chore: add permissions to caller workflow for reusable CI

Author: Fahl-Design

.github/workflows/ci.yml

@@ -3,219 +3,15 @@ on:
     branches:
       - "main"
   pull_request:
-#  schedule:
-#    - cron: '24 10 * * 4'
 
 name: "CI"
 
 permissions:
   contents: read
-
-env:
-  PHP_VERSION: "8.3"
+  actions: read
+  security-events: write
 
 jobs:
-  qa:
-    name: "QA (lint + static analysis)"
-    if: "!startsWith(github.event.head_commit.message, 'chore(release)')"
-    runs-on: "ubuntu-latest"
-    steps:
-      -   name: "Checkout"
-          uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
-
-      -   name: "Install PHP"
-          uses: "shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f" # 2.37.0
-          with:
-            coverage: "none"
-            php-version: "${{ env.PHP_VERSION }}"
-
-      -   name: "Validate composer.json and composer.lock"
-          if: "github.actor != 'renovate[bot]' || contains(github.head_ref, 'lock-file-maintenance')"
-          run: "composer validate --ansi --strict"
-
-      -   name: "Determine composer cache directory"
-          uses: "ergebnis/.github/actions/composer/determine-cache-directory@9785f99b3546d64df9cb331449e7fcdc41885d25" # 1.11.0
-
-      -   name: "Cache dependencies installed with composer"
-          uses: "actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7" # v5.0.4
-          with:
-            path: "${{ env.COMPOSER_CACHE_DIR }}"
-            key: "php-${{ env.PHP_VERSION }}-composer-locked-${{ hashFiles('composer.lock') }}"
-            restore-keys: |
-              php-${{ env.PHP_VERSION }}-composer-locked-${{ github.ref_name }}
-              php-${{ env.PHP_VERSION }}-composer-locked-
-              php-${{ env.PHP_VERSION }}-composer-main
-
-      -   name: "Install locked dependencies with composer"
-          uses: "ergebnis/.github/actions/composer/install@9785f99b3546d64df9cb331449e7fcdc41885d25" # 1.11.0
-          with:
-            dependencies: "${{ (github.actor == 'renovate[bot]' && !contains(github.head_ref, 'lock-file-maintenance')) && 'highest' || 'locked' }}"
-
-      -   name: "Check coding style"
-          run: "vendor/bin/codecept build"
-
-      -   name: "Check coding style"
-          run: "composer cs:check"
-
-      -   name: "Run static analysis"
-          run: "composer stan"
-
-#  codacy:
-#    name: "Codacy Security Scan"
-#    if: "!startsWith(github.event.head_commit.message, 'chore(release)')"
-#    runs-on: "ubuntu-latest"
-#    permissions:
-#      contents: read
-#      security-events: write
-#      actions: read
-#    steps:
-#      - name: Checkout code
-#        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-#
-#      - name: Run Codacy Analysis CLI
-#        uses: codacy/codacy-analysis-cli-action@30783d03e758713bb5ed7b79292cfb14b9dd9a4a
-#        with:
-#          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
-#          verbose: false
-#          output: results.sarif
-#          format: sarif
-#          upload: true
-#          skip-uncommitted-files-check: true
-#          gh-code-scanning-compat: true
-#          max-allowed-issues: 2147483647
-
-  tests:
-    name: "Run codeception tests"
-    needs: [ qa ]
-    runs-on: "ubuntu-latest"
-    strategy:
-      matrix:
-        include:
-          - { php-version: 8.3, dependencies: locked, coverage: pcov, with_coverage: false, allow-fail: false }
-
-          - { php-version: 8.4, dependencies: highest, coverage: pcov, with_coverage: false, allow-fail: true }
-          - { php-version: 8.5, dependencies: highest, coverage: pcov, with_coverage: false, allow-fail: true }
-    steps:
-      -   name: "Checkout"
-          uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
-
-      -   name: "Install PHP"
-          uses: "shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f" # 2.37.0
-          with:
-            coverage: "${{ matrix.coverage }}"
-            ini-values: display_errors=On, display_startup_errors=On, error_reporting=32767
-            php-version: "${{ matrix.php-version }}"
-
-      -   name: "Set up problem matchers for PHP"
-          run: "echo \"::add-matcher::${{ runner.tool_cache }}/php.json\""
-
-      -   name: "Set up problem matchers for phpunit/phpunit"
-          run: "echo \"::add-matcher::${{ runner.tool_cache }}/phpunit.json\""
-
-      -   name: "Validate composer.json and composer.lock"
-          if: "github.actor != 'renovate[bot]' || contains(github.head_ref, 'lock-file-maintenance')"
-          run: "composer validate --ansi --strict"
-
-      -   name: "Determine composer cache directory"
