Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions .env.testing.example
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,12 @@ LOG_DAILY_DAYS=7
LOG_DEPRECATIONS_CHANNEL=null
LOG_LEVEL=debug

DB_CONNECTION=sqlite
DB_DATABASE=:memory:
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=invoiceplane_test
DB_USERNAME=root
DB_PASSWORD=root

SESSION_DRIVER=array
SESSION_LIFETIME=120
Expand Down
44 changes: 24 additions & 20 deletions .github/workflows/phpunit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,28 +10,35 @@ jobs:
phpunit:
runs-on: ubuntu-latest

# MySQL service commented out - tests use SQLite in-memory instead
# services:
# mysql:
# image: mysql:8
# env:
# MYSQL_ROOT_PASSWORD: root
# MYSQL_DATABASE: testing
# ports:
# - 3306:3306
# options: >-
# --health-cmd="mysqladmin ping --silent"
# --health-interval=10s
# --health-timeout=5s
# --health-retries=3
services:
mariadb:
image: mariadb:10.11
env:
MYSQL_DATABASE: invoiceplane_test
MYSQL_ROOT_PASSWORD: root
ports:
- 3306:3306
options: >-
--health-cmd="mysqladmin ping --silent"
--health-interval=10s
--health-timeout=5s
--health-retries=5

env:
DB_CONNECTION: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_DATABASE: invoiceplane_test
DB_USERNAME: root
DB_PASSWORD: root

steps:
- uses: actions/checkout@v4

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify unpinned action refs and checkout credential persistence in workflows
rg -nP '^\s*uses:\s*[^@\s]+@(v?\d+(\.\d+)*)\s*$' .github/workflows
rg -nP '^\s*-\s*uses:\s*actions/checkout@' .github/workflows -A4 -B1

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 2442


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the phpunit workflow around the checkout step
echo "---- phpunit.yml (around checkout) ----"
nl -ba .github/workflows/phpunit.yml | sed -n '1,120p'

# Check whether persist-credentials is set anywhere (especially in phpunit.yml)
echo "---- persist-credentials occurrences ----"
rg -n "persist-credentials" .github/workflows .github/actions || true

# Confirm whether phpunit.yml sets a 'with:' block on the checkout step
echo "---- checkout step in phpunit.yml ----"
rg -n "uses:\s*actions/checkout@" .github/workflows/phpunit.yml -n -C 5

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 173


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "phpunit.yml line count:"
wc -l .github/workflows/phpunit.yml

echo "---- phpunit.yml (first 120 lines) ----"
cat -n .github/workflows/phpunit.yml | sed -n '1,120p'

echo "---- persist-credentials occurrences ----"
rg -n "persist-credentials" .github/workflows .github/actions || true

echo "---- checkout step in phpunit.yml ----"
rg -n "uses:\s*actions/checkout@" .github/workflows/phpunit.yml -C 5 || true

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 2243


🌐 Web query:

actions/checkout persist-credentials default value

💡 Result:

The default value for the persist-credentials input in actions/checkout is true [1][2][3]. When set to true, this setting configures the repository's local git configuration with the authentication token or SSH key used for the checkout [1][4][5]. This allows subsequent git commands (such as git fetch or git push) within the workflow to use these credentials automatically [1][3]. The action removes these credentials from the local configuration during the post-job cleanup process [1][4][5]. Users can set persist-credentials to false to opt out of this behavior [1][5].

Citations:


Pin actions/checkout and disable persisted credentials in phpunit.yml.

  • .github/workflows/phpunit.yml uses a floating ref (actions/checkout@v4) and does not set persist-credentials, whose default is true—so checkout keeps the auth token/SSH key in the local git config for the remainder of the job.

