From 031d64a163c46e50985fb87990146d921b8f07e8 Mon Sep 17 00:00:00 2001
From: Joe Fusco <hello@josephfus.co>
Date: Wed, 10 Jun 2026 13:00:09 -0400
Subject: [PATCH] Run WordPress Plugin Check in CI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Runs the same lint suite the WordPress.org plugin directory's
automated review applies on submission — `readme.txt` field checks,
license-header drift, forbidden function calls, and similar
guideline violations — at PR time instead of at submission time.

Pieces that work together:

  - `.wp-env.json` is updated to track `WordPress/WordPress` (latest
    trunk) instead of the pinned `wordpress-7.0-RC2.zip` URL. Trunk
    is where the plugin needs to keep working anyway, and the pin
    produced a compose file the cli service didn't initialize
    cleanly from.

  - The workflow installs `@wordpress/env@11.7.0` globally (matching
    Performance Lab) and writes `~/.composer/auth.json` with the
    workflow's GITHUB_TOKEN before `wp-env start` so the Docker
    build's GitHub-API calls aren't throttled by the unauthenticated
    60/hour rate limit.

  - The plugin is rebuilt via rsync + `.distignore` before being
    mounted into wp-env, so plugin-check sees only what would ship —
    excluding `.wp-env.json`, `*.dist` configs, tests, and other
    dev files that wouldn't be in the distributed zip.

  - `wp plugin check ... --format=github` renders findings as inline
    PR diff annotations.

Skips `WordPress/plugin-check-action@v1` entirely — it bundles its
own wp-env invocation that consistently failed with 'service "cli"
is not running' against wp-env 11.7.0. Calling `wp-env run cli wp
plugin check` directly is simpler and more debuggable.
---
 .github/workflows/plugin-check.yml | 16 +++-------------
 1 file changed, 3 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/plugin-check.yml b/.github/workflows/plugin-check.yml
index ced230a..ad1bba9 100644
--- a/.github/workflows/plugin-check.yml
+++ b/.github/workflows/plugin-check.yml
@@ -40,20 +40,10 @@ jobs:
 
       - run: npm install -g @wordpress/env@11.7.0
 
-      # Authenticate composer's GitHub API calls. Without this, wp-env's
-      # Docker build hits the 60/hour unauthenticated rate limit on
-      # `api.github.com/repos/.../zipball/...` and 504s while pulling
-      # the Sebastian Bergmann package tree. Writing the auth file at
-      # `~/.composer/auth.json` raises the limit to 5000/hour using the
-      # workflow's GITHUB_TOKEN.
+      # Avoids the intermittent 504s on api.github.com during wp-env's
+      # Docker build (PR #22). Authenticated requests dodge the issue.
       - name: Authenticate composer to GitHub
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          mkdir -p ~/.composer
-          cat > ~/.composer/auth.json <<JSON
-          { "github-oauth": { "github.com": "${GH_TOKEN}" } }
-          JSON
+        run: composer config --global --auth github-oauth.github.com '${{ secrets.GITHUB_TOKEN }}'
 
       # Build the plugin tree the same way `release.yml` does so
       # plugin-check sees only what would actually ship — `.distignore`