Backport Html Writer Security Patches #8981
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: main | |
on: [ push, pull_request, merge_group ] | |
permissions: | |
contents: read # to fetch code (actions/checkout) | |
jobs: | |
test: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
experimental: | |
- false | |
php-version: | |
- '8.1' | |
- '8.2' | |
- '8.3' | |
- '8.4' | |
include: | |
- php-version: 'nightly' | |
experimental: true | |
name: PHP ${{ matrix.php-version }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Install locales | |
run: sudo apt-get install -y language-pack-fr language-pack-de | |
- name: Setup PHP, with composer and extensions | |
uses: shivammathur/setup-php@v2 | |
with: | |
php-version: ${{ matrix.php-version }} | |
extensions: ctype, dom, gd, iconv, fileinfo, libxml, mbstring, simplexml, xml, xmlreader, xmlwriter, zip, zlib | |
coverage: none | |
- name: Get composer cache directory | |
id: composer-cache | |
run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT | |
- name: Cache composer dependencies | |
uses: actions/cache@v4 | |
with: | |
path: ${{ steps.composer-cache.outputs.dir }} | |
key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} | |
restore-keys: ${{ runner.os }}-composer- | |
- name: Delete composer lock file | |
id: composer-lock | |
if: ${{ matrix.php-version == 'nightly' }} | |
run: | | |
rm composer.lock | |
echo "flags=--ignore-platform-reqs" >> $GITHUB_OUTPUT | |
- name: Install dependencies | |
run: composer install --no-progress --prefer-dist --optimize-autoloader ${{ steps.composer-lock.outputs.flags }} | |
- name: Setup problem matchers for PHP | |
run: echo "::add-matcher::${{ runner.tool_cache }}/php.json" | |
- name: Setup problem matchers for PHPUnit | |
run: echo "::add-matcher::${{ runner.tool_cache }}/phpunit.json" | |
- name: "Run PHPUnit tests (Experimental: ${{ matrix.experimental }})" | |
env: | |
FAILURE_ACTION: "${{ matrix.experimental == true }}" | |
run: vendor/bin/phpunit --display-incomplete --display-skipped --display-deprecations --display-errors --display-notices --display-warnings || $FAILURE_ACTION | |
phpdoc-types: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 2 | |
- name: Setup PHP, with composer and extensions | |
uses: shivammathur/setup-php@v2 | |
with: | |
php-version: 8.3 | |
extensions: ctype, dom, gd, iconv, fileinfo, libxml, mbstring, simplexml, xml, xmlreader, xmlwriter, zip, zlib | |
coverage: none | |
# This is non-ideal because it only checks for the last commit of the PR, not all of them, but better than nothing | |
- name: Check PHPDoc types | |
run: ./bin/check-phpdoc-types | |
php-cs-fixer: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup PHP, with composer and extensions | |
uses: shivammathur/setup-php@v2 | |
with: | |
php-version: 8.3 | |
extensions: ctype, dom, gd, iconv, fileinfo, libxml, mbstring, simplexml, xml, xmlreader, xmlwriter, zip, zlib | |
coverage: none | |
tools: cs2pr | |
- name: Get composer cache directory | |
id: composer-cache | |
run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT | |
- name: Cache composer dependencies | |
uses: actions/cache@v4 | |
with: | |
path: ${{ steps.composer-cache.outputs.dir }} | |
key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} | |
restore-keys: ${{ runner.os }}-composer- | |
- name: Install dependencies | |
run: composer install --no-progress --prefer-dist --optimize-autoloader | |
- name: Code style with PHP-CS-Fixer | |
run: (./vendor/bin/php-cs-fixer fix --dry-run --format=checkstyle | cs2pr) || ./vendor/bin/php-cs-fixer fix --diff --dry-run | |
phpcs: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup PHP, with composer and extensions | |
uses: shivammathur/setup-php@v2 | |
with: | |
php-version: 8.3 | |
extensions: ctype, dom, gd, iconv, fileinfo, libxml, mbstring, simplexml, xml, xmlreader, xmlwriter, zip, zlib | |
coverage: none | |
tools: cs2pr | |
- name: Get composer cache directory | |
id: composer-cache | |
