Merge a97aa80 into 00bc0f0

SolidInvoice · May 29, 2023 · 68c536b · 68c536b
2 parents 00bc0f0 + a97aa80
commit 68c536b
Show file tree

Hide file tree

Showing 7 changed files with 126 additions and 186 deletions.
diff --git a/.github/workflows/automatic-release.yml b/.github/workflows/automatic-release.yml
@@ -12,32 +12,45 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+        uses: step-security/harden-runner@v2.4.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            archive.ubuntu.com:80
+            auth.docker.io:443
+            github.com:443
+            objects.githubusercontent.com:443
+            packagist.org:443
+            ppa.launchpadcontent.net:443
+            production.cloudflare.docker.com:443
+            registry-1.docker.io:443
+            registry.yarnpkg.com:443
+            security.ubuntu.com:80
+            uploads.github.com:443
 
       - name: Checkout
-        uses: "actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f"
+        uses: "actions/checkout@v3"
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@d30ad8b1843ace22e6698ab99bbafaa747b6bd0d
+        uses: shivammathur/setup-php@v2
         with:
           php-version: 8.1
           extensions: intl, gd, opcache, mysql, pdo_mysql, soap, zip, :xdebug
           coverage: none
 
-      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
+      - uses: actions/setup-node@v3
         with:
           node-version: 14
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18
+        uses: docker/setup-qemu-action@v22
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c
+        uses: docker/setup-buildx-action@v2
 
       - name: Release
-        uses: laminas/automatic-releases@1b61a5fcf90ba3223c85130b7bc2a7f95311e79c
+        uses: laminas/automatic-releases@v1
         with:
           command-name: laminas:automatic-releases:release
         env:
@@ -50,7 +63,7 @@ jobs:
         run: "./scripts/build_dist.sh $(git rev-parse --abbrev-ref HEAD) ${{ github.event.milestone.title }}"
 
       - name: Upload Release Artifact
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
+        uses: softprops/action-gh-release@v1
         with:
           tag_name: ${{ github.event.milestone.title }}
           files: |
@@ -87,7 +100,7 @@ jobs:
             solidinvoice/solidinvoice:${{ github.event.milestone.title }}-full
 
       - name: Create Merge-Up Pull Request
-        uses: laminas/automatic-releases@1b61a5fcf90ba3223c85130b7bc2a7f95311e79c
+        uses: laminas/automatic-releases@v1
         with:
           command-name: laminas:automatic-releases:create-merge-up-pull-request
         env:
@@ -97,7 +110,7 @@ jobs:
           "GIT_AUTHOR_EMAIL": ${{ secrets.GIT_AUTHOR_EMAIL }}
 
       - name: Create new milestones
-        uses: laminas/automatic-releases@1b61a5fcf90ba3223c85130b7bc2a7f95311e79c
+        uses: laminas/automatic-releases@v1
         with:
           command-name: laminas:automatic-releases:create-milestones
         env:

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -1,10 +1,7 @@
 name: "CodeQL"
 
 on:
-  push:
-    branches: [ 2.2.x ]
   pull_request:
-    branches: [ 2.2.x ]
   schedule:
     - cron: '26 23 * * 2'
 
@@ -27,44 +24,65 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+      uses: step-security/harden-runner@v2.4.0
       with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+        disable-sudo: true
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443
+          github.com:443
 
     - name: Checkout repository
-      uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
+      uses: actions/checkout@v3
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@67a35a08586135a9573f4327e904ecbf517a882d
+      uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@67a35a08586135a9573f4327e904ecbf517a882d
+      uses: github/codeql-action/autobuild@v2
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@67a35a08586135a9573f4327e904ecbf517a882d
+      uses: github/codeql-action/analyze@v2
 
   qodana:
     permissions:
       actions: read  # for github/codeql-action/init to get workflow details
       contents: read  # for actions/checkout to fetch code
       security-events: write  # for github/codeql-action/autobuild to send a status report
-    
+
     name: Qodana
     runs-on: ubuntu-latest
-    
+
     steps:
-
       - name: Harden Runner
-        uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+        uses: step-security/harden-runner@v2.4.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.qodana.cloud:443
+            github.com:443
+            objects.githubusercontent.com:443
+            prod.fus.aws.intellij.net:443
+            production.cloudflare.docker.com:443
+            qc-results-prod.s3.eu-west-1.amazonaws.com:443
+            raw.githubusercontent.com:443
+            registry-1.docker.io:443
+            auth.docker.io:443
+            registry.npmjs.org:443
+            resources.jetbrains.com:443
+            schemastore.org:443
 
       - name: Checkout repository
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
+        uses: actions/checkout@v3
 
       - name: 'Qodana Scan'
-        uses: JetBrains/qodana-action@main
+        uses: JetBrains/qodana-action@v2023.1.0
         env:
           QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
+
+      - uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json
diff --git a/.github/workflows/cs.yml b/.github/workflows/cs.yml
@@ -13,14 +13,19 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+        uses: step-security/harden-runner@v2.4.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            packagist.org:443
 
-      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
+      - uses: actions/checkout@v3
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@d30ad8b1843ace22e6698ab99bbafaa747b6bd0d
+        uses: shivammathur/setup-php@v2
         with:
           php-version: 7.4
           extensions: intl, gd, opcache, mysql, pdo_mysql
@@ -30,7 +35,7 @@ jobs:
         run: echo "::set-output name=dir::$(composer config cache-files-dir)"
 
       - name: Cache dependencies
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
+        uses: actions/cache@v3
         with:
           path: ${{ steps.composercache.outputs.dir }}
           key: ${{ runner.os }}-php-74-composer-${{ hashFiles('composer.json composer.lock') }}
@@ -50,14 +55,21 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+        uses: step-security/harden-runner@v2.4.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            packagist.org:443
+            raw.githubusercontent.com:443
+            repo.packagist.org:443
 
-      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
+      - uses: actions/checkout@v3
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@d30ad8b1843ace22e6698ab99bbafaa747b6bd0d
+        uses: shivammathur/setup-php@v2
         with:
           php-version: 8.1
 
@@ -80,26 +92,31 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+        uses: step-security/harden-runner@v2.4.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            registry.yarnpkg.com:443
 
       - name: Checkout Code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
+      - uses: actions/setup-node@v3
         with:
           node-version: 14
 
       - run: yarn install
 
       - name: Super-Linter
-        uses: github/super-linter/slim@454ba4482ce2cd0c505bc592e83c06e1e37ade61
+        uses: github/super-linter/slim@v5
         env:
           VALIDATE_ALL_CODEBASE: false
-          DEFAULT_BRANCH: 2.1.x
+          DEFAULT_BRANCH: 2.3.x
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CSS_FILE_NAME: .stylelintrc.json
           VALIDATE_YAML: true

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
diff --git a/.github/workflows/security-checker.yml b/.github/workflows/security-checker.yml
@@ -10,10 +10,13 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+        uses: step-security/harden-runner@v2.4.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
 
-      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
-      - uses: symfonycorp/security-checker-action@258311ef7ac571f1310780ef3d79fc5abef642b5
+      - uses: actions/checkout@v3
+      - uses: symfonycorp/security-checker-action@v4