Skip to content

Bump actions/attest-build-provenance from 2.0.1 to 2.1.0 (#2822) #6579

Bump actions/attest-build-provenance from 2.0.1 to 2.1.0 (#2822)

Bump actions/attest-build-provenance from 2.0.1 to 2.1.0 (#2822) #6579

Workflow file for this run

name: Integrate
# Run this workflow every time a new commit pushed to your repository
on:
push:
paths-ignore:
- '**/*.md'
- 'public/dist/*.js'
- 'public/dist/**/*.js'
- 'public/Lychee-front'
pull_request:
paths-ignore:
- '**/*.md'
- 'public/dist/*.js'
- 'public/dist/**/*.js'
- 'public/Lychee-front'
# Allow manually triggering the workflow.
workflow_dispatch:
# Declare default permissions as read only.
permissions: read-all
jobs:
kill_previous:
name: 0️⃣ Kill previous runs
runs-on: ubuntu-latest
# We want to run on external PRs, but not on our own internal PRs as they'll be run by the push to the branch.
if: (github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository)
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Cancel Previous Runs
uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1
with:
access_token: ${{ github.token }}
php_syntax_errors:
name: 1️⃣ PHP 8.2 - Syntax errors
runs-on: ubuntu-latest
needs:
- kill_previous
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Setup PHP Action
uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1
with:
php-version: 8.2
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install dependencies
uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0
- name: Check source code for syntax errors
run: vendor/bin/parallel-lint --exclude .git --exclude vendor .
code_style_errors:
name: 2️⃣ PHP 8.2 - Code Style errors
runs-on: ubuntu-latest
needs:
- php_syntax_errors
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Set up PHP
uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1
with:
php-version: 8.2
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install dependencies
uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0
- name: Check source code for code style errors
run: PHP_CS_FIXER_IGNORE_ENV=1 vendor/bin/php-cs-fixer fix --config=.php-cs-fixer.php --verbose --diff --dry-run
check_js:
name: 2️⃣ JS front-end
uses: ./.github/workflows/js_check.yml
needs:
- php_syntax_errors
phpstan:
name: 2️⃣ PHP 8.2 - PHPStan
runs-on: ubuntu-latest
needs:
- php_syntax_errors
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup PHP
uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1
with:
php-version: 8.2
coverage: none
- name: Install Composer dependencies
uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0
- name: Run PHPStan
run: vendor/bin/phpstan analyze
tests_legacy:
name: 2️⃣ PHP tests legacy
needs:
- php_syntax_errors
uses: ./.github/workflows/php_tests.yml
with:
test-suite: 'Feature_v1'
env-file: '.env.legacy'
secrets:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
tests:
name: 2️⃣ PHP tests
needs:
- php_syntax_errors
uses: ./.github/workflows/php_tests.yml
with:
test-suite: 'Unit,Feature_v2'
env-file: '.env'
secrets:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
dist:
name: 3️⃣ PHP dist
needs:
- code_style_errors
uses: ./.github/workflows/php_dist.yml
createArtifact:
name: 4️⃣ Build Artifact
if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')
needs:
- phpstan
- dist
- tests
- tests_legacy
- check_js
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
attestations: write
env:
extensions: bcmath, curl, dom, gd, imagick, json, libxml, mbstring, pcntl, pdo, pdo_sqlite, pdo_mysql, pdo_pgsql, pgsql, sqlite3, zip
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup PHP
uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1
with:
php-version: 8.2
extensions: ${{ env.extensions }}
coverage: none
- name: Use Node.js 20
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 20
- name: Build Dist
run: |
make clean dist
- name: Upload build artifact
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: Lychee.zip
path: Lychee.zip
if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn`
- name: Attest
uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
with:
# Path to the artifact serving as the subject of the attestation. Must
# specify exactly one of "subject-path" or "subject-digest". May contain a
# glob pattern or list of paths (total subject count cannot exceed 2500).
subject-path: '${{ github.workspace }}/Lychee.zip'
# SHA256 digest of the subject for the attestation. Must be in the form
# "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one
# of "subject-path" or "subject-digest".
# subject-digest:
# Subject name as it should appear in the attestation. Required unless
# "subject-path" is specified, in which case it will be inferred from the
# path.
# subject-name: Lychee
# Whether to push the attestation to the image registry. Requires that the
# "subject-name" parameter specify the fully-qualified image name and that
# the "subject-digest" parameter be specified. Defaults to false.
# push-to-registry:
# Whether to attach a list of generated attestations to the workflow run
# summary page. Defaults to true.
# show-summary:
# The GitHub token used to make authenticated API requests. Default is
# ${{ github.token }}
github-token: ${{ github.token }}
release:
name: 5️⃣ Release
if: startsWith(github.ref, 'refs/tags/')
needs:
- createArtifact
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
env:
extensions: bcmath, curl, dom, gd, imagick, json, libxml, mbstring, pcntl, pdo, pdo_sqlite, pdo_mysql, pdo_pgsql, pgsql, sqlite3, zip
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Download generated artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.18
with:
name: Lychee.zip
# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
- name: Sign release with a key
run: |
cosign sign-blob --yes --key env://COSIGN_PRIVATE_KEY --output-signature Lychee.zip.asc Lychee.zip
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- name: Create release
uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0
with:
files: |
Lychee.zip.asc
Lychee.zip
token: ${{ secrets.GITHUB_TOKEN }}
generate_release_notes: true
make_latest: true