Refresh CI for WordPress 7.0 and consolidate quality gates#35
Merged
Conversation
The push-only trigger meant pull requests from forks never received CI feedback. Run on all pull requests, restrict pushes to main so branches with open PRs are not built twice, and allow manual runs via workflow_dispatch.
Refresh the SHA-pinned actions to their latest releases.
Replace the ChristophWurst/xmllint-action steps and the separate PHP lint step with composer lint, so php-parallel-lint and bin/xml-lint give one code path locally and in CI. Validate composer.json strictly, check normalisation, and run PHPCS through cs2pr for inline PR annotations. Add Rector (dry run), PHPStan, and composer audit so static analysis and advisory checks run on every change. Drop the deprecated --no-suggest install option and cap the job at 15 minutes.
WordPress 7.0 shipped on 2026-05-20, so the supported pairs are now PHP 8.4 with WP 6.9 and PHP 8.5 with WP 7.0; the master leg goes as only the latest two releases are supported. Use the new split test scripts, adding a multisite integration run, and pin wp-env to 11.8.0 for reproducible environments. Infection now runs on the latest PHP leg only and without continue-on-error, since its config gates on a minimum MSI. Cap the job at 30 minutes.
The SHA-pinned workflow actions and the package.json devDependency had no update coverage, so add github-actions and npm ecosystems with weekly schedules and their own commit prefixes. Composer moves from daily to weekly with minor and patch updates grouped into one pull request to cut review noise, and all ecosystems now use the dependencies label.
With the workflow now calling the new script names directly, the deprecated unit and integration aliases and the bin/php-lint shim from the testing branch have no remaining callers.
The ubuntu-latest image no longer ships libxml2-utils, so bin/xml-lint failed with command not found once CI switched from the Docker-based xmllint action to the shared composer lint script.
GaryJones
force-pushed
the
GaryJones/ci-refresh
branch
from
ef26f09 to
9fcd28d
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The workflow only ran on push, so pull requests from forks never received CI, and the test matrix still treated master as the latest WordPress even though 7.0 shipped in May. CI now runs on pull requests and manual dispatch, tests the two supported pairs (PHP 8.4 with WordPress 6.9, PHP 8.5 with WordPress 7.0), and bumps the pinned checkout and setup-php actions to their latest releases, with timeouts on both jobs.
The lint job now leans on the composer scripts so local runs and CI share one code path:
composer lintcovers the PHP and XML files, replacing the two xmllint actions, while PHPCS pipes through cs2pr for inline PR annotations. Strict composer validation, a normalisation check, Rector, PHPStan, andcomposer auditround out the static checks. Mutation testing runs once, on the latest PHP leg, and now fails properly because the Infection config gates on a minimum MSI; wp-env is pinned to 11.8.0 for reproducible integration environments, which now include a multisite run. Dependabot gains github-actions and npm ecosystems, so the SHA-pinned actions and the wp-env devDependency finally get update PRs, with Composer moving to weekly updates that group minor and patch bumps.This PR merges last and is stacked on #34 (which stacks on #40), so it retargets to main automatically as each base merges and every layer stays green: #40 carries temporary
unit/integrationaliases and abin/php-lintshim for the old workflow, and this PR removes them as it switches CI to the new entry points. Merge #36 first for thepackage.jsondevDependency the npm Dependabot ecosystem expects, and #37 for the refreshed Rector config. If #34 is declined, drop the PHPStan step here.