From 2005902ac7d4926676c686187579716775c9a336 Mon Sep 17 00:00:00 2001
From: Daniel
Date: Mon, 13 Feb 2023 00:32:54 -0500
Subject: [PATCH] Add PHP Version Audit to notifiy when the PHP version needs to be bumped
Signed-off-by: Daniel
---
 .github/workflows/php-version-audit.yml | 15 +++++++++++++++
 php-version-audit.sh | 19 +++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 .github/workflows/php-version-audit.yml
 create mode 100755 php-version-audit.sh
diff --git a/.github/workflows/php-version-audit.yml b/.github/workflows/php-version-audit.yml
new file mode 100644
index 00000000..77dc1e60
--- /dev/null
+++ b/.github/workflows/php-version-audit.yml
@@ -0,0 +1,15 @@
+name: PHP Version Audit
+
+on:
+ pull_request:
+ types: [ opened, synchronize, reopened ]
+ schedule:
+ - cron: '0 0 16 * *' # run arbitrarily once a month
+ workflow_dispatch:
+
+jobs:
+ php-version-audit:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - run: ./php-version-audit.sh
diff --git a/php-version-audit.sh b/php-version-audit.sh
new file mode 100755
index 00000000..8c5019de
--- /dev/null
+++ b/php-version-audit.sh
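Review bot: The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN receives the repository's default scope although its two steps only check out the code and run a script; add `permissions:` / `  contents: read` at the top level of the workflow so the token is read-only. The checkout step uses `actions/checkout@v3`, a mutable major tag; pinning to a full commit SHA with the version in a trailing comment keeps a moved tag from changing what the audit job executes. The commit subject says the audit should notify when a bump is needed, but as written a failed scheduled run is only visible in the Actions tab, so the failure of this job probably needs to be wired to whatever notification channel the team watches.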
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+# Run PHP Version Audit against all the base docker images to alert if they are EOL or have CVEs
+# See https://www.github.developerdan.com/php-version-audit/
+
+# Parse out the "FROM php:" tags from the Dockerfiles
+php_tags=$(find . -type f -name Dockerfile -not -path '*/.*' | xargs cat | grep "FROM php:" | sort -u | sed 's/.*://')
+
+# For each image, get the full php version
+php_versions=$(echo "${php_tags}" | while read -r tag; do
+ docker run --pull always --rm --entrypoint=php "php:${tag}" -r 'echo phpversion()."\n";';
+done | sort -u)
+
+# Run all the php version through php-version-audit with the '--fail-security' flag
+# to generate an exit code if a CVE is found or the support is EOL
+echo "${php_versions}" | while read -r version; do
+ docker run --rm lightswitch05/php-version-audit:latest --fail-security --version="${version}";
+done
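Review bot: The final `while read -r version` loop stops at the first image that fails the audit, because `set -eo pipefail` aborts the pipeline's subshell on the first non-zero `docker run`, so the job reports only one failing version and any later ones stay unchecked until that first one is fixed. Record the failure, keep iterating, and exit non-zero once at the end, as in the excerpt below. `lightswitch05/php-version-audit:latest` and `php:${tag}` with `--pull always` are mutable tags resolved at run time, so the audit tool itself is unpinned; pinning the audit image to a digest (`@sha256:<digest>`) makes the job's verdict reproducible. `find … | xargs cat` splits on whitespace in paths, which `find … -exec cat {} +` avoids, and `sed 's/.*://'` would keep anything after the tag (for instance an `AS stage` alias) if a Dockerfile uses that form, which I cannot confirm from this patch.
```shell
# … unchanged: php_tags / php_versions collection …
rc=0
while read -r version; do
  docker run --rm lightswitch05/php-version-audit:latest --fail-security --version="${version}" || rc=1
done <<<"${php_versions}"
exit "${rc}"
```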