author | Joas Schilling <coding@schilljs.com> | 2024-10-01 00:09:15 +0200 |
---|---|---|
committer | Joas Schilling <coding@schilljs.com> | 2024-10-01 00:11:07 +0200 |
commit | 570a9e208fa638c35f5ec1c9754acf2a66aa587d (patch) | |
tree | f1242f593b5afe10596cc7b599a3e444fd056f2c /.github | |
parent | 990ee44015da720acbcf22dfe583b181dd1655fd (diff) | |
ci: Add psalm baseline for security and make CI fail on change
ci/noid/improve-running-psalm-locally
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to '.github')
-rw-r--r-- | .github/CODEOWNERS | 2 | ||||
-rw-r--r-- | .github/workflows/static-code-analysis.yml | 6 |
2 files changed, 6 insertions, 2 deletions
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index e448bf922ce..afe17a95f84 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -37,9 +37,9 @@ /apps/files_trashbin/src* @skjnldsv # Security team +/build/psalm-baseline-security.xml @nickvergessen /resources/codesigning @mgallien @miaulalala @nickvergessen /resources/config/ca-bundle.crt @ChristophWurst @miaulalala @nickvergessen -/.drone.yml @nickvergessen # Two-Factor Authentication # https://github.com/nextcloud/wg-two-factor-authentication#members diff --git a/.github/workflows/static-code-analysis.yml b/.github/workflows/static-code-analysis.yml index 63ad51a26c6..c5e8e957077 100644 --- a/.github/workflows/static-code-analysis.yml +++ b/.github/workflows/static-code-analysis.yml @@ -60,7 +60,11 @@ jobs: run: composer i - name: Psalm taint analysis - run: composer run psalm:security -- --threads=1 --monochrome --no-progress --output-format=github --report=results.sarif + run: composer run psalm:security -- --threads=1 --monochrome --no-progress --output-format=github --update-baseline --report=results.sarif + + - name: Show potential changes in Psalm baseline + if: always() + run: git diff --exit-code -- . ':!lib/composer' - name: Upload Security Analysis results to GitHub if: always() |
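Review bot: In the CODEOWNERS hunk, the added `/build/psalm-baseline-security.xml @nickvergessen` entry names a single owner, while the two neighbouring "Security team" entries each list two or three. A baseline file decides which taint findings are suppressed, so every change to it deserves a security review that does not depend on one person being available; consider adding a second owner from the same group. The same hunk also drops `/.drone.yml @nickvergessen`, which the commit message does not mention; a line in the message saying why that entry goes would help anyone reading the history later.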
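Review bot: In the static-code-analysis.yml hunk, the new step runs `git diff --exit-code -- . ':!lib/composer'`, which fails on any modified tracked file outside `lib/composer`, not only on the baseline that `--update-baseline` rewrites. If `composer i` or another earlier step touches a tracked file, the job fails under a step named "Show potential changes in Psalm baseline" and the cause is hard to find. Consider limiting the pathspec to the baseline file (the CODEOWNERS hunk suggests `build/psalm-baseline-security.xml`, if that is the file the `psalm:security` script writes) and renaming the step so it says that a changed baseline fails the build. A short YAML comment explaining that `--update-baseline` is passed only so the following diff can detect a stale baseline would also document the intent for the next person editing the workflow.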