Issue #3490462: Revoke "Join group" and "request group membership" from Authenticated (outsider) group role #7397
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Quality checks | |
| on: | |
| pull_request: { } | |
| # Trigger workflow for release branches. | |
| push: | |
| branches: | |
| - main | |
| - "[0-9]+.[0-9]+.x" | |
| # We use the default concurrency grouping of allowing a single workflow per branch/PR/tag to run at the same time. | |
| # In case of PRs we only care about the results for the last workflow run, so we cancel workflows already in progress | |
| # when new code is pushed, in all other cases (branches/tags) we want to have a history for commits so it's easier to | |
| # find breakages when they occur (head_ref is non-empty only when the workflow is triggered from a PR). | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: ${{ github.head_ref != '' }} | |
| jobs: | |
| setup: | |
| name: Project Setup | |
| runs-on: ubuntu-22.04 | |
| strategy: | |
| matrix: | |
| php: | |
| - 8.1 | |
| steps: | |
| # We want to reuse our project setup to run different jobs at once. | |
| - uses: actions/cache@v4 | |
| id: opensocial-project-build | |
| with: | |
| path: ./* | |
| key: ${{ github.sha }}-${{ matrix.php }} | |
| # Set PHP {{ matrix.php }} as default. | |
| # https://github.com/shivammathur/setup-php | |
| - name: Setup PHP | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: ${{ matrix.php }} | |
| coverage: none | |
| # We check out the code in a separate folder since we want to use the | |
| # result of the merge rather than the pre-merged code. | |
| # A separate path is used to keep our working directory clean. | |
| - name: Setup a temporary repository | |
| uses: actions/checkout@v4 | |
| with: | |
| path: ${{ github.workspace }}/tmp/repository | |
| # Since composer must clone from this we require all the history. | |
| fetch-depth: 0 | |
| # Create a branch for the specific commit so that composer can check it | |
| # out. | |
| - name: Checkout out to current commit in temporary repository | |
| run: cd $GITHUB_WORKSPACE/tmp/repository && git checkout -b $GITHUB_SHA | |
| # Prepare our composer.json to do a full project set-up. | |
| - name: Copy tests/composer.json to root of workspace | |
| run: cp $GITHUB_WORKSPACE/tmp/repository/tests/composer.json composer.json | |
| # Set up composer with our desired PHP version. | |
| - name: Setup Composer Config similar to temporary repository | |
| run: composer config repositories.social vcs $GITHUB_WORKSPACE/tmp/repository | |
| # Install the version of Open Social under test. | |
| - name: Composer require Open Social of current branch's latest commit. | |
| run: composer require goalgorilla/open_social:dev-${{ github.sha }}#${{ github.sha }} | |
| - name: Set file permissions | |
| run: mkdir -p $GITHUB_WORKSPACE/sites/default/files && sudo chmod -R 664 $GITHUB_WORKSPACE/sites/default/files | |
| phpstan: | |
| needs: setup | |
| name: PHPStan check | |
| runs-on: ubuntu-22.04 | |
| strategy: | |
| matrix: | |
| php: | |
| - 8.1 | |
| steps: | |
| - uses: actions/cache/restore@v4 | |
| id: opensocial-project-build-load | |
| with: | |
| path: ./* | |
| key: ${{ github.sha }}-${{ matrix.php }} | |
| fail-on-cache-miss: true | |
| # Set PHP {{ matrix.php }} as default. | |
| # https://github.com/shivammathur/setup-php | |
| - name: Setup PHP | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: ${{ matrix.php }} | |
| coverage: none | |
| tools: cs2pr | |
| - name: PHPStan Version | |
| run: $GITHUB_WORKSPACE/vendor/bin/phpstan --version | |
| # Run PHPStan | |
| - name: Run PHPStan analysis | |
| run: $GITHUB_WORKSPACE/vendor/bin/phpstan analyse -c $GITHUB_WORKSPACE/html/profiles/contrib/social/phpstan.neon --error-format=checkstyle | cs2pr | |
| phpcs: | |
| needs: setup | |
| name: PHPCS check | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/cache/restore@v4 | |
