Skip to content

chore: Harden GHA workflows #1799

chore: Harden GHA workflows

chore: Harden GHA workflows #1799

Workflow file for this run

name: CI
permissions: {}
on:
push:
branches:
- master
pull_request:
jobs:
tests:
name: Tests on PHP ${{ matrix.php }} ${{ matrix.dependencies }}
runs-on: ubuntu-24.04
permissions:
contents: read
services:
redis:
image: redis
ports:
- 6379/tcp
strategy:
matrix:
php: ['8.2', '8.3', '8.4']
dependencies: ['--ignore-platform-req=php', '--prefer-lowest --prefer-stable --ignore-platform-req=php']
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # 2.32.0
with:
php-version: ${{ matrix.php }}
extensions: mbstring, redis, apcu
ini-values: apc.enable_cli=1, zend.assertions=1
coverage: pcov
- name: Remove Composer lockfile
run: rm composer.lock
- name: Install dependencies
run: composer update --no-interaction --prefer-dist ${{ matrix.dependencies }}
- name: Configure PHPUnit matchers
run: echo "::add-matcher::${{ runner.tool_cache }}/phpunit.json"
- name: Run tests
run: ./vendor/bin/phpunit --verbose --colors --coverage-clover=coverage.xml
env:
REDIS_PORT: ${{ job.services.redis.ports['6379'] }}
- name: Upload coverage to Codecov
uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
with:
files: ./coverage.xml
use_oidc: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork) }}
mutation_testing:
name: Mutation testing
runs-on: ubuntu-24.04
services:
redis:
image: redis
ports:
- 6379/tcp
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # 2.32.0
with:
php-version: '8.2'
extensions: mbstring, redis, apcu
ini-values: apc.enable_cli=1, zend.assertions=1
coverage: pcov
- name: Install dependencies
run: composer install --no-interaction --prefer-dist
- name: Run Infection
run: ./vendor/bin/infection --min-msi=90 --min-covered-msi=90
env:
REDIS_PORT: ${{ job.services.redis.ports['6379'] }}
- name: Archive report
if: always()
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
with:
name: Infection report
path: infection.log
integration:
name: Integration tests on PHP ${{ matrix.php }}
runs-on: ubuntu-24.04
strategy:
matrix:
php: ['8.2', '8.3', '8.4']
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Install dependencies
run: composer install --no-interaction --prefer-dist
- name: Start stack
run: |
docker compose up -d
sleep 10
docker ps -a
env:
PHP_VERSION: ${{ matrix.php }}
- name: Tests with Redis
run: docker compose exec -T phpunit env ADAPTER=redis vendor/bin/phpunit --testsuite=functionnal
env:
PHP_VERSION: ${{ matrix.php }}
- name: Tests with APCU
run: docker compose exec -T phpunit env ADAPTER=apcu vendor/bin/phpunit --testsuite=functionnal
env:
PHP_VERSION: ${{ matrix.php }}
code_quality:
name: Code quality
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # 2.32.0
with:
php-version: '8.2'
extensions: mbstring, redis, apcu
coverage: none
- name: Install dependencies
run: composer install --no-interaction --prefer-dist
- name: PHPCS
run: ./vendor/bin/phpcs
- name: Psalm
run: ./vendor/bin/psalm --shepherd
- name: PHPStan
run: ./vendor/bin/phpstan analyse
dependencies:
name: Dependencies state
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Install dependencies
run: composer install --no-interaction --prefer-dist
- name: Composer Require Checker
uses: docker://webfactory/composer-require-checker:3.2.0
with:
args: --config-file=tests/config-composer-require-checker.json
- name: Composer Unused
uses: docker://icanhazstring/composer-unused-ga
backward_compatible_changes:
name: Backward Compatible Changes
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
# Disable (temporarily) CI check with Roave BC check
# See https://github.com/Nyholm/roave-bc-check-docker/issues/32
#- name: Roave BC Check
# uses: docker://nyholm/roave-bc-check-ga
# with:
# args: roave-backwards-compatibility-check:assert-backwards-compatible --from=v1.0.0
nix-shell:
name: Working Nix Shell
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Install nix
uses: cachix/install-nix-action@v30
with:
nix_path: nixpkgs=channel:nixos-unstable
- name: Install dependencies
run: nix-shell --pure --run 'composer install --no-interaction --prefer-dist'
- name: Basic tests
run: nix-shell --pure --run './vendor/bin/psalm'