# SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors # SPDX-License-Identifier: MIT name: Psalm static code analysis on: pull_request: push: branches: - main - master - stable* paths: - '.github/workflows/static-code-analysis.yml' - '**.php' concurrency: group: static-code-analysis-${{ github.head_ref || github.run_id }} cancel-in-progress: true jobs: static-code-analysis: runs-on: ubuntu-latest if: ${{ github.event_name != 'push' && github.repository_owner != 'nextcloud-gmbh' }} steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: submodules: true - name: Set up php uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 with: php-version: '8.1' extensions: apcu,ctype,curl,dom,fileinfo,ftp,gd,imagick,intl,json,ldap,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip coverage: none env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Composer install run: composer i - name: Psalm run: composer run psalm -- --threads=1 --monochrome --no-progress --output-format=github --update-baseline - name: Show potential changes in Psalm baseline if: always() run: git diff --exit-code -- . ':!lib/composer' static-code-analysis-security: runs-on: ubuntu-latest if: ${{ github.repository_owner != 'nextcloud-gmbh' }} steps: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: submodules: true - name: Set up php uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 with: php-version: '8.1' extensions: ctype,curl,dom,fileinfo,ftp,gd,imagick,intl,json,ldap,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip coverage: none - name: Composer install run: composer i - name: Psalm taint analysis run: composer run psalm:security -- --threads=1 --monochrome --no-progress --output-format=github --update-baseline --report=results.sarif - name: Show potential changes in Psalm baseline if: always() run: git diff --exit-code -- . ':!lib/composer' - name: Upload Security Analysis results to GitHub if: always() uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif static-code-analysis-ocp: runs-on: ubuntu-latest if: ${{ github.event_name != 'push' && github.repository_owner != 'nextcloud-gmbh' }} steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: submodules: true - name: Set up php uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 with: php-version: '8.1' extensions: ctype,curl,dom,fileinfo,gd,imagick,intl,json,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip coverage: none env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Composer install run: composer i - name: Psalm run: composer run psalm:ocp -- --threads=1 --monochrome --no-progress --output-format=github --update-baseline - name: Show potential changes in Psalm baseline if: always() run: git diff --exit-code -- . ':!lib/composer' static-code-analysis-ncu: runs-on: ubuntu-latest if: ${{ github.event_name != 'push' && github.repository_owner != 'nextcloud-gmbh' }} steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: submodules: true - name: Set up php uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 with: php-version: '8.1' extensions: ctype,curl,dom,fileinfo,gd,imagick,intl,json,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip coverage: none env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Composer install run: composer i - name: Psalm run: composer run psalm:ncu -- --threads=1 --monochrome --no-progress --output-format=github