Add WordPress plugin-check-action workflow #1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Plugin Check | |
| on: | |
| push: | |
| branches: [trunk] | |
| pull_request: | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| plugin-check: | |
| name: Plugin Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Run plugin check | |
| id: plugin-check | |
| continue-on-error: true | |
| uses: WordPress/plugin-check-action@v1 | |
| with: | |
| slug: multi-author-posts | |
| exclude-directories: | | |
| env | |
| tests | |
| vendor | |
| node_modules | |
| .github | |
| exclude-files: | | |
| .wp-env.json | |
| .wp-env.override.json | |
| phpunit.xml.dist | |
| composer.json | |
| composer.lock | |
| package.json | |
| package-lock.json | |
| README.md | |
| .gitignore | |
| # We deliberately don't escape WordPress.org-supplied translation strings. | |
| # plugin-check can't downgrade individual sniffs to warnings, so we | |
| # reclassify these codes here: emit them as ::warning:: annotations and | |
| # only fail the job on remaining real errors. | |
| - name: Reclassify findings | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| RESULTS="${RUNNER_TEMP}/plugin-check-results.txt" | |
| if [ ! -s "$RESULTS" ]; then | |
| echo "No plugin-check results file at $RESULTS; nothing to reclassify." | |
| exit 0 | |
| fi | |
| # Codes we accept by policy — emitted as warnings, never fail the build. | |
| # *EscapeOutput.UnsafePrintingFunction / *OutputNotEscaped: we trust w.org translations. | |
| # missing_direct_file_access_protection: namespaced bootstrap + autoloader; no top-level side-effect files. | |
| DOWNGRADE_RE='^(WordPress\.Security\.EscapeOutput\.UnsafePrintingFunction|WordPress\.Security\.EscapeOutput\.OutputNotEscaped|missing_direct_file_access_protection)$' | |
| # plugin-check writes paired lines: `FILE: <path>\n[ {line,column,type,code,message}, ... ]`. | |
| # Pair each file header with its JSON array, then expand each finding into one TSV row. | |
| : > findings.tsv | |
| awk '/^FILE: /{file=substr($0,7); next} NF{print file "\t" $0}' "$RESULTS" \ | |
| | while IFS=$'\t' read -r file json; do | |
| printf '%s' "$json" | jq -r --arg file "$file" --arg dr "$DOWNGRADE_RE" ' | |
| .[] | |
| | { | |
| file: $file, | |
| line: .line, | |
| col: .column, | |
| code: .code, | |
| type: (if (.type == "ERROR" and (.code | test($dr))) then "DOWNGRADED" else .type end), | |
| message: .message | |
| } | |
| | [.file, (.line|tostring), (.col|tostring), .type, .code, .message] | @tsv | |
| ' >> findings.tsv | |
| done | |
| real_errors=0 | |
| downgraded=0 | |
| warnings=0 | |
| while IFS=$'\t' read -r file line col type code msg; do | |
| case "$type" in | |
| ERROR) | |
| printf '::error file=%s,line=%s,col=%s::[%s] %s\n' "$file" "$line" "$col" "$code" "$msg" | |
| real_errors=$((real_errors+1)) | |
| ;; | |
| DOWNGRADED) | |
| printf '::warning file=%s,line=%s,col=%s::[%s] (downgraded per policy) %s\n' "$file" "$line" "$col" "$code" "$msg" | |
| downgraded=$((downgraded+1)) | |
| ;; | |
| WARNING) | |
| printf '::warning file=%s,line=%s,col=%s::[%s] %s\n' "$file" "$line" "$col" "$code" "$msg" | |
| warnings=$((warnings+1)) | |
| ;; | |
| esac | |
| done < findings.tsv | |
| { | |
| echo "## Plugin Check summary" | |
| echo "" | |
| echo "| Type | Count |" | |
| echo "| --- | --- |" | |
| echo "| Errors (fail the build) | $real_errors |" | |
| echo "| Downgraded by policy (warnings) | $downgraded |" | |
| echo "| Warnings | $warnings |" | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| if [ "$real_errors" -gt 0 ]; then | |
| echo "::error::plugin-check found $real_errors error(s) after policy downgrade" | |
| exit 1 | |
| fi |