OpenFGA MCP

name: "Security: Code Analysis" on: push: branches: [main] pull_request: branches: [main] schedule: - cron: "0 9 * * 1" # Run weekly on Mondays at 9 AM UTC permissions: contents: read jobs: psalm-security: name: "Psalm Scanner" runs-on: ubuntu-latest permissions: contents: read security-events: write actions: read steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: egress-policy: audit - name: Checkout code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Psalm uses: docker://ghcr.io/psalm/psalm-github-actions@sha256:a58bcf4f57b860c8ada5106983c4e6adf2f4bf3f41ab7a53d8cd46a2d2444bc0 with: security_analysis: true report_file: results.sarif - name: Upload Security Analysis results to GitHub uses: github/codeql-action/upload-sarif@15bce5bb14748fcfd6fe32738ca1cba36e5f218f # codeql-bundle-v2.21.3 with: sarif_file: results.sarif category: psalm-security php-security-checker: name: "Symfony Checker" runs-on: ubuntu-latest steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: egress-policy: audit - name: Checkout code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Setup PHP uses: shivammathur/setup-php@ec406be512d7077f68eed36e63f4d91bc006edc4 # 2.35.4 with: php-version: "8.3" coverage: none tools: composer:v2 - name: Install dependencies run: composer install --prefer-dist --no-progress --no-interaction - name: Check PHP Security uses: symfonycorp/security-checker-action@258311ef7ac571f1310780ef3d79fc5abef642b5 # v5