Modernize CI/CD configuration and add .github/ infrastructure#1600
Merged
Conversation
- Update .gitattributes with LF enforcement and comprehensive export-ignore rules - Update .gitignore with organized sections and modern tooling entries - Update .scrutinizer.yml to match XMF/RegDom structure with trailing slash patterns - Add .coderabbit.yaml for AI-powered code review with PHP 7.4 compatibility checks - Add sonar-project.properties for SonarCloud analysis - Add renovate.json for automated dependency updates with separateMinorPatch - Add qodana.yaml for JetBrains Qodana PHP static analysis - Add phpstan.neon for PHPStan static analysis at level 2 - Add CI workflow with PHP 7.4-8.5 matrix, lowest-deps test, Codecov coverage - Add Qodana and SonarCloud workflows - Add dependabot.yml for automated composer and GH Actions updates - Add copilot-instructions.md with XoopsCore25 architecture and conventions - Add xoops-copilot-template.md for reuse in XOOPS modules - Update CONTRIBUTING.md with correct repository link - Update bug-report.yml with PHP 8.5 and XOOPS 2.5.13 options Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
WalkthroughAdds CI/CD workflows, static-analysis and dependency automation configs, repository export/ignore rules, contributor docs and templates, PHP static-analysis configs, and a CodeRabbit project-level review configuration with path-specific PHP review rules. Changes
Sequence Diagram(s)mermaid Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes 🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing touches🧪 Generate unit tests (beta)
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 13
🤖 Fix all issues with AI agents
In @.coderabbit.yaml:
- Around line 20-29: The folded scalar under path_instructions contains
unnecessary backslash-escaped underscores (`$\_GET`, `$\_POST`, `$\_REQUEST`);
update that scalar to use the normal PHP superglobal spellings (`$_GET`,
`$_POST`, `$_REQUEST`) (edit the instructions string under the path_instructions
entry) so the YAML is simpler and clearer while preserving the same checklist
content and behavior.
In @.github/copilot-instructions.md:
- Around line 11-25: Add a language identifier to the fenced code block in
.github/copilot-instructions.md (the block showing the project layout) by
changing the opening triple-backticks to include a language such as "text" or
"plaintext" (e.g., ```text) so markdownlint stops flagging the block and
rendering is consistent; leave the rest of the block unchanged.
- Line 40: Update the PHP 8.0+ feature exclusion list in
.github/copilot-instructions.md to also mention Attributes (#[Attribute]), the
nullsafe operator (?->), the explicit mixed type, and trailing commas in
parameter lists so the policy clearly forbids these PHP 8.0-only constructs in
addition to the existing items (named arguments, match, union types, enums,
fibers, readonly properties, intersection types, never return, first-class
callables, constructor promotion); ensure the wording is concise and consistent
with the existing list and emphasizes compatibility with PHP 7.4–8.5 CI tests.
In @.github/dependabot.yml:
- Around line 1-18: This repo currently enables Composer updates in Dependabot
(package-ecosystem: "composer" in .github/dependabot.yml) while Renovate also
runs with config:recommended; to avoid duplicate PRs disable Composer in one
tool—preferably add a rule in renovate.json to turn Composer off (e.g., set
composer enabled false in the appropriate packageRules or packageManager
configuration) so only Dependabot manages Composer, or conversely remove/disable
the "composer" entry from .github/dependabot.yml if you want Renovate to manage
it.
In @.github/ISSUE_TEMPLATE/bug-report.yml:
- Line 10: The YAML line "options: [ '2.5.11', '2.5.12', '2.5.13' ]" has extra
spaces inside the square brackets; update it to remove the inner bracket spacing
(e.g., change to "options: ['2.5.11','2.5.12','2.5.13']") so it conforms with
YAMLlint bracket-spacing rules and keeps consistent formatting.
- Line 17: Fix the YAML bracket spacing for the options array and keep the PHP
8.5 entry: replace the current "options: [ '7.4', '8.0', '8.1', '8.2', '8.3',
'8.4', '8.5' ]" with a lint-friendly form such as "options: ['7.4', '8.0',
'8.1', '8.2', '8.3', '8.4', '8.5']" (no space after the opening bracket or
before the closing bracket) while preserving the '8.5' element under the options
key.
In @.github/workflows/ci.yml:
- Around line 102-131: The PHPunit config created in the Create PHPUnit Config
step currently sets coverage to <directory>src</directory>, which doesn't match
XOOPS layout; update the coverage include in the phpunit.xml generation (the
here-doc inside the "Create PHPUnit Config" job) to point to the actual source
directories (for example htdocs/class, htdocs/kernel, and any module folders you
expect tests against) or add multiple <directory> entries for those paths, and
document in the workflow comment that coverage targets are provisional and will
be expanded when real tests are added.
