Merge pull request #213 from bcc-code/test/psalm-analysis

adelinn · web-flow · commit 5faadb6749d4 · 2026-01-16T20:55:46.000+02:00
Add PHPStan as linter before pushing new version and switching to Psalm fore Vulnerability analysis
diff --git a/.github/workflows/bcc-keep-translated-posts-status-same-as-original-plugin-release.yml b/.github/workflows/bcc-keep-translated-posts-status-same-as-original-plugin-release.yml
@@ -25,15 +25,57 @@ on:
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
-  # This workflow contains a single job called "build"
+  lint:
+    name: Lint PHP - validate code
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    
+    defaults:
+      run:
+        shell: bash
+        working-directory: ./plugins/bcc-keep-translated-posts-status-same-as-original
+
+    steps:
+    - uses: actions/checkout@v6
+
+    # This config file gets auto-loaded by PHPStan
+    - name: Set PHPStan config
+      run: |
+        cat <<'EOF' > phpstan.neon
+        parameters:
+          level: 1 # form 0 to 11 where 0 is the loosest and 11 the strictest
+          errorFormat: github
+          paths:
+            - .
+          excludePaths:
+            - vendor
+          scanFiles:
+            - dependencies.stub
+          # One can ignore errors like this
+          # ignoreErrors:
+          #   - '#Path in require\(\) "build/.+\.asset\.php" is not a file or it does not exist\.#'
+        includes:
+          - vendor/szepeviktor/phpstan-wordpress/extension.neon
+        EOF
+
+    - name: Install PHPStan and Wordpress-stub
+      run: |
+        composer require --dev phpstan/phpstan
+        composer require --dev szepeviktor/phpstan-wordpress
+
+    - name: Run PHPStan
+      run: vendor/bin/phpstan analyse --no-progress
+      
   build:
+    needs: lint
     # The type of runner that the job will run on
     runs-on: ubuntu-latest
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v6
 
       - name: Get Package Version
         id: version
diff --git a/.github/workflows/bcc-login-plugin-release.yml b/.github/workflows/bcc-login-plugin-release.yml
@@ -25,15 +25,58 @@ on:
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
-  # This workflow contains a single job called "build"
+  lint:
+    name: Lint PHP - validate code
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    
+    defaults:
+      run:
+        shell: bash
+        working-directory: ./plugins/bcc-login
+
+    steps:
+    - uses: actions/checkout@v6
+
+    # This config file gets auto-loaded by PHPStan
+    - name: Set PHPStan config
+      run: |
+        cat <<'EOF' > phpstan.neon
+        parameters:
+          level: 1 # form 0 to 11 where 0 is the loosest and 11 the strictest
+          errorFormat: github
+          paths:
+            - .
+          excludePaths:
+            - vendor
+          scanFiles:
+            - dependencies.stub
+          bootstrapFiles:
+            - bcc-login.php
+          ignoreErrors:
+            - '#Path in require\(\) "build/.+\.asset\.php" is not a file or it does not exist\.#'
+        includes:
+          - vendor/szepeviktor/phpstan-wordpress/extension.neon
+        EOF
+
+    - name: Install PHPStan and Wordpress-stub
+      run: |
+        composer require --dev phpstan/phpstan
+        composer require --dev szepeviktor/phpstan-wordpress
+
+    - name: Run PHPStan
+      run: vendor/bin/phpstan analyse --no-progress
+
   build:
+    needs: lint
     # The type of runner that the job will run on
     runs-on: ubuntu-latest
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v6
 
