forked from squizlabs/PHP_CodeSniffer
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
27 additions
and
176 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -23,19 +23,23 @@ concurrency: | |
|
|
||
| jobs: | ||
| ############################ | ||
| # Verify the release assets. | ||
| # Verify the release is available in all the right places and works as expected. | ||
| ############################ | ||
| verify-release-assets: | ||
| verify-available-downloads: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| download_flavour: | ||
| - "Release assets" | ||
| - "Unversioned web" | ||
| - "Versioned web" | ||
| pharfile: | ||
| - 'phpcs' | ||
| - 'phpcbf' | ||
|
|
||
| name: "Release assets: ${{ matrix.pharfile }}" | ||
| name: "${{ matrix.download_flavour }}: ${{ matrix.pharfile }}" | ||
|
|
||
| steps: | ||
| - name: Retrieve latest release info | ||
|
|
@@ -57,184 +61,33 @@ jobs: | |
| - name: "DEBUG: Show tag name found in API response" | ||
| run: "echo ${{ steps.version.outputs.TAG }}" | ||
|
|
||
| - name: Verify PHAR file is available and download | ||
| run: wget -O ${{ matrix.pharfile }}.phar https://github.com/PHPCSStandards/PHP_CodeSniffer/releases/latest/download/${{ matrix.pharfile }}.phar | ||
|
|
||
| - name: Verify signature file is available and download | ||
| run: wget -O ${{ matrix.pharfile }}.phar.asc https://github.com/PHPCSStandards/PHP_CodeSniffer/releases/latest/download/${{ matrix.pharfile }}.phar.asc | ||
|
|
||
| - name: "DEBUG: List files" | ||
| run: ls -Rlh | ||
|
|
||
| - name: Verify attestation of the PHAR file | ||
| run: gh attestation verify ${{ matrix.pharfile }}.phar -o PHPCSStandards | ||
| env: | ||
| GH_TOKEN: ${{ github.token }} | ||
|
|
||
| - name: Download public key | ||
| env: | ||
| FINGERPRINT: "0x689DAD778FF08760E046228BA978220305CD5C32" | ||
| run: gpg --keyserver hkps://keys.openpgp.org --recv-keys $FINGERPRINT | ||
|
|
||
| - name: Verify signature of the PHAR file | ||
| run: gpg --verify ${{ matrix.pharfile }}.phar.asc ${{ matrix.pharfile }}.phar | ||
|
|
||
| - name: Setup PHP | ||
| uses: shivammathur/setup-php@v2 | ||
| with: | ||
| php-version: 'latest' | ||
| ini-values: error_reporting=-1, display_errors=On | ||
| coverage: none | ||
|
|
||
| # Note: the `.` is in the command to make it work for both PHPCS as well PHPCBF. | ||
| - name: Verify the PHAR is nominally functional | ||
| run: php ${{ matrix.pharfile }}.phar . -e --standard=PSR12 | ||
|
|
||
| - name: Grab the version | ||
| id: asset_version | ||
| env: | ||
| FILE_NAME: ${{ matrix.pharfile }}.phar | ||
| # yamllint disable-line rule:line-length | ||
| run: echo "VERSION=$(php "$FILE_NAME" --version | grep --only-matching --max-count=1 --extended-regexp '\b[0-9]+(\.[0-9]+)+')" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: "DEBUG: Show grabbed version" | ||
| run: echo ${{ steps.asset_version.outputs.VERSION }} | ||
|
|
||
| - name: Fail the build if the PHAR is not the correct version | ||
| if: ${{ steps.asset_version.outputs.VERSION != steps.version.outputs.TAG }} | ||
| run: exit 1 | ||
|
|
||
| ########################################## | ||
| # Verify plain downloads from the website. | ||
| ########################################## | ||
| verify-plain-web: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| pharfile: | ||
| - 'phpcs' | ||
| - 'phpcbf' | ||
|
|
||
| name: "Unversioned web: ${{ matrix.pharfile }}" | ||