In @.github/workflows/qodana.yml:
- Around line 13-16: The workflow currently grants excessive repo modification
rights via the permissions block (specifically "contents: write"); change the
"contents" permission to "read" in the permissions section unless this workflow
actually needs to commit or modify repository files (e.g., auto-fix behavior),
and keep "pull-requests" and "checks" scopes as-is—this reduces privilege to
least-privilege while preserving Qodana analysis functionality.
In @.github/workflows/sonarcloud.yml:
- Around line 27-31: The step "SonarCloud Scan" uses the secrets context in its
step-level if condition which is invalid; change the conditional to use a
repository/environment variable instead (for example check vars.HAS_SONAR_TOKEN
or an env flag) and keep the existing env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN
}} so the secret is injected at runtime; specifically update the step named
"SonarCloud Scan" to use if: ${{ vars.HAS_SONAR_TOKEN == 'true' }} or an
equivalent env-based check rather than if: ${{ secrets.SONAR_TOKEN != '' }}.
In @.github/xoops-copilot-template.md:
- Around line 38-41: Update the PHP Compatibility section to explicitly forbid
additional PHP 8+ features: add "constructor property promotion (e.g., public
function __construct(private int $x))", the nullsafe operator (?->), and PHP
Attributes (#[Attribute]) to the existing list that already mentions named
arguments, match, union types, enums, fibers, readonly, intersection types,
never, and first-class callables so authors know to avoid these newer
syntax/features for PHP 7.4 compatibility.
In @.gitignore:
- Around line 39-40: Remove the unused patches.lock.json ignore entry from
.gitignore if the Composer patches plugin is definitively not used; if you
prefer to keep it for potential local use, replace the bare filename with a
short explanatory comment (e.g., "# Composer patches plugin - only keep if using
plugin") so its purpose is clear; target the line containing "patches.lock.json"
in the .gitignore for this change.
In `@phpstan.neon`:
- Around line 24-25: The phpstan.neon bootstrapFiles entry references a
non-existent "constants.php"; either remove that bootstrapFiles entry or replace
it with the actual constants file(s) used by the project (for example the
existing comment_constants.php, notification_constants.php or
system/constants.php) so PHPStan loads real definitions. Edit phpstan.neon to
delete the "constants.php" line if it isn't required, or change it to point to
the correct constant file(s) that exist in the repo and are needed for analysis.
In `@renovate.json`:
- Around line 9-16: The config sets separateMinorPatch: true but then
immediately groups minor and patch updates via a packageRules entry with
matchUpdateTypes ["minor","patch"] and groupName "Minor and patch dependencies",
which conflicts; either remove or set separateMinorPatch to false to keep the
grouping, or change the packageRules matchUpdateTypes to only one type (e.g.,
["minor"] or ["patch"]) or remove that packageRules entry to honor separation —
update the renovate.json setting (separateMinorPatch) or adjust the packageRules
(matchUpdateTypes/groupName) accordingly so the two directives no longer
contradict each other.
Comment on lines
+38
to
+41
| ## PHP Compatibility | ||
|
|
||
| Code must run on PHP 7.4 through 8.5. Do not use features exclusive to PHP 8.0+ (named arguments, match expressions, union type hints in signatures, enums, fibers, readonly properties, intersection types, `never` return type, first-class callable syntax). | ||
|
|
There was a problem hiding this comment.
🧹 Nitpick | 🔵 Trivial
Comprehensive PHP 8.0+ feature exclusion list.
The list accurately covers the major PHP 8.0+ language features that must be avoided for 7.4 compatibility: named arguments, match expressions, union types in signatures, constructor promotion (notably absent—consider adding), enums (8.1), fibers (8.1), readonly (8.1), intersection types (8.1), never return type (8.1), and first-class callables (8.1).
Consider also mentioning:
- Constructor property promotion (
public function __construct(private int $x)) - Nullsafe operator (
?->) - Attributes (
#[Attribute])
📝 More complete feature list
-Code must run on PHP 7.4 through 8.5. Do not use features exclusive to PHP 8.0+ (named arguments, match expressions, union type hints in signatures, enums, fibers, readonly properties, intersection types, `never` return type, first-class callable syntax).
