Merge pull request #229 from fredden/feature/security-check-no-dev

Ignore development-only packages in security check

Author: jrfnl

.github/workflows/securitycheck.yml

@@ -35,16 +35,15 @@ jobs:
           php-version: ${{ matrix.php }}
           coverage: none
 
-      - name: Enable creation of `composer.lock` file
-        run: composer config --unset lock
-
       # Install dependencies and handle caching in one go.
       # @link https://github.com/marketplace/actions/install-php-dependencies-with-composer
       - name: Install Composer dependencies
         uses: "ramsey/composer-install@v3"
         with:
           # Bust the cache at least once a month - output format: YYYY-MM.
           custom-cache-suffix: $(date -u "+%Y-%m")
+          # Ignore development-only packages in security check
+          composer-options: "--no-dev"
 
       - name: Download security checker
         # yamllint disable-line rule:line-length
@@ -54,4 +53,4 @@ jobs:
         run: chmod +x ./local-php-security-checker_2.0.6_linux_amd64
 
       - name: Check against insecure dependencies
-        run: ./local-php-security-checker_2.0.6_linux_amd64 --path=composer.lock
+        run: ./local-php-security-checker_2.0.6_linux_amd64 --path=vendor/composer/installed.json