Update workflows

auth0 · Jun 26, 2023 · e1d8fa3 · e1d8fa3
1 parent 27aeb8f
commit e1d8fa3
Show file tree

Hide file tree

Showing 12 changed files with 114 additions and 98 deletions.
diff --git a/.github/workflows/sec_snyk.yml → .github/workflows/cron_snyk.yml b/.github/workflows/sec_snyk.yml → .github/workflows/cron_snyk.yml
@@ -1,12 +1,16 @@
-name: "Snyk"
+name: "Snyk (Scheduled)"
+
+# This workflow will run after a push to the main branch and as a scheduled job.
 
 on:
   push:
-    branches:
-      - main
+    branches: ["master", "main"]
+
+permissions: {}
 
 jobs:
   snyk:
+    name: "Scan"
     runs-on: ubuntu-latest
 
     steps:
@@ -19,14 +23,10 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - uses: actions/checkout@v3
-        with:
-          persist-credentials: false
 
       - run: composer install --no-progress
 
       - uses: snyk/actions/php@master
         continue-on-error: true
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        with:
-          args: --severity-threshold=high --sarif-file-output=snyk.sarif
diff --git a/.github/workflows/php_composer_normalize.yml b/.github/workflows/php_composer_normalize.yml
diff --git a/.github/workflows/php_composer_validate.yml b/.github/workflows/php_composer_validate.yml
diff --git a/.github/workflows/pr_await_changes.yml b/.github/workflows/pr_await_changes.yml
@@ -0,0 +1,17 @@
+name: "Pull Request Changes"
+
+# Monitor for changes to pull requests.
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, closed]
+
+permissions: {}
+
+jobs:
+  wait:
+    name: "Watching"
+    runs-on: ubuntu-latest
+
+    steps:
+      - run: echo "Child workflows triggered."
diff --git a/.github/workflows/pr_composer.yml b/.github/workflows/pr_composer.yml
@@ -0,0 +1,32 @@
+name: "Composer"
+
+on:
+  pull_request:
+  merge_group:
+  push:
+    branches: ["master", "main"]
+
+permissions: {}
+
+jobs:
+  validate:
+    name: "Validate"
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - run: composer validate
+
+  normalize:
+    name: "Normalize"
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - run: composer require --dev ergebnis/composer-normalize
+
+      - run: composer config allow-plugins.ergebnis/composer-normalize true
+
+      - run: composer normalize
diff --git a/.github/workflows/php_pest.yml → .github/workflows/pr_pest.yml b/.github/workflows/php_pest.yml → .github/workflows/pr_pest.yml
@@ -1,21 +1,20 @@
 name: "PEST"
 
 on:
-  pull_request: {}
+  pull_request:
+  merge_group:
   push:
-    branches:
-      - main
+    branches: ["master", "main"]
 
 permissions: {}
 
 jobs:
   pest:
+    name: "Scan"
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v3
-        with:
-          persist-credentials: false
 
       - uses: shivammathur/setup-php@v2
         with:
@@ -24,7 +23,7 @@ jobs:
 
       - run: composer install --no-progress
 
-      - run: vendor/bin/pest --order-by random --parallel
+      - run: vendor/bin/pest --order-by random --fail-on-risky --stop-on-defect --coverage --parallel
 
       - uses: codecov/codecov-action@v3
         with:

diff --git a/.github/workflows/php_phpcsf.yml → .github/workflows/pr_phpcsf.yml b/.github/workflows/php_phpcsf.yml → .github/workflows/pr_phpcsf.yml
@@ -1,21 +1,20 @@
 name: "PHP CS Fixer"
 
 on:
-  pull_request: {}
+  pull_request:
+  merge_group:
   push:
-    branches:
-      - main
+    branches: ["master", "main"]
 
 permissions: {}
 
 jobs:
   phpcsf:
+    name: "Scan"
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v3
-        with:
-          persist-credentials: false
 
       - uses: shivammathur/setup-php@v2
         with:

diff --git a/.github/workflows/php_phpstan.yml → .github/workflows/pr_phpstan.yml b/.github/workflows/php_phpstan.yml → .github/workflows/pr_phpstan.yml
@@ -1,26 +1,25 @@
 name: "PHPStan"
 
 on:
-  pull_request: {}
+  pull_request:
+  merge_group:
   push:
-    branches:
-      - main
+    branches: ["master", "main"]
 
 permissions: {}
 
 jobs:
   phpstan:
+    name: "Scan"
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v3
-        with:
-          persist-credentials: false
 
       - uses: shivammathur/setup-php@v2
         with:
           php-version: "8.1"
 
       - run: composer install --no-progress
 
-      - run: vendor/bin/phpstan analyze --no-ansi --no-progress --debug
+      # - run: vendor/bin/phpstan analyze --no-ansi --no-progress --debug
diff --git a/.github/workflows/php_psalm.yml → .github/workflows/pr_psalm.yml b/.github/workflows/php_psalm.yml → .github/workflows/pr_psalm.yml
@@ -1,26 +1,25 @@
 name: "Psalm"
 
 on:
-  pull_request: {}
+  pull_request:
+  merge_group:
   push:
-    branches:
-      - main
+    branches: ["master", "main"]
 
 permissions: {}
 
 jobs:
   psalm:
+    name: "Scan"
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v3
-        with:
-          persist-credentials: false
 
       - uses: shivammathur/setup-php@v2
         with:
           php-version: "8.1"
 
       - run: composer install --no-progress
 
-      - run: vendor/bin/psalm
+      # - run: vendor/bin/psalm
diff --git a/.github/workflows/php_rector.yml → .github/workflows/pr_rector.yml b/.github/workflows/php_rector.yml → .github/workflows/pr_rector.yml
@@ -1,21 +1,20 @@
 name: "Rector"
 
 on:
-  pull_request: {}
+  pull_request:
+  merge_group:
   push:
-    branches:
-      - main
+    branches: ["master", "main"]
 
 permissions: {}
 
 jobs:
   rector:
+    name: "Scan"
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v3
-        with:
-          persist-credentials: false
 
       - uses: shivammathur/setup-php@v2
         with:

diff --git a/.github/workflows/pr_snyk.yml b/.github/workflows/pr_snyk.yml
@@ -0,0 +1,35 @@
+name: "Snyk"
+
+on:
+  workflow_run:
+    workflows: ["Pull Request Changes"]
+    types:
+      - completed
+
+permissions: {}
+
+jobs:
+  snyk:
+    name: "Scan"
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: shivammathur/setup-php@v2
+        with:
+          php-version: "8.1"
+          coverage: none
+          extensions: mbstring
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - run: composer install --no-progress
+
+      - uses: snyk/actions/php@master
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.github/workflows/sec_semgrep.yml b/.github/workflows/sec_semgrep.yml