+Code must run on PHP 7.4 through 8.5. Do not use features exclusive to PHP 8.0+ (named arguments, match expressions, union type hints in signatures, constructor property promotion, nullsafe operator `?->`, attributes `#[...]`, enums, fibers, readonly properties, intersection types, `never` return type, first-class callable syntax).📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| ## PHP Compatibility | |
| Code must run on PHP 7.4 through 8.5. Do not use features exclusive to PHP 8.0+ (named arguments, match expressions, union type hints in signatures, enums, fibers, readonly properties, intersection types, `never` return type, first-class callable syntax). | |
| ## PHP Compatibility | |
| Code must run on PHP 7.4 through 8.5. Do not use features exclusive to PHP 8.0+ (named arguments, match expressions, union type hints in signatures, constructor property promotion, nullsafe operator `?->`, attributes `#[...]`, enums, fibers, readonly properties, intersection types, `never` return type, first-class callable syntax). | |
🤖 Prompt for AI Agents
In @.github/xoops-copilot-template.md around lines 38 - 41, Update the PHP
Compatibility section to explicitly forbid additional PHP 8+ features: add
"constructor property promotion (e.g., public function __construct(private int
$x))", the nullsafe operator (?->), and PHP Attributes (#[Attribute]) to the
existing list that already mentions named arguments, match, union types, enums,
fibers, readonly, intersection types, never, and first-class callables so
authors know to avoid these newer syntax/features for PHP 7.4 compatibility.
Comment on lines
+39
to
+40
| # Composer patches plugin (not used by this project) | ||
| patches.lock.json |
There was a problem hiding this comment.
🧹 Nitpick | 🔵 Trivial
Consider removing the unused patches.lock.json entry.
The comment states this project doesn't use the Composer patches plugin. If that's definitively the case, this entry adds noise. However, if there's a possibility of future use or if contributors might add it locally, keeping it is harmless.
🤖 Prompt for AI Agents
In @.gitignore around lines 39 - 40, Remove the unused patches.lock.json ignore
entry from .gitignore if the Composer patches plugin is definitively not used;
if you prefer to keep it for potential local use, replace the bare filename with
a short explanatory comment (e.g., "# Composer patches plugin - only keep if
using plugin") so its purpose is clear; target the line containing
"patches.lock.json" in the .gitignore for this change.
Comment on lines
+24
to
+25
| bootstrapFiles: | ||
| - constants.php |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
fd -t f 'constants.php' | head -10Repository: XOOPS/XoopsCore25
Length of output: 175
🏁 Script executed:
# Find phpstan.neon location
fd -t f 'phpstan.neon'
# Check if constants.php exists at project root or common bootstrap locations
find . -maxdepth 3 -name 'constants.php' -type fRepository: XOOPS/XoopsCore25
Length of output: 170
🏁 Script executed:
cat -n phpstan.neonRepository: XOOPS/XoopsCore25
Length of output: 834
Remove or correct the non-existent bootstrap file path.
The constants.php file referenced in bootstrapFiles does not exist in the repository. No file with this exact name was found at the project root or within htdocs/. The specialized constants files (comment_constants.php, notification_constants.php, system/constants.php) exist only in subdirectories. Either remove this bootstrap entry if it's not needed, or identify and specify the correct constants file to load.
🤖 Prompt for AI Agents
In `@phpstan.neon` around lines 24 - 25, The phpstan.neon bootstrapFiles entry
references a non-existent "constants.php"; either remove that bootstrapFiles
entry or replace it with the actual constants file(s) used by the project (for
example the existing comment_constants.php, notification_constants.php or
system/constants.php) so PHPStan loads real definitions. Edit phpstan.neon to
delete the "constants.php" line if it isn't required, or change it to point to
the correct constant file(s) that exist in the repo and are needed for analysis.
There was a problem hiding this comment.
Pull request overview
This PR modernizes repository automation and meta-configuration by adding CI workflows, dependency update tooling, and static-analysis configuration, along with GitHub repository infrastructure and guidance docs.
Changes:
- Add GitHub Actions workflows for CI testing, SonarCloud, and Qodana.
- Add/update repo tooling configs: Renovate, Dependabot, Sonar, PHPStan, Scrutinizer, CodeRabbit.
- Standardize repo hygiene and guidance:
.gitattributes,.gitignore, issue templates, contributing and Copilot instruction docs.
Reviewed changes
Copilot reviewed 15 out of 16 changed files in this pull request and generated 9 comments.
