From eddb7b48d21f2133c26ef252e73c1f0c04200eef Mon Sep 17 00:00:00 2001 From: Evan Sims Date: Tue, 18 Jul 2023 12:38:55 -0500 Subject: [PATCH] Update GitHub Workflows --- .github/workflows/cron_semgrep.yml | 27 ++++++++++++++++++++++++++ .github/workflows/cron_snyk.yml | 9 ++++++--- .github/workflows/pr_await_changes.yml | 6 +++++- .github/workflows/pr_composer.yml | 3 ++- .github/workflows/pr_pest.yml | 7 ++++--- .github/workflows/pr_phpcsf.yml | 5 +++-- .github/workflows/pr_phpstan.yml | 7 ++++--- .github/workflows/pr_psalm.yml | 7 ++++--- .github/workflows/pr_rector.yml | 5 +++-- .github/workflows/pr_semgrep.yml | 27 ++++++++++++++++++++++++++ .github/workflows/pr_snyk.yml | 4 ++-- 11 files changed, 87 insertions(+), 20 deletions(-) create mode 100644 .github/workflows/cron_semgrep.yml create mode 100644 .github/workflows/pr_semgrep.yml diff --git a/.github/workflows/cron_semgrep.yml b/.github/workflows/cron_semgrep.yml new file mode 100644 index 00000000..314e4ee2 --- /dev/null +++ b/.github/workflows/cron_semgrep.yml @@ -0,0 +1,27 @@ +name: "Semgrep (Scheduled)" + +# This workflow will run after a push to the main branch and as a scheduled job. + +on: + push: + branches: + - main + schedule: + - cron: "30 0 1,15 * *" + +permissions: {} + +jobs: + semgrep: + name: "Scan" + runs-on: ubuntu-latest + + container: + image: returntocorp/semgrep + + steps: + - uses: actions/checkout@v3 + + - run: semgrep ci + env: + SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} diff --git a/.github/workflows/cron_snyk.yml b/.github/workflows/cron_snyk.yml index fdf3f658..339b978d 100644 --- a/.github/workflows/cron_snyk.yml +++ b/.github/workflows/cron_snyk.yml @@ -4,7 +4,10 @@ name: "Snyk (Scheduled)" on: push: - branches: ["master", "main"] + branches: + - main + schedule: + - cron: "30 0 1,15 * *" permissions: {} 
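Review bot: The `container: image: returntocorp/semgrep` line in the new cron_semgrep.yml pulls an unpinned, mutable tag, and `actions/checkout@v3` stays on a tag as well, while the actions this commit otherwise pins (setup-php, snyk, codecov) are fixed to commit SHAs; this job hands SEMGREP_APP_TOKEN and the full source tree to whatever that tag resolves to on the day it runs. Pin the image by digest, `image: returntocorp/semgrep@sha256:<digest>`, and pin checkout the same way as setup-php with a `# pin@<version>` comment so the upgrade path stays visible. Because the job fires on every `push` to main as well as on the cron, a changed or compromised image would be picked up silently on the next merge.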
@@ -14,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: shivammathur/setup-php@v2 + - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 with: php-version: "8.1" coverage: none @@ -26,7 +29,7 @@ jobs: - run: composer install --no-progress - - uses: snyk/actions/php@master + - uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # pin@0.4.0 continue-on-error: true env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} diff --git a/.github/workflows/pr_await_changes.yml b/.github/workflows/pr_await_changes.yml index 4c650b23..0a5c3c60 100644 --- a/.github/workflows/pr_await_changes.yml +++ b/.github/workflows/pr_await_changes.yml @@ -4,7 +4,11 @@ name: "Pull Request Changes" on: pull_request: - types: [opened, synchronize, reopened, closed] + types: + - opened + - synchronize + - reopened + - closed permissions: {} diff --git a/.github/workflows/pr_composer.yml b/.github/workflows/pr_composer.yml index d24abb7c..8e169584 100644 --- a/.github/workflows/pr_composer.yml +++ b/.github/workflows/pr_composer.yml @@ -4,7 +4,8 @@ on: pull_request: merge_group: push: - branches: ["master", "main"] + branches: + - main permissions: {} diff --git a/.github/workflows/pr_pest.yml b/.github/workflows/pr_pest.yml index 971b8e4d..ab851d13 100644 --- a/.github/workflows/pr_pest.yml +++ b/.github/workflows/pr_pest.yml @@ -4,7 +4,8 @@ on: pull_request: merge_group: push: - branches: ["master", "main"] + branches: + - main permissions: {} @@ -16,7 +17,7 @@ jobs: steps: - uses: actions/checkout@v3 - - uses: shivammathur/setup-php@v2 + - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 with: php-version: "8.1" coverage: pcov @@ -25,7 +26,7 @@ jobs: - run: vendor/bin/pest --order-by random --fail-on-risky --stop-on-defect --coverage --parallel - - uses: codecov/codecov-action@v3 + - uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # pin@3.1.4 with: directory: ./coverage/ flags: unittests 
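Review bot: The newly pinned `snyk/actions/php` step in cron_snyk.yml is still wrapped in `continue-on-error: true`, so on this scheduled run a vulnerable dependency, an expired SNYK_TOKEN or a broken action all end the same way: a green workflow with nothing to look at. On a push-to-main/cron workflow there is no pull-request status to keep unblocked, so the soft-fail buys nothing; drop `continue-on-error: true` so the scheduled scan actually alerts when Snyk finds something or cannot run. Any `with:`/`args:` block for this step lies outside the hunk, so it may need the same review.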
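Review bot: In pr_pest.yml the hunk pins `shivammathur/setup-php` to a commit SHA but leaves the adjacent `- uses: actions/checkout@v3` on a mutable tag, so the job's supply-chain posture is only as strong as its least-pinned `uses:`. The same mix is visible in the phpcsf, phpstan, psalm and rector hunks of this patch; pinning checkout once per workflow, `- uses: actions/checkout@<commit-sha> # pin@v3.x`, keeps the policy consistent. If the repository relies on Dependabot to bump actions, confirm that its `github-actions` ecosystem recognises the `# pin@…` comment form used here, otherwise the SHA pins may stop receiving update PRs.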
diff --git a/.github/workflows/pr_phpcsf.yml b/.github/workflows/pr_phpcsf.yml index 753cce81..b80c22e4 100644 --- a/.github/workflows/pr_phpcsf.yml +++ b/.github/workflows/pr_phpcsf.yml @@ -4,7 +4,8 @@ on: pull_request: merge_group: push: - branches: ["master", "main"] + branches: + - main permissions: {} @@ -16,7 +17,7 @@ jobs: steps: - uses: actions/checkout@v3 - - uses: shivammathur/setup-php@v2 + - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 with: php-version: "8.1" diff --git a/.github/workflows/pr_phpstan.yml b/.github/workflows/pr_phpstan.yml index 55a08587..84b0f37b 100644 --- a/.github/workflows/pr_phpstan.yml +++ b/.github/workflows/pr_phpstan.yml @@ -4,7 +4,8 @@ on: pull_request: merge_group: push: - branches: ["master", "main"] + branches: + - main permissions: {} @@ -16,10 +17,10 @@ jobs: steps: - uses: actions/checkout@v3 - - uses: shivammathur/setup-php@v2 + - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 with: php-version: "8.1" - run: composer install --no-progress - # - run: vendor/bin/phpstan analyze --no-ansi --no-progress --debug + - run: vendor/bin/phpstan analyze --no-ansi --no-progress --debug diff --git a/.github/workflows/pr_psalm.yml b/.github/workflows/pr_psalm.yml index f1eced08..d8286eef 100644 --- a/.github/workflows/pr_psalm.yml +++ b/.github/workflows/pr_psalm.yml @@ -4,7 +4,8 @@ on: pull_request: merge_group: push: - branches: ["master", "main"] + branches: + - main permissions: {} @@ -16,10 +17,10 @@ jobs: steps: - uses: actions/checkout@v3 - - uses: shivammathur/setup-php@v2 + - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 with: php-version: "8.1" - run: composer install --no-progress - # - run: vendor/bin/psalm + - run: vendor/bin/psalm diff --git a/.github/workflows/pr_rector.yml b/.github/workflows/pr_rector.yml index 594ca491..66554aae 100644 --- a/.github/workflows/pr_rector.yml 
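Review bot: The re-enabled `- run: vendor/bin/phpstan analyze --no-ansi --no-progress --debug` line in pr_phpstan.yml keeps `--debug`, which PHPStan documents as a troubleshooting switch that disables parallel analysis and the result cache and prints every analysed file, so the gate will be slower and noisier than it needs to be on each pull request. Unless the flag was kept deliberately to expose a hang or crash that the previously commented-out line was hiding, drop it: `- run: vendor/bin/phpstan analyze --no-ansi --no-progress`. If inline findings on the PR are wanted, `--error-format=github` provides annotations without the single-thread penalty.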
+++ b/.github/workflows/pr_rector.yml @@ -4,7 +4,8 @@ on: pull_request: merge_group: push: - branches: ["master", "main"] + branches: + - main permissions: {} @@ -16,7 +17,7 @@ jobs: steps: - uses: actions/checkout@v3 - - uses: shivammathur/setup-php@v2 + - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 with: php-version: "8.1" diff --git a/.github/workflows/pr_semgrep.yml b/.github/workflows/pr_semgrep.yml new file mode 100644 index 00000000..e8949f5b --- /dev/null +++ b/.github/workflows/pr_semgrep.yml @@ -0,0 +1,27 @@ +name: "Semgrep" + +on: + workflow_run: + workflows: ["Pull Request Changes"] + types: + - completed + +permissions: {} + +jobs: + wait: + name: "Scan" + runs-on: ubuntu-latest + + container: + image: returntocorp/semgrep + + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + github-token: ${{ secrets.GITHUB_TOKEN }} + + - run: semgrep ci + env: + SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} diff --git a/.github/workflows/pr_snyk.yml b/.github/workflows/pr_snyk.yml index 74852bdf..9aa41e40 100644 --- a/.github/workflows/pr_snyk.yml +++ b/.github/workflows/pr_snyk.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: shivammathur/setup-php@v2 + - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 with: php-version: "8.1" coverage: none @@ -29,7 +29,7 @@ jobs: - run: composer install --no-progress - - uses: snyk/actions/php@master + - uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # pin@0.4.0 continue-on-error: true env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
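Review bot: In the new pr_semgrep.yml the checkout step uses `ref: ${{ github.event.pull_request.head.sha }}`, but this workflow is triggered by `workflow_run`, whose event payload carries no `pull_request` object, so the expression expands to an empty string and checkout falls back to the default branch — the scan runs against main rather than the pull request it was meant to cover. The ref the triggering run provides is `ref: ${{ github.event.workflow_run.head_sha }}`; the job should also be gated with `if: github.event.workflow_run.conclusion == 'success'`, and since "Pull Request Changes" fires on `closed` as well (see pr_await_changes.yml), this will otherwise schedule scans for merged and abandoned PRs too. A `workflow_run` job runs with repository secrets (here SEMGREP_APP_TOKEN and GITHUB_TOKEN) even when the PR comes from a fork, so checking out the PR head here is only acceptable as long as the job never executes anything from the tree — keep it to `semgrep ci` and do not add `composer install` or script steps to this job. As in cron_semgrep.yml, `image: returntocorp/semgrep` is an unpinned tag and `actions/checkout@v3` is not SHA-pinned, and the job key `wait` no longer matches its displayed name `Scan`.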