From d11c505e62f70cef5553cb88c0774f869c4d5b1f Mon Sep 17 00:00:00 2001 
From: Evan Sims Date: Fri, 25 Aug 2023 01:32:07 -0500 Subject: [PATCH] Update workflows --- .github/actions/setup/action.yml | 40 +++++ .github/dependabot.yml | 6 + .github/workflows/common.checks.create.yml | 59 ------- .github/workflows/common.pr-details.get.yml | 40 ----- .github/workflows/common.pr-details.save.yml | 34 ---- ...equest.edited.run-conventional-commits.yml | 30 ---- .../workflows/common.pull-request.edited.yml | 27 --- .../common.pull-request.labeled.vetted.yml | 28 ---- .../workflows/common.pull-request.labeled.yml | 26 --- .../common.pull-request.modified.unvet.yml | 47 ------ .../common.pull-request.modified.yml | 29 ---- .../common.pull-request.run-checks.yml | 23 --- ...common.pull-request.unlabeled.unvetted.yml | 28 ---- .../common.pull-request.unlabeled.yml | 26 --- .github/workflows/matrix.json | 7 + .../workflows/merged.composer.normalize.yml | 31 ---- .../workflows/merged.composer.validate.yml | 27 --- .github/workflows/merged.pest.yml | 39 ----- .github/workflows/merged.phpcsf.yml | 33 ---- .github/workflows/merged.phpstan.yml | 33 ---- .github/workflows/merged.psalm.yml | 33 ---- .github/workflows/merged.rector.yml | 33 ---- .github/workflows/merged.semgrep.yml | 34 ---- .github/workflows/merged.snyk.yml | 42 ----- .github/workflows/pull-request.checks.yml | 74 --------- .../pull-request.composer.normalize.yml | 80 --------- .../pull-request.composer.validate.yml | 76 --------- .github/workflows/pull-request.pest.yml | 83 ---------- .github/workflows/pull-request.phpcsf.yml | 78 --------- .github/workflows/pull-request.phpstan.yml | 78 --------- .github/workflows/pull-request.psalm.yml | 78 --------- .github/workflows/pull-request.rector.yml | 76 --------- .github/workflows/pull-request.semgrep.yml | 71 -------- .github/workflows/pull-request.snyk.yml | 79 --------- .github/workflows/semgrep.yml | 47 ++++++ .github/workflows/snyk.yml | 45 +++++ .github/workflows/tests.yml | 156 ++++++++++++++++++ 37 files changed, 301 insertions(+), 
1475 deletions(-) create mode 100644 .github/actions/setup/action.yml create mode 100644 .github/dependabot.yml delete mode 100644 .github/workflows/common.checks.create.yml delete mode 100644 .github/workflows/common.pr-details.get.yml delete mode 100644 .github/workflows/common.pr-details.save.yml delete mode 100644 .github/workflows/common.pull-request.edited.run-conventional-commits.yml delete mode 100644 .github/workflows/common.pull-request.edited.yml delete mode 100644 .github/workflows/common.pull-request.labeled.vetted.yml delete mode 100644 .github/workflows/common.pull-request.labeled.yml delete mode 100644 .github/workflows/common.pull-request.modified.unvet.yml delete mode 100644 .github/workflows/common.pull-request.modified.yml delete mode 100644 .github/workflows/common.pull-request.run-checks.yml delete mode 100644 .github/workflows/common.pull-request.unlabeled.unvetted.yml delete mode 100644 .github/workflows/common.pull-request.unlabeled.yml create mode 100644 .github/workflows/matrix.json delete mode 100644 .github/workflows/merged.composer.normalize.yml delete mode 100644 .github/workflows/merged.composer.validate.yml delete mode 100644 .github/workflows/merged.pest.yml delete mode 100644 .github/workflows/merged.phpcsf.yml delete mode 100644 .github/workflows/merged.phpstan.yml delete mode 100644 .github/workflows/merged.psalm.yml delete mode 100644 .github/workflows/merged.rector.yml delete mode 100644 .github/workflows/merged.semgrep.yml delete mode 100644 .github/workflows/merged.snyk.yml delete mode 100644 .github/workflows/pull-request.checks.yml delete mode 100644 .github/workflows/pull-request.composer.normalize.yml delete mode 100644 .github/workflows/pull-request.composer.validate.yml delete mode 100644 .github/workflows/pull-request.pest.yml delete mode 100644 .github/workflows/pull-request.phpcsf.yml delete mode 100644 .github/workflows/pull-request.phpstan.yml delete mode 100644 .github/workflows/pull-request.psalm.yml delete mode 
100644 .github/workflows/pull-request.rector.yml delete mode 100644 .github/workflows/pull-request.semgrep.yml delete mode 100644 .github/workflows/pull-request.snyk.yml create mode 100644 .github/workflows/semgrep.yml create mode 100644 .github/workflows/snyk.yml create mode 100644 .github/workflows/tests.yml diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml new file mode 100644 index 00000000..fb6da93e --- /dev/null +++ b/.github/actions/setup/action.yml @@ -0,0 +1,40 @@ +name: Prepare PHP +description: Prepare the PHP environment + +inputs: + php: + description: The PHP version to use + required: true + coverage: + description: The coverage extension to use + required: false + default: 'none' + extensions: + description: The PHP extensions to use + required: false + default: 'none, mbstring' + +runs: + using: composite + + steps: + - name: Setup PHP + uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 + with: + php-version: ${{ input.php }} + extensions: ${{ input.extensions }} + coverage: ${{ input.coverage }} + + - name: Get Composer cache directory + id: composer-cache + run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT + + - name: Cache dependencies + uses: actions/cache@v3 + with: + path: ${{ steps.composer-cache.outputs.dir }} + key: ${{ runner.os }}-composer-${{ input.php }}-${{ hashFiles('**/composer.lock') }} + restore-keys: ${{ runner.os }}-composer-${{ input.php }}- + + - name: Install dependencies + run: composer install --prefer-dist --no-progress diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..12301490 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,6 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" diff --git a/.github/workflows/common.checks.create.yml b/.github/workflows/common.checks.create.yml deleted file mode 100644 index d34dad83..00000000 
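Review bot: Every `${{ input.php }}`, `${{ input.extensions }}` and `${{ input.coverage }}` reference in the new composite action names a context that does not exist — an action's own inputs are exposed as `inputs.*` — so the Setup PHP step and the cache key/restore-keys would fail to evaluate on first use. The two `run:` steps also lack the `shell:` key that composite-action run steps require, which is a second parse-time failure. Pinning is inconsistent as well: `shivammathur/setup-php` is pinned to a commit SHA with a `# pin@2.25.4` comment, while `actions/cache@v3` is a mutable tag; since this patch enables Dependabot for `github-actions`, a SHA pin with a version comment would keep being bumped automatically, so the cache action should be pinned the same way. The rewritten steps below fix the context name and add `shell: bash`; the cache pin is left as a TODO rather than an invented SHA.

```yaml
  steps:
    - name: Setup PHP
      uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4
      with:
        php-version: ${{ inputs.php }}
        extensions: ${{ inputs.extensions }}
        coverage: ${{ inputs.coverage }}

    - name: Get Composer cache directory
      id: composer-cache
      shell: bash
      run: echo "dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT"

    - name: Cache dependencies
      # TODO(review): pin to a full commit SHA with a "# pin@vX.Y.Z" comment, as setup-php above
      uses: actions/cache@v3
      with:
        path: ${{ steps.composer-cache.outputs.dir }}
        key: ${{ runner.os }}-composer-${{ inputs.php }}-${{ hashFiles('**/composer.lock') }}
        restore-keys: ${{ runner.os }}-composer-${{ inputs.php }}-

    - name: Install dependencies
      shell: bash
      run: composer install --prefer-dist --no-progress
```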
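Review bot: The new Dependabot config watches only the `github-actions` ecosystem, so the Composer dependency tree that the setup action installs from `composer.lock` gets no automated vulnerability or version updates from this file. A vulnerable PHP package would then surface only through the Snyk workflow this patch also adds (its contents are outside this chunk, so whether it runs on pull requests cannot be confirmed here). Adding a second entry for the `composer` ecosystem closes that gap and keeps both supply-chain surfaces on the same update cadence.

```yaml
version: 2
updates:
  # … unchanged: github-actions entry …
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "daily"
```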
--- a/.github/workflows/common.checks.create.yml +++ /dev/null @@ -1,59 +0,0 @@ -name: "Create a Check" - -on: - workflow_call: - inputs: - name: - description: "The name of the check" - required: true - type: string - status: - description: "the status of the check `queued`, `in_progress` or `completed`" - required: true - type: string - title: - description: "the title to put on the check panel" - required: true - type: string - summary: - description: "The summary of the check runs current result" - required: true - type: string - details: - description: "The details for the check" - required: false - type: string - outputs: - check_run_id: - description: "contains the check run id of the check created " - value: ${{ jobs.check.outputs.result }} - -jobs: - check: - name: "Prepare" - runs-on: ubuntu-latest - - outputs: - result: ${{ steps.create.outputs }} - - steps: - - uses: actions/github-script@v6 - id: create - with: - return-encoding: string - script: | - let body = { - owner: process.env.GITHUB_REPOSITORY.split('/')[0], - repo: process.env.GITHUB_REPOSITORY.split('/')[1], - name: ${{ inputs.name || github.event.repository.name }}, - head_sha: process.env.GITHUB_SHA, - status: ${{ inputs.status }}, - output: { - title: ${{ inputs.title }}, - summary: ${{ inputs.summary }}, - text: ${{ inputs.details }} - } - }; - - const check = await github.rest.checks.create(body); - return check.data.id diff --git a/.github/workflows/common.pr-details.get.yml b/.github/workflows/common.pr-details.get.yml deleted file mode 100644 index 96821018..00000000 --- a/.github/workflows/common.pr-details.get.yml +++ /dev/null 
@@ -1,40 +0,0 @@ -name: Retrieve Pull Request Details - -on: - workflow_call: - outputs: - number: - value: ${{ jobs.get.outputs.number }} - sha: - value: ${{ jobs.get.outputs.sha }} - -jobs: - get: - name: "Prepare" - runs-on: ubuntu-latest - - outputs: - number: ${{ steps.details.outputs.number }} - sha: ${{ steps.details.outputs.sha }} - - steps: - - uses: actions/checkout@v3 - - - run: | - RUN_ID=`gh run list --workflow "Pull Request / Modified" --json databaseId --jq .[0].databaseId` - gh run download ${RUN_ID} -n pr_details - env: - GH_TOKEN: ${{ github.token }} - - - id: details - uses: actions/github-script@v6 - with: - script: | - let fs = require('fs'); - let number = fs.readFileSync('./number').toString('utf8'); - let sha = fs.readFileSync('./sha').toString('utf8'); - - core.setOutput('number', number.replace(/\r|\n/g, '')); - core.setOutput('sha', sha.replace(/\r|\n/g, '')); - - - run: exit 0 diff --git a/.github/workflows/common.pr-details.save.yml b/.github/workflows/common.pr-details.save.yml deleted file mode 100644 index a459aab4..00000000 --- a/.github/workflows/common.pr-details.save.yml +++ /dev/null @@ -1,34 +0,0 @@ -name: Save Pull Request Details - -on: - workflow_call: - inputs: - number: - required: true - type: number - sha: - required: true - type: string - -jobs: - save: - name: "Prepare" - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - - env: - PR_NUMBER: ${{ github.event.number }} - PR_SHA: ${{ github.sha }} - run: | - mkdir -p ./pr - echo $PR_NUMBER > ./pr/number - echo $PR_SHA > ./pr/sha - - - uses: actions/upload-artifact@v3 - with: - name: pr_details - path: pr/ - - - run: exit 0 diff --git a/.github/workflows/common.pull-request.edited.run-conventional-commits.yml b/.github/workflows/common.pull-request.edited.run-conventional-commits.yml deleted file mode 100644 index fcaf2153..00000000 --- a/.github/workflows/common.pull-request.edited.run-conventional-commits.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -name: "Pull Request / Edited: Conventional Commits" - -on: - workflow_run: - workflows: - - "Pull Request / Edited" - types: - - completed - -permissions: - pull-requests: read - -concurrency: - group: "common.pull-request.edited.run-conventional-commits-${{ github.ref }}" - cancel-in-progress: true - -jobs: - check: - name: "Run" - runs-on: ubuntu-latest - - steps: - # Dependabot. Success. - - if: ${{ github.actor == 'dependabot[bot]' }} - run: exit 0 - - - if: ${{ github.event.workflow_run.conclusion == 'success' }} - uses: amannn/action-semantic-pull-request@c3cd5d1ea3580753008872425915e343e351ab54 # pin@5.2.0 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/common.pull-request.edited.yml b/.github/workflows/common.pull-request.edited.yml deleted file mode 100644 index d6498376..00000000 --- a/.github/workflows/common.pull-request.edited.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: "Pull Request / Edited" - -# ----------------------------------------------------------------------------- -# -# Fired when a pull request title or body is edited. -# -# ----------------------------------------------------------------------------- - -on: - pull_request: - types: - - opened - - edited - -permissions: {} - -concurrency: - group: "common.pull-request.edited-${{ github.ref }}" - cancel-in-progress: true - -jobs: - check: - name: "Trigger" - uses: "./.github/workflows/common.pr-details.save.yml" - with: - number: ${{ github.event.number }} - sha: ${{ github.sha }} diff --git a/.github/workflows/common.pull-request.labeled.vetted.yml b/.github/workflows/common.pull-request.labeled.vetted.yml deleted file mode 100644 index 2dba1efb..00000000 --- a/.github/workflows/common.pull-request.labeled.vetted.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -name: "Pull Request / Labeled: Vetted" - -on: - workflow_run: - workflows: - - "Pull Request / Labeled" - types: - - completed - -permissions: {} - -concurrency: - group: "common.pull-request.labeled.vetted-${{ github.ref }}" - cancel-in-progress: true - -jobs: - check: - name: "Run" - runs-on: ubuntu-latest - - steps: - # Dependabot. Success. - - if: ${{ github.actor == 'dependabot[bot]' }} - run: exit 0 - - # Is receiving the 'Vetted' label. Success. - - if: ${{ github.event.label.name == 'Vetted' }} - run: exit 0 diff --git a/.github/workflows/common.pull-request.labeled.yml b/.github/workflows/common.pull-request.labeled.yml deleted file mode 100644 index 44dcb927..00000000 --- a/.github/workflows/common.pull-request.labeled.yml +++ /dev/null @@ -1,26 +0,0 @@ -name: "Pull Request / Labeled" - -# ----------------------------------------------------------------------------- -# -# Fired when a pull request is labeled. -# -# ----------------------------------------------------------------------------- - -on: - pull_request: - types: - - labeled - -permissions: {} - -concurrency: - group: "common.pull-request.labeled-${{ github.ref }}" - cancel-in-progress: true - -jobs: - check: - name: "Trigger" - uses: "./.github/workflows/common.pr-details.save.yml" - with: - number: ${{ github.event.number }} - sha: ${{ github.sha }} diff --git a/.github/workflows/common.pull-request.modified.unvet.yml b/.github/workflows/common.pull-request.modified.unvet.yml deleted file mode 100644 index 940e130b..00000000 --- a/.github/workflows/common.pull-request.modified.unvet.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -name: "Pull Request / Modified: Unvet" - -on: - workflow_run: - workflows: - - "Pull Request / Modified" - types: - - completed - -permissions: - contents: read - issues: write - pull-requests: write - -concurrency: - group: "common.pull-request.modified.unvet-${{ github.ref }}" - cancel-in-progress: true - -jobs: - pull-request: - name: "Details" - uses: "./.github/workflows/common.pr-details.get.yml" - - check: - needs: pull-request - - name: "Run" - runs-on: ubuntu-latest - - steps: - - if: ${{ github.actor == 'dependabot[bot]' }} - run: exit 0 - - - if: ${{ contains(github.event.pull_request.labels.*.name, 'Vetted') }} - run: exit 0 - - - uses: actions/checkout@v3 - - - uses: actions/github-script@v6 - with: - script: | - github.rest.issues.removeLabel({ - issue_number: '${{ needs.pull-request.outputs.number }}', - owner: context.repo.owner, - repo: context.repo.repo, - name: ["Vetted"] - }).catch(error => core.setFailed(error.message)) diff --git a/.github/workflows/common.pull-request.modified.yml b/.github/workflows/common.pull-request.modified.yml deleted file mode 100644 index 4b77d8fd..00000000 --- a/.github/workflows/common.pull-request.modified.yml +++ /dev/null @@ -1,29 +0,0 @@ -name: "Pull Request / Modified" - -# ----------------------------------------------------------------------------- -# -# Fired when a pull request's head branch is updated. -# -# ----------------------------------------------------------------------------- - -on: - pull_request: - types: - - opened - - synchronize - - closed - - reopened - -permissions: {} - -concurrency: - group: "common.pull-request.modified-${{ github.ref }}" - cancel-in-progress: true - -jobs: - check: - name: "Trigger" - uses: "./.github/workflows/common.pr-details.save.yml" - with: - number: ${{ github.event.number }} - sha: ${{ github.sha }} 
diff --git a/.github/workflows/common.pull-request.run-checks.yml b/.github/workflows/common.pull-request.run-checks.yml deleted file mode 100644 index ca0951cf..00000000 --- a/.github/workflows/common.pull-request.run-checks.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: "Pull Request / Run Checks" - -on: - workflow_run: - workflows: - - "Pull Request / Labeled: Vetted" - types: - - completed - -permissions: - checks: write - -concurrency: - group: "common.pull-request.run-checks-${{ github.ref }}" - cancel-in-progress: true - -jobs: - check: - name: "Run" - runs-on: ubuntu-latest - - steps: - - run: exit 0 diff --git a/.github/workflows/common.pull-request.unlabeled.unvetted.yml b/.github/workflows/common.pull-request.unlabeled.unvetted.yml deleted file mode 100644 index e314ee0f..00000000 --- a/.github/workflows/common.pull-request.unlabeled.unvetted.yml +++ /dev/null @@ -1,28 +0,0 @@ -name: "Pull Request / Unlabelled: Unvetted" - -on: - workflow_run: - workflows: - - "Pull Request / Unlabelled" - types: - - completed - -permissions: {} - -concurrency: - group: "common.pull-request.unlabeled.unvetted-${{ github.ref }}" - cancel-in-progress: true - -jobs: - check: - name: "Maintainer Approval" - runs-on: ubuntu-latest - - steps: - # Dependabot. Success. - - if: ${{ github.actor == 'dependabot[bot]' }} - run: exit 0 - - # Is having the 'Vetted' label removed. Success. - - if: ${{ github.event.label.name == 'Vetted' }} - run: exit 0 diff --git a/.github/workflows/common.pull-request.unlabeled.yml b/.github/workflows/common.pull-request.unlabeled.yml deleted file mode 100644 index 384adba5..00000000 --- a/.github/workflows/common.pull-request.unlabeled.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -name: "Pull Request / Unlabelled" - -# ----------------------------------------------------------------------------- -# -# Fired when a pull request is labeled. -# -# ----------------------------------------------------------------------------- - -on: - pull_request: - types: - - unlabeled - -permissions: {} - -concurrency: - group: "common.pull-request.unlabeled-${{ github.ref }}" - cancel-in-progress: true - -jobs: - check: - name: "Trigger" - uses: "./.github/workflows/common.pr-details.save.yml" - with: - number: ${{ github.event.number }} - sha: ${{ github.sha }} diff --git a/.github/workflows/matrix.json b/.github/workflows/matrix.json new file mode 100644 index 00000000..b27baa53 --- /dev/null +++ b/.github/workflows/matrix.json @@ -0,0 +1,7 @@ +{ + "include": [ + { "php": "8.0" }, + { "php": "8.1" }, + { "php": "8.2" } + ] +} diff --git a/.github/workflows/merged.composer.normalize.yml b/.github/workflows/merged.composer.normalize.yml deleted file mode 100644 index 087c66c7..00000000 --- a/.github/workflows/merged.composer.normalize.yml +++ /dev/null @@ -1,31 +0,0 @@ -name: "CI" -run-name: "Composer Normalize" - -# This workflow will run after a merge to the main branch from a pull request. - -on: - merge_group: - push: - branches: - - main - -permissions: - contents: read - -concurrency: - group: "merged.composer.normalize-${{ github.ref }}" - cancel-in-progress: true - -jobs: - normalize: - name: "Composer Normalize" - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - - run: composer require --dev ergebnis/composer-normalize - - - run: composer config allow-plugins.ergebnis/composer-normalize true - - - run: composer normalize diff --git a/.github/workflows/merged.composer.validate.yml b/.github/workflows/merged.composer.validate.yml deleted file mode 100644 index b69fa20d..00000000 --- a/.github/workflows/merged.composer.validate.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -name: "CI" -run-name: "Composer Validate" - -# This workflow will run after a merge to the main branch from a pull request. - -on: - merge_group: - push: - branches: - - main - -permissions: - contents: read - -concurrency: - group: "merged.composer.validate-${{ github.ref }}" - cancel-in-progress: true - -jobs: - validate: - name: "Composer Validate" - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - - run: composer validate diff --git a/.github/workflows/merged.pest.yml b/.github/workflows/merged.pest.yml deleted file mode 100644 index 16ea36a7..00000000 --- a/.github/workflows/merged.pest.yml +++ /dev/null @@ -1,39 +0,0 @@ -name: "CI" -run-name: "PEST" - -# This workflow will run after a merge to the main branch from a pull request. - -on: - merge_group: - push: - branches: - - main - -permissions: - contents: read - -concurrency: - group: "merged.pest-${{ github.ref }}" - cancel-in-progress: true - -jobs: - pest: - name: "PEST" - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 - with: - php-version: ${{ env.PHP_VERSION }} - coverage: pcov - - - run: composer install --no-progress - - - run: vendor/bin/pest --order-by random --fail-on-risky --stop-on-defect --coverage --parallel - - - uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # pin@3.1.4 - with: - directory: ./coverage/ - flags: unittests diff --git a/.github/workflows/merged.phpcsf.yml b/.github/workflows/merged.phpcsf.yml deleted file mode 100644 index 6a734907..00000000 --- a/.github/workflows/merged.phpcsf.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -name: "CI" -run-name: "PHP CS Fixer" - -# This workflow will run after a merge to the main branch from a pull request. - -on: - merge_group: - push: - branches: - - main - -permissions: - contents: read - -concurrency: - group: "merged.phpcsf-${{ github.ref }}" - cancel-in-progress: true - -jobs: - phpcsf: - name: "PHP CS Fixer" - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 - with: - php-version: ${{ env.PHP_VERSION }} - - - run: composer install --no-progress - - - run: vendor/bin/php-cs-fixer fix src --dry-run --diff diff --git a/.github/workflows/merged.phpstan.yml b/.github/workflows/merged.phpstan.yml deleted file mode 100644 index 2fd5a0a5..00000000 --- a/.github/workflows/merged.phpstan.yml +++ /dev/null @@ -1,33 +0,0 @@ -name: "CI" -run-name: "PHPStan" - -# This workflow will run after a merge to the main branch from a pull request. - -on: - merge_group: - push: - branches: - - main - -permissions: - contents: read - -concurrency: - group: "merged.phpstan-${{ github.ref }}" - cancel-in-progress: true - -jobs: - phpstan: - name: "PHPStan" - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 - with: - php-version: ${{ env.PHP_VERSION }} - - - run: composer install --no-progress - - - run: vendor/bin/phpstan analyze --no-ansi --no-progress --debug diff --git a/.github/workflows/merged.psalm.yml b/.github/workflows/merged.psalm.yml deleted file mode 100644 index 06c34d92..00000000 --- a/.github/workflows/merged.psalm.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -name: "CI" -run-name: "Psalm" - -# This workflow will run after a merge to the main branch from a pull request. - -on: - merge_group: - push: - branches: - - main - -permissions: - contents: read - -concurrency: - group: "merged.psalm-${{ github.ref }}" - cancel-in-progress: true - -jobs: - psalm: - name: "Psalm" - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 - with: - php-version: ${{ env.PHP_VERSION }} - - - run: composer install --no-progress - - - run: vendor/bin/psalm diff --git a/.github/workflows/merged.rector.yml b/.github/workflows/merged.rector.yml deleted file mode 100644 index b7fbd226..00000000 --- a/.github/workflows/merged.rector.yml +++ /dev/null @@ -1,33 +0,0 @@ -name: "CI" -run-name: "Rector" - -# This workflow will run after a merge to the main branch from a pull request. - -on: - merge_group: - push: - branches: - - main - -permissions: - contents: read - -concurrency: - group: "merged.rector-${{ github.ref }}" - cancel-in-progress: true - -jobs: - rector: - name: "Rector" - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 - with: - php-version: ${{ env.PHP_VERSION }} - - - run: composer install --no-progress - - - run: vendor/bin/rector process --dry-run diff --git a/.github/workflows/merged.semgrep.yml b/.github/workflows/merged.semgrep.yml deleted file mode 100644 index 54d5f890..00000000 --- a/.github/workflows/merged.semgrep.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -name: "CI" -run-name: "Semgrep" - -# This workflow will run after a merge to the main branch from a pull request, and as a scheduled job. - -on: - merge_group: - push: - branches: - - main - schedule: - - cron: "30 0 1,15 * *" - -permissions: - contents: read - -concurrency: - group: "merged.semgrep-${{ github.ref }}" - cancel-in-progress: true - -jobs: - semgrep: - name: "Semgrep" - runs-on: ubuntu-latest - - container: - image: returntocorp/semgrep - - steps: - - uses: actions/checkout@v3 - - - run: semgrep ci - env: - SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} diff --git a/.github/workflows/merged.snyk.yml b/.github/workflows/merged.snyk.yml deleted file mode 100644 index 612e6884..00000000 --- a/.github/workflows/merged.snyk.yml +++ /dev/null @@ -1,42 +0,0 @@ -name: "CI" -run-name: "Snyk" - -# This workflow will run after a merge to the main branch from a pull request, and as a scheduled job. - -on: - merge_group: - push: - branches: - - main - schedule: - - cron: "30 0 1,15 * *" - -permissions: - contents: read - -concurrency: - group: "merged.snyk-${{ github.ref }}" - cancel-in-progress: true - -jobs: - snyk: - name: "Snyk" - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 - with: - php-version: ${{ env.PHP_VERSION }} - coverage: none - extensions: mbstring - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - run: composer install --no-progress - - - uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # pin@0.4.0 - continue-on-error: true - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} diff --git a/.github/workflows/pull-request.checks.yml b/.github/workflows/pull-request.checks.yml deleted file mode 100644 index 7d994df3..00000000 --- a/.github/workflows/pull-request.checks.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -name: "Pull Request CI / Status" - -on: - workflow_run: - workflows: - - "pull-request.composer.normalize.yml" - - "pull-request.composer.validate.yml" - - "pull-request.pest.yml" - - "pull-request.phpstan.yml" - - "pull-request.psalm.yml" - - "pull-request.rector.yml" - - "pull-request.semgrep.yml" - - "pull-request.snyk.yml" - types: - - completed - -permissions: - contents: read - checks: write - -concurrency: - group: "pull-request.checks-${{ github.ref }}" - cancel-in-progress: true - -jobs: - pull-request: - name: "Details" - uses: "./.github/workflows/common.pr-details.get.yml" - - check: - needs: pull-request - - name: "Passed" - runs-on: ubuntu-latest - - steps: - - id: request-status - uses: octokit/graphql-action@v2.x - with: - query: | - query status($owner: String!, $repo: String!, $pull_number: Int!) { - repository(owner: $owner, name:$repo) { - pullRequest(number:$pull_number) { - commits(last: 1) { - nodes { - commit { - statusCheckRollup { - state - } - } - } - } - } - } - } - owner: ${{ github.event.repository.owner.name }} - repo: ${{ github.event.repository.name }} - pull_number: ${{ github.event.repository.name }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - id: extract-status - uses: actions/github-script@v6 - with: - script: | - const [{ commit: lastCommit }] = ${{ steps.request-status.outputs.data }} - return lastCommit.statusCheckRollup.state === "SUCCESS" - - - id: report-failure - if: ${{ !steps.extract-status.outputs.result }} - run: exit 1 - - - id: report-success - run: exit 0 diff --git a/.github/workflows/pull-request.composer.normalize.yml b/.github/workflows/pull-request.composer.normalize.yml deleted file mode 100644 index a0cfc2a9..00000000 --- a/.github/workflows/pull-request.composer.normalize.yml +++ /dev/null 
@@ -1,80 +0,0 @@ -name: "Pull Request CI / Composer Normalize" - -# This workflow will run after a pull request is opened or updated, assuming the pull request is labeled with "Vetted". - -on: - workflow_run: - workflows: - - "Pull Request / Run Checks" - types: - - completed - -permissions: - contents: read - checks: write - -concurrency: - group: "pull-request.composer.normalize-${{ github.ref }}" - cancel-in-progress: true - -jobs: - pull-request: - name: "Details" - uses: "./.github/workflows/common.pr-details.get.yml" - - normalize: - needs: pull-request - - name: "Composer Normalize" - runs-on: ubuntu-latest - - if: ${{ github.event.workflow_run.conclusion == 'success' }} - - steps: - - id: create-check - uses: actions/github-script@v6 - with: - result-encoding: string - script: | - const check = await github.rest.checks.create({ - owner: context.repo.owner, - repo: context.repo.repo, - head_sha: '${{ needs.pull-request.outputs.sha }}', - name: "Composer Normalize", - status: "in_progress" - }) - return check.data.id - - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - github-token: ${{ secrets.GITHUB_TOKEN }} - - - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 - with: - php-version: ${{ env.PHP_VERSION }} - coverage: pcov - extensions: mbstring - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - run: composer require --dev ergebnis/composer-normalize - - - run: composer config allow-plugins.ergebnis/composer-normalize true - - - run: composer normalize - - - uses: actions/github-script@v6 - env: - parameter_url: "${{ github.event.workflow_run.html_url }}" - with: - script: | - await github.rest.checks.update({ - owner: context.repo.owner, - repo: context.repo.repo, - check_run_id: '${{steps.create-check.outputs.result}}', - name: "Composer Normalize", - status: "completed", - conclusion: "${{ github.event.workflow_run.conclusion }}", - details_url: process.env.parameter_url - }); 
diff --git a/.github/workflows/pull-request.composer.validate.yml b/.github/workflows/pull-request.composer.validate.yml deleted file mode 100644 index 40669fa6..00000000 --- a/.github/workflows/pull-request.composer.validate.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -name: "Pull Request CI / Composer Validate" - -# This workflow will run after a pull request is opened or updated, assuming the pull request is labeled with "Vetted". - -on: - workflow_run: - workflows: - - "Pull Request / Run Checks" - types: - - completed - -permissions: - contents: read - checks: write - -concurrency: - group: "pull-request.composer.validate-${{ github.ref }}" - cancel-in-progress: true - -jobs: - pull-request: - name: "Details" - uses: "./.github/workflows/common.pr-details.get.yml" - - validate: - needs: pull-request - - name: "Composer Validate" - runs-on: ubuntu-latest - - if: ${{ github.event.workflow_run.conclusion == 'success' }} - - steps: - - id: create-check - uses: actions/github-script@v6 - with: - result-encoding: string - script: | - const check = await github.rest.checks.create({ - owner: context.repo.owner, - repo: context.repo.repo, - head_sha: '${{ needs.pull-request.outputs.sha }}', - name: "Composer Validate", - status: "in_progress" - }) - return check.data.id - - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - github-token: ${{ secrets.GITHUB_TOKEN }} - - - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 - with: - php-version: ${{ env.PHP_VERSION }} - coverage: pcov - extensions: mbstring - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - run: composer validate - - - uses: actions/github-script@v6 - env: - parameter_url: "${{ github.event.workflow_run.html_url }}" - with: - script: | - await github.rest.checks.update({ - owner: context.repo.owner, - repo: context.repo.repo, - check_run_id: '${{steps.create-check.outputs.result}}', - name: "Composer Validate", - status: "completed", - conclusion: "${{ github.event.workflow_run.conclusion }}", - details_url: process.env.parameter_url - }); 
diff --git a/.github/workflows/pull-request.pest.yml b/.github/workflows/pull-request.pest.yml deleted file mode 100644 index b4e99d3e..00000000 --- a/.github/workflows/pull-request.pest.yml +++ /dev/null 
@@ -1,83 +0,0 @@ -name: "Pull Request CI / PEST" - -# This workflow will run after a pull request is opened or updated, assuming the pull request is labeled with "Vetted". - -on: - workflow_run: - workflows: - - "Pull Request / Run Checks" - types: - - completed - -permissions: - contents: read - checks: write - -concurrency: - group: "pull-request.pest-${{ github.ref }}" - cancel-in-progress: true - -jobs: - pull-request: - name: "Details" - uses: "./.github/workflows/common.pr-details.get.yml" - - pest: - needs: pull-request - - name: "PEST" - runs-on: ubuntu-latest - - if: ${{ github.event.workflow_run.conclusion == 'success' }} - - steps: - - id: create-check - uses: actions/github-script@v6 - with: - result-encoding: string - script: | - const check = await github.rest.checks.create({ - owner: context.repo.owner, - repo: context.repo.repo, - head_sha: '${{ needs.pull-request.outputs.sha }}', - name: "PEST", - status: "in_progress" - }) - return check.data.id - - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - github-token: ${{ secrets.GITHUB_TOKEN }} - - - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 - with: - php-version: ${{ env.PHP_VERSION }} - coverage: pcov - extensions: mbstring - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - run: composer install --no-progress - - - run: vendor/bin/pest --order-by random --fail-on-risky --stop-on-defect --coverage --parallel - - - uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # pin@3.1.4 - with: - directory: ./coverage/ - flags: unittests - - - uses: actions/github-script@v6 - env: - parameter_url: "${{ github.event.workflow_run.html_url }}" - with: - script: | - await github.rest.checks.update({ - owner: context.repo.owner, - repo: context.repo.repo, - check_run_id: '${{steps.create-check.outputs.result}}', - name: "PEST", - status: "completed", - conclusion: "${{ github.event.workflow_run.conclusion }}", - 
details_url: process.env.parameter_url
- });
diff --git a/.github/workflows/pull-request.phpcsf.yml b/.github/workflows/pull-request.phpcsf.yml
deleted file mode 100644
index 0a494b24..00000000
--- a/.github/workflows/pull-request.phpcsf.yml
+++ /dev/null
@@ -1,78 +0,0 @@ -name: "Pull Request CI / PHP CS Fixer" - -# This workflow will run after a pull request is opened or updated, assuming the pull request is labeled with "Vetted". - -on: - workflow_run: - workflows: - - "Pull Request / Run Checks" - types: - - completed - -permissions: - contents: read - checks: write - -concurrency: - group: "pull-request.phpcsf-${{ github.ref }}" - cancel-in-progress: true - -jobs: - pull-request: - name: "Details" - uses: "./.github/workflows/common.pr-details.get.yml" - - phpcsf: - needs: pull-request - - name: "PHP CS Fixer" - runs-on: ubuntu-latest - - if: ${{ github.event.workflow_run.conclusion == 'success' }} - - steps: - - id: create-check - uses: actions/github-script@v6 - with: - result-encoding: string - script: | - const check = await github.rest.checks.create({ - owner: context.repo.owner, - repo: context.repo.repo, - head_sha: '${{ needs.pull-request.outputs.sha }}', - name: "PHP CS Fixer", - status: "in_progress" - }) - return check.data.id - - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - github-token: ${{ secrets.GITHUB_TOKEN }} - - - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 - with: - php-version: ${{ env.PHP_VERSION }} - coverage: none - extensions: mbstring - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - run: composer install --no-progress - - - run: vendor/bin/php-cs-fixer fix src --dry-run --diff - - - uses: actions/github-script@v6 - env: - parameter_url: "${{ github.event.workflow_run.html_url }}" - with: - script: | - await github.rest.checks.update({ - owner: context.repo.owner, - repo: context.repo.repo, - check_run_id: '${{steps.create-check.outputs.result}}', - name: "PHP CS Fixer", - status: "completed", - conclusion: "${{ github.event.workflow_run.conclusion }}", - details_url: process.env.parameter_url - }); 
diff --git a/.github/workflows/pull-request.phpstan.yml b/.github/workflows/pull-request.phpstan.yml
deleted file mode 100644
index 43df2834..00000000
--- a/.github/workflows/pull-request.phpstan.yml
+++ /dev/null
@@ -1,78 +0,0 @@ -name: "Pull Request CI / PHPStan" - -# This workflow will run after a pull request is opened or updated, assuming the pull request is labeled with "Vetted". - -on: - workflow_run: - workflows: - - "Pull Request / Run Checks" - types: - - completed - -permissions: - contents: read - checks: write - -concurrency: - group: "pull-request.phpstan-${{ github.ref }}" - cancel-in-progress: true - -jobs: - pull-request: - name: "Details" - uses: "./.github/workflows/common.pr-details.get.yml" - - phpstan: - needs: pull-request - - name: "PHPStan" - runs-on: ubuntu-latest - - if: ${{ github.event.workflow_run.conclusion == 'success' }} - - steps: - - id: create-check - uses: actions/github-script@v6 - with: - result-encoding: string - script: | - const check = await github.rest.checks.create({ - owner: context.repo.owner, - repo: context.repo.repo, - head_sha: '${{ needs.pull-request.outputs.sha }}', - name: "PHPStan", - status: "in_progress" - }) - return check.data.id - - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - github-token: ${{ secrets.GITHUB_TOKEN }} - - - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 - with: - php-version: ${{ env.PHP_VERSION }} - coverage: none - extensions: mbstring - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - run: composer install --no-progress - - - run: vendor/bin/phpstan analyze --no-ansi --no-progress --debug - - - uses: actions/github-script@v6 - env: - parameter_url: "${{ github.event.workflow_run.html_url }}" - with: - script: | - await github.rest.checks.update({ - owner: context.repo.owner, - repo: context.repo.repo, - check_run_id: '${{steps.create-check.outputs.result}}', - name: "PHPStan", - status: "completed", - conclusion: "${{ github.event.workflow_run.conclusion }}", - details_url: process.env.parameter_url - }); 
diff --git a/.github/workflows/pull-request.psalm.yml b/.github/workflows/pull-request.psalm.yml
deleted file mode 100644
index 618b0213..00000000
--- a/.github/workflows/pull-request.psalm.yml
+++ /dev/null
@@ -1,78 +0,0 @@ -name: "Pull Request CI / Psalm" - -# This workflow will run after a pull request is opened or updated, assuming the pull request is labeled with "Vetted". - -on: - workflow_run: - workflows: - - "Pull Request / Run Checks" - types: - - completed - -permissions: - contents: read - checks: write - -concurrency: - group: "pull-request.psalm-${{ github.ref }}" - cancel-in-progress: true - -jobs: - pull-request: - name: "Details" - uses: "./.github/workflows/common.pr-details.get.yml" - - psalm: - needs: pull-request - - name: "Psalm" - runs-on: ubuntu-latest - - if: ${{ github.event.workflow_run.conclusion == 'success' }} - - steps: - - id: create-check - uses: actions/github-script@v6 - with: - result-encoding: string - script: | - const check = await github.rest.checks.create({ - owner: context.repo.owner, - repo: context.repo.repo, - head_sha: '${{ needs.pull-request.outputs.sha }}', - name: "Psalm", - status: "in_progress" - }) - return check.data.id - - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - github-token: ${{ secrets.GITHUB_TOKEN }} - - - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 - with: - php-version: ${{ env.PHP_VERSION }} - coverage: none - extensions: mbstring - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - run: composer install --no-progress - - - run: vendor/bin/psalm - - - uses: actions/github-script@v6 - env: - parameter_url: "${{ github.event.workflow_run.html_url }}" - with: - script: | - await github.rest.checks.update({ - owner: context.repo.owner, - repo: context.repo.repo, - check_run_id: '${{steps.create-check.outputs.result}}', - name: "Psalm", - status: "completed", - conclusion: "${{ github.event.workflow_run.conclusion }}", - details_url: process.env.parameter_url - }); diff --git a/.github/workflows/pull-request.rector.yml b/.github/workflows/pull-request.rector.yml deleted file mode 100644 index 2080943c..00000000 
--- a/.github/workflows/pull-request.rector.yml +++ /dev/null @@ -1,76 +0,0 @@ -name: "Pull Request CI / Rector" - -# This workflow will run after a pull request is opened or updated, assuming the pull request is labeled with "Vetted". - -on: - workflow_run: - workflows: - - "Pull Request / Run Checks" - types: - - completed - -permissions: - contents: read - checks: write - -concurrency: - group: "pull-request.rector-${{ github.ref }}" - cancel-in-progress: true - -jobs: - pull-request: - name: "Details" - uses: "./.github/workflows/common.pr-details.get.yml" - - rector: - needs: pull-request - - name: "Rector" - runs-on: ubuntu-latest - - steps: - - id: create-check - uses: actions/github-script@v6 - with: - result-encoding: string - script: | - const check = await github.rest.checks.create({ - owner: context.repo.owner, - repo: context.repo.repo, - head_sha: '${{ needs.pull-request.outputs.sha }}', - name: "Rector", - status: "in_progress" - }) - return check.data.id - - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - github-token: ${{ secrets.GITHUB_TOKEN }} - - - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 - with: - php-version: ${{ env.PHP_VERSION }} - coverage: none - extensions: mbstring - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - run: composer install --no-progress - - - run: vendor/bin/rector process --dry-run - - - uses: actions/github-script@v6 - env: - parameter_url: "${{ github.event.workflow_run.html_url }}" - with: - script: | - await github.rest.checks.update({ - owner: context.repo.owner, - repo: context.repo.repo, - check_run_id: '${{steps.create-check.outputs.result}}', - name: "Rector", - status: "completed", - conclusion: "${{ github.event.workflow_run.conclusion }}", - details_url: process.env.parameter_url - }); 
diff --git a/.github/workflows/pull-request.semgrep.yml b/.github/workflows/pull-request.semgrep.yml deleted file mode 100644 index fe28caa0..00000000 --- a/.github/workflows/pull-request.semgrep.yml +++ /dev/null @@ -1,71 +0,0 @@ -name: "Pull Request CI / Semgrep" - -# This workflow will run after a pull request is opened or updated, assuming the pull request is labeled with "Vetted". - -on: - workflow_run: - workflows: - - "Pull Request / Run Checks" - types: - - completed - -permissions: - contents: read - checks: write - -concurrency: - group: "pull-request.semgrep-${{ github.ref }}" - cancel-in-progress: true - -jobs: - pull-request: - name: "Details" - uses: "./.github/workflows/common.pr-details.get.yml" - - semgrep: - needs: pull-request - - name: "Semgrep" - runs-on: ubuntu-latest - - container: - image: returntocorp/semgrep - - steps: - - id: create-check - uses: actions/github-script@v6 - with: - result-encoding: string - script: | - const check = await github.rest.checks.create({ - owner: context.repo.owner, - repo: context.repo.repo, - head_sha: '${{ needs.pull-request.outputs.sha }}', - name: "Semgrep", - status: "in_progress" - }) - return check.data.id - - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - github-token: ${{ secrets.GITHUB_TOKEN }} - - - run: semgrep ci - env: - SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} - - - uses: actions/github-script@v6 - env: - parameter_url: "${{ github.event.workflow_run.html_url }}" - with: - script: | - await github.rest.checks.update({ - owner: context.repo.owner, - repo: context.repo.repo, - check_run_id: '${{steps.create-check.outputs.result}}', - name: "Semgrep", - status: "completed", - conclusion: "success", - details_url: process.env.parameter_url - }); diff --git a/.github/workflows/pull-request.snyk.yml b/.github/workflows/pull-request.snyk.yml deleted file mode 100644 index de489cf1..00000000 --- a/.github/workflows/pull-request.snyk.yml +++ /dev/null 
@@ -1,79 +0,0 @@ -name: "Pull Request CI / Snyk" - -# This workflow will run after a pull request is opened or updated, assuming the pull request is labeled with "Vetted". - -on: - workflow_run: - workflows: - - "Pull Request / Run Checks" - types: - - completed - -permissions: - contents: read - checks: write - -concurrency: - group: "pull-request.snyk-${{ github.ref }}" - cancel-in-progress: true - -jobs: - pull-request: - name: "Details" - uses: "./.github/workflows/common.pr-details.get.yml" - - snyk: - needs: pull-request - - name: "Snyk" - runs-on: ubuntu-latest - - steps: - - id: create-check - uses: actions/github-script@v6 - with: - result-encoding: string - script: | - const check = await github.rest.checks.create({ - owner: context.repo.owner, - repo: context.repo.repo, - head_sha: '${{ needs.pull-request.outputs.sha }}', - name: "Snyk", - status: "in_progress" - }) - return check.data.id - - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - github-token: ${{ secrets.GITHUB_TOKEN }} - - - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 - with: - php-version: ${{ env.PHP_VERSION }} - coverage: none - extensions: mbstring - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - run: composer install --no-progress - - - uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # pin@0.4.0 - continue-on-error: true - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - - uses: actions/github-script@v6 - env: - parameter_url: "${{ github.event.workflow_run.html_url }}" - with: - script: | - await github.rest.checks.update({ - owner: context.repo.owner, - repo: context.repo.repo, - check_run_id: '${{steps.create-check.outputs.result}}', - name: "Snyk", - status: "completed", - conclusion: "success", - details_url: process.env.parameter_url - }); diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml new file mode 100644 index 00000000..e38ffd92 --- /dev/null 
+++ b/.github/workflows/semgrep.yml @@ -0,0 +1,47 @@ +name: Semgrep + +on: + merge_group: + workflow_dispatch: + pull_request_target: + types: + - opened + - synchronize + push: + branches: + - main + schedule: + - cron: "30 0 1,15 * *" + +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.ref != 'refs/heads/master' }} + +jobs: + authorize: + name: Authorize + environment: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }} + runs-on: ubuntu-latest + steps: + - run: true + + check: + name: Check for Vulnerabilities + runs-on: ubuntu-latest + + container: + image: returntocorp/semgrep + + steps: + - uses: actions/checkout@v3 + - uses: ./.github/actions/setup + with: + php: 8.0 + coverage: none + extensions: mbstring + + - run: semgrep ci + env: + SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml new file mode 100644 index 00000000..49fb2901 --- /dev/null +++ b/.github/workflows/snyk.yml 
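Review bot: The `check` job has no `needs: authorize`, so it starts in parallel with the `authorize` job and the `external` environment gate never applies to the scan; the same gap is in snyk.yml's `check` job, while tests.yml does chain its jobs through `needs: authorize`. As written, `actions/checkout@v3` with no `ref` under `pull_request_target` checks out the base branch, so for a PR `semgrep ci` scans what is already merged rather than the PR's changes (snyk.yml and every job in tests.yml behave the same way). If the fix is to add `ref: ${{ github.event.pull_request.head.sha }}`, the `needs: authorize` ordering is what keeps `SEMGREP_APP_TOKEN` out of a run on an unreviewed fork change, so the two edits should land together. Separately, `php: 8.0` is a YAML float and is handed to the setup action as `8` once the number is stringified; write `php: "8.0"` here and in snyk.yml.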
@@ -0,0 +1,45 @@ +name: Snyk + +on: + merge_group: + workflow_dispatch: + pull_request_target: + types: + - opened + - synchronize + push: + branches: + - main + schedule: + - cron: "30 0 1,15 * *" + +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.ref != 'refs/heads/master' }} + +jobs: + authorize: + name: Authorize + environment: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }} + runs-on: ubuntu-latest + steps: + - run: true + + check: + name: Check for Vulnerabilities + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + - uses: ./.github/actions/setup + with: + php: 8.0 + coverage: none + extensions: mbstring + + - uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # pin@0.4.0 + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml new file mode 100644 index 00000000..2d0f3b9b --- /dev/null +++ b/.github/workflows/tests.yml 
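Review bot: `cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}` tests for a branch this workflow never runs on — `push` is limited to `main` — so a newer push to main still cancels the in-progress scan; if the intent is to protect the default branch, it should read `refs/heads/main` (the same expression appears in semgrep.yml and tests.yml). `continue-on-error: true` on the `snyk/actions/php` step makes the job succeed whatever Snyk finds, so this check can never block a merge; if the scan is meant to be advisory only, a comment on that step such as `# advisory only: findings do not fail this job` would save the next reader the question, otherwise drop the flag.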
@@ -0,0 +1,156 @@ +name: Build and Test + +on: + merge_group: + workflow_dispatch: + pull_request_target: + types: + - opened + - synchronize + push: + branches: + - main + +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.ref != 'refs/heads/master' }} + +jobs: + authorize: + name: Authorize + environment: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }} + runs-on: ubuntu-latest + steps: + - run: true + + configure: + needs: authorize + name: Configure + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.set-matrix.outputs.matrix }} + steps: + - uses: actions/checkout@v3 + + - id: set-matrix + run: echo "matrix=$(jq -c . < ./.github/workflows/matrix.json)" >> $GITHUB_OUTPUT + + prepare: + needs: configure + name: Prepare Dependencies + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: ${{ fromJson(needs.configure.outputs.matrix) }} + steps: + - uses: actions/checkout@v3 + - uses: ./.github/actions/setup + with: + php: ${{ matrix.php }} + + composer-normalize: + needs: prepare + name: Composer Normalize + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: ${{ fromJson(needs.configure.outputs.matrix) }} + steps: + - uses: actions/checkout@v3 + - uses: ./.github/actions/setup + with: + php: ${{ matrix.php }} + - run: composer require --dev ergebnis/composer-normalize + - run: composer config allow-plugins.ergebnis/composer-normalize true + - run: composer normalize + + composer-validate: + needs: prepare + name: Composer Normalize + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: ${{ fromJson(needs.configure.outputs.matrix) }} + steps: + - uses: actions/checkout@v3 + - uses: ./.github/actions/setup + with: + php: ${{ matrix.php }} + - run: composer validate + + pest: + needs: prepare + name: PEST + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: 
${{ fromJson(needs.configure.outputs.matrix) }} + steps: + - uses: actions/checkout@v3 + - uses: ./.github/actions/setup + with: + php: ${{ matrix.php }} + coverage: pcov + - run: vendor/bin/pest --order-by random --fail-on-risky --stop-on-defect --coverage --parallel + - uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # pin@3.1.4 + with: + directory: ./coverage/ + flags: unittestsvalidate + + phpstan: + needs: prepare + name: PHPStan + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: ${{ fromJson(needs.configure.outputs.matrix) }} + steps: + - uses: actions/checkout@v3 + - uses: ./.github/actions/setup + with: + php: ${{ matrix.php }} + - run: vendor/bin/phpstan analyze --no-ansi --no-progress --debug + + psalm: + needs: prepare + name: Psalm + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: ${{ fromJson(needs.configure.outputs.matrix) }} + steps: + - uses: actions/checkout@v3 + - uses: ./.github/actions/setup + with: + php: ${{ matrix.php }} + - run: vendor/bin/psalm + + rector: + needs: prepare + name: Rector + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: ${{ fromJson(needs.configure.outputs.matrix) }} + steps: + - uses: actions/checkout@v3 + - uses: ./.github/actions/setup + with: + php: ${{ matrix.php }} + - run: vendor/bin/rector process --dry-run + + php-cs-fixer: + needs: prepare + name: PHP CS Fixer + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: ${{ fromJson(needs.configure.outputs.matrix) }} + steps: + - uses: actions/checkout@v3 + - uses: ./.github/actions/setup + with: + php: ${{ matrix.php }} + - run: vendor/bin/php-cs-fixer fix --dry-run --diff --ansi --verbose
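Review bot: The `composer-validate` job carries `name: Composer Normalize`, copied from the job above it, so two distinct checks appear under one name in the PR status list; change it to `name: Composer Validate`. In the `pest` job the Codecov upload has `flags: unittestsvalidate`, where the deleted pull-request.pest.yml used `flags: unittests`; the trailing `validate` reads as a paste artefact and would start a new, unrelated flag on Codecov. The `prepare` job runs nothing but checkout and `./.github/actions/setup`, and every downstream job repeats both on a fresh runner, so it only pays off if that action restores a cache (its definition is outside this hunk, so I can't confirm).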