Bump the actions group across 1 directory with 5 updates #6
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Safe PR Analysis - First Stage (Unprivileged) | |
| # Analyzes PR content and saves results as artifacts for privileged workflow | |
| name: AI PR Analysis (Safe) | |
| on: | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| # Cancel previous workflow runs for the same PR | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.number }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| # NO write permissions in this workflow for security | |
| jobs: | |
| analyze-pr: | |
| name: Analyze PR Content (Unprivileged) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code (Safe - uses default branch) | |
| uses: actions/checkout@v5 | |
| with: | |
| fetch-depth: 0 | |
| # SECURITY: Do NOT checkout PR head - use base branch only | |
| ref: ${{ github.event.pull_request.base.ref }} | |
| - name: Get PR diff safely | |
| id: pr-diff | |
| run: | | |
| # SECURITY: Get diff without checking out untrusted code | |
| BASE_SHA="${{ github.event.pull_request.base.sha }}" | |
| HEAD_SHA="${{ github.event.pull_request.head.sha }}" | |
| # Use GitHub API to get diff instead of git checkout | |
| curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
| -H "Accept: application/vnd.github.v3.diff" \ | |
| "https://api.github.com/repos/${{ github.repository }}/compare/$BASE_SHA...$HEAD_SHA" \ | |
| > pr_diff.txt | |
| echo "base-sha=$BASE_SHA" >> $GITHUB_OUTPUT | |
| echo "head-sha=$HEAD_SHA" >> $GITHUB_OUTPUT | |
| echo "pr-number=${{ github.event.number }}" >> $GITHUB_OUTPUT | |
| - name: Run AI Analysis (No secrets exposed) | |
| uses: google-github-actions/[email protected] | |
| with: | |
| prompt: | | |
| You are an expert WordPress plugin developer and security consultant reviewing a pull request for the "Simple WP Optimizer" WordPress plugin. | |
| PLUGIN CONTEXT: | |
| - WordPress performance optimization plugin | |
| - Removes unnecessary WordPress features and scripts to improve performance | |
| - Supports WordPress 6.5+ and PHP 7.4+ | |
| - Features include emoji removal, jQuery migrate removal, header cleanup, DNS prefetch optimization | |
| COMPREHENSIVE REVIEW CHECKLIST: | |
| 🔒 SECURITY ANALYSIS: | |
| 1. SQL Injection vulnerabilities | |
| 2. XSS (Cross-Site Scripting) issues | |
| 3. CSRF (Cross-Site Request Forgery) protection | |
| 4. Input validation and sanitization | |
| 5. Output escaping compliance | |
| 6. Authentication and authorization checks | |
| 7. File upload security (if applicable) | |
| 📝 WORDPRESS STANDARDS: | |
| 1. WordPress Coding Standards compliance | |
| 2. Proper use of WordPress APIs | |
| 3. Hook usage (actions/filters) | |
| 4. Internationalization (i18n) implementation | |
| 5. Plugin structure and organization | |
| 6. PHPDoc documentation quality | |
| ⚡ PERFORMANCE REVIEW: | |
| 1. Database query optimization | |
| 2. Caching strategies | |
| 3. Resource loading efficiency | |
| 4. Memory usage considerations | |
| 5. Scalability implications | |
| 🏗️ CODE QUALITY: | |
| 1. Function complexity and readability | |
| 2. Error handling implementation | |
| 3. Type safety and parameter validation | |
| 4. Code reusability and DRY principles | |
| 5. Naming conventions | |
| 🔧 PLUGIN-SPECIFIC: | |
| 1. WordPress optimization best practices | |
| 2. Performance impact assessment | |
| 3. Admin interface usability | |
| 4. Plugin activation/deactivation handling | |
| 5. Compatibility with WordPress core features | |
| REVIEW FORMAT: | |
| For each category, provide: | |
| - ✅ Approved items | |
| - ⚠️ Issues requiring attention (with severity: CRITICAL/HIGH/MEDIUM/LOW) | |
| - 💡 Improvement suggestions | |
| - 📚 Relevant documentation links | |
| Focus on actionable feedback that improves: | |
| - Security posture | |
| - WordPress ecosystem compatibility | |
| - Code maintainability | |
| - Performance and user experience | |
| Analyze the following PR diff: | |
| env: | |
| GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} | |
| - name: Save PR metadata for privileged workflow | |
| run: | | |
| mkdir -p ./pr-data | |
| echo "${{ github.event.number }}" > ./pr-data/pr-number.txt | |
| echo "${{ github.event.pull_request.head.sha }}" > ./pr-data/head-sha.txt | |
| echo "${{ github.event.pull_request.base.sha }}" > ./pr-data/base-sha.txt | |
| echo "${{ github.event.pull_request.user.login }}" > ./pr-data/author.txt | |
| echo "AI analysis completed successfully" > ./pr-data/status.txt | |
| - name: Upload analysis results | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: pr-analysis-${{ github.event.number }} | |
| path: pr-data/ | |
| retention-days: 30 |