chore(deps): update minor and patch updates

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/create-github-app-token	action	patch	v2.2.1 → v2.2.2
shivammathur/setup-php	action	minor	v2.32.0 → 2.37.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

actions/create-github-app-token (actions/create-github-app-token)

v2.2.2

Compare Source

shivammathur/setup-php (shivammathur/setup-php)

v2.37.0

Compare Source

Changelog

• Updated the action to use Node.js 24. (#​1049)

• Added support for master in the php-version input. It should now set up a nightly build from the master branch of php-src.

• Added support to install ioncube and zephir_parser extensions on PHP 8.5.

• Expanded support for installing extensions using Homebrew on macOS from the shivammathur/homebrew-extensions tap. This includes pdo_firebird, sqlsrv, pdo_sqlsrv, pecl_http, swow, xhprof, and several other supported extensions.

• Improved switching PHP versions on Linux. Missing alternatives should now be registered automatically before switching versions. #​1067

• Improved support for Homebrew on macOS. It should now retry stuck brew commands with an inactivity watchdog.

• Improved support for adding tools. It should now correctly use the latest release download URL when a version is not specified. (#​1064)

• Improved tool setup and caching on self-hosted runners.

• Improved support for sqlsrv and pdo_sqlsrv on PHP 8.1 and 8.2.

• Fixed installing pecl_http on Windows. Switched to downloads.php.net for fixing ICU version post install.

• Fixed cached couchbase installs on macOS using the shivammathur/cache-extensions action.

• Replaced @actions/core with local functions to reduce bundle size.

• Refactored to use ES2024+ features for Node 24.

• Updated actions used in examples to their latest versions.

• Updated Node.js dependencies.

Thanks @​theluckystrike for the contribution 🎉

Thanks @​code-kudu, @​ssddanbrown, @​RoundingWell, and @​ntzrbtr for the sponsorship ❤️

For the complete list of changes, please refer to the Full Changelog

Follow for updates

v2.36.0

Compare Source

Changelog

• Added support for PHP 8.5 stable release.

- name: Setup PHP 8.5 (stable)
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.5'

• Added support for PHP 8.6.0-dev. Specifying 8.6 in the php-version input should now set up a nightly build from the master branch of php-src. (#​1002)

- name: Setup PHP 8.6.0-dev
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.6'

• Added support for pdo_ibm and ibm_db2 extensions.

- name: Setup PHP with pdo_ibm and ibm_db2 extensions
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.5'
    extensions: pdo_ibm, ibm_db2

• Added support to install blackfire extension on PHP 8.5.

- name: Setup PHP with blackfire extension
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.5'
    extensions: blackfire

• Improved support to detect the required libraries when building from source for common extensions. For example installing gnupg from source would install the required libgpgme library automatically. (#​1021)

- name: Setup PHP with amqp extension
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.5'
    extensions: gnupg-1.5.4

• Improved support for symfony-cli. It should now correctly set up the requested version. (#​1008)

- name: Setup PHP with symfony-cli
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.5'
    tools: symfony-cli:5.16.0

• Improved support for relay extension. Also added support to install the nightly version of the extension. (#​1011, #​1012)

• Improved installing PHP on macOS. Also fixed installing PHP on macos-15-intel GitHub runner. (#​1029)

• Improved support for deb822 format sources files on Linux. It should now set up the sources files in deb822 format on Ubuntu 24.04, Debian 13, and newer. It would automatically switch the format as well for the repositories added by the action to the new format when supported. (#​1027)

• Improved support for installing pdo_oci. (#​1028)

• Fixed installing gearman extension for PHP 5.6 and 7.0 on Linux.

• Fixed an edge case in tools setup to fall back to the latest version. (#​1024)

• Fixed support to build extensions with uppercase names from PECL. (#​1017)

• Fixed warning on redis setup on macOS after formula rename. (shivammathur/homebrew-extensions#5413)

• Fixed fallback link for composer setup. (#​1025)

• Updated the link for flex documentation in README. (#​1020)

• Updated Node.js dependencies.

Thanks @​shyim, @​tillkruss, and @​nicolas-grekas for the contributions 🎉

Thanks @​JetBrainsOfficial and @​cachewerk for the sponsorship ❤️

For the complete list of changes, please refer to the Full Changelog

Follow for updates

v2.35.5

Compare Source

Changelog

• Added support for macOS 26 based environments.

runs-on: macos-26
steps:
- name: Setup PHP
  uses: shivammathur/setup-php@v2

• Fixed resolving tools' releases to the latest one for a version prefix in tools input. (#​1000)
  For example, this should install the latest release of PHPUnit with 10.5 as the prefix.

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.1'
    tools: phpunit:10.5.x

• Improved installing intl extension with a particular ICU versions.