Show a summary per file
| File | Description |
|---|---|
sonar-project.properties |
SonarCloud project configuration (sources/tests/coverage paths and exclusions). |
renovate.json |
Renovate bot configuration for dependency update automation and auto-merge rules. |
qodana.yaml |
Qodana linter configuration with PHP version and excluded paths. |
phpstan.neon |
PHPStan configuration (level, paths, excludes, bootstrap/include). |
.scrutinizer.yml |
Scrutinizer CI configuration simplification + excluded paths updates. |
.gitignore |
Expanded ignores for build artifacts, caches, local configs, and tool files. |
.github/xoops-copilot-template.md |
Reusable Copilot instruction template for XOOPS modules. |
.github/workflows/sonarcloud.yml |
Workflow to run SonarCloud scan on pushes/PRs. |
.github/workflows/qodana.yml |
Workflow to run JetBrains Qodana analysis on pushes/PRs. |
.github/workflows/ci.yml |
New CI workflow with PHP matrix, dependency install, and coverage upload. |
.github/dependabot.yml |
Dependabot configuration for Composer and GitHub Actions updates. |
.github/copilot-instructions.md |
Repo-specific Copilot instructions (architecture, security, compatibility). |
.github/ISSUE_TEMPLATE/bug-report.yml |
Bug report template updated with new XOOPS/PHP version options. |
.github/CONTRIBUTING.md |
Fix GitHub repo link + adjust badge text. |
.gitattributes |
Enforce LF endings + add export-ignore rules for release archives. |
.coderabbit.yaml |
CodeRabbit configuration with review guidance and tool enablement. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+79
to
+83
| "require-dev": { | ||
| "phpunit/phpunit": "^9.6 || ^10.5 || ^11.2" | ||
| }, | ||
| "minimum-stability": "stable" | ||
| } |
There was a problem hiding this comment.
The generated composer.json here-doc is invalid JSON: the require-dev object closing brace is missing a trailing comma before "minimum-stability". This will cause composer update to fail in CI.
- Fix .gitattributes export-ignore: use /** for recursive directory matching - Fix renovate.json: group only minor updates (not minor+patch) to avoid conflict with separateMinorPatch setting - Fix sonarcloud.yml: move SONAR_TOKEN to job-level env, use env context in step-level if (secrets context unavailable at step level) - Fix ci.yml: add concurrency control and job timeout-minutes - Fix qodana.yml: narrow permissions from contents: write to contents: read - Fix CONTRIBUTING.md: move heading to first line for MD041 compliance - Fix bug-report.yml: remove extra spaces inside YAML bracket notation - Fix xoops-copilot-template.md: add language specifier to code fence - Fix dependabot.yml: remove composer ecosystem (Renovate handles it) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
Actionable comments posted: 5
🤖 Fix all issues with AI agents
In @.gitattributes:
- Around line 20-26: The .gitattributes entry for the .ai directory is
inconsistent: change the pattern ".ai/** export-ignore" to use a leading slash
("/.ai/** export-ignore") so it anchors to the repository root like the other
entries (e.g., "/_archive/**", "/tests/**"); update the .ai line accordingly to
ensure it only matches the root-level .ai directory and keep pattern style
consistent.
In @.github/CONTRIBUTING.md:
- Line 3: Update the README/CONTRIBUTING logo reference to a version-neutral
image: replace the current image filename "logoXoopsPhp81.png" with the
alternate "logoXoops4GithubRepository.png" (or keep as-is if you prefer to
retain the existing branded file); ensure the markdown image tag still points to
https://xoops.org/images/<new-filename> so the logo remains accessible and
consistent across docs.
In @.github/workflows/ci.yml:
- Around line 80-82: Tighten the Composer PHP version constraint by changing the
"php" entry under "require" from a broad ">=${PHP_VERSION}" to a caret-style
constraint (e.g. "^${PHP_VERSION}") so dependency resolution is restricted to
the intended major/minor range; update the "require" "php" value (which
currently references ${PHP_VERSION}) accordingly while leaving the existing
platform.php setting intact.
In @.github/workflows/sonarcloud.yml:
- Around line 21-33: The workflow enables Xdebug in the "Setup PHP" step but
never generates a coverage report before the "SonarCloud Scan" step, which will
cause SonarCloud to see no coverage or fail if sonar-project.properties expects
a file like clover.xml; fix by either adding a test step that runs PHPUnit (or
your test runner) with coverage output (e.g., generate clover.xml) and place
that step before the SonarCloud Scan, or remove the coverage: xdebug setting
from the "Setup PHP" step if you don't intend to collect coverage, or add a
short comment documenting that coverage is intentionally omitted and handled
elsewhere (ci.yml).
In @.github/xoops-copilot-template.md:
- Around line 44-58: Add a blank line immediately before and after the fenced
PHP code block that begins with "```php" and contains the "<?php" header so the
fenced block is separated from surrounding list text (fixes markdownlint MD031);
update the block boundaries to ensure there is an empty line above the opening
```php and an empty line below the closing ``` to satisfy MD031 compliance.
