---
# CI entry point. Everything except the `sonarqube` job is delegated to
# reusable workflows in netresearch/typo3-ci-workflows and netresearch/.github;
# this file only wires triggers, least-privilege token scopes and inputs.
name: CI

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:
  merge_group:
  schedule:
    - cron: '0 6 * * 1'

# Default token scopes are empty; each job grants only what it needs.
permissions: {}

jobs:
  # NOTE(review): the reusable workflows below are called via the mutable
  # `@main` ref, while the inline `sonarqube` job pins every action to a
  # commit SHA. A push to `main` in those workflow repos changes what runs
  # here without any diff in this repository; pinning the `uses:` refs to
  # a SHA (or at least a tag) would make the CI supply chain auditable from
  # this repo alone — confirm against how those repos are maintained.
  ci:
    uses: netresearch/typo3-ci-workflows/.github/workflows/ci.yml@main
    permissions:
      contents: read
      # `actions: read` lets the reusable workflow's preflight gate query
      # actions/workflows/{file}/runs and skip the post-merge `push` run
      # when a successful `merge_group` run for the same SHA exists. Same
      # rationale for e2e/security/fuzz/license-check below.
      actions: read
    with:
      php-versions: '["8.2","8.3","8.4","8.5"]'
      typo3-versions: '["^13.4.21","^14.3"]'
      run-functional-tests: true
      typo3-packages: '["typo3/cms-core","typo3/cms-rte-ckeditor"]'
    secrets:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

  # E2E (Playwright) across TYPO3 versions x extension-setup variants.
  # Variants exercise the extension under different sitepackage / FSC /
  # Bootstrap-Package combinations to surface regressions that are only
  # visible in specific configurations. See Build/Scripts/runTests.sh -X
  # for variant definitions.
  #
  # Advisory mode: new variants are not yet listed in the repo's
  # required_status_checks ruleset, so a failing variant won't block
  # merge. Once each variant stabilizes (failures investigated/fixed),
  # the corresponding context can be added to the ruleset to make it
  # blocking.
  e2e:
    uses: netresearch/typo3-ci-workflows/.github/workflows/e2e.yml@main
    permissions:
      contents: read
      actions: read
    with:
      typo3-versions: '["^13.4.21","^14.3"]'
      typo3-packages: '["typo3/cms-core","typo3/cms-rte-ckeditor"]'
      setup-variants: '["fsc","core-only","bootstrap"]'
      setup-script: 'Build/Scripts/ci-e2e.sh'
      artifact-path: 'Build/test-results/'
      # Passed as a workflow input rather than a job-level timeout —
      # presumably consumed by e2e.yml; confirm it declares this input.
      timeout-minutes: 45

  security:
    uses: netresearch/typo3-ci-workflows/.github/workflows/security.yml@main
    permissions:
      contents: read
      # Needed to upload SARIF results to code scanning.
      security-events: write
      actions: read

  fuzz:
    uses: netresearch/typo3-ci-workflows/.github/workflows/fuzz.yml@main
    permissions:
      contents: read
      actions: read
    with:
      run-fuzz-tests: false
      run-mutation-tests: false

  license-check:
    uses: netresearch/typo3-ci-workflows/.github/workflows/license-check.yml@main
    permissions:
      contents: read
      actions: read

  # Only on the weekly schedule or a push to the default branch.
  scorecard:
    if: github.event_name == 'schedule' || (github.event_name == 'push' && github.ref_name == github.event.repository.default_branch)
    uses: netresearch/.github/.github/workflows/scorecard.yml@main
    permissions:
      contents: read
      security-events: write
      # OIDC token for publishing results to the Scorecard API.
      id-token: write
      actions: read

  dependency-review:
    if: github.event_name == 'pull_request' || github.event_name == 'merge_group'
    uses: netresearch/.github/.github/workflows/dependency-review.yml@main
    permissions:
      contents: read
      # For PR comments. On `pull_request` from a fork GITHUB_TOKEN is
      # read-only regardless, so this only takes effect for same-repo PRs.
      pull-requests: write

