forked from PHP-CS-Fixer/PHP-CS-Fixer
-
Notifications
You must be signed in to change notification settings - Fork 2
131 lines (104 loc) · 5.34 KB
/
sca.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
name: Static Code Analysis
on:
- pull_request
- push
permissions:
contents: read # to fetch code (actions/checkout)
concurrency:
group: sca-${{ github.head_ref || github.run_id }} # will be canceled on subsequent pushes in pull requests but not branches
cancel-in-progress: true
jobs:
everything:
name: Static Code Analysis
runs-on: 'ubuntu-24.04'
env:
php-version: '8.3'
steps:
- name: Checkout code
uses: actions/checkout@v4
# We need to fetch base branch because `actions/checkout` only initializes empty repo and fetches PR's meta-branch
# which leads to `fatal: ambiguous argument 'origin/...': unknown revision or path not in the working tree.`,
# because of that `CHANGED_PHP_FILES` is not set, and tools based on diff between branches (like Mess Detector) don't work.
- name: Fetch base branch
if: ${{ github.event_name == 'pull_request' }}
run: git fetch --no-tags --prune --no-recurse-submodules --depth=1 origin $GITHUB_BASE_REF
- name: Setup PHP with Composer deps
uses: ./.github/composite-actions/setup-php-with-composer-deps
with:
os: ${{ runner.os }}
php: ${{ env.php-version }}
## We want to have a lock-file used on PR level, so contributors are not bothered by SCA complains unrelated to their changes,
## and same time we want to be aware that we are complying with bleeding edge of SCA tools as maintainers observing the push hook.
- name: Unlock dev-tools
if: ${{ github.event_name != 'pull_request' }}
run: rm ./dev-tools/composer.lock
- name: Cache dev-tools
uses: actions/cache@v4
with:
path: dev-tools/bin/
key: DevTools-${{ hashFiles('dev-tools/install.sh') }}
- name: Install dev-tools
uses: nick-invision/retry@v3
with:
timeout_minutes: 5
max_attempts: 5
retry_wait_seconds: 30
command: ./dev-tools/install.sh
- name: Show PHPUnit version
run: vendor/bin/phpunit --version
- name: Run AutoReview
run: vendor/bin/paraunit run --testsuite auto-review
- name: Check - file permissions
run: ./dev-tools/check_file_permissions.sh
- name: Check - trailing spaces
run: ./dev-tools/check_trailing_spaces.sh
- name: Check - Composer's autoload
run: composer dump-autoload --dry-run --optimize --strict-psr
- name: Check - phpstan
run: ./dev-tools/vendor/bin/phpstan analyse --ansi
- name: Check - PHP compatibility
run: composer php-compatibility
- name: Check - composer-unused
run: ./dev-tools/vendor/bin/composer-unused --no-progress --excludePackage=composer/xdebug-handler
- name: Check - composer-require-checker
run: ./dev-tools/vendor/bin/composer-require-checker check composer.json --config-file .composer-require-checker.json
- name: Check - composer normalize
run: |
composer normalize --dry-run --working-dir=./dev-tools ../composer.json
composer normalize --dry-run --working-dir=./dev-tools composer.json
- name: Check - shell scripts
run: ./dev-tools/check_shell_scripts.sh
- name: Find changed files (for pull request)
if: ${{ github.event_name == 'pull_request' }}
run: |
if git diff origin/$GITHUB_BASE_REF --name-only --diff-filter=ACMRTUXB | grep -E "\.php$"; then
echo 'CHANGED_PHP_FILES<<EOF' >> $GITHUB_ENV
git diff origin/$GITHUB_BASE_REF --name-only --diff-filter=ACMRTUXB | grep -E "\.php$" >> $GITHUB_ENV
echo 'EOF' >> $GITHUB_ENV
fi
- name: Find changed files (for push)
if: ${{ github.event_name != 'pull_request' }}
run: |
if git diff --name-only --diff-filter=ACMRTUXB HEAD~..HEAD | grep -E "\.php$"; then
echo 'CHANGED_PHP_FILES<<EOF' >> $GITHUB_ENV
git diff --name-only --diff-filter=ACMRTUXB HEAD~..HEAD | grep -E "\.php$" >> $GITHUB_ENV
echo 'EOF' >> $GITHUB_ENV
fi
- name: Check - well defined array keys
if: ${{ env.CHANGED_PHP_FILES }}
run: |
echo "Array types must explicitly declare key-type, i.e. as \`array<type-of-key, type-of-value>\`, \`list<type-of-value>\` or \`array{...}\` - instead of \`array<type-of-value>\` or \`type-of-value[]\`."
echo "Hint: don't apply those rules blindly, provide array key type explicitly\!"
./php-cs-fixer check --config=dev-tools/.php-cs-fixer.well-defined-arrays.php --path-mode=intersection $CHANGED_PHP_FILES
- name: Check - Mess Detector (phpmd)
if: ${{ env.CHANGED_PHP_FILES }}
run: |
if [ '${{ github.event_name }}' == 'pull_request' ]; then
./dev-tools/vendor/bin/phpmd `echo "$CHANGED_PHP_FILES" | grep -v /Fixtures/ | xargs | sed 's/ /,/g'` github ./dev-tools/mess-detector/phpmd.xml
else
./dev-tools/vendor/bin/phpmd `echo "$CHANGED_PHP_FILES" | grep -v /Fixtures/ | xargs | sed 's/ /,/g'` ansi ./dev-tools/mess-detector/phpmd.xml
fi
- name: Check - ensure test files are not present in the archive
run: |
git archive -o /dev/null HEAD -v 2>&1 | grep tests | grep \.php \
&& (echo "Test files detected in archive" && exit 1) || echo "No test files detected in archive"