SEC25-123: Add Psalm PHP static analysis and CI/CD integration #29
Conversation
- Add vimeo/psalm to require-dev dependencies - Add psalm.xml configuration file - Add composer psalm script - Add CodeQL workflow for automated Psalm scanning in CI/CD
Glenn-Ewing
changed the title
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
- Add platform config to force PHP 8.1 dependency resolution - Generate new composer.lock with compatible dependency versions - Revert to reusable workflow with composer install for reproducible builds
- Change platform from 8.1 to 8.0 to match minimum PHP requirement and test matrix - Regenerate composer.lock with PHP 8.0-compatible dependencies
… reusable workflow)
joshmcrae
left a comment
joshmcrae
left a comment
There was a problem hiding this comment.
Looks good, but we can avoid confusing issues resulting from cached vendor files. See below.
.github/workflows/codeql.yml
Outdated
| uses: actions/cache@v4 | ||
| with: | ||
| path: vendor | ||
| key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} |
There was a problem hiding this comment.
I recommend including the PHP version in the key as the PHP version can influence which packages are installed. This leads to very confusing test failures when the loaded libraries (cached) use unavailable language features.
${{ runner.os }}-${{ matrix.php-versions }}-composer-${{ hashFiles('**/composer.json') }}
There was a problem hiding this comment.
Agreed, good call. That said, this is pulled from: https://github.com/tithely/php-workflows/blob/main/.github/workflows/codeql.yml (which I don't have access to change) so I'll update this inline version, but can't change the source.
There was a problem hiding this comment.
@joshmcrae Do we have a preference on merge type:
- Merge commit
- Squash Commit
- Rebase & Merge
I tend to favor rebase & merge, but I see squash is coming up as default, so I just wanted to check.
This PR adds Psalm PHP static analysis tooling and integrates it into CI/CD.
Changes
vimeo/psalmto require-dev dependenciespsalm.xmlconfiguration filecomposer psalmscriptVerification
The CI/CD workflow will run Psalm analysis across PHP versions 8.0, 8.1, 8.2, 8.3 (matching the PHP 8.0+ requirement) and upload results to GitHub Security. Includes
pdoextension as required by the library.