- Fix .gitattributes: add leading slash to .ai/ and .github/ patterns - Fix actions/checkout SHA to match actual v5 release (08c6903) - Fix ci.yml: tighten PHP constraint (^), fix coverage dir, add CODECOV_TOKEN - Fix sonarcloud.yml: remove unused xdebug coverage (handled by ci.yml) - Update CONTRIBUTING.md: replace legacy PEAR link with GitHub/Composer - Fix xoops-copilot-template.md: MD031 blank lines around code fence - Remove GH Actions rule from renovate.json (Dependabot handles it) - Fix coderabbit.yaml: remove backslash escapes from superglobal names - Fix phpstan.neon: remove non-existent phpstan-baseline.neon include Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add concurrency block to prevent duplicate SonarCloud runs - Add timeout-minutes: 15 for consistency with ci.yml Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Update root CONTRIBUTING.md with modern links and licensing section - Make .github/CONTRIBUTING.md a redirect to root to avoid divergent guidance Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 15 out of 16 changed files in this pull request and generated 10 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - php: "8.2" | ||
| - php: "8.3" | ||
| - php: "8.4" | ||
| - php: "8.5" |
There was a problem hiding this comment.
PHP 8.5 is included in the matrix, but the currently bundled dependency meta-package requires PHP "^7.4.0 || ^8.4.0". Unless dependencies have been updated to allow 8.5, this job will fail; consider removing 8.5 from the matrix or updating the dependency set to explicitly support 8.5 before enabling it in CI.
Suggested change
| - php: "8.5" |
Comment on lines
+21
to
+22
| bootstrapFiles: | ||
| - constants.php |
There was a problem hiding this comment.
phpstan.neon references constants.php as a bootstrap file, but there is no constants.php in the repository root. This will cause PHPStan to error out when run; either add the referenced bootstrap file or update bootstrapFiles to point at an existing bootstrap (or remove it if not needed).
Suggested change
| bootstrapFiles: | |
| - constants.php |
Comment on lines
+1
to
+6
| version: 2 | ||
| updates: | ||
| - package-ecosystem: "github-actions" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "weekly" |
There was a problem hiding this comment.
PR description says Dependabot is configured for both Composer and GitHub Actions updates, but this config only enables the github-actions ecosystem. If Composer updates are intended, add an additional updates entry for the Composer manifest directory (and ensure there is a supported composer.json/composer.lock for Dependabot to monitor).
Comment on lines
+15
to
+19
| analyse: | ||
| - htdocs/class/auth/ | ||
| - htdocs/install/ | ||
| - htdocs/xoops_lib/vendor/ | ||
| scanFiles: |
There was a problem hiding this comment.
PHPStan is configured to analyze htdocs, but excludePaths does not exclude htdocs/class/libraries/vendor (vendored dependencies). This can significantly increase analysis time and produce irrelevant errors; add that vendor directory to excludePaths (analyse and/or analyseAndScan) so PHPStan focuses on the project’s source.
Comment on lines
+1
to
+2
| name: CI | ||
| on: [push, pull_request] |
There was a problem hiding this comment.
This workflow is named "CI" and also triggers on push/pull_request, but the repo already contains .github/workflows/pr_tests.yml with the same workflow name and triggers. That will result in two separate CI workflows running for every push/PR; consider renaming one workflow or removing/consolidating the older workflow to avoid duplicate runs and confusing status checks.
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Fix all issues with AI agents
In @.github/workflows/ci.yml:
- Around line 9-12: Update the CI job configuration for the tests job by
replacing the floating runner label `runs-on: ubuntu-latest` with the pinned
image `runs-on: ubuntu-22.04` to ensure a stable, predictable environment for
legacy PHP versions; locate the `tests` job (the block containing `name: PHP ${{
matrix.php }}` and `timeout-minutes: 15`) and change only the `runs-on` value,
and if there are other workflows using `ubuntu-latest` for PHP matrix jobs,
apply the same pin to keep environments consistent.
- Around line 61-103: The CI matrix includes PHP versions that are unsupported
by xoops/base-requires25, causing composer check-platform-reqs to fail; update
the workflow by modifying the matrix entries that set matrix.php (used by the
Create composer.json step and the Install dependencies step) to remove PHP 8.0,
8.1, 8.2, and 8.3 (or alternatively update the dependency version constraint for
xoops/base-requires25 in the composer.json generation block to a release that
supports those PHP versions), so the generated composer.json (in the Create
composer.json step) and the subsequent Install dependencies and Check platform
requirements steps align with supported PHP versions.
