Skip to content

Bump shivammathur/setup-php from 083d5237d9340d541bf95e2a6eceaf3529b85892 to 3fa88f249467922a9b7f10bd5980d53bce780336 in the github-actions group across 1 directory#260

Merged
Kocal merged 1 commit into
2.xfrom
dependabot/github_actions/github-actions-6b06ace5da
Jun 24, 2026
Merged

Bump shivammathur/setup-php from 083d5237d9340d541bf95e2a6eceaf3529b85892 to 3fa88f249467922a9b7f10bd5980d53bce780336 in the github-actions group across 1 directory#260
Kocal merged 1 commit into
2.xfrom
dependabot/github_actions/github-actions-6b06ace5da

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 24, 2026

Copy link
Copy Markdown
Contributor

Bumps the github-actions group with 1 update in the / directory: shivammathur/setup-php.

Updates shivammathur/setup-php from 083d5237d9340d541bf95e2a6eceaf3529b85892 to 3fa88f249467922a9b7f10bd5980d53bce780336

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 24, 2026
@carsonbot carsonbot added the Status: Needs Review Needs to be reviewed label Jun 24, 2026
@Kocal

Kocal commented Jun 24, 2026

Copy link
Copy Markdown
Member

@dependabot rebase

Bumps the github-actions group with 1 update in the / directory: [shivammathur/setup-php](https://github.com/shivammathur/setup-php).


Updates `shivammathur/setup-php` from 083d5237d9340d541bf95e2a6eceaf3529b85892 to 3fa88f249467922a9b7f10bd5980d53bce780336
- [Release notes](https://github.com/shivammathur/setup-php/releases)
- [Commits](shivammathur/setup-php@083d523...3fa88f2)

---
updated-dependencies:
- dependency-name: shivammathur/setup-php
  dependency-version: 3fa88f249467922a9b7f10bd5980d53bce780336
  dependency-type: direct:production
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Bump shivammathur/setup-php from 083d5237d9340d541bf95e2a6eceaf3529b85892 to 3fa88f249467922a9b7f10bd5980d53bce780336 in the github-actions group Bump shivammathur/setup-php from 083d5237d9340d541bf95e2a6eceaf3529b85892 to 3fa88f249467922a9b7f10bd5980d53bce780336 in the github-actions group across 1 directory Jun 24, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/github-actions-6b06ace5da branch from e56404c to ff7b506 Compare June 24, 2026 07:24
@Kocal Kocal merged commit 5d177e3 into 2.x Jun 24, 2026
15 of 16 checks passed
@dependabot dependabot Bot deleted the dependabot/github_actions/github-actions-6b06ace5da branch June 24, 2026 07:26
@OskarStark

Copy link
Copy Markdown

Is there a reason for not using a dedicated version?

@Kocal

Kocal commented Jun 24, 2026

Copy link
Copy Markdown
Member

It's for improving the security, tags can be silently replaced and introduce malicious code, where it's not possible for with a commit hash. You can read more at https://www.stepsecurity.io/blog/pinning-github-actions-for-enhanced-security-a-complete-guide

@stof

stof commented Jun 24, 2026

Copy link
Copy Markdown
Member

@Kocal a common convention is to have a comment next to it mentioning the version that we are targeting though.

@Kocal

Kocal commented Jun 24, 2026

Copy link
Copy Markdown
Member

Yeah, but AFAIK unfortunately Dependabot won't update the version-comment next to the commit hash, that's why I didn't add it (I prefer no information at all rather than wrong information)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code Status: Needs Review Needs to be reviewed

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants