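---
# CI workflow: dependency audit, lock-file integrity and static analysis in
# one job, the test suite in a second job.
name: security

on:  # yamllint disable-line rule:truthy
  push:
    branches: [develop, main, master]
  pull_request:
    branches: [develop, main, master]
  schedule:
    # Weekly scan for vulnerable dependencies (control УКФ.4).
    - cron: '0 3 * * 1'

# Read-only token for every job; no step below needs write access.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      # persist-credentials: false keeps the checkout token out of
      # .git/config, so later steps (composer, phpstan) cannot read it.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      # Third-party action referenced by a mutable major tag; pinning to a
      # full commit SHA would make the reference immutable.
      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.3'
          coverage: none

      - name: Install Dependencies
        run: composer install -q --no-ansi --no-interaction --no-scripts --no-progress --prefer-dist

      # УКФ.4: vulnerability analysis of dependencies (reads composer.lock).
      - name: Composer audit
        run: composer audit --no-interaction

      # ОЦЛ.1: lock-file integrity (rejects a composer.lock that is out of
      # sync with composer.json; --strict turns warnings into errors).
      - name: Verify composer.lock integrity
        run: composer validate --strict

      # Static analysis (ОПС: code security).
      # Currently non-blocking: the job stays green on findings, but the
      # step itself is reported as failed (warning annotation, failed
      # outcome) instead of being masked by a shell `|| true`. Remove
      # continue-on-error once the baseline is clean so findings gate CI.
      - name: Static analysis (Larastan)
        run: ./vendor/bin/phpstan analyse --no-progress
        continue-on-error: true

  tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.3'

      - name: Install Dependencies
        run: composer install -q --no-ansi --no-interaction --no-scripts --no-progress --prefer-dist

      # Throw-away .env with a freshly generated APP_KEY for this run only.
      - name: Copy environment
        run: cp .env.example .env && php artisan key:generate

      - name: Run tests
        run: ./vendor/bin/pest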