From 29f776daac943588836c957dd9cdf33252e86649 Mon Sep 17 00:00:00 2001
From: lotyp
Date: Sun, 12 May 2024 13:33:03 +0300
Subject: [PATCH] ci: refactor security workflow

---
 .github/workflows/lint-php-files.yml | 7 ++-
 .github/workflows/security.yml | 89 +++++++++++++---------
 2 files changed, 48 insertions(+), 48 deletions(-)

diff --git a/.github/workflows/lint-php-files.yml b/.github/workflows/lint-php-files.yml
index 51053b39..1f625a6c 100644
--- a/.github/workflows/lint-php-files.yml
+++ b/.github/workflows/lint-php-files.yml
@@ -18,10 +18,15 @@ name: ๐Ÿงน Fix PHP coding standards
 jobs:
 coding-standards:
- runs-on: ubuntu-latest
 timeout-minutes: 4
+ runs-on: ${{ matrix.os }}
+ concurrency:
+ cancel-in-progress: true
+ group: coding-standards-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 strategy:
 matrix:
+ os:
+ - ubuntu-latest
 php-version:
 - '8.2'
 dependencies:
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 3adb5889..ad220aaf 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -1,65 +1,60 @@ -name: Security +name: ๐Ÿ” Security analysis on: pull_request: - paths-ignore: - - 'docs/**' - - 'bin/**' - - 'resources/**' - - 'README.md' - - 'CHANGELOG.md' - - '.gitignore' - - '.gitattributes' - - '.editorconfig' - - 'psalm.xml' - push: - paths-ignore: - - 'docs/**' - - 'bin/**' - - 'resources/**' - - 'README.md' - - 'CHANGELOG.md' - - '.gitignore' - - '.gitattributes' - - '.editorconfig' - - 'psalm.xml' jobs: - security: - name: Security Checks (PHP ${{ matrix.php }}, OS ${{ matrix.os }}) + security-analysis: + timeout-minutes: 4 runs-on: ${{ matrix.os }} + concurrency: + cancel-in-progress: true + group: security-analysis-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} strategy: - fail-fast: false + fail-fast: true matrix: - # Note: This workflow requires only the LATEST version of PHP - php: [ 8.2 ] - os: [ ubuntu-latest ] + os: + - ubuntu-latest + php-version: + - '8.2' + dependencies: + - locked steps: - - name: Set up PHP ${{ matrix.php }} - uses: shivammathur/setup-php@v2 - with: - php-version: ${{ matrix.php }} - extensions: dom, sockets, grpc, curl + - name: ๐Ÿ“ฆ Check out the codebase + uses: actions/checkout@v4.1.4 - - name: Check Out Code - uses: actions/checkout@v4 + - name: ๐Ÿ› ๏ธ Setup PHP + uses: shivammathur/setup-php@2.30.4 with: - fetch-depth: 1 + php-version: ${{ matrix.php-version }} + extensions: none, ctype, dom, json, mbstring, phar, simplexml, tokenizer, xml, xmlwriter, sockets + ini-values: error_reporting=E_ALL + coverage: none + + - name: ๐Ÿ› ๏ธ Setup problem matchers + run: echo "::add-matcher::${{ runner.tool_cache }}/php.json" - - name: Get Composer Cache Directory - id: composer-cache - run: echo "::set-output name=dir::$(composer config cache-files-dir)" + - name: ๐Ÿค– Validate composer.json and composer.lock + run: composer validate --ansi --strict - - name: Cache Dependencies - uses: actions/cache@v3 + - name: ๐Ÿ” Get composer cache directory + uses: 
wayofdev/gh-actions/actions/composer/get-cache-directory@v3.0.0 + + - name: โ™ป๏ธ Restore cached dependencies installed with composer + uses: actions/cache@v4.0.2 with: - path: ${{ steps.composer-cache.outputs.dir }} - key: php-${{ matrix.php }}-${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} - restore-keys: php-${{ matrix.php }}-${{ runner.os }}-composer- + path: ${{ env.COMPOSER_CACHE_DIR }} + key: php-${{ matrix.php-version }}-composer-${{ matrix.dependencies }}-${{ hashFiles('composer.lock') }} + restore-keys: php-${{ matrix.php-version }}-composer-${{ matrix.dependencies }}- - - name: Install Composer Dependencies - run: composer install --prefer-dist --no-interaction + - name: ๐Ÿ“ฅ Install "${{ matrix.dependencies }}" dependencies + uses: wayofdev/gh-actions/actions/composer/install@v3.0.0 + with: + dependencies: ${{ matrix.dependencies }} - - name: Verify + - name: ๐Ÿ› Check installed packages using roave/security-advisories run: composer require --dev roave/security-advisories:dev-latest + + - name: ๐Ÿ› Check installed packages for security vulnerability advisories + run: composer audit --ansi
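Review bot: With `pull_request:` now the only trigger left in the `on:` block, the `composer audit` and `roave/security-advisories` checks run solely when a PR is opened or updated; an advisory published against the locked dependency set after merge is not seen until the next PR, and with the `push:` trigger gone the default branch is never re-scanned on its own. For an advisory check whose result changes without any code change, a `schedule:` cron (plus `workflow_dispatch:` for an on-demand run) is the usual fix. The workflow also declares no `permissions:` block, so the job token carries whatever the repository default is; no step here needs write access, so a top-level `permissions: contents: read` is free hardening. The `uses:` references are pinned to mutable tags (`actions/checkout@v4.1.4`, `shivammathur/setup-php@2.30.4`, `actions/cache@v4.0.2`, `wayofdev/gh-actions/...@v3.0.0`); for a security job, pinning each to its commit SHA with the version in a trailing comment is the stronger supply-chain control. Separately, `timeout-minutes: 4` may be tight for the `composer require` step, which re-resolves the dependency graph on a cold cache, and a timeout there is indistinguishable from a failed audit in the job status.

```yaml
on:
  pull_request:
  # re-run the audit on a schedule: advisories are published against
  # the locked dependency set without any commit to trigger a PR run
  schedule:
    - cron: '0 6 * * *'
  workflow_dispatch:

permissions:
  contents: read

# … unchanged: jobs.security-analysis …
```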