Merge branch '6.x' into feature/add-cf-to-video-fieldtype

Author: edalzell

.github/CODEOWNERS

@@ -0,0 +1,8 @@
+/composer.json @statamic/security
+/src/helpers.php @statamic/security
+/src/namespaced_helpers.php @statamic/security
+/src/View/Blade/helpers.php @statamic/security
+
+/.github/CODEOWNERS @statamic/security
+/.github/workflows/tripwire.yml @statamic/security
+/scripts/check-autoload-files.sh @statamic/security

.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+    cooldown:
+      default-days: 7

.github/workflows/code-style-lint.yml

@@ -3,25 +3,38 @@ name: Lint code style issues
 on:
   pull_request:
 
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  lint-code-styling:
+  lint-code-styling: # zizmor: ignore[anonymous-definition]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@v46
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
         with:
           files: |
             **.php
 
       - name: Check PHP code style issues
         if: steps.changed-files.outputs.any_modified == 'true'
-        uses: aglipanci/laravel-pint-action@v2
+        uses: aglipanci/laravel-pint-action@36de00d5f5a8a4e12d443e01671daa12a18f4c79 # 2.6
         with:
           testMode: true
           verboseMode: true
           pintVersion: 1.16.0
+
+      - name: Check Statamic\trans imports
+        run: bash scripts/check-trans-import.sh

.github/workflows/pr-title.yml

@@ -4,60 +4,13 @@ on:
   pull_request:
     types: [opened, edited, synchronize, reopened]
 
-jobs:
-  pr-title:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Validate PR title matches target branch
-        env:
-          PR_TITLE: ${{ github.event.pull_request.title }}
-          BASE_BRANCH: ${{ github.event.pull_request.base.ref }}
-          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
-        run: |
-          # Validates PR title against target branch
-          # Returns error message if invalid, empty string if valid
-          validate_pr_title() {
-            local target_branch="$1"
-            local pr_title="$2"
-            local default_branch="$3"
-
-            # Check if target branch is a version branch (e.g., 5.x, 4.x)
-            if [[ $target_branch =~ ^([0-9]+)\.x$ ]]; then
-              local version="${BASH_REMATCH[1]}"
-              if [[ ! $pr_title =~ ^\[$version\.x\][[:space:]] ]]; then
-                echo "PR targeting '$target_branch' must have title starting with '[$version.x] '"
-                return
-              fi
-
-            # Check if target branch is master (next major version)
-            elif [[ $target_branch == "master" ]]; then
-              local current_version="${default_branch//\.x/}"
-              local next_version=$((current_version + 1))
-              if [[ ! $pr_title =~ ^\[$next_version\.x\][[:space:]] ]]; then
-                echo "PR targeting 'master' must have title starting with '[$next_version.x] '"
-                return
-              fi
-
-            # For other branches, just enforce that there's a version prefix
-            else
-              if [[ ! $pr_title =~ ^\[[0-9]+\.x\][[:space:]] ]]; then
-                echo "PR title must start with a version prefix like '[5.x] '"
-                return
-              fi
-            fi
+permissions: {}
 
-            echo ""
-          }
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
-          echo "PR Title: $PR_TITLE"
-          echo "Base Branch: $BASE_BRANCH"
-          echo "Default Branch: $DEFAULT_BRANCH"
-
-          ERROR=$(validate_pr_title "$BASE_BRANCH" "$PR_TITLE" "$DEFAULT_BRANCH")
-
-          if [[ -n $ERROR ]]; then
-            echo $ERROR
-            exit 1
-          fi
-
-          echo "PR title validation passed"
+jobs:
+  pr-title:
+    uses: statamic/.github/.github/workflows/pr-title.yml@bebe92309b4276e45ebc0d0c65854fb2ecf786ba
+    permissions: {}

.github/workflows/pull-requests.yml

@@ -1,75 +1,18 @@
 name: Pull Requests
 
-# Credit: https://github.com/github/docs/blob/main/.github/workflows/notify-when-maintainers-cannot-edit.yaml
-#         https://github.com/laravel/.github/blob/main/.github/workflows/pull-requests.yml
-
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers]
     types:
       - opened
 
-permissions:
-  pull-requests: write
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
 
 jobs:
   uneditable:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/github-script@v7
-        with:
-          script: |
-            const repo = context.repo.repo;
-
-            const query = `
-              query($number: Int!) {
-                repository(owner: "statamic", name: "${repo}") {
-                  pullRequest(number: $number) {
-                    headRepositoryOwner {
-                      login
-                    }
-                    maintainerCanModify
-                    state
-                  }
-                }
-              }
-            `;
-
-            const pullNumber = context.issue.number;
-            const variables = { number: pullNumber };
-
-            try {
-              console.log(`Check for maintainer edit access ...`);
-              const result = await github.graphql(query, variables);
-              console.log(JSON.stringify(result, null, 2));
-              const pullRequest = result.repository.pullRequest;
-
-              if (pullRequest.headRepositoryOwner.login === 'statamic') {
-                console.log('PR owned by statamic');
-                return;
-              }
-
-              if (pullRequest.state !== 'OPEN') {
-                 console.log('PR has already been closed or merged');
-                 return;
-              }
-
-              if (!pullRequest.maintainerCanModify) {
-                console.log('PR not owned by statamic and does not have maintainer edits enabled');
-
-                await github.rest.issues.createComment({
-                  issue_number: pullNumber,
-                  owner: 'statamic',
-                  repo,
-                  body: "Thanks for submitting a PR!\n\nIn order to review and merge PRs most efficiently, we require that all PRs grant maintainer edit access before we review them. For information on how to do this, [see the relevant GitHub documentation](https://docs.github.com/en/github/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork). Additionally, GitHub doesn't allow maintainer permissions from organization accounts. Please resubmit this PR from a personal GitHub account with maintainer permissions enabled."
-                });
-
-                await github.rest.pulls.update({
-                  pull_number: pullNumber,
-                  owner: 'statamic',
-                  repo,
-                  state: 'closed'
-                });
-              }
-            } catch(e) {
-              console.log(e);
-            }
+    uses: statamic/.github/.github/workflows/pull-requests.yml@bebe92309b4276e45ebc0d0c65854fb2ecf786ba
+    permissions:
+      pull-requests: write # post comment and close PRs that don't allow maintainer edits

.github/workflows/release.yml

@@ -1,21 +1,28 @@
 name: Create Release
 
-on:
+on: # zizmor: ignore[concurrency-limits]
   push:
     tags:
       - 'v*'
 
+permissions: {}
+
 jobs:
-  build:
+  build: # zizmor: ignore[anonymous-definition]
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # create GitHub release and upload assets
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Use Node.js 20.19.0
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 20.19.0
+          package-manager-cache: false
 
       - name: Install dependencies
         run: npm ci
@@ -25,62 +32,27 @@ jobs:
 
       - name: Get Changelog
         id: changelog
-        uses: statamic/changelog-action@v1
+        uses: statamic/changelog-action@5d112d0d790cdeeb5adca3e584e37edc474ab51b # v1.0.2
         with:
           version: ${{ github.ref }}
 
       - name: Create release
-        id: create_release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: ${{ steps.changelog.outputs.version }}
-          release_name: ${{ steps.changelog.outputs.version }}
-          body: ${{ steps.changelog.outputs.text }}
-          prerelease: false
-
-      - name: Upload dist zip to release
-        uses: actions/upload-release-asset@v1.0.1
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./resources/dist.tar.gz
-          asset_name: dist.tar.gz
-          asset_content_type: application/tar+gz
-
-      - name: Upload dist-dev zip to release
-        uses: actions/upload-release-asset@v1.0.1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./resources/dist-dev.tar.gz
-          asset_name: dist-dev.tar.gz
-          asset_content_type: application/tar+gz
-
-      - name: Upload dist-frontend zip to release
-        uses: actions/upload-release-asset@v1.0.1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./resources/dist-frontend.tar.gz
-          asset_name: dist-frontend.tar.gz
-          asset_content_type: application/tar+gz
-
-      - name: Upload dist-package zip to release
-        uses: actions/upload-release-asset@v1.0.1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./resources/dist-package.tar.gz
-          asset_name: dist-package.tar.gz
-          asset_content_type: application/tar+gz
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_VERSION: ${{ steps.changelog.outputs.version }}
+          RELEASE_NOTES: ${{ steps.changelog.outputs.text }}
+        run: |
+          gh release create "$RELEASE_VERSION" \
+            --title "$RELEASE_VERSION" \
+            --notes "$RELEASE_NOTES" \
+            ./resources/dist.tar.gz \
+            ./resources/dist-dev.tar.gz \
+            ./resources/dist-frontend.tar.gz \
+            ./resources/dist-package.tar.gz
 
       - name: Deploy Storybook to Forge
         continue-on-error: true
+        env:
+          FORGE_STORYBOOK_WEBHOOK: ${{ secrets.FORGE_STORYBOOK_WEBHOOK }}
         run: |
-          curl -X POST "${{ secrets.FORGE_STORYBOOK_WEBHOOK }}"
+          curl -X POST "$FORGE_STORYBOOK_WEBHOOK"

.github/workflows/stale.yml

@@ -1,22 +1,13 @@
 name: "Close stale issues"
-on:
+on: # zizmor: ignore[concurrency-limits]
   workflow_dispatch:
   schedule:
   - cron: "30 1 * * *"
 
+permissions: {}
+
 jobs:
   stale:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/stale@v9
-      with:
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
-        days-before-stale: 60
-        days-before-close: 7
-        ascending: true
-        only-labels: 'needs more info'
-        stale-issue-label: stale
-        stale-issue-message: >
-          This issue has not had recent activity and has been marked as stale — by me, a robot.
-          Simply reply to keep it open and send me away. If you do nothing, I will close it in
-          a week. I have no feelings, so whatever you do is fine by me.
+    uses: statamic/.github/.github/workflows/stale.yml@bebe92309b4276e45ebc0d0c65854fb2ecf786ba
+    permissions:
+      issues: write # mark issues stale and close them