From 1482ed63141b1416f6ed3bbdc2e0f92a7f96a144 Mon Sep 17 00:00:00 2001
From: ildyria
Date: Wed, 27 Nov 2024 14:40:14 +0100
Subject: [PATCH 01/11] WIP release signature
---
.github/workflows/CICD.yml | 325 +++++++++++++----------
.github/workflows/CICD_no_legacy.yml | 17 +-
.github/workflows/dependency-review.yml | 27 --
.github/workflows/php_dist.yml | 5 -
.github/workflows/php_no_legacy_dist.yml | 5 -
5 files changed, 190 insertions(+), 189 deletions(-)
delete mode 100644 .github/workflows/dependency-review.yml
diff --git a/.github/workflows/CICD.yml b/.github/workflows/CICD.yml
index 4ac4a935bb7..b1de240248a 100644
--- a/.github/workflows/CICD.yml
+++ b/.github/workflows/CICD.yml
@@ -21,143 +21,144 @@ on: permissions: read-all jobs: - kill_previous: - name: 0️⃣ Kill previous runs - runs-on: ubuntu-latest - # We want to run on external PRs, but not on our own internal PRs as they'll be run by the push to the branch. - if: (github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository) - steps: - - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - egress-policy: audit - - - name: Cancel Previous Runs - uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 - with: - access_token: ${{ github.token }} - - php_syntax_errors: - name: 1️⃣ PHP 8.2 - Syntax errors - runs-on: ubuntu-latest - needs: - - kill_previous - steps: - - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - egress-policy: audit - - - name: Setup PHP Action - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1 - with: - php-version: 8.2 - - - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Install dependencies - uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0 - - - name: Check source code for syntax errors - run: vendor/bin/parallel-lint --exclude .git --exclude vendor . 
- - code_style_errors: - name: 2️⃣ PHP 8.2 - Code Style errors - runs-on: ubuntu-latest - needs: - - php_syntax_errors - steps: - - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - egress-policy: audit - - - name: Set up PHP - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1 - with: - php-version: 8.2 - - - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Install dependencies - uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0 - - - name: Check source code for code style errors - run: PHP_CS_FIXER_IGNORE_ENV=1 vendor/bin/php-cs-fixer fix --config=.php-cs-fixer.php --verbose --diff --dry-run - - check_js: - name: 2️⃣ JS front-end - uses: ./.github/workflows/js_check.yml - needs: - - php_syntax_errors - - phpstan: - name: 2️⃣ PHP 8.2 - PHPStan - runs-on: ubuntu-latest - needs: - - php_syntax_errors - steps: - - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - egress-policy: audit - - - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Setup PHP - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1 - with: - php-version: 8.2 - coverage: none - - - name: Install Composer dependencies - uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0 - - - name: Run PHPStan - run: vendor/bin/phpstan analyze - - tests_legacy: - name: 2️⃣ PHP tests legacy - needs: - - php_syntax_errors - uses: ./.github/workflows/php_tests.yml - with: - test-suite: 'Feature_v1' - env-file: '.env.legacy' - secrets: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} - - tests: - name: 2️⃣ PHP tests - needs: - - php_syntax_errors - uses: ./.github/workflows/php_tests.yml - with: - test-suite: 'Unit,Feature_v2' 
- env-file: '.env' - secrets: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} - - dist: - name: 3️⃣ PHP dist - needs: - - code_style_errors - uses: ./.github/workflows/php_dist.yml + # kill_previous: + # name: 0️⃣ Kill previous runs + # runs-on: ubuntu-latest + # # We want to run on external PRs, but not on our own internal PRs as they'll be run by the push to the branch. + # if: (github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository) + # steps: + # - name: Harden Runner + # uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + # with: + # egress-policy: audit + + # - name: Cancel Previous Runs + # uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 + # with: + # access_token: ${{ github.token }} + + # php_syntax_errors: + # name: 1️⃣ PHP 8.2 - Syntax errors + # runs-on: ubuntu-latest + # needs: + # - kill_previous + # steps: + # - name: Harden Runner + # uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + # with: + # egress-policy: audit + + # - name: Setup PHP Action + # uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1 + # with: + # php-version: 8.2 + + # - name: Checkout code + # uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + # - name: Install dependencies + # uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0 + + # - name: Check source code for syntax errors + # run: vendor/bin/parallel-lint --exclude .git --exclude vendor . 
+ + # code_style_errors: + # name: 2️⃣ PHP 8.2 - Code Style errors + # runs-on: ubuntu-latest + # needs: + # - php_syntax_errors + # steps: + # - name: Harden Runner + # uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + # with: + # egress-policy: audit + + # - name: Set up PHP + # uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1 + # with: + # php-version: 8.2 + + # - name: Checkout code + # uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + # - name: Install dependencies + # uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0 + + # - name: Check source code for code style errors + # run: PHP_CS_FIXER_IGNORE_ENV=1 vendor/bin/php-cs-fixer fix --config=.php-cs-fixer.php --verbose --diff --dry-run + + # check_js: + # name: 2️⃣ JS front-end + # uses: ./.github/workflows/js_check.yml + # needs: + # - php_syntax_errors + + # phpstan: + # name: 2️⃣ PHP 8.2 - PHPStan + # runs-on: ubuntu-latest + # needs: + # - php_syntax_errors + # steps: + # - name: Harden Runner + # uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + # with: + # egress-policy: audit + + # - name: Checkout code + # uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + # - name: Setup PHP + # uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1 + # with: + # php-version: 8.2 + # coverage: none + + # - name: Install Composer dependencies + # uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0 + + # - name: Run PHPStan + # run: vendor/bin/phpstan analyze + + # tests_legacy: + # name: 2️⃣ PHP tests legacy + # needs: + # - php_syntax_errors + # uses: ./.github/workflows/php_tests.yml + # with: + # test-suite: 'Feature_v1' + # env-file: '.env.legacy' + # secrets: + # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + # CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + + # tests: + # name: 2️⃣ PHP 
tests + # needs: + # - php_syntax_errors + # uses: ./.github/workflows/php_tests.yml + # with: + # test-suite: 'Unit,Feature_v2' + # env-file: '.env' + # secrets: + # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + # CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + + # dist: + # name: 3️⃣ PHP dist + # needs: + # - code_style_errors + # uses: ./.github/workflows/php_dist.yml createArtifact: name: 4️⃣ Build Artifact - if: github.ref == 'refs/heads/master' - needs: - - phpstan - - dist - - tests - - tests_legacy - - check_js + # For testing purpose we disable this. + # if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/') + # needs: + # - phpstan + # - dist + # - tests + # - tests_legacy + # - check_js runs-on: ubuntu-latest permissions: contents: read @@ -189,15 +190,21 @@ jobs: - name: Build Dist run: | - make clean dist + make clean dist-clean - - name: Upload a Build Artifact + - name: Upload build artifact uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: Lychee.zip - path: Lychee.zip + path: Lychee if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn` + - name: Download generated artifact + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.18 + with: + name: Lychee.zip + path: '${{ github.workspace }}/Lychee.zip' + - name: Attest uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 with: 
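Review bot: The new `Download generated artifact` step runs in the same job that just uploaded `Lychee.zip`, and the `path` input of `actions/download-artifact` is a destination directory, so the archive would be extracted under `Lychee.zip/Lychee.zip` instead of replacing the file the following `Attest` step (its inputs are outside this hunk, presumably a `subject-path`) is expected to point at. The built file is already in the workspace after `Build Dist`, so the download step can simply be removed and the attestation can reference `Lychee.zip` on disk; if the goal was to attest the exact bytes stored as the artifact, that comparison belongs in a separate job, e.g. by matching `shasum -a 256` of both copies. The switch to `make clean dist-clean` with `path: Lychee` implies the target now produces a directory rather than a zip; the Makefile is not in this patch, so confirm that `dist-clean` emits what `upload-artifact` is told to pick up, otherwise `if-no-files-found: error` fails the job.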
@@ -227,4 +234,46 @@ jobs: # The GitHub token used to make authenticated API requests. Default is # ${{ github.token }} - github-token: ${{ github.token }} \ No newline at end of file + github-token: ${{ github.token }} + + + release: + name: 5️⃣ Release + if: github.ref == 'refs/heads/master' + needs: + - createArtifact + runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + env: + extensions: bcmath, curl, dom, gd, imagick, json, libxml, mbstring, pcntl, pdo, pdo_sqlite, pdo_mysql, pdo_pgsql, pgsql, sqlite3, zip + + steps: + - name: Install Cosign + uses: sigstore/cosign-installer@v3.7.0 + + - name: Download generated artifact + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.18 + with: + name: Lychee.zip + path: '${{ github.workspace }}/Lychee.zip' + + # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + - name: Sign image with a key + run: | + DIGEST=$(shasum -a 256 artifact | cut -d' ' -f 1) && echo "$DIGEST" + cosign sign --yes --key env://COSIGN_PRIVATE_KEY --output-signature sig.asc $DIGEST + env: + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + + - name: Create release + uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0 + with: + files: | + sig.asc + Lychee.zip + token: ${{ secrets.GITHUB_TOKEN }} + draft: true + \ No newline at end of file diff --git a/.github/workflows/CICD_no_legacy.yml b/.github/workflows/CICD_no_legacy.yml index fea562756a1..3c99e1061bd 100644 --- a/.github/workflows/CICD_no_legacy.yml +++ b/.github/workflows/CICD_no_legacy.yml 
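Review bot: The new `release` job is the only job in this file that does not start with the `step-security/harden-runner` step, yet it is the one that receives `COSIGN_PRIVATE_KEY` and `COSIGN_PASSWORD` and executes a freshly installed third-party binary, so it should at least get the same egress-audited runner as its siblings (step below). `id-token: write` is requested but nothing in the job uses an OIDC token — `cosign sign --key env://...` is key-based, not keyless — so that permission can be dropped unless keyless signing is the plan, and `env.extensions` is never read in this job (there is no `setup-php` step), so it is dead configuration. `cosign sign` expects an OCI image reference and `artifact` is not a file this job creates, so the signing step as written cannot succeed; signing the downloaded `Lychee.zip` with `cosign sign-blob` is the matching operation. With `if: github.ref == 'refs/heads/master'` every merge to master would also produce a signed (draft) release, which is probably broader than intended for a release job.

```yaml
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit

      # … unchanged: Install Cosign, Download generated artifact, signing and release steps …
```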
@@ -181,29 +181,18 @@ jobs: extensions: ${{ env.extensions }} coverage: none - - name: Install Composer dependencies - uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0 - with: - composer-options: --no-dev - - name: Use Node.js 20 uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: 20 - - name: Install - run: npm ci - - - name: Compile Front-end - run: npm run build - - name: Build Dist run: | - make clean dist + make clean dist-clean - name: Upload a Build Artifact uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: - name: Lychee-Dist.zip - path: Lychee.zip + name: Lychee-No-Legacy.zip + path: Lychee if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn` diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml deleted file mode 100644 index 21a469b132c..00000000000 --- a/.github/workflows/dependency-review.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Dependency Review Action -# -# This Action will scan dependency manifest files that change as part of a Pull Request, -# surfacing known-vulnerable versions of the packages declared or updated in the PR. -# Once installed, if the workflow run is marked as required, -# PRs introducing known-vulnerable packages will be blocked from merging. -# -# Source repository: https://github.com/actions/dependency-review-action -name: 'Dependency Review' -on: [pull_request] - -permissions: - contents: read - -jobs: - dependency-review: - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - egress-policy: audit - - - name: 'Checkout Repository' - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: 'Dependency Review' - uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 
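Review bot: The Composer install step (`composer-options: --no-dev`) and the `npm ci` / `npm run build` steps are removed, and nothing left in this hunk installs `vendor/` or compiles the front-end before `make clean dist-clean`; the same Composer-step removal is made in the `php_dist.yml` and `php_no_legacy_dist.yml` hunks of this commit. If the Makefile target now runs these itself that is fine, but the Makefile is not part of this patch; should it run Composer without `--no-dev`, the release archive will ship development packages (test frameworks, fixers) that widen the supply-chain surface of every deployment. Confirm it and say so on the build step, e.g. `# dist-clean runs composer install --no-dev and the npm build itself`, and a post-build sanity check that `vendor/` exists and contains no dev-only packages would catch a regression early.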
diff --git a/.github/workflows/php_dist.yml b/.github/workflows/php_dist.yml index c911f4f0b97..53be52444ec 100644 --- a/.github/workflows/php_dist.yml +++ b/.github/workflows/php_dist.yml @@ -67,11 +67,6 @@ jobs: extensions: ${{ env.extensions }} tools: pecl, composer - - name: Install Composer dependencies - uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0 - with: - composer-options: --no-dev - - name: Build Dist run: | make dist-clean diff --git a/.github/workflows/php_no_legacy_dist.yml b/.github/workflows/php_no_legacy_dist.yml index 455c3da329a..64e5c4cee24 100644 --- a/.github/workflows/php_no_legacy_dist.yml +++ b/.github/workflows/php_no_legacy_dist.yml @@ -71,11 +71,6 @@ jobs: extensions: ${{ env.extensions }} tools: pecl, composer - - name: Install Composer dependencies - uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0 - with: - composer-options: --no-dev - - name: Build Dist run: | make dist-clean From 8f674522dd28a54aede456509a9dabee56996d28 Mon Sep 17 00:00:00 2001 From: ildyria Date: Wed, 27 Nov 2024 14:44:48 +0100 Subject: [PATCH 02/11] fix --- .github/workflows/CICD.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/CICD.yml b/.github/workflows/CICD.yml index b1de240248a..f8c49a31f67 100644 --- a/.github/workflows/CICD.yml +++ b/.github/workflows/CICD.yml @@ -190,13 +190,13 @@ jobs: - name: Build Dist run: | - make clean dist-clean + make clean dist - name: Upload build artifact uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: Lychee.zip - path: Lychee + path: Lychee.zip if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn` - name: Download generated artifact 
@@ -257,12 +257,12 @@ jobs: uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.18 with: name: Lychee.zip - path: '${{ github.workspace }}/Lychee.zip' + # path: '${{ github.workspace }}/Lychee.zip' # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - name: Sign image with a key run: | - DIGEST=$(shasum -a 256 artifact | cut -d' ' -f 1) && echo "$DIGEST" + DIGEST=$(shasum -a 256 Lychee.zip | cut -d' ' -f 1) && echo "$DIGEST" cosign sign --yes --key env://COSIGN_PRIVATE_KEY --output-signature sig.asc $DIGEST env: COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} From b3e9d654e8784364e009c19f343fec002492f254 Mon Sep 17 00:00:00 2001 From: ildyria Date: Wed, 27 Nov 2024 14:49:27 +0100 Subject: [PATCH 03/11] fix --- .github/workflows/CICD.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/CICD.yml b/.github/workflows/CICD.yml index f8c49a31f67..7b7e7a7ee06 100644 --- a/.github/workflows/CICD.yml +++ b/.github/workflows/CICD.yml @@ -203,7 +203,7 @@ jobs: uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.18 with: name: Lychee.zip - path: '${{ github.workspace }}/Lychee.zip' + # path: '${{ github.workspace }}/Lychee.zip' - name: Attest uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 From 2be43f5cb8ab463723db7c99b6244a7df8bf5108 Mon Sep 17 00:00:00 2001 From: ildyria Date: Wed, 27 Nov 2024 14:51:51 +0100 Subject: [PATCH 04/11] first step okay, now second --- .github/workflows/CICD.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/CICD.yml b/.github/workflows/CICD.yml index 7b7e7a7ee06..0310838503f 100644 --- a/.github/workflows/CICD.yml +++ b/.github/workflows/CICD.yml 
@@ -239,7 +239,7 @@ jobs: release: name: 5️⃣ Release - if: github.ref == 'refs/heads/master' + # if: github.ref == 'refs/heads/master' needs: - createArtifact runs-on: ubuntu-latest From 7e138643e5c0df5078cb9b67faad7a9ee88289cc Mon Sep 17 00:00:00 2001 From: ildyria Date: Wed, 27 Nov 2024 15:36:39 +0100 Subject: [PATCH 05/11] fix --- .github/workflows/CICD.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/CICD.yml b/.github/workflows/CICD.yml index 0310838503f..8021d6577c6 100644 --- a/.github/workflows/CICD.yml +++ b/.github/workflows/CICD.yml @@ -260,10 +260,9 @@ jobs: # path: '${{ github.workspace }}/Lychee.zip' # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - - name: Sign image with a key + - name: Sign release with a key run: | - DIGEST=$(shasum -a 256 Lychee.zip | cut -d' ' -f 1) && echo "$DIGEST" - cosign sign --yes --key env://COSIGN_PRIVATE_KEY --output-signature sig.asc $DIGEST + cosign sign-blob --yes --key env://COSIGN_PRIVATE_KEY --output-signature sig.asc Lychee.zip env: COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} From 9b2afbbbd0552159879dc3912b286e4f1194a6d1 Mon Sep 17 00:00:00 2001 From: ildyria Date: Wed, 27 Nov 2024 16:04:07 +0100 Subject: [PATCH 06/11] more tentative --- .github/release.yml | 17 +++++++++++++++++ .github/workflows/CICD.yml | 7 ++++--- 2 files changed, 21 insertions(+), 3 deletions(-) create mode 100644 .github/release.yml diff --git a/.github/release.yml b/.github/release.yml new file mode 100644 index 00000000000..b06aac4921b --- /dev/null +++ b/.github/release.yml @@ -0,0 +1,17 @@ +changelog: + exclude: + labels: + - ignore-for-release + authors: + - octocat + - dependabot + categories: + - title: 🏕 Features + labels: + - '*' + exclude: + labels: + - dependencies + - title: 👒 Dependencies + labels: + - dependencies 
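Review bot: `cosign sign-blob --key` yields a signature that nobody can check unless the matching public key is published, and nothing in this series adds a `cosign.pub` to the repository or to the release assets, nor writes a bundle (`--bundle`) carrying the transparency-log entry, so downstream users have no way to run `cosign verify-blob`. Publish the public key next to the workflow or as a release asset, document the verify command in the release notes, and add a self-check right after signing so a wrong key or passphrase fails the job before anything is published: `cosign verify-blob --key cosign.pub --signature sig.asc Lychee.zip` (with `cosign.pub` standing for wherever the key ends up). The `release` job this step belongs to starts and ends outside the hunk.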
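Review bot: In the new `.github/release.yml`, excluding PRs authored by `dependabot` while also defining a `👒 Dependencies` category keyed on the `dependencies` label is contradictory: Dependabot's PRs are the ones that carry that label, so the category will stay empty unless someone else opens dependency PRs. Either drop `dependabot` from `exclude.authors` so the category fills, or drop the category. `octocat` in the same list looks like it was carried over from the documentation example and can presumably go.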
diff --git a/.github/workflows/CICD.yml b/.github/workflows/CICD.yml index 8021d6577c6..1f5c820eb54 100644 --- a/.github/workflows/CICD.yml +++ b/.github/workflows/CICD.yml @@ -239,7 +239,7 @@ jobs: release: name: 5️⃣ Release - # if: github.ref == 'refs/heads/master' + # if: startsWith(github.ref, 'refs/tags/') needs: - createArtifact runs-on: ubuntu-latest @@ -257,12 +257,11 @@ jobs: uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.18 with: name: Lychee.zip - # path: '${{ github.workspace }}/Lychee.zip' # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - name: Sign release with a key run: | - cosign sign-blob --yes --key env://COSIGN_PRIVATE_KEY --output-signature sig.asc Lychee.zip + cosign sign-blob --yes --key env://COSIGN_PRIVATE_KEY --output-signature Lychee.zip.asc Lychee.zip env: COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} @@ -275,4 +274,6 @@ jobs: Lychee.zip token: ${{ secrets.GITHUB_TOKEN }} draft: true + generate_release_notes: true + make_latest: true \ No newline at end of file From 814f69afcedcab89e0b3e80f5ec7fff6a2a75847 Mon Sep 17 00:00:00 2001 From: ildyria Date: Wed, 27 Nov 2024 16:11:17 +0100 Subject: [PATCH 07/11] fix signature --- .github/workflows/CICD.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/CICD.yml b/.github/workflows/CICD.yml index 1f5c820eb54..dd918c6f49f 100644 --- a/.github/workflows/CICD.yml +++ b/.github/workflows/CICD.yml @@ -270,7 +270,7 @@ jobs: uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0 with: files: | - sig.asc + Lychee.zip.asc Lychee.zip token: ${{ secrets.GITHUB_TOKEN }} draft: true From 086d972fe6637542ca1202c6b53516db3078fbdd Mon Sep 17 00:00:00 2001 
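Review bot: `--output-signature Lychee.zip.asc` names the file as if it were a PGP ASCII-armored signature, but `cosign sign-blob` writes a base64 Sigstore signature, so users who see `.asc` will reach for `gpg --verify` and fail; `Lychee.zip.sig` is the conventional name, and the `files:` entry renamed in the following commit of this series would change with it. `make_latest: true` combined with the tag-based `if:` means any tag, including a pre-release or release-candidate tag, is marked the latest release; consider `make_latest: ${{ !contains(github.ref_name, '-') }}` or an explicit `prerelease:` input so only stable tags become `latest`. The `release` job continues above and below these hunks.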
From: ildyria
Date: Wed, 27 Nov 2024 16:17:23 +0100
Subject: [PATCH 08/11] final push
---
.github/workflows/CICD.yml | 273 ++++++++++++++++++-------------------
1 file changed, 136 insertions(+), 137 deletions(-)
diff --git a/.github/workflows/CICD.yml b/.github/workflows/CICD.yml
index dd918c6f49f..9aef15f8ace 100644
--- a/.github/workflows/CICD.yml
+++ b/.github/workflows/CICD.yml
@@ -21,144 +21,143 @@ on: permissions: read-all jobs: - # kill_previous: - # name: 0️⃣ Kill previous runs - # runs-on: ubuntu-latest - # # We want to run on external PRs, but not on our own internal PRs as they'll be run by the push to the branch. - # if: (github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository) - # steps: - # - name: Harden Runner - # uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - # with: - # egress-policy: audit - - # - name: Cancel Previous Runs - # uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 - # with: - # access_token: ${{ github.token }} - - # php_syntax_errors: - # name: 1️⃣ PHP 8.2 - Syntax errors - # runs-on: ubuntu-latest - # needs: - # - kill_previous - # steps: - # - name: Harden Runner - # uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - # with: - # egress-policy: audit - - # - name: Setup PHP Action - # uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1 - # with: - # php-version: 8.2 - - # - name: Checkout code - # uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - # - name: Install dependencies - # uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0 - - # - name: Check source code for syntax errors - # run: vendor/bin/parallel-lint --exclude .git --exclude vendor . 
- - # code_style_errors: - # name: 2️⃣ PHP 8.2 - Code Style errors - # runs-on: ubuntu-latest - # needs: - # - php_syntax_errors - # steps: - # - name: Harden Runner - # uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - # with: - # egress-policy: audit - - # - name: Set up PHP - # uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1 - # with: - # php-version: 8.2 - - # - name: Checkout code - # uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - # - name: Install dependencies - # uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0 - - # - name: Check source code for code style errors - # run: PHP_CS_FIXER_IGNORE_ENV=1 vendor/bin/php-cs-fixer fix --config=.php-cs-fixer.php --verbose --diff --dry-run - - # check_js: - # name: 2️⃣ JS front-end - # uses: ./.github/workflows/js_check.yml - # needs: - # - php_syntax_errors - - # phpstan: - # name: 2️⃣ PHP 8.2 - PHPStan - # runs-on: ubuntu-latest - # needs: - # - php_syntax_errors - # steps: - # - name: Harden Runner - # uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - # with: - # egress-policy: audit - - # - name: Checkout code - # uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - # - name: Setup PHP - # uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1 - # with: - # php-version: 8.2 - # coverage: none - - # - name: Install Composer dependencies - # uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0 - - # - name: Run PHPStan - # run: vendor/bin/phpstan analyze - - # tests_legacy: - # name: 2️⃣ PHP tests legacy - # needs: - # - php_syntax_errors - # uses: ./.github/workflows/php_tests.yml - # with: - # test-suite: 'Feature_v1' - # env-file: '.env.legacy' - # secrets: - # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - # CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} - - # tests: - # name: 2️⃣ PHP 
tests - # needs: - # - php_syntax_errors - # uses: ./.github/workflows/php_tests.yml - # with: - # test-suite: 'Unit,Feature_v2' - # env-file: '.env' - # secrets: - # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - # CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} - - # dist: - # name: 3️⃣ PHP dist - # needs: - # - code_style_errors - # uses: ./.github/workflows/php_dist.yml + kill_previous: + name: 0️⃣ Kill previous runs + runs-on: ubuntu-latest + # We want to run on external PRs, but not on our own internal PRs as they'll be run by the push to the branch. + if: (github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository) + steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + + - name: Cancel Previous Runs + uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 + with: + access_token: ${{ github.token }} + + php_syntax_errors: + name: 1️⃣ PHP 8.2 - Syntax errors + runs-on: ubuntu-latest + needs: + - kill_previous + steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + + - name: Setup PHP Action + uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1 + with: + php-version: 8.2 + + - name: Checkout code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Install dependencies + uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0 + + - name: Check source code for syntax errors + run: vendor/bin/parallel-lint --exclude .git --exclude vendor . 
+ + code_style_errors: + name: 2️⃣ PHP 8.2 - Code Style errors + runs-on: ubuntu-latest + needs: + - php_syntax_errors + steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + + - name: Set up PHP + uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1 + with: + php-version: 8.2 + + - name: Checkout code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Install dependencies + uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0 + + - name: Check source code for code style errors + run: PHP_CS_FIXER_IGNORE_ENV=1 vendor/bin/php-cs-fixer fix --config=.php-cs-fixer.php --verbose --diff --dry-run + + check_js: + name: 2️⃣ JS front-end + uses: ./.github/workflows/js_check.yml + needs: + - php_syntax_errors + + phpstan: + name: 2️⃣ PHP 8.2 - PHPStan + runs-on: ubuntu-latest + needs: + - php_syntax_errors + steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + + - name: Checkout code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Setup PHP + uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1 + with: + php-version: 8.2 + coverage: none + + - name: Install Composer dependencies + uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0 + + - name: Run PHPStan + run: vendor/bin/phpstan analyze + + tests_legacy: + name: 2️⃣ PHP tests legacy + needs: + - php_syntax_errors + uses: ./.github/workflows/php_tests.yml + with: + test-suite: 'Feature_v1' + env-file: '.env.legacy' + secrets: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + + tests: + name: 2️⃣ PHP tests + needs: + - php_syntax_errors + uses: ./.github/workflows/php_tests.yml + with: + test-suite: 'Unit,Feature_v2' 
+ env-file: '.env' + secrets: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + + dist: + name: 3️⃣ PHP dist + needs: + - code_style_errors + uses: ./.github/workflows/php_dist.yml createArtifact: name: 4️⃣ Build Artifact - # For testing purpose we disable this. - # if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/') - # needs: - # - phpstan - # - dist - # - tests - # - tests_legacy - # - check_js + if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/') + needs: + - phpstan + - dist + - tests + - tests_legacy + - check_js runs-on: ubuntu-latest permissions: contents: read @@ -239,7 +238,7 @@ jobs: release: name: 5️⃣ Release - # if: startsWith(github.ref, 'refs/tags/') + if: startsWith(github.ref, 'refs/tags/') needs: - createArtifact runs-on: ubuntu-latest @@ -251,7 +250,7 @@ jobs: steps: - name: Install Cosign - uses: sigstore/cosign-installer@v3.7.0 + uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - name: Download generated artifact uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.18 From e2d752e90c9e4ea5cf6e4b0565a9780c5f556d0b Mon Sep 17 00:00:00 2001 From: ildyria Date: Wed, 27 Nov 2024 16:19:01 +0100 Subject: [PATCH 09/11] final final --- .github/workflows/CICD.yml | 6 ------ .github/workflows/CICD_no_legacy.yml | 4 ++-- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/.github/workflows/CICD.yml b/.github/workflows/CICD.yml index 9aef15f8ace..28e3b277b57 100644 --- a/.github/workflows/CICD.yml +++ b/.github/workflows/CICD.yml 
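Review bot: `if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')` on `createArtifact` only takes effect if the workflow's `on.push` trigger includes tags; the `on:` block is above this hunk, so confirm it carries a `tags:` filter, otherwise the `release` job guarded by the same condition in the second hunk never runs. Once it does, pushing any tag builds, attests and signs a public release, so tag creation becomes the release authority — a repository ruleset restricting who may create `v*`-style tags is the matching control, worth noting in a comment on the `if:` line, e.g. `# Tags are release triggers; creation is restricted by ruleset`. The `cosign-installer` pin to a full SHA in the third hunk brings the new action in line with the rest of the file. The `createArtifact` job continues below this hunk.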
@@ -198,12 +198,6 @@ jobs: path: Lychee.zip if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn` - - name: Download generated artifact - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.18 - with: - name: Lychee.zip - # path: '${{ github.workspace }}/Lychee.zip' - - name: Attest uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 with: diff --git a/.github/workflows/CICD_no_legacy.yml b/.github/workflows/CICD_no_legacy.yml index 3c99e1061bd..c915329fd3e 100644 --- a/.github/workflows/CICD_no_legacy.yml +++ b/.github/workflows/CICD_no_legacy.yml @@ -188,11 +188,11 @@ jobs: - name: Build Dist run: | - make clean dist-clean + make clean dist - name: Upload a Build Artifact uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: Lychee-No-Legacy.zip - path: Lychee + path: Lychee.zip if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn` From 18c09b2e04cf8f155bbe5fea9dee36f3a9427a83 Mon Sep 17 00:00:00 2001 From: ildyria Date: Wed, 27 Nov 2024 16:19:34 +0100 Subject: [PATCH 10/11] final final final --- .github/workflows/CICD.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/CICD.yml b/.github/workflows/CICD.yml index 28e3b277b57..3c0e44a1c03 100644 --- a/.github/workflows/CICD.yml +++ b/.github/workflows/CICD.yml @@ -266,7 +266,6 @@ jobs: Lychee.zip.asc Lychee.zip token: ${{ secrets.GITHUB_TOKEN }} - draft: true generate_release_notes: true make_latest: true \ No newline at end of file From 5ff18c04cca1b5341a24e1caa21251b6aa71028e Mon Sep 17 00:00:00 2001 From: ildyria Date: Wed, 27 Nov 2024 16:58:04 +0100 Subject: [PATCH 11/11] Restore dependency review --- .github/workflows/dependency-review.yml | 27 +++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 .github/workflows/dependency-review.yml 
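Review bot: Dropping `draft: true` means the release is published and flagged `make_latest` the moment the tag is pushed, with auto-generated notes nobody has read; keeping `draft: true`, or gating `release` behind an `environment:` with required reviewers, leaves a human checkpoint between signing and publication where a mistaken tag can still be caught before the asset is public. If immediate publication is intended, a one-line comment on the step would keep the next reader from re-adding the flag, e.g. `# Releases are published immediately; notes come from .github/release.yml`. The `release` job starts outside this hunk.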
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 00000000000..21a469b132c
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+ with:
+ egress-policy: audit
+
+ - name: 'Checkout Repository'
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0