[StepSecurity] ci: Harden GitHub Actions #26037
| # https://help.github.com/en/categories/automating-your-workflow-with-github-actions | |
| name: "Tests" | |
| on: | |
| pull_request: | |
| paths-ignore: | |
| - 'compiler/**' | |
| - 'apigen/**' | |
| - 'changelog-generator/**' | |
| - 'issue-bot/**' | |
| push: | |
| branches: | |
| - "2.1.x" | |
| paths-ignore: | |
| - 'compiler/**' | |
| - 'apigen/**' | |
| - 'changelog-generator/**' | |
| - 'issue-bot/**' | |
| concurrency: | |
| group: tests-${{ github.head_ref || github.run_id }} # will be canceled on subsequent pushes in pull requests but not branches | |
| cancel-in-progress: true | |
| jobs: | |
| tests: | |
| name: "Tests PHPUnit 12.x" | |
| runs-on: ${{ matrix.operating-system }} | |
| timeout-minutes: 60 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| php-version: | |
| - "8.3" | |
| - "8.4" | |
| - "8.5" | |
| operating-system: [ ubuntu-latest, windows-latest ] | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 | |
| with: | |
| egress-policy: audit | |
| - name: "Checkout" | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - name: "Install PHP" | |
| uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 | |
| with: | |
| coverage: "none" | |
| php-version: "${{ matrix.php-version }}" | |
| tools: pecl | |
| extensions: ds,mbstring | |
| ini-file: development | |
| ini-values: memory_limit=-1 | |
| - name: "Upgrade PHPUnit 12" | |
| shell: bash | |
| run: | | |
| composer require --dev phpunit/phpunit:^12 brianium/paratest:^7.16 symfony/process:^7 symfony/string:^7 symfony/console:^7 --update-with-dependencies --ignore-platform-reqs --working-dir=tests | |
| composer require --dev phpunit/phpunit:^12 sebastian/diff --update-with-dependencies --ignore-platform-reqs | |
| - name: "Check PHP configuration" | |
| run: "vendor/bin/phpunit --check-php-configuration" | |
| - name: "Tests" | |
| run: "php tests/vendor/bin/paratest --runner WrapperRunner --no-coverage" | |
| tests-phpunit11: | |
| name: "Tests PHPUnit 11.x" | |
| runs-on: ${{ matrix.operating-system }} | |
| timeout-minutes: 60 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| php-version: | |
| - "8.2" | |
| operating-system: [ ubuntu-latest, windows-latest ] | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 | |
| with: | |
| egress-policy: audit | |
| - name: "Checkout" | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - name: "Install PHP" | |
| uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 | |
| with: | |
| coverage: "none" | |
| php-version: "${{ matrix.php-version }}" | |
| tools: pecl | |
| extensions: ds,mbstring | |
| ini-file: development | |
| ini-values: memory_limit=-1 | |
| - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 | |
| - name: "Check PHP configuration" | |
| run: "vendor/bin/phpunit --check-php-configuration" | |
| - name: "Tests" | |
| run: "make tests" | |
| tests-integration: | |
| name: "Integration tests" | |
| runs-on: ${{ matrix.operating-system }} | |
| timeout-minutes: 60 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| operating-system: [ ubuntu-latest, windows-latest ] | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 | |
| with: | |
| egress-policy: audit | |
| - name: "Checkout" | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - name: "Install PHP" | |
| uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 | |
| with: | |
| coverage: "none" | |
| php-version: "8.2" | |
| tools: pecl | |
| extensions: ds,mbstring | |
| ini-file: development | |
| ini-values: memory_limit=-1 | |
| - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 | |
| - name: "Check PHP configuration" | |
| run: "vendor/bin/phpunit --check-php-configuration" | |
| - name: "Tests" | |
| run: "make tests-integration" | |
| tests-levels-matrix: | |
| name: "Determine levels tests matrix" | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 60 | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 | |
| with: | |
| egress-policy: audit | |
| - name: "Checkout" | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - name: "Install PHP" | |
| uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 | |
| with: | |
| coverage: "none" | |
| php-version: "8.3" | |
| tools: pecl | |
| extensions: ds,mbstring | |
| ini-file: development | |
| ini-values: memory_limit=1G | |
| - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 | |
| - id: set-matrix | |
| run: echo "matrix=$(php .github/workflows/tests-levels-matrix.php)" >> $GITHUB_OUTPUT | |
| outputs: | |
| matrix: ${{ steps.set-matrix.outputs.matrix }} | |
| tests-levels: | |
| needs: tests-levels-matrix | |
| name: "Levels tests" | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 60 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| script: "${{fromJson(needs.tests-levels-matrix.outputs.matrix)}}" | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 | |
| with: | |
| egress-policy: audit | |
| - name: "Checkout" | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - name: "Install PHP" | |
| uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 | |
| with: | |
| coverage: "none" | |
| php-version: "8.3" | |
| tools: pecl | |
| extensions: ds,mbstring | |
| ini-file: development | |
| ini-values: memory_limit=-1 | |
| - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 | |
| - name: "Check PHP configuration" | |
| run: "vendor/bin/phpunit --check-php-configuration" | |
| - name: "Tests" | |
| run: "${{ matrix.script }}" | |
| tests-with-old-phpunit: | |
| name: "Tests with old PHPUnit" | |
| runs-on: ${{ matrix.operating-system }} | |
| timeout-minutes: 60 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| php-version: | |
| - "7.4" | |
| - "8.0" | |
| - "8.1" | |
| operating-system: [ ubuntu-latest, windows-latest ] | |
| include: | |
| - php-version: "8.1" | |
| operating-system: ubuntu-latest | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 | |
| with: | |
| egress-policy: audit | |
| - name: "Checkout" | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - name: "Install PHP" | |
| uses: "shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1" # v2 | |
| with: | |
| coverage: "none" | |
| php-version: "${{ matrix.php-version }}" | |
| tools: pecl | |
| extensions: ds,mbstring | |
| ini-file: development | |
| ini-values: memory_limit=2G | |
| - name: "Downgrade PHPUnit" | |
| shell: bash | |
| run: "composer require --dev phpunit/phpunit:^9.6 sebastian/diff:^4.0 doctrine/instantiator:^1.0 --update-with-dependencies --ignore-platform-reqs" | |
| - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 | |
| - name: "Downgrade PHPUnit with Paratest" | |
| shell: bash | |
| run: "composer require --dev phpunit/phpunit:^9.6 brianium/paratest:^6.5 symfony/console:^5.4 symfony/process:^5.4 doctrine/instantiator:^1.0 --update-with-dependencies --ignore-platform-reqs --working-dir=tests" | |
| - uses: ./.github/actions/downgrade-code | |
| with: | |
| php-version: "${{ matrix.php-version }}" | |
| - name: "Tests" | |
| run: "make tests" | |
| mutation-testing: | |
| name: "Mutation Testing" | |
| runs-on: "ubuntu-latest" | |
| needs: ["tests"] | |
| if: github.event_name == 'pull_request' | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| php-version: | |
| - "8.3" | |
| - "8.4" | |
| operating-system: [ubuntu-latest] | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 | |
| with: | |
| egress-policy: audit | |
| - name: "Checkout" | |
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 | |
| - name: "Checkout build-infection" | |
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 | |
| with: | |
| repository: "phpstan/build-infection" | |
| path: "build-infection" | |
| ref: "1.x" | |
| - uses: ./build-infection/.github/actions/setup-php | |
| with: | |
| php-version: "${{ matrix.php-version }}" | |
| php-extensions: ds,mbstring | |
| - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 | |
| - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 | |
| with: | |
| working-directory: "tests/" | |
| - name: "Upgrade PHPUnit with Paratest to speedup coverage generation" | |
| shell: bash | |
| run: | | |
| composer require --dev phpunit/phpunit:^12 brianium/paratest:^7.16 symfony/process:^7 symfony/string:^7 symfony/console:^7 --update-with-dependencies --ignore-platform-reqs --working-dir=tests | |
| composer require --dev phpunit/phpunit:^12 sebastian/diff --update-with-dependencies --ignore-platform-reqs | |
| - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 | |
| with: | |
| working-directory: "build-infection/" | |
| - name: "Configure infection" | |
| run: | | |
| php build-infection/bin/infection-config.php \ | |
| --source-directory='build/PHPStan/Build' \ | |
| --timeout=500 \ | |
| > infection.json5 | |
| cat infection.json5 | jq | |
| - name: "Determine default branch" | |
| id: default-branch | |
| run: | | |
| echo "name=$(git remote show origin | sed -n '/HEAD branch/s/.*: //p')" >> $GITHUB_OUTPUT | |
| - name: "Restore result cache" | |
| uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 | |
| with: | |
| path: ./tmp | |
| key: "result-cache-v1-${{ matrix.php-version }}-${{ github.run_id }}" | |
| restore-keys: | | |
| result-cache-v1-${{ matrix.php-version }}- | |
| # see https://infection.github.io/guide/command-line-options.html#coverage | |
| - name: "Create coverage in parallel" | |
| run: | | |
| php -d pcov.enabled=1 tests/vendor/bin/paratest \ | |
| --passthru-php="'-d' 'pcov.enabled=1'" \ | |
| --coverage-xml=tmp/coverage/coverage-xml --log-junit=tmp/coverage/junit.xml \ | |
| --exclude-source-from-xml-coverage | |
| - name: "Run infection" | |
| run: | | |
| git fetch --depth=1 origin ${{ steps.default-branch.outputs.name }} | |
| infection \ | |
| --git-diff-base=origin/${{ steps.default-branch.outputs.name }} \ | |
| --git-diff-lines \ | |
| --coverage=tmp/coverage \ | |
| --skip-initial-tests \ | |
| --ignore-msi-with-no-mutations \ | |
| --min-msi=100 \ | |
| --min-covered-msi=100 \ | |
| --log-verbosity=all \ | |
| --debug \ | |
| --logger-text=php://stdout | |
| - name: "Save result cache" | |
| uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 | |
| if: ${{ !cancelled() }} | |
| with: | |
| path: ./tmp | |
| key: "result-cache-v1-${{ matrix.php-version }}-${{ github.run_id }}" |
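Review bot: The `mutation-testing` job still executes code from a mutable ref: its second checkout pulls `phpstan/build-infection` at `ref: "1.x"`, and the job then runs `./build-infection/.github/actions/setup-php` and `php build-infection/bin/infection-config.php` from that checkout, so a push to that branch changes what this workflow runs even though every `uses:` line in the file is now pinned to a commit SHA. Pin `ref:` to the full commit SHA of the intended `1.x` commit with the branch name as a trailing comment, matching the pinning style of the `uses:` lines, and bump it deliberately; it is a same-org repository, so the exposure is narrower than a third-party action, but its branch protection is a different trust boundary from this repository's. The workflow also declares no `permissions:` block at either the workflow or job level, so every job inherits the repository default for `GITHUB_TOKEN`; none of the visible steps needs write access (checkout, setup-php, composer, paratest, infection and the cache restore/save all work with a read-only token), so adding `permissions:` / `  contents: read` at the top of the file is the least-privilege setting unless the repository default has already been set to read-only. Finally, `egress-policy: audit` on each `harden-runner` step only logs outbound traffic and blocks nothing; that is the right first step, but the hardening is complete only once the audit output has been reviewed and the steps switched to `egress-policy: block` with an `allowed-endpoints` list (these jobs will need at least the GitHub, Packagist and PHP-download endpoints that setup-php and composer contact).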