@@ -15,19 +15,19 @@ permissions:
1515 contents : read
1616
1717jobs :
18- test :
18+ quality :
1919 runs-on : ubuntu-latest
2020
2121 steps :
2222 - name : Checkout
2323 uses : actions/checkout@v5
2424
25- - name : Setup PHP
26- uses : shivammathur/setup-php@v2
27- with :
28- php-version : ' 8.4'
29- extensions : dom, pdo, pdo_sqlite
30- coverage : none
25+ # - name: Setup PHP
26+ # uses: shivammathur/setup-php@v2
27+ # with:
28+ # php-version: '8.4'
29+ # extensions: dom, pdo, pdo_sqlite
30+ # coverage: none
3131
3232 - name : Validate Composer metadata
3333 run : composer validate --strict
4747 - name : Run code style
4848 run : composer lint
4949
50- # ===========================================
51- # SBOM generation and upload
52- # ===========================================
50+
51+ sbom :
52+ runs-on : ubuntu-latest
53+ steps :
54+ - name : Checkout
55+ uses : actions/checkout@v5
56+
57+ - name : Setup PHP
58+ uses : shivammathur/setup-php@v2
59+ with :
60+ php-version : ' 8.4'
61+ extensions : dom, pdo, pdo_sqlite
62+ coverage : none
63+
64+ # ===========================================
65+ # SBOM generation and upload
66+ # ===========================================
5367 - name : Generate SBOM
5468 run : composer sbom
5569
7387 security :
7488 runs-on : ubuntu-latest
7589 permissions :
90+ actions : read
7691 contents : read
7792 security-events : write
7893
@@ -114,11 +129,11 @@ jobs:
114129 with :
115130 sarif_file : gitleaks-results.sarif
116131
117- - name : Fail if Gitleaks found leaks
118- if : steps.gitleaks.outcome == 'failure'
119- run : |
120- echo "Gitleaks found secrets. Failing the workflow."
121- exit 1
132+ # - name: Fail if Gitleaks found leaks
133+ # if: steps.gitleaks.outcome == 'failure'
134+ # run: |
135+ # echo "Gitleaks found secrets. Failing the workflow."
136+ # exit 1
122137
123138 # Avoiding the action and run the open-source CLI directly
124139 # - name: Run Gitleaks
@@ -131,6 +146,8 @@ jobs:
131146 # and upload results as SARIF for GitHub code scanning alerts
132147 # ============================================================
133148 - name : Run Trivy filesystem scan
149+ id : trivy
150+ continue-on-error : true
134151 uses : aquasecurity/trivy-action@v0.36.0
135152 with :
136153 scan-type : fs
@@ -143,10 +160,28 @@ jobs:
143160 # exit-code: '1' # Exit with code 1 if vulnerabilities are found, but continue to upload results
144161
145162 - name : Upload Trivy SARIF
163+ if : always()
146164 uses : github/codeql-action/upload-sarif@v4
147165 with :
148166 sarif_file : trivy-results.sarif
149167
168+ # ==============================================================
169+ # Final security gate
170+ # ==============================================================
171+ - name : ❌⛓️💥 Fail if security findings were detected
172+ if : steps.gitleaks.outcome == 'failure' || steps.trivy.outcome == 'failure'
173+ run : |
174+ echo "Security findings detected. Failing the workflow."
175+
176+ if [ "${{ steps.gitleaks.outcome }}" = "failure" ]; then
177+ echo "- Gitleaks found secrets."
178+ fi
179+
180+ if [ "${{ steps.trivy.outcome }}" = "failure" ]; then
181+ echo "- Trivy found HIGH or CRITICAL vulnerabilities."
182+ fi
183+
184+ exit 1
150185
151186 # Docker-based integration tests are currently disabled
152187 # docker:
0 commit comments