       - name: Get Package Version
         id: version
diff --git a/.github/workflows/bcc-post-update-translations-notifier-plugin-release.yml b/.github/workflows/bcc-post-update-translations-notifier-plugin-release.yml
@@ -25,15 +25,57 @@ on:
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
-  # This workflow contains a single job called "build"
+  lint:
+    name: Lint PHP - validate code
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    
+    defaults:
+      run:
+        shell: bash
+        working-directory: ./plugins/bcc-post-update-translations-notifier
+
+    steps:
+    - uses: actions/checkout@v6
+
+    # This config file gets auto-loaded by PHPStan
+    - name: Set PHPStan config
+      run: |
+        cat <<'EOF' > phpstan.neon
+        parameters:
+          level: 1 # form 0 to 11 where 0 is the loosest and 11 the strictest
+          errorFormat: github
+          paths:
+            - .
+          excludePaths:
+            - vendor
+          scanFiles:
+            - dependencies.stub
+          # One can ignore errors like this
+          # ignoreErrors:
+          #   - '#Path in require\(\) "build/.+\.asset\.php" is not a file or it does not exist\.#'
+        includes:
+          - vendor/szepeviktor/phpstan-wordpress/extension.neon
+        EOF
+
+    - name: Install PHPStan and Wordpress-stub
+      run: |
+        composer require --dev phpstan/phpstan
+        composer require --dev szepeviktor/phpstan-wordpress
+
+    - name: Run PHPStan
+      run: vendor/bin/phpstan analyse --no-progress
+
   build:
+    needs: lint
     # The type of runner that the job will run on
     runs-on: ubuntu-latest
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v6
 
       - name: Get Package Version
         id: version
diff --git a/.github/workflows/php-sast.yml b/.github/workflows/php-sast.yml
@@ -13,6 +13,7 @@ on:
 
 permissions:
   contents: read
+  security-events: write # Required to upload SARIF files
 
 jobs:
   scan:
@@ -21,33 +22,36 @@ jobs:
     steps:
     - uses: actions/checkout@v6
 
-    # - name: Validate composer.json and composer.lock
-    #   run: composer validate --strict
-
-    # This config file gets auto-loaded by PHPStan
+    # This config file gets auto-loaded by Psalm
     # !!!! The old bcc-signon plugin and the bcc-wp-proxy plugin are excluded from analysis!
-    - name: Set PHPStan config
+    - name: Set Psalm config
       run: |
-        cat <<'EOF' > phpstan.neon
-        parameters:
-          level: 1 # form 0 to 11 where 0 is the loosest and 11 the strictest
-          errorFormat: github
-          paths:
-            - plugins
-          scanFiles:
-            - custom-defs.stub
-          bootstrapFiles:
-            - plugins/bcc-login/bcc-login.php
-          ignoreErrors:
-            - '#Path in require\(\) "build/.+\.asset\.php" is not a file or it does not exist\.#'
-          excludePaths:
-            - plugins/bcc-signon/*
-            - plugins/bcc-wp-proxy/*
-        includes:
-          - vendor/szepeviktor/phpstan-wordpress/extension.neon
+        cat <<'EOF' > psalm.xml
+        <?xml version="1.0"?>
+        <!-- Psalm has levels of strictness (errorLevel) from 1 (most strict) to 8 (most lenient). -->
+        <psalm
+          xmlns="https://getpsalm.org/schema/config"
+          errorLevel="2"
+        >
+          <projectFiles>
+            <directory name="plugins" />
+            <ignoreFiles>
+              <directory name="plugins/bcc-signon" />
+              <directory name="plugins/bcc-wp-proxy" />
+            </ignoreFiles>
+          </projectFiles>
+          <stubs>
+            <file name="custom-defs.stub" />
+          </stubs>
+          <plugins>
+            <pluginClass class="PsalmWordPress\Plugin">
+              <requireAllParams value="true" />
+            </pluginClass>
+          </plugins>
+        </psalm>
         EOF
 
-    - name: Create custom stubs for plugin functions. If this grows too big it can be commited as a separate file
+    - name: Create stubs for dependency functions (e.g. other plugin funcions). If this grows too big it can be commited as a separate file
       run: |
         cat <<'EOF' > custom-defs.stub
         <?php
@@ -69,11 +73,19 @@ jobs:
         function get_culture() {};
         EOF
 
