ยซ Changelog History


setup-php v2.37.2 Release Notes

Release Date: 2026-06-08 // 8 days ago

  • ๐Ÿ”„ Changelog

    • ๐Ÿ›  Fixed macOS setup by marking shivammathur/php and shivammathur/extensions as trusted taps.

    • ๐Ÿ Switched to Visual Studio 18 (vs18) builds for PHP 8.6 on Windows.

    • ๐Ÿ‘Œ Improved looking up environment variables.

    • ๐Ÿ”’ Tightened security in internal GitHub action workflows.

    • โšก๏ธ Updated Node.js dependencies.

    For the complete list of changes, please refer to the Full Changelog

    โšก๏ธ Follow for updates

    setup-php redditsetup-php twittersetup-php status


Previous changes from v2.37.1

  • ๐Ÿ”„ Changelog

    โšก๏ธ Security Updates

    • ๐Ÿ›  Fixed shell command escaping and PHP version input validation. (GHSA-pqwm-q9pv-ph8r / CVE-2026-46420)

    Note

    This can affect workflows that pass values from users or pull requests to setup-php, for example from comments, dispatch inputs, PR titles/branches, generated matrices, or files such as .php-version and composer.json.
    Be especially careful with pull_request_target workflows that use any value from the pull request. Workflows that only use fixed trusted values are not expected to be affected, but updating to 2.37.1 is recommended.

    • ๐Ÿ›  Fixed GitHub auth handling for Composer versions affected by GHSA-f9f8-rm49-7jv2. It should now skip configuring GitHub OAuth if affected Composer versions are installed and show a warning to upgrade. (GHSA-5wxr-w449-57cm / CVE-2026-45793)

    Note

    โšก๏ธ This only affects workflows where the composer version is pinned like composer:2.9.7, workflows that do not pin the version or use composer:v2 are not affected as those get automatic updates. In case you pin the version, it is highly recommended to upgrade and have automation to do such timely upgrades in your workflows.

    ๐Ÿ›  Fixes and Improvements

    • ๐Ÿ›  Fixed support for phalcon on Windows.

    • ๐Ÿ›  Fixed restoring tools when using cached using previous runs.

    • ๐Ÿ‘Œ Improved enabling gearman extension on Linux.

    • ๐Ÿ›  Fixed fallback when installing PhpManager and VcRedist modules on Windows.

    • ๐Ÿ›  Fixed parsing extension inputs with backslash line continuation.

    • ๐Ÿ‘Œ Improved workflow examples

    • ๐Ÿš€ Updated OS release mappings for newer Ubuntu releases.

    • โšก๏ธ Updated internal workflows for Codecov v6 and NPM trusted publishing.

    • โšก๏ธ Updated Node.js dependencies.

    • ๐Ÿ›  Fixed composer version in README. (#1081)

    Thanks @Pyker for the contribution

    For the complete list of changes, please refer to the Full Changelog

    โšก๏ธ Follow for updates

    setup-php redditsetup-php twittersetup-php status