-          uses: "ergebnis/.github/actions/composer/determine-cache-directory@9785f99b3546d64df9cb331449e7fcdc41885d25" # 1.11.0
-
-      -   name: "Cache dependencies installed with composer"
-          uses: "actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7" # v5.0.4
-          with:
-            path: "${{ env.COMPOSER_CACHE_DIR }}"
-            key: "php-${{ matrix.php-version }}-composer-${{ matrix.dependencies }}-${{ hashFiles('composer.lock') }}"
-            restore-keys: |
-              php-${{ matrix.php-version }}-composer-${{ matrix.dependencies }}-${{ github.ref_name }}
-              php-${{ matrix.php-version }}-composer-${{ matrix.dependencies }}-
-              php-${{ matrix.php-version }}-composer-main
-
-      -   name: "Install ${{ matrix.dependencies }} dependencies with composer"
-          uses: "ergebnis/.github/actions/composer/install@9785f99b3546d64df9cb331449e7fcdc41885d25" # 1.11.0
-          with:
-            dependencies: "${{ (github.actor == 'renovate[bot]' && !contains(github.head_ref, 'lock-file-maintenance') && matrix.dependencies == 'locked') && 'highest' || matrix.dependencies }}"
-
-      -   name: "Run Tests (coverage)"
-          if: matrix.with_coverage == true
-          run: |
-            vendor/bin/codecept build
-            vendor/bin/codecept run --coverage --coverage-xml=coverage.xml --xml  --report
-
-      -   name: "Run Tests"
-          if: matrix.with_coverage != true
-          run: |
-            vendor/bin/codecept build
-            vendor/bin/codecept run --xml --report
-
-      -   name: "Upload coverage artifact"
-          if: matrix.with_coverage == true
-          uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-          with:
-            name: code-coverage-results
-            path: tests/_output/
-            retention-days: 5
-
-#      -   name: "Upload Coverage coverage"
-#          if: matrix.with_coverage == true
-#          run: |
-#            export CODACY_PROJECT_TOKEN=${{ secrets.CODACY_PROJECT_TOKEN }}
-#            bash <(curl -Ls https://coverage.codacy.com/get.sh) report -r ./build/logs/coverage.xml
-#
-#      -   name: Upload test results to Codecov
-#          if: ${{ !cancelled() && matrix.with_coverage == true }}
-#          uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
-#          with:
-#            token: ${{ secrets.CODECOV_TOKEN }} # not required for public repos
-#            files: ./build/logs/report.xml
-#            flags: unittests # optional
-#            report_type: test_results
-#            fail_ci_if_error: "${{ matrix.with_coverage }}" # optional (default = false)
-#            verbose: false # optional (default = false)
-#      -   name: Upload coverage to Codecov
-#          if: ${{ !cancelled() && matrix.with_coverage == true }}
-#          uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
-#          with:
-#            token: ${{ secrets.CODECOV_TOKEN }} # not required for public repos
-#            files: ./build/logs/coverage.xml
-#            flags: unittests # optional
-#            fail_ci_if_error: "${{ matrix.with_coverage }}" # optional (default = false)
-#            verbose: false # optional (default = false)
-
-  release:
-    name: "Release"
-    needs:
-    - tests
-#    - codacy
-    if: "github.event_name == 'push' && github.ref == 'refs/heads/main' && !startsWith(github.event.head_commit.message, 'chore(release)')"
-    runs-on: "ubuntu-latest"
-    permissions:
-      actions: read
-      contents: read
-    steps:
-      - name: Generate Token
-        id: generate_token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
-        with:
-          app-id: ${{ secrets.BOT_APP_ID }}
-          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
-
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-          token: ${{ steps.generate_token.outputs.token }}
-
-      - name: Semantic Release
-        uses: cycjimmy/semantic-release-action@b12c8f6015dc215fe37bc154d4ad456dd3833c90 # v6.0.0
-        with:
-          tag_format: ${version}
-          branches: |
-            ['main']
-          extra_plugins: |
-            @semantic-release/commit-analyzer
-            @semantic-release/release-notes-generator
-            @semantic-release/github
-            @semantic-release/changelog
-            @semantic-release/git
-            conventional-changelog-conventionalcommits
-        env:
-          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+  ci:
+    uses: "WebProject-xyz/.github/.github/workflows/ci.yml@main"
+    secrets: inherit