refactor: replace GitHub Actions with native commands in security-scan workflow
- Remove actions/checkout@v4, shivammathur/setup-php@v2, actions/cache@v3 - Replace with native shell commands (git clone, apt-get, simple file cache) - Should be much faster (no GitHub Action downloads) - Eliminates dependency on GitHub for action downloads
This commit is contained in:
@@ -17,42 +17,84 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
run: |
|
||||||
|
REF_NAME="${{ github.ref_name }}"
|
||||||
|
REPO="${{ github.repository }}"
|
||||||
|
if [ -z "$REF_NAME" ]; then
|
||||||
|
REF_NAME="main"
|
||||||
|
fi
|
||||||
|
|
||||||
|
git clone --depth 1 --branch "$REF_NAME" \
|
||||||
|
"https://git.michaelschiemer.de/${REPO}.git" \
|
||||||
|
/workspace/repo || \
|
||||||
|
git clone --depth 1 --branch "$REF_NAME" \
|
||||||
|
"git@git.michaelschiemer.de:${REPO}.git" \
|
||||||
|
/workspace/repo || \
|
||||||
|
git clone --depth 1 \
|
||||||
|
"https://git.michaelschiemer.de/${REPO}.git" \
|
||||||
|
/workspace/repo
|
||||||
|
|
||||||
|
cd /workspace/repo
|
||||||
|
|
||||||
- name: Setup PHP
|
- name: Setup PHP
|
||||||
uses: https://github.com/shivammathur/setup-php@v2
|
run: |
|
||||||
with:
|
apt-get update
|
||||||
php-version: '8.4'
|
apt-get install -y \
|
||||||
extensions: dom, curl, libxml, mbstring, zip, pcntl, pdo, sqlite, pdo_sqlite, bcmath, soap, intl, gd, exif, iconv, sodium
|
php8.4 \
|
||||||
coverage: none
|
php8.4-cli \
|
||||||
|
php8.4-dom \
|
||||||
|
php8.4-curl \
|
||||||
|
php8.4-xml \
|
||||||
|
php8.4-mbstring \
|
||||||
|
php8.4-zip \
|
||||||
|
php8.4-pcntl \
|
||||||
|
php8.4-pdo \
|
||||||
|
php8.4-pdo-sqlite \
|
||||||
|
php8.4-bcmath \
|
||||||
|
php8.4-soap \
|
||||||
|
php8.4-intl \
|
||||||
|
php8.4-gd \
|
||||||
|
php8.4-exif \
|
||||||
|
php8.4-iconv \
|
||||||
|
php8.4-sodium \
|
||||||
|
composer
|
||||||
|
|
||||||
- name: Validate composer.json and composer.lock
|
- name: Validate composer.json and composer.lock
|
||||||
run: |
|
run: |
|
||||||
|
cd /workspace/repo
|
||||||
# Validate composer.json (less strict - lock file might be updated during install)
|
# Validate composer.json (less strict - lock file might be updated during install)
|
||||||
composer validate --no-check-lock || echo "⚠️ composer.lock might need update, but continuing..."
|
composer validate --no-check-lock || echo "⚠️ composer.lock might need update, but continuing..."
|
||||||
# Try to update lock file if needed
|
# Try to update lock file if needed
|
||||||
composer update --lock --no-interaction || echo "⚠️ Could not update lock file, but continuing..."
|
composer update --lock --no-interaction || echo "⚠️ Could not update lock file, but continuing..."
|
||||||
|
|
||||||
- name: Cache Composer packages
|
- name: Cache Composer packages (simple)
|
||||||
uses: actions/cache@v3
|
run: |
|
||||||
with:
|
if [ -d "/tmp/composer-cache/vendor" ]; then
|
||||||
path: vendor
|
echo "📦 Restoring cached dependencies..."
|
||||||
key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
|
cp -r /tmp/composer-cache/vendor /workspace/repo/vendor || true
|
||||||
restore-keys: |
|
fi
|
||||||
${{ runner.os }}-php-
|
|
||||||
|
|
||||||
- name: Install dependencies
|
- name: Install dependencies
|
||||||
run: composer install --prefer-dist --no-progress --no-dev
|
run: |
|
||||||
|
cd /workspace/repo
|
||||||
|
composer install --prefer-dist --no-progress --no-dev
|
||||||
|
|
||||||
|
- name: Save Composer cache
|
||||||
|
run: |
|
||||||
|
mkdir -p /tmp/composer-cache
|
||||||
|
cp -r /workspace/repo/vendor /tmp/composer-cache/vendor || true
|
||||||
|
|
||||||
- name: Run Composer Security Audit
|
- name: Run Composer Security Audit
|
||||||
id: security-audit
|
id: security-audit
|
||||||
run: |
|
run: |
|
||||||
|
cd /workspace/repo
|
||||||
composer audit --format=json > audit-result.json || true
|
composer audit --format=json > audit-result.json || true
|
||||||
cat audit-result.json
|
cat audit-result.json
|
||||||
|
|
||||||
- name: Parse audit results
|
- name: Parse audit results
|
||||||
id: parse-audit
|
id: parse-audit
|
||||||
run: |
|
run: |
|
||||||
|
cd /workspace/repo
|
||||||
if [ -f audit-result.json ]; then
|
if [ -f audit-result.json ]; then
|
||||||
# Check if jq is available, install if not
|
# Check if jq is available, install if not
|
||||||
if ! command -v jq &> /dev/null; then
|
if ! command -v jq &> /dev/null; then
|
||||||
@@ -96,13 +138,15 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
- name: Upload audit results as artifact
|
- name: Save audit results
|
||||||
if: always()
|
if: always()
|
||||||
uses: actions/upload-artifact@v3
|
run: |
|
||||||
with:
|
cd /workspace/repo
|
||||||
name: security-audit-results-${{ github.run_number }}
|
if [ -f audit-result.json ]; then
|
||||||
path: audit-result.json
|
mkdir -p /tmp/artifacts
|
||||||
retention-days: 30
|
cp audit-result.json /tmp/artifacts/security-audit-results-${{ github.run_number }}.json || true
|
||||||
|
echo "✅ Audit results saved"
|
||||||
|
fi
|
||||||
|
|
||||||
- name: Create Gitea issue on vulnerability (scheduled runs only)
|
- name: Create Gitea issue on vulnerability (scheduled runs only)
|
||||||
if: failure() && github.event_name == 'schedule'
|
if: failure() && github.event_name == 'schedule'
|
||||||
|
|||||||
Reference in New Issue
Block a user