Remove Makefile and update CI workflows

Deleted the Makefile and incorporated related CI tasks into GitHub workflows. Updated the workflows to use Castor for tasks previously handled by make commands. Added new workflows for dependency review, issue locking, and scorecards analysis. Adjusted phpstan baseline and deptrac configurations accordingly.

.gitattributes

@@ -8,8 +8,8 @@
 /CODE_OF_CONDUCT.md export-ignore
 /deptrac.yaml export-ignore
 /ecs.php export-ignore
+/castor.php export-ignore
 /infection.json.dist export-ignore
-/Makefile export-ignore
 /phpstan.neon export-ignore
 /phpstan-baseline.neon export-ignore
 /phpunit.xml.dist export-ignore

.github/workflows/dependency-review.yml

@@ -0,0 +1,14 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v4
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v4

.github/workflows/infection.yml

@@ -0,0 +1,34 @@
+name: "Integrate"
+
+on:
+  push:
+    branches:
+      - "*.*.x"
+
+jobs:
+  mutation_testing:
+    name: "5️⃣ Mutation Testing"
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: "Set up PHP"
+        uses: "shivammathur/setup-php@v2"
+        with:
+          php-version: "8.3"
+          extensions: "ctype, curl, dom, json, libxml, mbstring, openssl, phar, simplexml, sodium, tokenizer, xml, xmlwriter, zlib"
+          tools: "castor"
+          coverage: "xdebug"
+
+      - name: "Checkout code"
+        uses: "actions/checkout@v4"
+
+      - name: "Fetch Git base reference"
+        run: "git fetch --depth=1 origin ${GITHUB_BASE_REF}"
+
+      - name: "Install dependencies"
+        uses: "ramsey/composer-install@v3"
+        with:
+          dependency-versions: "highest"
+          composer-options: "--optimize-autoloader"
+
+      - name: "Execute Infection"
+        run: "castor infect"

.github/workflows/integrate.yml

@@ -55,7 +55,6 @@ jobs:
         operating-system:
           - "ubuntu-latest"
         php-version:
-          - "8.1"
           - "8.2"
           - "8.3"
         dependencies:
@@ -80,7 +79,7 @@ jobs:
           composer-options: "--optimize-autoloader"
 
       - name: "Execute tests (PHP)"
-        run: "make ci-cc"
+        run: "castor test"
 
   #      - name: Send coverage to Coveralls
   #        if: "matrix.php-version == '8.1' && matrix.dependencies == 'highest'"
@@ -120,7 +119,7 @@ jobs:
         run: "composer dump-autoload --optimize --strict-psr"
 
       - name: "Execute static analysis"
-        run: "make st"
+        run: "castor stan"
 
   coding_standards:
     name: "4️⃣ Coding Standards"
@@ -146,40 +145,10 @@ jobs:
           composer-options: "--optimize-autoloader"
 
       - name: "Check coding style"
-        run: "make ci-cs"
+        run: "castor cs"
 
       - name: "Deptrac"
-        run: |
-          vendor/bin/deptrac analyse --fail-on-uncovered --no-cache
-
-  mutation_testing:
-    name: "5️⃣ Mutation Testing"
-    needs:
-      - "byte_level"
-      - "syntax_errors"
-    runs-on: "ubuntu-latest"
-    steps:
-      - name: "Set up PHP"
-        uses: "shivammathur/setup-php@v2"
-        with:
-          php-version: "8.3"
-          extensions: "ctype, dom, json, libxml, mbstring, openssl, phar, simplexml, tokenizer, xml, xmlwriter"
-          coverage: "xdebug"
-
-      - name: "Checkout code"
-        uses: "actions/checkout@v3"
-
-      - name: "Fetch Git base reference"
-        run: "git fetch --depth=1 origin ${GITHUB_BASE_REF}"
-
-      - name: "Install dependencies"
-        uses: "ramsey/composer-install@v2"
-        with:
-          dependency-versions: "highest"
-          composer-options: "--optimize-autoloader"
-
-      - name: "Execute Infection"
-        run: "make ci-mu"
+        run: "castor deptrac"
 
   rector_checkstyle:
     name: "6️⃣ Rector Checkstyle"
@@ -208,7 +177,7 @@ jobs:
           composer-options: "--optimize-autoloader"
 
       - name: "Execute Rector"
-        run: "make rector"
+        run: "castor rector"
 
   exported_files:
     name: "7️⃣ Exported files"

.github/workflows/lock-closed-issues.yml

@@ -0,0 +1,23 @@
+name: 'Lock Issues'
+
+on:
+  schedule:
+    - cron: '12 6 * * *'
+
+jobs:
+  lock:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: dessant/lock-threads@v5
+        with:
+          github-token: ${{ github.token }}
+          issue-inactive-days: '31'
+          exclude-issue-created-before: ''
+          exclude-any-issue-labels: ''
+          add-issue-labels: ''
+          issue-comment: >
+            This thread has been automatically locked since there has not been
+            any recent activity after it was closed. Please open a new issue for
+            related bugs.
+          issue-lock-reason: 'resolved'
+          process-only: 'issues'

.github/workflows/release-on-milestone-closed.yml

@@ -1,5 +1,3 @@
-# https://help.github.com/en/categories/automating-your-workflow-with-github-actions
-
 name: "Automatic Releases"
 
 on:

.github/workflows/scorecards.yml

@@ -0,0 +1,62 @@
+name: Scorecards supply-chain security
+
+on:
+  schedule:
+    - cron: '34 4 * * 6'
+  push:
+    branches:
+      - "*.*.x"
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge. (Upcoming feature)
+      id-token: write
+      # Needs for private repositories.
+      contents: read
+      actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/[email protected]
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+
+          # Publish the results for public repositories to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
+          # of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/[email protected]
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif

deptrac.yaml

@@ -4,11 +4,11 @@ parameters:
   layers:
     - name: 'CBOR'
       collectors:
-        - type: 'className'
-          regex: '^CBO\\'
+        - type: 'classLike'
+          value: '^CBO\\'
     - name: 'Vendors'
       collectors:
-        - { type: className, regex: '^Brick\\' }
+        - { type: 'classLike', value: '^Brick\\' }
   ruleset:
     CBOR:
       - Vendors

phpstan-baseline.neon

@@ -5,21 +5,41 @@ parameters:
 			count: 1
 			path: src/NegativeIntegerObject.php
 
+		-
+			message: "#^Cannot access offset 1 on array\\|false\\.$#"
+			count: 1
+			path: src/OtherObject/DoublePrecisionFloatObject.php
+
 		-
 			message: "#^Parameter \\#1 \\$value of static method CBOR\\\\Utils\\:\\:binToBigInteger\\(\\) expects string, string\\|null given\\.$#"
 			count: 3
 			path: src/OtherObject/DoublePrecisionFloatObject.php
 
+		-
+			message: "#^Parameter \\#2 \\$data of class CBOR\\\\OtherObject\\\\DoublePrecisionFloatObject constructor expects string\\|null, string\\|false given\\.$#"
+			count: 1
+			path: src/OtherObject/DoublePrecisionFloatObject.php
+
 		-
 			message: "#^Parameter \\#1 \\$value of static method CBOR\\\\Utils\\:\\:binToBigInteger\\(\\) expects string, string\\|null given\\.$#"
 			count: 3
 			path: src/OtherObject/HalfPrecisionFloatObject.php
 
+		-
+			message: "#^Cannot access offset 1 on array\\|false\\.$#"
+			count: 1
+			path: src/OtherObject/SinglePrecisionFloatObject.php
+
 		-
 			message: "#^Parameter \\#1 \\$value of static method CBOR\\\\Utils\\:\\:binToBigInteger\\(\\) expects string, string\\|null given\\.$#"
 			count: 3
 			path: src/OtherObject/SinglePrecisionFloatObject.php
 
+		-
+			message: "#^Parameter \\#2 \\$data of class CBOR\\\\OtherObject\\\\SinglePrecisionFloatObject constructor expects string\\|null, string\\|false given\\.$#"
+			count: 1
+			path: src/OtherObject/SinglePrecisionFloatObject.php
+
 		-
 			message: "#^Parameter \\#1 \\$num1 of function bcmul expects numeric\\-string, string given\\.$#"
 			count: 1