refactor: ci-cd workflows #79
Merged

Conversation
lotyp changed the title from "fix: use .build directory for all development tools" to "refactor: ci-cd workflows" on May 12, 2024.

roxblnfk reviewed on May 12, 2024.

Co-authored-by: Aleksei Gagarin <[email protected]>

roxblnfk approved these changes on May 13, 2024.
What was changed

Note: This is a subsidiary PR of the parent #77. Please review and approve the parent pull request FIRST.

`.editorconfig`

`yamllint`
- `make lint-yaml`, utilizing the `cytopia/yamllint:latest` Docker image.
- Runs on `.yml` and `.yaml` files to ensure they adhere to our coding standards.

`actionlint`
- `make lint-actions` command, which uses the `rhysd/actionlint:latest` docker image.
- Runs on the `.github` directory to maintain the integrity and functionality of our GitHub Actions workflows.

`.github/workflows/build-release.yml`

`.github/workflows/lint-php-files.yml`
- Renamed `cs-fixser.yml` to `lint-php-files.yml` to standardize naming conventions across our actions, focusing on the type of action performed (e.g., lint, check, build, create).
- `wayofdev/gh-actions`, ensuring consistency and reliability in our dependency management.
- Removed `fetch-depth: 1` from `actions/checkout` as it is the default value, simplifying the configuration without altering functionality.
- `set-output` commands have been removed in line with GitHub's best practices to avoid deprecated operations as detailed here.
- `composer cs:fix` for the PHP coding standard fixes instead of the manual full path `./vendor/bin` command, which aligns with our standardization efforts and simplifies the command structure.
- `on` section changed to use `paths:` instead of `paths-ignore`. This adjustment makes it easier to define the action to run only on PHP files, simplifying maintenance and reducing the risk of unintentionally ignoring important changes.

`.github/workflows/static-analysis.yml`
- Renamed `psalm.yml` to `static-analysis.yml` to standardize naming conventions across our actions, as this workflow may also perform PHPStan analysis in the future.
- Removed `fetch-depth: 1`.
- `set-output` commands have been removed.
- `composer psalm:ci` for Psalm static analysis instead of the manual full path `./vendor/bin` command. This aligns with our standardization efforts and simplifies the command structure. The `composer psalm:ci` command is specifically designed for CI environments, with flags such as:
  - `--output-format=github` to optimize output for GitHub Actions
  - `--threads=4` to improve performance by parallel processing
- `on` section changed to use `paths:`.

`.github/workflows/security.yml`
- Removed `paths-ignore:` to ensure that security checks are run more frequently. Previously, checks were skipped for almost all files, meaning critical files like `composer.lock` or `composer.json` could change and not trigger a security check until much later, potentially allowing vulnerabilities to go undetected for an extended period. As vulnerabilities can be identified in dependencies at any time, it's crucial to run security checks on every change to catch issues as soon as they are introduced.
- `composer audit --ansi` and `composer require --dev roave/security-advisories:dev-latest`.
- Removed `fetch-depth: 1`.
- `set-output` commands have been removed.

`.github/workflows/testing.yml`
- `make lint-yaml`

`.gitignore`
- `composer.lock`: Removed `composer.lock` from the `.gitignore` file. This change allows us to cache dependencies in GitHub Actions, leveraging consistent environments across builds and reducing build times.

`composer.json`
- `platform` Configuration: Included the `platform` field in the `composer.json` to ensure that dependencies are installed against a specific PHP version. This resolves issues encountered in GitHub Actions where the `composer.lock` file generated for one PHP version conflicts with another PHP version used during CI.
- `scripts` Section: Added a `scripts` section similar to how Node.js repositories use `package.json`. This standardizes how we run commands within the project, making our build process more consistent and maintainable.
Important: Steps below should be performed by @roxblnfk or @butschster to fully complete this and the parent PR: #77. Please follow these instructions to generate and add GPG keys for PHAR signing.

📜 GPG Guide

This pull request introduces necessary changes and configurations to integrate GPG keys into our GitHub Actions workflow for securely signing PHAR archives. As our project is open-source, ensuring the authenticity of our releases via GPG signatures is crucial to protect our users from malicious tampering and to maintain the integrity of our codebase. The following guide is split into three parts: actions to be performed on the local PC, settings adjustments in the GitHub UI, and updates needed within our GitHub Actions workflow.

💻 Part 1: On Local PC

Perform these steps on your local machine to generate and prepare your GPG keys for integration with the repository.

Step 1: Generate GPG Keys

Open a terminal and run the following command to create a new GPG key pair:

Follow the prompts to configure your key (choose RSA, 4096 bits, and a 2-year expiration).

After you have finished with the prompts, create a passphrase for this GPG key:

Final output:

Step 2: Export GPG Keys

Export your generated public and private keys using:

The second GPG command will require you to enter the passphrase from Step 1: Generate GPG Keys:

Step 3: Encrypt the Private Key

Encrypt your private key with a strong passphrase, as it will be kept encrypted in the public `buggregator/trap` repository:

Enter passphrase:

Step 4: Copy encrypted key into repository:

```
cd ./buggregator-trap
mkdir ./phar
cp ../keys.asc.gpg ./phar/keys.asc.gpg
```

Step 5: Commit and push encrypted key:

```
git add phar/keys.asc.gpg
git commit -m "ci: add gpg encrypted private key for PHAR signing"
git push
```

🪄 Part 2: In GitHub UI

Adjust https://github.com/buggregator/trap repository settings

Step 1: Add Secrets

Go to your repository on GitHub, select Settings > Secrets > Actions, and add the following secrets:
- `keys.asc.gpg`, from Step 3: Encrypt the Private Key
- Step 1: Generate GPG Keys
Given the sensitive nature of the operations performed within this repository, particularly those involving GPG keys for signing, it is crucial to adopt stringent security measures to safeguard the integrity and confidentiality of our cryptographic assets. Here are the recommended security practices:

1. Internalize Critical Dependencies
   - Internalize `wayofdev/gh-actions` into the `buggregator` GitHub namespace.

2. Limit Automatic Commit Actions
   - Remove `stefanzweifel/[email protected]` from our workflows and configure `php-cs-fixer` to run in `diff` mode only, not `fix` mode.
   - Setting `php-cs-fixer` to `diff` mode prevents automatic code modifications that might reveal GPG passphrases or other sensitive information embedded in the code.

3. Secure Asset Uploads
   - Use `actions/github-script` for raw assets upload directly in our workflows instead of relying on third-party actions.

Closes: #20
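The shell script below is an added example, not code from the PR or the buggregator/trap project. It rehearses the GPG guide's key flow end to end in throwaway GNUPGHOME directories: generate the signing key (Step 1), export it (Step 2), encrypt the private key under a second passphrase so only ciphertext is committed as phar/keys.asc.gpg (Steps 3 to 5), then replay the runner side (decrypt, import, detached-sign a PHAR) and the consumer side (verify with the public key alone), including the tampered-artifact case the signature exists to catch. The names KEY_PASSPHRASE and ARCHIVE_PASSPHRASE (standing in for the two repository secrets), the dummy trap.phar and the user id are assumptions; phar/keys.asc.gpg is the path the guide commits.

```shell
#!/bin/sh
# Added example (not code from the PR): rehearses the PHAR-signing key flow from the
# GPG guide end to end, in throwaway GNUPGHOME directories under a temp dir, so the
# real keyring is never touched. Assumed names, not taken from the PR: KEY_PASSPHRASE
# (passphrase set in Step 1) and ARCHIVE_PASSPHRASE (passphrase used in Step 3) stand
# for the two repository secrets; trap.phar is a constructed stand-in artifact; the
# user id is a placeholder. phar/keys.asc.gpg is the path the guide commits.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg is required for this rehearsal"; exit 0; }

KEY_PASSPHRASE="${KEY_PASSPHRASE:-demo-key-passphrase}"               # constructed
ARCHIVE_PASSPHRASE="${ARCHIVE_PASSPHRASE:-demo-archive-passphrase}"   # constructed
UID_NAME="Trap Release Signing (demo) <[email protected]>"       # placeholder

# gpg_np <gnupghome> <passphrase> <gpg args...>: non-interactive gpg, passphrase via loopback
gpg_np() {
    home="$1"; pass="$2"; shift 2
    GNUPGHOME="$home" gpg --batch --yes --pinentry-mode loopback --passphrase "$pass" "$@"
}

prepare_signing_key() {
    # Part 1 on the local PC. Leaves $WORK/public.asc (to publish) and
    # $WORK/phar/keys.asc.gpg (safe to commit); the plaintext private key is deleted.
    WORK="$(mktemp -d)"
    LOCAL_HOME="$WORK/local-gnupg"
    mkdir -p "$LOCAL_HOME" "$WORK/phar"
    chmod 700 "$LOCAL_HOME"
    # Step 1: RSA 4096 signing key with a two-year expiry, the parameters the guide prescribes
    gpg_np "$LOCAL_HOME" "$KEY_PASSPHRASE" --quick-generate-key "$UID_NAME" rsa4096 sign 2y
    FPR="$(GNUPGHOME="$LOCAL_HOME" gpg --batch --with-colons --list-secret-keys \
           | awk -F: '$1 == "fpr" { print $10; exit }')"
    # Step 2: export public and private keys (the private export needs the Step 1 passphrase)
    GNUPGHOME="$LOCAL_HOME" gpg --batch --yes --armor --output "$WORK/public.asc" --export "$FPR"
    gpg_np "$LOCAL_HOME" "$KEY_PASSPHRASE" --armor --output "$WORK/keys.asc" --export-secret-keys "$FPR"
    # Step 3: symmetric encryption under a second, independent passphrase; only this
    # ciphertext goes into the public repository (Steps 4 and 5)
    gpg_np "$LOCAL_HOME" "$ARCHIVE_PASSPHRASE" --symmetric --cipher-algo AES256 \
        --output "$WORK/phar/keys.asc.gpg" "$WORK/keys.asc"
    rm -f "$WORK/keys.asc"
}

ci_sign_artifact() {
    # What the release workflow does on the runner: decrypt the committed key with the
    # archive passphrase secret, import it, sign the artifact, discard the plaintext.
    RUNNER_HOME="$WORK/runner-gnupg"
    mkdir -p "$RUNNER_HOME"
    chmod 700 "$RUNNER_HOME"
    printf 'constructed stand-in for the built trap.phar\n' > "$WORK/trap.phar"
    gpg_np "$RUNNER_HOME" "$ARCHIVE_PASSPHRASE" --output "$RUNNER_HOME/keys.asc" --decrypt "$WORK/phar/keys.asc.gpg"
    gpg_np "$RUNNER_HOME" "$KEY_PASSPHRASE" --import "$RUNNER_HOME/keys.asc"
    rm -f "$RUNNER_HOME/keys.asc"
    # Detached, ASCII-armored signature shipped next to the PHAR
    gpg_np "$RUNNER_HOME" "$KEY_PASSPHRASE" --local-user "$FPR" --armor \
        --output "$WORK/trap.phar.asc" --detach-sign "$WORK/trap.phar"
}

verify_artifact() {
    # verify_artifact <artifact> <signature>: consumer side, holding only the public key.
    # Returns 0 for a good signature, non-zero if the artifact or signature was altered.
    VERIFY_HOME="$WORK/verify-gnupg"
    mkdir -p "$VERIFY_HOME"
    chmod 700 "$VERIFY_HOME"
    GNUPGHOME="$VERIFY_HOME" gpg --batch --import "$WORK/public.asc" 2>/dev/null
    GNUPGHOME="$VERIFY_HOME" gpg --batch --verify "$2" "$1" 2>/dev/null
}

stop_agents() {
    # gpg starts one agent per GNUPGHOME; shut them down so the temp dirs can be removed
    for h in "$LOCAL_HOME" "$RUNNER_HOME" "$VERIFY_HOME"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    done
}

run_demo() {
    prepare_signing_key
    ci_sign_artifact
    verify_artifact "$WORK/trap.phar" "$WORK/trap.phar.asc"
    echo "good signature: $WORK/trap.phar.asc verifies against public.asc"
    # A modified artifact must fail verification; that is the tampering the guide guards against
    cp "$WORK/trap.phar" "$WORK/trap-tampered.phar"
    printf 'x' >> "$WORK/trap-tampered.phar"
    if verify_artifact "$WORK/trap-tampered.phar" "$WORK/trap.phar.asc"; then
        echo "tampered artifact unexpectedly verified"; return 1
    fi
    echo "tampered artifact rejected as expected"
    stop_agents
}

run_demo
```

Run it with `sh` on a machine that has GnuPG 2.x; it prints the good-signature and tampered-rejected lines and leaves the generated files under the temp directory. Two details carry over to the real workflow: the archive passphrase and the key passphrase are deliberately different, so the committed phar/keys.asc.gpg is useless without one secret and the imported key is useless without the other, and the plaintext private key is removed the moment it has been encrypted or imported, which is also why the guide's later advice to avoid auto-commit actions matters: nothing should be able to write the runner's working tree back into the repository after that decrypt step.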