Cyber.Trackr.Live/.github/workflows/psalm.yml at master · CyberSecDef/Cyber.Trackr.Live · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

name: Psalm Security Scan

on:
  push:
    branches: [ "master" ]
  pull_request:
    branches: [ "master" ]
  schedule:
    - cron: '40 12 * * 3'

permissions:
  contents: read

jobs:
  php-security:
    runs-on: ubuntu-latest
    permissions:
      contents: read           # for actions/checkout to fetch code
      security-events: write   # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read            # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status

    # The Symfony app (composer.json, src/, psalm.xml) lives in this subdirectory.
    defaults:
      run:
        working-directory: cyber.trackr.live

    steps:
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Set up PHP 8.4
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.4'
          tools: composer:v2, psalm
          coverage: none
          ini-values: memory_limit=512M

      - name: Validate composer.json
        run: composer validate --no-check-publish

      - name: Get Composer cache directory
        id: composer-cache
        run: echo "dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT"

      - name: Cache Composer dependencies
        uses: actions/cache@v4
        with:
          path: ${{ steps.composer-cache.outputs.dir }}
          key: ${{ runner.os }}-php8.4-composer-${{ hashFiles('**/composer.lock') }}
          restore-keys: |
            ${{ runner.os }}-php8.4-composer-

      - name: Install Composer dependencies
        run: composer install --prefer-dist --no-progress --no-interaction

      - name: Psalm Security Scan
        run: psalm --no-cache --taint-analysis --php-version=8.4 --report=results.sarif --output-format=github
        continue-on-error: true

      - name: Upload Security Analysis results to GitHub
        uses: github/codeql-action/upload-sarif@v4
        with:
          # uses: steps ignore the job's working-directory, so qualify the path.
          sarif_file: cyber.trackr.live/results.sarif