Updated PHP, composer and php-extension-installer to latest version #6672
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # GitHub Actions docs | |
| # https://help.github.com/en/articles/about-github-actions | |
| # https://help.github.com/en/articles/workflow-syntax-for-github-actions | |
| name: CI | |
| on: | |
| # Trigger the workflow on push or pull request, | |
| # but only for the master branch | |
| push: | |
| branches: | |
| - master | |
| pull_request: | |
| branches: | |
| - master | |
| schedule: | |
| - cron: '0 0 * * *' | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| security-check: | |
| name: PHP Security Checker | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: '0' | |
| - name: Setup PHP, with composer and extensions | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: '8.3' | |
| tools: composer:v2 | |
| - name: Get composer cache directory | |
| id: composer-cache | |
| run: echo "CACHE_DIR=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT | |
| - name: Cache composer dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: ${{ steps.composer-cache.outputs.CACHE_DIR }} | |
| key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} | |
| restore-keys: ${{ runner.os }}-composer- | |
| - name: Install Composer dependencies | |
| run: composer install --no-progress --optimize-autoloader | |
| - name: Check which versions we're using | |
| run: | | |
| mysql --version | |
| php --version | |
| php ./bin/console --version | |
| php ./vendor/bin/phpunit --version | |
| composer --version | |
| - name: PHP Security Checker | |
| uses: symfonycorp/security-checker-action@v5 | |
| - name: Check that application doesn't have installed dependencies with known security vulnerabilities | |
| run: make check-security | |
| lint-configuration: | |
| name: Lint configuration | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: '0' | |
| - name: Setup PHP, with composer and extensions | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: '8.3' | |
| tools: composer:v2 | |
| - name: Get composer cache directory | |
| id: composer-cache | |
| run: echo "CACHE_DIR=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT | |
| - name: Cache composer dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: ${{ steps.composer-cache.outputs.CACHE_DIR }} | |
| key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} | |
| restore-keys: ${{ runner.os }}-composer- | |
| - name: Install Composer dependencies | |
| run: composer install --no-progress --optimize-autoloader | |
| - name: Check which versions we're using | |
| run: | | |
| mysql --version | |
| php --version | |
| php ./bin/console --version | |
| php ./vendor/bin/phpunit --version | |
| composer --version | |
| - name: Validate main `composer.json` and `composer.lock` files | |
| run: composer validate --no-check-version | |
| - name: Check that environment is configured correctly | |
| run: php ./vendor/bin/requirements-checker | |
| - name: Lint YAML configurations | |
| run: make lint-yaml | |
| static: | |
| name: Static analyzers | |
| runs-on: ubuntu-latest | |
| needs: | |
| - security-check | |
| - lint-configuration | |
| strategy: | |
| fail-fast: false | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: '0' | |
| - name: Setup PHP, with composer and extensions | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: '8.3' | |
| tools: composer:v2 | |
| - name: Get composer cache directory | |
| id: composer-cache | |
| run: echo "CACHE_DIR=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT | |
| - name: Cache composer dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: ${{ steps.composer-cache.outputs.CACHE_DIR }} | |
| key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} | |
| restore-keys: ${{ runner.os }}-composer- | |
| - name: Install Composer dependencies | |
| run: composer install --no-progress --optimize-autoloader | |
| - name: Check which versions we're using | |
| run: | | |
| mysql --version | |
| php --version | |
| php ./bin/console --version | |
| php ./vendor/bin/phpunit --version | |
| composer --version | |
| - name: Run PHP CodeSniffer | |
| run: make phpcs | |
| - name: Run The Easiest Way to Use Any Coding Standard | |
| run: make ecs | |
| - name: Run PHPLint tool | |
| run: make phplint | |
| - name: Run PHP Parallel Lint tool | |
| run: make php-parallel-lint | |
| - name: Run Psalm static analysis tool and report statistics to https://shepherd.dev/ | |
| run: make psalm-github | |
| #- name: Run Psalm static analysis tool | |
| # run: make psalm | |
| - name: Run PHPStan static analysis tool | |
| run: make phpstan-github | |
| - name: Run `phploc` to collect LOC stats | |
| run: make phploc | |
| - name: Run `PHP Insights` static analysis tool | |
| run: make phpinsights | |
| - name: Archive Psalm results (psalm.json) | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: psalm.json | |
| path: ./build/psalm.json | |
| - name: Archive `phploc` results (phploc.json) | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: phploc.json | |
| path: ./build/phploc.json | |
| test: | |
| name: PHPUnit tests | |
| runs-on: ubuntu-latest | |
| needs: | |
| - static | |
| - lint-documentation | |
| services: | |
| mariadb: | |
| image: mariadb:10.7.1 | |
| env: | |
| MYSQL_ALLOW_EMPTY_PASSWORD: false | |
| MYSQL_ROOT_PASSWORD: symfony | |
| MYSQL_DATABASE: symfony | |
