Merge branch 'main' into feat/plugin_search_operators

Author: nnjeim

.github/workflows/codeql.yml

@@ -43,9 +43,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8    # v5.0.0
 
       # Initializes the CodeQL tools for scanning.
+      # These all use the @v3 tag instead of a commit hash because I can't make hashes work with the three-level path.
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:

.github/workflows/dependency-review.yml

@@ -17,6 +17,6 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683    # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8    # v5.0.0
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9    # v4.7.1
+        uses: actions/dependency-review-action@595b5aeba73380359d98a5e087f648dbb0edce1b    # v4.7.3

.github/workflows/php-static-analysis.yml

@@ -0,0 +1,49 @@
+name: Commit Pipeline
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+permissions: # added using https://github.com/step-security/secure-repo
+  contents: read
+
+jobs:
+  php-static-analysis:
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8    # v5.0.0
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # v2
+        with:
+          php-version: 8.4
+
+      - name: Get composer cache directory
+        id: composer-cache
+        run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
+
+      - name: Cache composer dependencies
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: ${{ steps.composer-cache.outputs.dir }}
+          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+          restore-keys: ${{ runner.os }}-composer-
+
+      - name: Install dependencies
+        run: composer install
+
+      - name: Run PHPStan
+        run: vendor/bin/phpstan --memory-limit=1G analyse -v
+
+      - name: Run Psalm
+        run: vendor/bin/psalm --memory-limit=2G
+

.github/workflows/phpunit.yml

@@ -0,0 +1,84 @@
+name: Commit Pipeline
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+permissions: # added using https://github.com/step-security/secure-repo
+  contents: read
+
+jobs:
+  phpunit:
+    runs-on: ubuntu-24.04
+
+    strategy:
+      matrix:
+        php-versions: [ '8.4' ]
+
+    services:
+      postgres:
+        image: postgres:latest
+        env:
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: postgres
+          POSTGRES_DB: aspirecloud_testing
+        ports:
+          - 5432/tcp
+        options: --health-cmd pg_isready --health-interval 2s --health-timeout 2s --health-retries 10
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8    # v5.0.0
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # v2
+        with:
+          php-version: ${{ matrix.php-versions }}
+          extensions: mbstring, pgsql
+          # not doing coverage in CI yet
+          # coverage: xdebug
+
+      - name: Get composer cache directory
+        id: composer-cache
+        run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
+
+      - name: Cache composer dependencies
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: ${{ steps.composer-cache.outputs.dir }}
+          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+          restore-keys: ${{ runner.os }}-composer-
+
+      - name: Install dependencies
+        run: composer install
+
+      - name: Prepare tests
+        run: |
+          cp .env.example .env
+          php artisan key:generate
+          php artisan migrate
+        env:
+          CACHE_STORE: array
+          DB_HOST: localhost
+          DB_PORT: ${{ job.services.postgres.ports[5432] }}
+          DB_USERNAME: postgres
+          DB_PASSWORD: postgres
+          DB_DATABASE: aspirecloud_testing
+
+      - name: Run Pest
+        run: vendor/bin/pest --ci
+        env:
+          CACHE_STORE: array
+          DB_HOST: localhost
+          DB_PORT: ${{ job.services.postgres.ports[5432] }}
+          DB_USERNAME: postgres
+          DB_PASSWORD: postgres
+          DB_DATABASE: aspirecloud_testing
+

.github/workflows/run-checks.yaml

@@ -39,7 +39,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8    # v5.0.0
         with:
           persist-credentials: false
 
@@ -66,14 +66,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v3 # I can't make commit hashes work with these three-level paths...
         with:
           sarif_file: results.sarif

.github/workflows/scorecards.yml

@@ -14,6 +14,7 @@
 use Laravel\Fortify\TwoFactorAuthenticatable;
 use Laravel\Jetstream\HasProfilePhoto;
 use Laravel\Sanctum\HasApiTokens;
+use Laravel\Sanctum\PersonalAccessToken;
 use Spatie\Permission\Traits\HasRoles;
 
 /**
@@ -30,12 +31,13 @@
  */
 class User extends Authenticatable
 {
+    /** @use HasApiTokens<PersonalAccessToken> */
     use HasApiTokens;
-    use HasRoles;
 
     /** @use HasFactory<UserFactory> */
     use HasFactory;
 
+    use HasRoles;
     use HasProfilePhoto;
     use Notifiable;
     use TwoFactorAuthenticatable;

app/Models/User.php

@@ -18,7 +18,7 @@
     /**
      * @param list<string>|null $tags
      * @param list<string>|null $ac_tags
-     * @param string|array<string,bool> $fields
+     * @param string|array<string,bool>|null $fields
      */
     public function __construct(
         public ?string $search = null, // text to search

app/Values/WpOrg/Themes/QueryThemesRequest.php

@@ -33,9 +33,11 @@
         "pestphp/pest": "^3.8.0",
         "pestphp/pest-plugin-laravel": "^3.1",
         "phpstan/phpstan": "^2.1.11",
+        "psalm/plugin-laravel": "^3.0",
         "roave/security-advisories": "dev-latest",
         "spatie/laravel-web-tinker": "^1.10.1",
-        "thecodingmachine/phpstan-safe-rule": "^1.4"
+        "thecodingmachine/phpstan-safe-rule": "^1.4",
+        "vimeo/psalm": "^6.13"
     },
     "autoload": {
         "psr-4": {