From 86f98f4959721f2898c29431c522b672cdb91324 Mon Sep 17 00:00:00 2001 From: Tim van Dijen Date: Tue, 19 Aug 2025 23:10:07 +0200 Subject: [PATCH 1/4] Install zip-extension --- .github/workflows/php.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml index 0acb8bf..8cef077 100644 --- a/.github/workflows/php.yml +++ b/.github/workflows/php.yml @@ -226,7 +226,7 @@ jobs: uses: shivammathur/setup-php@v2 with: php-version: ${{ matrix.php-versions }} - extensions: ctype, date, dom, fileinfo, filter, hash, intl, mbstring, openssl, pcre, posix, spl, xml + extensions: ctype, date, dom, fileinfo, filter, hash, intl, mbstring, openssl, pcre, posix, spl, xml, zip tools: composer ini-values: error_reporting=E_ALL coverage: none From 09a5a64fa994144f327ab38634e555507df0c259 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Aug 2025 17:59:44 +0000 Subject: [PATCH 2/4] Bump actions/checkout from 4 to 5 in the all-actions group Bumps the all-actions group with 1 update: [actions/checkout](https://github.com/actions/checkout). Updates `actions/checkout` from 4 to 5 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-actions ... Signed-off-by: dependabot[bot] From bb9e3c6f5de2056e506a16fafb8bb513c3d4efaf Mon Sep 17 00:00:00 2001 From: Tim van Dijen Date: Tue, 19 Aug 2025 23:14:54 +0200 Subject: [PATCH 3/4] Replace psalm with phpstan --- .github/workflows/php.yml | 21 ++++----------------- phpstan-dev.neon | 4 ++++ phpstan.neon | 4 ++++ psalm.xml | 31 ------------------------------- src/Auth/Process/Authorize.php | 12 ++++++------ src/Controller/Authorize.php | 4 ++-- 6 files changed, 20 insertions(+), 56 deletions(-) create mode 100644 phpstan-dev.neon create mode 100644 phpstan.neon delete mode 100644 psalm.xml diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml index 8cef077..5133714 100644 --- a/.github/workflows/php.yml +++ b/.github/workflows/php.yml @@ -86,26 +86,13 @@ jobs: - name: PHP Code Sniffer run: phpcs - - name: Psalm + - name: PHPStan run: | - psalm -c psalm.xml \ - --show-info=true \ - --shepherd \ - --php-version=${{ steps.setup-php.outputs.php-version }} + vendor/bin/phpstan analyze -c phpstan.neon - - name: Psalm (testsuite) + - name: PHPStan (testsuite) run: | - psalm -c psalm-dev.xml \ - --show-info=true \ - --shepherd \ - --php-version=${{ steps.setup-php.outputs.php-version }} - - - name: Psalter - run: | - psalm --alter \ - --issues=UnnecessaryVarAnnotation \ - --dry-run \ - --php-version=${{ steps.setup-php.outputs.php-version }} + vendor/bin/phpstan analyze -c phpstan-dev.neon security: name: Security checks diff --git a/phpstan-dev.neon b/phpstan-dev.neon new file mode 100644 index 0000000..09d9773 --- /dev/null +++ b/phpstan-dev.neon @@ -0,0 +1,4 @@ +parameters: + level: 5 + paths: + - tests diff --git a/phpstan.neon b/phpstan.neon new file mode 100644 index 0000000..db37782 --- /dev/null +++ b/phpstan.neon @@ -0,0 +1,4 @@ +parameters: + level: 6 + paths: + - src diff --git a/psalm.xml b/psalm.xml deleted file mode 100644 index cd7d69d..0000000 --- a/psalm.xml +++ /dev/null @@ -1,31 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/src/Auth/Process/Authorize.php b/src/Auth/Process/Authorize.php index 3fc05e3..e9366b2 100644 --- a/src/Auth/Process/Authorize.php +++ b/src/Auth/Process/Authorize.php @@ -47,7 +47,7 @@ class Authorize extends Auth\ProcessingFilter /** * Array of localised rejection messages * - * @var array + * @var string[] */ protected array $reject_msg = []; @@ -60,9 +60,9 @@ class Authorize extends Auth\ProcessingFilter /** * Array of valid users. Each element is a regular expression. You should - * user \ to escape special chars, like '.' etc. + * use \ to escape special chars, like '.' etc. * - * @param array + * @var array */ protected array $valid_attribute_values = []; @@ -82,7 +82,7 @@ class Authorize extends Auth\ProcessingFilter * Initialize this filter. * Validate configuration parameters. * - * @param array $config Configuration information about this filter. + * @param array $config Configuration information about this filter. * @param mixed $reserved For future use. */ public function __construct(array $config, $reserved) @@ -155,7 +155,7 @@ public function __construct(array $config, $reserved) /** * Apply filter to validate attributes. * - * @param