ci: pin GitHub Action versions to commit SHA

[kjdev]

Summary by CodeRabbit

• Chores
  • CI workflows pinned to fixed action revisions for more reproducible runs and safer checkouts.
  • Linux and Windows pipelines unified with a clearer PHP/version/thread-mode matrix and simplified dependency setup.
  • Removed container/image-based execution and redundant submodule initialization to streamline and speed up CI.
  • APCu-related test setup simplified for more reliable extension handling.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Linux CI matrix split into matrix.php + matrix.ts, container/image execution removed, shivammathur/setup-php added and configured, checkout pinned with conditional submodules and safe-directory, library install switched to apt-get libzstd-dev, APCu test invocation changed to -d extension=apcu.so; Windows workflows pin several actions to commit SHAs.

Changes

CI Workflow pinning and checkout refactor

Layer / File(s)	Summary
Linux matrix and PHP setup .github/workflows/linux.yaml	Matrix restructured into matrix.php and matrix.ts, removed container/image strategy, added shivammathur/setup-php step (php-version, env.phpts, extensions), and adjusted APCu test invocation to use apcu.so.
Linux checkout pinning and package install .github/workflows/linux.yaml	Pinned actions/checkout with persist-credentials: false, set-safe-directory: true, conditional submodules based on matrix.library; switched library package install from Alpine to apt-get install libzstd-dev.
Windows action version pinning and checkout .github/workflows/windows.yaml	Pinned actions/checkout, actions/cache, actions/upload-artifact, and actions/download-artifact to specific commit SHAs; checkout with includes set-safe-directory and conditional submodules based on matrix.library.

Sequence Diagram(s)

sequenceDiagram
  participant GitHubActions
  participant actions_checkout as actions/checkout
  participant setup_php as shivammathur/setup-php
  participant apt_get as apt-get

  GitHubActions->>actions_checkout: checkout (persist-credentials:false, set-safe-directory, submodules conditional)
  GitHubActions->>setup_php: run with matrix.php and env.phpts (matrix.ts), extensions (xml,mbstring, optional apcu)
  setup_php->>apt_get: (when matrix.library) install libzstd-dev
  GitHubActions->>GitHubActions: run tests with Makefile option -d extension=apcu.so (when matrix.apcu)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I hopped through YAML, pinned each line,
Keys set safe, submodules align.
PHP threads split, apcu calls refined,
Apt fetches zstd for builds to find.
CI hums tidy — a small carrot sign.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title 'ci: pin GitHub Action versions to commit SHA' directly and accurately describes the main change across all modified workflow files (.github/workflows/linux.yaml, windows.yaml, and submodule.ps1), which involve pinning GitHub Actions to specific commit SHAs for security and reproducibility.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch bump/ci

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/linux.yaml:
- Around line 67-72: The workflow step "Install PHP APCu extension" uses pie
which requires PHP >= 8.1 and will fail for matrix entries with PHP 7.x; update
the workflow so both the "Install PHP APCu extension" step and the related "Test
Preparation APCu" step are gated by a condition that checks PHP >= 8.1 (e.g.,
use if: ${{ matrix.apcu && matrix.php >= '8.1' }}) or implement a conditional
install path: when matrix.php < '8.1' use PECL to install apcu and when
matrix.php >= '8.1' use pie, referencing the step names "Install PHP APCu
extension" and "Test Preparation APCu" to locate and change the condition or
install logic.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f24a0004-e162-470a-b2c5-6cc6541dc7af

📥 Commits

Reviewing files that changed from the base of the PR and between cd2098f and 3b31ca1.

📒 Files selected for processing (1)

• .github/workflows/linux.yaml