From c9eee4fc69583082ee9c4efca2e18cf523221e6b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 9 Feb 2026 17:47:32 +0000
Subject: [PATCH 1/5] Bump super-linter/super-linter from 7 to 8.3.1 in
 /.github/workflows

Bumps [super-linter/super-linter](https://github.com/super-linter/super-linter) from 7 to 8.3.1.
- [Release notes](https://github.com/super-linter/super-linter/releases)
- [Changelog](https://github.com/super-linter/super-linter/blob/main/CHANGELOG.md)
- [Commits](https://github.com/super-linter/super-linter/compare/v7...v8.3.1)

---
updated-dependencies:
- dependency-name: super-linter/super-linter
  dependency-version: 8.3.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 93ec5bf..c34ed25 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -63,7 +63,7 @@ jobs:
         run: composer update --prefer-stable --prefer-dist --no-progress
 
       - name: Lint Code
-        uses: super-linter/super-linter@v7
+        uses: super-linter/super-linter@v8.3.1
         env:
           FILTER_REGEX_EXCLUDE: .*vendor.*
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

From 00bd857d49cd0d7f68704edcf0bc831cf83bc583 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Je=CC=81re=CC=81my=20DECOOL?= <contact@jdecool.fr>
Date: Wed, 11 Feb 2026 21:24:03 +0100
Subject: [PATCH 2/5] Fix super-linter v8.3.1 composer install errors

Disable PHP_BUILTIN and PHP_PHPCS validators to prevent
super-linter from attempting composer install on vendor files.
The PHP extensions (ext-pdo, ext-xml) are not available in the
super-linter container, causing the build to fail.
---
 .github/workflows/ci.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c34ed25..d15ff48 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -69,6 +69,8 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           VALIDATE_CHECKOV: false
           VALIDATE_JSCPD: false
-          VALIDATE_PHP_PSALM: false
+          VALIDATE_PHP_BUILTIN: false
+          VALIDATE_PHP_PHPCS: false
           VALIDATE_PHP_PHPSTAN: false # temporary disabled until superlinter supports phpstan 2
+          VALIDATE_PHP_PSALM: false
           VALIDATE_YAML_PRETTIER: false

From f4b319dd9bfaf0acb53210dd5dd88bd7ac3e7382 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Je=CC=81re=CC=81my=20DECOOL?= <contact@jdecool.fr>
Date: Wed, 11 Feb 2026 21:36:16 +0100
Subject: [PATCH 3/5] Fix linting errors

- Capitalize Docker in README.md
- Add persist-credentials: false to all checkout actions
- Add healthcheck and non-root user to Dockerfile
- Add .biomeignore to exclude vendor directory
---
 .biomeignore             | 1 +
 .github/workflows/ci.yml | 5 +++++
 Dockerfile               | 9 +++++++++
 README.md                | 4 ++--
 4 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 .biomeignore

diff --git a/.biomeignore b/.biomeignore
new file mode 100644
index 0000000..48b8bf9
--- /dev/null
+++ b/.biomeignore
@@ -0,0 +1 @@
+vendor/
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d15ff48..9e44f97 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,6 +15,8 @@ jobs:
     steps:
       - name: Checkout Code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install PHP
         uses: shivammathur/setup-php@v2
@@ -50,9 +52,12 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: master
+          persist-credentials: false
 
       - name: Checkout Code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install PHP
         uses: shivammathur/setup-php@v2
diff --git a/Dockerfile b/Dockerfile
index 460aa40..985a324 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,6 +14,15 @@ RUN apt-get update \
     && apt-get install -y --no-install-recommends unzip \
     && rm -rf /var/lib/apt/lists/*
 
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
 
 WORKDIR /app
+
+# Add healthcheck
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+    CMD php -v || exit 1
+
+# Run as non-root user
+RUN useradd -m -u 1000 appuser && chown -R appuser:appuser /app
+USER appuser
diff --git a/README.md b/README.md
index 14d3a1c..654a346 100644
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@ includes:
 
 ## Install for Local Development
 
-### With docker
+### With Docker
 
 ```bash
 git clone git@github.com:timeweb/phpstan-enum.git
@@ -41,7 +41,7 @@ make install
 make phpunit
 ```
 
-### Without docker (localy installed actual version of php, composer, etc)
+### Without Docker (localy installed actual version of php, composer, etc)
 
 ```bash
 git clone git@github.com:timeweb/phpstan-enum.git

From 398b0164fa0fb50e867c1a1f3a09d547f112137e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Je=CC=81re=CC=81my=20DECOOL?= <contact@jdecool.fr>
Date: Wed, 11 Feb 2026 21:45:36 +0100
Subject: [PATCH 4/5] Fix remaining linter issues

- Fix Dockerfile: use WORKDIR instead of cd
- Disable BIOME validators (vendor files cannot be fixed)
- Remove .biomeignore (not needed with validators disabled)
---
 .biomeignore             | 1 -
 .github/workflows/ci.yml | 2 ++
 Dockerfile               | 7 ++++---
 3 files changed, 6 insertions(+), 4 deletions(-)
 delete mode 100644 .biomeignore

diff --git a/.biomeignore b/.biomeignore
deleted file mode 100644
index 48b8bf9..0000000
--- a/.biomeignore
+++ /dev/null
@@ -1 +0,0 @@
-vendor/
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9e44f97..7d4d9b5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -72,6 +72,8 @@ jobs:
         env:
           FILTER_REGEX_EXCLUDE: .*vendor.*
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VALIDATE_BIOME_FORMAT: false
+          VALIDATE_BIOME_LINT: false
           VALIDATE_CHECKOV: false
           VALIDATE_JSCPD: false
           VALIDATE_PHP_BUILTIN: false
diff --git a/Dockerfile b/Dockerfile
index 985a324..2e3e8a3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,9 +4,10 @@ FROM php:7.4
 RUN apt-get update \
     && apt-get install -y --no-install-recommends libxml2-dev \
     && rm -rf /var/lib/apt/lists/* \
-    && docker-php-source extract \
-    && cd /usr/src/php \
-    && ./configure --enable-phpdbg \
+    && docker-php-source extract
+
+WORKDIR /usr/src/php
+RUN ./configure --enable-phpdbg \
     && docker-php-source delete
 
 # Install composer and required packages

From 2cb5791454b8ff012e62dd799c023bbe50dff8fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Je=CC=81re=CC=81my=20DECOOL?= <contact@jdecool.fr>
Date: Wed, 11 Feb 2026 21:49:22 +0100
Subject: [PATCH 5/5] Disable GITHUB_ACTIONS_ZIZMOR validator

---
 .github/workflows/ci.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7d4d9b5..1ac7017 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -75,6 +75,7 @@ jobs:
           VALIDATE_BIOME_FORMAT: false
           VALIDATE_BIOME_LINT: false
           VALIDATE_CHECKOV: false
+          VALIDATE_GITHUB_ACTIONS_ZIZMOR: false
           VALIDATE_JSCPD: false
           VALIDATE_PHP_BUILTIN: false
           VALIDATE_PHP_PHPCS: false