diff --git a/.github/workflows/dependency-security-audit.yml b/.github/workflows/dependency-security-audit.yml
new file mode 100644
index 0000000..97e3187
--- /dev/null
+++ b/.github/workflows/dependency-security-audit.yml
@@ -0,0 +1,44 @@
+name: Audit Composer dependencies
+permissions:
+  contents: read
+on:
+  workflow_call:
+
+env:
+  DEV_SCRIPTS_DIR: ${{ github.workspace }}/vendor/publishpress/dev-workspace/scripts
+
+jobs:
+  check:
+    name: Run the dependency audit
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - name: Checkout repository
+        # actions/checkout@v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+
+      - name: Set up PHP
+        # shivammathur/setup-php@2.37.0
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f
+        with:
+          php-version: 8.3
+          extensions: mbstring,xml,curl,zip,intl,bcmath,gettext,mysqli,phar,gd,iconv,yaml
+          tools: composer:v2
+
+      - name: Create root .env file
+        run: cp $GITHUB_WORKSPACE/.env.example $GITHUB_WORKSPACE/.env
+
+      - name: Validate Composer configuration
+        run: composer validate --strict
+
+      - name: Install Composer dependencies
+        run: composer install --no-interaction --prefer-dist --no-progress
+
+      - name: Show dev-workspace tool versions
+        run: composer info:version
+
+      - name: Add dev-workspace scripts to PATH
+        run: echo "$DEV_SCRIPTS_DIR" >> "$GITHUB_PATH"
+
+      - name: Run Composer dependency security audit
+        run: composer audit --locked
\ No newline at end of file
diff --git a/README.md b/README.md
index b13b708..df49abe 100644
--- a/README.md
+++ b/README.md
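Review bot: The audit is the last step, so `composer install` (the "Install Composer dependencies" step) has already run the install-time scripts and plugins of the very packages the job is about to check; since `composer audit --locked` reads only composer.lock, moving that step ahead of the install lets a lock file with a known advisory fail the job before any dependency code executes. The "Add dev-workspace scripts to PATH" step writes a vendor directory to `$GITHUB_PATH`, which prepends it to PATH for every later step, so the final `composer audit` invocation can be shadowed by a same-named binary shipped in that dependency; auditing before that step avoids this as well. Two smaller points: quote the PHP version, `php-version: "8.3"`, so a future `8.10` is not parsed as the float 8.1, and quote the shell paths in the `.env` step, `run: cp "$GITHUB_WORKSPACE/.env.example" "$GITHUB_WORKSPACE/.env"`.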
@@ -6,6 +6,7 @@ Reusable GitHub Actions workflows for PublishPress plugin repositories. - `.github/workflows/unit-tests.yml`: Runs PHPUnit tests. - `.github/workflows/code-standards.yml`: Runs PHP compatibility and lint checks. +- `.github/workflows/dependency-security-audit.yml`: Runs Composer dependency security audits. - `.github/workflows/deploy-free.yml`: Builds and deploys free plugin releases to WordPress.org and uploads release assets to GitHub. - `.github/workflows/deploy-free-assets.yml`: Updates WordPress.org plugin assets/readme. - `.github/workflows/deploy-pro.yml`: Builds pro plugin packages and uploads release assets to GitHub.