- Around line 33-60: Replace the hard-pinned commit SHAs for GitHub Actions with
either updated SHAs or floating major-version tags: change uses:
actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 to uses:
actions/checkout@v5 (or a current v5 SHA), change uses:
shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 to uses:
shivammathur/setup-php@v2 (or the latest v2 SHA), and change uses:
actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 to uses: actions/cache@v4
(or an updated v4 SHA); update the SHAs periodically if you prefer pinning to
ensure patch fixes are included.
Comment on lines
+33
to
+60
| steps: | ||
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 | ||
|
|
||
| - name: Setup PHP | ||
| uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2 | ||
| with: | ||
| php-version: ${{ matrix.php }} | ||
| extensions: intl, mbstring, mysqli | ||
| tools: composer | ||
| coverage: ${{ matrix.coverage && 'xdebug' || 'none' }} | ||
|
|
||
| - name: Show versions | ||
| run: | | ||
| php -v | ||
| composer --version | ||
|
|
||
| - name: Get Composer cache dir | ||
| id: composer-cache | ||
| run: echo "dir=$(composer config cache-dir)" >> $GITHUB_OUTPUT | ||
|
|
||
| - name: Cache Composer | ||
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 | ||
| with: | ||
| path: ${{ steps.composer-cache.outputs.dir }} | ||
| key: composer-${{ runner.os }}-${{ matrix.php }}-${{ matrix.deps || 'stable' }}-${{ hashFiles('**/composer.json') }} | ||
| restore-keys: | | ||
| composer-${{ runner.os }}-${{ matrix.php }}- | ||
|
|
There was a problem hiding this comment.
🧹 Nitpick | 🔵 Trivial
🧩 Analysis chain
🌐 Web query:
actions/checkout v5 release SHA github
💡 Result:
actions/checkout@v5(floating major tag) currently points to commit93cb6efe18208431cddfb8368fd83d5badbf9bfd(v5.0.1). [1][2]actions/checkout@v5.0.0(the v5.0.0 release tag) points to commit08c6903cd8c0fde910a37f88322edcfb5dd907a8. [3][4]
Sources: GitHub tags/releases and the linked commit pages. [1][2][3][4]
🌐 Web query:
shivammathur/setup-php v2 release SHA github
💡 Result:
The latest shivammathur/setup-php v2.x release shown on GitHub Releases is v2.35.5, and its associated commit (short) SHA is bf6b4fb. [1]
Source: GitHub Releases page for shivammathur/setup-php. [1]
[1] (github.com)
Citations:
🌐 Web query:
actions/cache v4 release SHA github
💡 Result:
actions/cache@v4 (the moving major tag) currently points to commit 0057852bfaa89a56745cba8c7296529d2fc39830 (tagged alongside v4.3.0, dated Sep 24, 2025). [1][2]
Sources:
[1] actions/cache tags page (shows v4 → 0057852) (github.com)
[2] Commit page with full SHA for 0057852 (github.com)
Citations:
The pinned SHAs are from older patch versions — consider updating or using floating tags.
While the SHAs map to their intended major releases (v5, v2, v4), they're pinned to older patch versions: actions/checkout is at v5.0.0 (v5 now at v5.0.1+), and shivammathur/setup-php trails behind the latest v2.35.5. This strategy prevents automatic security and bug-fix patches. Either update the pinned SHAs regularly to stay current with patch releases, or switch to floating major version tags if you prefer the latest patches within each major version.
🤖 Prompt for AI Agents
In @.github/workflows/ci.yml around lines 33 - 60, Replace the hard-pinned
commit SHAs for GitHub Actions with either updated SHAs or floating
major-version tags: change uses:
actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 to uses:
actions/checkout@v5 (or a current v5 SHA), change uses:
shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 to uses:
shivammathur/setup-php@v2 (or the latest v2 SHA), and change uses:
actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 to uses: actions/cache@v4
(or an updated v4 SHA); update the SHAs periodically if you prefer pinning to
ensure patch fixes are included.
…clusions - ci.yml: Remove PHP 8.0-8.3 from matrix (unsupported by xoops/base-requires25 which requires ^7.4.0 || ^8.4.0), move coverage to PHP 8.4, pin ubuntu-22.04, update dependency to ^1.1.10@beta with minimum-stability: beta - Remove duplicate pr_tests.yml workflow (same "CI" name and triggers as ci.yml) - Pin ubuntu-22.04 in sonarcloud.yml and qodana.yml for reproducibility - Add htdocs/class/libraries/vendor/ to phpstan, sonar, and qodana exclusions Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@CONTRIBUTING.md`:
- Around line 12-20: Update the SemVer link in the "Pull Requests" section so it
uses HTTPS instead of HTTP: locate the line that begins with "Consider our
release cycle" (the SemVer link) and replace "http://semver.org/" with
"https://semver.org/" to ensure the URL is secure.
