From f365d7a6adae80aa33f0bc49255fa61bdb942086 Mon Sep 17 00:00:00 2001
From: Lewis Larsen
Date: Mon, 22 Jul 2024 22:55:49 +0100
Subject: [PATCH] chore: Added ci workflows
---
 .../workflows/composer-dependency-health.yml | 65 +++++++++++++
 .github/workflows/npm-dependency-health.yml | 68 ++++++++++++++
 .github/workflows/security-check.yml | 92 -------------------
 3 files changed, 133 insertions(+), 92 deletions(-)
 create mode 100644 .github/workflows/composer-dependency-health.yml
 create mode 100644 .github/workflows/npm-dependency-health.yml
 delete mode 100644 .github/workflows/security-check.yml
diff --git a/.github/workflows/composer-dependency-health.yml b/.github/workflows/composer-dependency-health.yml
new file mode 100644
index 00000000..1f516e1d
--- /dev/null
+++ b/.github/workflows/composer-dependency-health.yml
@@ -0,0 +1,65 @@
+name: Composer Dependency Health Check
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+ schedule:
+ - cron: '0 0 * * 1' # Run weekly on Mondays
+
+jobs:
+ dependency-check:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Setup PHP
+ uses: shivammathur/setup-php@v2
+ with:
+ php-version: '8.3'
+ extensions: mbstring, xml, ctype, iconv, intl, pdo_sqlite, dom, filter, gd, iconv, json, mbstring, pdo
+
+ - name: Validate composer.json and composer.lock
+ run: composer validate
+
+ - name: Install dependencies
+ run: composer install --prefer-dist --no-progress --no-suggest
+
+ - name: Check for outdated dependencies
+ run: composer outdated --direct --format=json > outdated.json
+
+ - name: Security Check
+ uses: symfonycorp/security-checker-action@v5
+ id: security-check
+
+ - name: Process and Output Dependency Health Results
+ if: always()
+ run: |
+ echo "# Composer Dependency Health Report" >> $GITHUB_STEP_SUMMARY
+
+ echo "## Outdated Packages:" >> $GITHUB_STEP_SUMMARY
+ if [ -s outdated.json ]; then
+ jq -r '.installed[] | "- \(.name) (\(.version) => \(.latest))"' outdated.json >> $GITHUB_STEP_SUMMARY
+ else
+ echo "No outdated packages found." >> $GITHUB_STEP_SUMMARY
+ fi
+
+ echo "## Security Vulnerabilities:" >> $GITHUB_STEP_SUMMARY
+ if [ -s ${{ steps.security-check.outputs.logfile }} ]; then
+ cat ${{ steps.security-check.outputs.logfile }} >> $GITHUB_STEP_SUMMARY
+ else
+ echo "No security vulnerabilities detected." >> $GITHUB_STEP_SUMMARY
+ fi
+
+ echo "This report was automatically generated by the Composer Dependency Health Check workflow." >> $GITHUB_STEP_SUMMARY
+
+ - name: Check for Critical Issues
+ if: always()
+ run: |
+ VULNERABILITIES=$(cat ${{ steps.security-check.outputs.logfile }} | wc -l)
+ OUTDATED=$(jq '.installed | length' outdated.json)
+ if [ $VULNERABILITIES -gt 0 ] || [ $OUTDATED -gt 0 ]; then
+ echo "::warning::Dependency issues detected. 
Please check the workflow summary for details."
+ fi
diff --git a/.github/workflows/npm-dependency-health.yml b/.github/workflows/npm-dependency-health.yml
new file mode 100644
index 00000000..f5d9e99c
--- /dev/null
+++ b/.github/workflows/npm-dependency-health.yml
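Review bot: `${{ steps.security-check.outputs.logfile }}` is expanded unquoted into `[ -s … ]`, `cat` and `wc -l` in the two `run:` blocks; I cannot confirm that symfonycorp/security-checker-action@v5 exposes a `logfile` output, and if it does not the expression expands to nothing, `[ -s ]` with no operand evaluates true and `cat` with no operand reads stdin, so the summary and the vulnerability count degrade silently. A safer shape is to capture the path once and quote it, e.g. `LOG="${{ steps.security-check.outputs.logfile }}"` followed by `if [ -n "$LOG" ] && [ -s "$LOG" ]; then`, and to count vulnerabilities from the action's structured output rather than with `wc -l` on a log. The workflow also has no top-level `permissions:` block although it only reads the repository, so `permissions:` / `  contents: read` would drop the default write scopes from `GITHUB_TOKEN`; the same applies to the npm workflow in the next hunk, and in both the third-party actions are referenced by mutable tags rather than commit SHAs. The deleted security-check.yml ran `composer validate --strict` and `vendor/bin/phpunit`; neither has a replacement here, and `composer validate` without `--strict` no longer fails on warnings.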
@@ -0,0 +1,68 @@
+name: NPM Dependency Health Check
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+ schedule:
+ - cron: '0 0 * * 1' # Run weekly on Mondays
+
+jobs:
+ dependency-check:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v3
+ with:
+ node-version: '18' # or your preferred Node.js version
+
+ - name: Cache npm packages
+ uses: actions/cache@v3
+ with:
+ path: ~/.npm
+ key: ${{ runner.OS }}-node-${{ hashFiles('**/package-lock.json') }}
+ restore-keys: |
+ ${{ runner.OS }}-node-
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Check for outdated dependencies
+ run: npm outdated --json > outdated.json
+
+ - name: Run security audit
+ run: npm audit --json > audit.json
+
+ - name: Process and Output Dependency Health Results
+ if: always()
+ run: |
+ echo "# NPM Dependency Health Report" >> $GITHUB_STEP_SUMMARY
+
+ echo "## Outdated Packages:" >> $GITHUB_STEP_SUMMARY
+ if [ -s outdated.json ] && [ "$(cat outdated.json)" != "{}" ]; then
+ jq -r 'to_entries[] | "- \(.key) (\(.value.current) => \(.value.latest))"' outdated.json >> $GITHUB_STEP_SUMMARY
+ else
+ echo "No outdated packages found." >> $GITHUB_STEP_SUMMARY
+ fi
+
+ echo "## Security Vulnerabilities:" >> $GITHUB_STEP_SUMMARY
+ if [ -s audit.json ] && [ "$(jq '.vulnerabilities | length' audit.json)" != "0" ]; then
+ jq -r '.vulnerabilities | to_entries[] | "- \(.key) (\(.value.severity)): \(.value.title)"' audit.json >> $GITHUB_STEP_SUMMARY
+ else
+ echo "No security vulnerabilities detected." >> $GITHUB_STEP_SUMMARY
+ fi
+
+ echo "This report was automatically generated by the NPM Dependency Health Check workflow." 
>> $GITHUB_STEP_SUMMARY
+
+ - name: Check for Critical Issues
+ if: always()
+ run: |
+ VULNERABILITIES=$(jq '.vulnerabilities | length' audit.json)
+ OUTDATED=$(jq 'length' outdated.json)
+ if [ $VULNERABILITIES -gt 0 ] || [ $OUTDATED -gt 0 ]; then
+ echo "::warning::Dependency issues detected. Please check the workflow summary for details."
+ fi
diff --git a/.github/workflows/security-check.yml b/.github/workflows/security-check.yml
deleted file mode 100644
index 4b4e77dd..00000000
--- a/.github/workflows/security-check.yml
+++ /dev/null
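Review bot: `npm outdated --json > outdated.json` exits non-zero whenever any package is outdated, and `npm audit --json > audit.json` exits non-zero whenever a vulnerability is found, so the job is already marked failed before the `if: always()` reporting steps run and the `::warning::` in the last step never acts as the signal; if the intent is a report rather than a gate, write `run: npm outdated --json > outdated.json || true` and decide explicitly with `--audit-level` whether the audit step should gate. In the summary step the jq line prints `\(.value.title)`, but in the npm 7+ audit format bundled with Node 18 each entry under `.vulnerabilities` carries `severity`, `via`, `range` and `fixAvailable` with the advisory titles inside `via[]`, so that field appears as `null`; `\([.value.via[] | if type == "object" then .title else . end] | join("; "))` prints the titles instead. The manual `actions/cache@v3` step also duplicates what `setup-node`'s `cache: npm` input provides, and `setup-node@v3`/`cache@v3` sit next to `checkout@v4`.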
@@ -1,92 +0,0 @@ -name: CI - -on: - push: - branches: [ main ] - pull_request: - branches: [ main ] - -jobs: - build-test: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v4 - - - name: Setup PHP - uses: shivammathur/setup-php@v2 - with: - php-version: '8.3' - extensions: mbstring, xml, ctype, iconv, intl, pdo_sqlite, dom, filter, gd, iconv, json, mbstring, pdo - - - name: Validate composer.json and composer.lock - run: composer validate --strict - - - name: Cache Composer packages - id: composer-cache - uses: actions/cache@v3 - with: - path: vendor - key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }} - restore-keys: | - ${{ runner.os }}-php- - - - name: Install dependencies - run: composer install --prefer-dist --no-progress - - - name: Run test suite - run: vendor/bin/phpunit - - - name: Security Check - uses: symfonycorp/security-checker-action@v5 - - - name: Create GitHub Issue on Security Failure - if: failure() - uses: actions/github-script@v6 - with: - github-token: ${{secrets.GITHUB_TOKEN}} - script: | - const fs = require('fs'); - const securityCheckOutput = fs.readFileSync('${{ steps.security-check.outputs.logfile }}', 'utf8'); - - const issueBody = ` - # Security Vulnerabilities Detected - - The security check has detected vulnerabilities in the project dependencies. - - ## Details: - - \`\`\` - ${securityCheckOutput} - \`\`\` - - Please review these vulnerabilities and update the affected dependencies if possible. 
- - _This issue was automatically created by the Security Check GitHub Action._ - `; - - const issues = await github.rest.issues.listForRepo({ - owner: context.repo.owner, - repo: context.repo.repo, - state: 'open', - labels: ['security'] - }); - - const existingIssue = issues.data.find(issue => issue.title.includes('Security Vulnerabilities Detected')); - - if (existingIssue) { - await github.rest.issues.update({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: existingIssue.number, - body: issueBody - }); - } else { - await github.rest.issues.create({ - owner: context.repo.owner, - repo: context.repo.repo, - title: 'Security Vulnerabilities Detected', - body: issueBody, - labels: ['security'] - }); - }