From e1d8fa3137680899d3472c344572fcb91da2c85b Mon Sep 17 00:00:00 2001 From: Evan Sims Date: Mon, 26 Jun 2023 02:51:13 -0500 Subject: [PATCH] Update workflows --- .../workflows/{sec_snyk.yml => cron_snyk.yml} | 14 ++++---- .github/workflows/php_composer_normalize.yml | 20 ----------- .github/workflows/php_composer_validate.yml | 20 ----------- .github/workflows/pr_await_changes.yml | 17 +++++++++ .github/workflows/pr_composer.yml | 32 +++++++++++++++++ .../workflows/{php_pest.yml => pr_pest.yml} | 11 +++--- .../{php_phpcsf.yml => pr_phpcsf.yml} | 9 +++-- .../{php_phpstan.yml => pr_phpstan.yml} | 11 +++--- .../workflows/{php_psalm.yml => pr_psalm.yml} | 11 +++--- .../{php_rector.yml => pr_rector.yml} | 9 +++-- .github/workflows/pr_snyk.yml | 35 +++++++++++++++++++ .github/workflows/sec_semgrep.yml | 23 ------------ 12 files changed, 114 insertions(+), 98 deletions(-) rename .github/workflows/{sec_snyk.yml => cron_snyk.yml} (73%) delete mode 100644 .github/workflows/php_composer_normalize.yml delete mode 100644 .github/workflows/php_composer_validate.yml create mode 100644 .github/workflows/pr_await_changes.yml create mode 100644 .github/workflows/pr_composer.yml rename .github/workflows/{php_pest.yml => pr_pest.yml} (68%) rename .github/workflows/{php_phpcsf.yml => pr_phpcsf.yml} (77%) rename .github/workflows/{php_phpstan.yml => pr_phpstan.yml} (61%) rename .github/workflows/{php_psalm.yml => pr_psalm.yml} (67%) rename .github/workflows/{php_rector.yml => pr_rector.yml} (76%) create mode 100644 .github/workflows/pr_snyk.yml delete mode 100644 .github/workflows/sec_semgrep.yml diff --git a/.github/workflows/sec_snyk.yml b/.github/workflows/cron_snyk.yml similarity index 73% rename from .github/workflows/sec_snyk.yml rename to .github/workflows/cron_snyk.yml index 9a9fa1b4..fdf3f658 100644 --- a/.github/workflows/sec_snyk.yml +++ b/.github/workflows/cron_snyk.yml 
@@ -1,12 +1,16 @@ -name: "Snyk" +name: "Snyk (Scheduled)" + +# This workflow will run after a push to the main branch and as a scheduled job. on: push: - branches: - - main + branches: ["master", "main"] + +permissions: {} jobs: snyk: + name: "Scan" runs-on: ubuntu-latest steps: @@ -19,8 +23,6 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - uses: actions/checkout@v3 - with: - persist-credentials: false - run: composer install --no-progress @@ -28,5 +30,3 @@ jobs: continue-on-error: true env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - args: --severity-threshold=high --sarif-file-output=snyk.sarif diff --git a/.github/workflows/php_composer_normalize.yml b/.github/workflows/php_composer_normalize.yml deleted file mode 100644 index 95c696c0..00000000 --- a/.github/workflows/php_composer_normalize.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: "Composer Normalize" - -on: - pull_request: {} - push: - branches: - - main - -permissions: {} - -jobs: - normalize: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - with: - persist-credentials: false - - - uses: docker://ergebnis/composer-normalize-action diff --git a/.github/workflows/php_composer_validate.yml b/.github/workflows/php_composer_validate.yml deleted file mode 100644 index 487d814b..00000000 --- a/.github/workflows/php_composer_validate.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: "Composer Validate" - -on: - pull_request: {} - push: - branches: - - main - -permissions: {} - -jobs: - validate: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - with: - persist-credentials: false - - - run: composer validate diff --git a/.github/workflows/pr_await_changes.yml b/.github/workflows/pr_await_changes.yml new file mode 100644 index 00000000..4c650b23 --- /dev/null +++ b/.github/workflows/pr_await_changes.yml 
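Review bot: The hunk at -19,8 drops `persist-credentials: false` from the checkout step, so the job token is left in the runner's local git config for the rest of the job; the same removal is made in pr_pest.yml, pr_phpcsf.yml, pr_phpstan.yml, pr_psalm.yml and pr_rector.yml. None of these jobs push or otherwise need the credential after checkout, so the `with:` / `persist-credentials: false` lines should stay. Separately, the header comment added in the first hunk says the workflow runs "as a scheduled job", but the `on:` block in that same hunk contains only `push:`; either add a `schedule:` trigger (the file is now named cron_snyk.yml) or reword the comment. The third hunk also drops `--severity-threshold=high --sarif-file-output=snyk.sarif`; with `continue-on-error: true` already on the step and no SARIF upload, findings are now visible only in the step log and never surface as a failing check or a code-scanning alert.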
@@ -0,0 +1,17 @@ +name: "Pull Request Changes" + +# Monitor for changes to pull requests. + +on: + pull_request: + types: [opened, synchronize, reopened, closed] + +permissions: {} + +jobs: + wait: + name: "Watching" + runs-on: ubuntu-latest + + steps: + - run: echo "Child workflows triggered." diff --git a/.github/workflows/pr_composer.yml b/.github/workflows/pr_composer.yml new file mode 100644 index 00000000..d24abb7c --- /dev/null +++ b/.github/workflows/pr_composer.yml @@ -0,0 +1,32 @@ +name: "Composer" + +on: + pull_request: + merge_group: + push: + branches: ["master", "main"] + +permissions: {} + +jobs: + validate: + name: "Validate" + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - run: composer validate + + normalize: + name: "Normalize" + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - run: composer require --dev ergebnis/composer-normalize + + - run: composer config allow-plugins.ergebnis/composer-normalize true + + - run: composer normalize diff --git a/.github/workflows/php_pest.yml b/.github/workflows/pr_pest.yml similarity index 68% rename from .github/workflows/php_pest.yml rename to .github/workflows/pr_pest.yml index 9436907b..971b8e4d 100644 --- a/.github/workflows/php_pest.yml +++ b/.github/workflows/pr_pest.yml @@ -1,21 +1,20 @@ name: "PEST" on: - pull_request: {} + pull_request: + merge_group: push: - branches: - - main + branches: ["master", "main"] permissions: {} jobs: pest: + name: "Scan" runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - with: - persist-credentials: false - uses: shivammathur/setup-php@v2 with: @@ -24,7 +23,7 @@ jobs: - run: composer install --no-progress - - run: vendor/bin/pest --order-by random --parallel + - run: vendor/bin/pest --order-by random --fail-on-risky --stop-on-defect --coverage --parallel - uses: codecov/codecov-action@v3 with: 
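Review bot: The `types` list includes `closed`, so every pull request close (including merges) completes this workflow and, via `workflow_run`, starts the Snyk scan in pr_snyk.yml against an already-closed pull request; drop `closed` unless the consumer filters on `github.event.workflow_run` fields. The workflow exists only to act as a `workflow_run` parent, which the comment should say explicitly, e.g. `# Runs on pull request events so that workflow_run consumers (pr_snyk.yml) can execute with base-repository secrets.`, so the single `echo` step is not mistaken for a placeholder.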
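Review bot: In the `normalize` job, `composer normalize` is run without `--dry-run`, so it rewrites composer.json on the runner and exits 0 whether or not the committed file was normalized; the job can never fail, unlike the deleted Composer Normalize workflow it replaces. Use `composer normalize --dry-run` (adding `--diff` makes the expected change visible in the log) so an un-normalized file fails the check. The preceding `composer require --dev ergebnis/composer-normalize` also edits composer.json and composer.lock before the check runs, i.e. it mutates the very file being checked; consider installing the plugin outside the project (e.g. `composer global require`) or using a separate checkout path so the repository file is compared as committed.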
diff --git a/.github/workflows/php_phpcsf.yml b/.github/workflows/pr_phpcsf.yml similarity index 77% rename from .github/workflows/php_phpcsf.yml rename to .github/workflows/pr_phpcsf.yml index dd9bb6c9..753cce81 100644 --- a/.github/workflows/php_phpcsf.yml +++ b/.github/workflows/pr_phpcsf.yml @@ -1,21 +1,20 @@ name: "PHP CS Fixer" on: - pull_request: {} + pull_request: + merge_group: push: - branches: - - main + branches: ["master", "main"] permissions: {} jobs: phpcsf: + name: "Scan" runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - with: - persist-credentials: false - uses: shivammathur/setup-php@v2 with: diff --git a/.github/workflows/php_phpstan.yml b/.github/workflows/pr_phpstan.yml similarity index 61% rename from .github/workflows/php_phpstan.yml rename to .github/workflows/pr_phpstan.yml index aac8c128..55a08587 100644 --- a/.github/workflows/php_phpstan.yml +++ b/.github/workflows/pr_phpstan.yml @@ -1,21 +1,20 @@ name: "PHPStan" on: - pull_request: {} + pull_request: + merge_group: push: - branches: - - main + branches: ["master", "main"] permissions: {} jobs: phpstan: + name: "Scan" runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - with: - persist-credentials: false - uses: shivammathur/setup-php@v2 with: @@ -23,4 +22,4 @@ jobs: - run: composer install --no-progress - - run: vendor/bin/phpstan analyze --no-ansi --no-progress --debug + # - run: vendor/bin/phpstan analyze --no-ansi --no-progress --debug diff --git a/.github/workflows/php_psalm.yml b/.github/workflows/pr_psalm.yml similarity index 67% rename from .github/workflows/php_psalm.yml rename to .github/workflows/pr_psalm.yml index 7e1d0c6b..f1eced08 100644 --- a/.github/workflows/php_psalm.yml +++ b/.github/workflows/pr_psalm.yml 
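Review bot: The hunk at -23,4 comments out the `vendor/bin/phpstan analyze` step, leaving a "PHPStan / Scan" job that checks out, installs dependencies and passes green without analysing anything; the same is done to `vendor/bin/psalm` in pr_psalm.yml. If failures are meant to be tolerated for now, keep the step and mark it `continue-on-error: true` so findings still appear in the log, or remove the workflow until it is re-enabled; a vacuously passing check is easy to mistake for coverage, especially once it is made required. Either way the reason belongs in the comment, e.g. `# TODO(<owner>): re-enable once <blocking issue> is resolved`.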
@@ -1,21 +1,20 @@ name: "Psalm" on: - pull_request: {} + pull_request: + merge_group: push: - branches: - - main + branches: ["master", "main"] permissions: {} jobs: psalm: + name: "Scan" runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - with: - persist-credentials: false - uses: shivammathur/setup-php@v2 with: @@ -23,4 +22,4 @@ jobs: - run: composer install --no-progress - - run: vendor/bin/psalm + # - run: vendor/bin/psalm diff --git a/.github/workflows/php_rector.yml b/.github/workflows/pr_rector.yml similarity index 76% rename from .github/workflows/php_rector.yml rename to .github/workflows/pr_rector.yml index fd0851b1..594ca491 100644 --- a/.github/workflows/php_rector.yml +++ b/.github/workflows/pr_rector.yml @@ -1,21 +1,20 @@ name: "Rector" on: - pull_request: {} + pull_request: + merge_group: push: - branches: - - main + branches: ["master", "main"] permissions: {} jobs: rector: + name: "Scan" runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - with: - persist-credentials: false - uses: shivammathur/setup-php@v2 with: diff --git a/.github/workflows/pr_snyk.yml b/.github/workflows/pr_snyk.yml new file mode 100644 index 00000000..74852bdf --- /dev/null +++ b/.github/workflows/pr_snyk.yml @@ -0,0 +1,35 @@ +name: "Snyk" + +on: + workflow_run: + workflows: ["Pull Request Changes"] + types: + - completed + +permissions: {} + +jobs: + snyk: + name: "Scan" + runs-on: ubuntu-latest + + steps: + - uses: shivammathur/setup-php@v2 + with: + php-version: "8.1" + coverage: none + extensions: mbstring + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + github-token: ${{ secrets.GITHUB_TOKEN }} + + - run: composer install --no-progress + + - uses: snyk/actions/php@master + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 
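Review bot: The checkout step's `ref: ${{ github.event.pull_request.head.sha }}` evaluates to empty under the `workflow_run` trigger this file uses, because that event's payload carries the pull request details under `github.event.workflow_run`, so checkout falls back to the default branch and the pull request's code is never what Snyk scans; use `ref: ${{ github.event.workflow_run.head_sha }}` and gate the job with `if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'`. Note that `workflow_run` jobs execute in the base repository's context with access to its secrets, so once the PR head is checked out, `composer install` runs scripts and plugins defined by that untrusted checkout alongside `SNYK_TOKEN`; prefer `composer install --no-scripts --no-plugins` (the Snyk PHP scan works from composer.lock, so they should not be needed — verify) and keep `persist-credentials: false` on the checkout. `github-token:` does not appear to be an input of actions/checkout (its input is `token`), so that line is likely ignored with a warning and is unnecessary for a public checkout anyway — confirm against the action's action.yml. Finally, `snyk/actions/php@master` is a mutable branch reference; pin it to a release tag or commit SHA like the other actions in this file.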
diff --git a/.github/workflows/sec_semgrep.yml b/.github/workflows/sec_semgrep.yml deleted file mode 100644 index ca1ee291..00000000 --- a/.github/workflows/sec_semgrep.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: "Semgrep" - -on: - push: - branches: - - main - - schedule: - - cron: '30 0 1,15 * *' - -jobs: - semgrep: - runs-on: ubuntu-latest - - container: - image: returntocorp/semgrep - - steps: - - uses: actions/checkout@v3 - - - run: semgrep ci - env: - SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}