Latest => v4.0

.github/dependabot.yml

@@ -0,0 +1,19 @@
+version: 2
+updates:
+  # Enable checks for the default vendor folder
+  - package-ecosystem: "composer"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  # Enable checks for Google API Client package
+  - package-ecosystem: "composer"
+    directory: "/lib/Google"
+    schedule:
+      interval: "weekly"
+
+  # Enable checks for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/publish-release.yml

@@ -0,0 +1,150 @@
+name: Publish Release
+run-name: Publish Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      release:
+        description: 'Release version (e.g. 1.2.3)'
+        required: true
+      prerelease:
+        description: 'Pre-release version (e.g. RC1, beta, etc...)'
+        required: false
+
+permissions:
+  contents: write
+
+env:
+  TAG: ${{ github.event.inputs.release }}
+  PRETAG: ${{ github.event.inputs.prerelease }}
+  BRANCH: temp-release-${{ github.event.inputs.release }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Prepare vars
+        id: vars
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const full_tag = [
+              process.env.TAG,
+              process.env.PRETAG
+            ].filter(Boolean).join('-');
+            const branch = `temp-release-${full_tag}`;
+            const is_prerelease = !!process.env.PRETAG;
+
+            core.setOutput('full_tag', full_tag );
+            core.setOutput('branch', branch );
+            core.setOutput('is_prerelease', is_prerelease );
+
+      # 'ref' and 'repository' are required, otherwise repo could appear in detached head state
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.head_ref }}
+          repository: ${{ github.repository }}
+
+      - name: Parse Changelog Entries
+        uses: actions/github-script@v7
+        id: changelog
+        with:
+          script: |
+            const { open } = require('fs/promises');
+
+            const version = process.env.TAG;
+            const delimiter = '#### ';
+            const file = await open('./changes.md');
+
+            let description = [];
+            let found = false;
+
+            for await (let line of file.readLines()) {
+              line = line.trim();
+
+              if ( line.startsWith(`${delimiter}${version}`) ) {
+                found = true;
+                continue;
+              }
+
+              if (!found) continue;
+              if ( line.startsWith(delimiter) )  break;
+
+              description.push(line);
+            }
+
+            if ( !description.length ) core.setFailed(`Release ${version} not found in the changelog!`);
+
+            core.setOutput('description', description.join('\n') );
+
+
+      # cleanup files that are not needed for the release
+      # but keep the .git folder, because we need it for the next step
+      - name: Cleanup files
+        run: |
+          rm -f composer.lock || true
+          rm -rf vendor/composer/installers || true
+          find ./ -name '.git*' -not -path './.git' -type f -delete || true
+          find ./ -name '.git*' -not -path './.git' -type d -exec rm -rf {} \; || true
+          find ./vendor -name .svn -exec rm -rf {} \; || true
+
+      # cleanup files, specific to Google API PHP library
+      - name: Cleanup files for Google API library
+        run: |
+          rm -f lib/Google/phpstan.neon.dist || true
+          rm -f lib/Google/vendor/paragonie/random_compat/build-phar.sh || true
+          find ./lib/Google/ -name '.repo-metadata.json' -type f -delete || true
+          find ./lib/Google/vendor -name .svn -exec rm -rf '{}' \; || true
+
+      # commit changes to temporary release branch and create a new tag
+      - name: Commit changes
+        uses: EndBug/add-and-commit@v9
+        with:
+          message: Cleanup files for release
+          new_branch: ${{ steps.vars.outputs.branch }}
+          tag: ${{ steps.vars.outputs.full_tag }}
+
+      # generate SBOM that will be attached to a release as an artifact
+      - name: Create SBOM
+        id: sbom
+        uses: anchore/sbom-action@v0
+        with:
+          path: .
+          output-file: sbom.spdx.json
+          format: spdx-json
+
+      # create a draft release with the version changelog as a description
+      - name: Create Draft Release
+        id: draft_release
+        uses: softprops/action-gh-release@v1
+        with:
+          name: "Release ${{ steps.vars.outputs.full_tag }}"
+          body: "${{ steps.changelog.outputs.description }}"
+          tag_name: ${{ steps.vars.outputs.full_tag }}
+          draft: true
+          prerelease: ${{ steps.vars.outputs.is_prerelease }}
+
+      # attach SBOM to release
+      - name: Upload SBOM to release
+        uses: actions/[email protected]
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.draft_release.outputs.upload_url }}
+          asset_path: ./sbom.spdx.json
+          asset_name: sbom.spdx.json
+          asset_content_type: application/json
+
+      # publish release using an ID from the 'draft_release' step
+      - name: Publish Release
+        uses: eregon/publish-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          release_id: ${{ steps.draft_release.outputs.id }}
+
+      # delete temporary release branch
+      - name: Delete temporary release branch
+        run: |
+          git push origin --delete ${{ steps.vars.outputs.branch }}

.github/workflows/security-scan.yml

@@ -0,0 +1,25 @@
+name: Security Scan
+run-name: Security Scan
+
+on: 
+  push:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  code-scanning:
+    name: Code Scanning (grype)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Run Security Check
+        id: test
+        uses: anchore/scan-action@v3
+        with:
+          path: .
+          output-format: table
+
+