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
    extensions: intl-77.1

• Fixed tools setup to use the new github-token input value to avoid rate limits.

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
    tools: phpcs: 4
    github-token: ${{ secrets.GITHUB_TOKEN }}

• Improved errors when tools fail to install. (#​991)

• Fixed warning in get function on request failure.

• Added a fallback source for composer phar archives. (#​956)

• Added a fallback source for PPA keys. (#​996)

• Fixed opcache.jit_buffer_size config on arm environments. (#​999)

• Updated Node.js dependencies.

For the complete list of changes, please refer to the Full Changelog

Follow for updates

v2.35.4

Compare Source

Changelog

• Fixed updating brew core tap before installing PHP on macOS.

• Updated actions in internal workflows.

• Updated Node.js dependencies.

For the complete list of changes, please refer to the Full Changelog

Follow for updates

v2.35.3

Compare Source

Changelog

• Improved github-token support for GitHub Enterprise. (#​981).

  For GitHub Enterprise users, the github-token input does not default to the GITHUB_TOKEN secret. Therefore, it's recommended to set the github-token input to a Personal Access Token (PAT).

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
    github-token: ${{ secrets.YOUR_PAT_TOKEN }}

• Fixed support for relay extension for PHP 7.4 on macOS.

• Updated internal workflows to not run on forks. (#​982)

• Updated Node.js dependencies.

Thanks @​jrfnl for the contributions 🎉

For the complete list of changes, please refer to the Full Changelog

Follow for updates

v2.35.2

Compare Source

Changelog

• Fixed race condition in updating composer auth.json. (#​980)

For the complete list of changes, please refer to the Full Changelog

Follow for updates

v2.35.1

Compare Source

Changelog

• Fixed regression in composer authentication in 2.35.0. (#​979)

• Fixed installing geos extension on PHP 8.5.

For the complete list of changes, please refer to the Full Changelog

Follow for updates

v2.35.0

Compare Source

Changelog

• Added support for github-token input. (#​969)
  It uses the GITHUB_TOKEN secret by default and should prevent any rate limiting issues while installing your composer dependencies or while adding any tools supported by setup-php.

  Also, it can used to specify a personal access token (PAT) to authenticate with GitHub if you need that for your composer dependencies.

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
    github-token: ${{ secrets.PAT }}

• Added support for carthage-software/mago. (#​898, #​975)

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
    tools: mago

• Added support for Roave/BackwardCompatibilityCheck. (#​911, #​974)

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
    tools: backward-compatibility-check

• Added support for shipmonk/name-collision-detector. (#​932, #​973)

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
    tools: name-collision-detector

• Fixed fallback behavior on adding a specific version of extension when fail-fast is set to true. (#​972)

• Fixed enabling extensions on Windows. (#​978)

• Fixed installing gearman extension on PHP 8.5.

• Cleaned up the cubrid extension script.

• Removed ondrej/pkg-gearman ppa in gearman extension setup.

• Switched to ppa.setup-php.com for ondrej/php ppa fallback mirror.

• Update default composer version in README. (#​966)

• Fixed a broken link in README. (#​967)

• Updated Node.js dependencies.

Thanks @​jrfnl and @​OskarStark for the contributions 🎉

For the complete list of changes, please refer to the Full Changelog

Follow for updates

v2.34.1

Compare Source

Changelog

• Fixed tool-cache directory on self-hosted runners.

• Fixed generating lock path in unix.sh on verbose branch.

• Updated Node.js dependencies.

For the complete list of changes, please refer to the Full Changelog

Follow for updates

v2.34.0

Compare Source

Changelog

• Added support for pie. (#​948)

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
    tools: pie

• Added support to allow composer plugins by specifying the list of plugins in COMPOSER_ALLOW_PLUGINS env.

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
  env:
    COMPOSER_ALLOW_PLUGINS: composer/installers, composer/satis

• Added fallback for fetching the manifest for PHP versions. (#​952)

• Added support to specify tools directory using SETUP_PHP_TOOLS_DIR env. (#​943, #​945)

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
  env:
    SETUP_PHP_TOOLS_DIR: /tmp/tools

• Improved detecting linux self-hosted runners if runner env is not specified. (#​947)

• Improved locking mechanism while fetching files on self-hosted runners.

• Dropped support for using dependency files in shivammathur/extension tap.

• Fixed errors on macOS regarding missing taps.

• Fixed logic to fail on first error in extension setup from source. (#​951)

• Fixed error about missing self_hosted_helper function on macOS.

• Fixed the file name of the sources list to match the name used by apt-add-repository. (#​953)

• Fixed installing hiredis on macOS during relay setup.

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
    extensions: relay

• Updated Node.js dependencies.

