Add GH Action that builds PHAR files with build-release.sh #149
Conceptually; great.
Probably warrants a little bit of security review around `shivammathur/setup-php@v2` or any of the other actions; which we do already use; but not to create an artifact potentially many folks will access that persists beyond the life of a CI job.
May need to look at more exact version pinning/sha1 or something like that (https://github.com/shivammathur/setup-php/releases/tag/v2 for example says it was 'updated')
I've updated this PR with 060f823
The other actions are |
IMO yes, when I think about stuff like https://blog.rafaelgss.dev/why-you-should-pin-actions-by-commit-hash
Will let a few of the other maintainers add their thoughts
We could also improve the way we publish GH releases...
I'm already doing this for https://github.com/mlocati/powershell-phpmanager (and somehow also for https://github.com/mlocati/docker-php-extension-installer)
Thanks for the effort on this, but for now, I'd prefer to continue generating and signing them myself. Your PR will be a useful reference to later implement this though, so it is definitely appreciated (and might get reopened/merged later).
@ashnazg what about keeping the GH workflow that builds the PHARs? That way we check if everything works as expected (and people have a working reference to see how to build them)
People may install pear in two ways (AFAIK):
What about adding a GitHub Action that generates those two PHAR files (and attaches them to GitHub Releases automatically when someone publishes a new release)?
We'd also need to update the two PHARs on the pear.php.net website, but at least we don't have to compile them manually.