new file: .eslintrc.json

new file:   .github/workflows/ci.yml
	new file:   .github/workflows/codeql.yml
	deleted:    .github/workflows/mega-linter.yml
	new file:   .github/workflows/pr-auto-fix.yml
	deleted:    .mega-linter.yml
	new file:   .stylelintrc.json
	modified:   phpcs.xml
	new file:   phpstan.neon
	new file:   phpunit.xml
nikolai@vontainment.com 2025-08-13 22:26:00 -04:00
parent a9110e6f51
commit fb88a9e08a
10 changed files with 216 additions and 111 deletions

15
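--- a/.eslintrc.json
+++ b/.eslintrc.json
@@ -0,0 +1,15 @@
+{
+"env": {
+"browser": true,
+"es2021": true
+},
+"extends": "eslint:recommended",
+"parserOptions": {
+"ecmaVersion": 12,
+"sourceType": "module"
+},
+"rules": {
+"no-unused-vars": "warn",
+"no-console": "off"
+}
+}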

60
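--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,60 @@
+name: CI
+on:
+push:
+branches: [ "main", "dev" ]
+permissions:
+contents: read
+security-events: write
+jobs:
+build-test-scan:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+- name: Setup PHP
+uses: shivammathur/setup-php@v2
+with:
+php-version: '8.2'
+tools: composer, phpstan, phpunit, phpcs
+- name: Cache Composer
+uses: actions/cache@v4
+with:
+path: ~/.composer/cache
+key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+restore-keys: ${{ runner.os }}-composer-
+- name: Install PHP dependencies
+run: composer install --no-interaction --prefer-dist
+- name: Run PHPStan (static analysis)
+run: vendor/bin/phpstan analyse --memory-limit=1G
+- name: Run PHPUnit (unit tests)
+run: vendor/bin/phpunit --coverage-clover coverage.xml
+- name: Upload coverage to Codecov
+uses: codecov/codecov-action@v4
+with:
+files: coverage.xml
+fail_ci_if_error: true
+- name: Run Trivy FS scan
+uses: aquasecurity/trivy-action@master
+with:
+scan-type: 'fs'
+ignore-unfixed: true
+severity: 'HIGH,CRITICAL'
+- name: Build Docker image
+run: docker build -t myapp:ci .
+- name: Run Trivy image scan
+uses: aquasecurity/trivy-action@master
+with:
+image-ref: 'myapp:ci'
+severity: 'HIGH,CRITICAL'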
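Review bot: Both Trivy steps (`uses: aquasecurity/trivy-action@master`, the FS scan and the image scan) reference a mutable branch instead of a release tag or commit SHA, so the scanner code this workflow executes can change without any change to this file; pin them, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>`. The workflow also grants `security-events: write` at the top level, yet no step produces or uploads SARIF, so the permission is unused and should either be dropped or paired with `format: 'sarif'` plus an `output:` on the Trivy steps and a `github/codeql-action/upload-sarif` step. As far as the inputs shown go, neither Trivy step sets `exit-code`, so HIGH/CRITICAL findings are presumably reported without failing the job; if the scans are meant to gate the build, add `exit-code: '1'` to each. The same tag-not-SHA pinning point applies, less acutely, to the `shivammathur/setup-php@v2` and `codecov/codecov-action@v4` references.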

47
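--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,47 @@
+name: "CodeQL"
+on:
+push:
+branches: [ "main", "dev" ]
+pull_request:
+branches: [ "main", "dev" ]
+schedule:
+- cron: '0 0 * * 0' # weekly scan
+permissions:
+contents: read
+security-events: write
+jobs:
+analyze:
+name: Analyze PHP and JavaScript
+runs-on: ubuntu-latest
+permissions:
+actions: read
+contents: read
+security-events: write
+strategy:
+fail-fast: false
+matrix:
+language: [ 'php', 'javascript' ]
+steps:
+- name: Checkout repository
+uses: actions/checkout@v4
+- name: Initialize CodeQL
+uses: github/codeql-action/init@v3
+with:
+languages: ${{ matrix.language }}
+- name: Autobuild
+uses: github/codeql-action/autobuild@v3
+# If autobuild fails for PHP, uncomment and adjust:
+# - run: composer install --no-interaction --prefer-dist
+- name: Perform CodeQL Analysis
+uses: github/codeql-action/analyze@v3
+with:
+category: "/language:${{ matrix.language }}"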
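Review bot: The `'php'` entry in `language: [ 'php', 'javascript' ]` is not, as far as CodeQL's supported-language list goes, a language CodeQL can analyse, so the `php` matrix leg should be expected to fail at `github/codeql-action/init@v3`, and because of `fail-fast: false` only the `javascript` leg will produce results while the job still shows a red leg on every push, PR and weekly run. Either drop `php` from the matrix and rename the job (its `name: Analyze PHP and JavaScript` would otherwise be misleading), or leave PHP coverage to the PHPStan/PHPCS tooling this commit adds elsewhere. The commented `composer install` hint under the Autobuild step is dead for the same reason and should go with it.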


@ -1,85 +0,0 @@
name: MegaLinter
on:
push:
branches: [ "main", "dev" ]
pull_request:
permissions:
contents: write # needed to commit to a fixes branch
pull-requests: write # needed to open PRs with fixes
security-events: write # for SARIF upload (optional)
jobs:
lint:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
# Cache Composer (PHP)
- name: Cache Composer
uses: actions/cache@v4
with:
path: |
~/.composer/cache
vendor
key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
restore-keys: ${{ runner.os }}-composer-
# Cache npm (JS/CSS linters)
- name: Cache npm
uses: actions/cache@v4
with:
path: |
~/.npm
node_modules
key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
restore-keys: ${{ runner.os }}-npm-
# Install dev deps if present (WPCS, ESLint plugins, etc.)
- name: Composer install (no scripts)
run: |
if [ -f composer.json ]; then
composer install --no-interaction --no-progress --no-scripts || true
fi
- name: npm install if present
run: |
if [ -f package.json ]; then
npm ci || npm i
fi
- name: Run MegaLinter
uses: oxsecurity/megalinter@v8
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Only lint changed files
VALIDATE_ALL_CODEBASE: false
# Enable just these linters
ENABLE_LINTERS: >-
PHP_PHPCS,
PHP_PHPLINT,
JAVASCRIPT_ES,
CSS_STYLELINT,
HTML_HTMLHINT
# Limit JS/CSS/HTML to update-api/ only
JAVASCRIPT_ES_FILTER_REGEX_INCLUDE: "^update-api/"
CSS_STYLELINT_FILTER_REGEX_INCLUDE: "^update-api/"
HTML_HTMLHINT_FILTER_REGEX_INCLUDE: "^update-api/"
# PHPCS ruleset file assigns WordPress vs PSR-12 per directory
PHP_PHPCS_CONFIG_FILE: "phpcs.xml"
# Auto-fix only changed files and open a PR with fixes
APPLY_FIXES: all
APPLY_FIXES_EVENT: pull_request
APPLY_FIXES_MODE: pull_request
# Reports (optional)
REPORT_OUTPUT_FOLDER: megalinter-reports
- name: Upload SARIF (optional)
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: megalinter-reports/megalinter-report.sarif

70
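--- a/.github/workflows/pr-auto-fix.yml
+++ b/.github/workflows/pr-auto-fix.yml
@@ -0,0 +1,70 @@
+name: PR Lint and Auto-Fix
+on:
+pull_request:
+permissions:
+contents: write
+pull-requests: write
+jobs:
+lint-fix:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+with:
+fetch-depth: 0
+- name: Setup PHP
+uses: shivammathur/setup-php@v2
+with:
+php-version: '8.2'
+tools: composer, php-cs-fixer, phpcs
+- name: Cache Composer
+uses: actions/cache@v4
+with:
+path: ~/.composer/cache
+key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+restore-keys: ${{ runner.os }}-composer-
+- name: Install PHP dependencies
+run: composer install --no-interaction --prefer-dist || true
+- name: Cache npm
+uses: actions/cache@v4
+with:
+path: |
+~/.npm
+node_modules
+key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
+restore-keys: ${{ runner.os }}-npm-
+- name: Install npm dependencies
+run: if [ -f package.json ]; then npm ci || npm i; fi
+# PHPCS WordPress for mu-plugins/
+- name: Fix PHP (WordPress standard in mu-plugins/)
+run: vendor/bin/phpcbf --standard=WordPress mu-plugins || true
+# PHPCS PSR-12 for update-api/
+- name: Fix PHP (PSR-12 standard in update-api/)
+run: vendor/bin/phpcbf --standard=PSR12 update-api || true
+- name: PHP-CS-Fixer
+run: vendor/bin/php-cs-fixer fix --allow-risky=yes || true
+- name: ESLint Fix
+run: npx eslint update-api/**/*.js --fix || true
+- name: Stylelint Fix
+run: npx stylelint "update-api/**/*.css" --fix || true
+- name: Commit fixes to PR branch
+uses: peter-evans/create-pull-request@v6
+with:
+commit-message: "chore: auto-fix lint issues"
+branch: lint-fixes
+title: "Lint Auto-Fixes"
+body: "Automated lint fixes from PR workflow"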
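Review bot: The last step is named `Commit fixes to PR branch`, but `peter-evans/create-pull-request@v6` with a fixed `branch: lint-fixes` and no `base:` pushes every PR's fixes to the same branch and opens a separate PR against the default base, so concurrent PRs overwrite each other's fix branch and the fixes never reach the PR that triggered the run; if per-PR fixes are the intent, use something like `branch: lint-fixes/${{ github.head_ref }}` with `base: ${{ github.head_ref }}`, bearing in mind that on `pull_request` events from forks the token is read-only and this step fails regardless of the `contents: write` grant above. `run: npx eslint update-api/**/*.js --fix || true` hands the glob to the runner's shell, where `**` without globstar matches only one directory level, unlike the quoted glob on the Stylelint step right below; quote it as `"update-api/**/*.js"` so ESLint expands it. Every fix step, and `composer install` before them, ends in `|| true`, so a missing `vendor/bin/phpcbf` or an unknown-tool error is silently swallowed and the workflow reports green without having fixed anything. Finally, `php-cs-fixer fix --allow-risky=yes` enables fixers that can change runtime behaviour, and their output is auto-committed here without the test job from ci.yml (which runs only on `push`) having exercised it; consider dropping `--allow-risky=yes` or gating the commit on a test run.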


@ -1,23 +0,0 @@
# MegaLinter configuration
# Lints only changed files and only selected linters.
VALIDATE_ALL_CODEBASE: false
ENABLE_LINTERS: >
PHP_PHPCS,
PHP_PHPLINT,
JAVASCRIPT_ES,
CSS_STYLELINT,
HTML_HTMLHINT
# Restrict web linters to update-api/
JAVASCRIPT_ES_FILTER_REGEX_INCLUDE: "^update-api/"
CSS_STYLELINT_FILTER_REGEX_INCLUDE: "^update-api/"
HTML_HTMLHINT_FILTER_REGEX_INCLUDE: "^update-api/"
# Use project ruleset to target different PHP standards per directory
PHP_PHPCS_CONFIG_FILE: "phpcs.xml"
# Auto-fix behavior controlled from workflow env, can be overridden here if needed
# APPLY_FIXES: all
# APPLY_FIXES_EVENT: pull_request
# APPLY_FIXES_MODE: pull_request
# REPORT_OUTPUT_FOLDER: megalinter-reports

7
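--- a/.stylelintrc.json
+++ b/.stylelintrc.json
@@ -0,0 +1,7 @@
+{
+"extends": "stylelint-config-standard",
+"rules": {
+"indentation": 2,
+"color-hex-length": "short"
+}
+}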
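Review bot: `"indentation": 2` is one of the stylistic rules that recent stylelint majors (16 and later, as far as I recall) removed, so if the PR workflow's `npx stylelint` resolves a current release this config fails with an unknown-rule error, which the `|| true` on that workflow step then hides. Pin stylelint and `stylelint-config-standard` in a package.json (this commit adds none, so `stylelint-config-standard` is also not guaranteed to be installed when `extends` is resolved) or drop the rule and leave indentation to a formatter.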


@ -4,16 +4,13 @@
<arg name="basepath" value="."/> <arg name="basepath" value="."/>
<arg name="extensions" value="php"/> <arg name="extensions" value="php"/>
<!-- Scope the analysis to these dirs -->
<file>mu-plugins</file> <file>mu-plugins</file>
<file>update-api</file> <file>update-api</file>
<!-- WordPress standard for mu-plugins/ -->
<rule ref="WordPress"> <rule ref="WordPress">
<include-pattern>^mu-plugins/.*</include-pattern> <include-pattern>^mu-plugins/.*</include-pattern>
</rule> </rule>
<!-- PSR-12 for update-api/ -->
<rule ref="PSR12"> <rule ref="PSR12">
<include-pattern>^update-api/.*</include-pattern> <include-pattern>^update-api/.*</include-pattern>
</rule> </rule>

6
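--- a/phpstan.neon
+++ b/phpstan.neon
@@ -0,0 +1,6 @@
+parameters:
+level: 6
+paths:
+- mu-plugins
+- update-api
+memoryLimit: 1G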
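Review bot: `memoryLimit: 1G` duplicates the `--memory-limit=1G` flag that ci.yml already passes on its `vendor/bin/phpstan analyse` line, and as far as I know PHPStan's config schema does not accept `memoryLimit` under `parameters` and rejects unknown keys, in which case this file would stop PHPStan from loading at all; keep the CLI flag and drop the key, or confirm it against the PHPStan configuration reference before merging. The `mu-plugins` path holds WordPress code per phpcs.xml, and at `level: 6` PHPStan will presumably flag every WordPress function and class as unknown unless stubs are configured; a short comment such as `# mu-plugins is WordPress code: needs WordPress stubs/extension installed (TODO confirm package)` would tell the next maintainer why the first run fails.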

11
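--- a/phpunit.xml
+++ b/phpunit.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<phpunit bootstrap="vendor/autoload.php"
+colors="true"
+verbose="true"
+stopOnFailure="false">
+<testsuites>
+<testsuite name="Application Test Suite">
+<directory>tests</directory>
+</testsuite>
+</testsuites>
+</phpunit>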
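Review bot: `verbose="true"` is an attribute that PHPUnit 10 dropped from its configuration schema, so if the PHPUnit version resolved by `composer install` is 10 or newer the run starts with a schema warning and the attribute is ignored; drop it, or run PHPUnit's configuration migration once the version is pinned in composer.json. The suite points at `<directory>tests</directory>`, which this commit does not add, so until test files exist PHPUnit reports that no tests were executed, and depending on the version that can fail the `Run PHPUnit (unit tests)` step in ci.yml rather than pass it.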