array &$state The current request + * @param array &$state The current request */ public function process(array &$state): void { @@ -225,7 +225,7 @@ public function process(array &$state): void * thinking in case a "chained" ACL is needed, more complex * permission logic. * - * @param array $state + * @param array $state */ protected function unauthorized(array &$state): void { diff --git a/src/Controller/Authorize.php b/src/Controller/Authorize.php index d7e8785..026558d 100644 --- a/src/Controller/Authorize.php +++ b/src/Controller/Authorize.php @@ -51,7 +51,7 @@ public function forbidden(Request $request): Template throw new Error\BadRequest('Missing required StateId query parameter.'); } - /** @var array $state */ + /** @var array $state */ $state = Auth\State::loadState($stateId, 'authorize:Authorize'); $t = new Template($this->config, 'authorize:authorize_403.twig'); @@ -108,7 +108,7 @@ public function reauthenticate(Request $request): void if (!is_string($stateId)) { throw new Error\BadRequest('Missing required StateId query parameter.'); } - /** @var array $state */ + /** @var array $state */ $state = Auth\State::loadState($stateId, 'authorize:Authorize'); $authSource = $state['Source']['auth']; From 4687e042c8fa8915237c3cebe6b2eae3183f88f8 Mon Sep 17 00:00:00 2001 From: Tim van Dijen Date: Tue, 19 Aug 2025 23:32:14 +0200 Subject: [PATCH 4/4] Replace super-linter with custom linters --- .github/workflows/php.yml | 249 +++++++++++++++++++------------------- 1 file changed, 126 insertions(+), 123 deletions(-) diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml index 5133714..e07de6b 100644 --- a/.github/workflows/php.yml +++ b/.github/workflows/php.yml @@ -14,51 +14,62 @@ on: # yamllint disable-line rule:truthy workflow_dispatch: jobs: + phplinter: + name: 'PHP-Linter' + strategy: + fail-fast: false + matrix: + php-version: ['8.1', '8.2', '8.3', '8.4'] + + uses: simplesamlphp/simplesamlphp-test-framework/.github/workflows/reusable_phplinter.yml@v1.9.3 + with: + php-version: ${{ matrix.php-version }} + linter: - name: Linter - runs-on: ['ubuntu-latest'] + name: 'Linter' + strategy: + fail-fast: false - steps: - - uses: actions/checkout@v5 - with: - # super-linter needs the full git history to get the - # list of files that changed across commits - fetch-depth: 0 - - - name: Lint Code Base - uses: super-linter/super-linter/slim@v8 - env: - SAVE_SUPER_LINTER_OUTPUT: false - # To report GitHub Actions status checks - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - LINTER_RULES_PATH: 'tools/linters' - LOG_LEVEL: NOTICE - VALIDATE_ALL_CODEBASE: true - VALIDATE_JSON: true - VALIDATE_PHP_BUILTIN: true - VALIDATE_YAML: true - VALIDATE_XML: true - VALIDATE_GITHUB_ACTIONS: true + uses: simplesamlphp/simplesamlphp-test-framework/.github/workflows/reusable_linter.yml@v1.9.3 + with: + enable_eslinter: false + enable_jsonlinter: true + enable_stylelinter: false + enable_yamllinter: true - quality: - name: Quality control - runs-on: [ubuntu-latest] + unit-tests-linux: + name: "Unit tests, PHP ${{ matrix.php-versions }}, ${{ matrix.operating-system }}" + runs-on: ${{ matrix.operating-system }} + needs: [phplinter, linter] + + strategy: + fail-fast: false + matrix: + operating-system: [ubuntu-latest] + php-versions: ['8.1', '8.2', '8.3', '8.4'] steps: - name: Setup PHP, with composer and extensions - id: setup-php # https://github.com/shivammathur/setup-php uses: shivammathur/setup-php@v2 with: - # Should be the higest supported version, so we can use the newest tools - php-version: '8.3' - tools: composer, composer-require-checker, composer-unused, phpcs, psalm - # optional performance gain for psalm: opcache - extensions: ctype, date, dom, fileinfo, filter, hash, intl, mbstring, opcache, openssl, pcre, posix, spl, xml + php-version: ${{ matrix.php-versions }} + extensions: ctype, date, dom, fileinfo, filter, hash, intl, mbstring, openssl, pcre, posix, spl, xml + tools: composer + ini-values: error_reporting=E_ALL + coverage: pcov - name: Setup problem matchers for PHP run: echo "::add-matcher::${{ runner.tool_cache }}/php.json" + - name: Setup problem matchers for PHPUnit + run: echo "::add-matcher::${{ runner.tool_cache }}/phpunit.json" + + - name: Set git to use LF + run: | + git config --global core.autocrlf false + git config --global core.eol lf + - uses: actions/checkout@v5 - name: Get composer cache directory @@ -71,50 +82,60 @@ jobs: key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} restore-keys: ${{ runner.os }}-composer- - - name: Validate composer.json and composer.lock - run: composer validate - - name: Install Composer dependencies run: composer install --no-progress --prefer-dist --optimize-autoloader - - name: Check code for hard dependencies missing in composer.json - run: composer-require-checker check --config-file=tools/composer-require-checker.json composer.json - - - name: Check code for unused dependencies in composer.json - run: composer-unused + - name: Run unit tests with coverage + if: ${{ matrix.php-versions == '8.4' }} + run: vendor/bin/phpunit - - name: PHP Code Sniffer - run: phpcs + - name: Run unit tests (no coverage) + if: ${{ matrix.php-versions != '8.4' }} + run: vendor/bin/phpunit --no-coverage - - name: PHPStan - run: | - vendor/bin/phpstan analyze -c phpstan.neon + - name: Save coverage data + if: ${{ matrix.php-versions == '8.4' }} + uses: actions/upload-artifact@v4 + with: + name: coverage-data + path: ${{ github.workspace }}/build - - name: PHPStan (testsuite) - run: | - vendor/bin/phpstan analyze -c phpstan-dev.neon + unit-tests-windows: + name: "Unit tests, PHP ${{ matrix.php-versions }}, ${{ matrix.operating-system }}" + runs-on: ${{ matrix.operating-system }} + needs: [phplinter, linter] + strategy: + fail-fast: true + matrix: + operating-system: [windows-latest] + php-versions: ['8.1', '8.2', '8.3', '8.4'] - security: - name: Security checks - runs-on: [ubuntu-latest] steps: - name: Setup PHP, with composer and extensions # https://github.com/shivammathur/setup-php uses: shivammathur/setup-php@v2 with: - # Should be the lowest supported version - php-version: '8.1' - extensions: ctype, date, dom, fileinfo, filter, hash, intl, mbstring, openssl, pcre, posix, spl, xml + php-version: ${{ matrix.php-versions }} + extensions: ctype, date, dom, fileinfo, filter, hash, intl, mbstring, openssl, pcre, posix, spl, xml, zip tools: composer + ini-values: error_reporting=E_ALL coverage: none - name: Setup problem matchers for PHP run: echo "::add-matcher::${{ runner.tool_cache }}/php.json" + - name: Setup problem matchers for PHPUnit + run: echo "::add-matcher::${{ runner.tool_cache }}/phpunit.json" + + - name: Set git to use LF + run: | + git config --global core.autocrlf false + git config --global core.eol lf + - uses: actions/checkout@v5 - name: Get composer cache directory - run: echo COMPOSER_CACHE="$(composer config cache-files-dir)" >> "$GITHUB_ENV" + run: echo COMPOSER_CACHE="$(composer config cache-files-dir)" >> "$env:GITHUB_ENV" - name: Cache composer dependencies uses: actions/cache@v4 @@ -124,49 +145,31 @@ jobs: restore-keys: ${{ runner.os }}-composer- - name: Install Composer dependencies - run: composer install --no-progress --prefer-dist --optimize-autoloader - - - name: Security check for locked dependencies - run: composer audit - - - name: Update Composer dependencies - run: composer update --no-progress --prefer-dist --optimize-autoloader + run: composer install --no-progress --prefer-dist --optimize-autoloader --ignore-platform-req=ext-posix - - name: Security check for updated dependencies - run: composer audit + - name: Run unit tests + run: vendor/bin/phpunit --no-coverage - unit-tests-linux: - name: "Unit tests, PHP ${{ matrix.php-versions }}, ${{ matrix.operating-system }}" - runs-on: ${{ matrix.operating-system }} - needs: [linter, quality, security] - strategy: - fail-fast: false - matrix: - operating-system: [ubuntu-latest] - php-versions: ['8.1', '8.2', '8.3'] + quality: + name: Quality control + runs-on: [ubuntu-latest] + needs: [unit-tests-linux] steps: - name: Setup PHP, with composer and extensions + id: setup-php # https://github.com/shivammathur/setup-php uses: shivammathur/setup-php@v2 with: - php-version: ${{ matrix.php-versions }} - extensions: ctype, date, dom, fileinfo, filter, hash, intl, mbstring, openssl, pcre, posix, spl, xml - tools: composer - ini-values: error_reporting=E_ALL - coverage: pcov + # Should be the higest supported version, so we can use the newest tools + php-version: '8.4' + tools: