ci: add security check workflow

.github/workflows/apply-labels.yml

@@ -14,7 +14,7 @@ name: 🏷️ Add labels
 
 jobs:
   label:
-    uses: wayofdev/gh-actions/.github/workflows/apply-labels.yml@master
+    uses: wayofdev/gh-actions/.github/workflows/apply-labels.yml@v3.1.0
     with:
       os: ubuntu-latest
     secrets:

.github/workflows/create-release.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 🎉 Create release
-        uses: google-github-actions/release-please-action@v4
+        uses: googleapis/release-please-action@v4.1.1
         id: release
         with:
           token: ${{ secrets.PERSONAL_GITHUB_TOKEN }}

.github/workflows/security-analysis.yml

@@ -0,0 +1,63 @@
+---
+
+name: 🔐 Security analysis
+
+on:  # yamllint disable-line rule:truthy
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  security-analysis:
+    timeout-minutes: 4
+    runs-on: ${{ matrix.os }}
+    concurrency:
+      cancel-in-progress: true
+      group: security-analysis-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+    strategy:
+      fail-fast: true
+      matrix:
+        os:
+          - ubuntu-latest
+        php-version:
+          - '8.2'
+        dependencies:
+          - locked
+    steps:
+      - name: 📦 Check out the codebase
+        uses: actions/[email protected]
+
+      - name: 🛠️ Setup PHP
+        uses: shivammathur/[email protected]
+        with:
+          php-version: ${{ matrix.php-version }}
+          extensions: none, ctype, dom, json, mbstring, simplexml, tokenizer, xml, xmlwriter, pdo, curl, fileinfo, pdo_mysql
+          ini-values: error_reporting=E_ALL
+          coverage: none
+
+      - name: 🛠️ Setup problem matchers
+        run: echo "::add-matcher::${{ runner.tool_cache }}/php.json"
+
+      - name: 🤖 Validate composer.json and composer.lock
+        run: composer validate --ansi --strict
+
+      - name: 🔍 Get composer cache directory
+        uses: wayofdev/gh-actions/actions/composer/[email protected]
+
+      - name: ♻️ Restore cached dependencies installed with composer
+        uses: actions/[email protected]
+        with:
+          path: ${{ env.COMPOSER_CACHE_DIR }}
+          key: php-${{ matrix.php-version }}-composer-${{ matrix.dependencies }}-${{ hashFiles('composer.lock') }}
+          restore-keys: php-${{ matrix.php-version }}-composer-${{ matrix.dependencies }}-
+
+      - name: 📥 Install "${{ matrix.dependencies }}" dependencies
+        uses: wayofdev/gh-actions/actions/composer/[email protected]
+        with:
+          dependencies: ${{ matrix.dependencies }}
+
+      - name: 🐛 Check installed packages for security vulnerability advisories
+        run: composer audit --ansi

.github/workflows/shellcheck.yml

@@ -10,7 +10,7 @@ permissions:
 
 jobs:
   shellcheck:
-    uses: wayofdev/gh-actions/.github/workflows/shellcheck.yml@master
+    uses: wayofdev/gh-actions/.github/workflows/shellcheck.yml@v3.1.0
     with:
       os: ubuntu-latest
       severity: warning

