fix: Downgrade Illuminate to v10 for PHP 8.1 compatibility #6
| name: Security | |
| on: | |
| push: | |
| branches: [ master, development ] | |
| pull_request: | |
| branches: [ master, development ] | |
| schedule: | |
| - cron: '0 0 * * 1' # Weekly on Mondays | |
| jobs: | |
| security: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup PHP | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: '8.1' | |
| extensions: pdo, pdo_mysql, mbstring, openssl, tokenizer, xml, ctype, json, bcmath | |
| tools: composer:v2 | |
| - name: Cache Composer dependencies | |
| uses: actions/cache@v3 | |
| with: | |
| path: vendor | |
| key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-composer- | |
| - name: Install PHP dependencies | |
| run: composer install --no-progress --prefer-dist --optimize-autoloader | |
| - name: Run Composer Security Audit | |
| run: composer audit --format=summary || echo "Composer audit completed with warnings" | |
| - name: Check for vulnerable dependencies | |
| run: | | |
| if command -v safety &> /dev/null; then | |
| safety check --json || echo "Safety check completed with warnings" | |
| else | |
| echo "Safety tool not found, skipping Python dependency check..." | |
| fi | |
| - name: Check for exposed secrets | |
| run: | | |
| # Check for common patterns that might indicate secrets | |
| if command -v grep &> /dev/null; then | |
| echo "Checking for potential secrets..." | |
| grep -r "password\|secret\|key\|token" --include="*.php" --include="*.js" --include="*.json" app/ core/ || echo "No obvious secrets found in source code" | |
| fi | |
| - name: Security scan with Trivy | |
| uses: aquasecurity/trivy-action@0.30.0 | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| continue-on-error: true | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| ignore-file: 'trivy-ignore.txt' |
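Review bot: None of the scan steps can fail this job — the "Run Composer Security Audit" and "Check for vulnerable dependencies" steps each end in `|| echo …`, and the Trivy step sets `continue-on-error: true` without an `exit-code` input — so the workflow reports findings but never blocks a vulnerable merge; at minimum the composer step should gate: `run: composer audit --format=summary`. The `safety` branch checks Python dependencies, which this PHP project has none of, and the tool is not preinstalled on ubuntu-latest, so that step always prints the "skipping" message and can be dropped. The "Check for exposed secrets" grep prints every matching source line into the job log, so a real credential would be copied into the log rather than caught; use `grep -rl …` to list file names only, or a dedicated secret scanner. The `upload-sarif` step needs `security-events: write`, and the workflow declares no `permissions:` block at all; I also don't believe `upload-sarif` accepts an `ignore-file` input (it would be ignored with a warning) — Trivy's own input for that file is `trivyignores` on the Trivy step. Pinning the third-party actions to a commit SHA rather than a mutable tag would additionally protect this security job from upstream tag changes.
```yaml
permissions:
  contents: read
  security-events: write
# … unchanged: on:, runs-on, checkout / PHP / cache / install / audit steps …
      - name: Security scan with Trivy
        uses: aquasecurity/trivy-action@0.30.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          exit-code: '1'
          trivyignores: 'trivy-ignore.txt'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
```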