Issue #112 #332: Separate Security Checks and Replace Composer Lock Diff #636

Merged
17 changes: 16 additions & 1 deletion README.md
@@ -391,7 +391,22 @@ They are composite actions which can be used in any of your workflows e.g.
Tests can be run locally with [act](https://github.com/nektos/act):
`act -P ubuntu-latest=ghcr.io/catthehacker/ubuntu:runner-latest -j Static-Tests`

### Composer Lock Diff
### Security
```json
"extra": {
"drainpipe": {
"github": ["Security"]
Nice!

}
}
```

Runs security checks for composer packages and Drupal contrib, as well as posting
a diff of `composer.lock` as a review comment.

### Composer Lock Diff (Deprecated)

**This is now provided as part of the Security workflow**

Update Pull Request descriptions with a markdown table of any changes detected
in `composer.lock` using [composer-lock-diff](https://github.com/davidrjonas/composer-lock-diff).

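Review bot: the new `### Security` section documents the `extra.drainpipe.github` opt-in but not what the workflow needs in order to run: the `pull-requests: write` permission and the `SSH_PRIVATE_KEY` / `SSH_KNOWN_HOSTS` secrets consumed in `scaffold/github/workflows/Security.yml`. Suggest a sentence listing them, and under `### Composer Lock Diff (Deprecated)` a note on whether projects should drop `ComposerLockDiff` from their `github` list, since a project listing both entries will get two workflows posting lock diffs.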
1 change: 1 addition & 0 deletions drainpipe-dev/composer.json
@@ -15,6 +15,7 @@
"composer-plugin-api": "^2.0",
"behat/mink": "^1.11.0",
"behat/mink-browserkit-driver": "^2.2.0",
"davidrjonas/composer-lock-diff": "^1.7",
"drupal/coder": "^8.3.24",
"lullabot/drainpipe": "*",
"mglaman/phpstan-drupal": "^1.2.11",
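Review bot: `davidrjonas/composer-lock-diff` is added only to `drainpipe-dev/composer.json`, but the `security` task in `tasks/test.yml` calls `./vendor/bin/composer-lock-diff` unconditionally, so a project that depends on `lullabot/drainpipe` without `drainpipe-dev` will fail the security task on a missing binary. Suggest wrapping the call in an existence check (`if [ -x ./vendor/bin/composer-lock-diff ]; then`), mirroring the conditional that already wraps `./vendor/bin/local-php-security-checker` just above it, or documenting `drainpipe-dev` as a requirement of the `Security` workflow.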
86 changes: 86 additions & 0 deletions scaffold/github/workflows/Security.yml
@@ -0,0 +1,86 @@
name: "Security"

on:
pull_request:
types: [opened, synchronize, reopened]

concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true

jobs:
Security:
runs-on: ubuntu-22.04
permissions:
contents: read
pull-requests: write
steps:
- uses: actions/checkout@v4

- name: Checkout base branch
run: |
git fetch --no-tags --depth=1 origin ${{ github.base_ref }}
git checkout ${{ github.base_ref }}
git checkout -

- uses: actions/cache@v4
with:
path: ${{ github.workspace }}/.ddev/.drainpipe-composer-cache
key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
restore-keys: |
${{ runner.os }}-composer-

- uses: ./.github/actions/drainpipe/set-env

- name: Install and Start DDEV
uses: ./.github/actions/drainpipe/ddev
with:
git-name: Drainpipe Bot
git-email: [email protected]
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
ssh-known-hosts: ${{ secrets.SSH_KNOWN_HOSTS }}

- name: Build Project
run: ddev composer install

- name: Run Security Checks
run: ddev task security composer_lock_diff_from=${{ github.base_ref }} composer_lock_diff=composer-lock-diff.md

- name: Publish Results
run: |
COMPOSER_LOCK_DIFF="<!-- composer-lock-diff -->
## Composer Lock Diff
$(cat composer-lock-diff.md)"
COMPOSER_LOCK_DIFF=$(echo "$COMPOSER_LOCK_DIFF" | jq -Rsa .)
FIRST=true
echo $COMPOSER_LOCK_DIFF >> $GITHUB_STEP_SUMMARY
curl -s -L -f -X GET \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/${{ github.repository }}/pulls/$DRAINPIPE_PR_NUMBER/comments | jq -rc '.[]|select(.body | contains("<!-- composer-lock-diff -->")) | .id' | while read i; do
if [ "$FIRST" == "true" ]; then
FIRST=false
curl -L \
-X PATCH \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/${{ github.repository }}/pulls/comments/$i \
-d "{\"body\":$COMPOSER_LOCK_DIFF}"
fi
curl -L \
-X DELETE \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/${{ github.repository }}/pulls/comments/$i
done
if [ "$FIRST" == "true" ]; then
curl -L -f \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/${{ github.repository }}/pulls/$DRAINPIPE_PR_NUMBER/comments \
-d "{\"body\":$COMPOSER_LOCK_DIFF,\"commit_id\":\"$DRAINPIPE_SHA\",\"path\":\"composer.lock\",\"subject_type\":\"file\",\"side\":\"RIGHT\"}"
fi
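Review bot: the update-in-place logic in `Publish Results` does not do what it intends. The `curl ... | jq ... | while read i` loop runs in a pipeline subshell, so `FIRST=false` never reaches the parent shell and the trailing `POST` always fires; and the `DELETE` sits outside the `if`, so the comment that was just `PATCH`ed is deleted in the same iteration. The net effect is delete-all-then-recreate, which works but leaves the `PATCH` as dead code. Suggest collecting the ids first (`IDS=$(curl ... | jq -rc '...')`), iterating with `for i in $IDS`, and putting the `DELETE` in an `else` branch. Two smaller points: `echo $COMPOSER_LOCK_DIFF >> $GITHUB_STEP_SUMMARY` runs after the `jq -Rsa` step, so the job summary receives a JSON string literal with escaped newlines rather than rendered markdown (write the raw markdown to the summary before encoding, and quote the variable); and `$DRAINPIPE_PR_NUMBER` / `$DRAINPIPE_SHA` are not defined in this file, so a comment that they come from `./.github/actions/drainpipe/set-env` would help the next reader. Note also that with `on: pull_request` the `GITHUB_TOKEN` is read-only for pull requests from forks, so `pull-requests: write` will not take effect there and the comment calls will fail on fork PRs.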
4 changes: 4 additions & 0 deletions src/ScaffoldInstallerPlugin.php
@@ -333,6 +333,10 @@ private function installGitHubActions(string $scaffoldPath): void {
$fs->ensureDirectoryExists('./.github/workflows');
$fs->copy("$scaffoldPath/github/workflows/ComposerLockDiff.yml", './.github/workflows/ComposerLockDiff.yml');
}
else if ($github === 'Security') {
$fs->ensureDirectoryExists('./.github/workflows');
$fs->copy("$scaffoldPath/github/workflows/Security.yml", './.github/workflows/Security.yml');
}
}
}

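Review bot: the new `Security` branch repeats the `ComposerLockDiff` branch above it almost verbatim, and both stay active even though the README now marks `ComposerLockDiff` as deprecated and folded into `Security`, so a project listing both in `extra.drainpipe.github` ends up with two workflows posting lock diffs. Suggest emitting a deprecation warning at install time when `ComposerLockDiff` is requested, and replacing the growing `else if` chain with a loop over a `workflow => file` map so `ensureDirectoryExists` / `copy` are written once.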
7 changes: 6 additions & 1 deletion tasks/test.yml
@@ -17,7 +17,7 @@ vars:
tasks:
static:
desc: Runs all static tests
deps: [security, lint, phpstan, phpunit:static, phpcs]
deps: [lint, phpstan, phpunit:static, phpcs]
functional:
desc: Runs all tests that require a bootstrapped Drupal site
deps: [config, phpunit:functional, nightwatch]
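Review bot: dropping `security` from the `static` deps silently changes what the static suite covers: developers who run it locally, including via the `act ... -j Static-Tests` command the README gives, no longer get `composer audit` or the `local-php-security-checker` run. If the intent is only to split the CI jobs, say so in the README and point at the `security` task / `Security` workflow as the new home of those checks.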
@@ -41,6 +41,11 @@ tasks:
./vendor/bin/local-php-security-checker
fi
- composer audit
- |
./vendor/bin/composer-lock-diff --from {{ shellQuote (.composer_lock_diff_from | default "main") }} --md
if [ "" != {{ shellQuote (.composer_lock_diff | default "") }} ]; then
./vendor/bin/composer-lock-diff --from {{ shellQuote (.composer_lock_diff_from | default "main") }} --md > {{ shellQuote (.composer_lock_diff | default "") }}
fi
lint:
desc: Runs lint on composer, YAML, and Twig files
# @todo JUnit output
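Review bot: `composer-lock-diff` is invoked twice with identical arguments, once to stdout and once redirected into the file, so the diff is computed twice. Suggest a single invocation piped through `tee` when `composer_lock_diff` is set (`| tee {{ shellQuote (.composer_lock_diff | default "") }}`), or one run into a temporary file that is then `cat`ed. The `--from` default of `"main"` also assumes a local ref by that name exists; `Security.yml` covers this with its `git fetch ... ${{ github.base_ref }}` step, but a local run on a repository whose default branch is not `main` will fail, so `composer_lock_diff_from` deserves a mention in the task description or README.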