From 3c6ae5188288a2c8f05caaa53fe0e62e847f8bed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20P=C5=82otka?=
Date: Mon, 25 Jan 2021 15:55:15 +0100
Subject: [PATCH] Introduce GitHub Actions for Local PHP Security Checker.
---
 .github/workflows/update.yml | 64 ++++++++++++++++++++++++++++++++++++
 Dockerfile | 22 +++++++++++++
 README.md | 54 ++++++++++++++++++++++++++++++
 action.yaml | 25 ++++++++++++++
 entrypoint.sh | 15 +++++++++
 5 files changed, 180 insertions(+)
 create mode 100644 .github/workflows/update.yml
 create mode 100644 Dockerfile
 create mode 100644 README.md
 create mode 100644 action.yaml
 create mode 100644 entrypoint.sh
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
new file mode 100644
index 0000000..632f705
--- /dev/null
+++ b/.github/workflows/update.yml
@@ -0,0 +1,64 @@
+name: Release
+
+on:
+ workflow_dispatch:
+ push:
+ schedule:
+ - cron: '30 */4 * * *'
+
+jobs:
+ update:
+ name: Push tagged image to registry
+ runs-on: ubuntu-latest
+
+ steps:
+ -
+ name: Checkout code
+ uses: actions/checkout@v2
+ with:
+ ref: main
+
+ -
+ name: Fetch latest version
+ id: fetch_latest_version
+ run: |
+ last_release_info=$(curl --silent "https://api.github.com/repos/fabpot/local-php-security-checker/releases/latest")
+ version=$(echo "${last_release_info}" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/')
+ echo "Last local php security checker version is ${version}"
+ echo ::set-output name=version::${version}
+
+ executable_url=$(echo "${last_release_info}" | grep -E "browser_download_url(.+)linux_amd64" | cut -d : -f 2,3 | tr -d \")
+ echo "Executable url is ${executable_url}"
+ echo ::set-output name=executable_url::${executable_url}
+
+ -
+ name: Set up QEMU
+ uses: docker/setup-qemu-action@v1
+
+ -
+ name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+
+ -
+ name: Login to DockerHub
+ uses: docker/login-action@v1
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ -
+ name: Push to Docker Hub
+ id: docker_build
+ uses: docker/build-push-action@v2
+ with:
+ push: true
+ tags: |
+ pplotka/local-php-security-checker-github-actions:latest
+ pplotka/local-php-security-checker-github-actions:${{ steps.fetch_latest_version.outputs.version }}
+ build-args: |
+ EXECUTABLE_URL=${{ steps.fetch_latest_version.outputs.executable_url }}
+
+ -
+ name: Image digest
+ run: echo ${{ steps.docker_build.outputs.digest }}
+
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..8aa1ef2
--- /dev/null
+++ b/Dockerfile
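Review bot: The release lookup in the `Fetch latest version` step has no success check: `curl --silent` exits 0 on an HTTP error body (unauthenticated API calls are rate-limited), and `version` and `executable_url` are grepped out of whatever came back without being validated, so the build step can end up with an empty image tag and an empty `EXECUTABLE_URL`, depending on which shell options the runner applies to `run:`. I would use `curl -fsSL` and add `[ -n "${version}" ] && [ -n "${executable_url}" ] || exit 1` before the outputs are set; `jq -r .tag_name` would also be a less fragile way to read the JSON than the grep/sed/cut chain. The URL is forwarded to the Dockerfile with nothing that lets the build verify what it downloads; if the release publishes a checksum, fetching it here and passing it as a second build-arg would make the image contents verifiable. Also note that the `push:` trigger has no branch filter while the checkout pins `ref: main`, so a push to any branch republishes `latest` from `main`.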
@@ -0,0 +1,22 @@
+FROM alpine:latest
+
+ARG EXECUTABLE_URL
+
+LABEL "com.github.actions.name"="Local PHP Security Checker"
+LABEL "com.github.actions.description"="Run local php security checker via GitHub Actions"
+LABEL "com.github.actions.icon"="check"
+LABEL "com.github.actions.color"="blue"
+
+LABEL "repository"="https://github.com/pplotka/local-php-security-checker-github-actions"
+LABEL "homepage"="http://github.com/actions"
+LABEL "maintainer"="Paweł Płotka "
+
+RUN echo "${EXECUTABLE_URL}"
+RUN wget -O /security-checker ${EXECUTABLE_URL}
+
+COPY ./entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh /security-checker
+
+WORKDIR /app
+
+ENTRYPOINT [ "/entrypoint.sh" ]
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..2a8965d
--- /dev/null
+++ b/README.md
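Review bot: `RUN wget -O /security-checker ${EXECUTABLE_URL}` places an unverified binary at the path the entrypoint executes, and with `FROM alpine:latest` the base is unpinned as well, so two builds of the same version tag can produce different images. I would add `ARG EXECUTABLE_SHA256` and verify in the same layer: `RUN wget -O /security-checker "${EXECUTABLE_URL}" && echo "${EXECUTABLE_SHA256}  /security-checker" | sha256sum -c -`, with the workflow supplying the digest, and pin the base to a specific Alpine release. The `RUN echo "${EXECUTABLE_URL}"` line is a leftover debug layer and can be dropped, and `COPY --chmod=755 ./entrypoint.sh /entrypoint.sh` would replace the follow-up `chmod` for the script (the build already goes through buildx, so the BuildKit flag is available).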
@@ -0,0 +1,54 @@
+# GitHub Actions for Local PHP Security Checker
+
+Run [Local PHP Security Checker](https://github.com/fabpot/local-php-security-checker) via GitHub Actions.
+
+## How to use
+```yaml
+name: Security scanner
+
+on: [push, pull_request]
+
+jobs:
+ psalm:
+ name: Local PHP Security Checker
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Local PHP Security Checker
+ uses: docker://pplotka/local-php-security-checker-github-actions
+```
+
+You can specify version of Local PHP Security Checker:
+
+```diff
+ - name: Local PHP Security Checker
+- uses: docker://pplotka/local-php-security-checker-github-actions
++ uses: docker://pplotka/local-php-security-checker-github-actions:v1.0.0
+```
+
+You can also pass a `path` to check a specific directory:
+```diff
+ - name: Local PHP Security Checker
+ uses: docker://pplotka/local-php-security-checker-github-actions
++ with:
++ path: path/to/php/project/composer.lock
+```
+
+By default, the output is optimized for terminals, change it via the `format` parameter (supported formats: `ansi`, `markdown`, `json`, and `yaml`):
+```diff
+ - name: Local PHP Security Checker
+ uses: docker://pplotka/local-php-security-checker-github-actions
++ with:
++ format: markdown
+```
+
+## Use without GitHub Actions
+The Docker Image is located here: https://hub.docker.com/r/pplotka/local-php-security-checker-github-actions
+
+You can run checking any directory with `composer.lock` file with this command:
+
+```shell
+docker run --rm -it -w /app -v $(pwd):/app pplotka/local-php-security-checker-github-actions --format=yaml
+```
diff --git a/action.yaml b/action.yaml
new file mode 100644
index 0000000..f82828b
--- /dev/null
+++ b/action.yaml
@@ -0,0 +1,25 @@
+# https://help.github.com/en/articles/metadata-syntax-for-github-actions
+
+author: 'pplotka'
+
+branding:
+ icon: 'check'
+ color: 'blue'
+
+description: 'Run local php security checker via GitHub Actions.'
+
+name: 'Local PHP Security Checker'
+
+inputs:
+ path:
+ required: false
+ default: false
+ description: 'Pass to check a specific directory'
+ format:
+ required: false
+ default: 'ansi'
+ description: 'Output format'
+
+runs:
+ using: 'docker'
+ image: 'docker://pplotka/local-php-security-checker-github-actions'
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..1be502f
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,15 @@
+#!/bin/sh -l
+set -e
+
+PATH=""
+if [ ! -z "${INPUT_PATH}" ]; then
+ PATH="--path=${INPUT_PATH}"
+fi
+
+FORMAT=""
+if [ ! -z "${INPUT_FORMAT}" ]; then
+ FORMAT="--path=${INPUT_FORMAT}"
+fi
+
+/security-checker --update-cache
+/security-checker ${PATH} ${FORMAT} $*
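Review bot: `default: false` on the `path` input gives `INPUT_PATH` the literal string `false` whenever a caller omits the input, so the entrypoint's non-empty test passes and `--path=false` is handed to the checker; the README example that omits `path` would therefore not scan the working directory as intended. Use `default: ''` (or drop the `default` key) so an omitted input stays empty; `required: false` already covers the optional case.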
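Review bot: `FORMAT="--path=${INPUT_FORMAT}"` builds the wrong flag, so the `format` input documented in the README is sent as a second `--path` and never reaches the checker; it should be `--format=`. Two smaller issues in the same script: `PATH=""` overwrites the shell's command search path (only harmless because both invocations use absolute paths, so a plain variable name should be used instead), and `$*` should be `"$@"` so extra arguments keep their boundaries. Building the argument list with `set --` fixes the flag and avoids the unquoted expansions at once:
```shell
set -e

# prepend format first, then path, so the final order is: path, format, caller args
set -- "$@"
if [ -n "${INPUT_FORMAT}" ]; then set -- "--format=${INPUT_FORMAT}" "$@"; fi
if [ -n "${INPUT_PATH}" ]; then set -- "--path=${INPUT_PATH}" "$@"; fi

# … unchanged: --update-cache call …
/security-checker "$@"
```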