Add scorecards badge and config (#48)

* Add scorecards badge and config
* Typo
* Min puphunit version

.github/dependabot.yml

@@ -9,11 +9,11 @@ updates:
     open-pull-requests-limit: 20
     allow:
       - dependency-type: all
-    labels: [ "Dependencies" ]
+    labels: [ "dependencies" ]
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "monthly"
     open-pull-requests-limit: 20
-    labels: [ "Dependencies" ]
+    labels: [ "dependencies" ]

.github/workflows/scorecards.yml

@@ -0,0 +1,63 @@
+name: Scorecards supply-chain security
+
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+  schedule:
+    - cron: '19 5 * * 7'
+  push:
+    branches: [ "4.3.x" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge. (Upcoming feature)
+      id-token: write
+      # Needs for private repositories.
+      contents: read
+      actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v3.5.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@v2.1.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+
+          # Publish the results for public repositories to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
+          # of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@v3.1.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v2.3.3
+        with:
+          sarif_file: results.sarif

README.md

@@ -3,6 +3,16 @@ COSE Support for PHP
 
 **CBOR Object Signing and Encryption (COSE) Support for PHP** is a **PHP library** that will help you to perform cypher operations using Cose Keys.
 
+
+![Build Status](https://github.com/web-auth/cose-lib/workflows/Integrate/badge.svg)
+
+[![Latest Stable Version](https://poser.pugx.org/web-auth/cose-lib/v/stable.png)](https://packagist.org/packages/web-auth/cose-lib)
+[![Total Downloads](https://poser.pugx.org/web-auth/cose-lib/downloads.png)](https://packagist.org/packages/web-auth/cose-lib)
+[![Latest Unstable Version](https://poser.pugx.org/web-auth/cose-lib/v/unstable.png)](https://packagist.org/packages/web-auth/cose-lib)
+[![License](https://poser.pugx.org/web-auth/cose-lib/license.png)](https://packagist.org/packages/web-auth/cose-lib)
+
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/web-auth/cose-lib/badge)](https://api.securityscorecards.dev/projects/github.com/web-auth/cose-lib)
+
 # Installation
 
 Install the library with Composer: `composer require web-auth/cose-lib`.

composer.json

@@ -29,18 +29,19 @@
         }
     },
     "require-dev": {
-        "infection/infection": "^0.26.12",
+        "infection/infection": "^0.27",
         "phpstan/phpstan": "^1.7",
         "phpstan/phpstan-deprecation-rules": "^1.0",
         "phpstan/phpstan-phpunit": "^1.1",
         "phpstan/phpstan-strict-rules": "^1.2",
-        "phpunit/phpunit": "^10.0",
-        "rector/rector": "^0.15",
+        "phpunit/phpunit": "^10.1",
+        "rector/rector": "^0.16",
         "symplify/easy-coding-standard": "^11.0",
         "symfony/phpunit-bridge": "^6.1",
         "ekino/phpstan-banned-code": "^1.0",
         "php-parallel-lint/php-parallel-lint": "^1.3",
-        "qossmic/deptrac-shim": "^1.0"
+        "qossmic/deptrac-shim": "^1.0",
+        "phpstan/extension-installer": "^1.3"
     },
     "autoload-dev": {
         "psr-4": {
@@ -49,7 +50,8 @@
     },
     "config": {
         "allow-plugins": {
-            "infection/extension-installer": false
+            "infection/extension-installer": true,
+            "phpstan/extension-installer": true
         }
     },
     "suggest": {

phpstan.neon

@@ -5,9 +5,4 @@ parameters:
 
 includes:
     - vendor/phpstan/phpstan/conf/bleedingEdge.neon
-    - vendor/phpstan/phpstan-strict-rules/rules.neon
-    - vendor/phpstan/phpstan-phpunit/extension.neon
-    - vendor/phpstan/phpstan-deprecation-rules/rules.neon
-    - vendor/phpstan/phpstan-phpunit/rules.neon
-    - vendor/ekino/phpstan-banned-code/extension.neon
     - phpstan-baseline.neon

phpunit.xml.dist

@@ -1,15 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <phpunit
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/10.0/phpunit.xsd"
+    xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/10.1/phpunit.xsd"
     colors="true"
-    cacheDirectory=".phpunit.cache"
 >
-    <coverage>
-        <include>
-            <directory suffix=".php">src</directory>
-        </include>
-    </coverage>
+    <coverage/>
     <testsuites>
         <testsuite name="all">
             <directory>tests/</directory>
@@ -23,4 +18,9 @@
         <server name="SHELL_VERBOSITY" value="-1"/>
         <env name="SYMFONY_DEPRECATIONS_HELPER" value="weak"/>
     </php>
+    <source>
+        <include>
+            <directory>src</directory>
+        </include>
+    </source>
 </phpunit>

rector.php

@@ -4,6 +4,7 @@
 
 use Rector\Config\RectorConfig;
 use Rector\Core\ValueObject\PhpVersion;
+use Rector\PHPUnit\Set\PHPUnitLevelSetList;
 use Rector\PHPUnit\Set\PHPUnitSetList;
 use Rector\Set\ValueObject\LevelSetList;
 use Rector\Set\ValueObject\SetList;
@@ -20,7 +21,7 @@
     $config->import(SymfonySetList::ANNOTATIONS_TO_ATTRIBUTES);
     $config->import(PHPUnitSetList::PHPUNIT_EXCEPTION);
     $config->import(PHPUnitSetList::PHPUNIT_SPECIFIC_METHOD);
-    $config->import(PHPUnitSetList::PHPUNIT_100);
+    $config->import(PHPUnitLevelSetList::UP_TO_PHPUNIT_100);
     $config->import(PHPUnitSetList::PHPUNIT_YIELD_DATA_PROVIDER);
     $config->paths([__DIR__ . '/src', __DIR__ . '/tests']);
     $config->phpVersion(PhpVersion::PHP_81);