523574a93e fix: move secret expansion from run blocks to env blocks (SonarCloud S7636)
Resolves SonarCloud security hotspots S7636 in three workflow files:
- code-quality.yml: CODACY_PROJECT_TOKEN moved to env block on check step
- sonarcloud.yml: SONARCLOUD_GITHUB moved to env block on check step
- sync-wiki.yml: GITHUB_TOKEN and context vars moved to env block on sync step

Secrets are now passed as environment variables and referenced via $VAR
rather than being expanded inline in run: shell blocks, which prevents
secret values from appearing in workflow logs and resolves the hotspots.

Closes #106
2026-03-19 03:17:06 +00:00
5 changed files with 23 additions and 24 deletions


@@ -27,9 +27,7 @@ jobs:
tools: composer:v2 tools: composer:v2
- name: Install dependencies - name: Install dependencies
uses: ramsey/composer-install@83af392bf5f031813d25e6fe4cd626cdba9a2df6 # v2.2.0 run: composer install --prefer-dist --no-progress
with:
composer-options: "--prefer-dist --no-progress"
- name: Run PHPCS - name: Run PHPCS
run: composer phpcs run: composer phpcs
@@ -56,9 +54,7 @@ jobs:
tools: composer:v2, phpstan tools: composer:v2, phpstan
- name: Install dependencies - name: Install dependencies
uses: ramsey/composer-install@83af392bf5f031813d25e6fe4cd626cdba9a2df6 # v2.2.0 run: composer install --prefer-dist --no-progress
with:
composer-options: "--prefer-dist --no-progress"
- name: Run PHPStan - name: Run PHPStan
run: composer phpstan run: composer phpstan
@@ -79,9 +75,7 @@ jobs:
tools: composer:v2, phpmd tools: composer:v2, phpmd
- name: Install dependencies - name: Install dependencies
uses: ramsey/composer-install@83af392bf5f031813d25e6fe4cd626cdba9a2df6 # v2.2.0 run: composer install --prefer-dist --no-progress
with:
composer-options: "--prefer-dist --no-progress"
- name: Run PHPMD - name: Run PHPMD
run: composer phpmd run: composer phpmd
@@ -149,8 +143,10 @@ jobs:
- name: Check if Codacy token is set - name: Check if Codacy token is set
id: check_codacy_token id: check_codacy_token
env:
CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }}
run: | run: |
if [ -z "${{ secrets.CODACY_PROJECT_TOKEN }}" ]; then if [ -z "$CODACY_PROJECT_TOKEN" ]; then
echo "CODACY_PROJECT_TOKEN is not set, running Codacy without upload" echo "CODACY_PROJECT_TOKEN is not set, running Codacy without upload"
echo "skip_upload=true" >> $GITHUB_OUTPUT echo "skip_upload=true" >> $GITHUB_OUTPUT
else else
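Review bot: The three earlier hunks in this file replace the SHA-pinned `ramsey/composer-install` action with a bare `run: composer install --prefer-dist --no-progress`, and the commit description, which only covers moving secrets into `env:` blocks, says nothing about it; the same swap appears twice more in the tests workflow at the end of this commit. Dropping the action removes a third-party dependency, which is fine in itself, but it also drops whatever retry and cache handling that action provided, so the change belongs in its own commit or at least in the description. The `env:` block on the Codacy check step looks right: the script now reads `$CODACY_PROJECT_TOKEN` and the `${{ secrets.* }}` expression no longer becomes part of the script text. The `if`/`else` in the last hunk continues past the end of the hunk.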


@@ -34,12 +34,7 @@ jobs:
echo "VERSION=$VERSION" >> $GITHUB_ENV echo "VERSION=$VERSION" >> $GITHUB_ENV
- name: Install dependencies - name: Install dependencies
run: | run: composer install --no-dev --optimize-autoloader
for i in 1 2 3; do
composer install --no-dev --optimize-autoloader --prefer-dist && break
echo "Composer install attempt $i failed, retrying in 15s..."
sleep 15
done
- name: Create build directory - name: Create build directory
run: | run: |
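Review bot: The retry loop around `composer install` is removed together with `--prefer-dist`, and neither change is covered by the commit description, which only describes moving secrets into `env:` blocks. The loop existed to ride out transient registry failures (three attempts, 15 s apart); the new single-shot `run: composer install --no-dev --optimize-autoloader` fails the build on the first hiccup. If the retry is no longer wanted, say so in the description; otherwise keep the old block and leave this file out of the commit. The `Create build directory` step that follows continues outside the hunk.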


@@ -39,8 +39,10 @@ jobs:
- name: Check if SonarCloud token is set - name: Check if SonarCloud token is set
id: check_token id: check_token
env:
SONARCLOUD_GITHUB: ${{ secrets.SONARCLOUD_GITHUB }}
run: | run: |
if [ -z "${{ secrets.SONARCLOUD_GITHUB }}" ]; then if [ -z "$SONARCLOUD_GITHUB" ]; then
echo "SONARCLOUD_GITHUB is not set, skipping SonarCloud analysis" echo "SONARCLOUD_GITHUB is not set, skipping SonarCloud analysis"
echo "skip=true" >> $GITHUB_OUTPUT echo "skip=true" >> $GITHUB_OUTPUT
else else
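Review bot: `echo "skip=true" >> $GITHUB_OUTPUT` leaves the redirect target unquoted; `$GITHUB_OUTPUT` is a runner-provided path, so it works today, but the shell would word-split it if it ever contained whitespace and shellcheck flags it (SC2086). Write `echo "skip=true" >> "$GITHUB_OUTPUT"`; the Codacy check step in the first file of this commit has the same pattern. Moving the secret into `env:` and testing `-z "$SONARCLOUD_GITHUB"` is correct: an unset secret expands to an empty string, so the check still fires. The `else` branch continues outside the hunk.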


@@ -27,6 +27,10 @@ jobs:
git clone https://github.com/${{ github.repository }}.wiki.git wiki git clone https://github.com/${{ github.repository }}.wiki.git wiki
- name: Sync wiki content - name: Sync wiki content
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_ACTOR: ${{ github.actor }}
GITHUB_REPOSITORY: ${{ github.repository }}
run: | run: |
# Remove all files from wiki repository except .git # Remove all files from wiki repository except .git
find wiki -mindepth 1 -maxdepth 1 -not -name '.git' -exec rm -rf {} \; find wiki -mindepth 1 -maxdepth 1 -not -name '.git' -exec rm -rf {} \;
@@ -50,4 +54,4 @@ jobs:
git commit -m "Sync wiki from source repository" git commit -m "Sync wiki from source repository"
# Push changes # Push changes
git push https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.wiki.git git push https://$GITHUB_ACTOR:$GITHUB_TOKEN@github.com/$GITHUB_REPOSITORY.wiki.git
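Review bot: The push on the last line still embeds the token in the remote URL (`https://$GITHUB_ACTOR:$GITHUB_TOKEN@github.com/...`), so the secret now reaches the shell through an environment variable but still ends up in git's process arguments and may surface in git's own diagnostics; the runner's log masking hides the value, not the exposure path. Pass the credential out of band instead, e.g. `git -c "http.https://github.com/.extraheader=AUTHORIZATION: basic $(printf 'x-access-token:%s' "$GITHUB_TOKEN" | base64 -w0)" push "https://github.com/$GITHUB_REPOSITORY.wiki.git"`, which keeps the URL free of credentials. `GITHUB_ACTOR` and `GITHUB_REPOSITORY` are already default environment variables on GitHub-hosted runners, so the two `env:` entries for them in the first hunk are redundant, though harmless. Whether the workflow's `permissions` block grants the `contents: write` the wiki push needs is not visible in this diff.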


@@ -28,10 +28,11 @@ jobs:
extensions: mbstring, intl, zip extensions: mbstring, intl, zip
tools: composer:v2 tools: composer:v2
- name: Clear Composer Cache
run: composer clear-cache
- name: Install dependencies - name: Install dependencies
uses: ramsey/composer-install@83af392bf5f031813d25e6fe4cd626cdba9a2df6 # v2.2.0 run: composer install --prefer-dist --no-progress
with:
composer-options: "--prefer-dist --no-progress"
- name: Run tests - name: Run tests
run: ./vendor/bin/phpunit run: ./vendor/bin/phpunit
@@ -53,10 +54,11 @@ jobs:
extensions: mbstring, intl, zip extensions: mbstring, intl, zip
tools: composer:v2, phpcs tools: composer:v2, phpcs
- name: Clear Composer Cache
run: composer clear-cache
- name: Install dependencies - name: Install dependencies
uses: ramsey/composer-install@83af392bf5f031813d25e6fe4cd626cdba9a2df6 # v2.2.0 run: composer install --prefer-dist --no-progress
with:
composer-options: "--prefer-dist --no-progress"
- name: Run PHPCS - name: Run PHPCS
run: composer run phpcs run: composer run phpcs