5 changes: 0 additions & 5 deletions .env

This file was deleted.

10 changes: 0 additions & 10 deletions .github/dependabot.yml
Expand Up @@ -5,13 +5,3 @@ updates:
directory: /
schedule:
interval: weekly

- package-ecosystem: docker
directory: /
schedule:
interval: weekly

- package-ecosystem: composer
directory: /
schedule:
interval: weekly
30 changes: 0 additions & 30 deletions .github/workflows/composer-audit.yml

This file was deleted.

23 changes: 0 additions & 23 deletions .github/workflows/composer-normalize.yml

This file was deleted.

54 changes: 44 additions & 10 deletions .github/workflows/test.yml
Expand Up @@ -19,35 +19,71 @@ permissions: {}

jobs:
positive:
runs-on: ubuntu-latest
runs-on: ${{ matrix.runs-on }}
strategy:
matrix:
mode:
runs-on:
- ubuntu-latest
composer-json:
- composer.json
- not-named-composer.json
- sub/dir/composer.json
- ../not/under/workdpace/composer.json
mode:
- minor-only
- full
source:
- auto
- php.net
- offline
case:
# Use PHP v7 to ensure deterministic outcomes.
case:
- caret-7-3
- exactly-7-3-5
- complex

verify-attestation:
- false
include:
- runs-on: ubuntu-24.04-arm
composer-json: sub/dir/composer.json
mode: full
source: offline
case: complex
verify-attestation: true
- runs-on: ubuntu-latest
composer-json: sub/dir/composer.json
mode: full
source: offline
case: complex
verify-attestation: true
- runs-on: macos-latest
composer-json: sub/dir/composer.json
mode: full
source: offline
case: complex
verify-attestation: true
- runs-on: macos-15-intel
composer-json: sub/dir/composer.json
mode: full
source: offline
case: complex
verify-attestation: true
steps:
- uses: actions/checkout@v5
with:
path: local-action

- name: Create fake composer.json
run: cp local-action/testdata/${{ matrix.case }}.composer.json composer.json
run: |
mkdir -p $(dirname ${{ matrix.composer-json }})
cp local-action/testdata/${{ matrix.case }}.composer.json ${{ matrix.composer-json }}

- uses: ./local-action
id: subject
with:
composer-json: ${{ matrix.composer-json }}
mode: ${{ matrix.mode }}
source: ${{ matrix.source }}
verify-attestation: ${{ matrix.verify-attestation }}

- run: echo '${{ steps.subject.outputs.matrix }}' > actual.json

Expand All @@ -57,21 +93,20 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
mode:
mode:
- minor-only
- full
source:
- auto
- php.net
- offline
case:
case:
- empty-json
- invalid-constraint
- invalid-json
- match-none
- missing-php
- missing-require

steps:
- uses: actions/checkout@v5
with:
Expand Down Expand Up @@ -102,7 +137,6 @@ jobs:
- auto
- php.net
- offline

steps:
- uses: actions/checkout@v5
with:
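Review bot: The new `Create fake composer.json` step interpolates `${{ matrix.composer-json }}` straight into the shell script twice, unquoted and inside `$(dirname …)`; the matrix values are static in this workflow, so there is no injection today, but it is exactly the expression-in-`run` pattern GitHub's script-injection guidance warns against, and a path containing a space would already break the `mkdir`. Route the values through `env:` (`COMPOSER_JSON: ${{ matrix.composer-json }}`, `CASE: ${{ matrix.case }}`) and write `mkdir -p "$(dirname "$COMPOSER_JSON")"` and `cp "local-action/testdata/${CASE}.composer.json" "$COMPOSER_JSON"`. The `../not/under/workdpace/composer.json` fixture deliberately lands outside `GITHUB_WORKSPACE`, which is acceptable for a test, but "workdpace" looks like a typo worth fixing while the entry is new. The `positive` job's remaining steps continue past the end of this hunk.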
1 change: 0 additions & 1 deletion .gitignore

This file was deleted.

17 changes: 0 additions & 17 deletions Dockerfile

This file was deleted.

112 changes: 110 additions & 2 deletions action.yml
Expand Up @@ -7,6 +7,10 @@ branding:
color: black

inputs:
composer-json:
description: Path to composer.json
default: composer.json

mode:
description: Version format
default: minor-only
Expand All @@ -15,10 +19,114 @@ inputs:
description: Source of releases information
default: auto

version:
description: |
The version of php-matrix to use. Leave blank for latest. For example: v1.0.2
default: ''

verify-attestation:
description: Whether to verify PHP matrix tarball attestation
default: true

github-token:
description: GitHub token to use for authentication
default: ${{ github.token }}

outputs:
matrix:
description: The PHP version matrix
value: ${{ steps.generate-matrix.outputs.matrix }}

runs:
using: docker
image: Dockerfile
using: "composite"
steps:
- name: Download PHP Matrix (Linux arm64)
if: ${{ runner.os == 'Linux' && runner.arch == 'ARM64' }}
run: gh release download --repo typisttech/php-matrix --output php-matrix.tar.gz --pattern "${PATTERN}" "${TAG}"
shell: bash
working-directory: ${{ github.action_path }}
env:
PATTERN: php-matrix_linux_arm64.tar.gz
TAG: ${{ inputs.version }}
GH_TOKEN: ${{ inputs.github-token }}

- name: Download PHP Matrix (Linux amd64)
if: ${{ runner.os == 'Linux' && runner.arch == 'x64' }}
run: gh release download --repo typisttech/php-matrix --output php-matrix.tar.gz --pattern "${PATTERN}" "${TAG}"
shell: bash
working-directory: ${{ github.action_path }}
env:
PATTERN: php-matrix_linux_amd64.tar.gz
TAG: ${{ inputs.version }}
GH_TOKEN: ${{ github.token }}

- name: Download PHP Matrix (Darwin arm64)
if: ${{ runner.os == 'macOS' && runner.arch == 'ARM64' }}
run: gh release download --repo typisttech/php-matrix --output php-matrix.tar.gz --pattern "${PATTERN}" "${TAG}"
shell: bash
working-directory: ${{ github.action_path }}
env:
PATTERN: php-matrix_darwin_arm64.tar.gz
TAG: ${{ inputs.version }}
GH_TOKEN: ${{ inputs.github-token }}

- name: Download PHP Matrix (Darwin amd64)
if: ${{ runner.os == 'macOS' && runner.arch == 'x64' }}
run: gh release download --repo typisttech/php-matrix --output php-matrix.tar.gz --pattern "${PATTERN}" "${TAG}"
shell: bash
working-directory: ${{ github.action_path }}
env:
PATTERN: php-matrix_darwin_amd64.tar.gz
TAG: ${{ inputs.version }}
GH_TOKEN: ${{ inputs.github-token }}

- name: Verify Attestation
if: ${{ inputs.verify-attestation == 'true' }}
run: gh attestation verify --repo typisttech/php-matrix php-matrix.tar.gz
shell: bash
working-directory: ${{ github.action_path }}
env:
GH_TOKEN: ${{ inputs.github-token }}

- name: Unarchive the binary
run: |
mkdir bin
tar -xvf php-matrix.tar.gz -C ./bin php-matrix
shell: bash
working-directory: ${{ github.action_path }}

- name: Add the binary into PATH
run: echo "${ACTION_PATH}/bin" >> "$GITHUB_PATH"

Check warning

Code scanning / CodeQL

PATH environment variable built from user-controlled sources

Potential PATH environment variable injection in [echo "${ACTION_PATH}/bin" >> "$GITHUB_PATH"](1), which may be controlled by an external user.

Copilot Autofix

AI 8 days ago

To mitigate the risk, ensure the path added to $GITHUB_PATH cannot be manipulated by external or untrusted actors. The best method is to sanitize or validate ${ACTION_PATH} before use. Since ${{ github.action_path }} points to the location of the action's code (which may come from attacker-controlled repositories in some contexts), hardcoding trusted paths is preferred. However, if the binary must reside in the action path, validate that ${ACTION_PATH} matches an expected trusted base path before appending it to $GITHUB_PATH. At minimum, ensure the path does not contain dangerous characters (such as newlines, spaces, shell metacharacters), and that it is an absolute path under a safe parent directory.

Since only the snippet from action.yml is shown and shell commands are used, the most robust approach within the limitation of bash is to check the path prior to echoing. Insert a check ensuring ${ACTION_PATH} is absolute and does not contain suspicious characters. If validation fails, abort the workflow safely.

Specifically, replace the run line at line 99 with a script that:

  • Verifies ${ACTION_PATH}:
    • Is an absolute path ([[ $ACTION_PATH = /* ]])
    • Does not contain dangerous characters using a regex (e.g., no whitespace, no semicolon, no newline).
  • Optionally, restrict it to a specific safe base directory if known.
    If it passes, echo ${ACTION_PATH}/bin into $GITHUB_PATH; else, error and abort.

No additional imports/dependencies are required for bash.


Suggested changeset 1
action.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/action.yml b/action.yml
--- a/action.yml
+++ b/action.yml
@@ -96,7 +96,14 @@
       working-directory: ${{ github.action_path }}
 
     - name: Add the binary into PATH
-      run: echo "${ACTION_PATH}/bin" >> "$GITHUB_PATH"
+      run: |
+        if [[ ! "$ACTION_PATH" =~ ^/ ]]; then
+          echo "::error::ACTION_PATH is not an absolute path"; exit 1
+        fi
+        if [[ "$ACTION_PATH" =~ [[:space:];`$"\\\]] ]]; then
+          echo "::error::ACTION_PATH contains invalid characters"; exit 1
+        fi
+        echo "${ACTION_PATH}/bin" >> "$GITHUB_PATH"
       shell: bash
       env:
         ACTION_PATH: ${{ github.action_path }}
EOF
@@ -96,7 +96,14 @@
working-directory: ${{ github.action_path }}

- name: Add the binary into PATH
run: echo "${ACTION_PATH}/bin" >> "$GITHUB_PATH"
run: |
if [[ ! "$ACTION_PATH" =~ ^/ ]]; then
echo "::error::ACTION_PATH is not an absolute path"; exit 1
fi
if [[ "$ACTION_PATH" =~ [[:space:];`$"\\\]] ]]; then
echo "::error::ACTION_PATH contains invalid characters"; exit 1
fi
echo "${ACTION_PATH}/bin" >> "$GITHUB_PATH"
shell: bash
env:
ACTION_PATH: ${{ github.action_path }}
shell: bash
env:
ACTION_PATH: ${{ github.action_path }}

- name: Print PHP Matrix Version
run: php-matrix --version
shell: bash

- name: Generate Matrix
id: generate-matrix
run: |
php-matrix composer --mode="${INPUT_MODE}" --source="${INPUT_SOURCE}" "${INPUT_COMPOSER_JSON}" > matrix 2>&1
retVal=$?

echo "::group::===> Matrix Output"
cat matrix
echo "::endgroup::"

if [ $retVal -ne 0 ]; then
echo "::error::Unable to generate matrix"
exit 1
fi

{
echo 'matrix<<EOF'
cat matrix
echo EOF
} >> "$GITHUB_OUTPUT"
shell: sh
env:
INPUT_COMPOSER_JSON: ${{ inputs.composer-json }}
INPUT_MODE: ${{ inputs.mode }}
INPUT_SOURCE: ${{ inputs.source }}
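Review bot: The Linux amd64 download step authenticates with `GH_TOKEN: ${{ github.token }}` while the other three download steps and the attestation step use `${{ inputs.github-token }}`, so a caller-supplied `github-token` is silently ignored on the most common runner; it should read `GH_TOKEN: ${{ inputs.github-token }}`. In the Generate Matrix step the `retVal=$?` / `::error::` handling appears unreachable on failure, because GitHub runs `shell: sh` steps with `sh -e` by default and a non-zero exit from `php-matrix` aborts the script before the grouped output and the error annotation are emitted; `retVal=0` followed by `php-matrix composer … "${INPUT_COMPOSER_JSON}" > matrix 2>&1 || retVal=$?` keeps the intended reporting. Leaving `version` blank fetches whatever release is current on every run; the `gh attestation verify --repo typisttech/php-matrix` step does bind the tarball to that repository's build, but the input description should tell consumers to pin a tag so upgrades are reproducible and reviewable. Since the download and `mkdir bin` both target `github.action_path`, invoking the action twice in one job would presumably fail on the existing `php-matrix.tar.gz` and `bin` (gh refuses to overwrite without `--clobber`); `--clobber` and `mkdir -p bin` would make it re-entrant.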
15 changes: 0 additions & 15 deletions bin/decode-php-constraint

This file was deleted.

41 changes: 0 additions & 41 deletions composer.json

This file was deleted.
