From 2ccdae6d3073e98fbfb1b4f73ab435c019afac69 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Sat, 2 Aug 2025 22:42:46 +0200
Subject: [PATCH] feat(security): Check for vulnerable PHP dependencies

Signed-off-by: Joas Schilling
---
 workflow-templates/psalm-matrix.yml | 2 ++
 workflow-templates/psalm.yml | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/workflow-templates/psalm-matrix.yml b/workflow-templates/psalm-matrix.yml
index a623632..7087d95 100644
--- a/workflow-templates/psalm-matrix.yml
+++ b/workflow-templates/psalm-matrix.yml
@@ -67,6 +67,8 @@ jobs:
 composer remove nextcloud/ocp --dev --no-scripts
 composer i
+ - name: Check for vulnerable PHP dependencies
+ run: composer require --dev roave/security-advisories:dev-latest
 - name: Install dependencies # zizmor: ignore[template-injection]
 run: composer require --dev 'nextcloud/ocp:${{ matrix.ocp-version }}' --ignore-platform-reqs --with-dependencies
diff --git a/workflow-templates/psalm.yml b/workflow-templates/psalm.yml
index 114a022..b51d38c 100644
--- a/workflow-templates/psalm.yml
+++ b/workflow-templates/psalm.yml
@@ -52,6 +52,9 @@ jobs:
 composer remove nextcloud/ocp --dev --no-scripts
 composer i
+ - name: Check for vulnerable PHP dependencies
+ run: composer require --dev roave/security-advisories:dev-latest
+
 - name: Install nextcloud/ocp
 run: composer require --dev nextcloud/ocp:dev-${{ steps.versions.outputs.branches-max }} --ignore-platform-reqs --with-dependencies
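Review bot: The new step in psalm-matrix.yml (and the identical one in psalm.yml) has no comment saying how it checks anything, so a reader of a red Psalm job cannot tell that `composer require` failing here means an installed package conflicts with a published advisory. I would add above the `run:` line something like `# roave/security-advisories only declares conflicts; this step fails when an installed version has a known advisory`. Because `dev-latest` is resolved at run time, the job can start failing with no change in the repository, and the requirement stays in the workspace's composer.json for the following `composer require ... --with-dependencies` step, where an advisory hit would probably surface as a plain resolution error. If the runner's Composer provides it, `run: composer audit` would name the affected advisories without modifying composer.json. The steps list these lines belong to starts and ends outside both hunks.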