-    - name: Install PHPStan and Wordpress-stub
+    - name: Install Psalm and Wordpress stubs
       run: |
-        composer require --dev phpstan/phpstan
-        composer require --dev szepeviktor/phpstan-wordpress
+        composer require --dev php-stubs/wordpress-stubs ~6.8.0
+        composer require --dev humanmade/psalm-plugin-wordpress
 
-    - name: Run PHPStan
-      run: vendor/bin/phpstan analyse --no-progress
+    - name: Run Psalm
+      uses: psalm/psalm-github-actions@26f175f4d1d9006ea675bb78831ae94126017b07
+      with:
+        security_analysis: true
+        composer_require_dev: true
+        report_file: results.sarif
 
+    - name: Upload Security Analysis results to GitHub
+      uses: github/codeql-action/upload-sarif@v4
+      with:
+        sarif_file: results.sarif
diff --git a/plugins/bcc-keep-translated-posts-status-same-as-original/dependencies.stub b/plugins/bcc-keep-translated-posts-status-same-as-original/dependencies.stub
@@ -0,0 +1,3 @@
+<?php
+
+// No plugin/theme dependencies so no stubs needed
diff --git a/plugins/bcc-login/bcc-login.php b/plugins/bcc-login/bcc-login.php
@@ -3,11 +3,15 @@
 /**
  * Plugin Name: BCC Login
  * Description: Integration to BCC's Login System.
- * Version: 1.1.431
+ * Version: 1.1.433
  * Author: BCC IT
  * License: GPL2
  */
 
+if ( ! defined( 'ABSPATH' ) ) {
+	exit; // Exit if accessed directly.
+}
+
 define( 'BCC_LOGIN_PATH', plugin_dir_path( __FILE__ ) );
 define( 'BCC_LOGIN_URL', plugin_dir_url( __FILE__ ) );
 
@@ -30,7 +34,7 @@ class BCC_Login {
      * The plugin instance.
      */
     private static $instance = null;
-    private $plugin_version = "1.1.431";
+    private $plugin_version = "1.1.433";
     private $plugin;
     private $plugin_slug;
     private $plugin_name = "BCC Login";
diff --git a/plugins/bcc-login/dependencies.stub b/plugins/bcc-login/dependencies.stub
@@ -0,0 +1,6 @@
+<?php
+
+/**
+* @return string
+*/
+function get_culture() {};
diff --git a/plugins/bcc-login/package.json b/plugins/bcc-login/package.json
@@ -1,14 +1,14 @@
 {
 	"private": true,
 	"name": "bcc-login",
-	"version": "1.1.431",
+	"version": "1.1.433",
 	"slug": "bcc-login",
 	"author": "<a href='https://github.com/bcc-code'>BCC Code</a>",
 	"author_profile": "https://github.com/bcc-code",
 	"requires": "3.0",
 	"tested": "5.8",
 	"requires_php": "5.3",
-	"last_updated": "2026-01-15 11:18:18",
+	"last_updated": "2026-01-16 18:44:44",
 	"sections": {
 		"description": "BCC Login",
 		"installation": "Add OIDC_CLIENT_ID and OIDC_CLIENT_SECRET as environment variables or constants in wp-config.php, and active plugin",
diff --git a/plugins/bcc-post-update-translations-notifier/dependencies.stub b/plugins/bcc-post-update-translations-notifier/dependencies.stub
@@ -0,0 +1,12 @@
+<?php
+
+/**
+* @param mixed $post_id
+* @return mixed|null
+*/
+function get_field(
+    string $selector,
+    $post_id = false,
+    bool $format_value = true,
+    bool $escape_html = false
+) {};

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+<?php`
	`2`	`+`
	`3`	`+// No plugin/theme dependencies so no stubs needed`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,6 @@ @@
 +<?php
++
 +/**
 +* @return string
 +*/
 +function get_culture() {};