sarif-report.yml

name: Security Checks

on:
    push:
        branches: [main] # bugfix (should be activated when the psalm baseline gets part of the bugfix branch)
    schedule: # runs every week at 00:00 on Sunday UTC time.
        -   cron: '0 0 * * 0'

permissions:
    contents: read

jobs:
    psalm-taint-sarif-report:
        name: psalm taint sarif report
        runs-on: ubuntu-latest
        timeout-minutes: 30
        permissions:
            contents: read  # for actions/checkout to fetch code
            security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results

        steps:
            -   name: Checkout
                uses: actions/checkout@v3

            -   name: Setup PHP
                uses: shivammathur/setup-php@v2
                with:
                    php-version: '8.2'
                    coverage: none # disable xdebug, pcov

            -   name: Composer install
                uses: ramsey/composer-install@v2
                with:
                    composer-options: --ansi --prefer-dist

            -   name: Create sarif report
                run: vendor/bin/psalm --report=results.sarif --use-baseline=.tools/psalm/baseline-taint.xml --taint-analysis --no-cache

            -   name: Upload Security Analysis results to GitHub
                uses: github/codeql-action/upload-sarif@v2
                with:
                    sarif_file: results.sarif