action.yml

name: Psalm Taint analysis
description: |
  Run psalm with --taint-analysis and upload sarif file artifact

inputs:
  memory-limit:
    description: Memory limit for analysis
    required: false
  report-name:
    description: "Report name"
    required: false
    default: "psalm-taint-analysis"
  report-retention-days:
    description: "Duration in days to preserve reports."
    required: false
    default: "5"
  working-directory:
    description: "Workflow working directory"
    default: '.'
    required: false

runs:
  using: "composite"
  steps:
    - name: Taint analysis
      working-directory: ${{ inputs.working-directory }}
      shell: bash
      run: |
        command_string=(./vendor/bin/psalm --taint-analysis --report=psalm-taint-analysis.sarif)
        if [ -n "${{ inputs.memory-limit }}" ]
        then
          command_string+=(--memory-limit="${{ inputs.memory-limit }}")
        fi
        echo "Command: " "${command_string[@]}"
        ${command_string[@]}

    - name: Store results.sarif
      uses: actions/upload-artifact@v4
      if: "!cancelled()"
      with:
        name: psalm-taint-analysis.sarif
        path: ${{ inputs.working-directory }}/psalm-taint-analysis.sarif
        retention-days: ${{ inputs.report-retention-days }}

    - name: Publish report
      uses: github/codeql-action/upload-sarif@v3
      with:
        category: ${{ inputs.report-name }}
        sarif_file: ${{ inputs.working-directory }}/psalm-taint-analysis.sarif