Add PHPStan as linter before pushing new version and switching to Psalm fore Vulnerability analysis

.github/workflows/bcc-keep-translated-posts-status-same-as-original-plugin-release.yml

@@ -25,71 +25,113 @@
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
-  # This workflow contains a single job called "build"
+  lint:
+    name: Lint PHP - validate code
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    defaults:
+      run:
+        shell: bash
+        working-directory: ./plugins/bcc-keep-translated-posts-status-same-as-original
+
+    steps:
+    - uses: actions/checkout@v6
+
+    # This config file gets auto-loaded by PHPStan
+    - name: Set PHPStan config
+      run: |
+        cat <<'EOF' > phpstan.neon
+        parameters:
+          level: 1 # form 0 to 11 where 0 is the loosest and 11 the strictest
+          errorFormat: github
+          paths:
+            - .
+          excludePaths:
+            - vendor
+          scanFiles:
+            - dependencies.stub
+          # One can ignore errors like this
+          # ignoreErrors:
+          #   - '#Path in require\(\) "build/.+\.asset\.php" is not a file or it does not exist\.#'
+        includes:
+          - vendor/szepeviktor/phpstan-wordpress/extension.neon
+        EOF
+
+    - name: Install PHPStan and Wordpress-stub
+      run: |
+        composer require --dev phpstan/phpstan
+        composer require --dev szepeviktor/phpstan-wordpress
+
+    - name: Run PHPStan
+      run: vendor/bin/phpstan analyse --no-progress
+
   build:
+    needs: lint
     # The type of runner that the job will run on
     runs-on: ubuntu-latest
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v6
 
       - name: Get Package Version
         id: version
         uses: notiz-dev/github-action-json-property@release
         with: 
             path: 'plugins/bcc-keep-translated-posts-status-same-as-original/package.json'
             prop_path: 'version'
 
       - name: Get Previous Updated
         id: lastupdated
         uses: notiz-dev/github-action-json-property@release
         with: 
             path: 'plugins/bcc-keep-translated-posts-status-same-as-original/package.json'
             prop_path: 'last_updated'
 
       # Runs a set of commands using the runners shell
       - id: build-and-zip
         name: Build and Zip Plugin
         run: |
           # Build javascript
           yarn install --frozen-lockfile 
           cd plugins/bcc-keep-translated-posts-status-same-as-original
           yarn build
 
           # Get package version
           package_version=${{steps.version.outputs.prop}}
           previous_date="${{steps.lastupdated.outputs.prop}}"
           current_date=$(date -u +'%Y-%m-%d %H:%M:%S')
 
           build_version="$(echo $package_version | sed -re 's/([0-9]+\.[0-9]+\.)[0-9]+/\1/')${GITHUB_RUN_NUMBER}"
 
 
           sed -i "s|$package_version|$build_version|g" package.json
           sed -i "s|$previous_date|$current_date|g" package.json
           sed -i "s|<VERSION>|$build_version|g" bcc-keep-translated-posts-status-same-as-original.php
           sed -i "s|$package_version|$build_version|g" bcc-keep-translated-posts-status-same-as-original.php
 
 
           git config user.name "bcc-bot"
           git config user.email "<>"
           git tag "version-bump-v${build_version}"
           git commit -am "Released bcc-keep-translated-posts-status-same-as-original plugin v${build_version}"
           git push
 
           cd ..
           zip -r bcc-keep-translated-posts-status-same-as-original.zip bcc-keep-translated-posts-status-same-as-original
           cd ..
 
           echo "::set-output name=tag_name::bcc-keep-translated-posts-status-same-as-original-v${build_version}"
 
 
 
       - uses: ncipollo/release-action@v1
         name: Create Release
         with:
           artifacts: "plugins/bcc-keep-translated-posts-status-same-as-original.zip"
           tag: ${{steps.build-and-zip.outputs.tag_name}}
           token: ${{ secrets.GITHUB_TOKEN }}
 

