Only audit packages we actually provide #392
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: build | |
on: | |
push: | |
branches: ['main'] | |
pull_request: | |
branches: ['main'] | |
schedule: | |
# Run this workflow at 4 AM UTC every day. | |
- cron: '0 4 * * *' | |
workflow_dispatch: | |
env: | |
COMPOSER_FLAGS: "--ansi --no-interaction --no-progress --prefer-dist --optimize-autoloader" | |
jobs: | |
fixture: | |
name: Generate test fixture | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v2 | |
with: | |
fetch-depth: 1 | |
- uses: actions/checkout@v2 | |
with: | |
repository: php-tuf/php-tuf | |
ref: main | |
path: php-tuf | |
fetch-depth: 1 | |
- id: cache-pip | |
uses: actions/cache@v2 | |
with: | |
path: ~/.cache/pip | |
key: ${{ runner.os }}-pip-${{ hashFiles('**/Pipfile.lock') }} | |
restore-keys: | | |
${{ runner.os }}-pip- | |
- id: cache-pipenv | |
uses: actions/cache@v2 | |
with: | |
path: ~/.local/share/virtualenvs | |
key: ${{ runner.os }}-pipenv-${{ hashFiles('**/Pipfile.lock') }} | |
restore-keys: | | |
${{ runner.os }}-pipenv- | |
- name: Set up Python 3.9 | |
uses: actions/setup-python@v2 | |
with: | |
python-version: 3.9 | |
- name: Install pip/pipenv | |
run: | | |
python -m pip install --upgrade pip | |
python -m pip install --upgrade pipenv | |
- name: Install dependencies via pipenv | |
run: | | |
if [ -f Pipfile.lock ]; then pipenv install; fi | |
working-directory: php-tuf | |
- name: Generate fixtures | |
run: | | |
pipenv run python generate.py | |
cp -f ./metadata/root.json ../client/tuf/localhost.json | |
tar -c -z -f fixture.tar.gz --directory ../.. ./tests/server/metadata ./tests/client/tuf/localhost.json | |
env: | |
PIPENV_PIPFILE: ../../php-tuf/Pipfile | |
working-directory: ./tests/server | |
- name: Store fixtures as artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: fixture | |
path: ./tests/server/fixture.tar.gz | |
retention-days: 5 | |
test: | |
name: Test on ${{ matrix.operating-system }} with Composer ${{ matrix.composer }} and PHP ${{ matrix.php }} | |
needs: fixture | |
runs-on: ${{ matrix.operating-system }} | |
strategy: | |
fail-fast: false | |
max-parallel: 10 | |
matrix: | |
operating-system: [ubuntu-latest, macos-latest, windows-latest] | |
php: ['8.0', '8.1', '8.2'] | |
composer: [2, 2.2] | |
steps: | |
- uses: actions/checkout@v2 | |
with: | |
fetch-depth: 1 | |
- name: Install PHP and Composer 2 | |
uses: shivammathur/setup-php@v2 | |
with: | |
php-version: ${{ matrix.php }} | |
tools: composer:v${{ matrix.composer }} | |
extensions: sodium, json | |
- name: Install dependencies | |
run: | | |
composer config github-oauth.github.com ${{ secrets.GITHUB_TOKEN }} | |
# @todo This is required because Composer 2.6.5 shipped with support for | |
# Symfony 7, but is not actually compatible with it due to poor test | |
# coverage. This is since fixed, and this line can be removed when Composer | |
# 2.6.6 or later is released. | |
composer require symfony/console:^6 --no-update | |
composer install ${{ env.COMPOSER_FLAGS }} | |
- name: Download fixture | |
uses: actions/download-artifact@v3 | |
with: | |
name: fixture | |
- name: Extract fixture | |
run: tar -x -v -f fixture.tar.gz | |
- name: Run tests | |
run: vendor/bin/phpunit ./tests --debug | |
- name: Check dependencies for known security vulnerabilities (legacy) | |
if: matrix.composer == 2.2 | |
run: composer require --update-with-all-dependencies roave/security-advisories:dev-latest | |
- name: Check dependencies for known security vulnerabilities | |
if: matrix.composer == 2 | |
run: 'composer audit' |