
chore(deps): bump shivammathur/setup-php from 2.15.0 to 2.37.1 in /.github/workflows#125

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/dot-github/workflows/shivammathur/setup-php-2.37.1

Conversation


@dependabot dependabot Bot commented on behalf of github May 20, 2026

Bumps shivammathur/setup-php from 2.15.0 to 2.37.1.

Release notes

Sourced from shivammathur/setup-php's releases.

2.37.1

Changelog

Security Updates

[!NOTE] This can affect workflows that pass values from users or pull requests to setup-php, for example from comments, dispatch inputs, PR titles/branches, generated matrices, or files such as .php-version and composer.json. Be especially careful with pull_request_target workflows that use any value from the pull request. Workflows that only use fixed trusted values are not expected to be affected, but updating to 2.37.1 is recommended.

[!NOTE]
This only affects workflows where the composer version is pinned like composer:2.9.7, workflows that do not pin the version or use composer:v2 are not affected as those get automatic updates. In case you pin the version, it is highly recommended to upgrade and have automation to do such timely upgrades in your workflows.

Fixes and Improvements

  • Fixed support for phalcon on Windows.

  • Fixed restoring tools when using cache from previous runs.

  • Improved enabling gearman extension on Linux.

  • Fixed fallback when installing PhpManager and VcRedist modules on Windows.

  • Fixed parsing extension inputs with backslash line continuation.

  • Improved workflow examples

    • Added workflow examples for Drupal 11 composer-managed projects and WordPress plugins.
    • Added workflow examples for Yii3 web applications and replaced Yii2 Starter Kit examples.
    • Updated workflow examples to use currently supported PHP versions.
  • Updated OS release mappings for newer Ubuntu releases.

  • Updated internal workflows for Codecov v6 and NPM trusted publishing.

  • Updated Node.js dependencies.

  • Fixed composer version in README. (#1081)

Thanks @Pyker for the contribution

For the complete list of changes, please refer to the Full Changelog

... (truncated)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [shivammathur/setup-php](https://github.com/shivammathur/setup-php) from 2.15.0 to 2.37.1.
- [Release notes](https://github.com/shivammathur/setup-php/releases)
- [Commits](shivammathur/setup-php@2.15.0...2.37.1)

---
updated-dependencies:
- dependency-name: shivammathur/setup-php
  dependency-version: 2.37.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 20, 2026

- name: Setup PHP
uses: shivammathur/setup-php@2.15.0
uses: shivammathur/setup-php@2.37.1
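Review bot: this hunk jumps from 2.15.0 straight to 2.37.1, and the quoted 2.37.1 release notes say the security fixes matter for workflows that pass user- or pull-request-controlled values into setup-php (and for workflows that pin composer like composer:2.9.7). In this workflow php-version comes from the fixed matrix list and a literal '8.1' and no tools: input pins composer, so neither note should apply here; it is worth saying so in one line on the PR before merging, and since both Setup PHP steps change, the test and deploy jobs should end up on the same ref.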

Semgrep identified an issue in your code:

The setup-php action is pinned to a version tag instead of a commit SHA, allowing tag manipulation attacks if the upstream repository is compromised.

More details about this

The setup-php action is pinned to a version tag (2.37.1) rather than a full-length commit SHA. Version tags can be moved or deleted by the action maintainer, potentially allowing a malicious actor to force your workflow to run a backdoored version of the action if they compromise the repository.

Exploit scenario:

  1. An attacker gains access to the shivammathur/setup-php repository and modifies the code to inject a backdoor (e.g., stealing secrets or credentials).
  2. The attacker then moves the 2.37.1 tag to point to a malicious commit with their backdoor code.
  3. The next time your workflow runs, it checks out uses: shivammathur/setup-php@2.37.1, which now resolves to the attacker's compromised code instead of the original.
  4. The backdoor executes during your build step—for example, exfiltrating ${{ secrets.GITHUB_TOKEN }} that's available in the workflow environment, allowing the attacker to push malicious code to your repository.

Pinning to an immutable commit SHA (like @abc123def456...) ensures that even if the tag is moved, your workflow always runs the exact code you verified.

To resolve this comment:

✨ Commit fix suggestion

Suggested change
uses: shivammathur/setup-php@2.37.1
- name: Setup PHP Action
  # Replace the placeholder below with the verified full 40-character commit SHA for shivammathur/setup-php release 2.37.1 from the action's GitHub tag/release page.
  uses: shivammathur/setup-php@<full-40-character-commit-sha-for-2.37.1>
  with:
    php-version: ${{ matrix.php }}
  id: php
- name: Setup PHP
  # Replace the placeholder below with the verified full 40-character commit SHA for shivammathur/setup-php release 2.37.1 from the action's GitHub tag/release page.
  uses: shivammathur/setup-php@<full-40-character-commit-sha-for-2.37.1>
  with:
    php-version: '8.1'
  id: php
View step-by-step instructions
  1. Replace the third-party action reference shivammathur/setup-php@2.37.1 with a full 40-character commit SHA that corresponds to the 2.37.1 release, for example shivammathur/setup-php@<full-commit-sha>.
  2. Keep the same action name and inputs, and only change the value after @. This makes the workflow use an immutable action revision instead of a mutable tag.
  3. Get the correct SHA from the action's GitHub release or tag page for version 2.37.1, and pin both occurrences shown here:
    • uses: shivammathur/setup-php@<full-commit-sha> in the test job
    • uses: shivammathur/setup-php@<full-commit-sha> in the deploy job
  4. Avoid short SHAs or version tags such as @v2, @main, or @2.37.1, because they can be moved to a different commit later.
💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by third-party-action-not-pinned-to-commit-sha.

Need help with this issue? Consult our Semgrep Findings Documentation or ask in #help-appsec on Slack.

You can view more details about this finding in the Semgrep AppSec Platform.


- name: Setup PHP Action
uses: shivammathur/setup-php@2.15.0
uses: shivammathur/setup-php@2.37.1

Semgrep identified an issue in your code:

GitHub Action is pinned to a mutable version tag instead of an immutable commit SHA, allowing attackers to inject malicious code if they compromise the repository.

More details about this

The GitHub Action shivammathur/setup-php is pinned to a version tag (2.37.1) instead of a full commit SHA. This creates a security risk because tags can be re-pushed or overwritten by an attacker who gains access to the repository.

Here's how an attacker could exploit this:

  1. The attacker gains write access to the shivammathur/setup-php repository (through credential theft, social engineering, or compromised CI/CD access)
  2. They inject malicious code into the action (for example, adding a reverse shell or credential stealer into the PHP setup script)
  3. They force-push the 2.37.1 tag to point to their malicious commit instead of the original one
  4. The next time your workflow runs, GitHub Actions fetches the tag 2.37.1 and downloads the attacker's malicious version
  5. The malicious code executes in your CI/CD pipeline with access to your repository secrets (like GITHUB_TOKEN) and can steal credentials, inject backdoors into your code, or compromise your build artifacts

Using a full commit SHA (e.g., uses: shivammathur/setup-php@a1e9c3c1d7e8b9f7e8c5d4a2b1c9d8e7f6a5b4c3) makes the reference immutable—even if someone re-pushes the tag, your workflow will continue using the exact commit you specified.

To resolve this comment:

✨ Commit fix suggestion

Suggested change
uses: shivammathur/setup-php@2.37.1
# TODO: Replace the placeholder below with the verified full 40-character commit SHA that the 2.37.1 tag points to in shivammathur/setup-php.
# Example format:
# uses: shivammathur/setup-php@0123456789abcdef0123456789abcdef01234567
uses: shivammathur/setup-php@REPLACE_WITH_VERIFIED_40_CHAR_COMMIT_SHA
View step-by-step instructions
  1. Replace shivammathur/setup-php@2.37.1 with a full 40-character commit SHA for the exact action release you want to keep using.
  2. Update each uses: entry for this action in the workflow, for example change uses: shivammathur/setup-php@2.37.1 to uses: shivammathur/setup-php@<full-40-char-commit-sha>.
  3. Get the SHA from the shivammathur/setup-php repository by finding the commit that the 2.37.1 tag points to, and copy the full commit hash instead of the version tag. This makes the workflow use an immutable action revision.
  4. Keep the rest of the step unchanged, including with: and id: values, so only the action reference changes.

Alternatively, if you want to upgrade while fixing this, pin to the full commit SHA for a newer trusted release instead of the SHA behind 2.37.1.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by third-party-action-not-pinned-to-commit-sha.

Need help with this issue? Consult our Semgrep Findings Documentation or ask in #help-appsec on Slack.

You can view more details about this finding in the Semgrep AppSec Platform.


- name: Setup PHP
uses: shivammathur/setup-php@2.15.0
uses: shivammathur/setup-php@2.37.1

Semgrep identified an issue in your code:

GitHub Actions step uses a mutable semantic version tag (2.37.1) instead of a pinned commit SHA, allowing the action owner to silently inject malicious code into your workflow.

More details about this

The workflow uses shivammathur/setup-php@2.37.1, which pins to a semantic version tag instead of a specific commit SHA. An attacker who controls the shivammathur/setup-php repository could force-push the 2.37.1 tag to point to malicious code without warning.

Exploit scenario:

  1. An attacker gains control of the shivammathur/setup-php repository (or the maintainer's account gets compromised)
  2. They force-push the 2.37.1 tag to a new commit containing a backdoor that exfiltrates ${{ secrets.GITHUB_TOKEN }}
  3. Your workflow runs and fetches the updated tag, executing the malicious action
  4. The attacker uses the stolen token to push code to your repository or access other secrets
  5. This could be repeated across thousands of projects using this action, as happened with the trivy-action and kics-github-action compromises

The version tag 2.37.1 is mutable—it can be repointed by the repository owner at any time, making it unsafe for supply-chain security.

To resolve this comment:

✨ Commit fix suggestion

Suggested change
uses: shivammathur/setup-php@2.37.1
# TODO: Replace the placeholder below with the verified 40-character commit SHA for shivammathur/setup-php tag 2.37.1 from the action's release/tag page.
uses: shivammathur/setup-php@<FULL_40_CHARACTER_COMMIT_SHA> # 2.37.1
View step-by-step instructions
  1. Replace the mutable action reference shivammathur/setup-php@2.37.1 with a full 40-character commit SHA for the same release, for example shivammathur/setup-php@<full-commit-sha> # 2.37.1.
  2. Keep the version as a YAML comment after the SHA so the pinned release is still easy to identify, such as uses: shivammathur/setup-php@<full-commit-sha> # 2.37.1.
  3. Get the correct SHA from the action's release or tag page before updating the workflow. Pinning to a commit SHA prevents the tag from being silently moved to different code later.
💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.

Need help with this issue? Consult our Semgrep Findings Documentation or ask in #help-appsec on Slack.

You can view more details about this finding in the Semgrep AppSec Platform.


- name: Setup PHP Action
uses: shivammathur/setup-php@2.15.0
uses: shivammathur/setup-php@2.37.1
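Review bot: the pinning finding on this hunk applies just as much to actions/checkout@v2, which sits two lines above this step in both the test and deploy jobs and is left on a mutable major-version tag by this PR; if the setup-php step is SHA-pinned in response to the Semgrep comments, the checkout step in the same job should get the same treatment, otherwise the workflow still resolves a mutable ref before the PHP setup runs.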

Semgrep identified an issue in your code:

GitHub Actions step uses a mutable version tag (@2.37.1) that can be repointed to malicious code, allowing supply-chain attacks. Pin to a full commit SHA instead.

More details about this

The Setup PHP Action step references the shivammathur/setup-php action using a mutable version tag (@2.37.1) instead of a pinned commit SHA.

Attack scenario:

  1. An attacker compromises the shivammathur/setup-php repository or the maintainer's account.
  2. The attacker re-tags the 2.37.1 release to point to a malicious commit that injects code (e.g., stealing secrets from the environment, exfiltrating source code, or modifying build artifacts).
  3. Your workflow runs and pulls the compromised action code. The action receives access to ${{ secrets.GITHUB_TOKEN }} and environment variables with sensitive data.
  4. The malicious code executes during the Setup PHP step before any of your legitimate build steps run, giving it full access to your CI/CD environment.
  5. The attacker can steal credentials, modify your compiled output, or inject backdoors into your dependencies.

Even though 2.37.1 looks specific, the tag can be silently moved to a different commit at any time. This is how the trivy-action and kics-github-action compromises occurred in real attacks.

To resolve this comment:

✨ Commit fix suggestion

Suggested change
uses: shivammathur/setup-php@2.37.1
name: Test and Deploy
on:
  push:
    branches: [ '*' ]
    tags: [ '*' ]
  pull_request:
    branches: [ main ]
  schedule:
    # Run automatically at 8AM PST Monday-Friday
    - cron: '0 15 * * 1-5'
  workflow_dispatch:
jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    timeout-minutes: 20
    strategy:
      matrix:
        php: [ '7.3', '7.4', '8.0', '8.1' ]
        dependencies:
          - "lowest"
          - "highest"
    steps:
      - name: Checkout smtpapi-php
        uses: actions/checkout@v2
      - name: Setup PHP Action
        # NOTE: Replace the SHA below with the exact 40-character commit for shivammathur/setup-php v2.37.1 from the upstream release/tag page.
        uses: shivammathur/setup-php@<FULL_40_CHARACTER_COMMIT_SHA_FOR_V2_37_1> # v2.37.1
        with:
          php-version: ${{ matrix.php }}
        id: php
      - name: Composer webhook config
        run: composer config -g github-oauth.github.com ${{ secrets.GITHUB_TOKEN }}
      - name: Install dependencies
        run: composer install
      - name: Update Dependencies
        if: ${{ matrix.dependencies == 'lowest' }}
        run: composer update --prefer-lowest --prefer-stable -n
      - name: Run Tests
        run: make test
  deploy:
    name: Deploy
    if: success() && github.ref_type == 'tag'
    needs: [ test ]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout smtpapi-php
        uses: actions/checkout@v2
      - name: Setup PHP
        # NOTE: Use the same exact pinned commit SHA as above for shivammathur/setup-php v2.37.1.
        uses: shivammathur/setup-php@<FULL_40_CHARACTER_COMMIT_SHA_FOR_V2_37_1> # v2.37.1
        with:
          php-version: '8.1'
        id: php
View step-by-step instructions
  1. Replace the mutable action reference with a full 40-character commit SHA for shivammathur/setup-php instead of the version tag @2.37.1.
  2. Keep the human-readable version as a comment after the SHA, for example: uses: shivammathur/setup-php@<full-40-char-commit-sha> # v2.37.1
  3. Get the correct commit SHA from the v2.37.1 release page or tag in the action's repository, then use that exact SHA in the workflow. Pinning to a commit SHA prevents the tag from being moved to different code later.
  4. Update the other shivammathur/setup-php@2.37.1 step in this workflow the same way so both job steps use the same pinned commit.
💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.

Need help with this issue? Consult our Semgrep Findings Documentation or ask in #help-appsec on Slack.

You can view more details about this finding in the Semgrep AppSec Platform.
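A scanner that implements the check the four Semgrep findings above describe, together with the rewrite they suggest, as an added example for this discussion: it is not Semgrep's rule, not the smtpapi-php project's code, and the 40-character values in RESOLVED are constructed placeholders, not the real commits behind the 2.37.1 or v2 tags. SAMPLE_WORKFLOW is a constructed excerpt modelled on the workflow quoted in the last finding. It goes beyond the findings in also flagging short SHAs and branch names, and in checking the point from the fourth finding that both jobs pin the same action to the same commit.

```python
import re

# `uses: owner/repo[/path]@ref` with an optional trailing comment. Local (./x)
# and docker:// references carry no "@ref" in this form and are skipped on purpose.
USES_RE = re.compile(
    r"^(?P<indent>\s*(?:-\s+)?)uses:\s*"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?P<rest>\s*(?:#.*)?)$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref):
    """Bucket an action ref the way a pinning policy would treat it."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if re.match(r"^[0-9a-f]{7,39}$", ref):
        return "short-sha"          # abbreviated SHAs are rejected as well
    if re.match(r"^v?\d+(\.\d+)*$", ref):
        return "tag"                # v2, 2.37.1, ...: movable by the maintainer
    return "branch-or-other"        # main, master, release/x, ...


def find_unpinned(workflow_text):
    """Return (line_no, action, ref, kind) for each uses: not pinned to a full SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify_ref(m["ref"]) != "sha":
            findings.append((n, m["action"], m["ref"], classify_ref(m["ref"])))
    return findings


def pin_to_sha(workflow_text, resolved):
    """Rewrite mutable refs using `resolved`, a {(action, ref): sha} map that you
    fill in after checking the upstream tag or release page yourself. Refuses any
    value that is not 40 hex chars and keeps the old ref as a trailing comment."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and classify_ref(m["ref"]) != "sha":
            sha = resolved.get((m["action"], m["ref"]))
            if sha is not None:
                if not FULL_SHA_RE.match(sha):
                    raise ValueError(f"refusing non-40-hex pin for {m['action']}: {sha}")
                line = f"{m['indent']}uses: {m['action']}@{sha} # {m['ref']}"
        out.append(line)
    return "\n".join(out) + "\n"


def inconsistent_pins(workflow_text):
    """Map action -> set of refs for actions referenced at more than one ref,
    e.g. test and deploy jobs pinned to different commits of the same action."""
    seen = {}
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            seen.setdefault(m["action"], set()).add(m["ref"])
    return {a: refs for a, refs in seen.items() if len(refs) > 1}


# Constructed excerpt modelled on the workflow in this PR (not the real file).
SAMPLE_WORKFLOW = """\
jobs:
  test:
    steps:
      - name: Checkout smtpapi-php
        uses: actions/checkout@v2
      - name: Setup PHP Action
        uses: shivammathur/setup-php@2.37.1
        with:
          php-version: ${{ matrix.php }}
  deploy:
    steps:
      - uses: actions/checkout@v2
      - name: Setup PHP
        uses: shivammathur/setup-php@2.37.1
      - uses: ./.github/actions/local-step
"""

# PLACEHOLDER values only: look the real commits up on the upstream tag pages.
RESOLVED = {
    ("shivammathur/setup-php", "2.37.1"): "a" * 40,
    ("actions/checkout", "v2"): "b" * 40,
}

if __name__ == "__main__":
    for n, action, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{ref} is a {kind}, not a full commit SHA")
    pinned = pin_to_sha(SAMPLE_WORKFLOW, RESOLVED)
    print(pinned)
    print("still unpinned:", find_unpinned(pinned))
    print("inconsistent:", inconsistent_pins(pinned))
```

The rewrite deliberately refuses to touch a ref that is not in RESOLVED, so nothing gets pinned to a commit nobody looked up; running find_unpinned again on the output is the regression check that the workflow now contains only full SHAs.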
