1
0

static-code-analysis.yml 3.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113
  1. # SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors
  2. # SPDX-License-Identifier: MIT
  3. name: Psalm static code analysis
  4. on:
  5. pull_request:
  6. push:
  7. branches:
  8. - main
  9. - master
  10. - stable*
  11. paths:
  12. - '.github/workflows/static-code-analysis.yml'
  13. - '**.php'
  14. concurrency:
  15. group: static-code-analysis-${{ github.head_ref || github.run_id }}
  16. cancel-in-progress: true
  17. jobs:
  18. static-code-analysis:
  19. runs-on: ubuntu-latest
  20. if: ${{ github.event_name != 'push' && github.repository_owner != 'nextcloud-gmbh' }}
  21. steps:
  22. - name: Checkout
  23. uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
  24. with:
  25. submodules: true
  26. - name: Set up php
  27. uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1
  28. with:
  29. php-version: '8.1'
  30. extensions: apcu,ctype,curl,dom,fileinfo,ftp,gd,imagick,intl,json,ldap,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
  31. coverage: none
  32. env:
  33. GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  34. - name: Composer install
  35. run: composer i
  36. - name: Psalm
  37. run: composer run psalm -- --threads=1 --monochrome --no-progress --output-format=github --update-baseline
  38. - name: Show potential changes in Psalm baseline
  39. if: always()
  40. run: git diff --exit-code -- . ':!lib/composer'
  41. static-code-analysis-security:
  42. runs-on: ubuntu-latest
  43. if: ${{ github.repository_owner != 'nextcloud-gmbh' }}
  44. steps:
  45. - name: Checkout code
  46. uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
  47. with:
  48. submodules: true
  49. - name: Set up php
  50. uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1
  51. with:
  52. php-version: '8.1'
  53. extensions: ctype,curl,dom,fileinfo,ftp,gd,imagick,intl,json,ldap,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
  54. coverage: none
  55. - name: Composer install
  56. run: composer i
  57. - name: Psalm taint analysis
  58. run: composer run psalm:security -- --threads=1 --monochrome --no-progress --output-format=github --update-baseline --report=results.sarif
  59. - name: Show potential changes in Psalm baseline
  60. if: always()
  61. run: git diff --exit-code -- . ':!lib/composer'
  62. - name: Upload Security Analysis results to GitHub
  63. if: always()
  64. uses: github/codeql-action/upload-sarif@v3
  65. with:
  66. sarif_file: results.sarif
  67. static-code-analysis-ocp:
  68. runs-on: ubuntu-latest
  69. if: ${{ github.event_name != 'push' && github.repository_owner != 'nextcloud-gmbh' }}
  70. steps:
  71. - name: Checkout
  72. uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
  73. with:
  74. submodules: true
  75. - name: Set up php
  76. uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1
  77. with:
  78. php-version: '8.1'
  79. extensions: ctype,curl,dom,fileinfo,gd,imagick,intl,json,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
  80. coverage: none
  81. env:
  82. GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  83. - name: Composer install
  84. run: composer i
  85. - name: Psalm
  86. run: composer run psalm:ocp -- --threads=1 --monochrome --no-progress --output-format=github --update-baseline
  87. - name: Show potential changes in Psalm baseline
  88. if: always()
  89. run: git diff --exit-code -- . ':!lib/composer'