chore: enforce security hardening for GitHub Actions workflows by paulbalandan · Pull Request #10038 · codeigniter4/CodeIgniter4

paulbalandan · 2026-03-14T15:35:48Z

Description
Ref: https://docs.github.com/en/actions/reference/security/secure-use

Checklist:

Securely signed commits
Component(s) with PHPDoc blocks, only if necessary or adds value (without duplication)
Unit testing, with >80% coverage
User guide updated
Conforms to style guide

michalsn

Question - can Dependabot update GitHub Actions that are pinned to a full commit SHA?

I noticed that test-phpcpd.yml does not use a pinned version. Is there a specific reason for this, or is it just a missing update?

.github/workflows/deploy-apidocs.yml

paulbalandan · 2026-03-14T17:41:19Z

Question - can Dependabot update GitHub Actions that are pinned to a full commit SHA?

Yes. It actually can update the pinned SHA. It has done this to my other repo.

I noticed that test-phpcpd.yml does not use a pinned version. Is there a specific reason for this, or is it just a missing update?

It uses the reusable workflow from codeigniter/.github repo instead of an action. I can update that.

michalsn · 2026-03-14T19:25:17Z

It uses the reusable workflow from codeigniter/.github repo instead of an action. I can update that.

I'm getting blind - I haven't noticed that it links to the repo...

chore: set explicit workflow permissions defaults

13cba77

paulbalandan added the github_actions Pull requests that update Github_actions code label Mar 14, 2026

michalsn reviewed Mar 14, 2026

View reviewed changes

.github/workflows/deploy-apidocs.yml Show resolved Hide resolved

paulbalandan added 2 commits March 15, 2026 01:51

chore: disable persisted checkout credentials

9d1e4dd

chore: centralize secure authenticated git push

707ee53

paulbalandan force-pushed the security-hardening branch from cd0db76 to f5bf01c Compare March 14, 2026 17:51

paulbalandan added 2 commits March 15, 2026 01:56

chore: pin workflow actions to immutable SHAs

6b33001

chore: group dependabot updates

fd357a8

paulbalandan force-pushed the security-hardening branch from f5bf01c to fd357a8 Compare March 14, 2026 17:56

michalsn approved these changes Mar 14, 2026

View reviewed changes

paulbalandan merged commit c1cfd45 into codeigniter4:develop Mar 15, 2026
56 checks passed

paulbalandan deleted the security-hardening branch March 15, 2026 17:33

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: enforce security hardening for GitHub Actions workflows#10038

chore: enforce security hardening for GitHub Actions workflows#10038
paulbalandan merged 5 commits intocodeigniter4:developfrom
paulbalandan:security-hardening

paulbalandan commented Mar 14, 2026

Uh oh!

michalsn left a comment

Uh oh!

Uh oh!

paulbalandan commented Mar 14, 2026

Uh oh!

michalsn commented Mar 14, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

paulbalandan commented Mar 14, 2026

Uh oh!

michalsn left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

paulbalandan commented Mar 14, 2026

Uh oh!

michalsn commented Mar 14, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants