Skip to content

Unpin setup-php (@v2), restore the macos-14/PHP 8.5 leg#1

Open
ericmann wants to merge 2 commits into
mainfrom
setup-php-2.37.2
Open

Unpin setup-php (@v2), restore the macos-14/PHP 8.5 leg#1
ericmann wants to merge 2 commits into
mainfrom
setup-php-2.37.2

Conversation

@ericmann

Copy link
Copy Markdown
Contributor

Why

The managed workflows have pinned shivammathur/setup-php@2.36.0 since the 2026-06-12 macOS breakage (empty-variable cascade in setup-php's brew path), which also forced a macos-14 × php 8.5 exclusion in the CI matrix — and left the release workflow's php8.5-arm64-darwin leg latently broken (2.36.0 predates 8.5). Meanwhile Dependabot flags 2.36.0 for two moderate advisories patched in 2.37.1 (command injection in repository-derived version resolution; Composer token exposure).

setup-php 2.37.2 fixes the macOS issue by marking the shivammathur/php and shivammathur/extensions taps as trusted.

Verification

Extended the macOS probe with 2.37.2 jobs on PHP 8.4 and 8.5, dispatched on macos-14: all five jobs pass (@v2, 2.37.2×8.4, 2.37.2×8.5, 2.37.1, 2.36.0) — run 29466902030.

Changes

  • template/managed/.github/workflows/{ci,release}.yml: @2.36.0@v2, incident comments removed
  • ci.yml: macos-14 / 8.5 exclusion dropped — macOS tests the full PHP spread again
  • macos-probe.yml deleted, per its own "delete when upstream recovers" header

Child repos pick the change up via bin/sync (ext-c2pa is synced already and its full matrix — including the restored macOS 8.5 leg — is green; ext-infer/ext-turbovec still need a sync pass).

ericmann added 2 commits July 15, 2026 19:34
2.37.2's changelog claims the macOS fix (trusted-tap marking for the
shivammathur/php and shivammathur/extensions brew taps). Probe it on
macos-14 before unpinning the managed workflows, including PHP 8.5 —
the leg the CI matrix excludes today.
The 2026-06-12 macOS breakage is fixed upstream: setup-php 2.37.2 marks
the shivammathur/php and shivammathur/extensions brew taps as trusted,
which resolves the empty-variable cascade in its brew path. The macOS
probe now passes on every job — @v2, 2.37.2 (on 8.4 AND 8.5), and even
2.37.1/2.36.0:
https://github.com/DisplaceTech/ext-template/actions/runs/29466902030

Accordingly:
- ci.yml / release.yml: 2.36.0 pin -> @v2. This also clears the four
  Dependabot advisories against <2.37.1 (command injection in
  repository-derived version resolution; Composer token exposure).
- ci.yml: drop the macos-14/8.5 matrix exclusion — 2.36.0 predated 8.5,
  @v2 installs it fine, so macOS now tests the full PHP spread. (The
  release workflow's php8.5-arm64-darwin leg was latently broken for
  the same reason; it becomes functional with this bump.)
- Delete the temporary macOS probe workflow, per its own header.

Child repos pick this up via bin/sync.
ericmann added a commit to ericmann/ext-c2pa that referenced this pull request Jul 16, 2026
bin/sync from ext-template's setup-php-2.37.2 branch
(DisplaceTech/ext-template#1): the 2026-06-12 macOS breakage is fixed
upstream in setup-php 2.37.2 (verified by the template's macOS probe,
run 29466902030 — including PHP 8.5 on macos-14), so the 2.36.0 pin and
the macos/8.5 matrix exclusion are gone. Clears all four Dependabot
alerts (advisories patched in 2.37.1). Release workflow's
php8.5-arm64-darwin leg becomes functional.

about.toml's [private] ignore block re-applied post-sync (the documented
local deviation).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant