bravo-handlebars-content/.github/workflows/code-quality.yml at c84bc96c3f26cdd0d48e527e9598c4f2e460e7e8 · CPS-IT/bravo-handlebars-content · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
name: Code Quality

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, develop ]
  schedule:
    # Run quality checks weekly on Sunday at 6 AM UTC
    - cron: '0 6 * * 0'

jobs:
  static-analysis:
    name: Static Code Analysis
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.2'
          extensions: mbstring, xml, intl, zip, json, iconv, gd
          tools: composer:v2

      - name: Get composer cache directory
        id: composer-cache
        run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT

      - name: Cache dependencies
        uses: actions/cache@v4
        with:
          path: ${{ steps.composer-cache.outputs.dir }}
          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}
          restore-keys: ${{ runner.os }}-composer-

      - name: Install dependencies
        run: composer install --no-progress --prefer-dist --optimize-autoloader

      - name: Run PHPStan analysis (Level 8)
        run: |
          mkdir -p var/phpstan
          composer sca:php

      - name: Upload PHPStan results
        uses: actions/upload-artifact@v4
        with:
          name: phpstan-results
          path: var/phpstan/
        if: always()

      - name: Check for TODO/FIXME comments
        run: |
          echo "Checking for TODO/FIXME comments..."
          todos=$(find Classes -name "*.php" -type f -exec grep -l "TODO\|FIXME" {} \; || true)
          if [[ -n "$todos" ]]; then
            echo "Found TODO/FIXME comments in:"
            echo "$todos"
            echo "::warning::TODO/FIXME comments found - consider addressing them"
          else
            echo "No TODO/FIXME comments found"
          fi

  code-style:
    name: Code Style Check
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.2'
          extensions: mbstring, xml, intl, zip, json, iconv, gd
          tools: composer:v2

      - name: Install dependencies
        run: composer install --no-progress --prefer-dist --optimize-autoloader

      - name: Check PHP coding standards
        run: composer lint:php

      - name: Check EditorConfig compliance
        run: composer lint:editorconfig

      - name: Check composer.json format
        run: composer lint:composer

      - name: Verify file permissions
        run: |
          echo "Checking file permissions..."
          # Check that no files have execute permissions unless they should
          executable_files=$(find . -name "*.php" -type f -perm /111 | grep -v vendor || true)
          if [[ -n "$executable_files" ]]; then
            echo "Found PHP files with execute permissions:"
            echo "$executable_files"
            echo "::error::PHP files should not have execute permissions"
            exit 1
          fi

      - name: Check for Windows line endings
        run: |
          echo "Checking for Windows line endings..."
          crlf_files=$(find Classes Tests -name "*.php" -type f -exec file {} \; | grep CRLF || true)
          if [[ -n "$crlf_files" ]]; then
            echo "Found files with Windows line endings:"
            echo "$crlf_files"
            echo "::error::Files should use Unix line endings (LF)"
            exit 1
          fi

  architecture-compliance:
    name: Architecture Compliance
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.2'
          extensions: mbstring, xml, intl, zip, json, iconv, gd
          tools: composer:v2

      - name: Install dependencies
        run: composer install --no-progress --prefer-dist --optimize-autoloader

      - name: Check for strict types
        run: |
          echo "Checking for missing strict types declarations..."
          missing_strict_types=()
          while IFS= read -r -d '' file; do
            if ! head -20 "$file" | grep -q "declare(strict_types=1)"; then
              missing_strict_types+=("$file")
            fi
          done < <(find Classes Tests -name "*.php" -type f -print0)

          if [[ ${#missing_strict_types[@]} -gt 0 ]]; then
            echo "Files missing strict types declaration:"
            printf '%s\n' "${missing_strict_types[@]}"
            echo "::error::All PHP files must have strict types declaration"
            exit 1
          fi
          echo "All PHP files have strict types declaration"

      - name: Check for proper namespacing
        run: |
          echo "Checking namespace compliance..."
          find Classes -name "*.php" -type f | while read -r file; do
            expected_namespace=$(echo "$file" | sed 's|Classes/||' | sed 's|/|\\|g' | sed 's|\.php$||')
            if [[ -n "$expected_namespace" ]]; then
              expected_namespace="Cpsit\\BravoHandlebarsContent\\$expected_namespace"
              if ! grep -q "namespace $expected_namespace;" "$file"; then
                echo "::warning::Namespace mismatch in $file (expected: $expected_namespace)"
              fi
            fi
          done

      - name: Check for dependency injection compliance
        run: |
          echo "Checking for GeneralUtility::makeInstance usage..."
          makeinstance_files=$(grep -r "GeneralUtility::makeInstance" Classes || true)
          if [[ -n "$makeinstance_files" ]]; then
            echo "Found GeneralUtility::makeInstance usage:"
            echo "$makeinstance_files"
            echo "::warning::Consider using dependency injection instead of GeneralUtility::makeInstance"
          fi

      - name: Check for global variable usage
        run: |
          echo "Checking for global variable usage..."
          global_vars=$(grep -r "\$GLOBALS\|\$_GET\|\$_POST\|\$_SESSION\|\$_COOKIE" Classes || true)
          if [[ -n "$global_vars" ]]; then
            echo "Found global variable usage:"
            echo "$global_vars"
            echo "::warning::Avoid direct global variable access"
          fi

  security-analysis:
    name: Security Analysis
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.2'
          extensions: mbstring, xml, intl, zip, json, iconv, gd
          tools: composer:v2

      - name: Install dependencies
        run: composer install --no-progress --prefer-dist --optimize-autoloader

      - name: Run security audit
        run: composer audit

      - name: Check for potential security issues
        run: |
          echo "Checking for potential security issues..."

          # Check for eval() usage
          eval_usage=$(grep -r "eval(" Classes || true)
          if [[ -n "$eval_usage" ]]; then
            echo "::error::Found eval() usage - potential security risk"
            echo "$eval_usage"
            exit 1
          fi

          # Check for system() usage
          system_usage=$(grep -r "system(\|exec(\|shell_exec(\|passthru(" Classes || true)
          if [[ -n "$system_usage" ]]; then
            echo "::warning::Found system command execution - review for security"
            echo "$system_usage"
          fi

          # Check for SQL concatenation
          sql_concat=$(grep -r "SELECT.*\." Classes | grep -E '\$|"' || true)
          if [[ -n "$sql_concat" ]]; then
            echo "::warning::Potential SQL injection - use prepared statements"
            echo "$sql_concat"
          fi

      - name: Check for hardcoded credentials
        run: |
          echo "Checking for hardcoded credentials..."

          # Common patterns for credentials
          patterns=("password.*=" "secret.*=" "key.*=" "token.*=")
          found_credentials=""

          for pattern in "${patterns[@]}"; do
            results=$(grep -ri "$pattern" Classes --include="*.php" | grep -v "// " | grep -v "/* " || true)
            if [[ -n "$results" ]]; then
              found_credentials+="$results\n"
            fi
          done

          if [[ -n "$found_credentials" ]]; then
            echo "::warning::Potential hardcoded credentials found:"
            echo -e "$found_credentials"
          fi

  documentation-quality:
    name: Documentation Quality
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Check PHPDoc coverage
        run: |
          echo "Checking PHPDoc coverage..."

          # Find public methods without proper documentation
          undocumented=$(find Classes -name "*.php" -type f -exec grep -l "public function" {} \; | \
            xargs grep -L "@param\|@return\|@throws" || true)

          if [[ -n "$undocumented" ]]; then
            echo "Files with potentially undocumented public methods:"
            echo "$undocumented"
            echo "::warning::Consider adding comprehensive PHPDoc comments"
          fi

      - name: Check for missing @throws annotations
        run: |
          echo "Checking for missing @throws annotations..."

          # Find methods that throw exceptions without @throws annotation
          exception_methods=$(grep -r "throw new" Classes | cut -d: -f1 | sort -u)
          if [[ -n "$exception_methods" ]]; then
            for file in $exception_methods; do
              if ! grep -q "@throws" "$file"; then
                echo "::warning::Missing @throws annotation in $file"
              fi
            done
          fi

  complexity-analysis:
    name: Complexity Analysis
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.2'
          extensions: mbstring, xml, intl, zip, json, iconv, gd
          tools: composer:v2

      - name: Install dependencies
        run: composer install --no-progress --prefer-dist --optimize-autoloader

      - name: Analyze method complexity
        run: |
          echo "Analyzing method complexity..."

          # Find long methods (>50 lines)
          long_methods=$(find Classes -name "*.php" -exec awk '
            /function / { start=NR; func=$0; next }
            /^[[:space:]]*}[[:space:]]*$/ && start {
              if (NR-start > 50)
                print FILENAME ":" start ": " func " (" (NR-start) " lines)"
              start=0
            }' {} \; || true)

          if [[ -n "$long_methods" ]]; then
            echo "Methods longer than 50 lines:"
            echo "$long_methods"
            echo "::warning::Consider refactoring long methods"
          fi

      - name: Check for deep nesting
        run: |
          echo "Checking for deep nesting..."

          # Simple check for multiple nested if/for/while statements
          deep_nesting=$(find Classes -name "*.php" -exec grep -n "^[[:space:]]*[[:space:]]*[[:space:]]*[[:space:]]*if\|for\|while" {} \; || true)
          if [[ -n "$deep_nesting" ]]; then
            echo "Potentially deeply nested code found:"
            echo "$deep_nesting" | head -20
            echo "::warning::Consider reducing nesting complexity"
          fi

      - name: Generate complexity report
        run: |
          echo "Generating complexity metrics..."
          echo "Files: $(find Classes -name "*.php" | wc -l)"
          echo "Lines of code: $(find Classes -name "*.php" -exec wc -l {} + | tail -1)"
          echo "Classes: $(find Classes -name "*.php" -exec grep -l "^class " {} \; | wc -l)"
          echo "Interfaces: $(find Classes -name "*.php" -exec grep -l "^interface " {} \; | wc -l)"
          echo "Traits: $(find Classes -name "*.php" -exec grep -l "^trait " {} \; | wc -l)"