.github/workflows/bcc-login-plugin-release.yml

@@ -25,71 +25,114 @@
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
-  # This workflow contains a single job called "build"
+  lint:
+    name: Lint PHP - validate code
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    defaults:
+      run:
+        shell: bash
+        working-directory: ./plugins/bcc-login
+
+    steps:
+    - uses: actions/checkout@v6
+
+    # This config file gets auto-loaded by PHPStan
+    - name: Set PHPStan config
+      run: |
+        cat <<'EOF' > phpstan.neon
+        parameters:
+          level: 1 # form 0 to 11 where 0 is the loosest and 11 the strictest
+          errorFormat: github
+          paths:
+            - .
+          excludePaths:
+            - vendor
+          scanFiles:
+            - dependencies.stub
+          bootstrapFiles:
+            - bcc-login.php
+          ignoreErrors:
+            - '#Path in require\(\) "build/.+\.asset\.php" is not a file or it does not exist\.#'
+        includes:
+          - vendor/szepeviktor/phpstan-wordpress/extension.neon
+        EOF
+
+    - name: Install PHPStan and Wordpress-stub
+      run: |
+        composer require --dev phpstan/phpstan
+        composer require --dev szepeviktor/phpstan-wordpress
+
+    - name: Run PHPStan
+      run: vendor/bin/phpstan analyse --no-progress
+
   build:
+    needs: lint
     # The type of runner that the job will run on
     runs-on: ubuntu-latest
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v6
 
       - name: Get Package Version
         id: version
         uses: notiz-dev/github-action-json-property@release
         with: 
             path: 'plugins/bcc-login/package.json'
             prop_path: 'version'
 
       - name: Get Previous Updated
         id: lastupdated
         uses: notiz-dev/github-action-json-property@release
         with: 
             path: 'plugins/bcc-login/package.json'
             prop_path: 'last_updated'
 
       # Runs a set of commands using the runners shell
       - id: build-and-zip
         name: Build and Zip Plugin
         run: |
           # Build javascript
           yarn install --frozen-lockfile 
           cd plugins/bcc-login
           yarn build
 
           # Get package version
           package_version=${{steps.version.outputs.prop}}
           previous_date="${{steps.lastupdated.outputs.prop}}"
           current_date=$(date -u +'%Y-%m-%d %H:%M:%S')
 
           build_version="$(echo $package_version | sed -re 's/([0-9]+\.[0-9]+\.)[0-9]+/\1/')${GITHUB_RUN_NUMBER}"
 
 
           sed -i "s|$package_version|$build_version|g" package.json
           sed -i "s|$previous_date|$current_date|g" package.json
           sed -i "s|<VERSION>|$build_version|g" bcc-login.php
           sed -i "s|$package_version|$build_version|g" bcc-login.php
 
 
           git config user.name "bcc-bot"
           git config user.email "<>"
           git tag "version-bump-v${build_version}"
           git commit -am "Released bcc-login plugin v${build_version}"
           git push
 
           cd ..
           zip -r bcc-login.zip bcc-login
           cd ..
 
           echo "::set-output name=tag_name::bcc-login-v${build_version}"
 
 
 
       - uses: ncipollo/release-action@v1
         name: Create Release
         with:
           artifacts: "plugins/bcc-login.zip"
           tag: ${{steps.build-and-zip.outputs.tag_name}}
           token: ${{ secrets.GITHUB_TOKEN }}
 

.github/workflows/bcc-post-update-translations-notifier-plugin-release.yml

@@ -25,71 +25,113 @@
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
-  # This workflow contains a single job called "build"
+  lint:
+    name: Lint PHP - validate code
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    defaults:
+      run:
+        shell: bash
+        working-directory: ./plugins/bcc-post-update-translations-notifier
+
+    steps:
+    - uses: actions/checkout@v6
+
+    # This config file gets auto-loaded by PHPStan
+    - name: Set PHPStan config
+      run: |
+        cat <<'EOF' > phpstan.neon
+        parameters:
+          level: 1 # form 0 to 11 where 0 is the loosest and 11 the strictest
+          errorFormat: github
+          paths:
+            - .
+          excludePaths:
+            - vendor
+          scanFiles:
+            - dependencies.stub
+          # One can ignore errors like this
+          # ignoreErrors:
+          #   - '#Path in require\(\) "build/.+\.asset\.php" is not a file or it does not exist\.#'
+        includes:
+          - vendor/szepeviktor/phpstan-wordpress/extension.neon
+        EOF
+
+    - name: Install PHPStan and Wordpress-stub
+      run: |
+        composer require --dev phpstan/phpstan
+        composer require --dev szepeviktor/phpstan-wordpress
+
+    - name: Run PHPStan
+      run: vendor/bin/phpstan analyse --no-progress
+
   build:
+    needs: lint
     # The type of runner that the job will run on
     runs-on: ubuntu-latest
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v6
 
