From a3e6da0beb3c2ce27394514b3e67e499b147981c Mon Sep 17 00:00:00 2001
From: lotyp
Date: Thu, 1 Aug 2024 21:25:04 +0300
Subject: [PATCH] ci: workflow updates
---
 .github/workflows/coding-standards.yml | 14 ++---
 .github/workflows/refactoring.yml | 4 +-
 .github/workflows/security-analysis.yml | 68 +++++++++++++++++++++++++
 .github/workflows/shellcheck.yml | 23 +++++++++
 4 files changed, 100 insertions(+), 9 deletions(-)
 create mode 100644 .github/workflows/security-analysis.yml
 create mode 100644 .github/workflows/shellcheck.yml
diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml
index ad74399..4a1fe7b 100644
--- a/.github/workflows/coding-standards.yml
+++ b/.github/workflows/coding-standards.yml
@@ -24,7 +24,7 @@ jobs:
 pull-requests: read
 steps:
 - name: 📦 Check out the codebase
- uses: actions/checkout@v4.1.6
+ uses: actions/checkout@v4.1.7
 - name: 🧐 Lint commits using "commitlint"
 uses: wagoid/commitlint-github-action@v6.0.1
@@ -45,7 +45,7 @@ jobs:
 pull-requests: read
 steps:
 - name: 📦 Check out the codebase
- uses: actions/checkout@v4.1.6
+ uses: actions/checkout@v4.1.7
 - name: 🧐 Lint YAML files
 uses: ibiqlik/action-yamllint@v3.1.1
@@ -62,7 +62,7 @@ jobs:
 group: markdown-linting-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 steps:
 - name: 📦 Check out the codebase
- uses: actions/checkout@v4.1.6
+ uses: actions/checkout@v4.1.7
 - name: 🧐 Lint Markdown files
 uses: DavidAnson/markdownlint-cli2-action@v16.0.0
@@ -92,7 +92,7 @@ jobs:
 contents: write
 steps:
 - name: 🛠️ Setup PHP
- uses: shivammathur/setup-php@2.30.5
+ uses: shivammathur/setup-php@2.31.1
 with:
 php-version: ${{ matrix.php-version }}
 extensions: none, ctype, dom, json, mbstring, simplexml, tokenizer, xml, xmlwriter, pdo, curl, fileinfo, pdo_mysql, sockets
@@ -101,7 +101,7 @@ jobs:
 tools: phive
 - name: 📦 Check out the codebase
- uses: actions/checkout@v4.1.6
+ uses: actions/checkout@v4.1.7
 - name: 🛠️ Setup problem matchers
 run: |
@@ -162,7 +162,7 @@ jobs:
 git config --global core.eol lf
 - name: 🛠️ Setup PHP
- uses: shivammathur/setup-php@2.30.5
+ uses: shivammathur/setup-php@2.31.1
 with:
 php-version: ${{ matrix.php-version }}
 extensions: none, ctype, dom, json, mbstring, simplexml, tokenizer, xml, xmlwriter, pdo, curl, fileinfo, pdo_mysql, decimal
@@ -170,7 +170,7 @@ jobs:
 coverage: none
 - name: 📦 Check out the codebase
- uses: actions/checkout@v4.1.6
+ uses: actions/checkout@v4.1.7
 - name: 🛠️ Setup problem matchers
 run: |
diff --git a/.github/workflows/refactoring.yml b/.github/workflows/refactoring.yml
index dbcbecd..b40a8cf 100644
--- a/.github/workflows/refactoring.yml
+++ b/.github/workflows/refactoring.yml
@@ -35,10 +35,10 @@ jobs:
 - locked
 steps:
 - name: 📦 Check out the codebase
- uses: actions/checkout@v4.1.6
+ uses: actions/checkout@v4.1.7
 - name: 🛠️ Setup PHP
- uses: shivammathur/setup-php@2.30.5
+ uses: shivammathur/setup-php@2.31.1
 with:
 php-version: ${{ matrix.php-version }}
 extensions: none, ctype, dom, json, mbstring, simplexml, tokenizer, xml, xmlwriter, pdo, curl, fileinfo, pdo_mysql, sockets
diff --git a/.github/workflows/security-analysis.yml b/.github/workflows/security-analysis.yml
new file mode 100644
index 0000000..3154734
--- /dev/null
+++ b/.github/workflows/security-analysis.yml
@@ -0,0 +1,68 @@
+---
+
+on: # yamllint disable-line rule:truthy
+ pull_request:
+ branches:
+ - master
+ - develop
+
+name: 🔐 Security analysis
+
+env:
+ # Disable docker support in Makefile
+ APP_RUNNER: 'cd app &&'
+
+jobs:
+ security-analysis:
+ timeout-minutes: 4
+ runs-on: ${{ matrix.os }}
+ concurrency:
+ cancel-in-progress: true
+ group: security-analysis-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ strategy:
+ fail-fast: true
+ matrix:
+ os:
+ - ubuntu-latest
+ php-version:
+ - '8.3'
+ dependencies:
+ - locked
+ steps:
+ - name: 📦 Check out the codebase
+ uses: actions/checkout@v4.1.7
+
+ - name: 🛠️ Setup PHP
+ uses: shivammathur/setup-php@2.31.1
+ with:
+ php-version: ${{ matrix.php-version }}
+ extensions: none, ctype, dom, json, mbstring, simplexml, tokenizer, xml, xmlwriter, pdo, curl, fileinfo
+ ini-values: error_reporting=E_ALL
+ coverage: none
+
+ - name: 🛠️ Setup problem matchers
+ run: echo "::add-matcher::${{ runner.tool_cache }}/php.json"
+
+ - name: 🤖 Validate composer.json and composer.lock
+ run: make validate-composer
+
+ - name: 🔍 Get composer cache directory
+ uses: wayofdev/gh-actions/actions/composer/get-cache-directory@v3.1.1
+ with:
+ working-directory: app
+
+ - name: ♻️ Restore cached dependencies installed with composer
+ uses: actions/cache@v4.0.2
+ with:
+ path: ${{ env.COMPOSER_CACHE_DIR }}
+ key: php-${{ matrix.php-version }}-composer-${{ matrix.dependencies }}-${{ hashFiles('composer.lock') }}
+ restore-keys: php-${{ matrix.php-version }}-composer-${{ matrix.dependencies }}-
+
+ - name: 📥 Install "${{ matrix.dependencies }}" dependencies with composer
+ uses: wayofdev/gh-actions/actions/composer/install@v3.1.1
+ with:
+ working-directory: app
+ dependencies: ${{ matrix.dependencies }}
+
+ - name: 🐛 Check installed packages for security vulnerability advisories
+ run: make lint-audit
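Review bot: The new security-analysis workflow declares no top-level `permissions:` block, so its GITHUB_TOKEN receives the repository's default scopes although every step only reads the checkout; the shellcheck.yml added in this same commit sets `permissions:` / `  contents: read`, and the same two lines belong under `name:` here. Since this is the job that surfaces advisories for the locked dependencies, a `pull_request`-only trigger means an advisory published after the last PR is not noticed until someone opens another one; adding `schedule:` / `  - cron: '0 6 * * 1'` (and `workflow_dispatch:`) under `on:` closes that gap. The cache key calls `hashFiles('composer.lock')` against the repository root, while `working-directory: app` and `APP_RUNNER: 'cd app &&'` suggest the lock file lives under `app/`; if so the hash is empty and the key never changes, and `hashFiles('app/composer.lock')` is presumably what was intended. Every action is pinned to a mutable tag; for a workflow whose purpose is security, pinning to a full commit SHA with the version kept in a trailing comment is the usual hardening.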
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
new file mode 100644
index 0000000..ea848d6
--- /dev/null
+++ b/.github/workflows/shellcheck.yml
@@ -0,0 +1,23 @@
+---
+
+on: # yamllint disable-line rule:truthy
+ pull_request:
+ branches:
+ - master
+ - develop
+
+name: 🐞 Differential shell-check
+
+permissions:
+ contents: read
+
+jobs:
+ shellcheck:
+ uses: wayofdev/gh-actions/.github/workflows/shellcheck.yml@v3.1.1
+ with:
+ os: ubuntu-latest
+ severity: warning
+ secrets:
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+...
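Review bot: The `uses:` line hands `secrets.GITHUB_TOKEN` to a third-party reusable workflow pinned only by the mutable tag `@v3.1.1`, so whoever can move that tag in wayofdev/gh-actions decides what code runs with this repository's token; pinning to the full commit SHA, `uses: wayofdev/gh-actions/.github/workflows/shellcheck.yml@<commit-sha> # v3.1.1`, removes that reliance on tag immutability. The explicit `permissions:` / `contents: read` is the right least-privilege default and also bounds what the called workflow can do with the passed token, provided it does not need to write PR annotations for a "differential" check — worth confirming against the reusable workflow's own `permissions` before relying on it.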