GitHub Action that diffs composer.lock between current branch and default branch

Overview

github-action-composer.lock-diff

Example output showing this action in action

Options (inputs)

This action supports the following option.

dryRun

Whether to run this action in dry-run mode or not. Setting this to yes will prevent this action from commenting.

  • Required: No
  • Type: string
  • Example: yes

Output

This action has two outputs, production and development, each holding the table for the respective set of dependencies.

Example

The following example comments on any PR. It uses the pull_request_target trigger, which gives it additional permissions. Be sure to read the documentation and this blog post on security before using this special trigger.

name: Composer Diff
on:
  ## To make this workflow work in the simplest way possible, without a PAT or juggling information between, we need to
  ## run it with permissions as if it was already merged.
  ## Refs: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target
  ## Refs: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
  ## Refs: https://twitter.com/WyriHaximus/status/1393679576828686340
  pull_request_target:
    types:
      - opened
      - synchronize
      - reopened
## This workflow needs the `pull-requests: write` permission to work
## Refs: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions
permissions:
  pull-requests: write
jobs:
  comment-composer-lock-diff:
    name: Comment composer.lock diff
    runs-on: ubuntu-latest
    steps:
      ## Use v1 as it will do a full checkout, where v2 will only do a partial and not fetch all heads, two of which
      ## we need to create the diff between the PR's branch and the PR's target branch.
      - uses: actions/checkout@v1
      - name: Comment composer.lock diff
        uses: WyriHaximus/github-action-composer.lock-diff@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
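
A heuristic check for the pattern the linked security post warns about, given here as an added example that is not part of this action or its README: it flags a pull_request_target workflow that checks out the pull request's head or grants write scopes. The line-based parsing, the finding names and RISKY_WORKFLOW are assumptions made for this example.

```python
import re

# The workflow from this page, abridged (comments and event types trimmed).
PAGE_WORKFLOW = """\
on:
  pull_request_target:
permissions:
  pull-requests: write
jobs:
  comment-composer-lock-diff:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - name: Comment composer.lock diff
        uses: WyriHaximus/github-action-composer.lock-diff@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

# Constructed counter-example: same trigger, no permissions block, and a
# checkout that brings the pull request's own code into the privileged run.
RISKY_WORKFLOW = """\
on: [pull_request_target]  # inline trigger form
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
"""

TRIGGER = re.compile(
    r"^[ \t]*(pull_request_target[ \t]*:|on[ \t]*:.*\bpull_request_target\b)", re.M)
STEP_START = re.compile(r"\s*-\s+[\w-]+\s*:")
HEAD_REF = re.compile(r"github\.(event\.pull_request\.head\.|head_ref)")

def _lines(text):
    """Non-blank lines with YAML comments removed."""
    stripped = (re.sub(r"(^|\s)#.*$", "", ln) for ln in text.splitlines())
    return [ln for ln in stripped if ln.strip()]

def uses_pull_request_target(text):
    """True for the key form and the inline forms of the trigger."""
    return bool(TRIGGER.search("\n".join(_lines(text))))

def steps(text):
    """Group lines into steps: a '- key:' line plus its more-indented lines."""
    out, cur, base = [], None, 0
    for ln in _lines(text):
        ind = len(ln) - len(ln.lstrip())
        if STEP_START.match(ln) and (cur is None or ind <= base):
            if cur:
                out.append("\n".join(cur))
            cur, base = [ln], ind
        elif cur is not None and ind > base:
            cur.append(ln)
        elif cur is not None:
            out.append("\n".join(cur))
            cur = None
    if cur:
        out.append("\n".join(cur))
    return out

def write_scopes(text):
    """Return (permissions block present?, set of scopes granted write)."""
    lines, declared, scopes = _lines(text), False, set()
    for i, ln in enumerate(lines):
        m = re.match(r"(\s*)permissions\s*:\s*(\S.*)?$", ln)
        if not m:
            continue
        declared = True
        if m.group(2):  # inline value such as write-all
            if "write" in m.group(2):
                scopes.add(m.group(2).strip())
            continue
        for nxt in lines[i + 1:]:
            if len(nxt) - len(nxt.lstrip()) <= len(m.group(1)):
                break
            key, _, value = nxt.strip().partition(":")
            if value.strip() == "write":
                scopes.add(key.strip())
    return declared, scopes

def audit(text):
    """Findings for a pull_request_target workflow; empty if not applicable."""
    if not uses_pull_request_target(text):
        return []
    declared, scopes = write_scopes(text)
    findings = [] if declared else ["no-permissions-block"]
    findings += [f"write:{s}" for s in sorted(scopes)]
    for step in steps(text):
        # Checking out the PR head brings untrusted code into the privileged run.
        if "actions/checkout@" in step and HEAD_REF.search(step):
            findings.append("checkout-of-pr-head")
    return findings
```

For the page's workflow the only finding is the single write scope it declares; the constructed variant is flagged for both the missing permissions block and the head checkout.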

License

Copyright 2021 Cees-Jan Kiewiet

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Comments
  • Bump ion-bazan/composer-diff from 1.1.0 to 1.1.1

    Bumps ion-bazan/composer-diff from 1.1.0 to 1.1.1.

    Release notes

    Sourced from ion-bazan/composer-diff's releases.

    v1.1.1

    🔧 Fix parsing platform versions like php: ^7.4.6 -> php: ^8.0 #2

    Commits
    • ae1fca2 Merge pull request #2 from IonBazan/bugfix/platform-versions
    • 124cbec fix parsing platform versions as they may contain the constraints there
    • See full diff in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    Dependencies 📦 PHP 🐘
    opened by dependabot[bot] 15
  • Keeps incorrectly reporting packages as changed

    I keep getting false positives on two packages.

    As you can see above the roave/security-advisories package reports as downgraded, even though 9999999-dev 77e3164 is exactly the same version as dev-latest 77e3164.

    As for friendsofsymfony/oauth-server-bundle dev-master is an alias of 2.0.x-dev, so 2.0.x-dev 5940472 and dev-master 5940472 are also exactly the same versions.

    I guess the problem is not actually related to your code (after looking through it briefly) but more likely due to problems in the https://github.com/IonBazan/composer-diff plugin you are using.

    Bug 🐞 
    opened by tannyl 14
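
The false positives reported in the issue above come from comparing version labels. The following added example (not code from this action or from composer-diff) compares the locked source reference instead, and goes one step beyond the issue by also flagging a package whose version label is unchanged while its reference moved. The status names, the `example/*` packages and their references are constructed; the other names and abbreviated hashes are the ones quoted in the issue, and which side is base or head is chosen arbitrarily.

```python
def _index(lock):
    """Map package name -> (version, reference) across both lock sections."""
    out = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            ref = ((pkg.get("source") or {}).get("reference")
                   or (pkg.get("dist") or {}).get("reference"))
            out[pkg["name"]] = (pkg.get("version"), ref)
    return out


def classify(base, head):
    """Classify each package by what actually changed between two lock files."""
    b, h = _index(base), _index(head)
    result = {}
    for name in sorted(set(b) | set(h)):
        if name not in b:
            result[name] = "added"
        elif name not in h:
            result[name] = "removed"
        else:
            (bv, br), (hv, hr) = b[name], h[name]
            if br and hr and br == hr:
                # Same commit: at most the label (branch alias) differs.
                result[name] = "unchanged" if bv == hv else "alias-only"
            elif br and hr and bv == hv:
                # Same label, different commit: invisible to a version-only diff.
                result[name] = "ref-changed"
            else:
                result[name] = "unchanged" if (bv, br) == (hv, hr) else "version-changed"
    return result


def _pkg(name, version, reference):
    # Minimal composer.lock package entry; real entries carry more keys.
    return {"name": name, "version": version,
            "source": {"type": "git", "reference": reference}}


# Constructed lock fragments (references abbreviated as in the issue).
BASE = {
    "packages": [
        _pkg("friendsofsymfony/oauth-server-bundle", "2.0.x-dev", "5940472"),
        _pkg("example/pinned-lib", "1.2.3", "aaaaaaa"),
    ],
    "packages-dev": [_pkg("roave/security-advisories", "9999999-dev", "77e3164")],
}
HEAD = {
    "packages": [
        _pkg("friendsofsymfony/oauth-server-bundle", "dev-master", "5940472"),
        _pkg("example/pinned-lib", "1.2.3", "bbbbbbb"),
        _pkg("example/new-lib", "0.1.0", "ccccccc"),
    ],
    "packages-dev": [_pkg("roave/security-advisories", "dev-latest", "77e3164")],
}
```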
  • Usage of deprecated `set-output`

    Hey there,

    thank you for this nice action. I found a small warning in our pipeline and wanted to drop you a note :-)

    ... and plan to fully disable them on 31st May 2023

    https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

    opened by pheller24 2
  • Bump guzzlehttp/guzzle from 7.4.2 to 7.4.5

    Bumps guzzlehttp/guzzle from 7.4.2 to 7.4.5.

    Release notes

    Sourced from guzzlehttp/guzzle's releases.

    Release 7.4.5

    See change log for changes.

    Release 7.4.4

    See change log for changes.

    Release 7.4.3

    See change log for changes.

    Changelog

    Sourced from guzzlehttp/guzzle's changelog.

    7.4.5 - 2022-06-20

    • Fix change in port should be considered a change in origin
    • Fix CURLOPT_HTTPAUTH option not cleared on change of origin

    7.4.4 - 2022-06-09

    • Fix failure to strip Authorization header on HTTP downgrade
    • Fix failure to strip the Cookie header on change in host or HTTP downgrade

    7.4.3 - 2022-05-25

    • Fix cross-domain cookie leakage
    Dependencies 📦 PHP 🐘
    opened by dependabot[bot] 2
  • Bump guzzlehttp/guzzle from 7.4.2 to 7.4.4

    Bumps guzzlehttp/guzzle from 7.4.2 to 7.4.4.

    Release notes

    Sourced from guzzlehttp/guzzle's releases.

    Release 7.4.4

    See change log for changes.

    Release 7.4.3

    See change log for changes.

    Changelog

    Sourced from guzzlehttp/guzzle's changelog.

    7.4.4 - 2022-06-09

    • Fix failure to strip Authorization header on HTTP downgrade
    • Fix failure to strip the Cookie header on change in host or HTTP downgrade

    7.4.3 - 2022-05-25

    • Fix cross-domain cookie leakage
    Dependencies 📦 PHP 🐘
    opened by dependabot[bot] 2
  • Bump guzzlehttp/guzzle from 7.4.2 to 7.4.3

    Bumps guzzlehttp/guzzle from 7.4.2 to 7.4.3.

    Release notes

    Sourced from guzzlehttp/guzzle's releases.

    Release 7.4.3

    See change log for changes.

    Changelog

    Sourced from guzzlehttp/guzzle's changelog.

    7.4.3 - 2022-05-25

    • Fix cross-domain cookie leakage
    Dependencies 📦 PHP 🐘
    opened by dependabot[bot] 2
  • Bump ion-bazan/composer-diff from 1.6.0 to 1.7.0

    Bumps ion-bazan/composer-diff from 1.6.0 to 1.7.0.

    Release notes

    Sourced from ion-bazan/composer-diff's releases.

    v1.7.0

    🔗 Use console hyperlinks for mdtable formatter. This is only supported by Symfony Console 4.3+ (when using as standalone) or Composer 2.3+ (when using as plugin). You may opt out of this feature (and other decorations) using --no-ansi flag. (#23)
    💯 Add tests for console decorations for supported formatters (mdtable and mdlist) (#23)

    Full Changelog: https://github.com/IonBazan/composer-diff/compare/v1.6.1...v1.7.0

    v1.6.1

    πŸ—’οΈ Add better logging for git commands (#19) πŸ’― Remove remaining PHP 8.1 deprecations (#19) πŸš€ Fix Composer 2.3 compatibility in tests (#19)

    Dependencies 📦 PHP 🐘
    opened by dependabot[bot] 2
  • Bump ion-bazan/composer-diff from 1.6.0 to 1.6.1

    Bumps ion-bazan/composer-diff from 1.6.0 to 1.6.1.

    Release notes

    Sourced from ion-bazan/composer-diff's releases.

    v1.6.1

    πŸ—’οΈ Add better logging for git commands (#19) πŸ’― Remove remaining PHP 8.1 deprecations (#19) πŸš€ Fix Composer 2.3 compatibility in tests (#19)

    Dependencies 📦 PHP 🐘
    opened by dependabot[bot] 2
  • Bump composer/composer from 2.2.9 to 2.3.2

    Bumps composer/composer from 2.2.9 to 2.3.2.

    Release notes

    Sourced from composer/composer's releases.

    2.3.2

    • Fixed type error when running exec command (#10672)
    • Fixed endless loop in plugin activation prompt when input is not fully interactive yet appears to be (#10648)
    • Fixed type error in ComposerRepository (#10675)
    • Fixed issues loading platform packages where the version of a library cannot be established (#10631)

    2.3.1

    • Fixed type error when HOME env var is not set (#10670)

    2.3.0

    Read the Composer 2.3 Release Announcement for more details on the release highlights.

    Complete Changelog

    • BC Break: the minimum PHP version is now 7.2.5+, use the Composer 2.2 LTS if you are stuck with an older PHP (#10343)
    • BC Break: added native parameter & return types to many internal APIs, we explicitly left the most extended/implemented symbols untouched but if this causes problems nonetheless please report it ASAP (#10547, #10561)
    • BC Break: added visibility to all constants, a few internal ones have been made private/protected, if this causes problems please report it ASAP (#10550)
    • BC Break: the minimum supported Symfony components version is now 5.4, this only affects you if you are requiring composer/composer directly however, which is generally frowned upon
    • Bumped composer-plugin-api to 2.3.0
    • Bumped bundled Symfony components from 2.8 to 5.4 🥳
    • Added declare(strict_types=1) to all the classes, which for sure could cause regressions in edge cases, please report with stack traces (#10567)
    • Added --patch-only to the outdated command to only show updates to patch versions and ignore new major/minor versions (#10589)
    • Added clickable links to various commands for terminals which support it (#10430)
    • Added ProcessExecutor ability to receive commands as arrays by (internals/plugin change only) (#10435)
    • Added abandoned flag to show/outdated commands JSON-formatted output (#10485)
    • Added config.reference option to path repositories to configure the way the reference is generated, and possibly reduce composer.lock conflicts (#10488)
    • Added automatic removal of allow-plugins rules when removing a plugin via the remove command (#10615)
    • Added COMPOSER_IGNORE_PLATFOR_REQ & COMPOSER_IGNORE_PLATFOR_REQS env vars to configure the equivalent flags (#10616)
    • Added support for Symfony 6.0 components
    • Added support for psr/log 3.x (#10454)
    • Fixed symlink creation in linux VM guest filesystems to be recognized by Windows (#10592)
    • Performance improvement in pool optimization step (#10585)
    • Performance improvement in Composer bootstrapping (version guessing) when on a feature branch (#10632)

    2.3.0-RC2

    • Fixed invalid return value in ComposerRepository::findPackage (#10622)
    • Fixed many show command issues due to a flipped condition (#10623)
    • Fixed phpversion() handling when it returns false due to an extension defining no version (#10631)
    • Fixed remove command failing when no allow-plugin is defined in config (#10629)
    • Performance improvement in Composer bootstrapping (version guessing) when on a feature branch (#10632)

    2.3.0-RC1

    Composer 2.3 is ready for a release, and we need your help to help test it and report any regression.

    This release is special as it contains almost only big internal changes allowing us to modernize our PHP code:

    • Upgraded minimum supported PHP version from 5.3.2 to 7.2.5
    • Upgraded symfony component dependencies from 2.8.x to 5.4.x
    • Added scalar parameter types where possible, this should not break anything as PHP 7.2 contravariance allows this
    • Added return types where possible. This will break code that extends ours and does not declare the same return types. For this reason, our most extended classes/interfaces have not been modified to retain BC: Composer\IO\*, Composer\Installer\*, Composer\Autoload\ClassLoader, Composer\InstalledVersions, Composer\Plugin\*, Composer\Repository\*, Composer\Util\{Filesystem,HttpDownloader,RemoteFilesystem} and a few select others. Hopefully this avoids most breakage, but we may still see some extensions break. If you can fix these breakages by adding return types and move on that would be the preferred way, but if they are breaking established plugins or others which cannot easily be updated everywhere they're used we will rollback those return type additions as needed.

    ... (truncated)

    Changelog

    Sourced from composer/composer's changelog.

    [2.3.2] 2022-03-30

    • Fixed type error when running exec command (#10672)
    • Fixed endless loop in plugin activation prompt when input is not fully interactive yet appears to be (#10648)
    • Fixed type error in ComposerRepository (#10675)
    • Fixed issues loading platform packages where the version of a library cannot be established (#10631)

    [2.3.1] 2022-03-30

    • Fixed type error when HOME env var is not set (#10670)

    [2.3.0] 2022-03-30

    [2.3.0-RC2] 2022-03-20

    • Fixed invalid return value in ComposerRepository::findPackage (#10622)
    • Fixed many show command issues due to a flipped condition (#10623)
    • Fixed phpversion() handling when it returns false due to an extension defining no version (#10631)
    • Fixed remove command failing when no allow-plugin is defined in config (#10629)
    • Performance improvement in Composer bootstrapping (version guessing) when on a feature branch (#10632)

    [2.3.0-RC1] 2022-03-16

    • BC Break: the minimum PHP version is now 7.2.5+, use the Composer 2.2 LTS if you are stuck with an older PHP (#10343)
    • BC Break: added native parameter & return types to many internal APIs, we explicitly left the most extended/implemented symbols untouched but if this causes problems nonetheless please report it ASAP (#10547, #10561)
    • BC Break: added visibility to all constants, a few internal ones have been made private/protected, if this causes problems please report it ASAP (#10550)
    • BC Break: the minimum supported Symfony components version is now 5.4, this only affects you if you are requiring composer/composer directly however, which is generally frowned upon
    • Bumped composer-plugin-api to 2.3.0
    • Bumped bundled Symfony components from 2.8 to 5.4 🥳
    • Added declare(strict_types=1) to all the classes, which for sure could cause regressions in edge cases, please report with stack traces (#10567)
    • Added --patch-only to the outdated command to only show updates to patch versions and ignore new major/minor versions (#10589)
    • Added clickable links to various commands for terminals which support it (#10430)
    • Added ProcessExecutor ability to receive commands as arrays by (internals/plugin change only) (#10435)
    • Added abandoned flag to show/outdated commands JSON-formatted output (#10485)
    • Added config.reference option to path repositories to configure the way the reference is generated, and possibly reduce composer.lock conflicts (#10488)
    • Added automatic removal of allow-plugins rules when removing a plugin via the remove command (#10615)
    • Added COMPOSER_IGNORE_PLATFOR_REQ & COMPOSER_IGNORE_PLATFOR_REQS env vars to configure the equivalent flags (#10616)
    • Added support for Symfony 6.0 components
    • Added support for psr/log 3.x (#10454)
    • Fixed symlink creation in linux VM guest filesystems to be recognized by Windows (#10592)
    • Performance improvement in pool optimization step (#10585)

    [2.2.10] 2022-03-29

    • Fixed Bitbucket authorization detection due to API changes (#10657)
    • Fixed validate command warning about dist/source keys if defined (#10655)
    • Fixed deletion/handling of corrupted 0-bytes zip archives (#10666)
    Commits
    • c3777ea Release 2.3.2
    • 3d04c56 Update changelog
    • f1e3ba7 Allow passing null to $prettyVersion to handle gracefully cases where a versi...
    • 146e036 Fix parsing of openssl versions with odd suffixes, refs #10631
    • bf01905 Update changelog
    • f1ff455 Fix handling of true return value for loadRootServerFile, fixes #10675
    • c3484ea Avoid endless loop when input looks interactive but isnt, fixes #10648
    • a71985c Update baseline (2150, 103)
    • b46dba2 Allow addListener to work with strings, fixes #10672
    • dca5e45 Reverting release version changes
    • Additional commits viewable in compare view

    Dependencies 📦 PHP 🐘
    opened by dependabot[bot] 2
  • Bump guzzlehttp/psr7 from 2.1.0 to 2.2.1

    Bumps guzzlehttp/psr7 from 2.1.0 to 2.2.1.

    Release notes

    Sourced from guzzlehttp/psr7's releases.

    2.2.1

    See change log for changes.

    2.2.0

    See change log for changes.

    2.1.2

    See change log for changes.

    2.1.1

    See change log for changes.

    Changelog

    Sourced from guzzlehttp/psr7's changelog.

    2.2.1 - 2022-03-20

    Fixed

    • Correct header value validation

    2.2.0 - 2022-03-20

    Added

    • A more compressive list of mime types
    • Add JsonSerializable to Uri
    • Missing return types

    Fixed

    • Bug MultipartStream no uri metadata
    • Bug MultipartStream with filename for data:// streams
    • Fixed new line handling in MultipartStream
    • Reduced RAM usage when copying streams
    • Updated parsing in Header::normalize()

    2.1.1 - 2022-03-20

    Fixed

    • Validate header values properly
    Dependencies 📦 PHP 🐘
    opened by dependabot[bot] 2
  • Bump composer/composer from 2.2.1 to 2.2.5

    Bumps composer/composer from 2.2.1 to 2.2.5.

    Release notes

    Sourced from composer/composer's releases.

    2.2.5

    • Disabled composer/package-versions-deprecated by default as it can function using Composer\InstalledVersions at runtime (#10458)
    • Fixed artifact repositories crashing if a phar file was present in the directory (#10406)
    • Fixed binary proxy issue on PHP <8 when fseek is used on the proxied binary path (#10468)
    • Fixed handling of non-string versions in package repositories metadata (#10470)

    2.2.4

    • Fixed handling of process timeout when running async processes during installation
    • Fixed GitLab API handling when projects have a repository disabled (#10440)
    • Fixed reading of environment variables (e.g. APPDATA) containing unicode characters to workaround a PHP bug on Windows (#10434)
    • Fixed partial update issues with path repos missing if a path repo is required by a path repo (#10431)
    • Fixed support for sourcing binaries via the new bin proxies (#10389)
    • Fixed messaging when GitHub tokens need SSO authorization (#10432)

    2.2.3

    • Fixed issue with PHPUnit and process isolation now including PHPUnit <6.5 (#10387)
    • Fixed interoperability issue with laminas/laminas-zendframework-bridge and Composer 2.2 (#10401)
    • Fixed binary proxies for shell scripts to work correctly when they are symlinked (jakzal/phpqa#336)
    • Fixed overly greedy pool optimization in cases where a locked package is not required by anything anymore in a partial update (#10405)

    2.2.2

    • Added COMPOSER_BIN_DIR env var and _composer_bin_dir global containing the path to the bin-dir for binaries. Packages relying on finding the bin dir with $BASH_SOURCES[0] will need to update their binaries (#10402)
    • Fixed issue when new binary proxies are combined with PHPUnit and process isolation (#10387)
    • Fixed deprecation warnings when using Symfony 5.4+ and requiring composer/composer itself (#10404)
    • Fixed UX of plugin warnings (#10381)
    Changelog

    Sourced from composer/composer's changelog.

    [2.2.5] 2022-01-21

    • Disabled composer/package-versions-deprecated by default as it can function using Composer\InstalledVersions at runtime (#10458)
    • Fixed artifact repositories crashing if a phar file was present in the directory (#10406)
    • Fixed binary proxy issue on PHP <8 when fseek is used on the proxied binary path (#10468)
    • Fixed handling of non-string versions in package repositories metadata (#10470)

    [2.2.4] 2022-01-08

    • Fixed handling of process timeout when running async processes during installation
    • Fixed GitLab API handling when projects have a repository disabled (#10440)
    • Fixed reading of environment variables (e.g. APPDATA) containing unicode characters to workaround a PHP bug on Windows (#10434)
    • Fixed partial update issues with path repos missing if a path repo is required by a path repo (#10431)
    • Fixed support for sourcing binaries via the new bin proxies (#10389)
    • Fixed messaging when GitHub tokens need SSO authorization (#10432)

    [2.2.3] 2021-12-31

    • Fixed issue with PHPUnit and process isolation now including PHPUnit <6.5 (#10387)
    • Fixed interoperability issue with laminas/laminas-zendframework-bridge and Composer 2.2 (#10401)
    • Fixed binary proxies for shell scripts to work correctly when they are symlinked (jakzal/phpqa#336)
    • Fixed overly greedy pool optimization in cases where a locked package is not required by anything anymore in a partial update (#10405)

    [2.2.2] 2021-12-29

    • Added COMPOSER_BIN_DIR env var and _composer_bin_dir global containing the path to the bin-dir for binaries. Packages relying on finding the bin dir with $BASH_SOURCES[0] will need to update their binaries (#10402)
    • Fixed issue when new binary proxies are combined with PHPUnit and process isolation (#10387)
    • Fixed deprecation warnings when using Symfony 5.4+ and requiring composer/composer itself (#10404)
    • Fixed UX of plugin warnings (#10381)
    Commits
    • 22c41ef Release 2.2.5
    • ac5ae4e Update changelog
    • 8c0b4ff Also retry for HTTP2 stream errors, fixes #10462
    • 3b4afaa ArrayLoader/ValidatingArrayLoader: handle non-string values for version/versi...
    • 6b8f140 report error if binary is a directory (#10463)
    • af60130 Ignore phar files in artifact repo, fixes #10406
    • 0228e5b Clean up properly if self-update fails (#10475)
    • e3d99ca Fix phpstan issues, update baseline and pin PHPStan version in 2.2 branch (#1...
    • e103ee0 Remove getenv workaround on fixed PHP versions
    • db64534 Fixed bin proxies on PHP < 8 to support stream_seek (#10468)
    • Additional commits viewable in compare view

    Dependencies 📦 PHP 🐘
    opened by dependabot[bot] 2
  • Comparison should happen with the branch point instead of current main branch

    I noticed something weird with this great action (thanks for that 💙):

    I merged a PR from Dependabot that upgraded spaze/phpstan-disallowed-calls from v2.3.1 to v2.3.2.

    Then a new PR popped up that upgraded symfony/dependency-injection from 6.0.7 to 6.0.8, and this action commented this: [Screenshot 2022-04-28 at 11 19 54@2x]

    The top comment is correct, but the bottom comment is not. The PR doesn't downgrade at all!

    The reason for this is that the action compares against the composer.json from main at the time of running the action.

    Instead, it should not do this at all. It should find the branch point (parent commit) and compare against the composer.json from that commit instead.

    This is a snippet that I use in another action:

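    # Find the oldest commit that is on the current branch but not on origin/main,
    # then take its parent: the commit the branch was created from.
    branchPoint=$(
        git log --no-merges --graph --oneline --decorate "origin/main..$(git branch --show-current)" | \
        tac | \
        grep -o '[a-f0-9]\{7,11\}' | \
        head -n 1 | \
        xargs -I '{}' git rev-parse "{}^"
    )

    # Write the file as it was at the branch point.
    git show "$branchPoint:schema.graphql" > schema.old.graphql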
    
    opened by ruudk 12
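Why the baseline matters for the issue above, as an added example (not code from this action or from the issue author): it diffs a PR's composer.lock once against the tip of main and once against the branch point, the commit `git merge-base` would report. The lock contents are constructed, the function names are hypothetical, and versions are assumed to be plain numeric tags.

```python
import json

def load_versions(lock_text, section):
    """Map package name -> version for one composer.lock section."""
    return {p["name"]: p["version"] for p in json.loads(lock_text).get(section, [])}

def version_key(version):
    """Sort key for plain numeric versions such as 'v2.3.1' (assumption: no suffixes)."""
    return tuple(int(part) for part in version.lstrip("v").split("."))

def lock_diff(old_text, new_text, section="packages"):
    """Return sorted (name, old, new, kind) rows for packages that differ."""
    old, new = load_versions(old_text, section), load_versions(new_text, section)
    rows = []
    for name in sorted(old.keys() | new.keys()):
        before, after = old.get(name), new.get(name)
        if before == after:
            continue
        if before is None:
            kind = "added"
        elif after is None:
            kind = "removed"
        else:
            a, b = version_key(before), version_key(after)
            kind = "upgraded" if b > a else "downgraded" if b < a else "changed"
        rows.append((name, before, after, kind))
    return rows

def make_lock(spaze, symfony):
    """Constructed minimal composer.lock; real lock files carry many more fields."""
    return json.dumps({
        "packages": [{"name": "symfony/dependency-injection", "version": symfony}],
        "packages-dev": [{"name": "spaze/phpstan-disallowed-calls", "version": spaze}],
    })

# Constructed history matching the issue: the PR branched before main picked up v2.3.2.
BRANCH_POINT = make_lock("v2.3.1", "v6.0.7")
MAIN_TIP = make_lock("v2.3.2", "v6.0.7")
PR_HEAD = make_lock("v2.3.1", "v6.0.8")

def report(baseline):
    """Diff PR_HEAD against a baseline for both production and development sections."""
    return {s: lock_diff(baseline, PR_HEAD, s) for s in ("packages", "packages-dev")}

if __name__ == "__main__":
    print("vs main tip:    ", report(MAIN_TIP))
    print("vs branch point:", report(BRANCH_POINT))
```

Against the tip of main the report contains a downgrade the PR never made; against the branch point only the symfony/dependency-injection upgrade remains, which is what a reviewer needs to see.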
  • Actions v2 and fetch-depth

    According to the documentation of https://github.com/actions/checkout

        # Number of commits to fetch. 0 indicates all history for all branches and tags.
        # Default: 1
        fetch-depth: ''
    

    Perhaps this action would work with a fetch-depth of 0? checkout v2 has numerous other improvements so moving to v1 might not be possible for everyone.

    opened by NanoSector 3
Releases(v1.3.0)
Owner
Cees-Jan Kiewiet
@WyriMaps, @reactphp core maintainer, highly interested in asynchronous programming, and generic maniac