Skip to content

chore(security): pin GitHub Actions to commit SHAs#239

Merged
kishore7snehil merged 5 commits into
mainfrom
chore/pin-gha-actions
Jun 10, 2026
Merged

chore(security): pin GitHub Actions to commit SHAs#239
kishore7snehil merged 5 commits into
mainfrom
chore/pin-gha-actions

Conversation

@kishore7snehil

@kishore7snehil kishore7snehil commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Changes

  • Pin all third-party GitHub Actions to full-length commit SHAs (with version comments) across the release, rl-scanner, snyk, and tests workflows, improving security and reproducibility
  • Bump shivammathur/setup-php from 2.32.0 to 2.37.2
  • Fix SessionStore::delete() to capture the session once, removing redundant nullsafe operators flagged by PHPStan (nullsafe.neverNull)
  • Align Auth0Bundle::loadExtension() parameter names with the parent AbstractBundle/ConfigurableExtensionInterface signature, resolving a Psalm ParamNameMismatch
  • Add a .snyk policy to ignore the false-positive "Unknown license" flag for auth0/auth0-php (the package is MIT-licensed)

Based on #238 by (jcchavezs), and includes the shivammathur/setup-php bump from #237.

jcchavezs and others added 2 commits June 10, 2026 10:52
Bumps [shivammathur/setup-php](https://github.com/shivammathur/setup-php) from 2.32.0 to 2.37.2.
- [Release notes](https://github.com/shivammathur/setup-php/releases)
- [Commits](shivammathur/setup-php@9e72090...f3e473d)

---
updated-dependencies:
- dependency-name: shivammathur/setup-php
  dependency-version: 2.37.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@kishore7snehil
kishore7snehil requested a review from a team as a code owner June 10, 2026 05:25
- SessionStore::delete() now captures the session once so the
  non-null calls don't use redundant nullsafe operators (PHPStan
  nullsafe.neverNull)
- Auth0Bundle::loadExtension() param names match the parent
  AbstractBundle/ConfigurableExtensionInterface signature (Psalm
  ParamNameMismatch)
Snyk reports auth0/auth0-php@8.19.0 as "Unknown license" though the
package is MIT-licensed. Add a .snyk policy to ignore the license
issue so the vulnerability check passes.
Quote the license issue key and bump the policy version so Snyk
correctly parses and honors the auth0-php license ignore.

@tanya732 tanya732 left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kishore7snehil
kishore7snehil merged commit b5caa27 into main Jun 10, 2026
18 checks passed
@kishore7snehil
kishore7snehil deleted the chore/pin-gha-actions branch June 10, 2026 06:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants