Skip to content

Commit dcabecd

Browse files
committed
Update ci.yml
1 parent 4cbb687 commit dcabecd

1 file changed

Lines changed: 50 additions & 15 deletions

File tree

.github/workflows/ci.yml

Lines changed: 50 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -15,19 +15,19 @@ permissions:
1515
contents: read
1616

1717
jobs:
18-
test:
18+
quality:
1919
runs-on: ubuntu-latest
2020

2121
steps:
2222
- name: Checkout
2323
uses: actions/checkout@v5
2424

25-
- name: Setup PHP
26-
uses: shivammathur/setup-php@v2
27-
with:
28-
php-version: '8.4'
29-
extensions: dom, pdo, pdo_sqlite
30-
coverage: none
25+
# - name: Setup PHP
26+
# uses: shivammathur/setup-php@v2
27+
# with:
28+
# php-version: '8.4'
29+
# extensions: dom, pdo, pdo_sqlite
30+
# coverage: none
3131

3232
- name: Validate Composer metadata
3333
run: composer validate --strict
@@ -47,9 +47,23 @@ jobs:
4747
- name: Run code style
4848
run: composer lint
4949

50-
#===========================================
51-
# SBOM generation and upload
52-
# ===========================================
50+
51+
sbom:
52+
runs-on: ubuntu-latest
53+
steps:
54+
- name: Checkout
55+
uses: actions/checkout@v5
56+
57+
- name: Setup PHP
58+
uses: shivammathur/setup-php@v2
59+
with:
60+
php-version: '8.4'
61+
extensions: dom, pdo, pdo_sqlite
62+
coverage: none
63+
64+
#===========================================
65+
# SBOM generation and upload
66+
# ===========================================
5367
- name: Generate SBOM
5468
run: composer sbom
5569

@@ -73,6 +87,7 @@ jobs:
7387
security:
7488
runs-on: ubuntu-latest
7589
permissions:
90+
actions: read
7691
contents: read
7792
security-events: write
7893

@@ -114,11 +129,11 @@ jobs:
114129
with:
115130
sarif_file: gitleaks-results.sarif
116131

117-
- name: Fail if Gitleaks found leaks
118-
if: steps.gitleaks.outcome == 'failure'
119-
run: |
120-
echo "Gitleaks found secrets. Failing the workflow."
121-
exit 1
132+
# - name: Fail if Gitleaks found leaks
133+
# if: steps.gitleaks.outcome == 'failure'
134+
# run: |
135+
# echo "Gitleaks found secrets. Failing the workflow."
136+
# exit 1
122137

123138
# Avoiding the action and run the open-source CLI directly
124139
# - name: Run Gitleaks
@@ -131,6 +146,8 @@ jobs:
131146
# and upload results as SARIF for GitHub code scanning alerts
132147
# ============================================================
133148
- name: Run Trivy filesystem scan
149+
id: trivy
150+
continue-on-error: true
134151
uses: aquasecurity/trivy-action@v0.36.0
135152
with:
136153
scan-type: fs
@@ -143,10 +160,28 @@ jobs:
143160
# exit-code: '1' # Exit with code 1 if vulnerabilities are found, but continue to upload results
144161

145162
- name: Upload Trivy SARIF
163+
if: always()
146164
uses: github/codeql-action/upload-sarif@v4
147165
with:
148166
sarif_file: trivy-results.sarif
149167

168+
# ==============================================================
169+
# Final security gate
170+
# ==============================================================
171+
- name: ❌⛓️‍💥 Fail if security findings were detected
172+
if: steps.gitleaks.outcome == 'failure' || steps.trivy.outcome == 'failure'
173+
run: |
174+
echo "Security findings detected. Failing the workflow."
175+
176+
if [ "${{ steps.gitleaks.outcome }}" = "failure" ]; then
177+
echo "- Gitleaks found secrets."
178+
fi
179+
180+
if [ "${{ steps.trivy.outcome }}" = "failure" ]; then
181+
echo "- Trivy found HIGH or CRITICAL vulnerabilities."
182+
fi
183+
184+
exit 1
150185
151186
# Docker-based integration tests are currently disabled
152187
# docker:

0 commit comments

Comments
 (0)