diff --git a/.github/actionlint-matcher.json b/.github/actionlint-matcher.json new file mode 100644 index 00000000000..4613e1617bf --- /dev/null +++ b/.github/actionlint-matcher.json @@ -0,0 +1,17 @@ +{ + "problemMatcher": [ + { + "owner": "actionlint", + "pattern": [ + { + "regexp": "^(?:\\x1b\\[\\d+m)?(.+?)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*: (?:\\x1b\\[\\d+m)*(.+?)(?:\\x1b\\[\\d+m)* \\[(.+?)\\]$", + "file": 1, + "line": 2, + "column": 3, + "message": 4, + "code": 5 + } + ] + } + ] +} diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml new file mode 100644 index 00000000000..27f24666227 --- /dev/null +++ b/.github/actionlint.yaml @@ -0,0 +1,23 @@ +self-hosted-runner: + # Labels of self-hosted runner in array of strings. + labels: + - blacksmith-4vcpu-ubuntu-2404 + +# Configuration variables in array of strings defined in your repository or +# organization. `null` means disabling configuration variables check. +# Empty array means no configuration variable is allowed. +config-variables: null + +# Configuration for file paths. The keys are glob patterns to match to file +# paths relative to the repository root. The values are the configurations for +# the file paths. Note that the path separator is always '/'. +# The following configurations are available. +# +# "ignore" is an array of regular expression patterns. Matched error messages +# are ignored. This is similar to the "-ignore" command line option. +paths: + .github/workflows/**/*.{yml,yaml}: + # List of regular expressions to filter errors by the error messages. + ignore: + # Ignore the specific error from shellcheck + - 'shellcheck reported issue in this script: SC2129:.+' diff --git a/.github/workflows/backward-compatibility.yml b/.github/workflows/backward-compatibility.yml index 2dd30625218..f928b68c51f 100644 --- a/.github/workflows/backward-compatibility.yml +++ b/.github/workflows/backward-compatibility.yml 
@@ -51,4 +51,4 @@ jobs: composer global require --dev ondrejmirtes/backward-compatibility-check:^7.3.0.1 - name: "Check" - run: "$(composer global config bin-dir --absolute)/roave-backward-compatibility-check" + run: '"$(composer global config bin-dir --absolute)"/roave-backward-compatibility-check' diff --git a/.github/workflows/issue-bot.yml b/.github/workflows/issue-bot.yml index ea4e4fd42a6..b0886ca8076 100644 --- a/.github/workflows/issue-bot.yml +++ b/.github/workflows/issue-bot.yml @@ -68,7 +68,7 @@ jobs: id: shards working-directory: "issue-bot" run: | - echo "shards=$(jq -c '{include: [range(length) | {shard: .}]}' matrix.json)" >> $GITHUB_OUTPUT + echo "shards=$(jq -c '{include: [range(length) | {shard: .}]}' matrix.json)" >> "$GITHUB_OUTPUT" - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: @@ -210,7 +210,7 @@ jobs: ./console.php evaluate > tmp/step-summary.md exit_code="$?" - cat tmp/step-summary.md >> $GITHUB_STEP_SUMMARY + cat tmp/step-summary.md >> "$GITHUB_STEP_SUMMARY" if [[ "$exit_code" == "2" ]]; then echo "::notice file=.github/workflows/issue-bot.yml,line=3 ::Issue bot detected open issues which are affected by this pull request - see https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" @@ -235,7 +235,7 @@ jobs: PHPSTAN_SRC_COMMIT_AFTER: ${{ github.event.after }} run: | set +e - ./console.php evaluate --post-comments >> $GITHUB_STEP_SUMMARY + ./console.php evaluate --post-comments >> "$GITHUB_STEP_SUMMARY" exit_code="$?" # its fine when issue-bot found affected issues diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml new file mode 100644 index 00000000000..5dd4964d5ee --- /dev/null +++ b/.github/workflows/lint-workflows.yml 
@@ -0,0 +1,113 @@ +# Configuration from: +# https://github.com/johnbillion/plugin-infrastructure/blob/571cba96190304963285181e2b928d941b9ec7c4/.github/workflows/reusable-workflow-lint.yml + +name: Lint GitHub Actions workflows +on: + pull_request: + push: + branches: + - "2.1.x" + +permissions: {} + +jobs: + actionlint: + runs-on: ubuntu-latest + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Check workflow files + run: | + echo "::add-matcher::.github/actionlint-matcher.json" + bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) + ./actionlint -color + shell: bash + + octoscan: + name: Octoscan + runs-on: ubuntu-latest + permissions: + security-events: write # Required for codeql-action/upload-sarif to upload SARIF files. + timeout-minutes: 10 + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Run octoscan + id: octoscan + uses: synacktiv/action-octoscan@6b1cf2343893dfb9e5f75652388bd2dc83f456b0 # v1.0.0 + with: + filter_triggers: '' + + - name: Upload SARIF file to GitHub + uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4 + with: + sarif_file: "${{steps.octoscan.outputs.sarif_output}}" + category: octoscan + wait-for-processing: false + + poutine: + name: Poutine + runs-on: ubuntu-latest + permissions: + security-events: write # Required for codeql-action/upload-sarif to upload SARIF files. 
+ steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run Poutine + uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2 + + - name: Upload poutine SARIF file + uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4 + with: + sarif_file: results.sarif + category: poutine + wait-for-processing: false + + zizmor: + name: Zizmor + runs-on: ubuntu-latest + permissions: + security-events: write # Required for codeql-action/upload-sarif to upload SARIF files. + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Install the latest version of uv + uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0 + with: + enable-cache: false + + - name: Run zizmor + run: uvx zizmor@1.20.0 --persona=auditor --format=sarif --strict-collection . > results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 + with: + sarif_file: results.sarif + category: zizmor + wait-for-processing: false diff --git a/.github/workflows/phar.yml b/.github/workflows/phar.yml index e28b7da29b9..abc8cc94166 100644 --- a/.github/workflows/phar.yml +++ b/.github/workflows/phar.yml 
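Review bot: The actionlint job runs an installer fetched from the unpinned `main` branch of rhysd/actionlint with a bare `curl`, making it the only remote code in this new file that is not pinned to a commit, and without `-f` a non-200 response body would be handed to bash as a script. Pin the raw URL to a commit (a real SHA has to replace `<PINNED_COMMIT_SHA>` below) and fetch with `curl -fsSL`; the script appears to accept a version argument as well, which would pin the actionlint release too — worth confirming against its README. The same file sets `persist-credentials: false` on checkout in the poutine and zizmor jobs but not in the actionlint and octoscan jobs, so the two jobs that execute third-party tooling keep the token in `.git/config`; the zizmor run introduced here is likely to report that inconsistency. Separately, `github/codeql-action/upload-sarif` is pinned to `89a39a4e… # v4.32.4` in the octoscan and poutine jobs but `5d4e8d1a… # v4.31.9` in the zizmor job; aligning them avoids three SARIF uploads behaving differently.
```yaml
      # … unchanged: harden-runner step …
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Check workflow files
        run: |
          echo "::add-matcher::.github/actionlint-matcher.json"
          # Pin the installer to a commit instead of `main`; -f makes curl fail on HTTP errors
          # so an error page is never executed as a script.
          bash <(curl -fsSL "https://raw.githubusercontent.com/rhysd/actionlint/<PINNED_COMMIT_SHA>/scripts/download-actionlint.bash")
          ./actionlint -color
        shell: bash
```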
@@ -112,7 +112,7 @@ jobs: - name: "Save checksum" id: "checksum" - run: echo "md5=$(md5sum tmp/phpstan.phar | cut -d' ' -f1)" >> $GITHUB_OUTPUT + run: echo "md5=$(md5sum tmp/phpstan.phar | cut -d' ' -f1)" >> "$GITHUB_OUTPUT" - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: @@ -231,7 +231,7 @@ jobs: - name: "Save old checksum" id: "old_checksum" - run: echo "md5=$(md5sum phpstan.phar | cut -d' ' -f1)" >> $GITHUB_OUTPUT + run: echo "md5=$(md5sum phpstan.phar | cut -d' ' -f1)" >> "$GITHUB_OUTPUT" - name: "Assert checksum" run: | @@ -330,7 +330,7 @@ jobs: - name: "Get previous pushed dist commit" id: previous-commit working-directory: phpstan-dist - run: echo "sha=$(sed -n '2p' .phar-checksum)" >> $GITHUB_OUTPUT + run: echo "sha=$(sed -n '2p' .phar-checksum)" >> "$GITHUB_OUTPUT" - name: "Checkout phpstan-src" uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 
@@ -342,24 +342,24 @@ jobs: id: git-log working-directory: phpstan-src run: | - echo "log<> $GITHUB_OUTPUT - echo "$(git log ${{ steps.previous-commit.outputs.sha }}..${{ github.event.after }} --reverse --pretty='https://github.com/phpstan/phpstan-src/commit/%H %s')" >> $GITHUB_OUTPUT - echo 'MESSAGE' >> $GITHUB_OUTPUT + echo "log<> "$GITHUB_OUTPUT" + git log ${{ steps.previous-commit.outputs.sha }}..${{ github.event.after }} --reverse --pretty='https://github.com/phpstan/phpstan-src/commit/%H %s' >> "$GITHUB_OUTPUT" + echo 'MESSAGE' >> "$GITHUB_OUTPUT" - name: "Get short phpstan-src SHA" id: short-src-sha working-directory: phpstan-src - run: echo "sha=$(git rev-parse --short=7 HEAD)" >> $GITHUB_OUTPUT + run: echo "sha=$(git rev-parse --short=7 HEAD)" >> "$GITHUB_OUTPUT" - name: "Check PHAR checksum" id: checksum-difference working-directory: phpstan-dist run: | - checksum=${{needs.compiler-tests.outputs.checksum}} + checksum="${{needs.compiler-tests.outputs.checksum}}" if [[ $(head -n 1 .phar-checksum) != "$checksum" ]]; then - echo "result=different" >> $GITHUB_OUTPUT + echo "result=different" >> "$GITHUB_OUTPUT" else - echo "result=same" >> $GITHUB_OUTPUT + echo "result=same" >> "$GITHUB_OUTPUT" fi - name: "Download phpstan.phar" diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index bb324d9e14c..8162d58468e 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml @@ -185,6 +185,6 @@ jobs: - name: "Generate baseline" run: | - > phpstan-baseline.neon && \ + true > phpstan-baseline.neon && \ make phpstan-generate-baseline-php && \ make phpstan-result-cache diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 30e5088cda5..80474700d47 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
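Review bot: The new `git log ${{ steps.previous-commit.outputs.sha }}..${{ github.event.after }}` line and the `checksum="${{needs.compiler-tests.outputs.checksum}}"` line still expand workflow expressions directly into the shell script; the quotes added here do not change that, because a `"` or `$(` in the expanded value is already part of the script text before bash parses it. `steps.previous-commit.outputs.sha` is produced by `sed -n '2p' .phar-checksum` from the phpstan-dist checkout (earlier hunk in this file), so it is file content rather than a value GitHub validated as a SHA; whether anything untrusted can reach it depends on the workflow's triggers, which are outside these hunks. Passing the values through `env:` and referencing them as shell variables removes the expansion entirely, and the zizmor audit added in this same change is likely to flag the current form as template-injection. A shape check such as `[[ "$PREVIOUS_SHA" =~ ^[0-9a-f]{7,40}$ ]]` before the `git log` would additionally fail fast on a corrupted `.phar-checksum` instead of letting git interpret arbitrary text as a revision range.
```yaml
        id: git-log
        working-directory: phpstan-src
        env:
          PREVIOUS_SHA: ${{ steps.previous-commit.outputs.sha }}
          AFTER_SHA: ${{ github.event.after }}
        run: |
          # … unchanged: heredoc opening line …
          git log "${PREVIOUS_SHA}..${AFTER_SHA}" --reverse --pretty='https://github.com/phpstan/phpstan-src/commit/%H %s' >> "$GITHUB_OUTPUT"
          # … unchanged: heredoc closing line …
      # … unchanged: "Get short phpstan-src SHA" step …
      - name: "Check PHAR checksum"
        id: checksum-difference
        working-directory: phpstan-dist
        env:
          EXPECTED_CHECKSUM: ${{ needs.compiler-tests.outputs.checksum }}
        run: |
          checksum="$EXPECTED_CHECKSUM"
          # … unchanged: comparison against .phar-checksum and result output …
```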
@@ -171,7 +171,7 @@ jobs: - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 - id: set-matrix - run: echo "matrix=$(php .github/workflows/tests-levels-matrix.php)" >> $GITHUB_OUTPUT + run: echo "matrix=$(php .github/workflows/tests-levels-matrix.php)" >> "$GITHUB_OUTPUT" outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} @@ -325,12 +325,12 @@ jobs: --source-directory='build/PHPStan/Build' \ --timeout=500 \ > infection.json5 - cat infection.json5 | jq + jq < infection.json5 - name: "Determine default branch" id: default-branch run: | - echo "name=$(git remote show origin | sed -n '/HEAD branch/s/.*: //p')" >> $GITHUB_OUTPUT + echo "name=$(git remote show origin | sed -n '/HEAD branch/s/.*: //p')" >> "$GITHUB_OUTPUT" - name: "Restore result cache" uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 diff --git a/.github/workflows/update-phpstorm-stubs.yml b/.github/workflows/update-phpstorm-stubs.yml index bbc3f68ee55..21868ad8ab2 100644 --- a/.github/workflows/update-phpstorm-stubs.yml +++ b/.github/workflows/update-phpstorm-stubs.yml @@ -39,7 +39,7 @@ jobs: path: "phpstorm-stubs" repository: "jetbrains/phpstorm-stubs" - name: "Update stubs" - run: "composer require jetbrains/phpstorm-stubs:dev-master#$(git -C phpstorm-stubs rev-parse HEAD)" + run: "composer require \"jetbrains/phpstorm-stubs:dev-master#$(git -C phpstorm-stubs rev-parse HEAD)\"" - name: "Remove stubs repo" run: "rm -r phpstorm-stubs" - name: "Update function metadata"
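Review bot: The rewritten `run: "composer require \"jetbrains/phpstorm-stubs:dev-master#$(git -C phpstorm-stubs rev-parse HEAD)\""` nests YAML double quotes around shell double quotes, so every inner quote needs a backslash; the backward-compatibility.yml hunk in this same commit solves the same problem with a single-quoted YAML scalar, which needs no escaping and reads exactly as the shell will see it: `run: 'composer require "jetbrains/phpstorm-stubs:dev-master#$(git -C phpstorm-stubs rev-parse HEAD)"'`. Using one form in both places keeps the quoting convention consistent across the workflows touched here.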