composer, composer-require-checker, composer-unused, phpcs, psalm + # optional performance gain for psalm: opcache + extensions: ctype, date, dom, fileinfo, filter, hash, intl, mbstring, opcache, openssl, pcre, posix, spl, xml - name: Setup problem matchers for PHP run: echo "::add-matcher::${{ runner.tool_cache }}/php.json" - - name: Setup problem matchers for PHPUnit - run: echo "::add-matcher::${{ runner.tool_cache }}/phpunit.json" - - - name: Set git to use LF - run: | - git config --global core.autocrlf false - git config --global core.eol lf - - uses: actions/checkout@v5 - name: Get composer cache directory @@ -179,60 +182,52 @@ jobs: key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} restore-keys: ${{ runner.os }}-composer- + - name: Validate composer.json and composer.lock + run: composer validate + - name: Install Composer dependencies run: composer install --no-progress --prefer-dist --optimize-autoloader - - name: Run unit tests with coverage - if: ${{ matrix.php-versions == '8.3' }} - run: vendor/bin/phpunit + - name: Check code for hard dependencies missing in composer.json + run: composer-require-checker check --config-file=tools/composer-require-checker.json composer.json - - name: Run unit tests (no coverage) - if: ${{ matrix.php-versions != '8.3' }} - run: vendor/bin/phpunit --no-coverage + - name: Check code for unused dependencies in composer.json + run: composer-unused - - name: Save coverage data - if: ${{ matrix.php-versions == '8.3' }} - uses: actions/upload-artifact@v4 - with: - name: coverage-data - path: ${{ github.workspace }}/build + - name: PHP Code Sniffer + run: phpcs - unit-tests-windows: - name: "Unit tests, PHP ${{ matrix.php-versions }}, ${{ matrix.operating-system }}" - runs-on: ${{ matrix.operating-system }} - needs: [linter, quality, security] - strategy: - fail-fast: true - matrix: - operating-system: [windows-latest] - php-versions: ['8.1', '8.2', '8.3'] + - name: PHPStan + run: | + vendor/bin/phpstan analyze -c phpstan.neon + + - name: PHPStan (testsuite) + run: | + vendor/bin/phpstan analyze -c phpstan-dev.neon + + security: + name: Security checks + runs-on: [ubuntu-latest] + needs: [unit-tests-linux] steps: - name: Setup PHP, with composer and extensions # https://github.com/shivammathur/setup-php uses: shivammathur/setup-php@v2 with: - php-version: ${{ matrix.php-versions }} - extensions: ctype, date, dom, fileinfo, filter, hash, intl, mbstring, openssl, pcre, posix, spl, xml, zip + # Should be the lowest supported version + php-version: '8.1' + extensions: ctype, date, dom, fileinfo, filter, hash, intl, mbstring, openssl, pcre, posix, spl, xml tools: composer - ini-values: error_reporting=E_ALL coverage: none - name: Setup problem matchers for PHP run: echo "::add-matcher::${{ runner.tool_cache }}/php.json" - - name: Setup problem matchers for PHPUnit - run: echo "::add-matcher::${{ runner.tool_cache }}/phpunit.json" - - - name: Set git to use LF - run: | - git config --global core.autocrlf false - git config --global core.eol lf - - uses: actions/checkout@v5 - name: Get composer cache directory - run: echo COMPOSER_CACHE="$(composer config cache-files-dir)" >> "$env:GITHUB_ENV" + run: echo COMPOSER_CACHE="$(composer config cache-files-dir)" >> "$GITHUB_ENV" - name: Cache composer dependencies uses: actions/cache@v4 @@ -242,15 +237,22 @@ jobs: restore-keys: ${{ runner.os }}-composer- - name: Install Composer dependencies - run: composer install --no-progress --prefer-dist --optimize-autoloader --ignore-platform-req=ext-posix + run: composer install --no-progress --prefer-dist --optimize-autoloader - - name: Run unit tests - run: vendor/bin/phpunit --no-coverage + - name: Security check for locked dependencies + run: composer audit + + - name: Update Composer dependencies + run: composer update --no-progress --prefer-dist --optimize-autoloader + + - name: Security check for updated dependencies + run: composer audit coverage: name: Code coverage runs-on: [ubuntu-latest] needs: [unit-tests-linux] + steps: - uses: actions/checkout@v5 @@ -268,8 +270,9 @@ jobs: cleanup: name: Cleanup artifacts - needs: [unit-tests-linux, coverage] runs-on: [ubuntu-latest] + needs: [unit-tests-linux, coverage] + if: | always() && needs.coverage.result == 'success' ||