verify.yml
# CI gate for the repository: the jobs below check the PHP code and the
# Docker images.
name: PHP Verify

on:
  push:
    branches:
      - main
  pull_request:
  # Renovate pushes its updates to "renovate/*" branches; this workflow has to
  # succeed there so that branch-mode auto-merge can gate on it.
  # NOTE(review): the push filter above lists only main, so as written those
  # branches are verified through pull_request runs only - confirm that this
  # matches the Renovate auto-merge mode in use.
  workflow_dispatch:

# Least privilege: the workflow token may only read repository contents.
# No job below overrides this.
permissions:
  contents: read

# One active run per workflow and ref; a newer run cancels the one still in
# progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
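jobs:
  # NOTE(review): every `uses:` below references an action by a mutable
  # major-version tag. Pinning each one to a full commit SHA (keeping the tag
  # as a trailing comment) prevents a moved tag from silently changing what
  # runs in this gate; Renovate can keep such pins up to date.

  # Validates Composer metadata, installs dependencies, then lints, statically
  # analyses and (when configured) tests the PHP sources.
  verify:
    name: Verify PHP ${{ matrix.php-version }}
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # PHP version is kept in sync with the Dockerfile by Renovate.
        # See the customManagers rule in renovate.json - do not edit this
        # line by hand, Renovate will bump it together with the Dockerfile.
        # renovate: datasource=docker depName=php
        php-version: ['8.4']
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # No later step in this job uses git credentials, and the following
          # steps run third-party code (Composer packages), so do not keep the
          # checkout token around for them.
          persist-credentials: false

      - name: Set up PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: ${{ matrix.php-version }}
          # Match the extensions installed in the Dockerfile
          extensions: mbstring, pdo, pdo_mysql, mysqli, gd
          coverage: none
          tools: composer:v2

      - name: Validate composer.json and composer.lock
        # --no-check-publish: this is an application, not a library on Packagist
        # No --strict: tolerate `"*"` constraints and missing optional fields
        # (description, license, etc.) which are fine for an internal project.
        # The important checks - valid JSON and lockfile in sync - still run.
        run: composer validate --no-check-publish --no-check-all

      - name: Get Composer cache directory
        id: composer-cache
        # Exposes the cache path as the step output `dir` for the cache step.
        run: echo "dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT"

      - name: Cache Composer dependencies
        uses: actions/cache@v5
        with:
          path: ${{ steps.composer-cache.outputs.dir }}
          # Exact hit only while composer.lock is unchanged; restore-keys falls
          # back to the newest cache for the same OS and PHP version.
          key: ${{ runner.os }}-php${{ matrix.php-version }}-composer-${{ hashFiles('**/composer.lock') }}
          restore-keys: |
            ${{ runner.os }}-php${{ matrix.php-version }}-composer-

      - name: Install dependencies
        run: composer install --prefer-dist --no-progress --no-interaction

      - name: Lint all PHP files (syntax check)
        # The lint output is captured and printed only when the pipeline fails.
        # pipefail is enabled because a step without an explicit `shell:` is
        # not started with it: without it only xargs' status counts, and a
        # failing `find` (for example a renamed source directory) would let
        # the step pass without linting anything.
        run: |
          set -o pipefail
          find php public -type f -name "*.php" -print0 \
            | xargs -0 -n1 -P4 php -l > /tmp/lint.log 2>&1 \
            || (cat /tmp/lint.log && exit 1)

      - name: Static analysis (PHPStan)
        # No phpstan in composer.json yet - install ad-hoc to catch breaking
        # changes from dependency updates. Level 0 catches removed/renamed
        # symbols without complaining about pre-existing untyped code.
        #
        # jetbrains/phpstorm-attributes provides stub classes for PhpStorm's
        # IDE hint attributes (#[Pure], #[Immutable], etc.) that the codebase
        # uses. PHP ignores unknown attributes at runtime, but PHPStan flags
        # them as undefined classes - this package makes them resolvable.
        #
        # NOTE(review): both packages are required without a version
        # constraint, so each run resolves whatever release is current and the
        # result of this step can change without any change in the repository.
        # Declaring them in composer.json / composer.lock would pin them and
        # bring them under the same review as the other dependencies.
        run: |
          composer require --dev --no-progress --no-interaction --no-update \
            phpstan/phpstan jetbrains/phpstorm-attributes
          composer update --no-progress --no-interaction \
            phpstan/phpstan jetbrains/phpstorm-attributes
          vendor/bin/phpstan analyse \
            --no-progress \
            --error-format=github \
            --level=0 \
            php public

      - name: Run tests (PHPUnit)
        # Currently no tests in this repo - this step is a no-op until added.
        run: |
          if [ -f vendor/bin/phpunit ]; then
            vendor/bin/phpunit --no-coverage
          else
            echo "::notice::No PHPUnit configured - skipping tests."
          fi

  # Builds the production and debug images without pushing them, then runs
  # PHP inside the production image as a smoke test.
  docker-build:
    name: Verify Docker image builds
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # The checkout directory is the build context (`context: .`) of both
          # image builds and no step needs git credentials, so do not persist
          # the checkout token.
          persist-credentials: false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4

      - name: Build production image
        uses: docker/build-push-action@v7
        with:
          context: .
          file: ./Dockerfile
          # Build only: the image is loaded into the local Docker daemon for
          # the smoke test and is never pushed.
          push: false
          load: true
          tags: devmarkt:ci
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Build debug image
        uses: docker/build-push-action@v7
        with:
          context: .
          file: ./debug.Dockerfile
          push: false
          load: true
          tags: devmarkt:ci-debug
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Smoke-test container starts and PHP works
        # Only the production image (devmarkt:ci) is exercised here; the debug
        # image is verified by its build alone.
        run: |
          # Boot the container, confirm PHP can parse the app's entry points
          # without throwing. Catches breaking changes that only show up
          # under the actual base image's PHP version.
          docker run --rm --entrypoint php devmarkt:ci -v
          docker run --rm --entrypoint php devmarkt:ci -m
          docker run --rm --entrypoint sh devmarkt:ci -c \
            'find /var/www -name "*.php" -not -path "*/vendor/*" -print0 | xargs -0 -n1 php -l > /dev/null'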