ci: add static analysis and security workflows

wayofdev · May 18, 2024 · db609ef · db609ef
1 parent d85a2b2
commit db609ef
Show file tree

Hide file tree

Showing 12 changed files with 193 additions and 20 deletions.
diff --git a/.github/CODE_OF_CONDUCT.md b/.github/CODE_OF_CONDUCT.md
@@ -60,7 +60,7 @@ representative at an online or offline event.
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported to the community leaders responsible for enforcement at
-the@wayof.dev.
+<the@wayof.dev>.
 All complaints will be reviewed and investigated promptly and fairly.
 
 All community leaders are obligated to respect the privacy and security of the
@@ -116,13 +116,13 @@ the community.
 
 This Code of Conduct is adapted from the [Contributor Covenant][homepage],
 version 2.0, available at
-https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+<https://www.contributor-covenant.org/version/2/0/code_of_conduct.html>.
 
 Community Impact Guidelines were inspired by [Mozilla's code of conduct
 enforcement ladder](https://github.com/mozilla/diversity).
 
 [homepage]: https://www.contributor-covenant.org
 
 For answers to common questions about this code of conduct, see the FAQ at
-https://www.contributor-covenant.org/faq. Translations are available at
-https://www.contributor-covenant.org/translations.
+<https://www.contributor-covenant.org/faq>. Translations are available at
+<https://www.contributor-covenant.org/translations>.
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,59 @@
+---
+
+name: 🔐 Security analysis
+
+on:  # yamllint disable-line rule:truthy
+  pull_request:
+  push:
+
+jobs:
+  security-analysis:
+    timeout-minutes: 4
+    runs-on: ${{ matrix.os }}
+    concurrency:
+      cancel-in-progress: true
+      group: security-analysis-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+    strategy:
+      fail-fast: true
+      matrix:
+        os:
+          - ubuntu-latest
+        php-version:
+          - '8.2'
+        dependencies:
+          - locked
+    steps:
+      - name: 📦 Check out the codebase
+        uses: actions/checkout@v4.1.5
+
+      - name: 🛠️ Setup PHP
+        uses: shivammathur/setup-php@2.30.4
+        with:
+          php-version: ${{ matrix.php-version }}
+          extensions: none, ctype, dom, json, mbstring, phar, simplexml, tokenizer, xml, xmlwriter, sockets
+          ini-values: error_reporting=E_ALL
+          coverage: none
+
+      - name: 🛠️ Setup problem matchers
+        run: echo "::add-matcher::${{ runner.tool_cache }}/php.json"
+
+      - name: 🤖 Validate composer.json and composer.lock
+        run: composer validate --ansi --strict
+
+      - name: 🔍 Get composer cache directory
+        uses: wayofdev/gh-actions/actions/composer/get-cache-directory@v3.1.0
+
+      - name: ♻️ Restore cached dependencies installed with composer
+        uses: actions/cache@v4.0.2
+        with:
+          path: ${{ env.COMPOSER_CACHE_DIR }}
+          key: php-${{ matrix.php-version }}-composer-${{ matrix.dependencies }}-${{ hashFiles('composer.lock') }}
+          restore-keys: php-${{ matrix.php-version }}-composer-${{ matrix.dependencies }}-
+
+      - name: 📥 Install "${{ matrix.dependencies }}" dependencies
+        uses: wayofdev/gh-actions/actions/composer/install@v3.1.0
+        with:
+          dependencies: ${{ matrix.dependencies }}
+
+      - name: 🐛 Check installed packages for security vulnerability advisories
+        run: composer audit --ansi
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
@@ -0,0 +1,73 @@
+---
+
+on:  # yamllint disable-line rule:truthy
+  push:
+    branches:
+      - master
+    paths:
+      - 'src/**'
+      - 'tests/**'
+      - 'bin/trap'
+      - '.php-cs-fixer.dist.php'
+  pull_request:
+    branches:
+      - master
+    paths:
+      - 'src/**'
+      - 'tests/**'
+      - 'bin/trap'
+      - '.php-cs-fixer.dist.php'
+
+name: 🔍 Static analysis
+
+jobs:
+  static-analysis:
+    timeout-minutes: 4
+    runs-on: ${{ matrix.os }}
+    concurrency:
+      cancel-in-progress: true
+      group: static-analysis-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+    strategy:
+      fail-fast: true
+      matrix:
+        os:
+          - ubuntu-latest
+        php-version:
+          - '8.2'
+        dependencies:
+          - locked
+    steps:
+      - name: 📦 Check out the codebase
+        uses: actions/checkout@v4.1.5
+
+      - name: 🛠️ Setup PHP
+        uses: shivammathur/setup-php@2.30.4
+        with:
+          php-version: ${{ matrix.php-version }}
+          extensions: none, ctype, curl, dom, json, mbstring, phar, simplexml, tokenizer, xml, xmlwriter, sockets, opcache, pcntl, posix
+          ini-values: error_reporting=E_ALL
+          coverage: none
+
+      - name: 🛠️ Setup problem matchers
+        run: echo "::add-matcher::${{ runner.tool_cache }}/php.json"
+
+      - name: 🤖 Validate composer.json and composer.lock
+        run: composer validate --ansi --strict
+
+      - name: 🔍 Get composer cache directory
+        uses: wayofdev/gh-actions/actions/composer/get-cache-directory@v3.1.0
+
+      - name: ♻️ Restore cached dependencies installed with composer
+        uses: actions/cache@v4.0.2
+        with:
+          path: ${{ env.COMPOSER_CACHE_DIR }}
+          key: php-${{ matrix.php-version }}-composer-${{ matrix.dependencies }}-${{ hashFiles('composer.lock') }}
+          restore-keys: php-${{ matrix.php-version }}-composer-${{ matrix.dependencies }}-
+
+      - name: 📥 Install "${{ matrix.dependencies }}" dependencies
+        uses: wayofdev/gh-actions/actions/composer/install@v3.1.0
+        with:
+          dependencies: ${{ matrix.dependencies }}
+
+      - name: 🔍 Run static analysis using phpstan/phpstan
+        run: composer stan:ci
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -2,18 +2,40 @@
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.3.0
+    rev: v4.6.0
     hooks:
       - id: trailing-whitespace
       - id: end-of-file-fixer
       - id: check-added-large-files
-      - id: fix-encoding-pragma
+        args: ['--maxkb=600']
 
