michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: replace GitHub Actions with native commands in security-scan workflow

Browse Source 
- Remove actions/checkout@v4, shivammathur/setup-php@v2, actions/cache@v3
- Replace with native shell commands (git clone, apt-get, simple file cache)
- Should be much faster (no GitHub Action downloads)
- Eliminates dependency on GitHub for action downloads
This commit is contained in:
Michael Schiemer
2025-10-31 03:43:16 +01:00
parent 134fbecb61
commit 6b96834d81
1 changed files with 64 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

84
.gitea/workflows/security-scan.yml
View File

@@ -17,42 +17,84 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
run: |
REF_NAME="${{ github.ref_name }}"
REPO="${{ github.repository }}"
if [ -z "$REF_NAME" ]; then
REF_NAME="main"
fi
git clone --depth 1 --branch "$REF_NAME" \
"https://git.michaelschiemer.de/${REPO}.git" \
/workspace/repo || \
git clone --depth 1 --branch "$REF_NAME" \
"git@git.michaelschiemer.de:${REPO}.git" \
/workspace/repo || \
git clone --depth 1 \
"https://git.michaelschiemer.de/${REPO}.git" \
/workspace/repo
cd /workspace/repo
- name: Setup PHP
uses: https://github.com/shivammathur/setup-php@v2
with:
php-version: '8.4'
extensions: dom, curl, libxml, mbstring, zip, pcntl, pdo, sqlite, pdo_sqlite, bcmath, soap, intl, gd, exif, iconv, sodium
coverage: none
run: |
apt-get update
apt-get install -y \
php8.4 \
php8.4-cli \
php8.4-dom \
php8.4-curl \
php8.4-xml \
php8.4-mbstring \
php8.4-zip \
php8.4-pcntl \
php8.4-pdo \
php8.4-pdo-sqlite \
php8.4-bcmath \
php8.4-soap \
php8.4-intl \
php8.4-gd \
php8.4-exif \
php8.4-iconv \
php8.4-sodium \
composer
- name: Validate composer.json and composer.lock
run: |
cd /workspace/repo
# Validate composer.json (less strict - lock file might be updated during install)
composer validate --no-check-lock || echo "⚠️ composer.lock might need update, but continuing..."
# Try to update lock file if needed
composer update --lock --no-interaction || echo "⚠️ Could not update lock file, but continuing..."
- name: Cache Composer packages
uses: actions/cache@v3
with:
path: vendor
key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
restore-keys: |
${{ runner.os }}-php-
- name: Cache Composer packages (simple)
run: |
if [ -d "/tmp/composer-cache/vendor" ]; then
echo "📦 Restoring cached dependencies..."
cp -r /tmp/composer-cache/vendor /workspace/repo/vendor || true
fi
- name: Install dependencies
run: composer install --prefer-dist --no-progress --no-dev
run: |
cd /workspace/repo
composer install --prefer-dist --no-progress --no-dev
- name: Save Composer cache
run: |
mkdir -p /tmp/composer-cache
cp -r /workspace/repo/vendor /tmp/composer-cache/vendor || true
- name: Run Composer Security Audit
id: security-audit
run: |
cd /workspace/repo
composer audit --format=json > audit-result.json || true
cat audit-result.json
- name: Parse audit results
id: parse-audit
run: |
cd /workspace/repo
if [ -f audit-result.json ]; then
# Check if jq is available, install if not
if ! command -v jq &> /dev/null; then
@@ -96,13 +138,15 @@ jobs:
fi
fi
- name: Upload audit results as artifact
- name: Save audit results
if: always()
uses: actions/upload-artifact@v3
with:
name: security-audit-results-${{ github.run_number }}
path: audit-result.json
retention-days: 30
run: |
cd /workspace/repo
if [ -f audit-result.json ]; then
mkdir -p /tmp/artifacts
cp audit-result.json /tmp/artifacts/security-audit-results-${{ github.run_number }}.json || true
echo "✅ Audit results saved"
fi
- name: Create Gitea issue on vulnerability (scheduled runs only)
if: failure() && github.event_name == 'schedule'