
  1. name: Psalm static code analysis
  2. on:
  3. pull_request:
  4. concurrency:
  5. group: static-code-analysis-${{ github.head_ref || github.run_id }}
  6. cancel-in-progress: true
  7. jobs:
  8. static-code-analysis:
  9. runs-on: ubuntu-latest
  10. if: ${{ github.repository_owner != 'nextcloud-gmbh' }}
  11. steps:
  12. - name: Checkout
  13. uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  14. with:
  15. submodules: true
  16. - name: Set up php
  17. uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1
  18. with:
  19. php-version: '8.0'
  20. extensions: apcu,ctype,curl,dom,fileinfo,ftp,gd,imagick,intl,json,ldap,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
  21. coverage: none
  22. env:
  23. GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  24. - name: Composer install
  25. run: composer i
  26. - name: Psalm
  27. run: composer run psalm:ci -- --monochrome --no-progress --output-format=github --update-baseline --report=results.sarif
  28. - name: Show potential changes in Psalm baseline
  29. if: always()
  30. run: git diff --exit-code -- . ':!lib/composer'
  31. - name: Upload Analysis results to GitHub
  32. if: always()
  33. uses: github/codeql-action/upload-sarif@v3
  34. with:
  35. sarif_file: results.sarif
  36. static-code-analysis-security:
  37. runs-on: ubuntu-latest
  38. steps:
  39. - name: Checkout code
  40. uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  41. with:
  42. submodules: true
  43. - name: Set up php
  44. uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1
  45. with:
  46. php-version: '8.0'
  47. extensions: ctype,curl,dom,fileinfo,ftp,gd,imagick,intl,json,ldap,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
  48. coverage: none
  49. - name: Composer install
  50. run: composer i
  51. - name: Psalm taint analysis
  52. run: composer run psalm:ci -- --monochrome --no-progress --output-format=github --report=results.sarif --taint-analysis --ignore-baseline
  53. - name: Upload Security Analysis results to GitHub
  54. if: always()
  55. uses: github/codeql-action/upload-sarif@v3
  56. with:
  57. sarif_file: results.sarif
  58. static-code-analysis-ocp:
  59. runs-on: ubuntu-latest
  60. steps:
  61. - name: Checkout
  62. uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  63. with:
  64. submodules: true
  65. - name: Set up php
  66. uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1
  67. with:
  68. php-version: '8.0'
  69. extensions: ctype,curl,dom,fileinfo,gd,imagick,intl,json,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
  70. coverage: none
  71. env:
  72. GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  73. - name: Composer install
  74. run: composer i
  75. - name: Psalm
  76. run: composer run psalm:ci -- -c psalm-ocp.xml --monochrome --no-progress --output-format=github --update-baseline
  77. - name: Show potential changes in Psalm baseline
  78. if: always()
  79. run: git diff --exit-code -- . ':!lib/composer'