Current state:

      - uses: actions/checkout@v4
Suggested hardening patch
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@<full_commit_sha_for_v4>
+        with:
+          persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 36-36: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 36-36: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/phpunit.yml at line 36, The workflow is using a floating
actions/checkout@v4 ref and leaves persist-credentials enabled; update the
checkout step (the line containing "uses: actions/checkout@v4") to a pinned
release (e.g., a specific patch tag or the action's commit SHA instead of the
floating `@v4`) and add the with: persist-credentials: false option to the same
step so the job does not retain the repo auth token/SSH key after checkout.


- name: Setup PHP with Composer
uses: ./.github/actions/setup-php-composer
with:
php-version: '8.3'
php-version: '8.4'
php-extensions: 'mbstring, bcmath, pdo_mysql'
composer-flags: '--no-progress --prefer-dist --optimize-autoloader'

Expand All @@ -40,11 +47,8 @@ jobs:
cp .env.testing.example .env.testing
php artisan key:generate --env=testing

#- name: Run Laravel migrations
# run: php artisan migrate --force --env=testing

#- name: Run Laravel seeds (optional)
# run: php artisan db:seed --force --env=testing
- name: Run Laravel migrations
run: php artisan migrate --force --env=testing

- name: Run PHPUnit
run: php artisan test --env=testing
39 changes: 20 additions & 19 deletions .github/workflows/quickstart.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,28 +10,28 @@ jobs:
permissions:
contents: read

# MySQL service commented out - smoke tests should not require database setup
# services:
# mysql:
# image: mariadb:10.6
# env:
# MYSQL_DATABASE: testing
# MYSQL_ROOT_PASSWORD: root
# ports:
# - 3306:3306
# options: >-
# --health-cmd="mysqladmin ping"
# --health-interval=10s
# --health-timeout=5s
# --health-retries=5
services:
mariadb:
image: mariadb:10.11
env:
MYSQL_DATABASE: invoiceplane_test
MYSQL_ROOT_PASSWORD: root
ports:
- 3306:3306
options: >-
--health-cmd="mysqladmin ping --silent"
--health-interval=10s
--health-timeout=5s
--health-retries=5

env:
# DB_CONNECTION: mysql
# DB_DATABASE: testing
# DB_USERNAME: root
# DB_PASSWORD: root
# DB_HOST: 127.0.0.1
APP_ENV: testing
DB_CONNECTION: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_DATABASE: invoiceplane_test
DB_USERNAME: root
DB_PASSWORD: root

steps:
- name: Checkout repository
Expand All @@ -41,6 +41,7 @@ jobs:
uses: ./.github/actions/setup-php-composer
with:
php-version: '8.4'
php-extensions: 'mbstring, xml, ctype, json, fileinfo, pdo, pdo_mysql, bcmath'
composer-flags: '--prefer-dist --no-interaction'

- name: Set up Node.js
Expand Down
30 changes: 29 additions & 1 deletion .github/workflows/smoke.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,15 +4,43 @@ permissions:
contents: read

on:
push:
branches:
- master
- develop
pull_request:
branches:
- master
- develop
workflow_dispatch:

jobs:
smoke:
name: Composer, migrations, and smoke tests
runs-on: ubuntu-latest

services:
mariadb:
image: mariadb:10.11
env:
MYSQL_DATABASE: invoiceplane_test
MYSQL_ROOT_PASSWORD: root
ports:
- 3306:3306
options: >-
--health-cmd="mysqladmin ping --silent"
--health-interval=10s
--health-timeout=5s
--health-retries=5

env:
APP_ENV: testing
DB_CONNECTION: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_DATABASE: invoiceplane_test
DB_USERNAME: root
DB_PASSWORD: root

steps:
- name: Checkout repository
Expand All @@ -22,7 +50,7 @@ jobs:
uses: ./.github/actions/setup-php-composer
with:
php-version: '8.4'
php-extensions: 'mbstring, xml, ctype, json, fileinfo, pdo, sqlite, mysql, bcmath'
php-extensions: 'mbstring, xml, ctype, json, fileinfo, pdo, pdo_mysql, pdo_sqlite, sqlite, bcmath'
composer-flags: '--prefer-dist --no-interaction'

