auth0 · developerkunal · Oct 31, 2024 · Oct 22, 2024 · Oct 22, 2024 · Oct 22, 2024
@@ -17,7 +17,5 @@ runs:
     - id: get_version
       shell: bash
       run: |
-        VERSION=$(echo ${BRANCH_NAME} | sed -r 's#release/+##g')
+        VERSION=$(head -1 .version)
         echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
-      env:
-        BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
@@ -0,0 +1,71 @@
+name: 'Reversing Labs Scanner'
+description: 'Runs the Reversing Labs scanner on a specified artifact.'
+inputs:
+  artifact-path:
+    description: 'Path to the artifact to be scanned.'
+    required: true
+  version:
+    description: 'Version of the artifact.'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.10'
+
+    - name: Install Python dependencies
+      shell: bash
+      run: |
+        pip install boto3 requests
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }}
+        aws-region: us-east-1
+        mask-aws-account-id: true
+
+    - name: Install RL Wrapper
+      shell: bash
+      run: |
+        pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
+
+    - name: Run RL Scanner
+      shell: bash
+      env:
+        RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }}
+        RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }}
+        SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }}
+        PYTHONUNBUFFERED: 1
+      run: |
+        if [ ! -f "${{ inputs.artifact-path }}" ]; then
+          echo "Artifact not found: ${{ inputs.artifact-path }}"
+          exit 1
+        fi
+
+        rl-wrapper \
+          --artifact "${{ inputs.artifact-path }}" \
+          --name "${{ github.event.repository.name }}" \
+          --version "${{ inputs.version }}" \
+          --repository "${{ github.repository }}" \
+          --commit "${{ github.sha }}" \
+          --build-env "github_actions" \
+          --suppress_output
+
+        # Check the outcome of the scanner
+        if [ $? -ne 0 ]; then
+          echo "RL Scanner failed."
+          echo "scan-status=failed" >> $GITHUB_ENV
+          exit 1
+        else
+          echo "RL Scanner passed."
+          echo "scan-status=success" >> $GITHUB_ENV
+        fi
+
+outputs:
+  scan-status:
+    description: 'The outcome of the scan process.'
+    value: ${{ env.scan-status }}
@@ -5,15 +5,32 @@ on:
     types:
       - closed
 
+
+
 permissions:
   contents: write
+  id-token: write # This is required for requesting the JWT
 
 ### TODO: Replace instances of './.github/actions/' w/ `auth0/dx-sdk-actions/` and append `@latest` after the common `dx-sdk-actions` repo is made public.
 ### TODO: Also remove `get-prerelease`, `get-version`, `release-create`, `tag-create` and `tag-exists` actions from this repo's .github/actions folder once the repo is public.
 
 jobs:
+  rl-scanner:
+    uses: ./.github/workflows/rl-scanner.yml
+    with:
+      php-version: 8.2
+      artifact-name: 'laravel-auth0.zip'
+    secrets:
+      RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+      RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+      SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+      PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+      PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+      PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+
   release:
     if: github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')
+    needs: rl-scanner
     runs-on: ubuntu-latest
 
     steps:

@@ -0,0 +1,68 @@
+name: RL-Secure Workflow
+
+on:
+  workflow_call:
+    inputs:
+      php-version:
+        required: true
+        type: string
+      artifact-name:
+        required: true
+        type: string
+    secrets:
+      RLSECURE_LICENSE:
+        required: true
+      RLSECURE_SITE_KEY:
+        required: true
+      SIGNAL_HANDLER_TOKEN:
+        required: true
+      PRODSEC_TOOLS_USER:
+        required: true
+      PRODSEC_TOOLS_TOKEN:
+        required: true
+      PRODSEC_TOOLS_ARN:
+        required: true
+
+jobs:
+  rl-scanner:
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
+    runs-on: ubuntu-latest
+    outputs:
+      scan-status: ${{ steps.rl-scan-conclusion.outcome }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.sha || github.ref }}
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # [email protected]
+        with:
+          php-version: ${{ inputs.php-version }}
+
+      - name: Build Laravel
+        shell: bash
+        run: |
+          zip -r ${{ inputs.artifact-name }} ./*
+
+      - name: Get Artifact Version
+        id: get_version
+        uses: ./.github/actions/get-version
+
+      - name: Run RL Scanner
+        id: rl-scan-conclusion
+        uses: ./.github/actions/rl-scanner
+        with:
+          artifact-path: "$(pwd)/${{ inputs.artifact-name }}"
+          version: "${{ steps.get_version.outputs.version }}"
+        env:
+          RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+          RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+          SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+          PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+          PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+          PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+
+      - name: Output scan result
+        run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV
@@ -13,6 +13,7 @@ parameters:
         - '#Constructor of class (.*) has an unused parameter (.*).#'
         - '#Method (.*) has parameter (.*) with no value type specified in iterable type array.#'
         - '#no value type specified in iterable type array.#'
+        - '#Dynamic call to static method (.*).#'
 
