phpstan
diff --git a/‎.github/workflows/build-identifier-extractor.yml‎
Lines changed: 11 additions & 3 deletions b/‎.github/workflows/build-identifier-extractor.yml‎
Lines changed: 11 additions & 3 deletions
diff --git a/‎.github/workflows/docker-nightly.yml‎
Lines changed: 13 additions & 5 deletions b/‎.github/workflows/docker-nightly.yml‎
Lines changed: 13 additions & 5 deletions
diff --git a/‎.github/workflows/docker-stable.yml‎
Lines changed: 13 additions & 5 deletions b/‎.github/workflows/docker-stable.yml‎
Lines changed: 13 additions & 5 deletions
diff --git a/‎.github/workflows/extension-tests-run.yml‎
Lines changed: 7 additions & 2 deletions b/‎.github/workflows/extension-tests-run.yml‎
Lines changed: 7 additions & 2 deletions
diff --git a/‎.github/workflows/extension-tests.yml‎
Lines changed: 17 additions & 7 deletions b/‎.github/workflows/extension-tests.yml‎
Lines changed: 17 additions & 7 deletions
diff --git a/‎.github/workflows/extract-identifiers.yml‎
Lines changed: 26 additions & 11 deletions b/‎.github/workflows/extract-identifiers.yml‎
Lines changed: 26 additions & 11 deletions
diff --git a/‎.github/workflows/integration-tests-run.yml‎
Lines changed: 7 additions & 2 deletions b/‎.github/workflows/integration-tests-run.yml‎
Lines changed: 7 additions & 2 deletions
@@ -14,6 +14,9 @@ on:
       - 'identifier-extractor/**'
       - '.github/workflows/build-identifier-extractor.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build-identifier-extractor:
     name: "Build Identifier Extractor"
@@ -22,17 +25,22 @@ jobs:
     timeout-minutes: 60
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
       - name: "Checkout"
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: "Install PHP"
-        uses: "shivammathur/setup-php@v2"
+        uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2
         with:
           coverage: "none"
           php-version: "8.1"
 
       - name: "Install Extractor dependencies"
-        uses: "ramsey/composer-install@v3"
+        uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3
         with:
           working-directory: "identifier-extractor"
 
 
@@ -15,6 +15,9 @@ on:
       - '.phar-checksum'
       - 'bootstrap.php'
 
+permissions:
+  contents: read
+
 jobs:
   docker:
     runs-on: ubuntu-latest
@@ -36,25 +39,30 @@ jobs:
           - docker-file: "./docker/Dockerfile.php.8.4"
             image-tag-suffix: "-php8.4"
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Login to ghcr
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
         with:
           builder: ${{ steps.buildx.outputs.name }}
           context: ./docker
 
@@ -9,6 +9,9 @@ on:
     tags:
       - '2.*'
 
+permissions:
+  contents: read
+
 jobs:
   docker:
     runs-on: ubuntu-latest
@@ -30,18 +33,23 @@ jobs:
           - docker-file: "./docker/Dockerfile.php.8.4"
             image-tag-suffix: "-php8.4"
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Login to ghcr
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -52,7 +60,7 @@ jobs:
         run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
 
       - name: Build and push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
         with:
           builder: ${{ steps.buildx.outputs.name }}
           context: ./docker
 
@@ -24,10 +24,15 @@ jobs:
   upload-phar:
     runs-on: "ubuntu-latest"
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
       - name: "Checkout"
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: phar-file
           path: phpstan.phar
 
@@ -21,8 +21,13 @@ jobs:
     outputs:
       checksum-result: ${{ steps.checksum-difference.outputs.result }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
       - name: "Checkout"
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           repository: "phpstan/phpstan"
           ref: ${{ inputs.ref }}
@@ -79,25 +84,30 @@ jobs:
             php-version: "8.5"
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
       - name: "Checkout"
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           repository: "phpstan/phpstan"
           ref: ${{ inputs.ref }}
 
       - name: "Install PHP"
-        uses: "shivammathur/setup-php@v2"
+        uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2
         with:
           coverage: "none"
           php-version: "${{ matrix.php-version }}"
           ini-file: development
           ini-values: memory_limit=768M
           extensions: soap
 
-      - uses: "ramsey/composer-install@v3"
+      - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3
 
       - name: "Download phpstan.phar"
-        uses: Wandalen/[email protected]
+        uses: Wandalen/wretry.action@e68c23e6309f2871ca8ae4763e7629b9c258e1ea # v3.8.0
         with:
           action: actions/download-artifact@v4
           with: |
@@ -106,12 +116,12 @@ jobs:
           attempt_delay: 1000
 
       - name: "Checkout extension"
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           repository: "phpstan/${{ matrix.extension-name }}"
           path: extension
 
-      - uses: "ramsey/composer-install@v3"
+      - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3
         with:
           working-directory: "extension"
 
 
@@ -16,6 +16,9 @@ concurrency:
   group: extract-identifiers-${{ github.ref }} # will be canceled on subsequent pushes
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   extract:
     name: "Extract identifiers"
@@ -38,23 +41,28 @@ jobs:
           - "phpstan/phpstan-mockery"
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
       - name: "Checkout"
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: "Checkout"
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           repository: ${{ matrix.repository }}
           path: "identifier-extractor/repo"
 
       - name: "Install PHP"
-        uses: "shivammathur/setup-php@v2"
+        uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2
         with:
           coverage: "none"
           php-version: "8.1"
 
       - name: "Install Extractor dependencies"
-        uses: "ramsey/composer-install@v3"
+        uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3
         with:
           working-directory: "identifier-extractor"
 
@@ -74,35 +82,42 @@ jobs:
           REPO: ${{ matrix.repository }}
           BRANCH: ${{ steps.branch-name.outputs.name }}
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: identifiers-${{ steps.repo-name.outputs.name }}
           path: identifier-extractor/${{ steps.repo-name.outputs.name }}.json
 
   merge:
+    permissions:
+      contents: write  # for stefanzweifel/git-auto-commit-action to push code in repo
     name: "Merge and commit identifiers"
     needs: extract
 
     runs-on: "ubuntu-latest"
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
       - name: "Checkout"
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           token: ${{ secrets.PHPSTAN_BOT_TOKEN }}
 
       - name: "Install PHP"
-        uses: "shivammathur/setup-php@v2"
+        uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2
         with:
           coverage: "none"
           php-version: "8.1"
 
       - name: "Install Extractor dependencies"
-        uses: "ramsey/composer-install@v3"
+        uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3
         with:
           working-directory: "identifier-extractor"
 
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           pattern: identifiers-*
           path: identifier-extractor/tmp
@@ -112,7 +127,7 @@ jobs:
         run: "php merge.php > ../website/src/errorsIdentifiers.json"
 
       - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@v6
+        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
         with:
           gpg_private_key: ${{ secrets.GPG_PHPSTANBOT_PRIVATE_KEY }}
           passphrase: ${{ secrets.GPG_PHPSTANBOT_KEY_PASSPHRASE }}
@@ -121,7 +136,7 @@ jobs:
           git_commit_gpgsign: true
 
       - name: "Commit changes"
-        uses: "stefanzweifel/git-auto-commit-action@v5"
+        uses: "stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403" # v5.2.0
         id: "commit"
         with:
           commit_message: "Update errors identifiers"
 
@@ -26,10 +26,15 @@ jobs:
   upload-phar:
     runs-on: "ubuntu-latest"
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
       - name: "Checkout"
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: phar-file
           path: phpstan.phar