diff --git a/.github/workflows/bcc-keep-translated-posts-status-same-as-original-plugin-release.yml b/.github/workflows/bcc-keep-translated-posts-status-same-as-original-plugin-release.yml index a46c21c..63d0ad2 100644 --- a/.github/workflows/bcc-keep-translated-posts-status-same-as-original-plugin-release.yml +++ b/.github/workflows/bcc-keep-translated-posts-status-same-as-original-plugin-release.yml @@ -25,15 +25,57 @@ on: # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: - # This workflow contains a single job called "build" + lint: + name: Lint PHP - validate code + runs-on: ubuntu-latest + permissions: + contents: read + + defaults: + run: + shell: bash + working-directory: ./plugins/bcc-keep-translated-posts-status-same-as-original + + steps: + - uses: actions/checkout@v6 + + # This config file gets auto-loaded by PHPStan + - name: Set PHPStan config + run: | + cat <<'EOF' > phpstan.neon + parameters: + level: 1 # form 0 to 11 where 0 is the loosest and 11 the strictest + errorFormat: github + paths: + - . + excludePaths: + - vendor + scanFiles: + - dependencies.stub + # One can ignore errors like this + # ignoreErrors: + # - '#Path in require\(\) "build/.+\.asset\.php" is not a file or it does not exist\.#' + includes: + - vendor/szepeviktor/phpstan-wordpress/extension.neon + EOF + + - name: Install PHPStan and Wordpress-stub + run: | + composer require --dev phpstan/phpstan + composer require --dev szepeviktor/phpstan-wordpress + + - name: Run PHPStan + run: vendor/bin/phpstan analyse --no-progress + build: + needs: lint # The type of runner that the job will run on runs-on: ubuntu-latest # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 - name: Get Package Version id: version 
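Review bot: The two `composer require --dev` lines in the "Install PHPStan and Wordpress-stub" step carry no version constraint, and `actions/checkout@v6` is a movable tag, so the code this job runs is whatever upstream publishes at run time. Because `build` now has `needs: lint`, a new PHPStan or stub release can change the findings and block a plugin release without any change in this repository. Consider pinning both, e.g. `composer require --dev phpstan/phpstan:<PINNED_VERSION> szepeviktor/phpstan-wordpress:<PINNED_VERSION>` (placeholders; or a committed `require-dev` plus lock file, if the plugin has a composer.json) and `uses: actions/checkout@<FULL_COMMIT_SHA> # v6`. The same applies to the identical `lint` jobs added in `bcc-login-plugin-release.yml` and `bcc-post-update-translations-notifier-plugin-release.yml`. The `build` job continues outside the hunk.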
diff --git a/.github/workflows/bcc-login-plugin-release.yml b/.github/workflows/bcc-login-plugin-release.yml index 82e4862..1b0dda7 100644 --- a/.github/workflows/bcc-login-plugin-release.yml +++ b/.github/workflows/bcc-login-plugin-release.yml @@ -25,15 +25,58 @@ on: # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: - # This workflow contains a single job called "build" + lint: + name: Lint PHP - validate code + runs-on: ubuntu-latest + permissions: + contents: read + + defaults: + run: + shell: bash + working-directory: ./plugins/bcc-login + + steps: + - uses: actions/checkout@v6 + + # This config file gets auto-loaded by PHPStan + - name: Set PHPStan config + run: | + cat <<'EOF' > phpstan.neon + parameters: + level: 1 # form 0 to 11 where 0 is the loosest and 11 the strictest + errorFormat: github + paths: + - . + excludePaths: + - vendor + scanFiles: + - dependencies.stub + bootstrapFiles: + - bcc-login.php + ignoreErrors: + - '#Path in require\(\) "build/.+\.asset\.php" is not a file or it does not exist\.#' + includes: + - vendor/szepeviktor/phpstan-wordpress/extension.neon + EOF + + - name: Install PHPStan and Wordpress-stub + run: | + composer require --dev phpstan/phpstan + composer require --dev szepeviktor/phpstan-wordpress + + - name: Run PHPStan + run: vendor/bin/phpstan analyse --no-progress + build: + needs: lint # The type of runner that the job will run on runs-on: ubuntu-latest # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 - name: Get Package Version id: version diff --git a/.github/workflows/bcc-post-update-translations-notifier-plugin-release.yml b/.github/workflows/bcc-post-update-translations-notifier-plugin-release.yml index 2c7af9a..89d6798 100644 
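Review bot: `bootstrapFiles: - bcc-login.php` makes PHPStan load the plugin's main file with the PHP runtime before analysis, so this job executes repository code rather than only parsing it, while the checkout step leaves its token in the local git config by default. The job-level `permissions: contents: read` already limits what that token can do; adding `with:` / `persist-credentials: false` under `- uses: actions/checkout@v6` in the `lint` job removes it from the workspace altogether. A short comment above `bootstrapFiles` saying why the file has to be executed (for example, constants it defines) would help, since the reason is not visible in this hunk.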
--- a/.github/workflows/bcc-post-update-translations-notifier-plugin-release.yml +++ b/.github/workflows/bcc-post-update-translations-notifier-plugin-release.yml @@ -25,15 +25,57 @@ on: # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: - # This workflow contains a single job called "build" + lint: + name: Lint PHP - validate code + runs-on: ubuntu-latest + permissions: + contents: read + + defaults: + run: + shell: bash + working-directory: ./plugins/bcc-post-update-translations-notifier + + steps: + - uses: actions/checkout@v6 + + # This config file gets auto-loaded by PHPStan + - name: Set PHPStan config + run: | + cat <<'EOF' > phpstan.neon + parameters: + level: 1 # form 0 to 11 where 0 is the loosest and 11 the strictest + errorFormat: github + paths: + - . + excludePaths: + - vendor + scanFiles: + - dependencies.stub + # One can ignore errors like this + # ignoreErrors: + # - '#Path in require\(\) "build/.+\.asset\.php" is not a file or it does not exist\.#' + includes: + - vendor/szepeviktor/phpstan-wordpress/extension.neon + EOF + + - name: Install PHPStan and Wordpress-stub + run: | + composer require --dev phpstan/phpstan + composer require --dev szepeviktor/phpstan-wordpress + + - name: Run PHPStan + run: vendor/bin/phpstan analyse --no-progress + build: + needs: lint # The type of runner that the job will run on runs-on: ubuntu-latest # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 - name: Get Package Version id: version diff --git a/.github/workflows/php-sast.yml b/.github/workflows/php-sast.yml index b3935e8..758a32f 100644 --- a/.github/workflows/php-sast.yml +++ b/.github/workflows/php-sast.yml @@ -13,6 +13,7 @@ on: permissions: contents: read + security-events: write # Required to upload SARIF files jobs: scan: 
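Review bot: `security-events: write` is added to the workflow-level `permissions` block of `php-sast.yml`, so every job in the workflow receives it, not only the one that uploads SARIF. If only `scan` uploads results, scope it there: keep `contents: read` at the top and put `permissions:` with `contents: read` and `security-events: write` under `jobs.scan`. The upload step and the `on:` triggers are outside this hunk; on pull requests from forks the token is read-only, so the upload would likely fail there, which is worth confirming against the trigger list.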
@@ -21,33 +22,36 @@ jobs: steps: - uses: actions/checkout@v6 - # - name: Validate composer.json and composer.lock - # run: composer validate --strict - - # This config file gets auto-loaded by PHPStan + # This config file gets auto-loaded by Psalm # !!!! The old bcc-signon plugin and the bcc-wp-proxy plugin are excluded from analysis! - - name: Set PHPStan config + - name: Set Psalm config run: | - cat <<'EOF' > phpstan.neon - parameters: - level: 1 # form 0 to 11 where 0 is the loosest and 11 the strictest - errorFormat: github - paths: - - plugins - scanFiles: - - custom-defs.stub - bootstrapFiles: - - plugins/bcc-login/bcc-login.php - ignoreErrors: - - '#Path in require\(\) "build/.+\.asset\.php" is not a file or it does not exist\.#' - excludePaths: - - plugins/bcc-signon/* - - plugins/bcc-wp-proxy/* - includes: - - vendor/szepeviktor/phpstan-wordpress/extension.neon + cat <<'EOF' > psalm.xml + + + + + + + + + + + + + + + + + + + EOF - - name: Create custom stubs for plugin functions. If this grows too big it can be commited as a separate file + - name: Create stubs for dependency functions (e.g. other plugin funcions). If this grows too big it can be commited as a separate file run: | cat <<'EOF' > custom-defs.stub BCC Code", "author_profile": "https://github.com/bcc-code", "requires": "3.0", "tested": "5.8", "requires_php": "5.3", - "last_updated": "2026-01-15 11:18:18", + "last_updated": "2026-01-16 18:44:44", "sections": { "description": "BCC Login", "installation": "Add OIDC_CLIENT_ID and OIDC_CLIENT_SECRET as environment variables or constants in wp-config.php, and active plugin", diff --git a/plugins/bcc-post-update-translations-notifier/dependencies.stub b/plugins/bcc-post-update-translations-notifier/dependencies.stub new file mode 100644 index 0000000..8c7cd32 --- /dev/null +++ b/plugins/bcc-post-update-translations-notifier/dependencies.stub @@ -0,0 +1,12 @@ +