SEC25-120: Add Psalm PHP static analysis and CI/CD integration #6
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "CodeQL" | |
| on: | |
| push: | |
| branches: [ "master" ] | |
| pull_request: | |
| branches: [ "master" ] | |
| schedule: | |
| - cron: '30 12 * * 1' | |
| jobs: | |
| analyze: | |
| strategy: | |
| matrix: | |
| php-versions: [ '8.0', '8.1', '8.2', '8.3' ] | |
| name: Analyze PHP ${{ matrix.php-versions }} | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| name: Check Out Code | |
| - name: Setup PHP | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: ${{ matrix.php-versions }} | |
| tools: pecl | |
| extensions: "" | |
| - name: Validate composer.json and composer.lock | |
| run: composer validate | |
| - name: Setup Composer Access | |
| run: composer config -g github-oauth.github.com ${{ secrets.GITHUB_TOKEN }} | |
| - name: Cache Composer packages | |
| id: composer-cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: vendor | |
| key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-composer- | |
| - name: Install dependencies | |
| if: steps.composer-cache.outputs.cache-hit != 'true' | |
| run: composer install --prefer-dist --no-progress --optimize-autoloader | |
| - name: Perform CodeQL Analysis using Psalm | |
| run: | | |
| if [ "${{ github.event_name }}" == "pull_request" ]; then | |
| vendor/bin/psalm --diff --output-format=sarif --report=psalm-report.sarif || true | |
| else | |
| vendor/bin/psalm --no-diff --output-format=sarif --report=psalm-report.sarif || true | |
| fi | |
| continue-on-error: true | |
| - name: Upload SARIF report | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: psalm-report.sarif |