spacedmonkey
diff --git a/‎.distignore‎
Lines changed: 3 additions & 0 deletions b/‎.distignore‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/actions/setup-php-composer/action.yml‎
Lines changed: 59 additions & 0 deletions b/‎.github/actions/setup-php-composer/action.yml‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 44 additions & 20 deletions b/‎.github/dependabot.yml‎
Lines changed: 44 additions & 20 deletions
diff --git a/‎.github/workflows/continuous-integration-lint-php.yml‎
Lines changed: 12 additions & 32 deletions b/‎.github/workflows/continuous-integration-lint-php.yml‎
Lines changed: 12 additions & 32 deletions
diff --git a/‎.github/workflows/deploytowp.yml‎
Lines changed: 10 additions & 20 deletions b/‎.github/workflows/deploytowp.yml‎
Lines changed: 10 additions & 20 deletions
diff --git a/‎.github/workflows/reusable-php-lint.yml‎
Lines changed: 61 additions & 0 deletions b/‎.github/workflows/reusable-php-lint.yml‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎.github/workflows/security.yml‎
Lines changed: 48 additions & 0 deletions b/‎.github/workflows/security.yml‎
Lines changed: 48 additions & 0 deletions
@@ -7,6 +7,9 @@
 .travis.yml
 .DS_Store
 .wordpress-org
+.wp-env.json
+.wp-env.override.json
+.wp-env-home
 composer.json
 composer.lock
 Thumbs.db
 
@@ -0,0 +1,59 @@
+name: 'Setup PHP with Composer'
+description: 'Setup PHP environment with Composer cache and dependencies'
+
+inputs:
+    php-version:
+        description: 'PHP version to use'
+        required: false
+        default: '7.4'
+    composer-args:
+        description: 'Additional arguments for composer install'
+        required: false
+        default: '--prefer-dist --no-progress --no-interaction'
+    tools:
+        description: 'Tools to install'
+        required: false
+        default: 'composer, cs2pr'
+    coverage:
+        description: 'Coverage driver'
+        required: false
+        default: 'none'
+    extensions:
+        description: 'PHP extensions to install'
+        required: false
+        default: ''
+
+outputs:
+    composer-cache-dir:
+        description: 'Composer cache directory'
+        value: ${{ steps.composer-cache.outputs.dir }}
+
+runs:
+    using: 'composite'
+    steps:
+        - name: Setup PHP
+          uses: shivammathur/setup-php@v2
+          with:
+              php-version: ${{ inputs.php-version }}
+              coverage: ${{ inputs.coverage }}
+              tools: ${{ inputs.tools }}
+              extensions: ${{ inputs.extensions }}
+
+        - name: Get Composer cache directory
+          id: composer-cache
+          shell: bash
+          run: echo "dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT"
+
+        - name: Setup Composer cache
+          uses: actions/cache@v4
+          with:
+              path: ${{ steps.composer-cache.outputs.dir }}
+              key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}
+              restore-keys: |
+                  ${{ runner.os }}-composer-
+                  ${{ runner.os }}-
+
+        - name: Install dependencies
+          shell: bash
+          run: composer install ${{ inputs.composer-args }}
+
@@ -1,23 +1,47 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+# Dependabot configuration for keeping GitHub Actions up to date
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates
 
 version: 2
 updates:
-  - package-ecosystem: composer
-    directory: '/'
-    schedule:
-      interval: weekly
-    open-pull-requests-limit: 10
-    labels:
-      - Dependencies
-      - PHP
-  - package-ecosystem: npm
-    directory: '/'
-    schedule:
-      interval: weekly
-    open-pull-requests-limit: 15
-    labels:
-      - Dependencies
-      - JavaScript
+    # Monitor GitHub Actions versions
+    - package-ecosystem: 'github-actions'
+      directory: '/'
+      schedule:
+          interval: 'weekly'
+          day: 'monday'
+      open-pull-requests-limit: 10
+      labels:
+          - 'dependencies'
+          - 'github-actions'
+      commit-message:
+          prefix: 'chore(deps)'
+          include: 'scope'
+
+    # Monitor Composer dependencies
+    - package-ecosystem: 'composer'
+      directory: '/'
+      schedule:
+          interval: 'weekly'
+          day: 'monday'
+      open-pull-requests-limit: 10
+      labels:
+          - 'dependencies'
+          - 'php'
+      commit-message:
+          prefix: 'chore(deps)'
+          include: 'scope'
+
+    # Monitor npm dependencies
+    - package-ecosystem: 'npm'
+      directory: '/'
+      schedule:
+          interval: 'weekly'
+          day: 'monday'
+      open-pull-requests-limit: 10
+      labels:
+          - 'dependencies'
+          - 'javascript'
+      commit-message:
+          prefix: 'chore(deps)'
+          include: 'scope'
+
@@ -7,38 +7,18 @@ on:
             - release/*
     pull_request:
 
-jobs:
-    lint-php:
-        runs-on: ubuntu-latest
-        steps:
-            - name: Checkout
-              uses: actions/checkout@v2
-
-            - name: Setup PHP
-              uses: shivammathur/setup-php@v2
-              with:
-                  php-version: '7.4'
-                  coverage: none
-                  tools: composer, cs2pr
-
-            - name: Get Composer cache directory
-              id: composer-cache
-              run: echo "::set-output name=dir::$(composer config cache-files-dir)"
+# Cancel in-progress runs for the same workflow and branch/PR
+concurrency:
+    group: ${{ github.workflow }}-${{ github.ref }}
+    cancel-in-progress: true
 
