[RTM] Run security check on CI server

[ausi]

This should help us to recognise early if we depend on packages with security issues. Running this automatically in CI is especially important for older supported PHP versions because locally most of us use the latest PHP version.

[leofeyer]

Do we really have to explicitly define the end point? If yes, we should use the HTTPS URL instead of HTTP, shouldn't we?

[ausi]

The default endpoint uses HTTPS, but there are SSL issues on the Travis CI servers, thats why I switched to the HTTP endpoint. See https://github.com/sensiolabs/security-checker/pull/77#issuecomment-290733113

[aschempp]

You're aware this is only executed if we change something on the managed edition? Like almost never?

[ausi]

I think Travis CI runs everytime a new tag is added (or it is configurable to do that). We could also configure Travis CI to run a build on a regular basis (daily, weekly or monthly).

[leofeyer]

Every time a tag is added should be enough, shouldn't it?

[dmolineus]

If an security issue is detected after a tag is created, you would release new versions with known security issues. You should get this information before tagging a release.

[leofeyer]

Since I am using roave/security-advisories (and yes, we are going around in circles here), this case is unlikely to happen. But even if I were not – CI never prevents issues before they happen. If your tests fail and you don't check, CI will only tell you after you have tagged your release, too.

[ausi]

@dmolineus you should run vendor/bin/security-checker security:check yourself locally.

This check on the CI servers is just to make sure that we don’t miss something, especially for edge cases that only occur in specific PHP versions.

[leofeyer]

Thank you @ausi.