     reportUnmatchedIgnoredErrors: false
     treatPhpDocTypesAsCertain: false

@@ -339,8 +339,8 @@
         // ArrayShapeFromConstantArrayReturnRector::class,
         // BinarySwitchToIfElseRector::class,
         BooleanNotIdenticalToNotIdenticalRector::class,
-        BoolvalToTypeCastRector::class,
-        CallableThisArrayToAnonymousFunctionRector::class,
+        //BoolvalToTypeCastRector::class,
+        //CallableThisArrayToAnonymousFunctionRector::class,
         CallUserFuncArrayToVariadicRector::class,
         CallUserFuncToMethodCallRector::class,
         CallUserFuncWithArrowFunctionToInlineRector::class,
@@ -373,19 +373,19 @@
         // FinalizeClassesWithoutChildrenRector::class,
         FinalPrivateToPrivateVisibilityRector::class,
         FlipTypeControlToUseExclusiveTypeRector::class,
-        FloatvalToTypeCastRector::class,
+        //FloatvalToTypeCastRector::class,
         ForeachItemsAssignToEmptyArrayToAssignRector::class,
         ForeachToInArrayRector::class,
         ForRepeatedCountToOwnVariableRector::class,
         // ForToForeachRector::class,
         FuncGetArgsToVariadicParamRector::class,
-        GetClassToInstanceOfRector::class,
+        //GetClassToInstanceOfRector::class,
         GetDebugTypeRector::class,
         InlineArrayReturnAssignRector::class,
         InlineConstructorDefaultToPropertyRector::class,
         InlineIfToExplicitIfRector::class,
         InlineIsAInstanceOfRector::class,
-        IntvalToTypeCastRector::class,
+        //IntvalToTypeCastRector::class,
         IsAWithStringWithThirdArgumentRector::class,
         IssetOnPropertyObjectToPropertyExistsRector::class,
         JoinStringConcatRector::class,
@@ -459,7 +459,7 @@
         ReturnNeverTypeRector::class,
         ReturnTypeFromReturnDirectArrayRector::class,
         ReturnTypeFromReturnNewRector::class,
-        ReturnTypeFromStrictBoolReturnExprRector::class,
+        //ReturnTypeFromStrictBoolReturnExprRector::class,
         ReturnTypeFromStrictConstantReturnRector::class,
         ReturnTypeFromStrictNativeCallRector::class,
         ReturnTypeFromStrictNewArrayRector::class,
@@ -507,7 +507,7 @@
         StringableForToStringRector::class,
         StrlenZeroToIdenticalEmptyStringRector::class,
         StrStartsWithRector::class,
-        StrvalToTypeCastRector::class,
+        //StrvalToTypeCastRector::class,
         SwitchNegatedTernaryRector::class,
         SymplifyQuoteEscapeRector::class,
         TernaryConditionVariableAssignmentRector::class,
@@ -527,7 +527,7 @@
         UnwrapSprintfOneArgumentRector::class,
         UseClassKeywordForClassNameResolutionRector::class,
         UseIdenticalOverEqualWithSameTypeRector::class,
-        UseIncrementAssignRector::class,
+        //UseIncrementAssignRector::class,
         // VarAnnotationIncorrectNullableRector::class,
         // VarConstantCommentRector::class,
         VarToPublicPropertyRector::class,

@@ -18,6 +18,7 @@
 use Throwable;
 
 use function is_string;
+use function sprintf;
 
 /**
  * @api

@@ -13,6 +13,8 @@
 use Illuminate\Http\Request;
 use Symfony\Component\HttpFoundation\Response;
 
+use function sprintf;
+
 /**
  * Controller for handling a login request.
  *

@@ -12,6 +12,8 @@
 use Illuminate\Http\Request;
 use Symfony\Component\HttpFoundation\Response;
 
+use function sprintf;
+
 /**
  * Controller for handling a logout request.
  *

@@ -22,6 +22,7 @@
 use function is_array;
 use function is_int;
 use function is_string;
+use function sprintf;
 
 /**
  * @internal

@@ -10,6 +10,7 @@
 use Illuminate\Support\Facades\Cache;
 
 use function is_string;
+use function sprintf;
 
 /**
  * User provider for the Auth0 user repository.