  pr-quality:
    if: github.event_name == 'pull_request'
    uses: netresearch/.github/.github/workflows/pr-quality.yml@main
    permissions:
      contents: read
      pull-requests: write

  sonarqube:
    # Sonar covers push to main + same-repo PRs. Fork PRs do not receive
    # repository secrets, so SONAR_TOKEN would be empty and the scan would
    # fail; skip them. merge_group / schedule add no new signal (same code
    # already analyzed) and would only burn analysis quota.
    #
    # Inline (not the language-agnostic
    # netresearch/.github/.github/workflows/sonarqube.yml) so we can run
    # PHPUnit with coverage and feed the resulting Clover report to the
    # scanner — the reusable workflow only checks out + scans, with no
    # test execution. Single PHP/TYPO3 combo to keep CI cost bounded;
    # the `ci` job still exercises the full matrix.
    if: >-
      github.event_name == 'push' ||
      (github.event_name == 'pull_request' &&
      github.event.pull_request.head.repo.full_name == github.repository)
    runs-on: ubuntu-latest
    timeout-minutes: 20
    permissions:
      contents: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411  # v2.19.4
        with:
          # NOTE(review): `audit` only logs outbound connections. This job
          # runs `composer install` and `npm ci` (third-party install
          # scripts) with SONAR_TOKEN in the environment; once the audit log
          # shows the hosts actually needed, `egress-policy: block` with an
          # `allowed-endpoints` list is the hardened setting.
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
        with:
          # Sonar requires full history for accurate blame / new-code detection.
          fetch-depth: 0
          # Do not leave GITHUB_TOKEN in .git/config for later steps/scripts.
          persist-credentials: false

      - name: Setup PHP
        uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc  # 2.37.1
        with:
          php-version: '8.3'
          tools: composer:v2
          coverage: xdebug

      - name: Get Composer cache directory
        id: composer-cache
        run: echo "dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT"

      - name: Cache Composer dependencies
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
        with:
          path: ${{ steps.composer-cache.outputs.dir }}
          # Keyed on composer.json as evaluated before the `Install TYPO3`
          # step rewrites it, so the key is stable across runs.
          key: ${{ runner.os }}-composer-sonar-${{ hashFiles('composer.json') }}
          restore-keys: |
            ${{ runner.os }}-composer-sonar-

      - name: Install TYPO3
        run: |
          composer require --no-update "typo3/cms-core:^14.3" "typo3/cms-rte-ckeditor:^14.3"
          composer install --prefer-dist --no-progress

      - name: Run PHP unit tests with coverage
        env:
          XDEBUG_MODE: coverage
        # Reuses the existing composer script (which writes to
        # .Build/logs/clover-unit.xml) so the CI command matches what
        # developers run locally — same Xdebug driver, same output paths.
        run: composer ci:coverage:unit

      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
        with:
          node-version: '24'

      - name: Run JS unit tests with coverage
        # Vitest writes lcov to Tests/JavaScript/coverage/lcov.info,
        # picked up via `sonar.javascript.lcov.reportPaths` in
        # sonar-project.properties. Coverage is bounded — only files
        # importable without the CKEditor module graph (typolink-parser,
        # sanitize-src, select-image-bparams) get instrumented;
        # typo3image.js itself can't be loaded by vitest.
        #
        # Vitest's v8 provider emits SF paths relative to the cwd
        # (Tests/JavaScript), so they read as "../../Resources/...".
        # SonarCloud's scanner anchors SF lines to the project root and
        # otherwise warns "Could not resolve N file paths" → 0% coverage.
        # Strip the "../../" prefix so SF reads "Resources/..." (project
        # root-relative) and the scanner can match it to sonar.sources.
        run: |
          cd Tests/JavaScript
          npm ci --silent
          npm test -- --coverage
          sed -i 's|^SF:\.\./\.\./|SF:|g' coverage/lcov.info

      - name: SonarQube Scan
        uses: SonarSource/sonarqube-scan-action@7006c4492b2e0ee0f816d36501671557c97f5995  # v8.1.0
        env:
          # Empty on fork PRs; the job-level `if` above skips those.
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: 'https://sonarcloud.io'