- name: Prepare Laravel environment
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/yarn-update.yml
Original file line number Diff line number Diff line change
Expand Up @@ -51,8 +51,8 @@ jobs:
- name: Setup PHP with Composer
uses: ./.github/actions/setup-php-composer
with:
php-version: '8.2'
php-extensions: 'mbstring, xml, ctype, json, fileinfo, pdo, sqlite, mysql'
php-version: '8.4'
php-extensions: 'mbstring, xml, ctype, json, fileinfo, pdo, pdo_sqlite, pdo_mysql'

- name: Check for package-lock.json conflicts
id: lockfile-check
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
use Modules\Clients\Enums\RelationType;
use Modules\Clients\Models\Relation;
use Modules\Core\Models\Company;
use Modules\Core\Models\DocumentGroup;
use Modules\Core\Models\Numbering;
use Modules\Invoices\Models\Invoice;
use Modules\Invoices\Models\RecurringInvoice;

Expand All @@ -25,7 +25,7 @@ public function definition(): array
'company_id' => $company->id,
'customer_id' => Relation::query()->where('relation_type', RelationType::CUSTOMER->value)->inRandomOrder()->first()->id,
'invoice_id' => Invoice::query()->inRandomOrder()->first()->id,
'document_group_id' => DocumentGroup::query()->inRandomOrder()->first()->id,
'numbering_id' => Numbering::query()->inRandomOrder()->first()?->id,
'frequency' => fake()->word,
'start_at' => fake()->date(),
'end_at' => fake()->optional()->date(),
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -11,16 +11,16 @@ public function up(): void
$table->id();
$table->unsignedBigInteger('company_id');
$table->unsignedBigInteger('invoice_id');
$table->unsignedBigInteger('document_group_id')->nullable()->index('recurr_document_group_id_foreign');
$table->unsignedBigInteger('numbering_id')->nullable();
$table->string('frequency');
$table->date('start_at');
$table->date('end_at')->nullable();

$table->foreign('company_id')->references('id')->on('companies')->onDelete('cascade');
$table->foreign('invoice_id')->references('id')->on('invoices')->onDelete('cascade');
$table->foreign('document_group_id', 'recurr_document_group_id_foreign')
$table->foreign('numbering_id', 'recurring_invoices_numbering_id_foreign')
->references('id')
->on('document_groups')
->on('numbering')
->onUpdate('cascade')
->onDelete('restrict');
});
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,9 @@ public static function configure(Schema $schema): Schema
TextInput::make('invoice_id')
->required()
->numeric(),
TextInput::make('document_group_id')
->numeric()
Select::make('numbering_id')
->label(trans('ip.numbering'))
->relationship('numbering', 'name')
->default(null),
Comment thread
coderabbitai[bot] marked this conversation as resolved.
Select::make('frequency')
->options(RecurringFrequency::class)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ public function up(): void
$table->id();
$table->unsignedBigInteger('company_id');
$table->unsignedBigInteger('customer_id');
$table->unsignedBigInteger('invoice_id')->nullable();
$table->unsignedBigInteger('invoice_id');
$table->unsignedBigInteger('merchant_client_id')->nullable();
$table->string('payment_number')->nullable();
$table->string('payment_method');
Expand All @@ -22,7 +22,11 @@ public function up(): void

$table->foreign('company_id')->references('id')->on('companies')->cascadeOnDelete();
$table->foreign('customer_id')->references('id')->on('relations')->restrictOnDelete();
$table->foreign('invoice_id')->references('id')->on('invoices')->nullOnDelete();
$table->foreign('invoice_id', 'payments_invoice_id_foreign')
->references('id')
->on('invoices')
->onUpdate('cascade')
->onDelete('restrict');
// $table->foreign('merchant_client_id')->references('id')->on('merchant_clients')->nullOnDelete();
});
}
Expand Down

This file was deleted.

Loading