.github/workflows/static-analysis.yml

@@ -0,0 +1,73 @@
+---
+
+on:  # yamllint disable-line rule:truthy
+  push:
+    branches:
+      - master
+    paths:
+      - 'config/**'
+      - 'src/**'
+      - 'tests/**'
+      - '.php-cs-fixer.dist.php'
+  pull_request:
+    branches:
+      - master
+    paths:
+      - 'config/**'
+      - 'src/**'
+      - 'tests/**'
+      - '.php-cs-fixer.dist.php'
+
+name: 🔍 Static analysis
+
+jobs:
+  static-analysis:
+    timeout-minutes: 4
+    runs-on: ${{ matrix.os }}
+    concurrency:
+      cancel-in-progress: true
+      group: static-analysis-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+    strategy:
+      fail-fast: true
+      matrix:
+        os:
+          - ubuntu-latest
+        php-version:
+          - '8.2'
+        dependencies:
+          - locked
+    steps:
+      - name: 📦 Check out the codebase
+        uses: actions/[email protected]
+
+      - name: 🛠️ Setup PHP
+        uses: shivammathur/[email protected]
+        with:
+          php-version: ${{ matrix.php-version }}
+          extensions: none, ctype, dom, json, mbstring, simplexml, tokenizer, xml, xmlwriter, pdo, curl, fileinfo, pdo_mysql
+          ini-values: error_reporting=E_ALL
+          coverage: none
+
+      - name: 🛠️ Setup problem matchers
+        run: echo "::add-matcher::${{ runner.tool_cache }}/php.json"
+
+      - name: 🤖 Validate composer.json and composer.lock
+        run: composer validate --ansi --strict
+
+      - name: 🔍 Get composer cache directory
+        uses: wayofdev/gh-actions/actions/composer/[email protected]
+
+      - name: ♻️ Restore cached dependencies installed with composer
+        uses: actions/[email protected]
+        with:
+          path: ${{ env.COMPOSER_CACHE_DIR }}
+          key: php-${{ matrix.php-version }}-composer-${{ matrix.dependencies }}-${{ hashFiles('composer.lock') }}
+          restore-keys: php-${{ matrix.php-version }}-composer-${{ matrix.dependencies }}-
+
+      - name: 📥 Install "${{ matrix.dependencies }}" dependencies
+        uses: wayofdev/gh-actions/actions/composer/[email protected]
+        with:
+          dependencies: ${{ matrix.dependencies }}
+
+      - name: 🔍 Run static analysis using phpstan/phpstan
+        run: composer stan:ci

.phive/phars.xml

@@ -1,4 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <phive xmlns="https://phar.io/phive">
-  <phar name="composer-require-checker" version="^4.10.0" installed="4.10.0" location="./.phive/composer-require-checker" copy="false"/>
+  <phar name="composer-normalize" version="^2.42.0" installed="2.42.0" location="./.phive/composer-normalize" copy="false"/>
+  <phar name="composer-require-checker" version="^4.11.0" installed="4.11.0" location="./.phive/composer-require-checker" copy="false"/>
 </phive>

Makefile

@@ -171,7 +171,7 @@ update: ## Updates composer dependencies by running composer update command
 .PHONY: update
 
 phive: ## Installs dependencies with phive
-	$(APP_RUNNER) /usr/local/bin/phive install --trust-gpg-keys 0x033E5F8D801A2F8D
+	$(APP_RUNNER) /usr/local/bin/phive install --trust-gpg-keys 0xC00543248C87FB13,0x033E5F8D801A2F8D
 .PHONY: phive
 
 #
@@ -241,7 +241,7 @@ lint-deps: ## Runs composer-require-checker – checks for dependencies that are
 .PHONY: lint-deps
 
 lint-composer: ## Normalize composer.json and composer.lock files
-	$(APP_COMPOSER) normalize
+	$(APP_RUNNER) .phive/composer-normalize normalize
 .PHONY: lint-composer
 
