SEC25-120: Add Psalm PHP static analysis and CI/CD integration #25
Conversation
- Add vimeo/psalm to require-dev dependencies - Add psalm.xml configuration file - Add composer psalm script - Add CodeQL workflow for automated Psalm scanning in CI/CD
Glenn-Ewing
changed the title
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
- Generate new composer.lock with compatible dependency versions (using existing platform config) - Revert to reusable workflow with composer install for reproducible builds
… reusable workflow)
joshmcrae
left a comment
joshmcrae
left a comment
There was a problem hiding this comment.
Looks good, but we can avoid confusing issues resulting from cached vendor files. See below.
.github/workflows/codeql.yml
Outdated
| uses: actions/cache@v4 | ||
| with: | ||
| path: vendor | ||
| key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} |
There was a problem hiding this comment.
I recommend including the PHP version in the key as the PHP version can influence which packages are installed. This leads to very confusing test failures when the loaded libraries (cached) use unavailable language features.
${{ runner.os }}-${{ matrix.php-versions }}-composer-${{ hashFiles('**/composer.json') }}
There was a problem hiding this comment.
Agreed, good call. That said, this is pulled from: https://github.com/tithely/php-workflows/blob/main/.github/workflows/codeql.yml (which I don't have access to change) so I'll update this inline version, but can't change the source.
This PR adds Psalm PHP static analysis tooling and integrates it into CI/CD.
Changes
vimeo/psalmto require-dev dependenciespsalm.xmlconfiguration filecomposer psalmscriptVerification
The CI/CD workflow will run Psalm analysis across PHP versions 8.0, 8.1, 8.2, 8.3 (matching the PHP 8.0+ requirement) and upload results to GitHub Security.