Comment on lines
+12
to
+20
| ## Pull Requests | ||
|
|
||
| # Licensing | ||
| - **[PSR-12 Coding Standard](https://www.php-fig.org/psr/psr-12/)** - The easiest way to apply the conventions is to install [PHP_CodeSniffer](https://github.com/PHPCSStandards/PHP_CodeSniffer) via Composer: `composer require --dev squizlabs/php_codesniffer`. | ||
| - **Add tests!** - We encourage providing tests for your contributions. | ||
| - **Document any change in behavior** - Make sure the `/docs/changelog.txt` and any other relevant documentation are up-to-date. | ||
| - **Consider our release cycle** - We try to follow [Semantic Versioning v2.0.0](http://semver.org/). Randomly breaking public APIs is not an option. | ||
| - **Create feature branches** - Don't ask us to pull from your master branch. | ||
| - **One pull request per feature** - If you want to do more than one thing, send multiple pull requests. | ||
| - **Send coherent history** - Make sure each individual commit in your pull request is meaningful. If you had to make multiple intermediate commits while developing, please squash them before submitting. |
There was a problem hiding this comment.
Solid PR guidelines with one minor URL improvement.
The Pull Requests section covers the essentials: PSR-12, testing, documentation, SemVer, branching, and commit hygiene. However, the SemVer link on line 17 uses http:// instead of https://.
🔒 Proposed fix for secure URL
-- **Consider our release cycle** - We try to follow [Semantic Versioning v2.0.0](http://semver.org/). Randomly breaking public APIs is not an option.
+- **Consider our release cycle** - We try to follow [Semantic Versioning v2.0.0](https://semver.org/). Randomly breaking public APIs is not an option.📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| ## Pull Requests | |
| # Licensing | |
| - **[PSR-12 Coding Standard](https://www.php-fig.org/psr/psr-12/)** - The easiest way to apply the conventions is to install [PHP_CodeSniffer](https://github.com/PHPCSStandards/PHP_CodeSniffer) via Composer: `composer require --dev squizlabs/php_codesniffer`. | |
| - **Add tests!** - We encourage providing tests for your contributions. | |
| - **Document any change in behavior** - Make sure the `/docs/changelog.txt` and any other relevant documentation are up-to-date. | |
| - **Consider our release cycle** - We try to follow [Semantic Versioning v2.0.0](http://semver.org/). Randomly breaking public APIs is not an option. | |
| - **Create feature branches** - Don't ask us to pull from your master branch. | |
| - **One pull request per feature** - If you want to do more than one thing, send multiple pull requests. | |
| - **Send coherent history** - Make sure each individual commit in your pull request is meaningful. If you had to make multiple intermediate commits while developing, please squash them before submitting. | |
| ## Pull Requests | |
| - **[PSR-12 Coding Standard](https://www.php-fig.org/psr/psr-12/)** - The easiest way to apply the conventions is to install [PHP_CodeSniffer](https://github.com/PHPCSStandards/PHP_CodeSniffer) via Composer: `composer require --dev squizlabs/php_codesniffer`. | |
| - **Add tests!** - We encourage providing tests for your contributions. | |
| - **Document any change in behavior** - Make sure the `/docs/changelog.txt` and any other relevant documentation are up-to-date. | |
| - **Consider our release cycle** - We try to follow [Semantic Versioning v2.0.0](https://semver.org/). Randomly breaking public APIs is not an option. | |
| - **Create feature branches** - Don't ask us to pull from your master branch. | |
| - **One pull request per feature** - If you want to do more than one thing, send multiple pull requests. | |
| - **Send coherent history** - Make sure each individual commit in your pull request is meaningful. If you had to make multiple intermediate commits while developing, please squash them before submitting. |
🤖 Prompt for AI Agents
In `@CONTRIBUTING.md` around lines 12 - 20, Update the SemVer link in the "Pull
Requests" section so it uses HTTPS instead of HTTP: locate the line that begins
with "Consider our release cycle" (the SemVer link) and replace
"http://semver.org/" with "https://semver.org/" to ensure the URL is secure.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In @.github/workflows/ci.yml:
- Around line 47-58: The cache key is computed in the "Cache Composer" step
before composer.json is generated, so update the cache key expression (and
optionally restore-keys) used in the "Cache Composer" step to include the
workflow file hash as well as composer.json; locate the "Cache Composer" step
(uses: actions/cache..., key: composer-...) and change the hashFiles(...) part
to include the workflow file (e.g. add '.github/workflows/ci.yml' to the
hashFiles list) so changes to the here-doc generation invalidate the cache; you
can keep the "Get Composer cache dir" step (id: composer-cache) unchanged.
