
Commit bd1a52e

quickie
1 parent 7527657 commit bd1a52e


1 file changed

+62
-36
lines changed


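--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -143,6 +143,68 @@ jobs:
 name: Install PHP dependencies
 run: composer install --no-interaction
 
+- name: Run security checks
+run: |
+set -e
+
+composer audit --no-interaction --format=json > composer-audit.json || AUDIT_EXIT=$?
+
+IGNORED=$(jq -r '.config.audit.ignore[]?' composer.json | sort || true)
+
+if [ "${AUDIT_EXIT:-0}" -ne 0 ]; then
+FOUND=$(jq -r '
+# Collect CVEs from both advisories and ignored-advisories
+(.advisories[]?.advisories[]?.cve? // empty),
+(.["ignored-advisories"][]?[]?.cve? // empty)
+' composer-audit.json | sort | uniq)
+
+DIFF=$(comm -23 <(echo "$FOUND") <(echo "$IGNORED"))
+
+if [ -n "$DIFF" ]; then
+echo "❌ New vulnerabilities found by Composer audit:"
+echo "$DIFF"
+exit 1
+else
+echo "✅ Only ignored CVEs found in Composer audit."
+fi
+else
+echo "✅ No vulnerabilities found by Composer audit."
+fi
+
+symfony security:check --format=json > symfony-audit.json || true
+
+FOUND=$(jq -r '.[]?.advisories[]?.cve? // empty' symfony-audit.json | sort | uniq)
+
+DIFF=$(comm -23 <(echo "$FOUND") <(echo "$IGNORED"))
+
+if [ -n "$DIFF" ]; then
+echo "❌ New vulnerabilities found by Symfony security:check:"
+echo "$DIFF"
+exit 1
+else
+echo "✅ No new vulnerabilities (ignored CVEs excluded)."
+fi
+
+-
+name: Run ECS
+run: vendor/bin/ecs check
+
+-
+name: Validate composer.json
+run: composer validate --ansi --strict
+
+-
+name: Run analysis
+run: composer analyse
+
+-
+name: Run PHPStan
+run: vendor/bin/phpstan analyse -c phpstan.neon.dist src/
+
+-
+name: Run PHPSpec
+run: vendor/bin/phpspec run --ansi -f progress --no-interaction
+
 -
 name: Get Yarn cache directory
 id: yarn-cache
@@ -192,42 +254,6 @@ jobs:
 name: Load fixtures in test application
 run: (cd tests/Application && bin/console sylius:fixtures:load -n)
 
-- name: Run security checks
-run: |
-set -e
-composer audit --no-interaction
-
-symfony security:check --format=json > security.json || true
-jq --argjson ignore "$(jq '.config.audit.ignore' composer.json)" '
-.vulnerabilities
-| map(select(.cve | IN($ignore[]) | not))
-| if length > 0 then
-(error("New vulnerabilities found: " + (map(.cve) | join(", "))))
-else
-empty
-end
-' security.json
-
--
-name: Run ECS
-run: vendor/bin/ecs check
-
--
-name: Validate composer.json
-run: composer validate --ansi --strict
-
--
-name: Run analysis
-run: composer analyse
-
--
-name: Run PHPStan
-run: vendor/bin/phpstan analyse -c phpstan.neon.dist src/
-
--
-name: Run PHPSpec
-run: vendor/bin/phpspec run --ansi -f progress --no-interaction
-
 -
 name: Run PHPUnit
 run: vendor/bin/phpunit --colors=always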
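Review bot: The new step in the first hunk fails open in two places. In new lines 154–172 a non-zero `composer audit` exit whose report yields no CVE ids (an advisory carrying only a non-CVE identifier, or a run that failed before writing JSON) leaves `FOUND` empty, so `DIFF` is empty and the step prints the "Only ignored CVEs" success message; on new line 174 `|| true` swallows any failure of `symfony security:check`, after which `jq` on an empty or truncated `symfony-audit.json` emits nothing and the step reports no new vulnerabilities, so a broken scanner is indistinguishable from a clean one. After the `FOUND` assignment ending on new line 159 add `[ -n "$FOUND" ] || { echo "composer audit exited ${AUDIT_EXIT} but no CVE ids were parsed from composer-audit.json"; exit 1; }`, and after new line 174 add `jq -e 'type == "object"' symfony-audit.json >/dev/null || { echo "symfony security:check produced no parseable report"; exit 1; }` so a tool error fails the job instead of passing it. Both `jq` paths (`.advisories[]?.advisories[]?.cve?` and `.[]?.advisories[]?.cve?`) presumably match the two tools' JSON layouts; worth confirming against a sample report, since a silently mismatched path would pass the same way.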
