chore(deps): refresh Go and PHP dependencies, align CI tooling #52
Merged: miguelsanchez-upsun merged 9 commits into main, Apr 29, 2026
Bumps go directive from 1.25 to 1.26.2, and runs `go get -u ./...` followed by `go mod tidy` to update direct and indirect dependencies to their latest minor/patch releases.

Direct dependency updates:
- alecthomas/chroma/v2: v2.20.0 -> v2.23.1
- fatih/color: v1.18.0 -> v1.19.0
- go-chi/chi/v5: v5.2.3 -> v5.2.5
- go-playground/validator/v10: v10.27.0 -> v10.30.2
- gofrs/flock: v0.12.1 -> v0.13.0
- spf13/cobra: v1.10.1 -> v1.10.2
- symfony-cli/terminal: v1.0.7 -> v1.0.9
- upsun/whatsun: v0.1.0 -> v0.2.0
- golang.org/x/crypto: v0.42.0 -> v0.50.0
- golang.org/x/oauth2: v0.31.0 -> v0.36.0
- golang.org/x/sync: v0.17.0 -> v0.20.0
- golang.org/x/term: v0.35.0 -> v0.42.0

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Runs `composer update` to pick up the latest minor/patch releases of the direct and indirect dependencies of the legacy CLI.

Direct dependency updates:
- composer/ca-bundle: 1.5.5 -> 1.5.11
- friendsofphp/php-cs-fixer: 3.92.3 -> 3.95.1
- giggsey/libphonenumber-for-php-lite: 8.13.52 -> 8.13.55
- guzzlehttp/guzzle: 7.9.2 -> 7.10.0
- phpunit/phpunit: 11.5.1 -> 11.5.55
- symfony/config: 7.2.0 -> 7.4.8
- symfony/console: 7.4.1 -> 7.4.8
- symfony/dependency-injection: 7.2.0 -> 7.4.8
- symfony/event-dispatcher: 7.4.0 -> 7.4.8
- symfony/filesystem: 7.4.0 -> 7.4.8
- symfony/finder: 7.4.0 -> 7.4.8
- symfony/polyfill-iconv: 1.31.0 -> 1.37.0
- symfony/polyfill-mbstring: 1.33.0 -> 1.37.0
- symfony/process: 7.4.0 -> 7.4.8
- symfony/var-dumper: 7.3.0 -> 7.4.8
- symfony/yaml: 7.2.0 -> 7.4.8

Includes a php-cs-fixer auto-fix on four source files (closures with inline bodies expanded to multi-line) following the upgrade to 3.95, and a phpstan-baseline pattern refresh after the bump to phpstan 1.12.33.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

The CI workflow was pinned to golangci-lint v2.7 (resolved to v2.7.2) while contributors running newer versions locally hit nine gosec findings that CI never surfaced. Bumps the pinned version to v2.11 to keep local and CI in step.

Adds a path-based exclusion so gosec no longer scans the test infrastructure under pkg/mockapi/, pkg/mockssh/, and integration-tests/, where its taint analysis only produces false positives. Removes the inline //nolint:gosec directives that the exclusion makes redundant.

Suppresses three production-code findings inline with reasons:
- internal/config/config.go (G304): config path comes from an env var the operator deliberately sets;
- internal/config/dir.go (G301): 0o700 already restricts to the user;
- internal/init/command.go (G115): file descriptors fit in an int.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Aligns the workflows on the current major version of each action.
- actions/checkout: v4 -> v6 (ci.yml, security.yml, release.yml; the newer test-installer.yml workflow was already on v6)
- actions/cache: v4 -> v5
- actions/add-to-project: RELEASE_VERSION -> v1 (the placeholder from the upstream README example was never replaced, so this workflow was failing silently on every issue)
- trufflesecurity/trufflehog: main -> v3 (pin to a major tag rather than a moving branch)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

The release workflow was lagging on five actions whose latest majors all primarily bumped to Node 24 alongside small input/env cleanups. None of the removed inputs are referenced here, and GitHub-hosted runners (ubuntu-latest, ubuntu-24.04-arm) meet the required runner version, so this should be a transparent upgrade.
- aws-actions/configure-aws-credentials: v4 -> v6
- actions/create-github-app-token: v2 -> v3
- docker/setup-buildx-action: v3 -> v4
- docker/login-action: v3 -> v4
- docker/build-push-action: v5 -> v7

Kept as a separate commit from the safe action bumps so it can be reverted independently if the next release surfaces an issue.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

The earlier change pinned this to v3 on the assumption it was a moving major-version tag, but trufflesecurity/trufflehog only ships specific patch tags, so v3 fails to resolve. Pin to the current latest tag instead.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Reverts the earlier pin. Trufflehog only ships specific patch tags (no moving v3 tag), and for a secret scanner we want every run to use the latest detector set rather than freezing the rule set the day a tag was cut. Adds a comment so the next person doesn't try to pin it again.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
Routine dependency updates across the Go and legacy PHP codebases, plus CI/workflow alignment (including updated golangci-lint pinning and gosec handling) to keep local and CI tooling consistent.
Changes:
- Updated Go module dependencies and adjusted gosec handling (path exclusions + targeted inline suppressions).
- Updated legacy PHP dependencies (composer.lock), refreshed phpstan baseline, and applied php-cs-fixer formatting changes.
- Refreshed GitHub Actions workflow versions and fixed a broken action pin.
Reviewed changes
Copilot reviewed 18 out of 20 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| go.mod | Bumps Go version directive and updates Go dependencies. |
| .golangci.yml | Excludes mock/integration paths from gosec to reduce false positives. |
| internal/config/config.go | Adds scoped gosec suppression for reading config path from env. |
| internal/config/dir.go | Adds scoped gosec suppression for MkdirAll permissions finding. |
| internal/init/command.go | Adds scoped gosec suppression for terminal FD conversion (G115). |
| integration-tests/tests.go | Removes redundant inline gosec suppression in excluded test harness. |
| pkg/mockapi/id.go | Removes redundant inline gosec suppressions in excluded mock code. |
| pkg/mockapi/auth_server.go | Removes redundant inline gosec suppressions in excluded mock code. |
| pkg/mockssh/server.go | Removes redundant inline gosec suppression in excluded mock code. |
| legacy/composer.lock | Updates PHP dependencies to latest minor/patch versions. |
| legacy/phpstan-baseline.neon | Updates an ignore pattern to match phpstan's refined message. |
| legacy/src/Service/ActivityMonitor.php | php-cs-fixer formatting changes (closure expansion). |
| legacy/src/Command/Resources/ResourcesCommandBase.php | php-cs-fixer formatting changes (closure expansion). |
| legacy/src/Command/Organization/OrganizationCreateCommand.php | php-cs-fixer formatting changes (closure expansion). |
| legacy/src/Command/Autoscaling/AutoscalingSettingsSetCommand.php | php-cs-fixer formatting changes (closure expansion). |
| .github/workflows/ci.yml | Updates checkout/cache actions and golangci-lint version pin. |
| .github/workflows/security.yml | Updates checkout and trufflehog action pins. |
| .github/workflows/release.yml | Updates checkout/cache/docker/aws/app-token action pins. |
| .github/workflows/add-to-project.yml | Fixes broken actions/add-to-project pin. |
Update the bundled PHP runtime from 8.4.16 to 8.4.20. Binaries are downloaded at build time from upsun/cli-php-builds. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
miguelsanchez-upsun approved these changes, Apr 29, 2026
Routine dependency hygiene across the Go and PHP halves of the CLI, plus a couple of CI fixes uncovered along the way. Each step is a separate commit, in order:

Go (./)

- `go` directive from 1.25 to 1.26.2. CI picks the toolchain up via `go-version-file: ./go.mod`.
- `go get -u ./...` and `go mod tidy` to take the latest minor/patch of every dependency. Direct module bumps:
  - alecthomas/chroma/v2 v2.20.0 → v2.23.1
  - fatih/color v1.18.0 → v1.19.0
  - go-chi/chi/v5 v5.2.3 → v5.2.5
  - go-playground/validator/v10 v10.27.0 → v10.30.2
  - gofrs/flock v0.12.1 → v0.13.0
  - spf13/cobra v1.10.1 → v1.10.2
  - symfony-cli/terminal v1.0.7 → v1.0.9
  - upsun/whatsun v0.1.0 → v0.2.0
  - golang.org/x/crypto v0.42.0 → v0.50.0
  - golang.org/x/oauth2 v0.31.0 → v0.36.0
  - golang.org/x/sync v0.17.0 → v0.20.0
  - golang.org/x/term v0.35.0 → v0.42.0

PHP (./legacy)

- `composer update` for the latest minor/patch of every dependency. Direct package bumps:
  - composer/ca-bundle 1.5.5 → 1.5.11
  - friendsofphp/php-cs-fixer 3.92.3 → 3.95.1
  - giggsey/libphonenumber-for-php-lite 8.13.52 → 8.13.55
  - guzzlehttp/guzzle 7.9.2 → 7.10.0
  - phpunit/phpunit 11.5.1 → 11.5.55
  - symfony/config 7.2.0 → 7.4.8
  - symfony/console 7.4.1 → 7.4.8
  - symfony/dependency-injection 7.2.0 → 7.4.8
  - symfony/event-dispatcher 7.4.0 → 7.4.8
  - symfony/filesystem 7.4.0 → 7.4.8
  - symfony/finder 7.4.0 → 7.4.8
  - symfony/polyfill-iconv 1.31.0 → 1.37.0
  - symfony/polyfill-mbstring 1.33.0 → 1.37.0
  - symfony/process 7.4.0 → 7.4.8
  - symfony/var-dumper 7.3.0 → 7.4.8
  - symfony/yaml 7.2.0 → 7.4.8
- `phpstan-baseline.neon` pattern updated after the bump from phpstan 1.12.13 to 1.12.33 (one ignored error pattern needed updating to match phpstan's refined message).
- php-cs-fixer auto-fix in `AutoscalingSettingsSetCommand.php`, `OrganizationCreateCommand.php`, `ResourcesCommandBase.php`, and `ActivityMonitor.php`.

Three direct PHP packages had a major version available that I deliberately did not take under the routine-hygiene framing — worth tracking separately: doctrine/cache 1 → 2 (and abandoned upstream), giggsey/libphonenumber-for-php-lite 8 → 9, and rector/rector 1 → 2.

Bundled PHP runtime

Bumped the PHP runtime that ships with the CLI from 8.4.16 to 8.4.20 by updating `PHP_VERSION` in the Makefile. Binaries are downloaded at build time from upsun/cli-php-builds, so this is a one-line change.

CI alignment + new gosec findings

CI was pinning `golangci/golangci-lint-action@v9` to `version: v2.7` (resolves to v2.7.2), while contributors running newer versions locally were hitting nine gosec findings that CI never surfaced. Bumped the pinned version to `v2.11` so the two stay in step.

Addressed the nine new findings as follows:

- Excluded `pkg/mockapi/`, `pkg/mockssh/`, and `integration-tests/` from `gosec` in `.golangci.yml`. Those directories are mock servers and the integration test harness, where gosec's taint analysis is just noise. Removed four inline `//nolint:gosec` directives that the path exclusion makes redundant.
- Suppressed the remaining three inline with `//nolint:gosec` with reasons:
  - `internal/config/config.go` G304: the config path comes from `$CLI_CONFIG_FILE`, which the operator is deliberately pointing the CLI at.
  - `internal/config/dir.go` G301: `0o700` already restricts to the user, and the path is the user's own cache dir.
  - `internal/init/command.go` G115: file descriptors fit in an `int` on all supported platforms (standard idiom for `term.IsTerminal`).

Workflow action versions

Audit found one broken pin and several actions a major or two behind. Split into two commits so the higher-risk release-path bumps can be reverted independently if the next tagged release surfaces an issue.

Safe bumps (04ae5082):

- actions/checkout v4 → v6 (in ci.yml, security.yml, release.yml; test-installer.yml was already on v6)
- actions/cache v4 → v5
- actions/add-to-project RELEASE_VERSION → v1 — the placeholder from the upstream README example was never substituted, so the issue-to-project workflow has been failing silently
- trufflesecurity/trufflehog left on @main intentionally, with a comment explaining why. I initially tried to pin it to @v3, but trufflehog only ships specific patch tags (no moving major-version tag). Since this is a secret scanner we want every run to use the latest detector set rather than freezing the rule set on the day a tag was cut.

Release-path bumps (417878dc):

- aws-actions/configure-aws-credentials v4 → v6
- actions/create-github-app-token v2 → v3
- docker/setup-buildx-action v3 → v4
- docker/login-action v3 → v4
- docker/build-push-action v5 → v7

The common breaking change across those five is Node 24 + small input/env cleanup. None of the removed inputs or envs are referenced in release.yml, and the GitHub-hosted runners already exceed the required runner version, so this should be transparent on the next release.

Supersedes

This PR rolls eleven open Dependabot PRs into one consistent update so they can be closed together: #1, #3, #4, #5, #6, #7, #8, #9, #10, #11, #12. Two of those (#3 libphonenumber 8 → 9 and #7 rector 1 → 2) are major-version bumps that this PR does not take — leaving them for a deliberate, separate look.

🤖 Generated with Claude Code
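As an added illustration (not the PR's own `.golangci.yml` diff, which this page does not show), here is what a gosec-only path exclusion for the three directories named above looks like in the golangci-lint v2 config schema; the file shape is an assumption based on v2's `linters.exclusions.rules`, not copied from the repository:

```yaml
# Illustrative .golangci.yml (assumed layout, not the project's actual file).
# Goal: keep gosec on for production code, but stop it scanning the mock
# servers and the integration-test harness, where its taint analysis only
# produces false positives. Scoping the rule to gosec means every other
# enabled linter still covers these directories.
version: "2"

linters:
  enable:
    - gosec
  exclusions:
    rules:
      # Path patterns are regular expressions matched against the
      # repository-relative file path; anchor them so e.g. a future
      # "internal/mockapi" would not be silently excluded too.
      - path: '^pkg/mockapi/'
        linters: [gosec]
      - path: '^pkg/mockssh/'
        linters: [gosec]
      - path: '^integration-tests/'
        linters: [gosec]
    # Deliberately NOT using "exclusions.paths" here: that key removes the
    # directories from every linter, which is broader than the PR intends.
```

Production-code findings such as the G304/G301/G115 cases above should keep the inline `//nolint:gosec // <rule>: <reason>` form so the reason travels with the code and the suppression stays scoped to one line.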