From 6b96834d816ba8bcba632e8ae5400e97a6acc29d Mon Sep 17 00:00:00 2001
From: Michael Schiemer
Date: Fri, 31 Oct 2025 03:43:16 +0100
Subject: [PATCH] refactor: replace GitHub Actions with native commands in security-scan workflow
- Remove actions/checkout@v4, shivammathur/setup-php@v2, actions/cache@v3
- Replace with native shell commands (git clone, apt-get, simple file cache)
- Should be much faster (no GitHub Action downloads)
- Eliminates dependency on GitHub for action downloads
---
.gitea/workflows/security-scan.yml | 84 +++++++++++++++++++++++-------
1 file changed, 64 insertions(+), 20 deletions(-)
diff --git a/.gitea/workflows/security-scan.yml b/.gitea/workflows/security-scan.yml
index 944bb71f..1cde45a2 100644
--- a/.gitea/workflows/security-scan.yml
+++ b/.gitea/workflows/security-scan.yml
@@ -17,42 +17,84 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + run: | + REF_NAME="${{ github.ref_name }}" + REPO="${{ github.repository }}" + if [ -z "$REF_NAME" ]; then + REF_NAME="main" + fi + + git clone --depth 1 --branch "$REF_NAME" \ + "https://git.michaelschiemer.de/${REPO}.git" \ + /workspace/repo || \ + git clone --depth 1 --branch "$REF_NAME" \ + "git@git.michaelschiemer.de:${REPO}.git" \ + /workspace/repo || \ + git clone --depth 1 \ + "https://git.michaelschiemer.de/${REPO}.git" \ + /workspace/repo + + cd /workspace/repo - name: Setup PHP - uses: https://github.com/shivammathur/setup-php@v2 - with: - php-version: '8.4' - extensions: dom, curl, libxml, mbstring, zip, pcntl, pdo, sqlite, pdo_sqlite, bcmath, soap, intl, gd, exif, iconv, sodium - coverage: none + run: | + apt-get update + apt-get install -y \ + php8.4 \ + php8.4-cli \ + php8.4-dom \ + php8.4-curl \ + php8.4-xml \ + php8.4-mbstring \ + php8.4-zip \ + php8.4-pcntl \ + php8.4-pdo \ + php8.4-pdo-sqlite \ + php8.4-bcmath \ + php8.4-soap \ + php8.4-intl \ + php8.4-gd \ + php8.4-exif \ + php8.4-iconv \ + php8.4-sodium \ + composer - name: Validate composer.json and composer.lock run: | + cd /workspace/repo # Validate composer.json (less strict - lock file might be updated during install) composer validate --no-check-lock || echo "⚠️ composer.lock might need update, but continuing..." # Try to update lock file if needed composer update --lock --no-interaction || echo "⚠️ Could not update lock file, but continuing..." - - name: Cache Composer packages - uses: actions/cache@v3 - with: - path: vendor - key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }} - restore-keys: | - ${{ runner.os }}-php- + - name: Cache Composer packages (simple) + run: | + if [ -d "/tmp/composer-cache/vendor" ]; then + echo "📦 Restoring cached dependencies..." 
+ cp -r /tmp/composer-cache/vendor /workspace/repo/vendor || true + fi - name: Install dependencies - run: composer install --prefer-dist --no-progress --no-dev + run: | + cd /workspace/repo + composer install --prefer-dist --no-progress --no-dev + + - name: Save Composer cache + run: | + mkdir -p /tmp/composer-cache + cp -r /workspace/repo/vendor /tmp/composer-cache/vendor || true - name: Run Composer Security Audit id: security-audit run: | + cd /workspace/repo composer audit --format=json > audit-result.json || true cat audit-result.json - name: Parse audit results id: parse-audit run: | + cd /workspace/repo if [ -f audit-result.json ]; then # Check if jq is available, install if not if ! command -v jq &> /dev/null; then @@ -96,13 +138,15 @@ jobs: fi fi - - name: Upload audit results as artifact + - name: Save audit results if: always() - uses: actions/upload-artifact@v3 - with: - name: security-audit-results-${{ github.run_number }} - path: audit-result.json - retention-days: 30 + run: | + cd /workspace/repo + if [ -f audit-result.json ]; then + mkdir -p /tmp/artifacts + cp audit-result.json /tmp/artifacts/security-audit-results-${{ github.run_number }}.json || true + echo "✅ Audit results saved" + fi - name: Create Gitea issue on vulnerability (scheduled runs only) if: failure() && github.event_name == 'schedule'
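Review bot: In the new Checkout step, `REF_NAME="${{ github.ref_name }}"` and `REPO="${{ github.repository }}"` are substituted into the script text before the shell parses it, so a branch name containing quotes or `$(...)` becomes part of the command rather than data; anyone who can push a branch that triggers this workflow controls that text. Pass the context through the step environment instead — `env:` with `REF_NAME: ${{ github.ref_name }}` and `REPO: ${{ github.repository }}` — and keep only `REF_NAME="${REF_NAME:-main}"` in the script, which also removes the `if [ -z ... ]` block. The third clone in the fallback chain drops `--branch`, so when the requested ref cannot be cloned the audit silently runs against the default branch; if that fallback is intended, print the ref actually checked out (e.g. `git -C /workspace/repo rev-parse --abbrev-ref HEAD`) so the result is not mistaken for the pushed branch. `git clone` also refuses a non-empty `/workspace/repo`, which would break re-runs if the runner workspace persists between jobs; removing the directory first, or a job-level `defaults.run.working-directory`, would also avoid the `cd /workspace/repo` repeated in every later step. The `jobs:`/`steps:` mapping this hunk edits begins before the hunk.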
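Review bot: The new Save audit results step copies `audit-result.json` into `/tmp/artifacts` on the runner host instead of a run-scoped artifact, so the report is only as persistent and as private as that directory: on an ephemeral runner it disappears with the container, and on a shared persistent runner it is created with default permissions for other jobs on the host to read, with no replacement for the 30-day retention the removed `upload-artifact` step had. If a native replacement is wanted, create the directory with `mkdir -m 700 -p /tmp/artifacts`, prune old files there, and document in the workflow where the reports are expected to be collected from; otherwise keeping an artifact upload step is the smaller change, since it is served by the Gitea instance rather than GitHub. `${{ github.run_number }}` is again interpolated directly into the script on the `cp` line; it is numeric, but routing it through `env:` keeps this step consistent with the Checkout fix. The `Create Gitea issue` step that follows continues outside the hunk.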