Skip to content

Improve and extend the security checklist #8129

Improve and extend the security checklist

Improve and extend the security checklist #8129

Workflow file for this run

name: "Build & test documentation"
on:
push:
branches:
- master
- "[0-9]+.[0-9]+"
pull_request: ~
jobs:
build:
permissions:
# Give the default GITHUB_TOKEN write permission to commit and push the
# added or changed files to the repository.
contents: write
runs-on: ubuntu-latest
strategy:
matrix:
python-version: [3.8]
steps:
- uses: actions/checkout@v4
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v3
with:
python-version: ${{ matrix.python-version }}
- uses: "ramsey/composer-install@v3"
with:
working-directory: "tools/php-cs-fixer"
dependency-versions: highest
- name: Run PHP CS Fixer
run: tools/php-cs-fixer/vendor/bin/php-cs-fixer fix --config=.php-cs-fixer.php -v --show-progress=dots
- name: Commit changes
uses: stefanzweifel/git-auto-commit-action@v4
with:
commit_message: PHP CS Fixes
- name: Install dependencies
run: |
python -m pip install --upgrade pip
if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
- name: Run build
run: |
mkdocs build --strict
vale-check:
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- uses: actions/checkout@v4
- name: Get Vale.sh configs
env:
TOKEN: ${{ secrets.EZROBOT_PAT }}
run: |
curl -H "Authorization: token $TOKEN" -L https://github.com/ibexa/vale-styles/archive/refs/heads/main.zip -o vale.zip
unzip vale.zip
rm vale.zip
mv vale-styles-main/* vale-styles-main/.vale.ini .
- name: Run Vale.sh
uses: errata-ai/vale-action@reviewdog
with:
reporter: github-check
filter_mode: added
code-samples:
name: Validate code samples
runs-on: "ubuntu-22.04"
strategy:
matrix:
php:
- "8.3"
steps:
- uses: actions/checkout@v4
- name: Setup PHP Action
uses: shivammathur/setup-php@v2
with:
php-version: ${{ matrix.php }}
coverage: none
extensions: "pdo_sqlite, gd"
tools: cs2pr
- name: Add composer keys for private packagist
run: |
composer config http-basic.updates.ibexa.co $SATIS_NETWORK_KEY $SATIS_NETWORK_TOKEN
composer config github-oauth.github.com $TRAVIS_GITHUB_TOKEN
env:
SATIS_NETWORK_KEY: ${{ secrets.SATIS_NETWORK_KEY }}
SATIS_NETWORK_TOKEN: ${{ secrets.SATIS_NETWORK_TOKEN }}
TRAVIS_GITHUB_TOKEN: ${{ secrets.TRAVIS_GITHUB_TOKEN }}
- uses: ramsey/composer-install@v3
with:
dependency-versions: highest
- name: Run PHPStan analysis
run: composer phpstan
code-samples-inclusion-check:
name: Check code samples inclusion
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
permissions:
# Needed to manage the comment
pull-requests: write
steps:
- name: List modified files
id: list
run: |
URL="https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/files"
echo 'CODE_SAMPLES_CHANGE<<CODE_SAMPLES_CHANGE_DELIMITER' >> "$GITHUB_OUTPUT"
curl -s -X GET -G $URL | jq -r '.[] | .filename,.previous_filename' | grep '^code_samples/' | tr '\n' ' ' >> "$GITHUB_OUTPUT"
echo '' >> "$GITHUB_OUTPUT"
echo 'CODE_SAMPLES_CHANGE_DELIMITER' >> "$GITHUB_OUTPUT"
- name: Checkout target branch (base_ref)
if: steps.list.outputs.CODE_SAMPLES_CHANGE != ''
uses: actions/checkout@v3
with:
ref: ${{ github.base_ref }}
- name: Log target branch code_samples usage
if: steps.list.outputs.CODE_SAMPLES_CHANGE != ''
run: |
git fetch origin
git checkout origin/${{ github.head_ref }} -- tools/code_samples/code_samples_usage.php
php tools/code_samples/code_samples_usage.php ${{ steps.list.outputs.CODE_SAMPLES_CHANGE }} > $HOME/code_samples_usage_target.txt
- name: Checkout source branch (head_ref)
if: steps.list.outputs.CODE_SAMPLES_CHANGE != ''
uses: actions/checkout@v3
with:
ref: ${{ github.head_ref }}
- name: Log source branch code_samples usage
if: steps.list.outputs.CODE_SAMPLES_CHANGE != ''
run: php tools/code_samples/code_samples_usage.php ${{ steps.list.outputs.CODE_SAMPLES_CHANGE }} > $HOME/code_samples_usage_source.txt
- name: Compare code_samples usages (diff --unified)
if: steps.list.outputs.CODE_SAMPLES_CHANGE != ''
# diff returns 1 if there is a difference, this is normal but seen as an error by the job.
continue-on-error: true
run: |
source_length=`wc -l < $HOME/code_samples_usage_source.txt`
target_length=`wc -l < $HOME/code_samples_usage_target.txt`
diff -U $(( source_length > target_length ? source_length : target_length )) $HOME/code_samples_usage_target.txt $HOME/code_samples_usage_source.txt > $HOME/code_samples_usage.diff
- name: Check for differences
id: diff
if: steps.list.outputs.CODE_SAMPLES_CHANGE != ''
run: |
echo "CODE_SAMPLES_DIFF=$(wc -l < $HOME/code_samples_usage.diff | xargs)" >> "$GITHUB_OUTPUT"
- name: Convert code_samples usages differences (diff2html)
if: steps.list.outputs.CODE_SAMPLES_CHANGE != '' && steps.diff.outputs.CODE_SAMPLES_DIFF != '0'
run: |
npm install -g diff2html-cli
diff2html -f html -s side -t 'code_samples/ changes report' --su hidden --fct false -o stdout -i file -- $HOME/code_samples_usage.diff > $HOME/code_samples_usage.diff.html
- name: Upload code_samples usages differences artifact
id: artifact
if: steps.list.outputs.CODE_SAMPLES_CHANGE != '' && steps.diff.outputs.CODE_SAMPLES_DIFF != '0'
uses: actions/upload-artifact@v4
with:
name: code_samples_usage.diff.html
path: ~/code_samples_usage.diff.html
overwrite: true
- name: Convert code_samples usages for comment
if: steps.list.outputs.CODE_SAMPLES_CHANGE != '' && steps.diff.outputs.CODE_SAMPLES_DIFF != '0'
run: |
echo '# code_samples/ change report' >> code_samples_usage.diff.md
echo '' >> code_samples_usage.diff.md
php tools/code_samples/code_samples_usage_diff2html.php $HOME/code_samples_usage.diff >> code_samples_usage.diff.md
echo '<a href="${{ steps.artifact.outputs.artifact-url }}">Download colorized diff</a>' >> code_samples_usage.diff.md
- name: Find Comment
id: find-comment
uses: peter-evans/find-comment@v3
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: 'github-actions[bot]'
body-includes: 'code_samples/ change report'
- name: Delete comment
if: steps.find-comment.outputs.comment-id != ''
uses: actions/github-script@v6
with:
script: |
github.rest.issues.deleteComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: ${{ steps.find-comment.outputs.comment-id }}
})
- name: Create comment
if: steps.list.outputs.CODE_SAMPLES_CHANGE != '' && steps.diff.outputs.CODE_SAMPLES_DIFF != '0'
uses: peter-evans/create-or-update-comment@v4
with:
issue-number: ${{ github.event.pull_request.number }}
body-path: code_samples_usage.diff.md
edit-mode: replace