diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 17760cd2..c4a656b5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,9 +1,16 @@ +name: build + on: pull_request: push: branches: [ 'master' ] -name: build +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: tests: @@ -24,10 +31,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Install PHP with extensions - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # v2 env: update: true with: @@ -36,13 +45,13 @@ jobs: coverage: xdebug - name: Install Composer dependencies - uses: ramsey/composer-install@v3 + uses: ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f # 3.2.1 - name: Run tests with PHPUnit run: vendor/bin/phpunit --colors=always --coverage-clover=coverage.xml - name: Upload coverage to Coveralls if: matrix.os == 'ubuntu-latest' - uses: coverallsapp/github-action@v2 + uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2 with: file: ./coverage.xml diff --git a/.github/workflows/code-style.yml b/.github/workflows/code-style.yml index 0b4fb5c8..4792a012 100644 --- a/.github/workflows/code-style.yml +++ b/.github/workflows/code-style.yml 
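Review bot: The pin comments on the `actions/checkout` and `shivammathur/setup-php` lines (`# v6`, `# v2`) name a moving major tag rather than the exact release the SHA was taken from, unlike `# 3.2.1` on the `ramsey/composer-install` line, so a reader cannot verify that `df4cb1c0…` is really the commit behind the tag, and Dependabot/Renovate key their updates off that comment. Record the exact tag the SHA resolves to next to each pin and use one comment format across the workflows in this change. Note that zizmor.yml in this same diff pins checkout to a different commit (`de0fac2e…`, labelled `# v6.0.2`), so the two `# v6` labels cannot both describe the same release.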
@@ -1,28 +1,37 @@ name: Code Style -on: [ pull_request ] +on: + pull_request: + +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: - php-cs-fixer: + cs: + name: PHP CS Fixer + Rector runs-on: ubuntu-latest permissions: - contents: write + contents: write # needed to push auto-fixed commits back to the PR branch steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: ref: ${{ github.head_ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} + persist-credentials: false - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # v2 with: php-version: 8.2 tools: composer:v2 coverage: none - name: Install Composer dependencies - uses: "ramsey/composer-install@v4" + uses: "ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda" # 4.0.0 - name: Run PHP CS Fixer run: composer cs-fix @@ -31,8 +40,13 @@ jobs: run: ./vendor/bin/rector --output-format=github - name: Commit changes - uses: stefanzweifel/git-auto-commit-action@v7 - with: - commit_message: "Apply PHP CS Fixer and Rector changes (CI)" - file_pattern: '*.php' - disable_globbing: true + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + HEAD_REF: ${{ github.head_ref }} + REPOSITORY: ${{ github.repository }} + run: | + git config user.name "github-actions[bot]" + git config user.email "github-actions[bot]@users.noreply.github.com" + git add '*.php' + git diff --staged --quiet || git commit -m "Apply PHP CS Fixer and Rector changes (CI)" + git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${REPOSITORY}.git" "HEAD:${HEAD_REF}" diff --git a/.github/workflows/composer-dependency-analyser.yml b/.github/workflows/composer-dependency-analyser.yml index 90fc024a..92038c4d 100644 --- a/.github/workflows/composer-dependency-analyser.yml 
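Review bot: The `cs` job checks out the PR head from `${{ github.event.pull_request.head.repo.full_name }}` (so fork branches too) and then runs `composer cs-fix` and rector, presumably tooling configured by the PR itself, while holding `contents: write`; on a `pull_request` event from a fork the GITHUB_TOKEN is read-only regardless of this grant, so the later push can only fail, and for same-repo PRs the write token is exercised by PR-supplied code. Gate the job on the head living in this repository, `if: github.event.pull_request.head.repo.full_name == github.repository`, and add a comment explaining that this is why `ref:`/`repository:` point at the head branch rather than the merge ref. If fork PRs should still get style feedback, split that into a read-only check job without the write permission. This workflow also pins `ramsey/composer-install` at `4.0.0` while the other workflows in the diff use `3.2.1`; unifying avoids auditing two majors of the same action.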
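Review bot: The push URL `https://x-access-token:${GITHUB_TOKEN}@github.com/${REPOSITORY}.git` uses `github.repository` (the base repo) while the checkout earlier in this workflow took the head from `github.event.pull_request.head.repo.full_name`, so for a fork PR this step pushes `HEAD:${HEAD_REF}` at the wrong repository — creating a stray branch in the base repo if the token ever has write there, failing otherwise. Set `REPOSITORY: ${{ github.event.pull_request.head.repo.full_name }}` or guard the step with `if: github.event.pull_request.head.repo.full_name == github.repository`. Embedding the token in the URL also places it on the `git` command line and in any error output; GitHub masks `GITHUB_TOKEN` in logs, but passing it via `git -c http.extraheader=...` or `GIT_ASKPASS` keeps it out of argv entirely. Since the step already short-circuits on `git diff --staged --quiet`, a comment such as `# push is a no-op when nothing was committed` would make the unconditional `git push` less surprising.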
+++ b/.github/workflows/composer-dependency-analyser.yml @@ -1,9 +1,16 @@ +name: Composer Dependency Analyser + on: pull_request: push: branches: [ 'master' ] -name: Composer Dependency Analyser +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: composer-require-checker: @@ -23,16 +30,18 @@ jobs: steps: - name: Checkout. - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Install PHP with extensions. - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # v2 with: php-version: ${{ matrix.php }} coverage: none - name: Install Composer dependencies - uses: ramsey/composer-install@v3 + uses: ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f # 3.2.1 - name: Check dependencies run: vendor/bin/composer-dependency-analyser diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml index 25ceac3f..ffba79dd 100644 --- a/.github/workflows/mutation.yml +++ b/.github/workflows/mutation.yml @@ -1,9 +1,16 @@ +name: mutation test + on: pull_request: push: branches: [ 'master' ] -name: mutation test +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: mutation: 
@@ -11,28 +18,32 @@ jobs: runs-on: ${{ matrix.os }} + environment: + name: ${{ github.event_name == 'push' && 'Mutation testing' || '' }} + deployment: false + strategy: matrix: - os: - - ubuntu-latest - php: - - "8.5" + os: [ubuntu-latest] + php: ["8.5"] steps: - - name: Checkout. - uses: actions/checkout@v6 + - name: Checkout + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - - name: Install PHP with extensions. - uses: shivammathur/setup-php@v2 + - name: Install PHP with extensions + uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # v2 with: php-version: "${{ matrix.php }}" ini-values: memory_limit=-1 coverage: xdebug - name: Install Composer dependencies - uses: ramsey/composer-install@v3 + uses: ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f # 3.2.1 - - name: Run infection. + - name: Run infection run: vendor/bin/infection --threads=max --ignore-msi-with-no-mutations env: - STRYKER_DASHBOARD_API_KEY: ${{ secrets.STRYKER_DASHBOARD_API_KEY }} + STRYKER_DASHBOARD_API_KEY: ${{ github.event_name == 'push' && secrets.STRYKER_DASHBOARD_API_KEY || '' }} diff --git a/.github/workflows/psalm.yml b/.github/workflows/psalm.yml index d4b844b4..a8f344b7 100644 --- a/.github/workflows/psalm.yml +++ b/.github/workflows/psalm.yml @@ -1,10 +1,17 @@ +name: static analysis + on: pull_request: push: branches: - master -name: static analysis +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: psalm: 
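Review bot: The `environment:` block and the `STRYKER_DASHBOARD_API_KEY` expression both encode the same "only on push" rule without saying why, so a later `workflow_dispatch` or tag trigger will have to be threaded through two places. Suggest a comment above `environment:`: `# Bind the 'Mutation testing' environment (which holds STRYKER_DASHBOARD_API_KEY) only on pushes to master; PR runs get no environment and therefore no dashboard key.` If the key is indeed an environment secret, the `|| ''` fallback on the env line is belt-and-braces rather than the actual control — worth stating so nobody removes the environment gating thinking the expression is sufficient. Whether infection treats an empty `STRYKER_DASHBOARD_API_KEY` as unset is not visible here; confirm it does not attempt a dashboard upload with an empty key on PR runs.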
@@ -24,17 +31,21 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Install PHP with extensions - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # v2 with: coverage: none php-version: ${{ matrix.php }} tools: composer:v2, cs2pr - name: Install Composer dependencies - uses: ramsey/composer-install@v3 + uses: ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f # 3.2.1 - name: Static analysis - run: vendor/bin/psalm --shepherd --stats --output-format=checkstyle --php-version=${{ matrix.php }} | cs2pr --graceful-warnings --colorize + env: + PHP_VERSION: ${{ matrix.php }} + run: vendor/bin/psalm --shepherd --stats --output-format=checkstyle --php-version=$PHP_VERSION | cs2pr --graceful-warnings --colorize diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..0498c97c --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,31 @@ +name: zizmor + +on: + push: + branches: [ 'master' ] + pull_request: + +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + permissions: + security-events: write # needed to upload SARIF results to GitHub Security tab + contents: read # needed to clone the repo + actions: read # needed for upload-sarif to read workflow run info + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + persona: auditor diff --git a/Makefile b/Makefile index 4feb02e0..061b2acd 100644 --- a/Makefile +++ b/Makefile 
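Review bot: The `Static analysis` step pipes psalm into `cs2pr` without `pipefail`; with no explicit `shell:` GitHub runs the script as `bash -e`, so if psalm crashes or exits non-zero before emitting checkstyle output, cs2pr sees empty input, exits 0 and the job passes. Add `shell: bash` to the step (GitHub then invokes `bash --noprofile --norc -eo pipefail`) or prefix the command with `set -o pipefail;`. Moving `matrix.php` into `PHP_VERSION` is the right shape for avoiding expression injection; quoting it as `--php-version="$PHP_VERSION"` would round that off.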
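Review bot: This new workflow pins `actions/checkout` to `de0fac2e…` (`# v6.0.2`) while every other workflow in this change pins it to `df4cb1c0…` (`# v6`); two commits under the same major tag in one repository means two revisions to audit and to keep updated. Pick one SHA for checkout repo-wide, annotate it with the exact tag, and let Dependabot/Renovate move them together. Separately, the `security-events: write` grant is honoured on pushes and same-repo PRs only — on fork PRs the token is read-only — so a comment next to it such as `# not granted on fork PRs; SARIF upload is expected to be skipped there` would save the next reader a debugging round; whether zizmor-action tolerates that case is not visible here.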
@@ -1,12 +1,20 @@ .DEFAULT_GOAL := help +zizmor: ARGS ?= --persona auditor --color always +zizmor: ## Run zizmor security audit (1.25.2) + docker run \ + --volume .:/project:ro \ + --rm \ + ghcr.io/zizmorcore/zizmor@sha256:14ea7f5cc7c67933394a35b5a38a277397818d232602635edb2010b313afb110 \ + $(ARGS) /project + scaffolder: ## Run scaffolder docker run \ --volume .:/project \ --user $(shell id -u):$(shell id -g) \ --interactive --tty --rm --init \ - ghcr.io/phptg/scaffolder:latest \ - $(RUN_ARGS) + ghcr.io/phptg/scaffolder@sha256:29ce3c9aa63e4ae93bffccec1c80cf46701ebc7c70d6469a3f39e2cbb6885154 \ + $(ARGS) # Output the help for each task, see https://marmelab.com/blog/2016/02/29/auto-documented-makefile.html help: ## This help.
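Review bot: Renaming the scaffolder target's variable from `RUN_ARGS` to `ARGS` changes the documented invocation (`make scaffolder RUN_ARGS=...` now silently passes nothing) and is unrelated to the zizmor addition. Either keep compatibility with a target-specific `scaffolder: ARGS ?= $(RUN_ARGS)`, or call the rename out in the commit message and any README that mentions it. For the new `zizmor` target, the help text hard-codes `(1.25.2)` while the image is selected by digest; add `# zizmor 1.25.2 — bump the digest and this version together` above the target so they don't drift, and note that the `zizmor-action` used in CI ships its own zizmor build, so local and CI findings may differ.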