Add flow backend #9999
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Integrate | |
| # Run this workflow every time a new commit pushed to your repository | |
| on: | |
| push: | |
| paths-ignore: | |
| - '**/*.md' | |
| - 'public/dist/*.js' | |
| - 'public/dist/**/*.js' | |
| - 'public/Lychee-front' | |
| pull_request: | |
| paths-ignore: | |
| - '**/*.md' | |
| - 'public/dist/*.js' | |
| - 'public/dist/**/*.js' | |
| - 'public/Lychee-front' | |
| # Allow manually triggering the workflow. | |
| workflow_dispatch: | |
| # Declare default permissions as read only. | |
| permissions: read-all | |
| jobs: | |
| kill_previous: | |
| name: 0️⃣ Kill previous runs | |
| runs-on: ubuntu-latest | |
| # We want to run on external PRs, but not on our own internal PRs as they'll be run by the push to the branch. | |
| if: (github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository) | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 | |
| with: | |
| egress-policy: audit | |
| - name: Cancel Previous Runs | |
| uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1 | |
| with: | |
| access_token: ${{ github.token }} | |
| php_syntax_errors: | |
| name: 1️⃣ PHP 8.3 - Syntax errors | |
| runs-on: ubuntu-latest | |
| needs: | |
| - kill_previous | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 | |
| with: | |
| egress-policy: audit | |
| - name: Setup PHP Action | |
| uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # 2.34.1 | |
| with: | |
| php-version: 8.3 | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Install dependencies | |
| uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1 | |
| - name: Check source code for syntax errors | |
| run: vendor/bin/parallel-lint --exclude .git --exclude vendor . | |
| code_style_errors: | |
| name: 2️⃣ PHP 8.3 - Code Style errors | |
| runs-on: ubuntu-latest | |
| needs: | |
| - php_syntax_errors | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 | |
| with: | |
| egress-policy: audit | |
| - name: Set up PHP | |
| uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # 2.34.1 | |
| with: | |
| php-version: 8.3 | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Install dependencies | |
| uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1 | |
| - name: Check source code for code style errors | |
| run: PHP_CS_FIXER_IGNORE_ENV=1 vendor/bin/php-cs-fixer fix --config=.php-cs-fixer.php --verbose --diff --dry-run | |
| check_js: | |
| name: 2️⃣ JS front-end | |
| uses: ./.github/workflows/js_check.yml | |
| needs: | |
| - php_syntax_errors | |
| phpstan: | |
| name: 2️⃣ PHP 8.3 - PHPStan | |
| runs-on: ubuntu-latest | |
| needs: | |
| - php_syntax_errors | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup PHP | |
| uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # 2.34.1 | |
| with: | |
| php-version: 8.3 | |
| coverage: none | |
| - name: Install Composer dependencies | |
| uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1 | |
| - name: Run PHPStan | |
| run: vendor/bin/phpstan analyze | |
| license: | |
| name: 2️⃣ PHP 8.3 - License Check | |
| runs-on: ubuntu-latest | |
| needs: | |
| - php_syntax_errors | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup PHP | |
| uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # 2.34.1 | |
| with: | |
| php-version: 8.3 | |
| coverage: none | |
| - name: Install Composer dependencies | |
| uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1 | |
| # We ban GPL-2.0-or-later, we don't want that viral thing in Lychee: We want to keep our MIT license. | |
| - name: Run License Checker | |
| run: vendor/bin/composer-license-checker check -b GPL-2.0-or-later -b GPL-2.0-only -b GPL-3.0-only -b GPL-3.0-or-later -b AGPL-1.0-only -b AGPL-1.0-or-later -b AGPL-3.0-only -b AGPL-3.0-or-later -b LGPL-2.0-only -b LGPL-2.0-or-later -b LGPL-2.1-only -b LGPL-2.1-or-later -b LGPL-3.0-only -b LGPL-3.0-or-later --no-dev | |
| tests: | |
| name: 2️⃣ PHP tests | |
| needs: | |
| - php_syntax_errors | |
| uses: ./.github/workflows/php_tests.yml | |
| with: | |
| test-suite: 'Unit,Feature_v2' | |
| env-file: '.env' | |
| secrets: | |
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
| dist: | |
| name: 3️⃣ PHP dist | |
| needs: | |
| - code_style_errors | |
| uses: ./.github/workflows/php_dist.yml | |
| createArtifact: | |
| name: 4️⃣ Build Artifact | |
| if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/') | |
| needs: | |
| - phpstan | |
| - dist | |
| - tests | |
| - check_js | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| id-token: write | |
| attestations: write | |
| env: | |
| extensions: bcmath, curl, dom, gd, imagick, json, libxml, mbstring, pcntl, pdo, pdo_sqlite, pdo_mysql, pdo_pgsql, pgsql, sqlite3, zip | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup PHP | |
| uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # 2.34.1 | |
| with: | |
| php-version: 8.3 | |
| extensions: ${{ env.extensions }} | |
| coverage: none | |
| - name: Use Node.js 20 | |
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version: 20 | |
| - name: Build Dist | |
| run: | | |
| make clean dist | |
| - name: Upload build artifact | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: Lychee.zip | |
| path: Lychee.zip | |
| if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn` | |
| - name: Attest | |
| uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 | |
| with: | |
| # Path to the artifact serving as the subject of the attestation. Must | |
| # specify exactly one of "subject-path" or "subject-digest". May contain a | |
| # glob pattern or list of paths (total subject count cannot exceed 2500). | |
| subject-path: '${{ github.workspace }}/Lychee.zip' | |
| # SHA256 digest of the subject for the attestation. Must be in the form | |
| # "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one | |
| # of "subject-path" or "subject-digest". | |
| # subject-digest: | |
| # Subject name as it should appear in the attestation. Required unless | |
| # "subject-path" is specified, in which case it will be inferred from the | |
| # path. | |
| # subject-name: Lychee | |
| # Whether to push the attestation to the image registry. Requires that the | |
| # "subject-name" parameter specify the fully-qualified image name and that | |
| # the "subject-digest" parameter be specified. Defaults to false. | |
| # push-to-registry: | |
| # Whether to attach a list of generated attestations to the workflow run | |
| # summary page. Defaults to true. | |
| # show-summary: | |
| # The GitHub token used to make authenticated API requests. Default is | |
| # ${{ github.token }} | |
| github-token: ${{ github.token }} | |
| release: | |
| name: 5️⃣ Release | |
| if: startsWith(github.ref, 'refs/tags/') | |
| needs: | |
| - createArtifact | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| id-token: write | |
| env: | |
| extensions: bcmath, curl, dom, gd, imagick, json, libxml, mbstring, pcntl, pdo, pdo_sqlite, pdo_mysql, pdo_pgsql, pgsql, sqlite3, zip | |
| steps: | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2 | |
| - name: Download generated artifact | |
| uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | |
| with: | |
| name: Lychee.zip | |
| # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable | |
| - name: Sign release with a key | |
| run: | | |
| cosign sign-blob --yes --key env://COSIGN_PRIVATE_KEY --output-signature Lychee.zip.asc Lychee.zip | |
| env: | |
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
| - name: Create release | |
| uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2 | |
| with: | |
| files: | | |
| Lychee.zip.asc | |
| Lychee.zip | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| generate_release_notes: true | |
| make_latest: true | |