 lint-audit: ## Runs security checks for composer dependencies

composer.json

@@ -3,7 +3,6 @@
     "description": "🔥 A Laravel adapter for CycleORM, providing seamless integration of the Cycle DataMapper ORM for advanced database handling and object mapping in PHP applications.",
     "license": "MIT",
     "type": "library",
-    "version": "4.12.3",
     "keywords": [
         "php",
         "php8",
@@ -44,6 +43,7 @@
     ],
     "require": {
         "php": "^8.2",
+        "ext-fileinfo": "*",
         "ext-pdo": "*",
         "cycle/annotated": "^4.1",
         "cycle/database": "^2.8",
@@ -62,8 +62,9 @@
         "symfony/console": "^6.4 || ^7.0"
     },
     "require-dev": {
+        "ext-curl": "*",
+        "ext-pdo_mysql": "*",
         "beberlei/assert": "^3.3",
-        "ergebnis/composer-normalize": "^2.42",
         "fakerphp/faker": "^1.23",
         "larastan/larastan": "^2.9",
         "laravel/telescope": "^5.0",
@@ -80,13 +81,18 @@
         "psalm/plugin-phpunit": "~0.19.0",
         "rector/rector": "^1.0",
         "roave/infection-static-analysis-plugin": "^1.35",
-        "roave/security-advisories": "dev-latest",
         "vimeo/psalm": "^5.23.1",
         "wayofdev/cs-fixer-config": "^1.2"
     },
     "suggest": {
+        "ext-pdo_mysql": "Required for MySQL database support",
+        "ext-pdo_pgsql": "Required for PostgreSQL database support",
+        "ext-pdo_sqlite": "Required for SQLite database support",
+        "cycle/active-record": "Provides a simple way to work with your database using Active Record pattern and Cycle ORM",
+        "wayofdev/cs-fixer-config": "A set of PHP-CS-Fixer rules for Laravel projects",
         "wayofdev/laravel-cycle-orm-factories": "Cycle-ORM Entity Factories and Database Seeders for Laravel",
-        "wayofdev/laravel-paginator": "Custom Laravel Paginator for Cycle-ORM implementing RFC 5988"
+        "wayofdev/laravel-paginator": "Custom Laravel Paginator for Cycle-ORM implementing RFC 5988",
+        "wayofdev/laravel-symfony-serializer": "Symfony Serializer for Laravel"
     },
     "minimum-stability": "dev",
     "prefer-stable": true,
@@ -108,6 +114,9 @@
             "pestphp/pest-plugin": true,
             "phpstan/extension-installer": true
         },
+        "platform": {
+            "php": "8.2.19"
+        },
         "sort-packages": true
     },
     "extra": {
@@ -132,11 +141,13 @@
         "cs:fix": "php vendor/bin/php-cs-fixer fix -v",
         "infect": [
             "Composer\\Config::disableProcessTimeout",
-            "XDEBUG_MODE=coverage php vendor/bin/roave-infection-static-analysis-plugin --threads=2 --configuration=infection.json.dist"
+            "@putenv XDEBUG_MODE=coverage",
+            "php vendor/bin/roave-infection-static-analysis-plugin --threads=2"
         ],
         "infect:ci": [
             "Composer\\Config::disableProcessTimeout",
-            "XDEBUG_MODE=coverage php vendor/bin/roave-infection-static-analysis-plugin --threads=2 --ansi --configuration=infection.json.dist --logger-github --ignore-msi-with-no-mutations --only-covered"
+            "@putenv XDEBUG_MODE=coverage",
+            "php vendor/bin/roave-infection-static-analysis-plugin --threads=2 --ansi --logger-github --ignore-msi-with-no-mutations --only-covered"
         ],
         "psalm": "php vendor/bin/psalm --show-info=true",
         "psalm:baseline": "php vendor/bin/psalm --set-baseline=psalm-baseline.xml",
@@ -146,7 +157,13 @@
         "stan": "php vendor/bin/phpstan analyse --memory-limit=2G",
         "stan:baseline": "php vendor/bin/phpstan analyse --generate-baseline --memory-limit=2G --allow-empty-baseline",
         "stan:ci": "php vendor/bin/phpstan analyse --memory-limit=2G --error-format=github",
-        "test": "XDEBUG_MODE=coverage php vendor/bin/pest",
-        "test:cc": "XDEBUG_MODE=coverage php vendor/bin/pest --coverage --coverage-clover=.build/phpunit/logs/clover.xml"
+        "test": [
+            "@putenv XDEBUG_MODE=coverage",
+            "php vendor/bin/pest"
+        ],
+        "test:cc": [
+            "@putenv XDEBUG_MODE=coverage",
+            "php vendor/bin/pest --coverage --coverage-clover=.build/phpunit/logs/clover.xml"
+        ]
     }
 }