Add rating per user. #12131
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Integrate | |
| # Run this workflow every time a new commit pushed to your repository | |
| on: | |
| push: | |
| branches: | |
| - master | |
| tags: | |
| - '*' | |
| paths-ignore: | |
| - '**/*.md' | |
| - 'public/dist/*.js' | |
| - 'public/dist/**/*.js' | |
| - 'public/Lychee-front' | |
| pull_request: | |
| paths-ignore: | |
| - '**/*.md' | |
| - 'public/dist/*.js' | |
| - 'public/dist/**/*.js' | |
| - 'public/Lychee-front' | |
| # Allow manually triggering the workflow. | |
| workflow_dispatch: | |
| # Declare default permissions as read only. | |
| permissions: read-all | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: ${{ !contains(github.ref, 'master') && !startsWith(github.ref, 'refs/tags/') }} # Only cancel previous runs on non-master/non-tag branches. | |
| jobs: | |
| php_syntax_errors: | |
| name: 0️⃣ PHP 8.4 - Syntax errors | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 | |
| with: | |
| egress-policy: audit | |
| - name: Setup PHP Action | |
| uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0 | |
| with: | |
| php-version: 8.4 | |
| - name: Checkout code | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| - name: Install dependencies | |
| uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1 | |
| - name: Check source code for syntax errors | |
| run: vendor/bin/parallel-lint --exclude .git --exclude vendor . | |
| check_js: | |
| name: 0️⃣ JS front-end | |
| uses: ./.github/workflows/js_check.yml | |
| code_style_errors: | |
| name: 1️⃣ PHP 8.4 - Code Style errors | |
| runs-on: ubuntu-latest | |
| needs: | |
| - php_syntax_errors | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 | |
| with: | |
| egress-policy: audit | |
| - name: Set up PHP | |
| uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0 | |
| with: | |
| php-version: 8.4 | |
| - name: Checkout code | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| - name: Install dependencies | |
| uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1 | |
| - name: Check source code for code style errors | |
| run: vendor/bin/php-cs-fixer fix --config=.php-cs-fixer.php --verbose --diff --dry-run | |
| phpstan: | |
| name: 1️⃣ PHP 8.4 - PHPStan | |
| runs-on: ubuntu-latest | |
| needs: | |
| - php_syntax_errors | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout code | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| - name: Setup PHP | |
| uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0 | |
| with: | |
| php-version: 8.4 | |
| coverage: none | |
| - name: Install Composer dependencies | |
| uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1 | |
| - name: Run PHPStan | |
| run: vendor/bin/phpstan analyze | |
| license: | |
| name: 1️⃣ PHP 8.4 - License Check | |
| runs-on: ubuntu-latest | |
| needs: | |
| - php_syntax_errors | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout code | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| - name: Setup PHP | |
| uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0 | |
| with: | |
| php-version: 8.4 | |
| coverage: none | |
| - name: Install Composer dependencies | |
| uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1 | |
| # We ban GPL-2.0-or-later, we don't want that viral thing in Lychee: We want to keep our MIT license. | |
| - name: Run License Checker | |
| run: vendor/bin/composer-license-checker check -b GPL-2.0-or-later -b GPL-2.0-only -b GPL-3.0-only -b GPL-3.0-or-later -b AGPL-1.0-only -b AGPL-1.0-or-later -b AGPL-3.0-only -b AGPL-3.0-or-later -b LGPL-2.0-only -b LGPL-2.0-or-later -b LGPL-2.1-only -b LGPL-2.1-or-later -b LGPL-3.0-only -b LGPL-3.0-or-later --no-dev | |
| tests: | |
| name: 1️⃣ PHP tests | |
| needs: | |
| - php_syntax_errors | |
| uses: ./.github/workflows/php_tests.yml | |
| secrets: | |
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
| dist: | |
| name: 2️⃣ PHP dist | |
| needs: | |
| - code_style_errors | |
| uses: ./.github/workflows/php_dist.yml | |
| docker_check: | |
| name: 3️⃣ Dockerfile Lint | |
| runs-on: ubuntu-latest | |
| needs: | |
| - phpstan | |
| - check_js | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout code | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f #v3.12.0 | |
| - name: Docker Lint | |
| uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0 | |
| with: | |
| dockerfile: ./Dockerfile | |
| failure-threshold: warning | |
| - name: Build Docker image locally | |
| run: docker build -t lychee:local . | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1 | |
| with: | |
| image-ref: lychee:local | |
| format: 'table' | |
