wp-plugin-starter-template-for-ai-coding/.github/workflows/code-quality.yml

name: Code Quality

on:
  # Only run on push to main (not feature branches) to avoid duplicate runs.
  # Feature branches get CI via pull_request trigger.
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:

jobs:
  phpcs:
    name: PHP CodeSniffer
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          clean: 'true'

      - name: Setup PHP
        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
        with:
          php-version: '8.1'
          extensions: mbstring, intl, zip
          tools: composer:v2

      - name: Install dependencies
        run: composer install --prefer-dist --no-progress

      - name: Run PHPCS
        run: composer phpcs
        continue-on-error: true

      - name: Run PHPCBF (report only)
        run: |
          echo "Running PHPCBF in dry-run mode to show what would be fixed"
          composer phpcbf -- --dry-run
        continue-on-error: true

  phpstan:
    name: PHPStan Static Analysis
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Setup PHP
        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
        with:
          php-version: '8.1'
          extensions: mbstring, intl, zip
          tools: composer:v2, phpstan

      - name: Install dependencies
        run: composer install --prefer-dist --no-progress

      - name: Run PHPStan
        run: composer phpstan
        continue-on-error: true

  phpmd:
    name: PHP Mess Detector
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Setup PHP
        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
        with:
          php-version: '8.1'
          extensions: mbstring, intl, zip
          tools: composer:v2, phpmd

      - name: Install dependencies
        run: composer install --prefer-dist --no-progress

      - name: Run PHPMD
        run: composer phpmd
        continue-on-error: true

  # NOTE: SonarCloud job is disabled because SONAR_TOKEN is not properly configured.
  # To enable, configure a valid SONAR_TOKEN secret and uncomment this job.
  # Generate a token at: https://sonarcloud.io/account/security
  #
  # sonarcloud:
  #   name: SonarCloud Analysis
  #   runs-on: ubuntu-latest
  #   steps:
  #     - name: Checkout code
  #       uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  #       with:
  #         fetch-depth: 0
  #
  #     - name: Set up JDK 17
  #       uses: actions/setup-java@v4
  #       with:
  #         java-version: 17
  #         distribution: 'temurin'
  #
  #     - name: Cache SonarCloud packages
  #       uses: actions/cache@v4
  #       with:
  #         path: ~/.sonar/cache
  #         key: ${{ runner.os }}-sonar
  #         restore-keys: ${{ runner.os }}-sonar
  #
  #     - name: Check if SonarCloud token is set
  #       id: check_sonar_token
  #       run: |
  #         if [ -z "${{ secrets.SONAR_TOKEN }}" ]; then
  #           echo "SONAR_TOKEN is not set, skipping SonarCloud analysis"
  #           echo "skip=true" >> $GITHUB_OUTPUT
  #         else
  #           echo "skip=false" >> $GITHUB_OUTPUT
  #         fi
  #
  #     - name: SonarCloud Scan
  #       if: steps.check_sonar_token.outputs.skip != 'true'
  #       uses: SonarSource/sonarqube-scan-action@9598b8a83feef37de07f549027fab50ecffe6a6e # master
  #       env:
  #         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  #         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  #       with:
  #         args: >
  #           -Dsonar.projectKey=wpallstars_wp-plugin-starter-template-for-ai-coding
  #           -Dsonar.organization=wpallstars
  #           -Dsonar.sources=.
  #           -Dsonar.exclusions=vendor/**,node_modules/**,tests/**,bin/**,build/**,dist/**,.github/**,.git/**,cypress/**,playground/**,.wiki/**
  #           -Dsonar.sourceEncoding=UTF-8
  #       continue-on-error: true

  codacy:
    name: Codacy Analysis
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0

      - name: Check if Codacy token is set
        id: check_codacy_token
        run: |
          if [ -z "${{ secrets.CODACY_PROJECT_TOKEN }}" ]; then
            echo "CODACY_PROJECT_TOKEN is not set, running Codacy without upload"
            echo "skip_upload=true" >> $GITHUB_OUTPUT
          else
            echo "skip_upload=false" >> $GITHUB_OUTPUT
          fi

      - name: Run Codacy Analysis CLI
        uses: codacy/codacy-analysis-cli-action@562ee3e92b8e92df8b67e0a5ff8aa8e261919c08 # v4
        with:
          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
          verbose: true
          output: results.sarif
          format: sarif
          # Limit the number of issues to prevent GitHub Code Scanning rejection
          gh-code-scanning-compat: true
          max-allowed-issues: 20
          # Limit tools to prevent timeouts and stay under GitHub's 20 runs limit
          tool: phpcs,phpmd,markdownlint
        continue-on-error: true

      - name: Upload SARIF results file
        if: steps.check_codacy_token.outputs.skip_upload != 'true'
        uses: github/codeql-action/upload-sarif@603b797f8b14b413fe025cd935a91c16c4782713 # v3
        with:
          sarif_file: results.sarif
        continue-on-error: true