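---
# Security workflow: dependency audit, lock-file integrity and static
# analysis in the `audit` job, the test suite in the `tests` job. Both jobs
# run with a read-only GITHUB_TOKEN (see `permissions` below).
name: security

on:  # yamllint disable-line rule:truthy
  push:
    branches: [develop, main, master]
  pull_request:
    branches: [develop, main, master]
  schedule:
    # Weekly dependency-vulnerability check (measure УКФ.4): Mondays at
    # 03:00 UTC, so newly published advisories are caught even when no
    # commit lands.
    - cron: '0 3 * * 1'

# Least privilege for the workflow token: nothing below needs write access.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      # Third-party actions are referenced by tag; a tag can be moved, so
      # pinning to the full commit SHA (`uses: owner/action@<40-hex-sha>`,
      # placeholder) is the stronger supply-chain control.
      - uses: actions/checkout@v4
        with:
          # Do not leave the token in .git/config for later steps.
          persist-credentials: false

      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.3'
          coverage: none

      # ОЦЛ.1: lock-file integrity control (reject inconsistent changes).
      # Runs before install so an out-of-sync composer.lock fails fast
      # instead of being installed from; it needs no vendor/ directory.
      - name: Verify composer.lock integrity
        run: composer validate --strict

      - name: Install Dependencies
        run: composer install -q --no-ansi --no-interaction --no-scripts --no-progress --prefer-dist

      # УКФ.4: vulnerability analysis of dependencies. `composer audit`
      # exits non-zero on a known advisory, so this step is blocking.
      - name: Composer audit
        run: composer audit --no-interaction

      # Static analysis (ОПС: code security). Non-blocking: findings do not
      # fail the job. `continue-on-error` is used instead of `|| true` in the
      # shell so the step's real exit status stays visible in the run
      # summary rather than being masked inside the command.
      - name: Static analysis (Larastan)
        run: ./vendor/bin/phpstan analyse --no-progress
        continue-on-error: true

  tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the token in .git/config for later steps.
          persist-credentials: false

      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.3'

      - name: Install Dependencies
        run: composer install -q --no-ansi --no-interaction --no-scripts --no-progress --prefer-dist

      # Builds a throwaway .env from the example file and generates a fresh
      # APP_KEY into it for this run.
      - name: Copy environment
        run: cp .env.example .env && php artisan key:generate

      - name: Run tests
        run: ./vendor/bin/pest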