Make specific to security analysis

Author: muglug

.github/workflows/build.yml

@@ -15,6 +15,13 @@ jobs:
         with:
           ref: master
 
+      - name: Login to ghcr
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GHCR_TOKEN }}
+
       - name: Update Dockerfile with latest version
         id: fetch_version
         run: |
@@ -26,11 +33,10 @@ jobs:
           sed -i -re "s/require vimeo\/psalm/require vimeo\/psalm:$last/" Dockerfile
           cat Dockerfile
 
-      - name: Docker login
-        run: echo '${{ secrets.DOCKER_PASSWORD }}' | docker login --username ${{ secrets.DOCKER_USERNAME }} --password-stdin
-
       - name: Build images
-        run: docker build -t vimeo/psalm-github-actions:${{ steps.fetch_version.outputs.last }} .
+        run: docker build -t ghcr.io/psalm/psalm-security-scan:${{ steps.fetch_version.outputs.last }} -t ghcr.io/psalm/psalm-security-scan:latest .
 
       - name: Publish
-        run: docker push vimeo/psalm-github-actions:${{ steps.fetch_version.outputs.last }}
+        run: |
+          docker push ghcr.io/psalm/psalm-security-scan:${{ steps.fetch_version.outputs.last }}
+          docker push ghcr.io/psalm/psalm-security-scan:latest

.github/workflows/watch.yml

@@ -5,7 +5,7 @@ LABEL "com.github.actions.description"="A static analysis tool for finding error
 LABEL "com.github.actions.icon"="check"
 LABEL "com.github.actions.color"="blue"
 
-LABEL "repository"="http://github.com/psalm/psalm-github-actions"
+LABEL "repository"="http://github.com/psalm/psalm-github-security-scan"
 LABEL "homepage"="http://github.com/actions"
 LABEL "maintainer"="Matt Brown <github@muglug.com>"
 

Dockerfile

@@ -1,9 +1,9 @@
-# Psalm Github action
+# Psalm Github Security Scan
 
-Run Psalm as a github action.
+Run [Psalm’s Security Analysis](https://psalm.dev/docs/security_analysis/) as a Github action (a more general version [can be found here](https://github.com/psalm/psalm-github-actions)).
 
 ```yaml
-name: Static analysis
+name: Psalm Security Scan
 
 on: [push, pull_request]
 
@@ -15,60 +15,20 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v2
 
-      - name: Psalm
-        uses: docker://vimeo/psalm-github-actions
-
+      - name: Psalm Security Scan
+        uses: docker://ghcr.io/psalm/psalm-security-scan
+        
+      - name: Upload Security Analysis results to GitHub
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: results.sarif
 ```
 
 ## Specify Psalm version
 
-You can also specify a version (after 3.14.2).
-
-```diff
-       - name: Psalm
--        uses: docker://vimeo/psalm-github-actions
-+        uses: docker://vimeo/psalm-github-actions:3.14.2
-```
-
-## Use Security Analysis
-
-Psalm supports [Security Analysis](https://psalm.dev/docs/security_analysis/). You can use this config to show security analysis reports:
-
-```diff
-       - name: Psalm
-         uses: docker://vimeo/psalm-github-actions
-+        with:
-+          security_analysis: true
-```
-
-### Send security output to GitHub Security tab
-
-GitHub also allows you to [send security issues to a separate part of the site](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/sarif-support-for-code-scanning) that can be restricted to members of your team.
-
-Use the following config:
-
-```diff
-       - name: Psalm
-         uses: docker://vimeo/psalm-github-actions
-+        with:
-+          security_analysis: true
-+          report_file: results.sarif
-+      - name: Upload Security Analysis results to GitHub
-+        uses: github/codeql-action/upload-sarif@v1
-+        with:
-+          sarif_file: results.sarif
-```
-
-## Customising Composer
-
-Specify `composer_require_dev: true` to install dev dependencies and `composer_ignore_platform_reqs: true` in order to ignore platform requirements.
-
-These are both set to false by default.
+You can also specify a version.
 
 ```diff
-       - name: Psalm
-         uses: docker://vimeo/psalm-github-actions
-+        with:
-+          composer_require_dev: true
-+          composer_ignore_platform_reqs: true
+-        uses: docker://ghcr.io/psalm/psalm-security-scan
++        uses: docker://ghcr.io/psalm/psalm-security-scan:4.2.1
 ```

README.md

@@ -7,28 +7,16 @@ branding:
   icon: 'check'
   color: 'blue'
 
-description: 'Run Psalm via GitHub Actions'
+name: 'Psalm – Security Scanner for PHP'
 
-name: 'Psalm – Static Analysis for PHP'
+description: 'Find security vulnerabilities in your PHP codebase with Psalm, a free and open-source tool created by Vimeo.'
 
 inputs:
-  security_analysis:
-    required: false
-    default: false
-    description: 'Whether or not to use Psalm’s security analysis'
   report_file:
     required: false
-    default: ''
+    default: 'results.sarif'
     description: 'File for Psalm’s output'
-  composer_require_dev:
-    required: false
-    default: false
-    description: 'Whether or not Composer installs dev packages'
-  composer_ignore_platform_reqs:
-    required: false
-    default: false
-    description: 'Whether or not the --ignore-platform-reqs flag is passed to Composer'
 
 runs:
   using: 'docker'
-  image: 'docker://vimeo/psalm-github-actions'
+  image: 'docker://ghcr.io/psalm/psalm-security-scan'

action.yml

@@ -1,28 +1,13 @@
 #!/bin/sh -l
 set -e
 
-TAINT_ANALYSIS=""
-if [ "$INPUT_SECURITY_ANALYSIS" = "true" ]; then
-    TAINT_ANALYSIS="--taint-analysis"
-fi
-
-REPORT=""
+REPORT_FILE="results.sarif"
 if [ ! -z "$INPUT_REPORT_FILE" ]; then
-    REPORT="--report=$INPUT_REPORT_FILE"
+    REPORT_FILE="$INPUT_REPORT_FILE"
 fi
 
 if test -f "composer.json"; then
-    IGNORE_PLATFORM_REQS=""
-    if [ "$CHECK_PLATFORM_REQUIREMENTS" = "false" ] || [ "$INPUT_COMPOSER_CHECK_PLATFORM_REQUIREMENTS" = "false" ]; then
-        IGNORE_PLATFORM_REQS="--ignore-platform-reqs"
-    fi
-
-    NO_DEV="--no-dev"
-    if [ "$REQUIRE_DEV" = "true" ] || [ "$INPUT_COMPOSER_REQUIRE_DEV" = "true"  ]; then
-        NO_DEV=""
-    fi
-
-    COMPOSER_COMMAND="composer install --no-scripts --no-progress $NO_DEV $IGNORE_PLATFORM_REQS"
+    COMPOSER_COMMAND="composer install --no-scripts --no-progress"
     echo "::group::$COMPOSER_COMMAND"
     $COMPOSER_COMMAND
     echo "::endgroup::"
@@ -31,4 +16,4 @@ else
 fi
 
 /composer/vendor/bin/psalm --version
-/composer/vendor/bin/psalm --output-format=github $TAINT_ANALYSIS $REPORT $*
+/composer/vendor/bin/psalm --output-format=github --taint-analysis --report=$REPORT_FILE $*

entrypoint.sh

@@ -0,0 +1,25 @@
+# For most projects this workflow file will not need changed at all - you
+# can just commit it to your repository.
+#
+# If you want to run Psalm *without* security scanning you should instead
+# use this GitHub Action: https://github.com/psalm/psalm-github-actions
+
+name: Psalm Security Scan
+
+on: [push, pull_request]
+
+jobs:
+  psalm-security-scan:
+    name: Psalm
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Psalm Security Scan
+        uses: docker://ghcr.io/psalm/psalm-security-scan
+        
+      - name: Import Security Analysis results into GitHub Security Code Scanning
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: results.sarif