statamic · jasonvarga · May 18, 2026 · May 18, 2026 · May 18, 2026 · May 18, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -8,3 +8,5 @@ updates:
       github-actions:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/code-style-lint.yml b/.github/workflows/code-style-lint.yml
@@ -3,13 +3,23 @@ name: Lint code style issues
 on:
   pull_request:
 
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  lint-code-styling:
+  lint-code-styling: # zizmor: ignore[anonymous-definition]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Get changed files
         id: changed-files
@@ -20,7 +30,7 @@ jobs:
 
       - name: Check PHP code style issues
         if: steps.changed-files.outputs.any_modified == 'true'
-        uses: aglipanci/laravel-pint-action@36de00d5f5a8a4e12d443e01671daa12a18f4c79 # v2.6
+        uses: aglipanci/laravel-pint-action@36de00d5f5a8a4e12d443e01671daa12a18f4c79 # 2.6
         with:
           testMode: true
           verboseMode: true

diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
@@ -4,9 +4,16 @@ on:
   pull_request:
     types: [opened, edited, synchronize, reopened]
 
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  pr-title:
+  pr-title: # zizmor: ignore[anonymous-definition]
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
       - name: Validate PR title matches target branch
         env:

diff --git a/.github/workflows/pull-requests.yml b/.github/workflows/pull-requests.yml
@@ -4,16 +4,21 @@ name: Pull Requests
 #         https://github.com/laravel/.github/blob/main/.github/workflows/pull-requests.yml
 
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers]
     types:
       - opened
 
-permissions:
-  pull-requests: write
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
 
 jobs:
-  uneditable:
+  uneditable: # zizmor: ignore[anonymous-definition]
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write # post comment and close PRs that don't allow maintainer edits
     steps:
       - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,21 +1,28 @@
 name: Create Release
 
-on:
+on: # zizmor: ignore[concurrency-limits]
   push:
     tags:
       - 'v*'
 
+permissions: {}
+
 jobs:
-  build:
+  build: # zizmor: ignore[anonymous-definition]
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # create GitHub release and upload assets
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Use Node.js 20.19.0
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 20.19.0
+          package-manager-cache: false
 
       - name: Install dependencies
         run: npm ci
@@ -30,57 +37,22 @@ jobs:
           version: ${{ github.ref }}
 
       - name: Create release
-        id: create_release
-        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: ${{ steps.changelog.outputs.version }}
-          release_name: ${{ steps.changelog.outputs.version }}
-          body: ${{ steps.changelog.outputs.text }}
-          prerelease: false
-
-      - name: Upload dist zip to release
-        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./resources/dist.tar.gz
-          asset_name: dist.tar.gz
-          asset_content_type: application/tar+gz
-
-      - name: Upload dist-dev zip to release
-        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./resources/dist-dev.tar.gz
-          asset_name: dist-dev.tar.gz
-          asset_content_type: application/tar+gz
-
-      - name: Upload dist-frontend zip to release
-        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./resources/dist-frontend.tar.gz
-          asset_name: dist-frontend.tar.gz
-          asset_content_type: application/tar+gz
-
-      - name: Upload dist-package zip to release
-        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./resources/dist-package.tar.gz
-          asset_name: dist-package.tar.gz
-          asset_content_type: application/tar+gz
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_VERSION: ${{ steps.changelog.outputs.version }}
+          RELEASE_NOTES: ${{ steps.changelog.outputs.text }}
+        run: |
+          gh release create "$RELEASE_VERSION" \
+            --title "$RELEASE_VERSION" \
+            --notes "$RELEASE_NOTES" \
+            ./resources/dist.tar.gz \
+            ./resources/dist-dev.tar.gz \
+            ./resources/dist-frontend.tar.gz \
+            ./resources/dist-package.tar.gz
 
       - name: Deploy Storybook to Forge
         continue-on-error: true
+        env:
+          FORGE_STORYBOOK_WEBHOOK: ${{ secrets.FORGE_STORYBOOK_WEBHOOK }}
         run: |
-          curl -X POST "${{ secrets.FORGE_STORYBOOK_WEBHOOK }}"
+          curl -X POST "$FORGE_STORYBOOK_WEBHOOK"
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -1,12 +1,17 @@
 name: "Close stale issues"
-on:
+on: # zizmor: ignore[concurrency-limits]
   workflow_dispatch:
   schedule:
   - cron: "30 1 * * *"
 
+permissions: {}
+
 jobs:
-  stale:
+  stale: # zizmor: ignore[anonymous-definition]
     runs-on: ubuntu-latest
+    permissions:
+      issues: write # mark issues stale and close them
+      pull-requests: write # mark pull requests stale and close them
     steps:
     - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
       with:

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -9,10 +9,18 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 jobs:
   php-tests:
     runs-on: ${{ matrix.os }}
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
+    permissions:
+      contents: read
 
     strategy:
       matrix:
@@ -31,6 +39,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Get changed files
         id: changed-files
@@ -96,12 +106,16 @@ jobs:
   js-tests:
     runs-on: ubuntu-latest
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
+    permissions:
+      contents: read
 
     name: JavaScript tests
 
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Get changed files
         id: changed-files
@@ -146,16 +160,21 @@ jobs:
     name: Slack Notification
     runs-on: ubuntu-latest
     needs: [php-tests, js-tests]
+    permissions:
+      actions: read # required by workflow-conclusion-action to determine overall workflow status
     if: always()
     steps:
       - uses: technote-space/workflow-conclusion-action@45ce8e0eb155657ab8ccf346ade734257fd196a5 # v3
       - name: Send Slack notification
-        uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3
+        uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3
         if: env.WORKFLOW_CONCLUSION == 'failure' && github.event_name == 'schedule'
         with:
-          status: failure
-          fields: repo,message,commit,author,action,eventName,ref,workflow
-          author_name: ${{ github.actor }}
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          webhook: ${{ secrets.SLACK_WEBHOOK }}
+          webhook-type: incoming-webhook
+          payload: |
+            text: ":x: *${{ github.repository }}* tests failed"
+            blocks:
+              - type: section
+                text:
+                  type: mrkdwn
+                  text: ":x: *${{ github.repository }}* tests failed\n*Ref:* ${{ github.ref }}\n*Author:* ${{ github.actor }}\n*Workflow:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,36 @@
+name: GitHub Actions Security Analysis
+
+on:
+  push:
+    branches:
+      - master
+      - '*.x'
+    paths:
+      - '.github/**.yml'
+  pull_request:
+    paths:
+      - '.github/**.yml'
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-latest
+    permissions: {}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        with:
+          advanced-security: false
+          annotations: true
+          persona: pedantic