-
-
Notifications
You must be signed in to change notification settings - Fork 37
57 lines (45 loc) · 1.74 KB
/
securitycheck.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
---
name: Security check
on:
- push
- pull_request
# Allow manually triggering the workflow.
- workflow_dispatch
env:
COMPOSER_AUTH: '{"github-oauth": {"github.com": "${{ secrets.GITHUB_TOKEN }}"}}'
# Cancels all previous workflow runs for the same branch that have not yet completed.
concurrency:
# The concurrency group contains the workflow name and the branch name.
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
security-check:
runs-on: ubuntu-latest
name: "Security check"
strategy:
matrix:
php: ['5.4', 'latest']
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install PHP
uses: shivammathur/setup-php@v2
with:
php-version: ${{ matrix.php }}
coverage: none
- name: Enable creation of `composer.lock` file
run: composer config --unset lock
# Install dependencies and handle caching in one go.
# @link https://github.com/marketplace/actions/install-php-dependencies-with-composer
- name: Install Composer dependencies
uses: "ramsey/composer-install@v3"
with:
# Bust the cache at least once a month - output format: YYYY-MM.
custom-cache-suffix: $(date -u "+%Y-%m")
- name: Download security checker
# yamllint disable-line rule:line-length
run: wget -P . https://github.com/fabpot/local-php-security-checker/releases/download/v2.0.6/local-php-security-checker_2.0.6_linux_amd64
- name: Make security checker executable
run: chmod +x ./local-php-security-checker_2.0.6_linux_amd64
- name: Check against insecure dependencies
run: ./local-php-security-checker_2.0.6_linux_amd64 --path=composer.lock