilot AI Feb 22, 2026

This PR is described as only updating GitHub Actions versions, but this change also expands the test matrix to include PHP 8.5. If this is intentional, the PR description/test plan should mention it; otherwise, consider reverting to keep the PR scope to action updates. Also ensure the toolchain (shivammathur/setup-php + dependencies) supports PHP 8.5 in CI.

steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: "Install PHP"
uses: "shivammathur/setup-php@v2"
uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2.36.0
with:
coverage: "none"
php-version: "${{ matrix.php }}"
extensions: 'inotify, pcntl'

- name: "Install dependencies with Composer"
uses: "ramsey/composer-install@v2"
uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # 3.1.1
with:
dependency-versions: "locked"

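Review bot: `ramsey/composer-install` goes from `v2` to a commit commented `# 3.1.1`, a major upgrade, while the step still passes `dependency-versions: "locked"`; please check that this input is unchanged in the 3.x line. The comment also lacks the `v` prefix that the other pins use (`# v2.36.0`, `# v6.0.2`); if upstream tags the release as `3.1.1` that is correct, otherwise align it so version comments stay machine-readable for update tooling. The same applies to the two later occurrences in this file.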
Expand All @@ -49,17 +50,17 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: "Install PHP"
uses: "shivammathur/setup-php@v2"
uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2.36.0
with:
coverage: "none"
php-version: "${{ env.DEFAULT_PHP_VERSION }}"
extensions: 'inotify, pcntl'

- name: "Install dependencies with Composer"
uses: "ramsey/composer-install@v2"
uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # 3.1.1
with:
dependency-versions: "locked"

Expand All @@ -86,17 +87,17 @@ jobs:
runs-on: "ubuntu-latest"
steps:
- name: "Checkout"
uses: "actions/checkout@v4"
uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2

- name: "Install PHP"
uses: "shivammathur/setup-php@v2"
uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2.36.0
with:
coverage: "none"
php-version: "${{ env.DEFAULT_PHP_VERSION }}"
extensions: 'inotify, pcntl'

- name: "Install dependencies with Composer"
uses: "ramsey/composer-install@v2"
uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # 3.1.1
with:
dependency-versions: "locked"

2 changes: 1 addition & 1 deletion .github/workflows/pr-auto-approve.yaml
Expand Up @@ -18,7 +18,7 @@ jobs:
steps:
- name: Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@v1
uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"

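Review bot: `dependabot/fetch-metadata` moves from `v1` to a commit commented `# v2.5.0`, a major upgrade in the workflow that decides auto-approval. The steps that read the `metadata` step's outputs are outside this hunk, so please confirm the output names they use are the same in v2 and that the job was exercised against a Dependabot PR after the bump.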
2 changes: 1 addition & 1 deletion .github/workflows/pr-auto-merge.yaml
Expand Up @@ -17,7 +17,7 @@ jobs:
steps:
- name: Dependabot metadata
id: metadata
Copilot AI Feb 22, 2026

In a pull_request_target workflow (runs with elevated permissions), switching from a commit-SHA pin to a mutable tag increases supply-chain risk and can introduce unexpected behavior changes. Consider pinning dependabot/fetch-metadata to a specific commit SHA (and letting Dependabot/Renovate update it), or otherwise document why tracking the v2 tag is acceptable here.

Suggested change
id: metadata
id: metadata
# NOTE: We intentionally track the stable v2 tag instead of pinning a commit SHA.
# This workflow only runs for dependabot[bot] pull_request_target events and uses the
# official GitHub-maintained dependabot/fetch-metadata action, so we accept the risk
# of updates to the v2 major tag in exchange for receiving security and bug fixes.

uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7
uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"

8 changes: 4 additions & 4 deletions .github/workflows/split-repositories.yaml
Expand Up @@ -20,22 +20,22 @@ jobs:
runs-on: "ubuntu-latest"
name: "Publish Sub-split"
steps:
- uses: "actions/checkout@v4"
- uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
with:
fetch-depth: "0"
persist-credentials: "false"
- uses: "frankdejonge/use-github-token@1.0.2"
- uses: "frankdejonge/use-github-token@15e6289d07c12b3b1603268a628bb74f2e9765f4" # 1.1.0
with:
authentication: "typo3-documentation-team:${{ secrets.BOT_TOKEN }}"
user_name: "TYPO3 Documentation Team"
user_email: "documentation-automation@typo3.com"
- name: "Cache splitsh-lite"
id: "splitsh-cache"
uses: "actions/cache@v4"
uses: "actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306" # v5.0.3
with:
path: "./.splitsh"
key: "${{ runner.os }}-splitsh-d-101"
- uses: "frankdejonge/use-subsplit-publish@1.0.0"
- uses: "frankdejonge/use-subsplit-publish@0001015147267203898034927e8cccad3a7a9aa7" # 1.1.0
with:
source-branch: "main"
config-path: "./config.subsplit-publish.json"
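Review bot: `frankdejonge/use-github-token` is given `secrets.BOT_TOKEN` through `authentication:`, and this line changes the version as well as the pin style (`1.0.2` to `# 1.1.0`); `frankdejonge/use-subsplit-publish` likewise goes from `1.0.0` to `# 1.1.0`. Moving these third-party actions to full SHAs is the right direction, but the upstream changes between those releases should be read before a commit that handles the bot token is trusted, and the PR description should list the version bumps.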