
Commit 800d4a0

committed
🅿️🅿️🅿️ You caused 300 bucks damage to my car
> -- Biff Tannen, Back to the Future Part (1985)
0 parents  commit 800d4a0

10 files changed

Lines changed: 488 additions & 0 deletions


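--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1 @@
+* text=auto eol=lf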

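--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,9 @@
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+    cooldown:
+      default-days: 3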
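--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,35 @@
+# Taken from https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#enabling-automerge-on-a-pull-request
+# and https://github.com/dependabot/fetch-metadata/blob/06ea45a2e4582d87b11f03c7ce596ae3261f39f6/README.md?plain=1#L133-L160
+name: Dependabot Auto-merge
+
+on:
+  pull_request:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: true
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-merge-pull-request:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    steps:
+      - name: Dependabot metadata
+        id: dependabot-metadata
+        uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
+        with:
+          github-token: "${{ github.token }}"
+
+      - if: |
+          (steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor')
+          || (steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch')
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ github.token }}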
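Review bot: `run: gh pr merge --auto --squash "$PR_URL"` (line 32) only holds the merge until the Test and Lint workflows pass if a branch protection rule or ruleset on `main` requires those checks; nothing in this commit establishes that, and as far as I can tell an unprotected branch either rejects `--auto` or merges the Dependabot bump right away, before the PR's own test run finishes. That is a repository setting rather than workflow code, but it is the property this file's safety rests on, so state it at the top of the job: `# Relies on a ruleset on main requiring the Test and Lint checks; without it --auto does not wait for them.` The workflow-level `permissions` (lines 14–16) grant `contents: write` and `pull-requests: write` to every job; moving them under `auto-merge-pull-request` keeps the default token narrow if a second job is ever added. This section's file path is not shown on the page.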

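--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,28 @@
+# Taken from https://github.com/typisttech/.github/blob/8c3b859e35165a6e81a660713be195ec61d2ca1d/.github/workflows/lint-actions.yml
+name: Lint GitHub Actions
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          sparse-checkout: .github
+
+      - name: Check workflow files
+        uses: docker://rhysd/actionlint:latest
+        with:
+          args: -color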
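Review bot: `uses: docker://rhysd/actionlint:latest` (line 26) is the one mutable reference in this commit; every other `uses:` here and in the sibling workflows is pinned to a full commit SHA with a version comment. A floating `latest` tag lets the linter image change underneath the workflow, and the Dependabot configuration added in this commit covers only the `github-actions` ecosystem, which to my knowledge does not rewrite `docker://` references, so it will neither pin nor bump this one. Pin it by digest and keep the human-readable version in a comment, `uses: docker://rhysd/actionlint@sha256:<DIGEST-PLACEHOLDER>  # <version>`.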
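--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,33 @@
+name: Publish Major Tag
+
+on:
+  release:
+    types:
+      - published
+  workflow_dispatch:
+    inputs:
+      tag_name:
+        description: |
+          Tag name that the major tag will point to. Examples: v1.2.3, 1.2.3
+        required: true
+        type: string
+
+permissions: {}
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Create GitHub App Token
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+        id: app-token
+        with:
+          client-id: ${{ vars.TASTENDRUCK_CLIENT_ID }}
+          private-key: ${{ secrets.TASTENDRUCK_PRIVATE_KEY }}
+          permission-contents: write
+          permission-workflows: write
+
+      - uses: actions/publish-action@23f4c6f12633a2da8f44938b71fde9afec138fb4 # v0.4.0
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          source-tag: ${{ inputs.tag_name || github.event.release.tag_name }}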
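Review bot: `source-tag: ${{ inputs.tag_name || github.event.release.tag_name }}` (line 33) passes the free-form `workflow_dispatch` input on only after an App token carrying `permission-contents: write` and `permission-workflows: write` has already been minted (lines 21–28), so a mistyped or non-semver value is caught, if at all, by the publish action while a privileged credential is live. A guard step placed before the token step fails fast on anything that does not match the documented `v1.2.3` / `1.2.3` forms, and costs nothing on the `release` path. The `permission-workflows: write` grant also deserves a one-line comment saying why it exists, e.g. `# presumably needed so the major tag can be moved onto a commit that touches .github/workflows` — the page does not say, so confirm before committing to that wording. This section's file path is not shown on the page.
```yaml
    steps:
      - name: Validate tag_name input
        if: github.event_name == 'workflow_dispatch'
        env:
          TAG_NAME: ${{ inputs.tag_name }}
        run: |
          printf '%s\n' "$TAG_NAME" | grep -Eq '^v?[0-9]+\.[0-9]+\.[0-9]+$' \
            || { echo "::error::tag_name '$TAG_NAME' is not of the form v1.2.3 / 1.2.3"; exit 1; }

      # … unchanged: Create GitHub App Token and publish-action steps …
```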
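--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,20 @@
+name: Release Drafter
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: true
+
+jobs:
+  release-drafter:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: read
+    steps:
+      - uses: release-drafter/release-drafter@c2e2804cc59f45f57076a99af580d0fedb697927 # v7.3.0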

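--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -0,0 +1,72 @@
+name: Test
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+    tags:
+      - '**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  default:
+    runs-on: ${{ matrix.runs-on }}
+    strategy:
+      matrix:
+        runs-on:
+          - ubuntu-latest
+          - ubuntu-24.04-arm
+          - macos-latest
+          - macos-26-intel
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          path: local-action
+
+      - name: Create fake audit.json
+        run: echo '{"advisories":[],"abandoned":[]}' > audit.json
+
+      - name: Create fake composer.lock
+        run: echo '{"packages":[{"name":"psr/log"}],"packages-dev":[]}' > composer.lock
+
+      - uses: ./local-action
+
+  customization:
+    runs-on: ${{ matrix.runs-on }}
+    strategy:
+      matrix:
+        runs-on:
+          - ubuntu-latest
+          - ubuntu-24.04-arm
+          - macos-latest
+          - macos-26-intel
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          path: local-action
+
+      - name: Create fake root directory
+        run: mkdir -p foo/bar
+
+      - name: Create fake audit.json
+        run: echo '{"advisories":[],"abandoned":[]}' > foo/bar/audit-baz.json
+
+      - name: Create fake composer.lock
+        run: echo '{"packages":[{"name":"psr/log"}],"packages-dev":[]}' > foo/bar/composer-baz.lock
+
+      - uses: ./local-action
+        with:
+          audit: foo/bar/audit-baz.json
+          lock: foo/bar/composer-baz.lock
+          root: foo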
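Review bot: `- uses: ./local-action` (lines 42 and 68) is the entire assertion in both jobs, so a matrix leg is green as long as the action exits 0; the `sarif` output the README documents is never read, and an action that silently wrote no file would still pass. Give that step an `id:` and follow it with a step that checks the output path exists and parses as SARIF-shaped JSON — the `customization` job's version is below, and the `default` job gets the same two steps without the `with:` block. `jq` is on the hosted Ubuntu and macOS images as far as I know; `python3 -m json.tool` is an alternative if any of the four runners lacks it.
```yaml
      - uses: ./local-action
        id: comsarif
        with:
          audit: foo/bar/audit-baz.json
          lock: foo/bar/composer-baz.lock
          root: foo

      - name: Assert SARIF output
        env:
          SARIF: ${{ steps.comsarif.outputs.sarif }}
        run: |
          test -s "$SARIF"
          jq -e '.runs | length > 0' "$SARIF"
```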

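--- a/LICENSE
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Typist Tech Limited
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.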

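--- a/README.md
+++ b/README.md
@@ -0,0 +1,119 @@
+<div align="center">
+
+# Composer Audit to SARIF Action
+
+[![GitHub Release](https://img.shields.io/github/v/release/typisttech/composer-audit-to-sarif-action)](https://github.com/typisttech/composer-audit-to-sarif-action/releases/latest)
+[![GitHub Marketplace](https://img.shields.io/badge/marketplace-php--matrix-blue?logo=github)](https://github.com/marketplace/actions/php-matrix)
+[![Test](https://github.com/typisttech/composer-audit-to-sarif-action/actions/workflows/test.yml/badge.svg)](https://github.com/typisttech/composer-audit-to-sarif-action/actions/workflows/test.yml)
+[![License](https://img.shields.io/github/license/typisttech/composer-audit-to-sarif-action.svg)](https://github.com/typisttech/composer-audit-to-sarif-action/blob/master/LICENSE)
+[![Follow @TangRufus on X](https://img.shields.io/badge/Follow-TangRufus-15202B?logo=x&logoColor=white)](https://x.com/tangrufus)
+[![Follow @TangRufus.com on Bluesky](https://img.shields.io/badge/Bluesky-TangRufus.com-blue?logo=bluesky)](https://bsky.app/profile/tangrufus.com)
+[![Sponsor @TangRufus via GitHub](https://img.shields.io/badge/Sponsor-TangRufus-EA4AAA?logo=githubsponsors)](https://github.com/sponsors/tangrufus)
+[![Hire Typist Tech](https://img.shields.io/badge/Hire-Typist%20Tech-778899)](https://typist.tech/contact/)
+
+<p>
+<strong> Convert Composer audit reports to SARIF files</strong>
+<br>
+<br>
+Built with ♥ by <a href="https://typist.tech/">Typist Tech</a>
+</p>
+
+</div>
+
+---
+
+> [!TIP]
+> **Hire Tang Rufus!**
+>
+> I am looking for my next role, freelance or full-time.
+> If you find this tool useful, I can build you more dev tools like this.
+> Let's talk if you are hiring PHP / Ruby / Go developers.
+>
+> Contact me at https://typist.tech/contact/
+
+---
+
+## Usage
+
+See [action.yml](action.yml) and the underlying script [`ComSARIF`](https://github.com/typisttech/comsarif/#options).
+
+```yaml
+- uses: typisttech/composer-audit-to-sarif-action@0
+  with:
+    # Path to Path to audit JSON file
+    #
+    # Default: audit.json
+    audit: some/path/to/audit.json
+
+    # Path to composer.lock
+    #
+    # Default: composer.lock
+    lock: some/path/to/composer.lock
+
+    # Path to repository root
+    #
+    # Default: ${{ github.workspace }}
+    root: some/path
+
+    # ComSARIF version.
+    #
+    # The version of [ComSARIF] to use. Leave blank for latest. For example: v1.0.2
+    #
+    # [ComSARIF]: https://github.com/typisttech/comsarif
+    #
+    # Default: ''
+    version: v1.0.2
+
+    # Verify Attestation
+    #
+    # Whether to verify PHP matrix tarball attestation.
+
+    # Github Token
+    #
+    # GitHub token to use for authentication
+    #
+    # Default: ${{ github.token }}
+    github-token: ${{ secrets.GITHUB_PAT_TOKEN }}
+```
+
+### Outputs
+
+| Key | Description | Example |
+| --- | --- | --- |
+| `sarif` | Path to the SARIF file | `/tmp/comsarif-123.sarif` |
+
+> [!TIP]
+> **Hire Tang Rufus!**
+>
+> There is no need to understand any of these quirks.
+> Let me handle them for you.
+> I am seeking my next job, freelance or full-time.
+>
+> If you are hiring PHP / Ruby / Go developers,
+> contact me at https://typist.tech/contact/
+
+## Examples
+
+<details open>
+<summary>TODO</summary>
+
+```yaml
+TODO
+```
+</details>
+
+## Credits
+
+[`Composer Audit to SARIF Action`](https://github.com/typisttech/composer-audit-to-sarif-action) is a [Typist Tech](https://typist.tech) project and
+maintained by [Tang Rufus](https://x.com/TangRufus), freelance developer [for hire](https://typist.tech/contact/).
+
+Full list of contributors can be found [on GitHub](https://github.com/typisttech/composer-audit-to-sarif-action/graphs/contributors).
+
+## Copyright and License
+
+This project is a [free software](https://www.gnu.org/philosophy/free-sw.en.html) distributed under the terms of
+the MIT license. For the full license, see [LICENSE](LICENSE).
+
+## Contribute
+
+Feedbacks / bug reports / pull requests are welcome.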
