ci: workflow updates

wayofdev · Aug 1, 2024 · 9d0956b · 9d0956b
1 parent a61a958
commit 9d0956b
Show file tree

Hide file tree

Showing 4 changed files with 100 additions and 9 deletions.
diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml
@@ -24,7 +24,7 @@ jobs:
       pull-requests: read
     steps:
       - name: 📦 Check out the codebase
-        uses: actions/[email protected].6
+        uses: actions/[email protected].7
 
       - name: 🧐 Lint commits using "commitlint"
         uses: wagoid/[email protected]
@@ -45,7 +45,7 @@ jobs:
       pull-requests: read
     steps:
       - name: 📦 Check out the codebase
-        uses: actions/[email protected].6
+        uses: actions/[email protected].7
 
       - name: 🧐 Lint YAML files
         uses: ibiqlik/[email protected]
@@ -62,7 +62,7 @@ jobs:
       group: markdown-linting-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
     steps:
       - name: 📦 Check out the codebase
-        uses: actions/[email protected].6
+        uses: actions/[email protected].7
 
       - name: 🧐 Lint Markdown files
         uses: DavidAnson/[email protected]
@@ -92,7 +92,7 @@ jobs:
       contents: write
     steps:
       - name: 🛠️ Setup PHP
-        uses: shivammathur/setup-php@2.30.5
+        uses: shivammathur/setup-php@2.31.1
         with:
           php-version: ${{ matrix.php-version }}
           extensions: none, ctype, dom, json, mbstring, simplexml, tokenizer, xml, xmlwriter, pdo, curl, fileinfo, pdo_mysql, sockets
@@ -101,7 +101,7 @@ jobs:
           tools: phive
 
       - name: 📦 Check out the codebase
-        uses: actions/[email protected].6
+        uses: actions/[email protected].7
 
       - name: 🛠️ Setup problem matchers
         run: |
@@ -162,15 +162,15 @@ jobs:
           git config --global core.eol lf
 
       - name: 🛠️ Setup PHP
-        uses: shivammathur/setup-php@2.30.5
+        uses: shivammathur/setup-php@2.31.1
         with:
           php-version: ${{ matrix.php-version }}
           extensions: none, ctype, dom, json, mbstring, simplexml, tokenizer, xml, xmlwriter, pdo, curl, fileinfo, pdo_mysql, decimal
           ini-values: error_reporting=E_ALL
           coverage: none
 
       - name: 📦 Check out the codebase
-        uses: actions/[email protected].6
+        uses: actions/[email protected].7
 
       - name: 🛠️ Setup problem matchers
         run: |

diff --git a/.github/workflows/refactoring.yml b/.github/workflows/refactoring.yml
@@ -35,10 +35,10 @@ jobs:
           - locked
     steps:
       - name: 📦 Check out the codebase
-        uses: actions/[email protected].6
+        uses: actions/[email protected].7
 
       - name: 🛠️ Setup PHP
-        uses: shivammathur/setup-php@2.30.5
+        uses: shivammathur/setup-php@2.31.1
         with:
           php-version: ${{ matrix.php-version }}
           extensions: none, ctype, dom, json, mbstring, simplexml, tokenizer, xml, xmlwriter, pdo, curl, fileinfo, pdo_mysql, sockets

diff --git a/.github/workflows/security-analysis.yml b/.github/workflows/security-analysis.yml
@@ -0,0 +1,68 @@
+---
+
+on:  # yamllint disable-line rule:truthy
+  pull_request:
+    branches:
+      - master
+      - develop
+
+name: 🔐 Security analysis
+
+env:
+  # Disable docker support in Makefile
+  APP_RUNNER: 'cd app &&'
+
+jobs:
+  security-analysis:
+    timeout-minutes: 4
+    runs-on: ${{ matrix.os }}
+    concurrency:
+      cancel-in-progress: true
+      group: security-analysis-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+    strategy:
+      fail-fast: true
+      matrix:
+        os:
+          - ubuntu-latest
+        php-version:
+          - '8.3'
+        dependencies:
+          - locked
+    steps:
+      - name: 📦 Check out the codebase
+        uses: actions/[email protected]
+
+      - name: 🛠️ Setup PHP
+        uses: shivammathur/[email protected]
+        with:
+          php-version: ${{ matrix.php-version }}
+          extensions: none, ctype, dom, json, mbstring, simplexml, tokenizer, xml, xmlwriter, pdo, curl, fileinfo, sockets
+          ini-values: error_reporting=E_ALL
+          coverage: none
+
+      - name: 🛠️ Setup problem matchers
+        run: echo "::add-matcher::${{ runner.tool_cache }}/php.json"
+
+      - name: 🤖 Validate composer.json and composer.lock
+        run: make validate-composer
+
+      - name: 🔍 Get composer cache directory
+        uses: wayofdev/gh-actions/actions/composer/[email protected]
+        with:
+          working-directory: app
+
+      - name: ♻️ Restore cached dependencies installed with composer
+        uses: actions/[email protected]
+        with:
+          path: ${{ env.COMPOSER_CACHE_DIR }}
+          key: php-${{ matrix.php-version }}-composer-${{ matrix.dependencies }}-${{ hashFiles('composer.lock') }}
+          restore-keys: php-${{ matrix.php-version }}-composer-${{ matrix.dependencies }}-
+
+      - name: 📥 Install "${{ matrix.dependencies }}" dependencies with composer
+        uses: wayofdev/gh-actions/actions/composer/[email protected]
+        with:
+          working-directory: app
+          dependencies: ${{ matrix.dependencies }}
+
+      - name: 🐛 Check installed packages for security vulnerability advisories
+        run: make lint-audit
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
@@ -0,0 +1,23 @@
+---
+
+on:  # yamllint disable-line rule:truthy
+  pull_request:
+    branches:
+      - master
+      - develop
+
+name: 🐞 Differential shell-check
+
+permissions:
+  contents: read
+
+jobs:
+  shellcheck:
+    uses: wayofdev/gh-actions/.github/workflows/[email protected]
+    with:
+      os: ubuntu-latest
+      severity: warning
+    secrets:
+      token: ${{ secrets.GITHUB_TOKEN }}
+
+...