From 03449d6b86fc2839063774976983cf58b7842170 Mon Sep 17 00:00:00 2001 From: Gary Jones Date: Thu, 11 Jun 2026 12:09:17 +0100 Subject: [PATCH 1/7] ci: run workflow on pull requests and manual dispatch The push-only trigger meant pull requests from forks never received CI feedback. Run on all pull requests, restrict pushes to main so branches with open PRs are not built twice, and allow manual runs via workflow_dispatch. --- .github/workflows/ci.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 20f8d91..92490d6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,6 +1,10 @@ name: CI for Plugin Boilerplate -on: [push] +on: + push: + branches: [main] + pull_request: + workflow_dispatch: # Cancel any in-progress runs for the same branch when a new push lands. concurrency: From 2a3d429de43fbc70b7d939bc4e66f1084f4448f4 Mon Sep 17 00:00:00 2001 From: Gary Jones Date: Thu, 11 Jun 2026 12:09:35 +0100 Subject: [PATCH 2/7] ci: bump checkout to v6.0.3 and setup-php to 2.37.2 Refresh the SHA-pinned actions to their latest releases. --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 92490d6..9bfcfc2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -31,13 +31,13 @@ jobs: steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: path: plugin-slug persist-credentials: false - name: Setup PHP 8.4 - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 + uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # 2.37.2 with: php-version: '8.4' coverage: none 
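Review bot: The new `pull_request:` trigger in the `on:` block has no comment recording why this event was chosen for fork contributions, and the retained comment above `concurrency:` still speaks only of pushes. Under `pull_request`, runs from forks get a read-only token and no repository secrets, which is what makes it acceptable for the jobs to execute Composer scripts from the contributor's tree, as later patches in this series do; `pull_request_target` would not give that isolation. I would add `# pull_request, not pull_request_target: fork code runs with a read-only token and no secrets.` above the trigger. The `concurrency:` group itself lies outside the hunk, so whether it keys sensibly for pull-request and manual runs needs checking against the full file.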
@@ -94,7 +94,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: path: plugin-slug persist-credentials: false @@ -116,7 +116,7 @@ jobs: run: npm install -g @wordpress/env - name: Setup PHP - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 + uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # 2.37.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: From b23a71efb13232fa04ea6c6fdb597cb555f0d5d6 Mon Sep 17 00:00:00 2001 From: Gary Jones Date: Thu, 11 Jun 2026 12:10:04 +0100 Subject: [PATCH 3/7] ci: route lint job through composer scripts and add analysis Replace the ChristophWurst/xmllint-action steps and the separate PHP lint step with composer lint, so php-parallel-lint and bin/xml-lint give one code path locally and in CI. Validate composer.json strictly, check normalisation, and run PHPCS through cs2pr for inline PR annotations. Add Rector (dry run), PHPStan, and composer audit so static analysis and advisory checks run on every change. Drop the deprecated --no-suggest install option and cap the job at 15 minutes. --- .github/workflows/ci.yml | 41 +++++++++++++++++++++------------------- 1 file changed, 22 insertions(+), 19 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9bfcfc2..59f2f73 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,6 +26,8 @@ jobs: runs-on: ubuntu-latest + timeout-minutes: 15 + permissions: contents: read 
@@ -41,37 +43,38 @@ jobs: with: php-version: '8.4' coverage: none - tools: composer:v2 + tools: composer:v2, cs2pr extensions: mbstring # Just enough to keep phpunit happy when installing Composer dependencies. - name: Validate composer.json - run: composer validate --no-check-lock + run: composer validate --strict - name: Install Composer dependencies uses: ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda # 4.0.0 with: working-directory: plugin-slug - composer-options: --prefer-dist --no-progress --no-suggest + composer-options: --prefer-dist --no-progress - # Needed as runs-on: system doesn't have xml-lint by default. - - name: Lint .phpcs.xml.dist - uses: ChristophWurst/xmllint-action@7c54ff113fc0f6d4588a15cb4dfe31b6ecca5212 # v1.2.1 - with: - xml-file: ./plugin-slug/.phpcs.xml.dist - xml-schema-file: ./plugin-slug/vendor/squizlabs/php_codesniffer/phpcs.xsd + # php-parallel-lint and bin/xml-lint cover the PHP and XML files, + # so local runs and CI share one code path. + - name: Lint PHP and XML files + run: composer lint - # Needed as runs-on: system doesn't have xml-lint by default. - - name: Lint phpunit.xml.dist - uses: ChristophWurst/xmllint-action@7c54ff113fc0f6d4588a15cb4dfe31b6ecca5212 # v1.2.1 - with: - xml-file: ./plugin-slug/phpunit.xml.dist - xml-schema-file: ./plugin-slug/vendor/phpunit/phpunit/phpunit.xsd - - - name: Lint PHP files - run: bin/php-lint + - name: Check composer.json normalisation + run: composer normalize --dry-run + # Pipe through cs2pr so sniff violations show as inline PR annotations. - name: Run PHPCS - run: composer cs + run: vendor/bin/phpcs -q --report=checkstyle | cs2pr + + - name: Run Rector (dry run) + run: composer rector + + - name: Run PHPStan + run: composer phpstan + + - name: Audit dependencies + run: composer audit test: name: WP ${{ matrix.wordpress }} on PHP ${{ matrix.php }} From 6a6f09823e261d48237d1c6cfa62b4d150444d18 Mon Sep 17 00:00:00 2001 
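Review bot: In the `Run PHPCS` step, `vendor/bin/phpcs -q --report=checkstyle | cs2pr` takes its exit status from `cs2pr` alone unless the shell has `pipefail` set, and GitHub Actions starts a `run:` step with no explicit `shell:` as `bash -e {0}`, without it. No `shell:` or `defaults.run` is visible in this hunk, so a phpcs failure that leaves cs2pr nothing to flag could be reported as a pass. I would add `shell: bash` to the step (which enables `-o pipefail`) or write `run: set -o pipefail; vendor/bin/phpcs -q --report=checkstyle | cs2pr`. Separately, `tools: composer:v2, cs2pr` has setup-php fetch cs2pr at whatever version is current, so the SHA pin on the action does not extend to that tool; a `cs2pr:<version>` pin would close that gap.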
From: Gary Jones Date: Thu, 11 Jun 2026 12:10:35 +0100 Subject: [PATCH 4/7] ci: test against WordPress 7.0 and tighten the matrix WordPress 7.0 shipped on 2026-05-20, so the supported pairs are now PHP 8.4 with WP 6.9 and PHP 8.5 with WP 7.0; the master leg goes as only the latest two releases are supported. Use the new split test scripts, adding a multisite integration run, and pin wp-env to 11.8.0 for reproducible environments. Infection now runs on the latest PHP leg only and without continue-on-error, since its config gates on a minimum MSI. Cap the job at 30 minutes. --- .github/workflows/ci.yml | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 59f2f73..28d9346 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -81,6 +81,8 @@ jobs: runs-on: ubuntu-latest + timeout-minutes: 30 + permissions: contents: read @@ -91,9 +93,9 @@ jobs: # Lowest supported PHP with lowest supported WordPress. - php: '8.4' wordpress: '6.9' - # Latest supported PHP with the latest WordPress. + # Latest supported PHP with latest supported WordPress. - php: '8.5' - wordpress: 'master' + wordpress: '7.0' steps: - name: Checkout @@ -116,7 +118,7 @@ jobs: ${{ runner.os }}-npm-wp-env- - name: Install wp-env - run: npm install -g @wordpress/env + run: npm install -g @wordpress/env@11.8.0 - name: Setup PHP uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # 2.37.2 @@ -133,7 +135,7 @@ jobs: uses: ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda # 4.0.0 with: working-directory: plugin-slug - composer-options: --prefer-dist --no-progress --no-suggest + composer-options: --prefer-dist --no-progress - name: Setup Problem Matchers for PHPUnit env: 
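Review bot: In the `Install wp-env` step, `npm install -g @wordpress/env@11.8.0` pins only the top-level package. Its dependency tree is still resolved at install time with no lockfile, so the environment is less reproducible than the commit message suggests and a changed transitive release reaches the runner unreviewed. The pin also lives inside a `run:` string, where the Dependabot `npm` entry added in patch 5 will not see it. If `@wordpress/env` is, or can become, a devDependency in the repository's `package.json` with a committed lockfile (not visible in this series), then `npm ci` in `plugin-slug` followed by `npx wp-env` would lock the whole tree and bring it under update coverage.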
@@ -141,11 +143,13 @@ jobs: run: echo "::add-matcher::${RUNNER_TOOL_CACHE}/phpunit.json" - name: Run unit tests - run: composer unit + run: composer test:unit + # Mutation testing is slow; one leg on the latest PHP is enough, + # and infection.json5 gates on minimum MSI so failures are real. - name: Run infection tests + if: matrix.php == '8.5' run: composer infection - continue-on-error: true - name: Start wp-env run: wp-env start @@ -154,4 +158,7 @@ jobs: WP_ENV_PHP_VERSION: ${{ matrix.php }} - name: Run integration tests - run: composer integration + run: composer test:integration + + - name: Run multisite integration tests + run: composer test:integration-ms From 3b7cd6baae4c01cf50385ca388dbb3e25b93c749 Mon Sep 17 00:00:00 2001 From: Gary Jones Date: Thu, 11 Jun 2026 12:10:44 +0100 Subject: [PATCH 5/7] ci: extend Dependabot to actions and npm, group Composer The SHA-pinned workflow actions and the package.json devDependency had no update coverage, so add github-actions and npm ecosystems with weekly schedules and their own commit prefixes. Composer moves from daily to weekly with minor and patch updates grouped into one pull request to cut review noise, and all ecosystems now use the dependencies label. --- .github/dependabot.yml | 40 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 99c4eda..079e42b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,7 +6,7 @@ updates: - package-ecosystem: "composer" # See documentation for possible values directory: "/" # Location of package manifests schedule: - interval: "daily" + interval: "weekly" # Add assignees assignees: - "GaryJones" 
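Review bot: The `if: matrix.php == '8.5'` guard on `Run infection tests` repeats a literal from the matrix `include` list. When the PHP versions are next bumped, the step will be skipped on every leg while the job stays green, silently dropping the MSI gate this commit has just made blocking. I would carry the choice in the matrix instead: add `infection: true` to the latest-PHP entry and use `if: matrix.infection`. The matrix definition sits in an earlier hunk of this patch (`@@ -91,9 +93,9 @@`), so the change spans both.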
@@ -17,4 +17,40 @@ updates: include: "scope" # Specify labels for Composer pull requests labels: - - "maintenance" + - "dependencies" + # Bundle minor and patch updates into a single pull request. + groups: + composer-minor-and-patch: + update-types: + - "minor" + - "patch" + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + assignees: + - "GaryJones" + # Prefix all commit messages with "Actions" + # include a list of updated dependencies + commit-message: + prefix: "Actions" + include: "scope" + # Specify labels for GitHub Actions pull requests + labels: + - "dependencies" + + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + assignees: + - "GaryJones" + # Prefix all commit messages with "NPM" + # include a list of updated dependencies + commit-message: + prefix: "NPM" + include: "scope" + # Specify labels for npm pull requests + labels: + - "dependencies" From 416b0e7e10e124c02e8dd713d34452f78e421c7c Mon Sep 17 00:00:00 2001 From: Gary Jones Date: Thu, 11 Jun 2026 15:38:52 +0100 Subject: [PATCH 6/7] build: drop the transitional CI entry points With the workflow now calling the new script names directly, the deprecated unit and integration aliases and the bin/php-lint shim from the testing branch have no remaining callers. --- bin/php-lint | 10 ---------- composer.json | 8 ++------ 2 files changed, 2 insertions(+), 16 deletions(-) delete mode 100755 bin/php-lint diff --git a/bin/php-lint b/bin/php-lint deleted file mode 100755 index 9649d28..0000000 --- a/bin/php-lint +++ /dev/null @@ -1,10 +0,0 @@ -#!/usr/bin/env bash -# -# Temporary shim for the pre-refresh CI workflow, which calls bin/php-lint -# directly. PHP syntax linting now lives in `composer lint` via -# php-parallel-lint; the CI refresh removes this file when it switches the -# workflow to the new entry points. - -set -euo pipefail - -exec vendor/bin/parallel-lint . --exclude vendor --exclude node_modules 
diff --git a/composer.json b/composer.json index f5a94ef..2fdf410 100644 --- a/composer.json +++ b/composer.json @@ -71,7 +71,6 @@ "cs": "@php ./vendor/bin/phpcs", "cs-fix": "@php ./vendor/bin/phpcbf", "infection": "./vendor/bin/infection --no-progress --threads=max --show-mutations", - "integration": "@test:integration", "lint": [ "@php ./vendor/bin/parallel-lint . --exclude vendor --exclude node_modules", "bin/xml-lint" @@ -95,15 +94,13 @@ ], "test:integration": "bin/wp-env-phpunit --testsuite integration", "test:integration-ms": "bin/wp-env-phpunit --multisite --testsuite integration", - "test:unit": "@php ./vendor/bin/phpunit --testsuite unit", - "unit": "@test:unit" + "test:unit": "@php ./vendor/bin/phpunit --testsuite unit" }, "scripts-descriptions": { "coverage": "Run the unit tests and generate an HTML coverage report in .phpunit.cache/coverage-html.", "cs": "Check coding standards with PHP_CodeSniffer.", "cs-fix": "Fix automatically fixable coding standards violations with PHP Code Beautifier and Fixer.", "infection": "Run mutation testing with Infection.", - "integration": "Deprecated alias for test:integration, kept until CI moves to the new script names.", "lint": "Check PHP files for syntax errors and XML config files against their schemas.", "phpstan": "Run static analysis with PHPStan.", "rector": "Preview automated refactorings with Rector (dry run).", @@ -112,7 +109,6 @@ "test-full": "Run every check: lint, coding standards, Rector, unit, mutation, and integration tests.", "test:integration": "Run the integration tests inside the wp-env tests container.", "test:integration-ms": "Run the integration tests against WordPress multisite inside the wp-env tests container.", - "test:unit": "Run the unit tests.", - "unit": "Deprecated alias for test:unit, kept until CI moves to the new script names." + "test:unit": "Run the unit tests." } } From 9fcd28ddcf4a3100e434431138d86cefb5db2d67 Mon Sep 17 00:00:00 2001 
From: Gary Jones Date: Thu, 11 Jun 2026 15:46:00 +0100 Subject: [PATCH 7/7] ci: install xmllint for the lint job The ubuntu-latest image no longer ships libxml2-utils, so bin/xml-lint failed with command not found once CI switched from the Docker-based xmllint action to the shared composer lint script. --- .github/workflows/ci.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 28d9346..eca9b64 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -55,6 +55,11 @@ jobs: working-directory: plugin-slug composer-options: --prefer-dist --no-progress + # The runner image does not ship xmllint, which bin/xml-lint uses to + # validate the XML configs against their schemas. + - name: Install xmllint + run: sudo apt-get install --yes --no-install-recommends libxml2-utils + # php-parallel-lint and bin/xml-lint cover the PHP and XML files, # so local runs and CI share one code path. - name: Lint PHP and XML files @@ -146,7 +151,7 @@ jobs: run: composer test:unit # Mutation testing is slow; one leg on the latest PHP is enough, - # and infection.json5 gates on minimum MSI so failures are real. + # and infection.json.dist gates on minimum MSI so failures are real. - name: Run infection tests if: matrix.php == '8.5' run: composer infection
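Review bot: The new `Install xmllint` step runs `sudo apt-get install` without refreshing the package index first, so it depends on the index baked into the runner image still matching the mirrors. When that index goes stale the install fails with 404s and the lint job breaks for reasons unrelated to the change under test. I would write `run: sudo apt-get update && sudo apt-get install --yes --no-install-recommends libxml2-utils`.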