| ports: | |
| - 3306/tcp | |
| options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3 | |
| strategy: | |
| fail-fast: false | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: '0' | |
| - name: Setup PHP, with composer and extensions | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: '8.3' | |
| extensions: pdo_mysql, mysql | |
| coverage: xdebug | |
| tools: composer:v2 | |
| - name: Get composer cache directory | |
| id: composer-cache | |
| run: echo "CACHE_DIR=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT | |
| - name: Cache composer dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: ${{ steps.composer-cache.outputs.CACHE_DIR }} | |
| key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} | |
| restore-keys: ${{ runner.os }}-composer- | |
| - name: Configure application for CI run | |
| run: | | |
| cp .env.gh-actions .env | |
| cp .env.gh-actions .env.test | |
| make generate-jwt-keys | |
| chmod 644 ./config/jwt/private.pem | |
| - name: Install Composer dependencies | |
| run: composer install --no-progress --optimize-autoloader | |
| - name: Check which versions we're using | |
| run: | | |
| mysql --version | |
| php --version | |
| php ./bin/console --version | |
| php ./vendor/bin/phpunit --version | |
| composer --version | |
| - name: Prepare Code Climate (https://codeclimate.com/github/tarlepp/symfony-flex-backend/) | |
| run: | | |
| curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter | |
| chmod +x ./cc-test-reporter | |
| GIT_BRANCH=$GITHUB_REF GIT_COMMIT_SHA=$GITHUB_SHA ./cc-test-reporter before-build | |
| env: | |
| CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }} # https://docs.codeclimate.com/docs/finding-your-test-coverage-token | |
| - name: Run application test suites with PHPUnit | |
| run: make run-tests-php | |
| env: | |
| DATABASE_URL: mysql://root:symfony@127.0.0.1:${{ job.services.mariadb.ports['3306'] }}/symfony | |
| - name: Report results to Code Climate (https://codeclimate.com/github/tarlepp/symfony-flex-backend/) | |
| run: GIT_BRANCH=$GITHUB_REF GIT_COMMIT_SHA=$GITHUB_SHA ./cc-test-reporter after-build --id ${{ secrets.CC_TEST_REPORTER_ID }} --coverage-input-type clover --exit-code $? | |
| env: | |
| CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }} # https://docs.codeclimate.com/docs/finding-your-test-coverage-token | |
| - name: Report results to Scrutinizer (https://scrutinizer-ci.com/g/tarlepp/symfony-flex-backend/) | |
| run: | | |
| composer global require scrutinizer/ocular | |
| ~/.composer/vendor/bin/ocular code-coverage:upload --access-token ${{ secrets.SCRUTINIZER_ACCESS_TOKEN }} --format=php-clover ./build/logs/clover.xml | |
| - name: Report results to Coveralls (https://coveralls.io/github/tarlepp/symfony-flex-backend) | |
| run: php ./vendor/bin/php-coveralls -v | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_REPO_TOKEN }} | |
| COVERALLS_RUN_LOCALLY: 1 | |
| - name: SonarCloud Scan (https://sonarcloud.io/dashboard?id=github.com.tarlepp.symfony-flex-backend) | |
| uses: sonarsource/sonarcloud-github-action@master | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # https://github.com/SonarSource/sonarcloud-github-action#secrets | |
| - name: Create PhpMetrics report | |
| run: make phpmetrics | |
| - name: Archive code coverage results (clover.xml) | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: clover.xml | |
| path: ./build/logs/clover.xml | |
| - name: Archive code coverage results (junit.xml) | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: junit.xml | |
| path: ./build/logs/junit.xml | |
| - name: Archive Code Coverage | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: CodeCoverage | |
| path: ./build/report | |
| - name: Archive PhpMetrics results | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: PhpMetrics | |
| path: ./build/phpmetrics | |
| lint-documentation: | |
| name: Lint documentation files | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Make checkout | |
| uses: actions/checkout@v4 | |
| - name: Lint `./README.md` | |
| uses: avto-dev/markdown-lint@v1 | |
| with: | |
| config: './markdown-lint.yml' | |
| args: './README.md' | |
| - name: Lint all the resource docs under `./doc/` directory | |
| uses: avto-dev/markdown-lint@v1 | |
| with: | |
| config: './markdown-lint.yml' | |
| args: './doc/*.md' | |
| - name: Lint all the docs under `./docker/` directory | |
| uses: avto-dev/markdown-lint@v1 | |
| with: | |
| config: './markdown-lint.yml' | |
| args: './docker/*.md' | |
| - name: Lint all the docs under `./secrets/` directory | |
| uses: avto-dev/markdown-lint@v1 | |
| with: | |
| config: './markdown-lint.yml' | |
| args: './secrets/*.md' | |
| build: | |
| name: Build application Docker image | |
| runs-on: ubuntu-latest | |
| needs: | |
| - test | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set tag var | |
| id: vars | |
| run: echo "DOCKER_TAG=$(echo ${GITHUB_REF} | sed -r 's/[\/()\.]+/_/g')-${GITHUB_SHA}" >> $GITHUB_OUTPUT | |
| - name: Build the Docker image | |
| run: docker build . --file Dockerfile --tag symfony-flex-backend:${{ steps.vars.outputs.DOCKER_TAG }} | |
| - name: Scan Docker image with Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@0.24.0 | |
| with: | |
| image-ref: 'symfony-flex-backend:${{ steps.vars.outputs.DOCKER_TAG }}' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' |