Refactor advanced security workflow for clarity

codebyoul · web-flow · commit be6294aeb24e · 2025-10-21T12:23:03.000+02:00
diff --git a/.github/workflows/advanced-security.yml b/.github/workflows/advanced-security.yml
@@ -1,13 +1,13 @@
-name: Security scans
+name: Advanced Security Scans
 
 on:
-  pull_request:
-    types: [opened, synchronize, reopened]
   push:
     branches: [ main ]
+  pull_request:
+    types: [opened, synchronize, reopened]
 
 env:
-  PHP_VERSION: '8.0'    # Adjust if you prefer 8.2/8.3
+  PHP_VERSION: '8.0'    # Adjust to 8.2 if you want
 
 jobs:
   prepare:
@@ -48,7 +48,6 @@ jobs:
     if: needs.prepare.outputs.has-composer == 'true'
     steps:
       - uses: actions/checkout@v4
-
       - name: Setup PHP for audit
         uses: shivammathur/setup-php@v4
         with:
@@ -58,17 +57,11 @@ jobs:
         run: composer --version || true
 
       - name: Composer audit (Composer >= 2.4)
-        id: compaudit
         run: |
-          if composer --version | grep -q "Composer"; then
-            composer audit --format=json > composer-audit.json || true
-            echo "composer-audit=true" >> $GITHUB_OUTPUT || true
-          else
-            echo "composer-audit=false" >> $GITHUB_OUTPUT || true
-          fi
+          composer audit --format=json > composer-audit.json || true
 
       - name: Upload composer audit
-        if: always() && (exists('composer-audit.json') || true)
+        if: always()
         uses: actions/upload-artifact@v4
         with:
           name: composer-audit
@@ -91,8 +84,6 @@ jobs:
           semgrep --version
 
       - name: Run semgrep scan
-        env:
-          HOMEDIR: ${{ runner.temp }}
         run: |
           export PATH="$HOME/.local/bin:$PATH"
           semgrep --config p/php --json --output semgrep-report.json || true
@@ -131,12 +122,11 @@ jobs:
         run: |
           if [ -x vendor/bin/psalm ]; then
             vendor/bin/psalm --show-info=false --taint-analysis --report=psalm-security-report.xml || true
-            ls -la psalm-security-report.xml || true
           else
             echo "psalm not found, skipping"
           fi
 
-      - name: Upload Psalm report (if exists)
+      - name: Upload Psalm report
         if: always()
         uses: actions/upload-artifact@v4
         with:
@@ -163,18 +153,22 @@ jobs:
     name: DAST - OWASP ZAP baseline (staging only)
     runs-on: ubuntu-latest
     needs: prepare
-    if: ${{ secrets.STAGING_URL != '' }}
-    env:
-      TARGET_URL: ${{ secrets.STAGING_URL }}
     steps:
+      - name: Check for STAGING_URL
+        run: |
+          if [ -z "${{ secrets.STAGING_URL }}" ]; then
+            echo "STAGING_URL secret not set, skipping ZAP"
+            exit 0
+          fi
       - name: Run ZAP baseline scan
+        if: ${{ secrets.STAGING_URL }}
         uses: zaproxy/action-baseline@v1
         with:
-          target: ${{ env.TARGET_URL }}
+          target: ${{ secrets.STAGING_URL }}
           rules_file_name: zap-rules.md
           format: 'github'
       - name: Upload ZAP artifacts
-        if: always()
+        if: ${{ secrets.STAGING_URL }}
         uses: actions/upload-artifact@v4
         with:
           name: zap-output
@@ -191,10 +185,10 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
 
   summary:
-    name: Summary (non-blocking)
+    name: Summary
     runs-on: ubuntu-latest
     needs: [dependency-audit, semgrep, sast-php, secret-scan, dast-zap, dependency-review]
     steps:
       - name: Print summary message
         run: |
-          echo "Security scan pipeline finished. Check artifacts (semgrep/psalm/composer/gitleaks/zap) and PR annotations for findings."
+          echo "Advanced Security scan finished. Check artifacts (composer/semgrep/psalm/gitleaks/ZAP) and PR annotations."
