sca.yml 5.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137
  1. name: Static Code Analysis
  2. on:
  3. - pull_request
  4. - push
  5. permissions:
  6. contents: read # to fetch code (actions/checkout)
  7. concurrency:
  8. group: sca-${{ github.head_ref || github.run_id }} # will be canceled on subsequent pushes in pull requests but not branches
  9. cancel-in-progress: true
  10. jobs:
  11. tests:
  12. strategy:
  13. fail-fast: false
  14. matrix:
  15. operating-system:
  16. - ubuntu-24.04
  17. php-version:
  18. - 8.3
  19. name: Static Code Analysis
  20. runs-on: ${{ matrix.operating-system }}
  21. steps:
  22. - name: Checkout code
  23. uses: actions/checkout@v4
  24. # We need to fetch base branch because `actions/checkout` only initializes empty repo and fetches PR's meta-branch
  25. # which leads to `fatal: ambiguous argument 'origin/...': unknown revision or path not in the working tree.`,
  26. # because of that `CHANGED_PHP_FILES` is not set, and tools based on diff between branches (like Mess Detector) don't work.
  27. - name: Fetch base branch
  28. if: ${{ github.event_name == 'pull_request' }}
  29. run: git fetch --no-tags --prune --no-recurse-submodules --depth=1 origin $GITHUB_BASE_REF
  30. - name: Setup PHP with Composer deps
  31. uses: ./.github/composite-actions/setup-php-with-composer-deps
  32. with:
  33. os: ${{ runner.os }}
  34. php: ${{ matrix.php-version }}
  35. ## We want to have a lock-file used on PR level, so contributors are not bothered by SCA complains unrelated to their changes,
  36. ## and same time we want to be aware that we are complying with bleeding edge of SCA tools as maintainers observing the push hook.
  37. - name: Unlock dev-tools
  38. if: ${{ github.event_name != 'pull_request' }}
  39. run: rm ./dev-tools/composer.lock
  40. - name: Cache dev-tools
  41. uses: actions/cache@v4
  42. with:
  43. path: dev-tools/bin/
  44. key: DevTools-${{ hashFiles('dev-tools/install.sh') }}
  45. - name: Install dev-tools
  46. uses: nick-invision/retry@v3
  47. with:
  48. timeout_minutes: 5
  49. max_attempts: 5
  50. retry_wait_seconds: 30
  51. command: ./dev-tools/install.sh
  52. - name: Show PHPUnit version
  53. run: vendor/bin/phpunit --version
  54. - name: Run AutoReview
  55. run: vendor/bin/paraunit run --testsuite auto-review
  56. - name: Check - file permissions
  57. run: ./dev-tools/check_file_permissions.sh
  58. - name: Check - trailing spaces
  59. run: ./dev-tools/check_trailing_spaces.sh
  60. - name: Check - duplicate test methods
  61. run: php ./dev-tools/check_duplicate_test_methods.php
  62. - name: Check - Composer's autoload
  63. run: composer dump-autoload --dry-run --optimize --strict-psr
  64. - name: Check - phpstan
  65. run: ./dev-tools/vendor/bin/phpstan analyse --ansi
  66. - name: Check - composer-unused
  67. run: ./dev-tools/vendor/bin/composer-unused --no-progress --excludePackage=composer/xdebug-handler
  68. - name: Check - composer-require-checker
  69. run: ./dev-tools/vendor/bin/composer-require-checker check composer.json --config-file .composer-require-checker.json
  70. - name: Check - composer normalize
  71. run: |
  72. composer normalize --dry-run --working-dir=./dev-tools ../composer.json
  73. composer normalize --dry-run --working-dir=./dev-tools composer.json
  74. - name: Check - shell scripts
  75. run: ./dev-tools/check_shell_scripts.sh
  76. - name: Find changed files (for pull request)
  77. if: ${{ github.event_name == 'pull_request' }}
  78. run: |
  79. if git diff origin/$GITHUB_BASE_REF --name-only --diff-filter=ACMRTUXB | grep -E "\.php$"; then
  80. echo 'CHANGED_PHP_FILES<<EOF' >> $GITHUB_ENV
  81. git diff origin/$GITHUB_BASE_REF --name-only --diff-filter=ACMRTUXB | grep -E "\.php$" >> $GITHUB_ENV
  82. echo 'EOF' >> $GITHUB_ENV
  83. fi
  84. - name: Find changed files (for push)
  85. if: ${{ github.event_name != 'pull_request' }}
  86. run: |
  87. if git diff --name-only --diff-filter=ACMRTUXB HEAD~..HEAD | grep -E "\.php$"; then
  88. echo 'CHANGED_PHP_FILES<<EOF' >> $GITHUB_ENV
  89. git diff --name-only --diff-filter=ACMRTUXB HEAD~..HEAD | grep -E "\.php$" >> $GITHUB_ENV
  90. echo 'EOF' >> $GITHUB_ENV
  91. fi
  92. - name: Check - well defined array keys
  93. if: ${{ env.CHANGED_PHP_FILES }}
  94. run: |
  95. echo "Array types must explicitly declare key-type, i.e. as \`array<type-of-key, type-of-value>\`, \`list<type-of-value>\` or \`array{...}\` - instead of \`array<type-of-value>\` or \`type-of-value[]\`."
  96. echo "Hint: don't apply those rules blindly, provide array key type explicitly\!"
  97. ./php-cs-fixer check --config=dev-tools/.php-cs-fixer.well-defined-arrays.php --path-mode=intersection $CHANGED_PHP_FILES
  98. - name: Check - Mess Detector (phpmd)
  99. if: ${{ env.CHANGED_PHP_FILES }}
  100. run: |
  101. if [ '${{ github.event_name }}' == 'pull_request' ]; then
  102. ./dev-tools/vendor/bin/phpmd `echo "$CHANGED_PHP_FILES" | grep -v /Fixtures/ | xargs | sed 's/ /,/g'` github ./dev-tools/mess-detector/phpmd.xml
  103. else
  104. ./dev-tools/vendor/bin/phpmd `echo "$CHANGED_PHP_FILES" | grep -v /Fixtures/ | xargs | sed 's/ /,/g'` ansi ./dev-tools/mess-detector/phpmd.xml
  105. fi
  106. - name: Check - ensure test files are not present in the archive
  107. run: |
  108. git archive -o /dev/null HEAD -v 2>&1 | grep tests | grep \.php \
  109. && (echo "Test files detected in archive" && exit 1) || echo "No test files detected in archive"