Skip to content

👷 Add GitHub Actions CI#4

Merged
rickyheijnen merged 1 commit into
mainfrom
ci/github-actions
Jul 10, 2026
Merged

👷 Add GitHub Actions CI#4
rickyheijnen merged 1 commit into
mainfrom
ci/github-actions

Conversation

@rickyheijnen

@rickyheijnen rickyheijnen commented Jul 10, 2026

Copy link
Copy Markdown
Member

Summary

  • Runs PHPUnit on PHP 8.2, 8.3, 8.4, and 8.5
  • Runs PHPStan static analysis
  • Runs PHP CS Fixer in dry-run mode
  • Caches Composer dependencies and cancels stale runs on the same branch

Co-authored-by: Cursor <cursoragent@cursor.com>
@rickyheijnen rickyheijnen self-assigned this Jul 10, 2026
@brixion brixion deleted a comment from coderabbitai Bot Jul 10, 2026
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Adds a GitHub Actions CI workflow triggered by pushes to main and pull request events. It cancels overlapping runs for the same workflow and ref, runs PHPUnit across PHP 8.2–8.5, and runs PHPStan and PHP CS Fixer on PHP 8.2. Each job checks out the repository, configures PHP and Composer, caches dependencies, installs them, and executes its corresponding Composer command.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title is concise, English, starts with an emoji, and clearly describes the GitHub Actions CI workflow.
Description check ✅ Passed The description matches the CI workflow changes and summarizes the test, analysis, style, caching, and concurrency behavior.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/github-actions

Comment @coderabbitai help to get the list of available commands.

@rickyheijnen rickyheijnen changed the title Add GitHub Actions CI 👷 Add GitHub Actions CI Jul 10, 2026
@rickyheijnen
rickyheijnen merged commit bb3a71a into main Jul 10, 2026
7 checks passed

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)

31-40: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win

Include composer.lock in the cache key.

A lockfile-only dependency change currently reuses the old vendor cache. Hash both dependency manifests in all three jobs.

Proposed fix
-          key: composer-${{ runner.os }}-${{ matrix.php }}-${{ hashFiles('composer.json') }}
+          key: composer-${{ runner.os }}-${{ matrix.php }}-${{ hashFiles('composer.json', 'composer.lock') }}

Apply the equivalent change to the PHP 8.2 cache keys.

Also applies to: 58-67, 85-94

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 31 - 40, Update the Composer cache key
in all three CI job cache steps, including the PHP 8.2 jobs, to hash both
composer.json and composer.lock via hashFiles; keep the existing runner and PHP
matrix components and ensure restore-keys remain compatible.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 1-3: Add workflow-level read-only token permissions by placing a
permissions block with contents: read alongside the top-level name and on
declarations in the CI workflow, ensuring all jobs inherit the restricted scope.
- Line 22: Disable Git credential persistence for every actions/checkout@v4 step
in the workflow by adding persist-credentials: false to each checkout action
configuration, including the checkout step shown in the diff.

---

Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 31-40: Update the Composer cache key in all three CI job cache
steps, including the PHP 8.2 jobs, to hash both composer.json and composer.lock
via hashFiles; keep the existing runner and PHP matrix components and ensure
restore-keys remain compatible.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: affa5bd7-f56d-45cc-92dd-a7461b61e8a8

📥 Commits

Reviewing files that changed from the base of the PR and between ecb2e85 and 3fa1bf1.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

Comment thread .github/workflows/ci.yml
Comment on lines +1 to +3
name: CI

on:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

sed -n '1,220p' .github/workflows/ci.yml | cat -n

Repository: brixion/ulu-php

Length of output: 3200


Restrict workflow token permissions
.github/workflows/ci.yml:1-3
Add permissions: contents: read at the workflow level so the CI jobs don't inherit broader repository write access they don't need.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 1-98: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 1 - 3, Add workflow-level read-only
token permissions by placing a permissions block with contents: read alongside
the top-level name and on declarations in the CI workflow, ensuring all jobs
inherit the restricted scope.

Source: Linters/SAST tools

Comment thread .github/workflows/ci.yml
matrix:
php: ['8.2', '8.3', '8.4', '8.5']
steps:
- uses: actions/checkout@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

git ls-files .github/workflows/ci.yml
echo '---'
cat -n .github/workflows/ci.yml | sed -n '1,220p'

Repository: brixion/ulu-php

Length of output: 3229


🏁 Script executed:

#!/bin/bash
set -euo pipefail

git ls-files composer.json
echo '---'
cat -n composer.json | sed -n '1,220p'

Repository: brixion/ulu-php

Length of output: 1999


Disable checkout credential persistence. Set persist-credentials: false on each actions/checkout@v4 step; the Composer install and test commands run repository-controlled code that can read the persisted Git token from local config.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 22-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 22, Disable Git credential persistence for
every actions/checkout@v4 step in the workflow by adding persist-credentials:
false to each checkout action configuration, including the checkout step shown
in the diff.

Source: Linters/SAST tools

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant