chore: add security policy

chore(deps): limit dependabot to maintained branches (4.x + 5.x)
chore: enable Dependabot version updates for GitHub Actions (#1700 )
2026-06-05 02:52:12 +02:00 · 2026-05-12 02:48:25 +01:00 · 2026-05-12 02:34:08 +01:00 · 2026-05-11 22:12:07 -03:00 · 2026-05-12 02:08:47 +01:00
4 changed files with 38 additions and 6 deletions
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@ -0,0 +1,13 @@
+# Security Policy
+
+**PLEASE DON'T DISCLOSE SECURITY-RELATED ISSUES PUBLICLY, [SEE BELOW](#reporting-a-vulnerability).**
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in Pest, please report it privately using one of the following channels:
+
+1. **GitHub Private Vulnerability Reporting** (preferred) — go to the repository's **Security** tab and click **"Report a vulnerability"**. This creates a private advisory visible only to maintainers and provides a structured workflow for triage, fix coordination, and CVE assignment.
+
+2. **Email** — send the details to Nuno Maduro at **enunomaduro@gmail.com**.
+
+All security vulnerabilities will be promptly addressed.
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,19 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    target-branch: "5.x"
+    groups:
+      github-actions:
+        patterns:
+          - "*"
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
@ -28,10 +28,10 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

    - name: Setup PHP
-      uses: shivammathur/setup-php@v2
+      uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
      with:
        php-version: 8.3
        tools: composer:v2
@ -44,7 +44,7 @@ jobs:
      run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT

    - name: Cache Composer dependencies
-      uses: actions/cache@v5
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
      with:
        path: ${{ steps.composer-cache.outputs.dir }}
        key: static-php-8.3-${{ matrix.dependency-version }}-composer-${{ hashFiles('**/composer.json', '**/composer.lock') }}
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@ -35,10 +35,10 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

    - name: Setup PHP
-      uses: shivammathur/setup-php@v2
+      uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
      with:
        php-version: ${{ matrix.php }}
        tools: composer:v2
@ -51,7 +51,7 @@ jobs:
      run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT

    - name: Cache Composer dependencies
-      uses: actions/cache@v5
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
      with:
        path: ${{ steps.composer-cache.outputs.dir }}
        key: ${{ matrix.os }}-php-${{ matrix.php }}-symfony-${{ matrix.symfony }}-composer-${{ hashFiles('**/composer.json', '**/composer.lock') }}
Author	SHA1	Message	Date
nuno maduro	d649de1988	chore: add security policy	2026-05-12 02:48:25 +01:00
nuno maduro	783ca4bcd6	chore(deps): limit dependabot to maintained branches (4.x + 5.x)	2026-05-12 02:34:08 +01:00
nuno maduro	ba07497219	chore: enable Dependabot version updates for GitHub Actions (#1700 )	2026-05-11 22:12:07 -03:00
nuno maduro	1ca021dea6	chore: pin GitHub Actions to commit SHAs (#1695 ) * chore: pin GitHub Actions to commit SHAs * chore: pin GitHub Actions to commit SHAs	2026-05-12 02:08:47 +01:00