In `@sonar-project.properties`:
- Around line 9-10: The sonar-project.properties file references a coverage
artifact via the sonar.php.coverage.reportPaths setting (set to
build/logs/clover.xml) which SonarCloud won't receive from the current
sonarcloud.yml workflow; remove the sonar.php.coverage.reportPaths property (or
alternatively point it to an accessible path/artifact and update the SonarCloud
workflow to download the CI coverage artifact) so SonarCloud no longer expects
build/logs/clover.xml.
Comment on lines
+47
to
+58
| - name: Get Composer cache dir | ||
| id: composer-cache | ||
| run: echo "dir=$(composer config cache-dir)" >> $GITHUB_OUTPUT | ||
|
|
||
| - name: Cache Composer | ||
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 | ||
| with: | ||
| path: ${{ steps.composer-cache.outputs.dir }} | ||
| key: composer-${{ runner.os }}-${{ matrix.php }}-${{ matrix.deps || 'stable' }}-${{ hashFiles('**/composer.json') }} | ||
| restore-keys: | | ||
| composer-${{ runner.os }}-${{ matrix.php }}- | ||
|
|
There was a problem hiding this comment.
🧹 Nitpick | 🔵 Trivial
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/ci.ymlRepository: XOOPS/XoopsCore25
Length of output: 7100
Cache key is computed before composer.json generation — consider including the workflow file in the hash.
The cache step (lines 51-57) executes before the dynamically generated composer.json (lines 59-88) is created. While matrix.php provides per-version cache variation, changes to the here-doc generation logic won't invalidate existing cache entries. Include the workflow file in the hash to catch generation changes:
- key: composer-${{ runner.os }}-${{ matrix.php }}-${{ matrix.deps || 'stable' }}-${{ hashFiles('**/composer.json') }}
+ key: composer-${{ runner.os }}-${{ matrix.php }}-${{ matrix.deps || 'stable' }}-${{ hashFiles('**/composer.json', '.github/workflows/ci.yml') }}🤖 Prompt for AI Agents
In @.github/workflows/ci.yml around lines 47 - 58, The cache key is computed in
the "Cache Composer" step before composer.json is generated, so update the cache
key expression (and optionally restore-keys) used in the "Cache Composer" step
to include the workflow file hash as well as composer.json; locate the "Cache
Composer" step (uses: actions/cache..., key: composer-...) and change the
hashFiles(...) part to include the workflow file (e.g. add
'.github/workflows/ci.yml' to the hashFiles list) so changes to the here-doc
generation invalidate the cache; you can keep the "Get Composer cache dir" step
(id: composer-cache) unchanged.
- Remove unreachable sonar.php.coverage.reportPaths from sonar-project.properties - Include workflow file in ci.yml Composer cache hash key - Add language identifier to copilot-instructions.md code block (MD040) - Expand PHP 8.0+ feature exclusion list with attributes, nullsafe, mixed type Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
.gitattributeswith LF line ending enforcement and comprehensive export-ignore rules (consistent with XMF/RegDom).gitignorewith organized sections, modern tooling entries (PHPUnit cache, build artifacts, Claude local files).scrutinizer.ymlto match XMF/RegDom structure with trailing slash patterns for recursive directory exclusion.coderabbit.yamlfor AI-powered code review with PHP 7.4 compatibility checks (tools nested under reviews per schema)sonar-project.propertiesfor SonarCloud static analysisrenovate.jsonfor automated dependency updates withseparateMinorPatchfor proper patch automergeqodana.yamlfor JetBrains Qodana PHP static analysis (usingqodana.recommendedprofile)phpstan.neonfor PHPStan static analysis at level 2ci.yml) with PHP 7.4-8.5 matrix, lowest-deps test, and Codecov coverage uploadqodana.ymlandsonarcloud.ymlGitHub Actions workflowsdependabot.ymlfor automated Composer and GitHub Actions dependency updatescopilot-instructions.mdwith XoopsCore25 architecture, conventions, and security practicesxoops-copilot-template.mdreusable template for XOOPS modulesCONTRIBUTING.mdrepository link (was pointing to XoopsModules25x/mymenus)bug-report.ymlto add PHP 8.5 and XOOPS 2.5.13 version optionsTest plan
.gitattributesexport-ignore rules work correctly withgit archive.gitignoreproperly excludes all intended paths🤖 Generated with Claude Code
Summary by CodeRabbit
Documentation
Chores
New Features