SEC25-123: Add Psalm PHP static analysis and CI/CD integration (#29)

Add Psalm PHP static analysis and CI/CD integration
Adds Psalm PHP static analysis with SARIF upload to GitHub Code Scanning.

Author: Glenn-Ewing

.github/workflows/codeql.yml

@@ -0,0 +1,63 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+  schedule:
+    - cron: '30 12 * * 1'
+
+jobs:
+  analyze:
+    strategy:
+      matrix:
+        php-versions: [ '8.0', '8.1', '8.2', '8.3' ]
+    name: Analyze PHP ${{ matrix.php-versions }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - uses: actions/checkout@v3
+        name: Check Out Code
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php-versions }}
+          tools: pecl
+          extensions: pdo
+
+      - name: Validate composer.json and composer.lock
+        run: composer validate
+
+      - name: Setup Composer Access
+        run: composer config -g github-oauth.github.com ${{ secrets.GITHUB_TOKEN }}
+        
+      - name: Cache Composer packages
+        id: composer-cache
+        uses: actions/cache@v4
+        with:
+          path: vendor
+          key: ${{ runner.os }}-composer-${{ matrix.php-versions }}-${{ hashFiles('**/composer.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-composer-${{ matrix.php-versions }}-
+            ${{ runner.os }}-composer-
+
+      - name: Install dependencies
+        if: steps.composer-cache.outputs.cache-hit != 'true'
+        run: composer install --prefer-dist --no-progress --optimize-autoloader
+
+      - name: Perform CodeQL Analysis using Psalm
+        run: |
+          if [ "${{ github.event_name }}" == "pull_request" ]; then
+             vendor/bin/psalm --diff --output-format=sarif --report=psalm-report.sarif || true
+          else
+             vendor/bin/psalm --no-diff --output-format=sarif --report=psalm-report.sarif || true
+          fi
+        continue-on-error: true
+
+      - name: Upload SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: psalm-report.sarif

composer.json

@@ -7,15 +7,22 @@
         "php": ">=8.0",
         "ext-pdo": "*"
     },
+    "config": {
+        "platform": {
+            "php": "8.0"
+        }
+    },
     "require-dev": {
         "phpunit/phpunit": "^9.4",
         "symfony/yaml": "^5.0",
         "phpspec/prophecy": "^1.22.0",
         "doctrine/instantiator": "^1.5",
-        "symfony/deprecation-contracts": "^2.4"
+        "symfony/deprecation-contracts": "^2.4",
+        "vimeo/psalm": "^5.26"
     },
     "scripts":{
-        "test": "./vendor/bin/phpunit -c phpunit.xml"
+        "test": "./vendor/bin/phpunit -c phpunit.xml",
+        "psalm": "vendor/bin/psalm"
     },
     "autoload": {
         "psr-4": {