
# SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors
# SPDX-License-Identifier: MIT
#
# Psalm static code analysis for pull requests. Three independent jobs:
#   - static-code-analysis: regular Psalm run against the baseline, SARIF
#     uploaded to GitHub code scanning;
#   - static-code-analysis-security: Psalm taint analysis that ignores the
#     baseline, SARIF uploaded to code scanning;
#   - static-code-analysis-ocp: Psalm run with the psalm-ocp.xml config,
#     baseline drift check only (no SARIF upload).
name: Psalm static code analysis

# `on` reads as a YAML 1.1 boolean key in generic loaders; GitHub's workflow
# loader treats it as the trigger map as intended.
on:
  # Bare `pull_request:` (null value) = the default activity types.
  pull_request:

# One live run per head ref: a newer push to the same PR cancels the older
# run. `run_id` is the fallback so runs without a head ref never share a group.
concurrency:
  group: static-code-analysis-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

# NOTE(review): no `permissions:` block is declared, so every job inherits the
# repository's default GITHUB_TOKEN scope. The upload-sarif steps need
# `security-events: write`; the remaining steps need only `contents: read`.
# Declaring that explicitly (top-level `contents: read`, plus
# `security-events: write` on the two uploading jobs) would make the token
# least-privilege by construction — confirm the repository's default token
# setting before changing it.
jobs:
  static-code-analysis:
    runs-on: ubuntu-latest
    # Skipped when the repository owner is nextcloud-gmbh (presumably a mirror
    # where this run is not wanted — confirm). The two jobs below carry no
    # such guard and run for every owner.
    if: ${{ github.repository_owner != 'nextcloud-gmbh' }}
    steps:
      # Third-party actions here are pinned to full commit SHAs (supply-chain
      # hardening); the trailing `#v2.31.1` on setup-php records the release
      # that SHA corresponds to.
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
        with:
          submodules: true
      - name: Set up php
        uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1
        with:
          # Quoted so the version stays the string "8.1", not a float.
          php-version: '8.1'
          extensions: apcu,ctype,curl,dom,fileinfo,ftp,gd,imagick,intl,json,ldap,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
          coverage: none
        env:
          # Handed to setup-php only; presumably used for authenticated GitHub
          # API downloads to avoid rate limits — verify against the action docs.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Composer install
        run: composer i
      # `--update-baseline` rewrites the Psalm baseline in the working tree;
      # the diff check that follows turns any such rewrite into a failed step,
      # so baseline drift cannot land silently.
      - name: Psalm
        run: composer run psalm:ci -- --monochrome --no-progress --output-format=github --update-baseline --report=results.sarif
      # Runs even if the Psalm step failed. `--exit-code` fails this step when
      # any tracked file outside lib/composer was modified.
      - name: Show potential changes in Psalm baseline
        if: always()
        run: git diff --exit-code -- . ':!lib/composer'
      # NOTE(review): unlike the SHA-pinned actions above, this one floats on
      # the `v3` major tag, so its contents can change with no diff in this
      # file. Pinning it the same way (`upload-sarif@<commit-sha> #v3.x.y`,
      # placeholder) would make the workflow's pinning policy consistent.
      - name: Upload Analysis results to GitHub
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

  # Taint analysis (source-to-sink tracking) as a separate job; no owner
  # guard and no GITHUB_TOKEN passed to setup-php in this job.
  static-code-analysis-security:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
        with:
          submodules: true
      - name: Set up php
        uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1
        with:
          php-version: '8.1'
          # Same list as the first job minus apcu.
          extensions: ctype,curl,dom,fileinfo,ftp,gd,imagick,intl,json,ldap,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
          coverage: none
      - name: Composer install
        run: composer i
      # `--ignore-baseline` means every current taint finding is reported and
      # affects the exit status, not only findings newer than the baseline.
      # No `--update-baseline` here, so there is no baseline diff check.
      - name: Psalm taint analysis
        run: composer run psalm:ci -- --monochrome --no-progress --output-format=github --report=results.sarif --taint-analysis --ignore-baseline
      # NOTE(review): same floating `v3` tag as in the first job — see the
      # pinning note there.
      - name: Upload Security Analysis results to GitHub
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

  # Psalm with the OCP-specific configuration. Produces no SARIF report and
  # has no upload step; only the baseline drift check guards the result.
  static-code-analysis-ocp:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
        with:
          submodules: true
      - name: Set up php
        uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1
        with:
          php-version: '8.1'
          # Shorter list than the other jobs (no apcu, ftp, ldap).
          extensions: ctype,curl,dom,fileinfo,gd,imagick,intl,json,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
          coverage: none
        env:
          # Handed to setup-php only, as in the first job.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Composer install
        run: composer i
      # `-c psalm-ocp.xml` selects the OCP config; `--update-baseline` rewrites
      # its baseline in the working tree for the diff check below.
      - name: Psalm
        run: composer run psalm:ci -- -c psalm-ocp.xml --monochrome --no-progress --output-format=github --update-baseline
      # Runs even if Psalm failed; fails when any tracked file outside
      # lib/composer was modified.
      - name: Show potential changes in Psalm baseline
        if: always()
        run: git diff --exit-code -- . ':!lib/composer'