   - repo: https://github.com/commitizen-tools/commitizen
-    rev: v2.28.0
+    rev: v3.26.0
     hooks:
       - id: commitizen
         stages:
           - commit-msg
 
+  - repo: local
+    hooks:
+      - id: php-cs-fixer
+        name: PHP CS Fixer
+        description: Lint files using PHP CS Fixer
+        entry: vendor/bin/php-cs-fixer fix --config=.php-cs-fixer.dist.php --verbose --diff
+        language: system
+        types: [php]
+        exclude: ^vendor/
+        files: \.php$
+        pass_filenames: false
+        require_serial: true
+
+  - repo: local
+    hooks:
+      - id: markdownlint
+        name: markdownlint-cli2
+        description: Run markdownlint-cli2 on your Markdown files using the docker image
+        language: docker_image
+        types: [markdown]
+        entry: davidanson/markdownlint-cli2-rules:latest
+
 ...
diff --git a/README.md b/README.md
@@ -1,12 +1,10 @@
 <br>
 
 <div align="center">
-<img width="456" src="https://raw.githubusercontent.com/wayofdev/php-cs-fixer-config/master/assets/logo.gh-light-mode-only.png#gh-light-mode-only">
-<img width="456" src="https://raw.githubusercontent.com/wayofdev/php-cs-fixer-config/master/assets/logo.gh-dark-mode-only.png#gh-dark-mode-only">
+<img alt="Logo for Light Theme" width="456" src="https://raw.githubusercontent.com/wayofdev/php-cs-fixer-config/master/assets/logo.gh-light-mode-only.png#gh-light-mode-only">
+<img alt="Logo for Dark Theme" width="456" src="https://raw.githubusercontent.com/wayofdev/php-cs-fixer-config/master/assets/logo.gh-dark-mode-only.png#gh-dark-mode-only">
 </div>
 
