
feat: add Security Analysis workflow
prisis committed Mar 28, 2021
1 parent 19cafa1 commit c733a99
Showing 8 changed files with 107 additions and 9 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/coding-standard.yml
Expand Up @@ -27,7 +27,7 @@ jobs:
key: "coding-standard-v1" # change key (version) to clear cache
extensions: "mbstring"
ini-values: "date.timezone=Europe/Berlin, assert.exception=1, zend.assertions=1, opcache.enable=1, opcache.enable_cli=0, opcache.optimization_level=-1, opcache.jit=1255, opcache.jit_buffer_size=32M, serialize_precision=14"
tools: "composer, cs2pr"
tools: "composer:v2, cs2pr"

steps:
- name: "Git checkout"
4 changes: 2 additions & 2 deletions .github/workflows/continuous-integration.yml
Expand Up @@ -27,7 +27,7 @@ jobs:
key: "continuous-integration-linux-v1" # change key (version) to clear cache
extensions: "mbstring"
ini-values: "date.timezone=Europe/Berlin, opcache.enable_cli=0, serialize_precision=14"
tools: "composer"
tools: "composer:v2"

steps:
- name: "Git checkout"
Expand Down Expand Up @@ -128,7 +128,7 @@ jobs:
key: "continuous-integration-windows-v1" # change key (version) to clear cache
extensions: "mbstring"
ini-values: "date.timezone=Europe/Berlin, assert.exception=1, zend.assertions=1, opcache.enable=1, opcache.enable_cli=0, opcache.optimization_level=-1, opcache.jit=1255, opcache.jit_buffer_size=32M, serialize_precision=14"
tools: "composer"
tools: "composer:v2"

steps:
- name: "Git checkout"
2 changes: 1 addition & 1 deletion .github/workflows/license-update.yml
Expand Up @@ -21,7 +21,7 @@ jobs:
key: "license-update-linux-v1" # change key (version) to clear cache
extensions: "mbstring"
ini-values: "date.timezone=Europe/Berlin, assert.exception=1, zend.assertions=1, opcache.enable=1, opcache.enable_cli=0, opcache.optimization_level=-1, opcache.jit=1255, opcache.jit_buffer_size=32M, serialize_precision=14"
tools: "composer, cs2pr"
tools: "composer:v2, cs2pr"

steps:
- name: "Git checkout"
2 changes: 1 addition & 1 deletion .github/workflows/mutation.yml
Expand Up @@ -29,7 +29,7 @@ jobs:
min-msi: 100
extensions: "mbstring"
ini-values: "date.timezone=Europe/Berlin, assert.exception=1, zend.assertions=1, opcache.enable=1, opcache.enable_cli=0, opcache.optimization_level=-1, opcache.jit=1255, opcache.jit_buffer_size=32M, serialize_precision=14"
tools: "composer"
tools: "composer:v2"

steps:
- name: "Git checkout"
2 changes: 1 addition & 1 deletion .github/workflows/rector-ci.yml
Expand Up @@ -27,7 +27,7 @@ jobs:
key: "rector-ci-v1" # change key (version) to clear cache
extensions: "mbstring, intl"
ini-values: "date.timezone=Europe/Berlin, assert.exception=1, zend.assertions=1, opcache.enable=1, opcache.enable_cli=0, opcache.optimization_level=-1, opcache.jit=1255, opcache.jit_buffer_size=32M, serialize_precision=14"
tools: "composer, cs2pr"
tools: "composer:v2, cs2pr"

steps:
- name: "Git checkout"
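--- a/.github/workflows/security-analysis.yml
+++ b/.github/workflows/security-analysis.yml
@@ -0,0 +1,98 @@
+# https://help.github.com/en/categories/automating-your-workflow-with-github-actions
+
+name: "Security Analysis"
+
+on: # yamllint disable-line rule:truthy
+push:
+paths:
+- "**.php"
+- "composer.json"
+pull_request:
+paths:
+- "**.php"
+- "composer.json"
+
+jobs:
+security-analysis:
+name: "Security Analysis"
+
+runs-on: "ubuntu-latest"
+
+strategy:
+matrix:
+php-versions: ["8.0"]
+dependencies: ["locked"]
+
+env:
+key: "security-analysis-v1" # change key (version) to clear cache
+extensions: "mbstring"
+ini-values: "date.timezone=Europe/Berlin, assert.exception=1, zend.assertions=1, opcache.enable=1, opcache.enable_cli=0, opcache.optimization_level=-1, opcache.jit=1255, opcache.jit_buffer_size=32M, serialize_precision=14"
+tools: "composer:v2"
+
+steps:
+- name: "Git checkout"
+uses: "actions/checkout@v2"
+with:
+fetch-depth: 2
+env:
+GIT_COMMITTER_NAME: "GitHub Actions Shell"
+GIT_AUTHOR_NAME: "GitHub Actions Shell"
+EMAIL: "github-actions[bot]@users.noreply.github.com"
+
+- name: "Setup cache environment"
+id: "cache-env"
+uses: "shivammathur/cache-extensions@v1"
+with:
+php-version: "${{ matrix.php-versions }}"
+extensions: "${{ env.extensions }}"
+key: "${{ env.key }}"
+
+- name: "Cache extensions"
+uses: "actions/cache@v2"
+with:
+path: "${{ steps.cache-env.outputs.dir }}"
+key: "${{ steps.cache-env.outputs.key }}"
+restore-keys: "${{ steps.cache-env.outputs.key }}"
+
+- name: "Setup PHP"
+uses: "shivammathur/setup-php@v2"
+with:
+php-version: "${{ matrix.php-versions }}"
+extensions: "${{ env.extensions }}"
+ini-values: "${{ env.ini-values }}"
+tools: "${{ env.tools }}"
+coverage: "pcov"
+
+- name: "Setup Problem Matchers for PHP"
+run: "echo '::add-matcher::${{ runner.tool_cache }}/php.json'"
+
+- name: "Check PHP Version"
+run: "php -v"
+
+- name: "List all php extensions with versions"
+run: "php -r 'foreach (get_loaded_extensions() as $extension) echo $extension . \" \" . phpversion($extension) . PHP_EOL;'"
+
+- name: "Configure Container"
+env:
+GIT_USER_EMAIL: "${{ secrets.GIT_USER_EMAIL }}"
+GIT_USER_USERNAME: "${{ secrets.GIT_USER_USERNAME }}"
+run: |
+EMAIL=${GIT_USER_EMAIL:-"github-actions[bot]@users.noreply.github.com"}
+NAME=${GIT_USER_USERNAME:-"github-actions-shell"}
+git config --global user.email "${EMAIL}"
+git config --global user.name "${NAME}"
+- name: "Check Composer Version"
+run: "composer -V"
+
+- name: "Validate composer.json and composer.json"
+run: "composer validate --strict"
+
+- name: "Install dependencies with Composer"
+uses: "ramsey/composer-install@v1"
+with:
+dependency-versions: "${{ matrix.dependencies }}"
+
+- name: "running security analysis ( psalm )"
+run: "vendor/bin/psalm --output-format=github --taint-analysis"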
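Review bot: The new workflow declares no `permissions:` block, so the job's GITHUB_TOKEN receives the repository's default scope even though every step only reads the checkout and runs Psalm; a top-level `permissions:` / `  contents: read` next to `name:` makes the token least-privilege, which matters because `pull_request` also triggers this job. The five third-party actions (`actions/checkout@v2`, `shivammathur/cache-extensions@v1`, `actions/cache@v2`, `shivammathur/setup-php@v2`, `ramsey/composer-install@v1`) are referenced by mutable major-version tags, so a compromised or re-pointed tag could run arbitrary code in the job; pinning each `uses:` to a full commit SHA with the version in a trailing comment closes that supply-chain gap. The "Configure Container" step and the `GIT_COMMITTER_NAME`/`GIT_AUTHOR_NAME`/`EMAIL` env on the checkout step configure a git identity from `secrets.GIT_USER_EMAIL` and `secrets.GIT_USER_USERNAME`, but nothing in this job commits or pushes, so both look copied from the release workflows and could be dropped to keep secrets out of an analysis-only, PR-triggered job. The step name above `composer validate --strict` reads "composer.json and composer.json"; the second is presumably meant to be `composer.lock`.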
2 changes: 1 addition & 1 deletion .github/workflows/semantic-release.yml
Expand Up @@ -29,7 +29,7 @@ jobs:
key: "semantic-release-linux-v1" # change key (version) to clear cache
extensions: "mbstring"
ini-values: "date.timezone=Europe/Berlin, assert.exception=1, zend.assertions=1, opcache.enable=1, opcache.enable_cli=0, opcache.optimization_level=-1, opcache.jit=1255, opcache.jit_buffer_size=32M, serialize_precision=14"
tools: "composer"
tools: "composer:v2"

steps:
- name: "Git checkout"
4 changes: 2 additions & 2 deletions .github/workflows/static-analyze.yml
Expand Up @@ -27,7 +27,7 @@ jobs:
key: "phpstan-static-analyze-v1" # change key (version) to clear cache
extensions: "mbstring, intl"
ini-values: "date.timezone=Europe/Berlin, assert.exception=1, zend.assertions=1, opcache.enable=1, opcache.enable_cli=0, opcache.optimization_level=-1, opcache.jit=1255, opcache.jit_buffer_size=32M, serialize_precision=14"
tools: "composer, cs2pr"
tools: "composer:v2, cs2pr"

steps:
- name: "Git checkout"
Expand Down Expand Up @@ -111,7 +111,7 @@ jobs:
key: "psalm-static-analyze-v1 " # change key (version) to clear cache
extensions: "mbstring, intl"
ini-values: "date.timezone=Europe/Berlin, assert.exception=1, zend.assertions=1, opcache.enable=1, opcache.enable_cli=0, opcache.optimization_level=-1, opcache.jit=1255, opcache.jit_buffer_size=32M, serialize_precision=14"
tools: "composer"
tools: "composer:v2"

steps:
- name: "Git checkout"
