From 590a8f3e3eb06539a3acf6496cab91c685cfcefc Mon Sep 17 00:00:00 2001
From: Mathias Elle
Date: Wed, 13 May 2026 14:50:41 +0200
Subject: [PATCH 1/3] security: pin all GitHub Actions to commit SHAs (GHSA-f9f8-rm49-7jv2)
- Update shivammathur/setup-php to accd6127 (v2, post Composer 2.9.8 fix)
- Add tools: composer:v2 to phpcs workflow to enforce patched Composer
- Add permissions: contents: read to magento-compatibility workflow
- Pin actions/checkout, actions/cache, actions/labeler, googleapis/release-please-action to verified commit SHAs
---
 .github/workflows/functional-tests.yml | 2 +-
 .github/workflows/label.yml | 2 +-
 .github/workflows/magento-compatibility.yml | 5 ++++-
 .github/workflows/phpcs.yml | 5 +++--
 .github/workflows/phpstan.yml | 6 +++---
 .github/workflows/release-please.yml | 2 +-
 6 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/functional-tests.yml b/.github/workflows/functional-tests.yml
index 1329d882..339bec3e 100644
--- a/.github/workflows/functional-tests.yml
+++ b/.github/workflows/functional-tests.yml
@@ -42,7 +42,7 @@ jobs: path: mageforge - name: Setup PHP - uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f with: php-version: "8.4" extensions: mbstring, intl, gd, xml, soap, zip, bcmath, pdo_mysql, curl, sockets
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
index d23c4d40..7cfcc2fc 100644
--- a/.github/workflows/label.yml
+++ b/.github/workflows/label.yml
@@ -17,6 +17,6 @@ jobs: pull-requests: write steps: - - uses: actions/labeler@v5 + - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5 with: repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/magento-compatibility.yml b/.github/workflows/magento-compatibility.yml
index 4cff845d..5c9e20e4 100644
--- a/.github/workflows/magento-compatibility.yml
+++ b/.github/workflows/magento-compatibility.yml
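Review bot: The pinned `uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f` line in this functional-tests.yml hunk carries no version comment, while every other pin in this patch (label.yml, phpcs.yml, phpstan.yml, release-please.yml) appends `# v2`, `# v4` or `# v5`; the magento-compatibility.yml `@@ -60,7 +63,7 @@` hunk has the same omission. That trailing tag comment is what a reader needs to know which release the SHA stands for, and update tooling such as Renovate relies on it to track a SHA pin as a version, so both lines should read `uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2`. The `with:` block this step belongs to continues past the end of the hunk.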
@@ -7,6 +7,9 @@ on: branches: [main] workflow_dispatch: +permissions: + contents: read + jobs: magento-compatibility-matrix: name: Magento ${{ matrix.magento-version }} with PHP ${{ matrix.php-version }}
@@ -60,7 +63,7 @@ jobs: path: mageforge - name: Setup PHP - uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f with: php-version: ${{ matrix.php-version }} extensions: mbstring, intl, gd, xml, soap, zip, bcmath, pdo_mysql, curl, sockets
diff --git a/.github/workflows/phpcs.yml b/.github/workflows/phpcs.yml
index eb23150c..891a0270 100644
--- a/.github/workflows/phpcs.yml
+++ b/.github/workflows/phpcs.yml
@@ -14,12 +14,13 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2 with: php-version: ${{ env.PHP_VERSION }} + tools: composer:v2 - name: Install Magento Coding Standard run: composer create-project magento/magento-coding-standard --stability=dev /tmp/magento-coding-standard
diff --git a/.github/workflows/phpstan.yml b/.github/workflows/phpstan.yml
index 643b8cdc..c64c63f7 100644
--- a/.github/workflows/phpstan.yml
+++ b/.github/workflows/phpstan.yml
@@ -37,12 +37,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: path: mageforge - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2 with: php-version: "8.4" extensions: mbstring, intl, gd, xml, soap, zip, bcmath, pdo_mysql, curl, sockets
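Review bot: `tools: composer:v2` added in the phpcs.yml hunk is a floating constraint — setup-php resolves it to whatever the newest Composer 2.x is at run time — so it does not pin the patched release the commit message relies on ("post Composer 2.9.8 fix"), and nothing in the file records why a floating version is acceptable in a commit that otherwise pins every action to a SHA. Either pin it explicitly (setup-php's `tools:` syntax also accepts an exact version, e.g. `tools: composer:2.9.8`) or keep the floating form with a comment such as `tools: composer:v2  # any 2.x >= 2.9.8 is acceptable; see GHSA-f9f8-rm49-7jv2`. The phpstan.yml `@@ -37,12 +37,12 @@` hunk on this same line pins the same setup-php commit without adding `tools:`, yet phpstan.yml visibly runs Composer (its `Cache Composer packages` step in the next hunk), as do functional-tests.yml and magento-compatibility.yml; if the `tools:` line is what enforces the patched Composer, those workflows presumably need it too, which is worth confirming against the default Composer that setup-php installs at that commit.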
@@ -50,7 +50,7 @@ jobs: - name: Cache Composer packages id: composer-cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: ~/.composer/cache/files key: ${{ runner.os }}-composer-2.4.8-${{ hashFiles('**/composer.json') }}
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 7830d26d..3cd2c99f 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run Release Please - uses: googleapis/release-please-action@v4 + uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4 with: # The GitHub token for creating releases and pull requests token: ${{ secrets.GITHUB_TOKEN }}
From 4f8f410eeedfb6cd0b0cc5d8ffd88511715f5bd9 Mon Sep 17 00:00:00 2001
From: Mathias Elle
Date: Wed, 13 May 2026 14:56:31 +0200
Subject: [PATCH 2/3] fix: fix mysql startup and magento compatibilitytests for patch p5 and p10
---
 .github/workflows/functional-tests.yml | 7 ++++++-
 .github/workflows/magento-compatibility.yml | 4 ++--
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/functional-tests.yml b/.github/workflows/functional-tests.yml
index 339bec3e..dac6c47d 100644
--- a/.github/workflows/functional-tests.yml
+++ b/.github/workflows/functional-tests.yml
@@ -23,7 +23,12 @@ jobs: MYSQL_DATABASE: magento ports: - 3306:3306 - options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3 + options: >- --health-cmd="mysqladmin ping -h 127.0.0.1 -uroot -pmagento --silent" --health-interval=10s --health-timeout=5s --health-retries=10 --health-start-period=30s opensearch: image: opensearchproject/opensearch:2.11.0
diff --git a/.github/workflows/magento-compatibility.yml b/.github/workflows/magento-compatibility.yml
index 5c9e20e4..ae8883bc 100644
--- a/.github/workflows/magento-compatibility.yml
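Review bot: The new `--health-cmd="mysqladmin ping -h 127.0.0.1 -uroot -pmagento --silent"` in the functional-tests.yml `@@ -23,7 +23,12 @@` hunk hard-codes the root password a second time, separately from the service's `MYSQL_ROOT_PASSWORD` env (presumably set just above the hunk; only `MYSQL_DATABASE: magento` is visible), so the two can silently drift, and it places the credential in the container's health-check definition where `docker inspect` and the process list expose it. The credentials are not needed for what this check does: MySQL documents that `mysqladmin ping` exits 0 whenever the server answers, including with an access-denied error, so the readiness signal is identical without `-uroot -pmagento` — the `-h 127.0.0.1` part is the actual fix, as it waits for the TCP listener rather than the init-time socket. I would reduce the line to `--health-cmd="mysqladmin ping -h 127.0.0.1 --silent"`; if a login-level probe is really wanted, read the password from the container environment (`-p$MYSQL_ROOT_PASSWORD`, which should expand because `--health-cmd` runs through the container's shell) rather than repeating the literal. The `services:` entry this belongs to starts above the hunk.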
+++ b/.github/workflows/magento-compatibility.yml
@@ -18,10 +18,10 @@ jobs: fail-fast: false matrix: include: - - magento-version: "2.4.7-p9" + - magento-version: "2.4.7-p10" php-version: "8.3" search-engine-name: "opensearch" - - magento-version: "2.4.8-p4" + - magento-version: "2.4.8-p5" php-version: "8.4" search-engine-name: "opensearch" - magento-version: "2.4.9-beta1"
From 57f7537f2e36dcbd01fe4d2f7e0e7a8541e4149e Mon Sep 17 00:00:00 2001
From: Mathias Elle
Date: Wed, 13 May 2026 15:03:20 +0200
Subject: [PATCH 3/3] feat: add 2.4.9 to compatibilty test-workflow
---
 .github/workflows/magento-compatibility.yml | 5 +----
 .github/workflows/release-please.yml | 4 ++--
 2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/magento-compatibility.yml b/.github/workflows/magento-compatibility.yml
index ae8883bc..6a0f5543 100644
--- a/.github/workflows/magento-compatibility.yml
+++ b/.github/workflows/magento-compatibility.yml
@@ -24,10 +24,7 @@ jobs: - magento-version: "2.4.8-p5" php-version: "8.4" search-engine-name: "opensearch" - - magento-version: "2.4.9-beta1" - php-version: "8.4" - search-engine-name: "opensearch" - - magento-version: "2.4.9-beta1" + - magento-version: "2.4.9" php-version: "8.5" search-engine-name: "opensearch"
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 3cd2c99f..d77e0595 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -18,9 +18,9 @@ jobs: with: # The GitHub token for creating releases and pull requests token: ${{ secrets.GITHUB_TOKEN }} - + # Path to release-please-config.json config-file: release-please-config.json - + # Path to .release-please-manifest.json manifest-file: .release-please-manifest.json
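Review bot: The net effect of the magento-compatibility.yml `@@ -24,10 +24,7 @@` hunk is one matrix row fewer, not one more: both `2.4.9-beta1` rows (PHP 8.4 and PHP 8.5) are removed and a single `2.4.9` row on PHP 8.5 replaces them, so 2.4.9 is no longer exercised on PHP 8.4 even though the `2.4.8-p5` row directly above still runs on 8.4. If 2.4.9 GA still supports PHP 8.4 — I cannot tell that from the workflow — the 8.4 row should be kept as `- magento-version: "2.4.9"` / `php-version: "8.4"` / `search-engine-name: "opensearch"`; otherwise a comment in the matrix should state that 2.4.9 is tested on 8.5 only and why, so the coverage drop is recognisable as deliberate. The `include:` list this hunk edits starts above the hunk.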