diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..829fb89ae --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,42 @@ +version: 2 + +updates: + - package-ecosystem: composer + directory: "/" + schedule: + interval: weekly + day: monday + time: "06:00" + timezone: Etc/UTC + open-pull-requests-limit: 10 + labels: + - dependencies + groups: + php-static-analysis: + patterns: + - "phpstan/*" + - "rector/*" + php-testing: + patterns: + - "phpunit/*" + - "guzzlehttp/*" + + - package-ecosystem: github-actions + directory: "/" + schedule: + interval: weekly + day: monday + time: "06:00" + timezone: Etc/UTC + open-pull-requests-limit: 5 + labels: + - dependencies + - github-actions + + - package-ecosystem: docker + directory: "/docker/php" + schedule: + interval: monthly + labels: + - dependencies + - docker diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 000000000..726dd2c48 --- /dev/null +++ b/.github/workflows/codeql.yml 
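Review bot: The `docker` entry for `/docker/php` runs `monthly` while the `composer` and `github-actions` entries run `weekly` at a fixed Monday 06:00 UTC slot, and nothing in the file records why the cadences differ, so the next maintainer is likely to "fix" the inconsistency. A one-line comment above `- package-ecosystem: docker` stating the reason would settle it. It is also worth stating in that comment, if this is the intent, that the `schedule` only governs routine version bumps — advisory-driven Dependabot security updates are raised independently of it, as far as I know — so the monthly interval does not delay base-image fixes that carry an advisory.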
@@ -0,0 +1,44 @@ +name: 'CodeQL' + +on: + push: + branches: ['9.x'] + pull_request: + branches: ['9.x'] + schedule: + # Run weekly to catch newly published advisories. + - cron: '17 6 * * 1' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + +jobs: + analyze: + name: 'Analyze (${{ matrix.language }})' + runs-on: 'ubuntu-24.04' + timeout-minutes: 30 + permissions: + contents: read + security-events: write + actions: read + strategy: + fail-fast: false + matrix: + language: ['actions'] + # PHP support in CodeQL is in beta as of 2026; revisit and add 'php' + # to the matrix once it leaves beta. + steps: + - name: 'Checkout' + uses: 'actions/checkout@v4' + + - name: 'Initialize CodeQL' + uses: 'github/codeql-action/init@v3' + with: + languages: ${{ matrix.language }} + queries: 'security-and-quality' + + - name: 'Perform CodeQL Analysis' + uses: 'github/codeql-action/analyze@v3' + with: + category: '/language:${{ matrix.language }}' diff --git a/.github/workflows/continuous-integration.yaml b/.github/workflows/continuous-integration.yaml index 5746081c0..99175e956 100644 --- a/.github/workflows/continuous-integration.yaml +++ b/.github/workflows/continuous-integration.yaml 
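Review bot: Every `uses:` in this workflow pins to a mutable major tag (`actions/checkout@v4`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`) while the job holds `security-events: write`, so a re-pointed tag would run third-party code with the ability to write to the repository's code-scanning results. Pin each action to its full commit SHA and keep the version as a trailing comment, e.g. `uses: 'actions/checkout@<full-commit-sha>'  # v4`; the `github-actions` Dependabot entry added in this same commit keeps SHA pins current, so the pins will not go stale. The same tag-only pinning appears in the new `audit` job in continuous-integration.yaml and should be tightened there too.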
@@ -1,6 +1,33 @@ name: 'Continuous integration' on: ['push', 'pull_request'] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + jobs: + audit: + runs-on: 'ubuntu-24.04' + name: 'Composer audit' + steps: + - name: 'Checkout' + uses: 'actions/checkout@v4' + + - name: 'Setup PHP' + uses: 'shivammathur/setup-php@v2' + with: + php-version: '8.4' + coverage: 'none' + tools: 'composer:v2' + + - name: 'Install dependencies with Composer' + uses: 'ramsey/composer-install@v3' + with: + composer-options: '--prefer-dist' + + - name: 'Run composer audit' + run: composer audit --abandoned=report --no-interaction + cs: runs-on: 'ubuntu-24.04' name: 'Coding style' diff --git a/CHANGELOG.md b/CHANGELOG.md index b4e7e1579..b1ad3e9f2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Removed ### Fixed ### Security +* Added a `SECURITY.md` file describing the supported branches and the private vulnerability-disclosure process. +* Added a `composer audit` job to the CI pipeline so PRs surface known advisories early. +* Added a CodeQL workflow that runs `security-and-quality` queries on the repository's GitHub Actions on every push, pull request, and weekly on a schedule. +* Added Dependabot configuration to keep Composer, GitHub Actions, and Docker dependencies up to date. +* Added a workflow `concurrency` group to cancel in-progress runs when a new commit lands on the same pull request. ## [9.0.0](https://github.com/ruflin/Elastica/compare/8.x...9.0.0) diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..d897e8759 --- /dev/null +++ b/SECURITY.md 
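Review bot: The new `audit` job runs with whatever the repository's default `GITHUB_TOKEN` permissions are, because neither the job nor the top of the workflow (visible from line 1 in this hunk) declares `permissions:`, and that default may be read/write. A job that only checks out, installs and audits needs no more than `permissions:` / `contents: read` under `audit:`, matching the per-job block the new CodeQL workflow in this commit already uses. Separately, `php-version: '8.4'` is the only runtime the audit uses; since `composer audit` works from the lock file this is harmless, but a comment above the step such as `# audit is lockfile-based; the PHP version only needs to satisfy the platform requirements` would make the choice deliberate. The `cs` job and the rest of `jobs:` continue outside the hunk.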
@@ -0,0 +1,54 @@ +# Security Policy + +## Supported Versions + +Security fixes are provided for the latest minor release of each supported +major version. The supported branches at any time mirror the +[Elasticsearch end-of-life schedule](https://www.elastic.co/support/eol). + +| Branch | Elasticsearch | PHP | Status | +|--------|---------------|------------|-----------------------| +| 9.x | 9.x | 8.1 – 8.5 | Active development | +| 8.x | 8.x | 8.0 – 8.3 | Security fixes only | +| 7.x | 7.x | 7.2+ | End of life | +| 6.x | 6.x | 7.0+ | End of life | + +Anything older than 7.x is unmaintained. + +## Reporting a Vulnerability + +If you discover a security vulnerability in Elastica, **please do not open +a public GitHub issue**. Instead use one of the following private channels: + +- Open a [GitHub Security Advisory](https://github.com/ruflin/Elastica/security/advisories/new) + on the repository (preferred). +- Or email the maintainer directly at `spam@ruflin.com` with the subject + prefix `[Elastica security]`. + +Please include: + +- A description of the vulnerability and its impact. +- Steps to reproduce, ideally with a minimal proof of concept. +- The Elastica version and PHP version you tested against. +- Any suggested mitigation, if available. + +You can expect an initial acknowledgement within **5 business days** and a +coordinated disclosure window of up to **90 days** while a fix is prepared +and released. Credits are given in the release notes unless you ask to +remain anonymous. + +## Scope + +The following are in scope: + +- Code published as part of the [`ruflin/elastica`](https://packagist.org/packages/ruflin/elastica) + Composer package. +- Continuous-integration workflows and reusable scripts shipped with the + repository. + +Out of scope: + +- Vulnerabilities in third-party dependencies (please report those upstream + to their maintainers); we will track and bump impacted versions once a + fix is available there. 
+- Vulnerabilities in user code that incorrectly uses Elastica.