aspirepress
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/codeql.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/workflows/dependency-review.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/dependency-review.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/php-static-analysis.yml‎
Lines changed: 49 additions & 0 deletions b/‎.github/workflows/php-static-analysis.yml‎
Lines changed: 49 additions & 0 deletions
diff --git a/‎.github/workflows/phpunit.yml‎
Lines changed: 84 additions & 0 deletions b/‎.github/workflows/phpunit.yml‎
Lines changed: 84 additions & 0 deletions
diff --git a/‎.github/workflows/run-checks.yaml‎
Lines changed: 0 additions & 50 deletions b/‎.github/workflows/run-checks.yaml‎
Lines changed: 0 additions & 50 deletions
diff --git a/‎.github/workflows/scorecards.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/scorecards.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎app/Http/Controllers/API/WpOrg/Export/ExportController.php‎
Lines changed: 55 additions & 0 deletions b/‎app/Http/Controllers/API/WpOrg/Export/ExportController.php‎
Lines changed: 55 additions & 0 deletions
diff --git a/‎app/Models/User.php‎
Lines changed: 3 additions & 1 deletion b/‎app/Models/User.php‎
Lines changed: 3 additions & 1 deletion
@@ -43,9 +43,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8    # v5.0.0
 
       # Initializes the CodeQL tools for scanning.
+      # These all use the @v3 tag instead of a commit hash because I can't make hashes work with the three-level path.
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:
 
@@ -17,6 +17,6 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683    # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8    # v5.0.0
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9    # v4.7.1
+        uses: actions/dependency-review-action@595b5aeba73380359d98a5e087f648dbb0edce1b    # v4.7.3
@@ -0,0 +1,49 @@
+name: Commit Pipeline
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+permissions: # added using https://github.com/step-security/secure-repo
+  contents: read
+
+jobs:
+  php-static-analysis:
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8    # v5.0.0
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # v2
+        with:
+          php-version: 8.4
+
+      - name: Get composer cache directory
+        id: composer-cache
+        run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
+
+      - name: Cache composer dependencies
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: ${{ steps.composer-cache.outputs.dir }}
+          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+          restore-keys: ${{ runner.os }}-composer-
+
+      - name: Install dependencies
+        run: composer install
+
+      - name: Run PHPStan
+        run: vendor/bin/phpstan --memory-limit=1G analyse -v
+
+      - name: Run Psalm
+        run: vendor/bin/psalm --memory-limit=2G
+
@@ -0,0 +1,84 @@
+name: Commit Pipeline
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+permissions: # added using https://github.com/step-security/secure-repo
+  contents: read
+
+jobs:
+  phpunit:
+    runs-on: ubuntu-24.04
+
+    strategy:
+      matrix:
+        php-versions: [ '8.4' ]
+
+    services:
+      postgres:
+        image: postgres:latest
+        env:
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: postgres
+          POSTGRES_DB: aspirecloud_testing
+        ports:
+          - 5432/tcp
+        options: --health-cmd pg_isready --health-interval 2s --health-timeout 2s --health-retries 10
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8    # v5.0.0
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # v2
+        with:
+          php-version: ${{ matrix.php-versions }}
+          extensions: mbstring, pgsql
+          # not doing coverage in CI yet
+          # coverage: xdebug
+
+      - name: Get composer cache directory
+        id: composer-cache
+        run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
+
+      - name: Cache composer dependencies
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: ${{ steps.composer-cache.outputs.dir }}
+          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+          restore-keys: ${{ runner.os }}-composer-
+
+      - name: Install dependencies
+        run: composer install
+
+      - name: Prepare tests
+        run: |
+          cp .env.example .env
+          php artisan key:generate
+          php artisan migrate
+        env:
+          CACHE_STORE: array
+          DB_HOST: localhost
+          DB_PORT: ${{ job.services.postgres.ports[5432] }}
+          DB_USERNAME: postgres
+          DB_PASSWORD: postgres
+          DB_DATABASE: aspirecloud_testing
+
+      - name: Run Pest
+        run: vendor/bin/pest --ci
+        env:
+          CACHE_STORE: array
+          DB_HOST: localhost
+          DB_PORT: ${{ job.services.postgres.ports[5432] }}
+          DB_USERNAME: postgres
+          DB_PASSWORD: postgres
+          DB_DATABASE: aspirecloud_testing
+
@@ -39,7 +39,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8    # v5.0.0
         with:
           persist-credentials: false
 
@@ -66,14 +66,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v3 # I can't make commit hashes work with these three-level paths...
         with:
           sarif_file: results.sarif
@@ -0,0 +1,55 @@
+<?php
+
+namespace App\Http\Controllers\API\WpOrg\Export;
+
+use App\Http\Controllers\Controller;
+use App\Services\Exports\ExportService;
+use App\Values\WpOrg\Export\ExportRequest;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Storage;
+use Symfony\Component\HttpFoundation\StreamedResponse;
+
+class ExportController extends Controller
+{
+    public function __construct(
+        private readonly ExportService $exportService,
+    ) {}
+
+    public function __invoke(Request $request, string $type): StreamedResponse
+    {
+        $req = ExportRequest::from([
+            ...$request->all(),
+            'type' => $type,
+        ]);
+
+        $path = $this->exportService->getExportedFilePath($req);
+        return $this->streamFromS3($path);
+    }
+
+    /**
+     * Stream the exported data from S3.
+     *
+     * @param string $path
+     * @return StreamedResponse
+     */
+    private function streamFromS3(string $path): StreamedResponse
+    {
+        $response = new StreamedResponse(function () use ($path) {
+            $stream = Storage::disk('s3')->readStream($path);
+            if (!$stream) {
+                throw new \RuntimeException("Failed to read stream from S3 for key: $path");
+            }
+
+            while (!feof($stream)) {
+                echo fgets($stream, 16384);
+            }
+
+            \Safe\fclose($stream);
+        });
+
+        $response->headers->set('Content-Type', 'application/x-ndjson');
+        $response->headers->set('Content-Disposition', 'attachment; filename="' . basename($path) . '"');
+
+        return $response;
+    }
+}
@@ -14,6 +14,7 @@
 use Laravel\Fortify\TwoFactorAuthenticatable;
 use Laravel\Jetstream\HasProfilePhoto;
 use Laravel\Sanctum\HasApiTokens;
+use Laravel\Sanctum\PersonalAccessToken;
 use Spatie\Permission\Traits\HasRoles;
 
 /**
@@ -30,12 +31,13 @@
  */
 class User extends Authenticatable
 {
+    /** @use HasApiTokens<PersonalAccessToken> */
     use HasApiTokens;
-    use HasRoles;
 
     /** @use HasFactory<UserFactory> */
     use HasFactory;
 
+    use HasRoles;
     use HasProfilePhoto;
     use Notifiable;
     use TwoFactorAuthenticatable;