|
|
||
| steps: | ||
| - name: Retrieve latest release info | ||
| uses: octokit/[email protected] | ||
| id: get_latest_release | ||
| with: | ||
| route: GET /repos/PHPCSStandards/PHP_CodeSniffer/releases/latest | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: "DEBUG: Show API request failure status" | ||
| if: ${{ failure() }} | ||
| run: "echo No release found. Request failed with status ${{ steps.get_latest_release.outputs.status }}" | ||
|
|
||
| - name: Grab latest tag name from API response | ||
| id: version | ||
|
|
||
| - name: Get source URL | ||
| id: source | ||
| shell: bash | ||
| run: | | ||
| echo "TAG=${{ fromJson(steps.get_latest_release.outputs.data).tag_name }}" >> "$GITHUB_OUTPUT" | ||
| - name: "DEBUG: Show tag name found in API response" | ||
| run: "echo ${{ steps.version.outputs.TAG }}" | ||
|
|
||
| - name: Verify PHAR file is available and download | ||
| run: curl --remote-name https://phars.phpcodesniffer.com/${{ matrix.pharfile }}.phar | ||
|
|
||
| - name: Verify signature file is available and download | ||
| run: curl --remote-name https://phars.phpcodesniffer.com/${{ matrix.pharfile }}.phar.asc | ||
|
|
||
| - name: "DEBUG: List files" | ||
| run: ls -Rlh | ||
|
|
||
| - name: Verify attestation of the PHAR file | ||
| run: gh attestation verify ${{ matrix.pharfile }}.phar -o PHPCSStandards | ||
| env: | ||
| GH_TOKEN: ${{ github.token }} | ||
|
|
||
| - name: Download public key | ||
| env: | ||
| FINGERPRINT: "0x689DAD778FF08760E046228BA978220305CD5C32" | ||
| run: gpg --keyserver hkps://keys.openpgp.org --recv-keys $FINGERPRINT | ||
|
|
||
| - name: Verify signature of the PHAR file | ||
| run: gpg --verify ${{ matrix.pharfile }}.phar.asc ${{ matrix.pharfile }}.phar | ||
|
|
||
| - name: Setup PHP | ||
| uses: shivammathur/setup-php@v2 | ||
| with: | ||
| php-version: 'latest' | ||
| ini-values: error_reporting=-1, display_errors=On | ||
| coverage: none | ||
|
|
||
| # Note: the `.` is in the command to make it work for both PHPCS as well PHPCBF. | ||
| - name: Verify the PHAR is nominally functional | ||
| run: php ${{ matrix.pharfile }}.phar . -e --standard=PSR12 | ||
|
|
||
| - name: Grab the version | ||
| id: asset_version | ||
| env: | ||
| FILE_NAME: ${{ matrix.pharfile }}.phar | ||
| # yamllint disable-line rule:line-length | ||
| run: echo "VERSION=$(php "$FILE_NAME" --version | grep --only-matching --max-count=1 --extended-regexp '\b[0-9]+(\.[0-9]+)+')" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: "DEBUG: Show grabbed version" | ||
| run: echo ${{ steps.asset_version.outputs.VERSION }} | ||
|
|
||
| - name: Fail the build if the PHAR is not the correct version | ||
| if: ${{ steps.asset_version.outputs.VERSION != steps.version.outputs.TAG }} | ||
| run: exit 1 | ||
|
|
||
| # ######################################### | ||
| # Verify versioned downloads from the website. | ||
| # ######################################### | ||
| verify-versioned-web: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| pharfile: | ||
| - 'phpcs' | ||
| - 'phpcbf' | ||
|
|
||
| name: "Versioned web: ${{ matrix.pharfile }}" | ||
|
|
||
| steps: | ||
| - name: Retrieve latest release info | ||
| uses: octokit/[email protected] | ||
| id: get_latest_release | ||
| with: | ||
| route: GET /repos/PHPCSStandards/PHP_CodeSniffer/releases/latest | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: "DEBUG: Show API request failure status" | ||