       - name: Get Package Version
         id: version
         uses: notiz-dev/github-action-json-property@release
         with: 
             path: 'plugins/bcc-post-update-translations-notifier/package.json'
             prop_path: 'version'
 
       - name: Get Previous Updated
         id: lastupdated
         uses: notiz-dev/github-action-json-property@release
         with: 
             path: 'plugins/bcc-post-update-translations-notifier/package.json'
             prop_path: 'last_updated'
 
       # Runs a set of commands using the runners shell
       - id: build-and-zip
         name: Build and Zip Plugin
         run: |
           # Build javascript
           yarn install --frozen-lockfile 
           cd plugins/bcc-post-update-translations-notifier
           yarn build
 
           # Get package version
           package_version=${{steps.version.outputs.prop}}
           previous_date="${{steps.lastupdated.outputs.prop}}"
           current_date=$(date -u +'%Y-%m-%d %H:%M:%S')
 
           build_version="$(echo $package_version | sed -re 's/([0-9]+\.[0-9]+\.)[0-9]+/\1/')${GITHUB_RUN_NUMBER}"
 
 
           sed -i "s|$package_version|$build_version|g" package.json
           sed -i "s|$previous_date|$current_date|g" package.json
           sed -i "s|<VERSION>|$build_version|g" bcc-post-update-translations-notifier.php
           sed -i "s|$package_version|$build_version|g" bcc-post-update-translations-notifier.php
 
 
           git config user.name "bcc-bot"
           git config user.email "<>"
           git tag "version-bump-v${build_version}"
           git commit -am "Released bcc-post-update-translations-notifier plugin v${build_version}"
           git push
 
           cd ..
           zip -r bcc-post-update-translations-notifier.zip bcc-post-update-translations-notifier
           cd ..
 
           echo "::set-output name=tag_name::bcc-post-update-translations-notifier-v${build_version}"
 
 
 
       - uses: ncipollo/release-action@v1
         name: Create Release
         with:
           artifacts: "plugins/bcc-post-update-translations-notifier.zip"
           tag: ${{steps.build-and-zip.outputs.tag_name}}
           token: ${{ secrets.GITHUB_TOKEN }}
 

.github/workflows/php-sast.yml

@@ -13,6 +13,7 @@ on:
 
 permissions:
   contents: read
+  security-events: write # Required to upload SARIF files
 
 jobs:
   scan:
@@ -21,33 +22,36 @@ jobs:
     steps:
     - uses: actions/checkout@v6
 
-    # - name: Validate composer.json and composer.lock
-    #   run: composer validate --strict
-
-    # This config file gets auto-loaded by PHPStan
+    # This config file gets auto-loaded by Psalm
     # !!!! The old bcc-signon plugin and the bcc-wp-proxy plugin are excluded from analysis!
-    - name: Set PHPStan config
+    - name: Set Psalm config
       run: |
-        cat <<'EOF' > phpstan.neon
-        parameters:
-          level: 1 # form 0 to 11 where 0 is the loosest and 11 the strictest
-          errorFormat: github
-          paths:
-            - plugins
-          scanFiles:
-            - custom-defs.stub
-          bootstrapFiles:
-            - plugins/bcc-login/bcc-login.php
-          ignoreErrors:
-            - '#Path in require\(\) "build/.+\.asset\.php" is not a file or it does not exist\.#'
-          excludePaths:
-            - plugins/bcc-signon/*
-            - plugins/bcc-wp-proxy/*
-        includes:
-          - vendor/szepeviktor/phpstan-wordpress/extension.neon
+        cat <<'EOF' > psalm.xml
+        <?xml version="1.0"?>
+        <!-- Psalm has levels of strictness (errorLevel) from 1 (most strict) to 8 (most lenient). -->
+        <psalm
+          xmlns="https://getpsalm.org/schema/config"
+          errorLevel="2"
+        >
+          <projectFiles>
+            <directory name="plugins" />
+            <ignoreFiles>
+              <directory name="plugins/bcc-signon" />
+              <directory name="plugins/bcc-wp-proxy" />
+            </ignoreFiles>
+          </projectFiles>
+          <stubs>
+            <file name="custom-defs.stub" />
+          </stubs>
+          <plugins>
+            <pluginClass class="PsalmWordPress\Plugin">
+              <requireAllParams value="true" />
+            </pluginClass>
+          </plugins>
+        </psalm>
         EOF
 
