[StepSecurity] ci: Harden GitHub Actions #16408
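# https://help.github.com/en/categories/automating-your-workflow-with-github-actions
#
# Issue bot workflow. Three jobs run in sequence:
#   download  - fetches the bot's input data and derives the shard matrix
#   analyse   - one job per shard, runs PHPStan via ./console.php run
#   evaluate  - merges the shard results and reports / posts comments
#
# NOTE(review): no top-level `permissions:` block is declared, so the
# GITHUB_TOKEN used by the download and evaluate jobs carries the repository's
# default scopes. Once the scopes ./console.php actually needs are confirmed,
# declare them explicitly (least privilege).
name: "Issue bot"

on:
  workflow_dispatch:
  pull_request:
    paths-ignore:
      - 'compiler/**'
      - 'apigen/**'
      - 'changelog-generator/**'
  push:
    branches:
      - "2.2.x"
    paths-ignore:
      - 'compiler/**'
      - 'apigen/**'
      - 'changelog-generator/**'

concurrency:
  group: run-issue-bot-${{ github.head_ref || github.run_id }} # will be canceled on subsequent pushes in pull requests but not branches
  cancel-in-progress: true

jobs:
  download:
    name: "Download data"
    runs-on: "ubuntu-latest"
    outputs:
      matrix: ${{ steps.shards.outputs.shards }}
    steps:
      # `egress-policy: audit` only records outbound calls; it does not restrict
      # them. Tightening to `block` with an allowed-endpoints list is a follow-up
      # once the audited baseline is known.
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit
      - name: "Checkout"
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - name: "Install PHP"
        uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2
        with:
          coverage: "none"
          php-version: "8.5"
      - name: "Install issue-bot dependencies"
        uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3
        with:
          working-directory: "issue-bot"
      - name: "Cache downloads"
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: ./issue-bot/tmp
          key: "issue-bot-download-v7-${{ github.run_id }}"
          restore-keys: |
            issue-bot-download-v7-
      - name: "Download data"
        working-directory: "issue-bot"
        env:
          GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
        run: ./console.php download > matrix.json
      # One matrix entry per element of matrix.json; each entry only carries
      # its integer index, the analyse job reads the rest from the artifact.
      - name: "Output shards"
        id: shards
        working-directory: "issue-bot"
        run: |
          echo "shards=$(jq -c '{include: [range(length) | {shard: .}]}' matrix.json)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: playground-cache
          path: issue-bot/tmp/playgroundCache.tmp
      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: issue-cache
          path: issue-bot/tmp/issueCache.tmp
      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: matrix
          path: issue-bot/matrix.json

  analyse:
    name: "Analyse"
    needs: download
    runs-on: "ubuntu-latest"
    strategy:
      fail-fast: false
      matrix: ${{ fromJSON(needs.download.outputs.matrix) }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit
      - name: "Checkout"
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - name: "Install PHP"
        uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2
        with:
          coverage: "none"
          php-version: "8.5"
      # Root project dependencies (production only); the bot's own
      # dependencies are installed in the next step.
      - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3
        with:
          composer-options: "--no-dev"
      - name: "Install issue-bot dependencies"
        uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3
        with:
          working-directory: "issue-bot"
      # Artifact downloads are retried because many shards fetch them at once.
      - uses: Wandalen/wretry.action@e68c23e6309f2871ca8ae4763e7629b9c258e1ea # v3.8.0
        with:
          action: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
          with: |
            name: playground-cache
            path: issue-bot/tmp
          attempt_limit: 5
          attempt_delay: 1000
      - uses: Wandalen/wretry.action@e68c23e6309f2871ca8ae4763e7629b9c258e1ea # v3.8.0
        with:
          action: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
          with: |
            name: matrix
            path: issue-bot
          attempt_limit: 5
          attempt_delay: 1000
      # matrix.shard is the integer index emitted by the download job's
      # `range(length)`, not free text, so interpolating it into the jq
      # filter is bounded; the other fields are read from matrix.json.
      - name: "Extract shard"
        working-directory: "issue-bot"
        id: chunk
        run: |
          echo "phpVersion=$(jq -r '.[${{ matrix.shard }}].phpVersion' matrix.json)" >> "$GITHUB_OUTPUT"
          echo "playgroundExamples=$(jq -r '.[${{ matrix.shard }}].playgroundExamples' matrix.json)" >> "$GITHUB_OUTPUT"
          echo "chunkNumber=$(jq -r '.[${{ matrix.shard }}].chunkNumber' matrix.json)" >> "$GITHUB_OUTPUT"
      # The step outputs originate from downloaded data, so they are handed to
      # the script through env rather than interpolated with ${{ }} into the
      # shell text (GitHub's script-injection guidance). PLAYGROUND_EXAMPLES is
      # deliberately left unquoted to keep the original word-splitting of the
      # argument list; metacharacters in the value are no longer interpreted.
      - name: "Run PHPStan"
        working-directory: "issue-bot"
        timeout-minutes: 5
        env:
          PHP_VERSION: ${{ steps.chunk.outputs.phpVersion }}
          PLAYGROUND_EXAMPLES: ${{ steps.chunk.outputs.playgroundExamples }}
        run: ./console.php run "$PHP_VERSION" $PLAYGROUND_EXAMPLES
      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: results-${{ steps.chunk.outputs.phpVersion }}-${{ steps.chunk.outputs.chunkNumber }}
          path: issue-bot/tmp/results-${{ steps.chunk.outputs.phpVersion }}-*.tmp

  evaluate:
    name: "Evaluate results"
    needs: analyse
    runs-on: "ubuntu-latest"
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit
      - name: "Checkout"
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - name: "Install PHP"
        uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2
        with:
          coverage: "none"
          php-version: "8.5"
      - name: "Install issue-bot dependencies"
        uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3
        with:
          working-directory: "issue-bot"
      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: playground-cache
          path: issue-bot/tmp
      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: issue-cache
          path: issue-bot/tmp
      # All per-shard result artifacts are merged into one directory.
      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          pattern: results-*
          merge-multiple: true
          path: issue-bot/tmp
      - name: "List tmp"
        run: "ls -lA issue-bot/tmp"
      # Exit code 2 from `evaluate` signals "affected issues found"; the step
      # surfaces it as a notice and succeeds, any other non-zero code fails.
      - name: "Evaluate results - pull request"
        working-directory: "issue-bot"
        if: github.event_name == 'pull_request'
        env:
          GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set +e
          ./console.php evaluate > tmp/step-summary.md
          exit_code="$?"
          cat tmp/step-summary.md >> "$GITHUB_STEP_SUMMARY"
          if [[ "$exit_code" == "2" ]]; then
            echo "::notice file=.github/workflows/issue-bot.yml,line=3 ::Issue bot detected open issues which are affected by this pull request - see https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
            exit 0
          fi
          exit $exit_code
      - name: "Upload step summary"
        if: github.event_name == 'pull_request'
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: step-summary
          path: issue-bot/tmp/step-summary.md
      # Comments are only posted from the upstream repository's 2.2.x branch,
      # using a dedicated bot token rather than GITHUB_TOKEN.
      # NOTE(review): on workflow_dispatch runs github.event.before/after are
      # presumably empty — confirm ./console.php evaluate tolerates that.
      - name: "Evaluate results - push"
        working-directory: "issue-bot"
        if: "github.repository_owner == 'phpstan' && github.ref == 'refs/heads/2.2.x'"
        env:
          GITHUB_PAT: ${{ secrets.PHPSTAN_BOT_TOKEN }}
          PHPSTAN_SRC_COMMIT_BEFORE: ${{ github.event.before }}
          PHPSTAN_SRC_COMMIT_AFTER: ${{ github.event.after }}
        run: |
          set +e
          ./console.php evaluate --post-comments >> "$GITHUB_STEP_SUMMARY"
          exit_code="$?"
          # its fine when issue-bot found affected issues
          if [[ "$exit_code" == "2" ]]; then
            exit 0
          fi
          exit $exit_code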