From ee71465936389c9e411d6f79d25eddb297d086e5 Mon Sep 17 00:00:00 2001
From: Manuel Trezza <5673677+mtrezza@users.noreply.github.com>
Date: Sat, 4 Apr 2026 19:27:09 +0100
Subject: [PATCH] ci: Replace third-party GitHub Actions with trusted alternatives
---
 .github/workflows/ci.yml | 9 ++++++---
 .github/workflows/release-automated.yml | 18 ++++++++++++++----
 .github/workflows/release-manual-docs.yml | 18 ++++++++++++++----
 3 files changed, 34 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e27ed36f..6dd442f1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,9 +15,12 @@ jobs:
 steps:
 - uses: actions/checkout@v3
 - name: Check NPM lock file version
- uses: mansona/npm-lockfile-version@v1
- with:
- version: 2
+ run: |
+ version=$(node -e "console.log(require('./package-lock.json').lockfileVersion)")
+ if [ "$version" != "2" ]; then
+ echo "::error::Expected lockfileVersion 2, got $version"
+ exit 1
+ fi
 build:
 runs-on: ubuntu-20.04
 timeout-minutes: 30
diff --git a/.github/workflows/release-automated.yml b/.github/workflows/release-automated.yml
index 0ed96651..0444891d 100644
--- a/.github/workflows/release-automated.yml
+++ b/.github/workflows/release-automated.yml
@@ -30,6 +30,12 @@ jobs:
 if: needs.release.outputs.current_tag != ''
 runs-on: ubuntu-latest
 timeout-minutes: 15
+ permissions:
+ pages: write
+ id-token: write
+ environment:
+ name: github-pages
+ url: ${{ steps.deploy.outputs.page_url }}
 steps:
 - uses: actions/checkout@v3
 with:
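Review bot: In the new `run` block of .github/workflows/ci.yml, the `::error::` line echoes `$version`, which is read from `package-lock.json`, a file that pull-request authors control. A non-numeric or multi-line `lockfileVersion` value would be written to the step's stdout as-is, where the runner also parses workflow commands. The check itself fails closed, so the impact is probably small, but validating the value before printing it removes the question, for example `case "$version" in ''|*[!0-9]*) echo "::error::lockfileVersion is missing or not numeric"; exit 1;; esac` ahead of the comparison. The job definition starts outside this hunk.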
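Review bot: The job-level `permissions:` block added in .github/workflows/release-automated.yml lists only `pages: write` and `id-token: write`, so every other scope, including `contents`, drops to `none` for this job, and the `actions/checkout@v3` step that follows then likely works only while the repository is public. Adding `contents: read` to the block states the requirement explicitly, as GitHub's Pages starter workflows do. The block also applies to the build step later in the same job (`npm run document`, visible in the next hunk), so if that build executes third-party dependency code it may be worth uploading the artifact from a build job and keeping `pages: write` and `id-token: write` on a deploy-only job. The same block is added in the first hunk of release-manual-docs.yml, and the job definition starts and ends outside this hunk.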
@@ -49,8 +55,12 @@ jobs:
 npm run document
 env:
 SOURCE_TAG: ${{ needs.release.outputs.current_tag }}
- - name: Deploy
- uses: peaceiris/actions-gh-pages@v3.7.3
+ - name: Configure Pages
+ uses: actions/configure-pages@v5
+ - name: Upload Pages artifact
+ uses: actions/upload-pages-artifact@v4
 with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- publish_dir: ./.phpdoc/build
+ path: ./.phpdoc/build
+ - name: Deploy to GitHub Pages
+ id: deploy
+ uses: actions/deploy-pages@v4
diff --git a/.github/workflows/release-manual-docs.yml b/.github/workflows/release-manual-docs.yml
index cd04c28a..a5bf41f2 100644
--- a/.github/workflows/release-manual-docs.yml
+++ b/.github/workflows/release-manual-docs.yml
@@ -13,6 +13,12 @@ jobs:
 if: github.event.inputs.tag != ''
 runs-on: ubuntu-latest
 timeout-minutes: 15
+ permissions:
+ pages: write
+ id-token: write
+ environment:
+ name: github-pages
+ url: ${{ steps.deploy.outputs.page_url }}
 steps:
 - uses: actions/checkout@v3
 with:
@@ -32,8 +38,12 @@ jobs:
 npm run document
 env:
 SOURCE_TAG: ${{ github.event.inputs.tag }}
- - name: Deploy
- uses: peaceiris/actions-gh-pages@v3.7.3
+ - name: Configure Pages
+ uses: actions/configure-pages@v5
+ - name: Upload Pages artifact
+ uses: actions/upload-pages-artifact@v4
 with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- publish_dir: ./.phpdoc/build
+ path: ./.phpdoc/build
+ - name: Deploy to GitHub Pages
+ id: deploy
+ uses: actions/deploy-pages@v4
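Review bot: The three replacement steps in .github/workflows/release-automated.yml reference their actions by mutable tag (`actions/configure-pages@v5`, `actions/upload-pages-artifact@v4`, `actions/deploy-pages@v4`), so the code that runs with `pages: write` and `id-token: write` can change without a commit to this repository. Pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/deploy-pages@<full-commit-sha> # v4`, would make the set of trusted code reviewable, and Dependabot can keep the pins current. The same three references are added in the second hunk of release-manual-docs.yml. Separately, these actions deploy from an uploaded artifact rather than a branch, so the repository's Pages source presumably has to be set to GitHub Actions for the deploy step to succeed; that setting is not visible in this patch.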