
  1. name: Static Code Analysis
  2. on:
  3. - pull_request
  4. - push
  5. permissions:
  6. contents: read # to fetch code (actions/checkout)
  7. concurrency:
  8. group: sca-${{ github.head_ref || github.run_id }} # will be canceled on subsequent pushes in pull requests but not branches
  9. cancel-in-progress: true
  10. jobs:
  11. tests:
  12. strategy:
  13. fail-fast: false
  14. matrix:
  15. operating-system:
  16. - ubuntu-20.04
  17. php-version:
  18. - 8.1
  19. name: Static Code Analysis
  20. runs-on: ${{ matrix.operating-system }}
  21. steps:
  22. - name: Checkout code
  23. uses: actions/checkout@v3
  24. with:
  25. fetch-depth: 0
  26. - name: Setup PHP
  27. uses: shivammathur/setup-php@v2
  28. with:
  29. php-version: ${{ matrix.php-version }}
  30. extensions: none, dom, mbstring, opcache, simplexml, tokenizer, xml, xmlwriter
  31. coverage: none # without this Xdebug will be enabled
  32. tools: cs2pr
  33. - name: Get Composer cache directory
  34. id: composer-cache
  35. run: echo "dir=$(composer config cache-dir)" >> $GITHUB_OUTPUT
  36. - name: Cache dependencies
  37. uses: actions/cache@v3
  38. with:
  39. path: ${{ steps.composer-cache.outputs.dir }}
  40. key: composer-${{ runner.os }}-${{ matrix.php-version }}-${{ hashFiles('**/composer.*') }}-${{ matrix.composer-flags }}
  41. restore-keys: |
  42. composer-${{ runner.os }}-${{ matrix.php-version }}-${{ hashFiles('**/composer.*') }}-
  43. composer-${{ runner.os }}-${{ matrix.php-version }}-
  44. composer-${{ runner.os }}-
  45. composer-
  46. - name: Install dependencies
  47. uses: nick-invision/retry@v2
  48. with:
  49. timeout_minutes: 5
  50. max_attempts: 5
  51. retry_wait_seconds: 30
  52. command: composer update --optimize-autoloader --no-interaction --no-progress ${{ matrix.composer-flags }}
  53. - name: Report versions
  54. run: composer info -D
  55. ## We want to have a lock-file used on PR level, so contributors are not bothered by SCA complains unrelated to their changes,
  56. ## and same time we want to be aware that we are complying with bleeding edge of SCA tools as maintainers observing the push hook.
  57. - name: Unlock dev-tools
  58. if: ${{ github.event_name != 'pull_request' }}
  59. run: rm ./dev-tools/composer.lock
  60. - name: Install dev-tools
  61. uses: nick-invision/retry@v2
  62. with:
  63. timeout_minutes: 5
  64. max_attempts: 5
  65. retry_wait_seconds: 30
  66. command: ./dev-tools/install.sh
  67. - name: Check - file permissions
  68. run: ./dev-tools/check_file_permissions.sh
  69. - name: Check - trailing spaces
  70. run: ./dev-tools/check_trailing_spaces.sh
  71. - name: Check - phpstan
  72. run: ./dev-tools/vendor/bin/phpstan analyse --error-format=checkstyle | cs2pr
  73. - name: Check - composer-require-checker
  74. run: ./dev-tools/vendor/bin/composer-require-checker check composer.json --config-file .composer-require-checker.json
  75. - name: Check - composer normalize
  76. run: |
  77. composer normalize --dry-run --working-dir=./dev-tools ../composer.json
  78. composer normalize --dry-run --working-dir=./dev-tools composer.json
  79. - name: Check - shell scripts
  80. run: ./dev-tools/check_shell_scripts.sh
  81. - name: Find changed files (for pull request)
  82. if: ${{ github.event_name == 'pull_request' }}
  83. run: |
  84. if git diff origin/$GITHUB_BASE_REF --name-only --diff-filter=ACMRTUXB | grep -E "\.php$"; then
  85. echo 'CHANGED_PHP_FILES<<EOF' >> $GITHUB_ENV
  86. git diff origin/$GITHUB_BASE_REF --name-only --diff-filter=ACMRTUXB | grep -E "\.php$" >> $GITHUB_ENV
  87. echo 'EOF' >> $GITHUB_ENV
  88. fi
  89. - name: Find changed files (for push)
  90. if: ${{ github.event_name != 'pull_request' }}
  91. run: |
  92. if git diff --name-only --diff-filter=ACMRTUXB HEAD~..HEAD | grep -E "\.php$"; then
  93. echo 'CHANGED_PHP_FILES<<EOF' >> $GITHUB_ENV
  94. git diff --name-only --diff-filter=ACMRTUXB HEAD~..HEAD | grep -E "\.php$" >> $GITHUB_ENV
  95. echo 'EOF' >> $GITHUB_ENV
  96. fi
  97. - name: Check - Mess Detector (phpmd)
  98. if: ${{ env.CHANGED_PHP_FILES }}
  99. run: |
  100. if [ '${{ github.event_name }}' == 'pull_request' ]; then
  101. ./dev-tools/vendor/bin/phpmd `echo "$CHANGED_PHP_FILES" | grep -v /Fixtures/ | xargs | sed 's/ /,/g'` github ./dev-tools/mess-detector/phpmd.xml
  102. else
  103. ./dev-tools/vendor/bin/phpmd `echo "$CHANGED_PHP_FILES" | grep -v /Fixtures/ | xargs | sed 's/ /,/g'` ansi ./dev-tools/mess-detector/phpmd.xml
  104. fi
  105. - name: Check - ensure test files are not present in the archive
  106. run: |
  107. git archive -o /dev/null HEAD -v 2>&1 | grep tests | grep \.php \
  108. && (echo "Test files detected in archive" && exit 1) || echo "No test files detected in archive"