phpbench pulled in doctrine/annotations which has a security advisory.
The bench script and its only benchmark file are unused in CI.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

setup-php sets COMPOSER_NO_AUDIT=1 by default, which causes composer
audit to skip. Override it to 0 for the audit step.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Replace docker-based composer/node invocations in the format and analyze
jobs with shivammathur/setup-php@v2 and actions/setup-node@v4. Split
locale check and composer validate/audit into dedicated jobs for clarity.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Upgrade phpstan/phpstan from 1.12.* to ^2.0
- Raise analysis level to max
- Expand paths from 3 specific dirs to src/, app/, bin/, tests/
- Generate baseline capturing 95,365 existing errors for incremental adoption
- Rename composer script from `check` to `analyze`
- Add --memory-limit=1G to handle larger scan scope

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Move all TablesDB* test files from tests/e2e/Services/Databases/ to a
new tests/e2e/Services/TablesDB/ directory, updating namespaces and
adding explicit imports for shared base traits. Add TablesDB as a
separate service in the CI matrix so /v1/databases and /v1/tables tests
run as independent parallel jobs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Replace paginated listFiles API call with targeted getContent calls
to avoid timeouts on large PRs with thousands of changed files.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Resolves GHSA-cfw5-2vxh-hr84 (CVSS 6.3) and GHSA-mwv9-gp5h-frr4
(CVSS 2.7) in astro test resource sites.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Use $memory (which includes minMemory floor) and $cpus instead of raw
spec values in MB-seconds metrics, fixing underreporting for sites and
frameworks bumped to the minimum memory. Also remove redundant double
quotes around escapeshellarg() calls in mv command.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Move check-dependencies into ci.yml as Checks / Dependencies
  (upgrade to osv-scanner-reusable-pr.yml@v2.3.3, drop merge_group)
- Move pr-scan into ci.yml as Checks / Image
  (upgrade Trivy to 0.33.1, use SARIF + upload-sarif instead of
  custom PR comment logic)
- Rename Setup job to Build
- Fix format job git checkout HEAD^2 to only run on pull_request
- Rename PHPStan step correctly (was mislabeled CodeQL)
- Add Docker Hub login to benchmark job
- Remove no-op pull_request trigger from ai-moderator

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Merge linter, static-analysis, tests, and benchmark workflows into ci.yml
with structured job naming (Checks / Format, Tests / E2E / ..., etc.).
Shared Docker image build between tests and benchmark. Update actions to
latest versions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Replace shell-based database change detection with github-script using
the GitHub API, eliminating the need for a full checkout. Restructure
matrix generation with guard clauses and no mutation. Remove ciIgnore
exclude group from test command.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Hardcode lowercase env vars per database branch instead of using tr.
Use proper casing for database matrix values (MongoDB, MariaDB, PostgreSQL).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Merge 6 E2E jobs into 3 by combining dedicated/shared mode variants
into a single matrix dimension. Database adapters and table modes
expand dynamically based on whether utopia-php/database changed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Re-add itznotabug/php-retry@v3 wrapping all test steps with
max_attempts: 2 and retry_wait_seconds: 300. Also restore
pull-requests: write permission needed by the action.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Change .env defaults back from MongoDB to MariaDB
- Bump all remaining "Load and Start Appwrite" timeouts from 3 to 5 minutes
- Filter listener.* span logs to only export on error

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The abuseEnabled jobs previously only ran tests in Services/Projects,
missing the Account abuse test and any future abuseEnabled tests in
other services. Also rename jobs to "Abuse" for consistency.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The docker compose pull step alone can take over 2.5 minutes on CI
(e.g. openruntimes-executor, traefik), leaving no time for
docker compose up --wait within 3 minutes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>