| id: opensocial-project-build-load | |
| with: | |
| path: ./* | |
| key: ${{ github.sha }}-8.1 | |
| fail-on-cache-miss: true | |
| # Set PHP {{ matrix.php }} as default. | |
| # https://github.com/shivammathur/setup-php | |
| - name: Setup PHP | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: 8.1 | |
| coverage: none | |
| tools: cs2pr | |
| # Copy phpcs.xml folder to root. | |
| - name: Copy PHPCS.xml file from temporary repository to root of workspace. | |
| run: cp $GITHUB_WORKSPACE/tmp/repository/phpcs.xml phpcs.xml | |
| - name: Run PHPCS checks | |
| id: phpcs | |
| run: vendor/bin/phpcs --report-full --report-checkstyle=./phpcs-report.xml | |
| # https://github.com/staabm/annotate-pull-request-from-checkstyle#using-php_codesniffer | |
| - name: Show PHPCS results in PR | |
| if: ${{ always() && steps.phpcs.outcome == 'failure' }} | |
| run: cs2pr ./phpcs-report.xml | |
| phpunit: | |
| needs: setup | |
| name: PHPUnit Tests | |
| runs-on: ubuntu-22.04 | |
| strategy: | |
| matrix: | |
| php: | |
| - 8.1 | |
| steps: | |
| - uses: actions/cache/restore@v4 | |
| id: opensocial-project-build-load | |
| with: | |
| path: ./* | |
| key: ${{ github.sha }}-${{ matrix.php }} | |
| fail-on-cache-miss: true | |
| # Set PHP {{ matrix.php }} as default. | |
| # https://github.com/shivammathur/setup-php | |
| - name: Setup PHP | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: ${{ matrix.php }} | |
| ini-values: zend.assertions=1 | |
| coverage: none | |
| tools: cs2pr | |
| # https://github.com/shivammathur/setup-php#phpunit | |
| - name: Setup problem matchers for PHPUnit | |
| run: echo "::add-matcher::${{ runner.tool_cache }}/phpunit.json" | |
| # Run PHPUnit testing. | |
| - name: Run PHPUnit test suite | |
| run: $GITHUB_WORKSPACE/vendor/bin/phpunit -c $GITHUB_WORKSPACE/html/profiles/contrib/social/phpunit.xml.dist --log-junit $GITHUB_WORKSPACE/test-reports/phpunit.xml | |
| env: | |
| SIMPLETEST_DB: sqlite://tmp/db.sqlite | |
| spellcheck: | |
| name: Spell Check | |
| runs-on: ubuntu-22.04 | |
| continue-on-error: true | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: streetsidesoftware/cspell-action@v6 | |
| behat-linting: | |
| name: Behat Linting | |
| runs-on: ubuntu-22.04 | |
| defaults: | |
| run: | |
| shell: bash | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install developer tooling | |
| run: composer install --no-interaction --no-progress --working-dir=tests | |
| - name: Find changed test files | |
| run: | | |
| git fetch origin $BRANCH_NAME | |
| # We change the way we create the TEST_FILES env in the GITHUB_ENV file depending on whether we actually have | |
| # test files that were changed in this PR. This is needed to avoid the TEST_FILES variable from containing a | |
| # single blank line in case no files are changed. | |
| TEST_FILES=`git diff --name-only --diff-filter=d origin/$BRANCH_NAME..HEAD -- 'tests/behat/features/capabilities/*.feature'` | |
| if [ "$TEST_FILES" == '' ]; then | |
| echo 'TEST_FILES=' >> $GITHUB_ENV | |
| else | |
| { | |
| echo 'TEST_FILES<<EOF' | |
| echo "$TEST_FILES" | |
| echo EOF | |
| } >> "$GITHUB_ENV" | |
| fi | |
| env: | |
| BRANCH_NAME: ${{ github.base_ref || github.ref_name }} | |
| - name: Ensure behat folder and filenames are kebab-case | |
| if: ${{ env.TEST_FILES != '' }} | |
| run: | | |
| # We must invert the exit code because we want to have no matches, but grep treats no matches as failure. | |
| ! MISNAMED_FILES=`grep -v -E '^([a-z\-]+\/)+[a-z0-9\-]+\.feature$' <<<"$TEST_FILES"` | |
| EXIT_CODE=$? | |
| while read -r file && [ ! -z "$file" ]; do | |
| echo "::error file=$file::File and folder names for Behat tests must be kebab-case and alphanumeric." | |
| done <<< "$MISNAMED_FILES" | |
| exit $EXIT_CODE | |
| - name: Lint modified test files | |
| if: ${{ env.TEST_FILES != '' }} | |
| run: xargs tests/vendor/bin/cucumber-linter <<<"$TEST_FILES" |