Thanks @​alcaeus, @​JMoodyFWD, and @​cmb69 for the contributions 🎉

For the complete list of changes, please refer to the Full Changelog

Follow for updates

v2.33.0

Compare Source

Changelog

• Added support for Arm Ubuntu runners ubuntu-24.04-arm and ubuntu-22.04-arm. (#​848)

jobs:
  run:
    runs-on: ubuntu-24.04-arm # or ubuntu-22.04-arm
    steps:
    - name: Setup PHP
      uses: shivammathur/setup-php@v2
      with:
        php-version: '8.4'

• Dropped support for Ubuntu 20.04 (ubuntu-20.04) for both GitHub hosted and self-hosted runners. Please migrate your workflows to ubuntu-22.04 or ubuntu-24.04. (#​939)
  Ref: https://github.com/shivammathur/setup-php#github-hosted-runners

• Improved support for installing PHPUnit around new releases. Now setup-php will fallback to the previous release till new release is available on the phpunit.de website after it is tagged. (#​913, #​938)

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
    tools: phpunit

• Switched to using https://ppa.launchpadcontent.net for launchpad PPAs instead of http://ppa.launchpad.net. (#​927, #​928)

• Added a fallback to calling launchpad's API for getting PPA signatures to reduce reported failures on self-hosted runners. (#​935)

• Added support for specifying tools' directory using TOOLS_DIR env. (#​937)

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
  env:
    TOOLS_DIR: '/tmp/tools'

• Fixed cache support for openswoole. (#​917, shivammathur/cache-extensions#47)

• Fixed the version of composer-normalize in the logs. (#​899)

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
    tools: composer-normalize

• Updated the repository for PHP-CS-Fixer. (#​900)

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
    tools: php-cs-fixer

• Added support for blackfire and ionCube extensions for PHP 8.4.

• Improved support for phalcon and zephir_parser extensions.

• Improved support for OCI extensions pdo_oci and oci8 on self-hosted runners. (#​929)

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
    extensions: pdo_oci, oci8

• Improved locking mechanism while fetching files on self-hosted runners. (#​912)

• Fixed a warning on macOS while patching extensions.

• Fixed linking hiredis library during relay setup.

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
    extensions: relay

• Updated Node.js dependencies.

Thanks @​deguif, @​DanielEScherzer, @​voodooism, @​hms5232, and @​jg-development for the contributions 🎉

Thanks @​complex-gmbh and @​WorkOfStan for the sponsorship ❤️

For the complete list of changes, please refer to the Full Changelog

Follow for updates

---

Configuration

📅 Schedule: Branch creation - "on the 15th day of the month before 12pm" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[greptile-apps]

Greptile Summary

Automated Renovate PR that bumps two GitHub Actions dependencies in CI workflows:

• shivammathur/setup-php: v2.32.0 → 2.36.0 (minor update adding PHP 8.5/8.6 support, bug fixes, and extension improvements)
• actions/create-github-app-token: v2.2.1 → v2.2.2 (patch update)

Both actions are pinned to full commit SHAs, which is a security best practice. The changes are strictly version bumps with no modifications to workflow logic, job configuration, or PHP version matrix.

Confidence Score: 5/5

• This PR is safe to merge — it contains only minor/patch CI dependency bumps with no workflow logic changes.
• Both changes are version bumps of well-known, widely-used GitHub Actions pinned to commit SHAs. No workflow logic, job configuration, or application code is modified. The updates include only bug fixes and new feature support from upstream.
• No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/ci.yml	Bumps shivammathur/setup-php from v2.32.0 to 2.36.0 (pin updated to new commit SHA). No functional workflow changes.
.github/workflows/release-please.yml	Bumps actions/create-github-app-token from v2.2.1 to v2.2.2 (pin updated to new commit SHA). No functional workflow changes.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Push to main / PR] --> B[CI Workflow]
    A --> C[Release Please Workflow]
    
    B --> D["actions/checkout v6.0.2"]
    D --> E["shivammathur/setup-php\n❌ v2.32.0 → ✅ 2.36.0"]
    E --> F[Cache Composer packages]
    F --> G[Install dependencies]
    G --> H[Lint & format check]
    G --> I[Run tests]
    
    C --> J["actions/create-github-app-token\n❌ v2.2.1 → ✅ v2.2.2"]
    J --> K["googleapis/release-please-action v4.4.0"]

Loading

_{Last reviewed commit: ddabf39}

[greptile-apps]

Inconsistent version comment prefix
The version comment changed from # v2.32.0 to # 2.36.0, dropping the v prefix. All other pinned actions in this repo use the v prefix convention (e.g., # v6.0.2, # v5.0.3, # v2.2.2). This matches the upstream tag naming (setup-php tags without v), so it's technically accurate, but it breaks the visual consistency across your workflow files. Consider adding the v prefix for uniformity.

Suggested change

	- uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
	- uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2.36.0

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}