| if: ${{ failure() }} | ||
| run: "echo No release found. Request failed with status ${{ steps.get_latest_release.outputs.status }}" | ||
|
|
||
| - name: Grab latest tag name from API response | ||
| id: version | ||
| run: | | ||
| echo "TAG=${{ fromJson(steps.get_latest_release.outputs.data).tag_name }}" >> "$GITHUB_OUTPUT" | ||
| - name: "DEBUG: Show tag name found in API response" | ||
| run: "echo ${{ steps.version.outputs.TAG }}" | ||
| if [[ ${{ matrix.download_flavour }} == 'Release assets' ]]; then | ||
| echo 'SRC=https://github.com/PHPCSStandards/PHP_CodeSniffer/releases/latest/download/' >> "$GITHUB_OUTPUT" | ||
| echo 'FILE=${{ matrix.pharfile }}.phar' >> "$GITHUB_OUTPUT" | ||
| elif [[ ${{ matrix.download_flavour }} == 'Unversioned web' ]]; then | ||
| echo 'SRC=https://phars.phpcodesniffer.com/' >> "$GITHUB_OUTPUT" | ||
| echo 'FILE=${{ matrix.pharfile }}.phar' >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo 'SRC=https://phars.phpcodesniffer.com/phars/' >> "$GITHUB_OUTPUT" | ||
| echo 'FILE=${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar' >> "$GITHUB_OUTPUT" | ||
| fi | ||
| - name: Verify PHAR file is available and download | ||
| run: curl --remote-name https://phars.phpcodesniffer.com/phars/${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar | ||
| run: wget -O ${{ steps.source.outputs.FILE }} ${{ steps.source.outputs.SRC }}${{ steps.source.outputs.FILE }} | ||
|
|
||
| - name: Verify signature file is available and download | ||
| run: curl --remote-name https://phars.phpcodesniffer.com/phars/${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar.asc | ||
| run: wget -O ${{ steps.source.outputs.FILE }}.asc ${{ steps.source.outputs.SRC }}${{ steps.source.outputs.FILE }}.asc | ||
|
|
||
| - name: "DEBUG: List files" | ||
| run: ls -Rlh | ||
|
|
||
| - name: Verify attestation of the PHAR file | ||
| run: gh attestation verify ${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar -o PHPCSStandards | ||
| run: gh attestation verify ${{ steps.source.outputs.FILE }} -o PHPCSStandards | ||
| env: | ||
| GH_TOKEN: ${{ github.token }} | ||
|
|
||
|
|
@@ -244,9 +97,7 @@ jobs: | |
| run: gpg --keyserver hkps://keys.openpgp.org --recv-keys $FINGERPRINT | ||
|
|
||
| - name: Verify signature of the PHAR file | ||
| run: > | ||
| gpg --verify ${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar.asc | ||
| ${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar | ||
| run: gpg --verify ${{ steps.source.outputs.FILE }}.asc ${{ steps.source.outputs.FILE }} | ||
|
|
||
| - name: Setup PHP | ||
| uses: shivammathur/setup-php@v2 | ||
|
|
@@ -257,12 +108,12 @@ jobs: | |
|
|
||
| # Note: the `.` is in the command to make it work for both PHPCS as well PHPCBF. | ||
| - name: Verify the PHAR is nominally functional | ||
| run: php ${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar . -e --standard=PSR12 | ||
| run: php ${{ steps.source.outputs.FILE }} . -e --standard=PSR12 | ||
|
|
||
| - name: Grab the version | ||
| id: asset_version | ||
| env: | ||
| FILE_NAME: ${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar | ||
| FILE_NAME: ${{ steps.source.outputs.FILE }} | ||
| # yamllint disable-line rule:line-length | ||
| run: echo "VERSION=$(php "$FILE_NAME" --version | grep --only-matching --max-count=1 --extended-regexp '\b[0-9]+(\.[0-9]+)+')" >> "$GITHUB_OUTPUT" | ||
|
|
||
|
|
||