Update dev environment#2
Conversation
BrianHenryIE
commented
Feb 13, 2026
- Add .editorconfig, .gitattributes, rector.php
- Add .wp-env.json with PHP 8.4, test-plugin and src/assets mappings, woocommerce
- Add package.json with @wordpress/env
- Add tests/_wp-env/ lifecycle scripts (external + internal)
- Add .github/dependabot.yml (Actions, npm, Composer)
- Add .github/workflows/unit-coverage.yml (multi-PHP 8.0-8.4, PR coverage comments)
- Add .github/workflows/phpcbf.yml (PHP 8.4, PR trigger)
- Add .github/workflows/phpstan.yml (PR-aware, only fails on changed files)
- Update phpcs.xml with standard global exclusions
- Update .env.testing to standard format (root/password, separate DB_PORT)
- Update codeception.dist.yml (cleaned up)
- Update .gitignore with additional patterns
- Update composer.json:
  - Add johnpbloch/wordpress-core-installer to allow-plugins
  - Add autoload-dev PSR-4 for test dirs + classmap for tests/_support
  - Add rector, php-codecoverage-markdown, johnpbloch/wordpress to require-dev
  - Replace coverage-tests/lint/lint-changes with test/test-coverage/cs/cs-fix/cs-strict/cs-changes/cs-changes-strict
Summary of Changes
Hello @BrianHenryIE, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly upgrades the project's development and continuous integration environment. It introduces standardized configurations for code style, version control attributes, and automated code refactoring. A new
Code Review
This pull request significantly updates the development environment by introducing new configuration files for editor settings, git, wp-env, and Dependabot, as well as adding several GitHub Actions workflows for CI/CD. It also refactors composer scripts and updates dependencies. My review focuses on improving the consistency, security, and maintainability of these new configurations. I've pointed out a potential security risk with a disabled PHPCS security rule, use of weak credentials in the test environment, inconsistencies in editor configuration, and overly complex shell scripts in composer.json.
| <!-- I'm not really sure how this is a security problem. --> | ||
| <rule ref="WordPress.Security.EscapeOutput.ExceptionNotEscaped"> | ||
| <exclude-pattern>*</exclude-pattern> | ||
| </rule> |
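Review bot: the inline comment on the first line of this hunk records that the reason for the exclusion is unknown, which does not support a project-wide `<exclude-pattern>*</exclude-pattern>`. Either narrow the pattern to the paths where the warnings actually occur (for example a `tests/` directory, where exception text only ever goes to a terminal) and replace the comment with that reason, or leave the rule enabled and handle each flagged throw site individually, so a later contributor can tell whether the exclusion is still justified.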
Disabling the WordPress.Security.EscapeOutput.ExceptionNotEscaped rule globally is a security risk. Exception messages can sometimes contain user-controllable data. If these messages are displayed without escaping (e.g., in an error log viewable in a browser or on a debug page), it could lead to Cross-Site Scripting (XSS) vulnerabilities. It is strongly recommended to address these warnings on a case-by-case basis, either by ensuring the data is safe or by using a // phpcs:ignore comment with a justification, rather than disabling the rule for the entire project.
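To make the reviewer's point concrete, an added example (not code from this PR or its author) shows the throw site this sniff flags, the escaped form, and a scoped `phpcs:ignore` with a justification; it assumes WordPress is loaded and uses invented `example_plugin_*` names:

```php
<?php
// Added example, not code from this PR. It shows the throw site that
// WordPress.Security.EscapeOutput.ExceptionNotEscaped flags and the two
// alternatives to a project-wide exclusion. Assumes WordPress is loaded
// (esc_html, get_option); the example_plugin_* names are invented.

/**
 * Flagged: request-derived data ($requested_slug) is interpolated into the
 * message unescaped. Any catch block that prints $e->getMessage() in an
 * admin notice or passes it to wp_die() then renders attacker-supplied HTML.
 */
function example_plugin_load_unsafe( string $requested_slug ): array {
	$item = get_option( 'example_plugin_item_' . $requested_slug );
	if ( false === $item ) {
		throw new RuntimeException( "No item found for slug: {$requested_slug}" );
	}
	return (array) $item;
}

/**
 * Fix 1: escape the dynamic part at the throw site so the message is safe
 * wherever it is displayed later. Constant-string messages are not flagged.
 */
function example_plugin_load( string $requested_slug ): array {
	$item = get_option( 'example_plugin_item_' . $requested_slug );
	if ( false === $item ) {
		throw new RuntimeException( esc_html( "No item found for slug: {$requested_slug}" ) );
	}
	return (array) $item;
}

/**
 * Fix 2: where the message provably never reaches a browser, suppress the
 * sniff on that one line and say why. Here, by assumption, the only
 * consumer is the error log written by the (cron) caller's catch block.
 */
function example_plugin_sync( array $slugs ): void {
	$failures = array();
	foreach ( $slugs as $slug ) {
		try {
			example_plugin_load( $slug );
		} catch ( RuntimeException $e ) {
			$failures[] = $slug;
		}
	}
	if ( $failures ) {
		// phpcs:ignore WordPress.Security.EscapeOutput.ExceptionNotEscaped -- Caught by the cron callback and written to error_log only; never rendered.
		throw new RuntimeException( 'Sync failed for: ' . implode( ', ', $failures ) );
	}
}
```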
| [*.xml] | ||
| indent_style = tab | ||
| indent_size = 4 |
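Review bot: `indent_size = 4` under `indent_style = tab` only sets the displayed width of a tab (EditorConfig derives `tab_width` from `indent_size` when it is unset), so this section produces tab-indented XML; if the other sections of the file indent with spaces, editors will mix the two styles between phpcs.xml and the rest of the repository. State the intended style in a comment or add an explicit `tab_width` so the choice is visible to readers of the file.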
| TEST_DB_USER="root" | ||
| TEST_DB_PASSWORD="password" |
Using common default credentials like root and password (here and on lines 13-14) is a security risk, even in a testing environment. If this configuration is ever accidentally used in a more exposed setting, it could be easily compromised. It's better practice to use more specific and less guessable credentials, for example by appending the project name.
| "cs-changes": [ | ||
| "updated_files=$(echo $(git diff --name-only `git merge-base origin/master HEAD` | grep \\.php | tr '\\n' '\\0' | xargs -0 ls -1df 2>/dev/null)); if [ -n \"$updated_files\" ]; then phpcbf $(echo $updated_files); phpcs $(echo $updated_files); phpstan analyse $(echo $updated_files) --memory-limit 1G; else echo \"No modified php files for phpstan.\"; fi;" | ||
| ], |
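Review bot: `grep \\.php` on the second line is unanchored, so it also selects paths that merely contain `.php` (such as `.phpcs.xml.dist`), and the `tr '\\n' '\\0' | xargs -0 ls -1df` chain exists only to drop deleted files. Both can be replaced by `git diff --name-only --diff-filter=d <base> -- '*.php'` (a lowercase letter in `--diff-filter` excludes that change type, and the pathspec limits the result to PHP files), with the output fed NUL-separated to `xargs` so paths containing spaces survive. Two smaller points: the fallback message `No modified php files for phpstan.` is misleading because phpcbf and phpcs are skipped as well, and phpcbf rewrites files before phpcs and phpstan run, which is worth documenting since `cs-changes` reads like a read-only check.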
The cs-changes script is overly complex and not fully robust. The echo $(...) is redundant, and $(echo $updated_files) is not safe for filenames with spaces. The file discovery part using grep, tr, and xargs ls can also be simplified. Consider rewriting this for better readability and robustness. A more modern approach would use git diff --name-only --diff-filter=ACMRTUXB to get the list of files and pipe it to xargs.
| "cs-changes-strict": [ | ||
| "updated_files=$(echo $(git diff --name-only `git merge-base origin/master HEAD` | grep \\.php | tr '\\n' '\\0' | xargs -0 ls -1df 2>/dev/null)); if [ -n \"$updated_files\" ]; then phpcbf $(echo $updated_files); phpcs $(echo $updated_files); phpstan analyse $(echo $updated_files) --level max --memory-limit 1G; else echo \"No modified php files for phpstan.\"; fi;" | ||
| ] |
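Review bot: this script is a byte-for-byte copy of `cs-changes` with `--level max` appended to the phpstan call, so any fix to one will have to be repeated in the other and the two will drift. Move the pipeline into a single shell file (for example alongside the lifecycle scripts under `tests/_wp-env/`, or in a `bin/` directory) that takes the phpstan level as an argument, and have both composer entries call it.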
Generated: Fri, Feb 13, 2026, 7:28:56 UTC.
phpcov 8.2.1 by Sebastian Bergmann. Unable to detect executable lines that were changed.