chore(ci): add security baseline (SECURITY.md, audit, CodeQL, dependabot, concurrency)

.github/dependabot.yml

@@ -0,0 +1,42 @@
+version: 2
+
+updates:
+  - package-ecosystem: composer
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: monday
+      time: "06:00"
+      timezone: Etc/UTC
+    open-pull-requests-limit: 10
+    labels:
+      - dependencies
+    groups:
+      php-static-analysis:
+        patterns:
+          - "phpstan/*"
+          - "rector/*"
+      php-testing:
+        patterns:
+          - "phpunit/*"
+          - "guzzlehttp/*"
+
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: monday
+      time: "06:00"
+      timezone: Etc/UTC
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - github-actions
+
+  - package-ecosystem: docker
+    directory: "/docker/php"
+    schedule:
+      interval: monthly
+    labels:
+      - dependencies
+      - docker

.github/workflows/codeql.yml

@@ -0,0 +1,44 @@
+name: 'CodeQL'
+
+on:
+  push:
+    branches: ['9.x']
+  pull_request:
+    branches: ['9.x']
+  schedule:
+    # Run weekly to catch newly published advisories.
+    - cron: '17 6 * * 1'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  analyze:
+    name: 'Analyze (${{ matrix.language }})'
+    runs-on: 'ubuntu-24.04'
+    timeout-minutes: 30
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['actions']
+        # PHP support in CodeQL is in beta as of 2026; revisit and add 'php'
+        # to the matrix once it leaves beta.
+    steps:
+      - name: 'Checkout'
+        uses: 'actions/checkout@v4'
+
+      - name: 'Initialize CodeQL'
+        uses: 'github/codeql-action/init@v3'
+        with:
+          languages: ${{ matrix.language }}
+          queries: 'security-and-quality'
+
+      - name: 'Perform CodeQL Analysis'
+        uses: 'github/codeql-action/analyze@v3'
+        with:
+          category: '/language:${{ matrix.language }}'

.github/workflows/continuous-integration.yaml

@@ -1,7 +1,34 @@
 name: 'Continuous integration'
 on: ['push', 'pull_request']
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 jobs:
+  audit:
+    runs-on: 'ubuntu-24.04'
+    name: 'Composer audit'
+    steps:
+      - name: 'Checkout'
+        uses: 'actions/checkout@v4'
+
+      - name: 'Setup PHP'
+        uses: 'shivammathur/setup-php@v2'
+        with:
+          php-version: '8.4'
+          coverage: 'none'
+          tools: 'composer:v2'
+
+      - name: 'Install dependencies with Composer'
+        uses: 'ramsey/composer-install@v3'
+        with:
+          composer-options: '--prefer-dist'
+
+      - name: 'Run composer audit'
+        run: composer audit --abandoned=report --no-interaction
+
   cs:
     runs-on: 'ubuntu-24.04'
     name: 'Coding style'
     steps:

CHANGELOG.md

@@ -16,6 +16,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Removed
 ### Fixed
 ### Security
+* Added a `SECURITY.md` file describing the supported branches and the private vulnerability-disclosure process.
+* Added a `composer audit` job to the CI pipeline so PRs surface known advisories early.
+* Added a CodeQL workflow that runs `security-and-quality` queries on the repository's GitHub Actions on every push, pull request, and weekly on a schedule.
+* Added Dependabot configuration to keep Composer, GitHub Actions, and Docker dependencies up to date.
+* Added a workflow `concurrency` group to cancel in-progress runs when a new commit lands on the same pull request.
 
 
 ## [9.0.0](https://github.com/ruflin/Elastica/compare/8.x...9.0.0)

SECURITY.md

@@ -0,0 +1,54 @@
+# Security Policy
+
+## Supported Versions
+
+Security fixes are provided for the latest minor release of each supported
+major version. The supported branches at any time mirror the
+[Elasticsearch end-of-life schedule](https://www.elastic.co/support/eol).
+
+| Branch | Elasticsearch | PHP        | Status                |
+|--------|---------------|------------|-----------------------|
+| 9.x    | 9.x           | 8.1 – 8.5  | Active development    |
+| 8.x    | 8.x           | 8.0 – 8.3  | Security fixes only   |
+| 7.x    | 7.x           | 7.2+       | End of life           |
+| 6.x    | 6.x           | 7.0+       | End of life           |
+
+Anything older than 7.x is unmaintained.
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in Elastica, **please do not open
+a public GitHub issue**. Instead use one of the following private channels:
+
+- Open a [GitHub Security Advisory](https://github.com/ruflin/Elastica/security/advisories/new)
+  on the repository (preferred).
+- Or email the maintainer directly at `spam@ruflin.com` with the subject
+  prefix `[Elastica security]`.
+
+Please include:
+
+- A description of the vulnerability and its impact.
+- Steps to reproduce, ideally with a minimal proof of concept.
+- The Elastica version and PHP version you tested against.
+- Any suggested mitigation, if available.
+
+You can expect an initial acknowledgement within **5 business days** and a
+coordinated disclosure window of up to **90 days** while a fix is prepared
+and released. Credits are given in the release notes unless you ask to
+remain anonymous.
+
+## Scope
+
+The following are in scope:
+
+- Code published as part of the [`ruflin/elastica`](https://packagist.org/packages/ruflin/elastica)
+  Composer package.
+- Continuous-integration workflows and reusable scripts shipped with the
+  repository.
+
+Out of scope:
+
+- Vulnerabilities in third-party dependencies (please report those upstream
+  to their maintainers); we will track and bump impacted versions once a
+  fix is available there.
+- Vulnerabilities in user code that incorrectly uses Elastica.