-    - name: Create custom stubs for plugin functions. If this grows too big it can be commited as a separate file
+    - name: Create stubs for dependency functions (e.g. other plugin funcions). If this grows too big it can be commited as a separate file
       run: |
         cat <<'EOF' > custom-defs.stub
         <?php
@@ -69,11 +73,19 @@ jobs:
         function get_culture() {};
         EOF
 
-    - name: Install PHPStan and Wordpress-stub
+    - name: Install Psalm and Wordpress stubs
       run: |
-        composer require --dev phpstan/phpstan
-        composer require --dev szepeviktor/phpstan-wordpress
+        composer require --dev php-stubs/wordpress-stubs ~6.8.0
+        composer require --dev humanmade/psalm-plugin-wordpress
 
-    - name: Run PHPStan
-      run: vendor/bin/phpstan analyse --no-progress
+    - name: Run Psalm
+      uses: psalm/psalm-github-actions@26f175f4d1d9006ea675bb78831ae94126017b07
+      with:
+        security_analysis: true
+        composer_require_dev: true
+        report_file: results.sarif
 
+    - name: Upload Security Analysis results to GitHub
+      uses: github/codeql-action/upload-sarif@v4
+      with:
+        sarif_file: results.sarif

plugins/bcc-keep-translated-posts-status-same-as-original/dependencies.stub

@@ -0,0 +1,3 @@
+<?php
+
+// No plugin/theme dependencies so no stubs needed

plugins/bcc-login/bcc-login.php

@@ -3,11 +3,15 @@
 /**
  * Plugin Name: BCC Login
  * Description: Integration to BCC's Login System.
- * Version: 1.1.431
+ * Version: 1.1.433
  * Author: BCC IT
  * License: GPL2
  */
 
+if ( ! defined( 'ABSPATH' ) ) {
+	exit; // Exit if accessed directly.
+}
+
 define( 'BCC_LOGIN_PATH', plugin_dir_path( __FILE__ ) );
 define( 'BCC_LOGIN_URL', plugin_dir_url( __FILE__ ) );
 
@@ -30,7 +34,7 @@ class BCC_Login {
      * The plugin instance.
      */
     private static $instance = null;
-    private $plugin_version = "1.1.431";
+    private $plugin_version = "1.1.433";
     private $plugin;
     private $plugin_slug;
     private $plugin_name = "BCC Login";

plugins/bcc-login/dependencies.stub

@@ -0,0 +1,6 @@
+<?php
+
+/**
+* @return string
+*/
+function get_culture() {};

plugins/bcc-login/package.json

@@ -1,14 +1,14 @@
 {
 	"private": true,
 	"name": "bcc-login",
-	"version": "1.1.431",
+	"version": "1.1.433",
 	"slug": "bcc-login",
 	"author": "<a href='https://github.com/bcc-code'>BCC Code</a>",
 	"author_profile": "https://github.com/bcc-code",
 	"requires": "3.0",
 	"tested": "5.8",
 	"requires_php": "5.3",
-	"last_updated": "2026-01-15 11:18:18",
+	"last_updated": "2026-01-16 18:44:44",
 	"sections": {
 		"description": "BCC Login",
 		"installation": "Add OIDC_CLIENT_ID and OIDC_CLIENT_SECRET as environment variables or constants in wp-config.php, and active plugin",

plugins/bcc-post-update-translations-notifier/dependencies.stub

@@ -0,0 +1,12 @@
+<?php
+
+/**
+* @param mixed $post_id
+* @return mixed|null
+*/
+function get_field(
+    string $selector,
+    $post_id = false,
+    bool $format_value = true,
+    bool $escape_html = false
+) {};