Only audit packages we actually provide #399
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: build | |
on: | |
push: | |
branches: ['main'] | |
pull_request: | |
branches: ['main'] | |
schedule: | |
# Run this workflow at 4 AM UTC every day. | |
- cron: '0 4 * * *' | |
workflow_dispatch: | |
env: | |
COMPOSER_FLAGS: "--ansi --no-interaction --no-progress --prefer-dist --optimize-autoloader" | |
jobs: | |
fixture: | |
name: Generate test fixture | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v2 | |
with: | |
fetch-depth: 1 | |
- uses: actions/checkout@v2 | |
with: | |
repository: php-tuf/php-tuf | |
ref: main | |
path: php-tuf | |
fetch-depth: 1 | |
- id: cache-pip | |
uses: actions/cache@v2 | |
with: | |
path: ~/.cache/pip | |
key: ${{ runner.os }}-pip-${{ hashFiles('**/Pipfile.lock') }} | |
restore-keys: | | |
${{ runner.os }}-pip- | |
- id: cache-pipenv | |
uses: actions/cache@v2 | |
with: | |
path: ~/.local/share/virtualenvs | |
key: ${{ runner.os }}-pipenv-${{ hashFiles('**/Pipfile.lock') }} | |
restore-keys: | | |
${{ runner.os }}-pipenv- | |
- name: Set up Python 3.9 | |
uses: actions/setup-python@v2 | |
with: | |
python-version: 3.9 | |
- name: Install pip/pipenv | |
run: | | |
python -m pip install --upgrade pip | |
python -m pip install --upgrade pipenv | |
- name: Install dependencies via pipenv | |
run: | | |
if [ -f Pipfile.lock ]; then pipenv install; fi | |
working-directory: php-tuf | |
- name: Generate fixtures | |
run: | | |
pipenv run python generate.py | |
cp -f ./metadata/root.json ../client/tuf/localhost.json | |
tar -c -z -f fixture.tar.gz --directory ../.. ./tests/server/metadata ./tests/client/tuf/localhost.json | |
env: | |
PIPENV_PIPFILE: ../../php-tuf/Pipfile | |
working-directory: ./tests/server | |
- name: Store fixtures as artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: fixture | |
path: ./tests/server/fixture.tar.gz | |
retention-days: 5 | |
test: | |
name: Test on ${{ matrix.operating-system }} with Composer ${{ matrix.composer }} and PHP ${{ matrix.php }} | |
needs: fixture | |
runs-on: ${{ matrix.operating-system }} | |
strategy: | |
fail-fast: false | |
max-parallel: 10 | |
matrix: | |
operating-system: [ubuntu-latest, macos-latest, windows-latest] | |
php: ['8.0', '8.1', '8.2'] | |
composer: [2, 2.2] | |
steps: | |
- uses: actions/checkout@v2 | |
with: | |
fetch-depth: 1 | |
- name: Install PHP and Composer 2 | |
uses: shivammathur/setup-php@v2 | |
with: | |
php-version: ${{ matrix.php }} | |
tools: composer:v${{ matrix.composer }} | |
extensions: sodium, json | |
- name: Install dependencies | |
run: | | |
composer config github-oauth.github.com ${{ secrets.GITHUB_TOKEN }} | |
# @todo This is needed because Composer 2.6.5 declared support for | |
# Symfony 7, but isn't actually compatible with it. We can remove | |
# this line when Composer 2.6.6 or later is released. | |
composer require 'symfony/console:6.4.0' --no-update | |
composer install ${{ env.COMPOSER_FLAGS }} | |
- name: Download fixture | |
uses: actions/download-artifact@v3 | |
with: | |
name: fixture | |
- name: Extract fixture | |
run: tar -x -v -f fixture.tar.gz | |
- name: Run tests | |
run: vendor/bin/phpunit ./tests --debug | |
- name: Check dependencies for known security vulnerabilities (legacy) | |
if: matrix.composer == 2.2 | |
run: composer require --update-with-all-dependencies roave/security-advisories:dev-latest | |
- name: Check dependencies for known security vulnerabilities | |
if: matrix.composer == 2 | |
run: 'composer audit' |