first commit
63
.github/workflows/security.yml
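--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -0,0 +1,63 @@
+name: security
+
+on:
+  push:
+    branches: [develop, main, master]
+  pull_request:
+    branches: [develop, main, master]
+  schedule:
+    # Еженедельная проверка уязвимостей зависимостей (мера УКФ.4).
+    - cron: '0 3 * * 1'
+
+permissions:
+  contents: read
+
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.3'
+          coverage: none
+
+      - name: Install Dependencies
+        run: composer install -q --no-ansi --no-interaction --no-scripts --no-progress --prefer-dist
+
+      # УКФ.4: анализ уязвимостей в зависимостях.
+      - name: Composer audit
+        run: composer audit --no-interaction
+
+      # ОЦЛ.1: контроль целостности lock-файлов (запрет несогласованных изменений).
+      - name: Verify composer.lock integrity
+        run: composer validate --strict
+
+      # Статический анализ (ОПС: безопасность кода).
+      - name: Static analysis (Larastan)
+        run: ./vendor/bin/phpstan analyse --no-progress || true
+
+  tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.3'
+
+      - name: Install Dependencies
+        run: composer install -q --no-ansi --no-interaction --no-scripts --no-progress --prefer-dist
+
+      - name: Copy environment
+        run: cp .env.example .env && php artisan key:generate
+
+      - name: Run tests
+        run: ./vendor/bin/pest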
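Review bot: The `|| true` on the "Static analysis (Larastan)" step means phpstan can never fail the `audit` job, so the step documented as a code-security control is purely decorative and any finding it reports is silently discarded; drop the suffix and, if the codebase is not yet phpstan-clean, use `continue-on-error: true` on the step (or a phpstan baseline) so the failure is at least visible in the run, e.g. `run: ./vendor/bin/phpstan analyse --no-progress --error-format=github`. For a workflow named "security", `actions/checkout@v4` and `shivammathur/setup-php@v2` should be pinned to a full commit SHA with the version in a trailing comment, since a moved tag gives the action's maintainer (or whoever compromises it) code execution in this job. `composer validate --strict` is also run after `composer install` rather than before it, so an out-of-sync composer.lock is only caught after dependencies from it have already been installed and audited; moving that step ahead of "Install Dependencies" makes it fail fast. Separately, note that `composer validate` checks composer.json/lock consistency, not package integrity, so the "целостности" wording in the comment overstates what the step verifies.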