Skip to content
Security & Standards

Merge pull request #16 from infocyph/feature/improvement-25 #51

Sign in to view logs

Merge pull request #16 from infocyph/feature/improvement-25

Merge pull request #16 from infocyph/feature/improvement-25 #51

Workflow file for this run

.github/workflows/build.yml at 00b454d
name: "Security & Standards"
on:
schedule:
- cron: '0 0 * * 0'
push:
branches: [ "main", "master" ]
pull_request:
branches: [ "main", "master", "develop", "development" ]
jobs:
prepare:
name: Prepare CI matrix
runs-on: ubuntu-latest
outputs:
php_versions: ${{ steps.matrix.outputs.php_versions }}
dependency_versions: ${{ steps.matrix.outputs.dependency_versions }}
steps:
- name: Define shared matrix values
id: matrix
run: |
echo 'php_versions=["8.4","8.5"]' >> "$GITHUB_OUTPUT"
echo 'dependency_versions=["prefer-lowest","prefer-stable"]' >> "$GITHUB_OUTPUT"
run:
needs: prepare
runs-on: ${{ matrix.operating-system }}
strategy:
matrix:
operating-system: [ ubuntu-latest ]
php-versions: ${{ fromJson(needs.prepare.outputs.php_versions) }}
dependency-version: ${{ fromJson(needs.prepare.outputs.dependency_versions) }}
name: Code Analysis - PHP ${{ matrix.php-versions }} - ${{ matrix.dependency-version }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: ${{ matrix.php-versions }}
tools: composer:v2
coverage: xdebug
- name: Check PHP Version
run: php -v
- name: Validate Composer
run: composer validate --strict
- name: Resolve dependencies (${{ matrix.dependency-version }})
run: composer update --no-interaction --prefer-dist --no-progress --${{ matrix.dependency-version }}
- name: Test
run: |
composer test:syntax
composer test:code
composer test:lint
composer test:sniff
composer test:refactor
if [ "${{ matrix.dependency-version }}" != "prefer-lowest" ]; then
composer test:static
fi
if [ "${{ matrix.dependency-version }}" != "prefer-lowest" ]; then
composer test:security
fi
analyze:
needs: prepare
name: Security Analysis - PHP ${{ matrix.php-versions }}
runs-on: ubuntu-latest
strategy:
matrix:
php-versions: ${{ fromJson(needs.prepare.outputs.php_versions) }}
permissions:
security-events: write
actions: read
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: ${{ matrix.php-versions }}
tools: composer:v2
coverage: xdebug
- name: Install dependencies
run: composer install --no-interaction --prefer-dist --no-progress
- name: Composer Audit (Release Guard)
run: composer release:audit
- name: Quality Gate (PHPStan)
run: composer test:static
- name: Security Gate (Psalm)
run: composer test:security
- name: Run PHPStan (Code Scanning)
run: |
php ./vendor/bin/phpstan analyse --configuration=phpstan.neon.dist --memory-limit=1G --no-progress --error-format=json > phpstan-results.json || true
php .github/scripts/phpstan-sarif.php phpstan-results.json phpstan-results.sarif
continue-on-error: true
- name: Upload PHPStan Results
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: phpstan-results.sarif
category: "phpstan-${{ matrix.php-versions }}"
if: always() && hashFiles('phpstan-results.sarif') != ''
# Run Psalm (Deep Taint Analysis)
- name: Run Psalm Security Scan
run: |
php ./vendor/bin/psalm --config=psalm.xml --security-analysis --threads=1 --report=psalm-results.sarif || true
continue-on-error: true
- name: Upload Psalm Results
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: psalm-results.sarif
category: "psalm-${{ matrix.php-versions }}"
if: always() && hashFiles('psalm-results.sarif') != ''