| exit-code: 1 | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| docker-build: | |
| name: 4️⃣ Build Docker Image | |
| runs-on: ubuntu-latest | |
| if: > | |
| (github.ref == 'refs/heads/master' && github.event_name == 'push') || | |
| (startsWith(github.ref, 'refs/tags/') && github.event_name == 'push') | |
| needs: | |
| - docker_check | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout code | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f #v3.12.0 | |
| - name: Log in to GitHub Container Registry | |
| uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata (tags, labels) | |
| id: meta | |
| uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 | |
| with: | |
| images: ghcr.io/${{ github.repository }} | |
| flavor: | | |
| latest=${{ startsWith(github.ref, 'refs/tags/') }} | |
| tags: | | |
| # define default branch | |
| type=edge,branch=master | |
| # branch event | |
| type=ref,event=branch | |
| # tag event | |
| type=ref,event=tag | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 | |
| with: | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| build-args: | | |
| NODE_ENV=production | |
| createArtifact: | |
| name: 3️⃣ Build Artifact | |
| if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/') | |
| needs: | |
| - phpstan | |
| - dist | |
| - tests | |
| - check_js | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| id-token: write | |
| attestations: write | |
| env: | |
| extensions: bcmath, curl, dom, gd, imagick, json, libxml, mbstring, pcntl, pdo, pdo_sqlite, pdo_mysql, pdo_pgsql, pgsql, sqlite3, zip | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout code | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| - name: Setup PHP | |
| uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0 | |
| with: | |
| php-version: 8.4 | |
| extensions: ${{ env.extensions }} | |
| coverage: none | |
| - name: Use Node.js 20 | |
| uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 | |
| with: | |
| node-version: 20 | |
| - name: Build Dist | |
| run: | | |
| make clean dist | |
| - name: Upload build artifact | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: Lychee.zip | |
| path: Lychee.zip | |
| if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn` | |
| - name: Attest | |
| uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0 | |
| with: | |
| # Path to the artifact serving as the subject of the attestation. Must | |
| # specify exactly one of "subject-path" or "subject-digest". May contain a | |
| # glob pattern or list of paths (total subject count cannot exceed 2500). | |
| subject-path: '${{ github.workspace }}/Lychee.zip' | |
| # SHA256 digest of the subject for the attestation. Must be in the form | |
| # "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one | |
| # of "subject-path" or "subject-digest". | |
| # subject-digest: | |
| # Subject name as it should appear in the attestation. Required unless | |
| # "subject-path" is specified, in which case it will be inferred from the | |
| # path. | |
| # subject-name: Lychee | |
| # Whether to push the attestation to the image registry. Requires that the | |
| # "subject-name" parameter specify the fully-qualified image name and that | |
| # the "subject-digest" parameter be specified. Defaults to false. | |
| # push-to-registry: | |
| # Whether to attach a list of generated attestations to the workflow run | |
| # summary page. Defaults to true. | |
| # show-summary: | |
| # The GitHub token used to make authenticated API requests. Default is | |
| # ${{ github.token }} | |
| github-token: ${{ github.token }} | |
| release: | |
| name: 4️⃣ Release | |
| if: startsWith(github.ref, 'refs/tags/') | |
| needs: | |
| - createArtifact | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| id-token: write | |
| env: | |
| extensions: bcmath, curl, dom, gd, imagick, json, libxml, mbstring, pcntl, pdo, pdo_sqlite, pdo_mysql, pdo_pgsql, pgsql, sqlite3, zip | |
| steps: | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 | |
| - name: Download generated artifact | |
| uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 | |
| with: | |
| name: Lychee.zip | |
| # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable | |
| - name: Sign release with a key | |
| run: | | |
| cosign sign-blob --yes --key env://COSIGN_PRIVATE_KEY --bundle Lychee.zip.sigstore.json Lychee.zip | |
| env: | |
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
| - name: Create release | |
| uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 | |
| with: | |
| files: | | |
| Lychee.zip.sigstore.json | |
| Lychee.zip | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| generate_release_notes: true | |
| make_latest: true |