Harden quarantine provisioning; enforce strict permissions and update Ansible and docs

2026-02-12 07:47:48 +01:00
parent 037b176892
commit 1768f61da1
44 changed files with 2587 additions and 698 deletions


@@ -0,0 +1,36 @@
name: Auto-merge Dependabot security updates
on:
pull_request_target:
types: [opened, labeled, reopened, ready_for_review]
jobs:
enable-automerge:
name: Enable auto-merge for Dependabot security PRs
runs-on: ubuntu-latest
if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'dependabot-preview[bot]'
steps:
- name: Check PR labels for security
id: label-check
uses: actions/github-script@v6
with:
script: |
const pr = await github.rest.pulls.get({ owner: context.repo.owner, repo: context.repo.repo, pull_number: context.payload.pull_request.number });
const labels = pr.data.labels.map(l => l.name.toLowerCase());
const isSecurity = labels.includes('security') || labels.includes('dependabot-security') || pr.data.body && /security/i.test(pr.data.body);
return { isSecurity };
- name: Enable GitHub auto-merge on PR
if: steps.label-check.outputs.isSecurity == 'true'
uses: peter-evans/enable-pull-request-automerge@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
pull-request-number: ${{ github.event.pull_request.number }}
merge-method: squash
- name: Comment when auto-merge enabled
if: steps.label-check.outputs.isSecurity == 'true'
uses: actions/github-script@v6
with:
script: |
await github.rest.issues.createComment({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.payload.pull_request.number, body: 'Auto-merge enabled for this Dependabot security update. Merge will occur automatically once required checks pass.' });
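Review bot: The auto-merge step is wired to `steps.label-check.outputs.isSecurity`, but `actions/github-script` exposes a step's return value only as the `result` output (JSON-encoded), so returning `{ isSecurity }` leaves `outputs.isSecurity` empty and both guarded steps never run; change the script's last line to `return isSecurity;` and both conditions to `if: steps.label-check.outputs.result == 'true'`. Once the wiring works, the security signal itself is weak: a `security` label can be applied by anyone with triage rights and `pull_request_target` re-fires on `labeled`, and the `/security/i` test on the PR body will match ordinary Dependabot bumps whose embedded release notes mention the word, so non-security updates would be squashed in automatically. A more reliable signal is the update metadata Dependabot itself publishes (e.g. `dependabot/fetch-metadata` and its alert-related outputs), rather than labels or body text. The workflow also sets no `permissions:` block, so a `pull_request_target` run inherits the default token scope; declaring only `contents: write` and `pull-requests: write` at the top level keeps the merge-capable token as narrow as this job needs.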

.github/workflows/ci.yml vendored Normal file

@@ -0,0 +1,89 @@
name: CI
on:
push:
branches: [ main, master ]
pull_request:
branches: [ main, master ]
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
php-version: ['8.0', '8.1', '8.2', '8.3', '8.4']
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: ${{ matrix.php-version }}
coverage: none
- name: Cache Composer
uses: actions/cache@v4
with:
path: ~/.composer/cache
key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
restore-keys: |
${{ runner.os }}-composer-
- name: Install dependencies
env:
COMPOSER_MEMORY_LIMIT: -1
run: composer install --no-progress --prefer-dist --no-interaction
- name: Dependency audit (Composer)
run: composer audit --no-interaction
- name: Run tests (PHPUnit)
run: vendor/bin/phpunit --configuration phpunit.xml --testdox
- name: Run static analysis (PHPStan)
run: vendor/bin/phpstan analyse -c phpstan.neon
lint:
name: PHP Lint & Basic Checks (matrix)
runs-on: ubuntu-latest
strategy:
matrix:
php: [ '8.0', '8.1', '8.2' ]
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: ${{ matrix.php }}
- name: Show PHP version
run: php -v
- name: Install composer dependencies
run: |
composer --version || (curl -sS https://getcomposer.org/installer | php && mv composer.phar /usr/local/bin/composer)
composer install --no-progress --no-suggest --prefer-dist --no-interaction
- name: PHP -l lint (all .php files)
run: |
set -euo pipefail
echo "Finding PHP files..."
find . -name '*.php' -not -path './vendor/*' -print0 | xargs -0 -n1 -P4 php -l
- name: Run PHPStan static analysis
run: |
set -euo pipefail
vendor/bin/phpstan analyse --no-progress -c phpstan.neon
- name: Run PHPUnit
run: |
set -euo pipefail
if [ -x vendor/bin/phpunit ]; then
vendor/bin/phpunit --configuration phpunit.xml --colors=always
else
echo 'phpunit not installed; skipping tests (composer install should have installed dev deps).'
exit 0
fi