adjust security checks in github CI #2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: | |
| - master | |
| pull_request: | |
| branches: | |
| - master | |
| jobs: | |
| static: | |
| runs-on: ubuntu-latest | |
| env: | |
| APP_ENV: test | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v2 | |
| - name: Set up PHP | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: 8.2 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v2 | |
| with: | |
| node-version: '14' | |
| - name: Install Composer dependencies | |
| run: composer install --no-interaction --no-progress --ignore-platform-reqs | |
| - name: Install Node.js dependencies | |
| run: yarn install --immutable | |
| - name: Run PHP security checks | |
| uses: symfonycorp/security-checker-action@v5 | |
| - name: Run JS security checks | |
| run: yarn audit:high | |
| - name: Cache warmup for PHPStan | |
| run: php bin/console cache:warmup --env=dev | |
| - name: Run PHPStan | |
| run: php bin/phpstan analyse --no-progress --memory-limit 1G src | |
| - name: Lint YAML | |
| run: bin/console lint:yaml config | |
| - name: Lint Twig | |
| run: bin/console lint:twig templates | |
| - name: Lint Container | |
| run: bin/console lint:container | |
| - name: Lint JS | |
| run: yarn lint:js | |
| - name: Lint CSS | |
| run: yarn lint:css | |
| - name: Run PHPUnit tests | |
| run: | | |
| mkdir -p public/build | |
| printf "{}" > public/build/manifest.json | |
| bin/simple-phpunit | |
| deploy_staging: | |
| runs-on: ubuntu-latest | |
| needs: static | |
| if: github.ref == 'refs/heads/master' | |
| environment: staging | |
| env: | |
| APP_ENV: dev | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v2 | |
| - name: Set up PHP | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: 8.2 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v2 | |
| with: | |
| node-version: '14' | |
| - name: Install Composer dependencies | |
| run: composer install --classmap-authoritative --no-interaction --no-progress --ignore-platform-reqs | |
| - name: Install Node.js dependencies | |
| run: yarn install --immutable | |
| - name: Run security checks | |
| run: | | |
| symfony security:check | |
| yarn audit:high | |
| - name: Build assets | |
| run: yarn build --mode development | |
| - name: Deploy to staging | |
| run: | | |
| # Add your deployment script here | |
| deploy_prod: | |
| runs-on: ubuntu-latest | |
| needs: static | |
| if: github.ref == 'refs/heads/master' | |
| environment: production | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v2 | |
| - name: Set up PHP | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: 8.2 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v2 | |
| with: | |
| node-version: '14' | |
| - name: Install Composer dependencies | |
| run: composer install --no-dev --classmap-authoritative --no-interaction --no-progress --ignore-platform-reqs | |
| - name: Install Node.js dependencies | |
| run: yarn install --immutable | |
| - name: Run security checks | |
| run: | | |
| symfony security:check | |
| yarn audit:high | |
| - name: Build assets | |
| run: yarn build | |
| - name: Deploy to production | |
| run: | | |
| # Add your deployment script here |