-
-
 <br>
 
 <br>
@@ -36,7 +34,7 @@ If you **like/use** this package, please consider **starring** it. Thanks!
 Require as dependency:
 
 ```bash
-$ composer req wayofdev/cs-fixer-config
+composer req wayofdev/cs-fixer-config
 ```
 
 <br>
@@ -75,7 +73,7 @@ $ composer req wayofdev/cs-fixer-config
 Fix coding standards by simply running console command:
 
 ```bash
-$ php vendor/bin/php-cs-fixer fix -v
+php vendor/bin/php-cs-fixer fix -v
 ```
 
 ### → Using Makefile
@@ -112,23 +110,23 @@ To use with our `Makefile`:
 To run tests, run the following command:
 
 ```bash
-$ make test
+make test
 ```
 
 ### → Static Analysis
 
 Code quality using PHPStan:
 
 ```bash
-$ make stan
+make stan
 ```
 
 ### → Coding Standards Fixing
 
 Fix code using The PHP Coding Standards Fixer (PHP CS Fixer) to follow our standards:
 
 ```bash
-$ make cs-fix
+make cs-fix
 ```
 
 <br>

diff --git a/phpstan-baseline.neon b/phpstan-baseline.neon
@@ -0,0 +1,2 @@
+parameters:
+	ignoreErrors: []
diff --git a/phpstan.neon.dist b/phpstan.neon.dist
@@ -1,10 +1,10 @@
+includes:
+    - phpstan-baseline.neon
+
 parameters:
     level: max
-
     paths:
         - src/
         - tests/
-
-    checkMissingIterableValueType: false
-
+        - .php-cs-fixer.dist.php
     tmpDir: .build/phpstan/
diff --git a/src/ConfigBuilder.php b/src/ConfigBuilder.php
@@ -28,6 +28,8 @@ public static function createFromRuleSet(RuleSet $ruleSet): self
     }
 
     /**
+     * @param array<mixed> $arguments
+     *
      * @throws BadMethodCallException
      */
     public function __call(string $name, array $arguments): self
@@ -50,6 +52,9 @@ public function inDir(string $dir): self
         return $this;
     }
 
+    /**
+     * @param array<mixed> $files
+     */
     public function addFiles(array $files): self
     {
         $this->getFinder()->append($files);

diff --git a/src/RuleSet.php b/src/RuleSet.php
@@ -12,5 +12,8 @@ public function allowRisky(): bool;
 
     public function useCache(): bool;
 
+    /**
+     * @return array<string, array<string, mixed>|bool>
+     */
     public function rules(): array;
 }
diff --git a/src/RuleSets/DefaultSet.php b/src/RuleSets/DefaultSet.php
@@ -11,6 +11,9 @@
 
 final class DefaultSet implements RuleSet
 {
+    /**
+     * @param array<string, array<string, mixed>|bool> $rules
+     */
     public function __construct(private readonly array $rules = [])
     {
     }

diff --git a/src/RuleSets/ExtendedPERSet.php b/src/RuleSets/ExtendedPERSet.php
@@ -11,6 +11,9 @@
 
 final class ExtendedPERSet implements RuleSet
 {
+    /**
+     * @param array<string, array<string, mixed>|bool> $rules
+     */
     public function __construct(private readonly array $rules = [])
     {
     }

diff --git a/tests/Unit/ConfigBuilderTest.php b/tests/Unit/ConfigBuilderTest.php
@@ -131,6 +131,11 @@ public function it_overrides_default_rules(): void
         self::assertEmpty(array_diff_assoc($expected, $rules));
     }
 
+    /**
+     * @param iterable<SplFileInfo> $finder
+     *
+     * @return array<string>
+     */
     private function finderToArray(iterable $finder): array
     {
         $map = static function (SplFileInfo $info): string {