-            - name: Setup Composer cache
-              uses: pat-s/always-upload-cache@v2.1.3
-              with:
-                  path: ${{ steps.composer-cache.outputs.dir }}
-                  key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
-                  restore-keys: |
-                      ${{ runner.os }}-composer-
-                      ${{ runner.os }}-
+permissions:
+    contents: read
+    pull-requests: write
 
-            - name: Validate composer.json
-              run: composer --no-interaction validate --no-check-all
-
-            - name: Install dependencies
-              run: composer install --prefer-dist --no-suggest --no-progress --no-interaction
+jobs:
+    lint-php:
+        uses: ./.github/workflows/reusable-php-lint.yml
+        with:
+            php-version: '7.4'
 
-            - name: Detect coding standard violations (PHPCS)
-              run: vendor/bin/phpcs -q --report=checkstyle --runtime-set ignore_errors_on_exit 1 --runtime-set ignore_warnings_on_exit 1 | cs2pr --graceful-warnings
@@ -3,37 +3,27 @@ on:
     push:
         tags:
             - '**'
+
+permissions:
+    contents: read
+
 jobs:
     tag:
         name: New tag
         runs-on: ubuntu-latest
         steps:
-            - uses: actions/checkout@main
+            - uses: actions/checkout@v4
 
-            - name: Setup PHP
-              uses: shivammathur/setup-php@v2
+            - name: Setup PHP with Composer
+              uses: ./.github/actions/setup-php-composer
               with:
-                  php-version: '7.0'
-                  coverage: none
-                  tools: composer
+                  php-version: '7.4'
+                  composer-args: '--prefer-dist --no-progress --no-dev --optimize-autoloader --no-interaction'
+                  tools: 'composer'
 
             - name: Validate composer.json and composer.lock
               run: composer validate
 
-            - name: Get Composer Cache Directory
-              id: composer-cache
-              run: echo "::set-output name=dir::$(composer config cache-files-dir)"
-
-            - name: Cache Composer vendor directory
-              uses: actions/cache@v2
-              with:
-                  path: ${{ steps.composer-cache.outputs.dir }}
-                  key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
-                  restore-keys: |
-                      ${{ runner.os }}-composer-
-
-            - name: Install PHP Dependencies
-              run: composer install --prefer-dist --no-progress --no-dev --optimize-autoloader --no-interaction
 
             - name: WordPress Plugin Deploy
               uses: 10up/action-wordpress-plugin-deploy@stable
 
@@ -0,0 +1,61 @@
+name: Reusable PHP Lint
+
+on:
+    workflow_call:
+        inputs:
+            php-version:
+                description: 'PHP version to use'
+                type: string
+                default: '7.4'
+            run-phpcs:
+                description: 'Run PHPCS checks'
+                type: boolean
+                default: true
+            run-phpstan:
+                description: 'Run PHPStan checks'
+                type: boolean
+                default: true
+            run-phpmd:
+                description: 'Run PHPMD checks'
+                type: boolean
+                default: true
+            run-composer-normalize:
+                description: 'Run composer normalize check'
+                type: boolean
+                default: true
+
+permissions:
+    contents: read
+    pull-requests: write
+
+jobs:
+    lint:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+
+            - name: Setup PHP with Composer
+              uses: ./.github/actions/setup-php-composer
+              with:
+                  php-version: ${{ inputs.php-version }}
+
+            - name: Validate composer.json
+              run: composer --no-interaction validate --no-check-all
+
+            - name: Normalize composer.json
+              if: ${{ inputs.run-composer-normalize }}
+              run: composer normalize --no-interaction --dry-run
+
+            - name: Detect coding standard violations (PHPCS)
+              if: ${{ inputs.run-phpcs }}
+              run: composer lint -- -q --report=checkstyle --severity=1 --runtime-set ignore_errors_on_exit 1 --runtime-set ignore_warnings_on_exit 1 | cs2pr --graceful-warnings
+
+            - name: Detect PHPStan issues
+              if: ${{ inputs.run-phpstan }}
+              run: composer phpstan -- --error-format=checkstyle | cs2pr --graceful-warnings
+
+            - name: Detect PHP Mess Detector issues
+              if: ${{ inputs.run-phpmd }}
+              run: composer phpmd
+
@@ -0,0 +1,48 @@
+name: Security Scanning
+
+on:
+    push:
+        branches:
+            - master
+    pull_request:
+    schedule:
+        # Run weekly on Monday at 00:00 UTC
+        - cron: '0 0 * * 1'
+    workflow_dispatch:
+
+# Cancel in-progress runs for the same workflow and branch/PR
+concurrency:
+    group: ${{ github.workflow }}-${{ github.ref }}
+    cancel-in-progress: true
+
+permissions:
+    contents: read
+    security-events: write
+
+jobs:
+    dependency-review:
+        name: Dependency Review
+        runs-on: ubuntu-latest
+        if: github.event_name == 'pull_request'
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+
+            - name: Dependency Review
+              uses: actions/dependency-review-action@v4
+
+    composer-audit:
+        name: Composer Security Audit
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+
+            - name: Setup PHP with Composer
+              uses: ./.github/actions/setup-php-composer
+              with:
+                  php-version: '7.4'
+
+            - name: Run Composer Audit
+              run: composer audit --format=plain
+