From 230ab6549ffb5a1ade535d6566c9eeb5b4e71017 Mon Sep 17 00:00:00 2001
From: Vincent Biret <vibiret@microsoft.com>
Date: Wed, 4 Sep 2024 13:33:46 -0400
Subject: [PATCH] security: adds missing branch policy file

---
 .../kiota-authentication-phpleague-php.yml    | 43 +++++++++++++++++
 .github/workflows/pr-validation.yml           | 46 +++++++++++++++----
 2 files changed, 80 insertions(+), 9 deletions(-)
 create mode 100644 .github/policies/kiota-authentication-phpleague-php.yml

diff --git a/.github/policies/kiota-authentication-phpleague-php.yml b/.github/policies/kiota-authentication-phpleague-php.yml
new file mode 100644
index 0000000..f4f90dd
--- /dev/null
+++ b/.github/policies/kiota-authentication-phpleague-php.yml
@@ -0,0 +1,43 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+name: kiota-authentication-phpleague-php-branch-protection
+description: Branch protection policy for the kiota-authentication-phpleague-php repository
+resource: repository
+configuration:
+  branchProtectionRules:
+
+  - branchNamePattern: dev
+    # This branch pattern applies to the following branches as of 06/09/2023 14:08:44:
+    # dev
+
+    # Specifies whether this branch can be deleted. boolean
+    allowsDeletions: false
+    # Specifies whether forced pushes are allowed on this branch. boolean
+    allowsForcePushes: false
+    # Specifies whether new commits pushed to the matching branches dismiss pull request review approvals. boolean
+    dismissStaleReviews: true
+    # Specifies whether admins can overwrite branch protection. boolean
+    isAdminEnforced: false
+    # Indicates whether "Require a pull request before merging" is enabled. boolean
+    requiresPullRequestBeforeMerging: true
+    # Specifies the number of pull request reviews before merging. int (0-6). Should be null/empty if PRs are not required
+    requiredApprovingReviewsCount: 1
+    # Require review from Code Owners. Requires requiredApprovingReviewsCount. boolean
+    requireCodeOwnersReview: true
+    # Are commits required to be signed. boolean. TODO: all contributors must have commit signing on local machines.
+    requiresCommitSignatures: false
+    # Are conversations required to be resolved before merging? boolean
+    requiresConversationResolution: true
+    # Are merge commits prohibited from being pushed to this branch. boolean
+    requiresLinearHistory: false
+    # Required status checks to pass before merging. Values can be any string, but if the value does not correspond to any existing status check, the status check will be stuck on pending for status since nothing exists to push an actual status
+    requiredStatusChecks:
+    - license/cla
+    - check-php-version-matrix
+    # Require branches to be up to date before merging. This should be false since the repo contains autogenerated files. boolean
+    requiresStrictStatusChecks: false
+    # Indicates whether there are restrictions on who can push. boolean. Should be set with whoCanPush.
+    restrictsPushes: false
+    # Restrict who can dismiss pull request reviews. boolean
+    restrictsReviewDismissals: false
diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
index 95f79a1..59ad87a 100644
--- a/.github/workflows/pr-validation.yml
+++ b/.github/workflows/pr-validation.yml
@@ -16,29 +16,57 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        php-versions: ['7.4', '8.0', '8.1', '8.2']
+        php-versions: ['7.4', '8.1', '8.2', '8.3']
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.7
-      - name: Setup PHP and Xdebug for Code Coverage report
+        uses: actions/checkout@v4
+      - name: Setup PHP
         uses: shivammathur/setup-php@v2
         with:
           php-version: ${{ matrix.php-versions }}
-          coverage: xdebug2
-        env:
-          phpts: ts
-          debug: true
+          coverage: none
+      - name: Install dependencies
+        run: composer install
+      - name: Run static analysis
+        run: ./vendor/bin/phpstan
+      - name: Run tests without coverage
+        run: ./vendor/bin/phpunit
+
+  code-coverage:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup PHP and Xdebug for Code Coverage report
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.3'
+          coverage: xdebug
       - name: Install dependencies
         run: composer install
       - name: Run static analysis
         run: ./vendor/bin/phpstan
-      - name: Run tests
+      - name: Run tests with coverage
         run: ./vendor/bin/phpunit --coverage-clover=coverage.xml
       - name: Fix code coverage paths
         run: sed -i 's@'$GITHUB_WORKSPACE'@/github/workspace/@g' coverage.xml
       - name: SonarCloud Scan
-        if: ${{ matrix.php-versions  == '8.0' && !github.event.pull_request.head.repo.fork }}
+        if: ${{ !github.event.pull_request.head.repo.fork }}
         uses: SonarSource/sonarcloud-github-action@master
         env:
             GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
             SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  # The check-php-version-matrix returns success if all matrix jobs in build are successful; otherwise, it returns a failure.
+  # Use this as a PR status check for GitHub Policy Service instead of individual matrix entry checks.
+  check-php-version-matrix:
+    runs-on: ubuntu-latest
+    needs: [build, code-coverage]
+    if: always()
+    steps:
+      - name: All build matrix options are successful
+        if: ${{ !(contains(needs.*.result, 'failure')) }}
+        run: exit 0
+      - name: One or more build matrix options failed
+        if: ${{ contains(needs.*.result, 'failure') }}
+        run: exit 1