Skip to content

catalog: bump official pinned ref to v2.1.4 #1323

catalog: bump official pinned ref to v2.1.4

catalog: bump official pinned ref to v2.1.4 #1323

name: Coding Standards
on:
push:
branches: [ master, main, develop ]
pull_request:
branches: [ master, main, develop ]
jobs:
phpcs:
name: PHP CodeSniffer
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: '8.3'
extensions: json
- name: Install Composer dependencies
run: composer install --no-interaction --prefer-dist
- name: Run PHPCS
if: always()
run: |
if [ -f vendor/bin/phpcs ]; then
./vendor/bin/phpcs --standard=PSR12 -n --colors src/
fi
phpstan:
name: PHPStan Static Analysis
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: '8.3'
extensions: json
- name: Install Composer dependencies
run: composer install --no-interaction --prefer-dist
- name: Assert no phpstan baseline file
run: |
if [ -f phpstan-baseline.neon ]; then
echo "::error::phpstan-baseline.neon has been re-introduced. Wave 5 deleted it permanently — fix errors at their source, do not regenerate a baseline."
exit 1
fi
- name: Run PHPStan
if: always()
run: |
if [ -f vendor/bin/phpstan ]; then
./vendor/bin/phpstan analyze src/ --level=9 --no-progress --error-format=github
fi
smarty-escape-guard:
name: Smarty Auto-Escape Guard (S1)
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Assert all WebPortal Smarty instances go through the auto-escape factory
run: |
# S1: every \Smarty used to render portal HTML must be built by
# PageRenderer::newSmartyFor(), which sets escape_html = true. A raw
# `new \Smarty()` anywhere else in src/Server/WebPortal would bypass
# HTML auto-escaping and reopen the stored/reflected XSS holes.
#
# Allow exactly ONE real instantiation: the one inside the factory in
# PageRenderer.php. Comment/docblock mentions are ignored (only lines
# that actually call `new \Smarty(` as an assignment count).
matches="$(grep -rnE '=\s*new\s+\\?Smarty\s*\(' src/Server/WebPortal/ || true)"
echo "Matched instantiations:"
echo "${matches:-<none>}"
# Every match must live in PageRenderer.php (the factory file).
offenders="$(echo "$matches" | grep -v '^$' | grep -v 'src/Server/WebPortal/PageRenderer.php:' || true)"
if [ -n "$offenders" ]; then
echo "::error::Raw 'new \\Smarty()' found in src/Server/WebPortal outside PageRenderer's auto-escape factory. Build the instance via PageRenderer::newSmartyFor() (escape_html=true) instead:"
echo "$offenders"
exit 1
fi
# Exactly one real instantiation (the factory) must remain.
count="$(echo "$matches" | grep -c 'src/Server/WebPortal/PageRenderer.php:' || true)"
if [ "$count" != "1" ]; then
echo "::error::Expected exactly 1 'new \\Smarty()' in src/Server/WebPortal (PageRenderer::newSmartyFor factory), found ${count}. Do not add new inline Smarty instances; route them through the factory."
exit 1
fi
# The auto-escape policy itself must not be disabled in WebPortal.
if grep -rnE "escape_html\s*=\s*false|setEscapeHtml\s*\(\s*false" src/Server/WebPortal/; then
echo "::error::HTML auto-escape is being disabled in src/Server/WebPortal. escape_html must stay true (S1)."
exit 1
fi
echo "Smarty auto-escape guard passed."
psalm:
name: Psalm Static Analysis
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: '8.3'
extensions: json
- name: Install Composer dependencies
run: composer install --no-interaction --prefer-dist
- name: Run Psalm
if: always()
run: |
if [ -f vendor/bin/psalm ]; then
./vendor/bin/psalm --show-info=false
fi
composer-validate:
name: Composer Validation
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: '8.3'
- name: Validate Composer
run: composer validate --strict --no-check-publish
security-check:
name: Security Audit
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: '8.3'
- name: Install Composer dependencies
run: composer install --no-interaction --prefer-dist
- name: Run Security Audit
if: always()
run: |
if [ -f vendor/bin/security-checker ]; then
./vendor/bin/security-checker security:check
elif [ -f vendor/bin/composer-audit ]; then
./vendor/bin/composer-audit audit --format=github
fi