[TASK] Update GitHub Actions to latest versions #3
Pull request overview
Updates GitHub Actions workflow dependencies to newer major versions across the repository’s CI, Docker build, Dependabot automation, and sub-split publishing pipelines.
Changes:
- Bump multiple GitHub Actions versions across 5 workflows (checkout, composer install, cache, artifacts, buildx, dependabot metadata, subsplit-related actions).
- Update Dependabot metadata action usage in auto-merge/auto-approve workflows.
- Expand the CI test matrix to include PHP 8.5.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/split-repositories.yaml | Updates checkout/cache and subsplit helper actions used for publishing sub-splits. |
| .github/workflows/pr-auto-merge.yaml | Updates Dependabot metadata action used to drive auto-merge decisions. |
| .github/workflows/pr-auto-approve.yaml | Updates Dependabot metadata action used to drive auto-approve behavior. |
| .github/workflows/main.yaml | Updates checkout/composer actions and adds PHP 8.5 to the test matrix. |
| .github/workflows/docker.yaml | Updates checkout/buildx and artifact upload/download actions used in Docker publish pipeline. |
| .github/workflows/deploy-azure-assets.yaml | Updates checkout action for Azure assets deployment workflow. |
| - '8.2' | ||
| - '8.3' | ||
| - '8.4' | ||
| - '8.5' |
This PR is described as only updating GitHub Actions versions, but this change also expands the test matrix to include PHP 8.5. If this is intentional, the PR description/test plan should mention it; otherwise, consider reverting to keep the PR scope to action updates. Also ensure the toolchain (shivammathur/setup-php + dependencies) supports PHP 8.5 in CI.
| @@ -17,7 +17,7 @@ jobs: | |||
| steps: | |||
| - name: Dependabot metadata | |||
| id: metadata | |||
In a pull_request_target workflow (runs with elevated permissions), switching from a commit-SHA pin to a mutable tag increases supply-chain risk and can introduce unexpected behavior changes. Consider pinning dependabot/fetch-metadata to a specific commit SHA (and letting Dependabot/Renovate update it), or otherwise document why tracking the v2 tag is acceptable here.
| id: metadata | |
| id: metadata | |
| # NOTE: We intentionally track the stable v2 tag instead of pinning a commit SHA. | |
| # This workflow only runs for dependabot[bot] pull_request_target events and uses the | |
| # official GitHub-maintained dependabot/fetch-metadata action, so we accept the risk | |
| # of updates to the v2 major tag in exchange for receiving security and bug fixes. |
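Review bot: the NOTE comment after `id: metadata` justifies tracking the v2 tag by stating that the workflow only runs for dependabot[bot] pull_request_target events, but nothing in this hunk enforces that. The comment should name the `if:` condition it relies on, or the step should be pinned to a full commit SHA with a `# v2` version comment so Dependabot can still propose updates. Being the official action does not make the tag immutable, so the accepted risk is trust in whoever can move the tag, and the comment should say so.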
## Summary

Upgrade league/flysystem from abandoned v1 (EOL since 2022) to v3. The upstream `phpdocumentor/guides` already supports flysystem v3 via its `FileSystem` interface shim.

### Dependency changes

- `league/flysystem`: `^1.1.10` → `^3.29` (resolved: 3.32.0)
- `league/flysystem-local`: new transitive dependency (3.31.0)
- `phpdocumentor/flyfinder`: 1.1.0 → 2.0.0 (flysystem v3 compatible)

### Code changes

| File | Change |
|------|--------|
| `CopyResources.php` | `Adapter\Local` → `LocalFilesystemAdapter`, `FilesystemException` try/catch/finally for both `readStream()` and `putStream()` with proper stream cleanup |
| `TwigExtension.php` | `League\Flysystem\Exception` → `League\Flysystem\FilesystemException` |
| `IncludeDirective.php` | Removed 3 `@throws FileNotFoundException` docblocks (class removed in v3) |
| `SiteSetSettingsDirective.php` | Removed 1 `@throws FileNotFoundException` docblock |
| Integration test logs | Updated expected error messages: "Path is outside of the defined root" → "Path traversal detected" |

### Error handling

In v3, `readStream()` throws `UnableToReadFile` and `writeStream()` throws `UnableToWriteFile` instead of returning false. A `try/catch(FilesystemException)` block wraps both read and write operations with a `finally` clause to ensure `fclose()` on the stream. Individual file failures are logged and skipped — a single unreadable/unwritable file will not abort the entire resource copy loop.

### Compatibility

The phpdocumentor `FileSystem` interface shim (`phpdocumentor/filesystem`) provides backward compatibility. The `FilesystemInterface` union type in `IncludeDirective` is preserved since the shim provides a polyfill for the v1 interface.

## Test plan

- [x] PHPStan passes (0 errors)
- [x] Unit tests pass (83/83)
- [x] Integration tests pass (113/113)
- [x] CI green

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
- actions/checkout: v4 -> v6
- ramsey/composer-install: v2 -> v3
- docker/setup-buildx-action: v2 -> v3 (merge job)
- actions/upload-artifact: v4 -> v6
- actions/download-artifact: v4 -> v7
- actions/cache: v4 -> v5
- dependabot/fetch-metadata: v1/pinned SHA -> v2
- frankdejonge/use-github-token: 1.0.2 -> 1.1.0
- frankdejonge/use-subsplit-publish: 1.0.0 -> 1.1.0
Update actions/checkout from v4 to v6 in docker-test.yaml, which was missed in the initial actions update commit.
Pin all GitHub Actions to their exact commit SHAs for supply chain security. Version comments are included for maintainability.
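An added example, not part of this pull request or the repository's code: a minimal audit of the pinning policy discussed above, flagging `uses:` references that are not full commit SHAs and marking them as elevated when the workflow declares a `pull_request_target` trigger. The workflow text and the 40-character SHA are constructed placeholders, and the line-based matching is a heuristic that assumes conventional formatting.

```python
import re

# "uses: owner/repo[/path]@ref", optionally followed by a "# version" comment.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?([^@\s'"]+)@([^\s'"#]+)['"]?\s*(?:#\s*(.*))?$""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Trigger declared as a mapping key, list item or inline "on: [...]" entry.
# Comment lines never match, so a NOTE that merely mentions the trigger is ignored.
PRT_RE = re.compile(r"^\s*(?:-\s*|on:\s*\[?[\w\s,]*)?pull_request_target\b")


def audit_workflow(text):
    """Classify every remote action reference in one workflow file."""
    lines = text.splitlines()
    elevated = any(PRT_RE.match(line) for line in lines)
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        # Local actions (./path) have no @ref; docker:// images are out of scope.
        if not m or m.group(1).startswith("docker://"):
            continue
        action, ref, comment = m.groups()
        if FULL_SHA_RE.match(ref):
            status = "pinned" if comment else "pinned-no-version-comment"
        else:
            status = "mutable-ref"  # tag, branch or abbreviated SHA
        findings.append({"line": lineno, "action": action, "ref": ref,
                         "status": status,
                         "elevated": elevated and status == "mutable-ref"})
    return findings


# Constructed sample; the SHA below is a placeholder, not a real commit.
SAMPLE = """\
on:
  pull_request_target:
jobs:
  metadata:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6
      - name: Dependabot metadata
        id: metadata
        # NOTE: tracks the v2 tag for pull_request_target events
        uses: dependabot/fetch-metadata@v2
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```
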
c8903b8 to 123d809
Summary
Updates 9 GitHub Actions across 5 workflow files to their latest versions.
Test plan