run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT | |
- name: Cache composer dependencies | |
uses: actions/cache@v4 | |
with: | |
path: ${{ steps.composer-cache.outputs.dir }} | |
key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} | |
restore-keys: ${{ runner.os }}-composer- | |
- name: Install dependencies | |
run: composer install --no-progress --prefer-dist --optimize-autoloader | |
- name: Code style with PHP_CodeSniffer | |
run: ./vendor/bin/phpcs -q --report=checkstyle | cs2pr | |
versions: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup PHP, with composer and extensions | |
uses: shivammathur/setup-php@v2 | |
with: | |
php-version: 8.3 | |
extensions: ctype, dom, gd, iconv, fileinfo, libxml, mbstring, simplexml, xml, xmlreader, xmlwriter, zip, zlib | |
coverage: none | |
tools: cs2pr | |
- name: Get composer cache directory | |
id: composer-cache | |
run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT | |
- name: Cache composer dependencies | |
uses: actions/cache@v4 | |
with: | |
path: ${{ steps.composer-cache.outputs.dir }} | |
key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} | |
restore-keys: ${{ runner.os }}-composer- | |
- name: Install dependencies | |
run: composer install --no-progress --prefer-dist --optimize-autoloader | |
- name: Code Version Compatibility check with PHP_CodeSniffer | |
run: ./vendor/bin/phpcs -q --report-width=200 --report=summary,full src/ --standard=PHPCompatibility --runtime-set testVersion 8.1- | |
phpstan: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup PHP, with composer and extensions | |
uses: shivammathur/setup-php@v2 | |
with: | |
php-version: 8.3 | |
extensions: ctype, dom, gd, iconv, fileinfo, libxml, mbstring, simplexml, xml, xmlreader, xmlwriter, zip, zlib | |
coverage: none | |
tools: cs2pr | |
- name: Get composer cache directory | |
id: composer-cache | |
run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT | |
- name: Cache composer dependencies | |
uses: actions/cache@v4 | |
with: | |
path: ${{ steps.composer-cache.outputs.dir }} | |
key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} | |
restore-keys: ${{ runner.os }}-composer- | |
- name: Install dependencies | |
run: composer install --no-progress --prefer-dist --optimize-autoloader | |
- name: Static analysis with PHPStan | |
run: ./vendor/bin/phpstan analyse | |
coverage: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Setup PHP, with composer and extensions | |
uses: shivammathur/setup-php@v2 | |
with: | |
php-version: 8.3 | |
extensions: ctype, dom, gd, iconv, fileinfo, libxml, mbstring, simplexml, xml, xmlreader, xmlwriter, zip, zlib | |
coverage: pcov | |
- name: Get composer cache directory | |
id: composer-cache | |
run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT | |
- name: Cache composer dependencies | |
uses: actions/cache@v4 | |
with: | |
path: ${{ steps.composer-cache.outputs.dir }} | |
key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} | |
restore-keys: ${{ runner.os }}-composer- | |
- name: Install dependencies | |
run: composer install --no-progress --prefer-dist --optimize-autoloader | |
- name: Coverage | |
run: | | |
./vendor/bin/phpunit --coverage-clover coverage-clover.xml | |
composer global require scrutinizer/ocular | |
~/.composer/vendor/bin/ocular code-coverage:upload --format=php-clover coverage-clover.xml | |
release: | |
permissions: | |
contents: write # to create a release (actions/create-release) | |
runs-on: ubuntu-latest | |
if: github.event_name == 'push' && contains(github.ref, 'refs/tags/') | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.ref }} # Otherwise our annotated tag is not fetched and we cannot get correct version | |
- name: Get release info | |
run: git tag --format '%(contents:body)' --points-at > release-body.txt | |
- uses: ncipollo/release-action@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token | |
with: | |
bodyFile: release-body.txt | |
makeLatest: false |