Feature/setup ci cd #2
📝 Walkthrough: Adds CI/CD and QA infrastructure: GitHub Actions workflows (CI, PHPCS, PHPUnit), Dependabot for Composer, Composer metadata and dev tooling, PHPCS/PHPUnit configs, .gitignore updates, CONTRIBUTING/README docs, and initial PHPUnit test bootstrap and sample tests.
Actionable comments posted: 5
🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)
9-96: Consider de‑duplicating PHPCS/PHPUnit workflows.
This workflow runs PHPCS + PHPUnit while dedicated phpcs.yml/phpunit.yml workflows also exist. That likely doubles CI time on every PR. Consider consolidating (e.g., keep one workflow and use workflow_call or adjust triggers).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/ci.yml around lines 9 - 96, CI duplicates PHPCS and PHPUnit runs between the phpcs and phpunit jobs and the separate phpcs.yml/phpunit.yml workflows; to fix, remove duplication by turning this combined workflow into a caller or consolidating jobs: either delete the phpcs and/or phpunit jobs here and call the existing phpcs.yml/phpunit.yml via workflow_call, or keep this workflow and remove the separate workflow files and move their triggers into this file; update job names phpcs and phpunit and their steps accordingly and ensure matrix, services (mysql), and caching steps are preserved under the chosen single workflow so tests and linting run only once per PR.
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up PHP | ||
| uses: shivammathur/setup-php@v2 | ||
| with: | ||
| php-version: '8.1' | ||
| coverage: none | ||
| tools: composer:v2 | ||
|
|
||
| - name: Get Composer Cache Directory | ||
| id: composer-cache | ||
| run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT | ||
|
|
||
| - name: Cache Composer dependencies | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: ${{ steps.composer-cache.outputs.dir }} | ||
| key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} | ||
| restore-keys: ${{ runner.os }}-composer- |
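Review bot: the cache key on the last lines of this hunk is derived only from `hashFiles('**/composer.lock')`; if composer.lock is not committed (a common choice for WordPress plugins, and this PR changes .gitignore), hashFiles evaluates to an empty string and every run resolves to the constant key `${{ runner.os }}-composer-`, so the cache is never invalidated when require-dev changes. Either commit composer.lock or include the manifest in the key, e.g. `hashFiles('**/composer.lock', '**/composer.json')`. Also quote the redirection target in the Get Composer Cache Directory step: `>> "$GITHUB_OUTPUT"`.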
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Check if the workflow file exists and examine lines 14-33 and 62-82
if [ -f .github/workflows/ci.yml ]; then
  echo "=== Lines 14-33 of ci.yml ==="
  sed -n '14,33p' .github/workflows/ci.yml
  echo ""
  echo "=== Lines 62-82 of ci.yml ==="
  sed -n '62,82p' .github/workflows/ci.yml
  echo ""
  echo "=== Full ci.yml file ==="
  cat .github/workflows/ci.yml
else
  echo "File not found: .github/workflows/ci.yml"
  find . -name "*.yml" -path ".github/workflows/*" 2>/dev/null | head -20
fi
```
Repository: raphaelsuzuki/pmpro-level-explorer
Length of output: 4370
🏁 Script executed:
```bash
#!/bin/bash
# Check for other workflow files in .github/workflows/
if [ -d .github/workflows ]; then
  echo "=== Workflow files in .github/workflows/ ==="
  ls -la .github/workflows/
else
  echo "No .github/workflows directory"
fi
```
Repository: raphaelsuzuki/pmpro-level-explorer
Length of output: 410
🏁 Script executed:
```bash
#!/bin/bash
echo "=== phpcs.yml ==="
cat .github/workflows/phpcs.yml
echo ""
echo "=== phpunit.yml ==="
cat .github/workflows/phpunit.yml
```
Repository: raphaelsuzuki/pmpro-level-explorer
Length of output: 3221
Pin GitHub Actions to full commit SHAs.
All three action uses in this file (and phpcs.yml/phpunit.yml) should be pinned to commit SHAs instead of version tags, which are mutable and create supply-chain risk.
🔒 Example pinning
- - name: Checkout code
- uses: actions/checkout@v4
+ - name: Checkout code
+ uses: actions/checkout@<full_sha>
- - name: Set up PHP
- uses: shivammathur/setup-php@v2
+ - name: Set up PHP
+ uses: shivammathur/setup-php@<full_sha>
- - name: Cache Composer dependencies
- uses: actions/cache@v4
+ - name: Cache Composer dependencies
+ uses: actions/cache@<full_sha>
Also applies to: 62-82, and phpcs.yml / phpunit.yml
🧰 Tools
🪛 GitHub Check: Codacy Static Code Analysis
[warning] 18-18: .github/workflows/ci.yml#L18
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/ci.yml around lines 14 - 33, Replace mutable version tags
with pinned commit SHAs for all GitHub Action uses: change actions/checkout@v4,
shivammathur/setup-php@v2, and actions/cache@v4 to their respective full commit
SHA refs (e.g., actions/checkout@<full-sha>) so the workflow references an
immutable commit; update the same pattern in the other occurrences (lines 62-82)
and in phpcs.yml and phpunit.yml to ensure every action use is pinned to a full
commit SHA rather than a tag.
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up PHP | ||
| uses: shivammathur/setup-php@v2 | ||
| with: | ||
| php-version: '8.1' | ||
| coverage: none | ||
| tools: composer:v2 | ||
|
|
||
| - name: Get Composer Cache Directory | ||
| id: composer-cache | ||
| run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT | ||
|
|
||
| - name: Cache Composer dependencies | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: ${{ steps.composer-cache.outputs.dir }} | ||
| key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} | ||
| restore-keys: ${{ runner.os }}-composer- |
🧩 Analysis chain
🏁 Script executed:
```bash
find . -name "phpcs.yml" -type f
```
Repository: raphaelsuzuki/pmpro-level-explorer
Length of output: 107
🏁 Script executed:
```bash
cat -n .github/workflows/phpcs.yml
```
Repository: raphaelsuzuki/pmpro-level-explorer
Length of output: 1338
🌐 Web query:
GitHub Actions security best practices pin commit SHA 2025 2026
💡 Result:
GitHub Actions security best practices (2025–2026): pin to full commit SHAs
1) Prefer full-length commit SHA pinning for all third‑party actions
- Pinning to a full commit SHA is GitHub’s recommended way to make an action reference effectively immutable and reduce the risk of a compromised tag/branch being silently picked up by your workflows. [1]
- When choosing a SHA, verify it’s from the action’s official repository (not a fork). [1]
Example
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
(Adding the tag version as a comment helps humans track what the SHA corresponds to.) [2]
2) Pin SHAs that correspond to tagged releases (for maintainability)
- GitHub’s guidance recommends tying the SHA to a release/tagged version (not an arbitrary commit), and documenting the version in a comment. This makes upgrades clearer and helps dependency tooling propose clean updates. [2]
3) Enforce SHA pinning via policy (now explicitly supported)
- GitHub added policy controls to enforce SHA pinning (workflows fail if an action isn’t pinned) and to block specific actions or versions in the “allowed actions and reusable workflows” policy. [3]
4) Know the Dependabot trade-off (and compensate)
- GitHub notes that Dependabot alerts don’t get created for actions pinned to SHA values (it expects semver-style versions for alerting). If you pin to SHAs, compensate with other monitoring (e.g., reviewing advisories for the actions you use and scheduling regular update PRs). [4]
5) Reduce blast radius of compromised actions
- Because any single compromised action can potentially access secrets and the
GITHUB_TOKEN, GitHub recommends treating third‑party actions as high risk and mitigating with SHA pinning plus additional review/auditing. [1]
Sources: GitHub Docs on Actions hardening/pinning [1], GitHub Well‑Architected Actions security guidance [2], GitHub Changelog (Aug 15, 2025) on enforcing SHA pinning/blocking [3], GitHub Docs note on Dependabot/SHAs [4].
Pin GitHub Actions to full commit SHAs.
Using mutable tags (@v4, @v2) exposes the workflow to supply-chain risk. Pin to full SHAs for immutability, with version comments for maintainability.
Example pinning
- - name: Checkout code
- uses: actions/checkout@v4
+ - name: Checkout code
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- - name: Set up PHP
- uses: shivammathur/setup-php@v2
+ - name: Set up PHP
+ uses: shivammathur/setup-php@<full_sha> # v2.x.x
- - name: Cache Composer dependencies
- uses: actions/cache@v4
+ - name: Cache Composer dependencies
+ uses: actions/cache@13aacd865c20de7dacf956762e386575464c9241 # v4.0.0
🧰 Tools
🪛 GitHub Check: Codacy Static Code Analysis
[warning] 18-18: .github/workflows/phpcs.yml#L18
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/phpcs.yml around lines 14 - 33, Replace mutable action
references with pinned commit SHAs: change uses: actions/checkout@v4, uses:
shivammathur/setup-php@v2, and uses: actions/cache@v4 to their corresponding
full commit SHA pins (while keeping a short comment indicating the original tag
like "@v4" or "@v2" for maintainability). Update the three "uses:" entries in
the workflow to reference the full SHAs for actions/checkout,
shivammathur/setup-php, and actions/cache so the workflow is immutable and add
inline comments noting the semantic version tag.
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up PHP | ||
| uses: shivammathur/setup-php@v2 | ||
| with: | ||
| php-version: ${{ matrix.php-versions }} | ||
| extensions: mysqli, zip, gd | ||
| coverage: xdebug | ||
| tools: composer:v2, wp-cli | ||
|
|
||
| - name: Get Composer Cache Directory | ||
| id: composer-cache | ||
| run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT | ||
|
|
||
| - name: Cache Composer dependencies | ||
| uses: actions/cache@v4 | ||
| with: |
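Review bot: the Set up PHP step in this hunk enables `coverage: xdebug` in what the comment header identifies as phpcs.yml; a PHPCS job produces no coverage data, and Xdebug slows every PHP invocation (PHPCS included), so use `coverage: none` here as the ci.yml hunk above already does, and keep xdebug only in the PHPUnit job that actually generates a coverage report.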
🧩 Analysis chain
🏁 Script executed:
```bash
cat -n .github/workflows/phpunit.yml | head -60
```
Repository: raphaelsuzuki/pmpro-level-explorer
Length of output: 2378
🌐 Web query:
GitHub Actions security best practices pinning commit SHA
💡 Result:
Best practice: pin GitHub Actions to a full-length commit SHA
Why
- Pinning to a full-length commit SHA is currently the most reliable way to make an action reference immutable, reducing supply-chain risk from moved/retagged versions or a compromised upstream repo. GitHub explicitly recommends this for third-party actions. [1], [2]
How (recommended pattern)
Use a SHA in uses: and (optionally) keep the human-readable version as a comment:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
This improves traceability while keeping the dependency immutable. [2]
What to pin
- Prefer SHAs that correspond to a tagged release, not an arbitrary commit on
main, and verify the SHA is from the official repo (not a fork). [1], [2]
Keeping SHAs up to date safely
- Use Dependabot version updates to propose PRs that move you from one known-good SHA to the next. [1]
- Note: Dependabot alerts may not be generated for actions pinned to SHAs (GitHub documents this limitation), so pair SHA pinning with other monitoring/review practices. [1]
Enforce it with policy (recommended for orgs)
- GitHub provides repository/org/enterprise policies to require SHA pinning (and newer policy controls also support blocking specific actions/versions). [1], [2], [3]
Sources: GitHub Docs security hardening guidance [1], GitHub Well-Architected Actions security recommendations [2], GitHub Changelog (policy updates) [3].
Pin GitHub Actions to full commit SHAs for supply‑chain safety.
The three actions (actions/checkout@v4, shivammathur/setup-php@v2, actions/cache@v4) are unpinned to version tags, which can drift or be retagged. Pin each to its full commit SHA. GitHub officially recommends this to reduce supply-chain risk from tag reassignment or compromised upstream repos.
To find the SHA: use the GitHub UI (Actions tab → click the action run → scroll to see the actual SHA used), or query the release tag via GitHub API.
Optionally include the version tag as a comment for traceability:
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: shivammathur/setup-php@<full-commit-sha> # v2.x.x
uses: actions/cache@<full-commit-sha> # v4.x.x
🧰 Tools
🪛 GitHub Check: Codacy Static Code Analysis
[warning] 35-35: .github/workflows/phpunit.yml#L35
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/phpunit.yml around lines 31 - 48, Pin the GitHub Actions
usages to full commit SHAs to prevent tag drift: replace uses:
actions/checkout@v4, uses: shivammathur/setup-php@v2 and uses: actions/cache@v4
with their corresponding full commit SHAs (e.g.,
actions/checkout@<full-commit-sha>, shivammathur/setup-php@<full-commit-sha>,
actions/cache@<full-commit-sha>), and optionally append the human-friendly tag
as a comment for traceability; obtain the exact SHA from the GitHub UI or API as
suggested and update those three uses: entries accordingly.
| 1. **Prepare the test environment:** | ||
| You need a local MySQL database for testing. Run the following command to set up the WordPress test library (replace `db_user` and `db_password` as needed): | ||
| ```bash | ||
| bash bin/install-wp-tests.sh wordpress_tests db_user 'db_password' localhost latest | ||
| ``` |
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Search for the install-wp-tests.sh script in the repository
fd --hidden --no-ignore -t f 'install-wp-tests\.sh'
```
Repository: raphaelsuzuki/pmpro-level-explorer
Length of output: 60
🏁 Script executed:
```bash
#!/bin/bash
# Check CONTRIBUTING.md content around lines 33-37
echo "=== CONTRIBUTING.md lines 33-37 ==="
sed -n '33,37p' CONTRIBUTING.md
echo -e "\n=== Check if bin directory exists ==="
ls -la bin/ 2>/dev/null || echo "bin directory does not exist"
echo -e "\n=== Search for any test-related scripts ==="
fd --hidden --no-ignore -t f '(test|install)' | head -20
echo -e "\n=== Search for any shell scripts ==="
fd --hidden --no-ignore -t f '\.sh$' | head -20
```
Repository: raphaelsuzuki/pmpro-level-explorer
Length of output: 595
Remove or fix the non-existent test installer script reference.
The bin/install-wp-tests.sh script and bin directory do not exist in the repository. Either add the missing script or update CONTRIBUTING.md with the correct test setup instructions.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@CONTRIBUTING.md` around lines 33 - 37, Update CONTRIBUTING.md to remove or
replace the invalid reference to bin/install-wp-tests.sh: either add the missing
script to the repo or change the instructions to point to the correct test setup
method used by this project (e.g., provide steps for the actual test installer
or the alternative tool the repo uses), and ensure the example command and paths
mention the real script or tooling instead of bin/install-wp-tests.sh so users
can follow the instructions successfully.
| - **What it does:** Automatically checks for outdated or vulnerable Composer dependencies and opens pull requests. | ||
| - **Schedule:** Weekly (Monday mornings). | ||
| - **How to review:** When a Dependabot PR is opened, review the included changelog and verify that the CI checks (PHPCS and PHPUnit) have passed. | ||
| - **How to merge:** Once verified, you can merge the PR directly through the GitHub interface. |
Align Dependabot schedule text with configuration.
The README claims “Weekly (Monday mornings)”, but the config doesn’t specify day/time/timezone. Consider either setting day/time in .github/dependabot.yml or softening the README to avoid drift.
📝 Suggested README tweak
-- **Schedule:** Weekly (Monday mornings).
+- **Schedule:** Weekly (per `.github/dependabot.yml` settings).
📝 Committable suggestion
| - **What it does:** Automatically checks for outdated or vulnerable Composer dependencies and opens pull requests. | |
| - **Schedule:** Weekly (Monday mornings). | |
| - **How to review:** When a Dependabot PR is opened, review the included changelog and verify that the CI checks (PHPCS and PHPUnit) have passed. | |
| - **How to merge:** Once verified, you can merge the PR directly through the GitHub interface. | |
| - **What it does:** Automatically checks for outdated or vulnerable Composer dependencies and opens pull requests. | |
| - **Schedule:** Weekly (per `.github/dependabot.yml` settings). | |
| - **How to review:** When a Dependabot PR is opened, review the included changelog and verify that the CI checks (PHPCS and PHPUnit) have passed. | |
| - **How to merge:** Once verified, you can merge the PR directly through the GitHub interface. |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@README.md` around lines 13 - 16, The README's Dependabot schedule text
("Weekly (Monday mornings)") doesn't match the actual Dependabot config, so
either update the Dependabot config to include explicit schedule fields (set
day/time/timezone in .github/dependabot.yml) or soften the README wording to
remove the specific day/time; update the README line under the Dependabot
description to something like "Weekly" or "Weekly (time configured in
.github/dependabot.yml)" so the docs can't drift from the config.
🧹 Nitpick comments (2)
.github/workflows/phpunit.yml (1)
19-28: Pin the MySQL service image to a digest for reproducible CI.
mysql:5.7 is a mutable tag; pinning a digest avoids unexpected changes across runs.
🧷 Example digest pin
- image: mysql:5.7
+ image: mysql@sha256:<digest> # 5.7.x
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/phpunit.yml around lines 19 - 28, The CI uses the mutable tag services.mysql.image set to "mysql:5.7"; replace that mutable tag with a pinned digest (e.g., use services.mysql.image = mysql@sha256:<digest>) so the MySQL image is immutable and reproducible across runs—obtain the correct sha256 digest for the desired 5.7 manifest from Docker Hub or by pulling the image locally (docker pull mysql:5.7 && docker inspect --format='{{index .RepoDigests 0}}' mysql:5.7) and update the image value accordingly in the workflow.
.github/workflows/ci.yml (1)
50-59: Pin the MySQL service image to a digest for reproducible CI.
mysql:5.7 is a mutable tag; pinning a digest avoids unexpected changes across runs.
🧷 Example digest pin
- image: mysql:5.7
+ image: mysql@sha256:<digest> # 5.7.x
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/ci.yml around lines 50 - 59, Replace the mutable tag in the CI service declaration by pinning the mysql image to a specific digest: change the service entry that sets image: mysql:5.7 (the "mysql" service) to image: mysql@sha256:<actual-digest>; obtain the correct sha256 digest for the desired 5.7 manifest (for example via docker pull mysql:5.7 && docker inspect --format='{{index .RepoDigests 0}}' mysql:5.7 or by checking the official MySQL manifest list) and update the workflow YAML so CI uses that immutable image reference.
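A local pre-merge check for the two pinning findings raised across this thread (mutable action tags such as `actions/checkout@v4`, and the `mysql:5.7` service image). This is an added example, not CodeRabbit's or the repository's code; the workflow excerpt is constructed to mirror the reviewed ci.yml, and the digest value in it is a placeholder.

```python
import re

# 40-hex commit SHA: the only action reference GitHub treats as immutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# OCI image digest; a tag before "@" is irrelevant once a digest is present.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
IMAGE_RE = re.compile(r"^\s*-?\s*image:\s*['\"]?([^\s'\"#]+)")

FAKE_DIGEST = "0" * 64  # placeholder, not a real mysql digest

# Constructed excerpt modelled on the ci.yml under review (not the repo's file).
SAMPLE_CI_YML = f"""\
name: CI
on: [push, pull_request]
jobs:
  phpcs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.1'
      - name: Cache Composer dependencies
        uses: actions/cache@v4
      - name: Already pinned (SHA quoted in the review thread)
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Local composite action, nothing to pin
        uses: ./.github/actions/local-step
  phpunit:
    runs-on: ubuntu-latest
    services:
      mysql:
        image: mysql:5.7
      mysql_pinned:
        image: mysql@sha256:{FAKE_DIGEST}
"""


def is_pinned_action(ref: str) -> bool:
    """Local actions need no pin; anything else must end in a full commit SHA."""
    if ref.startswith("./"):
        return True
    if ref.startswith("docker://"):
        return bool(DIGEST_RE.search(ref))
    if "@" not in ref:
        return False  # bare reference resolves to the default branch
    return bool(SHA_RE.match(ref.rsplit("@", 1)[1]))


def is_pinned_image(ref: str) -> bool:
    """A service/container image is immutable only when referenced by digest."""
    return bool(DIGEST_RE.search(ref))


def scan_workflow(text: str, filename: str = "workflow.yml") -> list:
    """Return one finding per mutable action or image reference, with line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            if not is_pinned_action(m.group(1)):
                findings.append({"file": filename, "line": lineno,
                                 "kind": "action", "ref": m.group(1)})
            continue
        m = IMAGE_RE.match(line)
        if m and not is_pinned_image(m.group(1)):
            findings.append({"file": filename, "line": lineno,
                             "kind": "image", "ref": m.group(1)})
    return findings


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_CI_YML, "ci.yml"):
        print(f"{f['file']}:{f['line']}: unpinned {f['kind']} {f['ref']}")
```

Run it over `.github/workflows/*.yml` in a pre-commit hook or a CI job and fail when the list is non-empty; pair it with Dependabot `github-actions` updates, since Dependabot alerts are not raised for SHA-pinned actions.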