catalog: bump official pinned ref to v2.1.4 #1323
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Coding Standards | |
| on: | |
| push: | |
| branches: [ master, main, develop ] | |
| pull_request: | |
| branches: [ master, main, develop ] | |
| jobs: | |
| phpcs: | |
| name: PHP CodeSniffer | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| - name: Setup PHP | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: '8.3' | |
| extensions: json | |
| - name: Install Composer dependencies | |
| run: composer install --no-interaction --prefer-dist | |
| - name: Run PHPCS | |
| if: always() | |
| run: | | |
| if [ -f vendor/bin/phpcs ]; then | |
| ./vendor/bin/phpcs --standard=PSR12 -n --colors src/ | |
| fi | |
| phpstan: | |
| name: PHPStan Static Analysis | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| - name: Setup PHP | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: '8.3' | |
| extensions: json | |
| - name: Install Composer dependencies | |
| run: composer install --no-interaction --prefer-dist | |
| - name: Assert no phpstan baseline file | |
| run: | | |
| if [ -f phpstan-baseline.neon ]; then | |
| echo "::error::phpstan-baseline.neon has been re-introduced. Wave 5 deleted it permanently — fix errors at their source, do not regenerate a baseline." | |
| exit 1 | |
| fi | |
| - name: Run PHPStan | |
| if: always() | |
| run: | | |
| if [ -f vendor/bin/phpstan ]; then | |
| ./vendor/bin/phpstan analyze src/ --level=9 --no-progress --error-format=github | |
| fi | |
| smarty-escape-guard: | |
| name: Smarty Auto-Escape Guard (S1) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| - name: Assert all WebPortal Smarty instances go through the auto-escape factory | |
| run: | | |
| # S1: every \Smarty used to render portal HTML must be built by | |
| # PageRenderer::newSmartyFor(), which sets escape_html = true. A raw | |
| # `new \Smarty()` anywhere else in src/Server/WebPortal would bypass | |
| # HTML auto-escaping and reopen the stored/reflected XSS holes. | |
| # | |
| # Allow exactly ONE real instantiation: the one inside the factory in | |
| # PageRenderer.php. Comment/docblock mentions are ignored (only lines | |
| # that actually call `new \Smarty(` as an assignment count). | |
| matches="$(grep -rnE '=\s*new\s+\\?Smarty\s*\(' src/Server/WebPortal/ || true)" | |
| echo "Matched instantiations:" | |
| echo "${matches:-<none>}" | |
| # Every match must live in PageRenderer.php (the factory file). | |
| offenders="$(echo "$matches" | grep -v '^$' | grep -v 'src/Server/WebPortal/PageRenderer.php:' || true)" | |
| if [ -n "$offenders" ]; then | |
| echo "::error::Raw 'new \\Smarty()' found in src/Server/WebPortal outside PageRenderer's auto-escape factory. Build the instance via PageRenderer::newSmartyFor() (escape_html=true) instead:" | |
| echo "$offenders" | |
| exit 1 | |
| fi | |
| # Exactly one real instantiation (the factory) must remain. | |
| count="$(echo "$matches" | grep -c 'src/Server/WebPortal/PageRenderer.php:' || true)" | |
| if [ "$count" != "1" ]; then | |
| echo "::error::Expected exactly 1 'new \\Smarty()' in src/Server/WebPortal (PageRenderer::newSmartyFor factory), found ${count}. Do not add new inline Smarty instances; route them through the factory." | |
| exit 1 | |
| fi | |
| # The auto-escape policy itself must not be disabled in WebPortal. | |
| if grep -rnE "escape_html\s*=\s*false|setEscapeHtml\s*\(\s*false" src/Server/WebPortal/; then | |
| echo "::error::HTML auto-escape is being disabled in src/Server/WebPortal. escape_html must stay true (S1)." | |
| exit 1 | |
| fi | |
| echo "Smarty auto-escape guard passed." | |
| psalm: | |
| name: Psalm Static Analysis | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| - name: Setup PHP | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: '8.3' | |
| extensions: json | |
| - name: Install Composer dependencies | |
| run: composer install --no-interaction --prefer-dist | |
| - name: Run Psalm | |
| if: always() | |
| run: | | |
| if [ -f vendor/bin/psalm ]; then | |
| ./vendor/bin/psalm --show-info=false | |
| fi | |
| composer-validate: | |
| name: Composer Validation | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| - name: Setup PHP | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: '8.3' | |
| - name: Validate Composer | |
| run: composer validate --strict --no-check-publish | |
| security-check: | |
| name: Security Audit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| - name: Setup PHP | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: '8.3' | |
| - name: Install Composer dependencies | |
| run: composer install --no-interaction --prefer-dist | |
| - name: Run Security Audit | |
| if: always() | |
| run: | | |
| if [ -f vendor/bin/security-checker ]; then | |
| ./vendor/bin/security-checker security:check | |
| elif [ -f vendor/bin/composer-audit ]; then | |
| ./vendor/bin/composer-audit audit --format=github | |
| fi |