2026-02-01 06:11:00 +00:00
|
|
|
// cmd_ci.go implements the 'php ci' command for CI/CD pipeline integration.
|
|
|
|
|
//
|
|
|
|
|
// Usage:
|
|
|
|
|
// core php ci # Run full CI pipeline
|
|
|
|
|
// core php ci --json # Output combined JSON report
|
|
|
|
|
// core php ci --summary # Output markdown summary
|
|
|
|
|
// core php ci --sarif # Generate SARIF files
|
|
|
|
|
// core php ci --upload-sarif # Upload SARIF to GitHub Security
|
|
|
|
|
// core php ci --fail-on=high # Only fail on high+ severity
|
|
|
|
|
|
|
|
|
|
package php
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"encoding/json"
|
|
|
|
|
"errors"
|
|
|
|
|
"fmt"
|
|
|
|
|
"os"
|
|
|
|
|
"os/exec"
|
|
|
|
|
"path/filepath"
|
|
|
|
|
"strings"
|
|
|
|
|
"time"
|
|
|
|
|
|
2026-02-16 00:30:41 +00:00
|
|
|
"forge.lthn.ai/core/cli/pkg/cli"
|
|
|
|
|
"forge.lthn.ai/core/cli/pkg/i18n"
|
2026-02-01 06:11:00 +00:00
|
|
|
"github.com/spf13/cobra"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// CI command flags
|
|
|
|
|
var (
|
|
|
|
|
ciJSON bool
|
|
|
|
|
ciSummary bool
|
|
|
|
|
ciSARIF bool
|
|
|
|
|
ciUploadSARIF bool
|
|
|
|
|
ciFailOn string
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// CIResult represents the overall CI pipeline result
|
|
|
|
|
type CIResult struct {
|
feat: git command, build improvements, and go fmt git-aware (#74)
* feat(go): make go fmt git-aware by default
- By default, only check changed Go files (modified, staged, untracked)
- Add --all flag to check all files (previous behaviour)
- Reduces noise when running fmt on large codebases
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(build): minimal output by default, add missing i18n
- Default output now shows single line: "Success Built N artifacts (dir)"
- Add --verbose/-v flag to show full detailed output
- Add all missing i18n translations for build commands
- Errors still show failure reason in minimal mode
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: add root-level `core git` command
- Create pkg/gitcmd with git workflow commands as root menu
- Export command builders from pkg/dev (AddCommitCommand, etc.)
- Commands available under both `core git` and `core dev` for compatibility
- Git commands: health, commit, push, pull, work, sync, apply
- GitHub orchestration stays in dev: issues, reviews, ci, impact
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(qa): add docblock coverage checking
Implement docblock/docstring coverage analysis for Go code:
- New `core qa docblock` command to check coverage
- Shows compact file:line list when under threshold
- Integrate with `core go qa` as a default check
- Add --docblock-threshold flag (default 80%)
The checker uses Go AST parsing to find exported symbols
(functions, types, consts, vars) without documentation.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address CodeRabbit review feedback
- Fix doc comment: "status" → "health" in gitcmd package
- Implement --check flag for `core go fmt` (exits non-zero if files need formatting)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* docs: add docstrings for 100% coverage
Add documentation comments to all exported symbols:
- pkg/build: ProjectType constants
- pkg/cli: LogLevel, RenderStyle, TableStyle
- pkg/framework: ServiceFor, MustServiceFor, Core.Core
- pkg/git: GitError.Error, GitError.Unwrap
- pkg/i18n: Handler Match/Handle methods
- pkg/log: Level constants
- pkg/mcp: Tool input/output types
- pkg/php: Service constants, QA types, service methods
- pkg/process: ServiceError.Error
- pkg/repos: RepoType constants
- pkg/setup: ChangeType, ChangeCategory constants
- pkg/workspace: AddWorkspaceCommands
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* chore: standardize line endings to LF
Add .gitattributes to enforce LF line endings for all text files.
Normalize all existing files to use Unix-style line endings.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address CodeRabbit review feedback
- cmd_format.go: validate --check/--fix mutual exclusivity, capture stderr
- cmd_docblock.go: return error instead of os.Exit(1) for proper error handling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address CodeRabbit review feedback (round 2)
- linuxkit.go: propagate state update errors, handle cmd.Wait() errors in waitForExit
- mcp.go: guard against empty old_string in editDiff to prevent runaway edits
- cmd_docblock.go: log parse errors instead of silently skipping
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 10:48:44 +00:00
|
|
|
Passed bool `json:"passed"`
|
|
|
|
|
ExitCode int `json:"exit_code"`
|
|
|
|
|
Duration string `json:"duration"`
|
|
|
|
|
StartedAt time.Time `json:"started_at"`
|
2026-02-01 06:11:00 +00:00
|
|
|
Checks []CICheckResult `json:"checks"`
|
feat: git command, build improvements, and go fmt git-aware (#74)
* feat(go): make go fmt git-aware by default
- By default, only check changed Go files (modified, staged, untracked)
- Add --all flag to check all files (previous behaviour)
- Reduces noise when running fmt on large codebases
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(build): minimal output by default, add missing i18n
- Default output now shows single line: "Success Built N artifacts (dir)"
- Add --verbose/-v flag to show full detailed output
- Add all missing i18n translations for build commands
- Errors still show failure reason in minimal mode
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: add root-level `core git` command
- Create pkg/gitcmd with git workflow commands as root menu
- Export command builders from pkg/dev (AddCommitCommand, etc.)
- Commands available under both `core git` and `core dev` for compatibility
- Git commands: health, commit, push, pull, work, sync, apply
- GitHub orchestration stays in dev: issues, reviews, ci, impact
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(qa): add docblock coverage checking
Implement docblock/docstring coverage analysis for Go code:
- New `core qa docblock` command to check coverage
- Shows compact file:line list when under threshold
- Integrate with `core go qa` as a default check
- Add --docblock-threshold flag (default 80%)
The checker uses Go AST parsing to find exported symbols
(functions, types, consts, vars) without documentation.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address CodeRabbit review feedback
- Fix doc comment: "status" → "health" in gitcmd package
- Implement --check flag for `core go fmt` (exits non-zero if files need formatting)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* docs: add docstrings for 100% coverage
Add documentation comments to all exported symbols:
- pkg/build: ProjectType constants
- pkg/cli: LogLevel, RenderStyle, TableStyle
- pkg/framework: ServiceFor, MustServiceFor, Core.Core
- pkg/git: GitError.Error, GitError.Unwrap
- pkg/i18n: Handler Match/Handle methods
- pkg/log: Level constants
- pkg/mcp: Tool input/output types
- pkg/php: Service constants, QA types, service methods
- pkg/process: ServiceError.Error
- pkg/repos: RepoType constants
- pkg/setup: ChangeType, ChangeCategory constants
- pkg/workspace: AddWorkspaceCommands
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* chore: standardize line endings to LF
Add .gitattributes to enforce LF line endings for all text files.
Normalize all existing files to use Unix-style line endings.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address CodeRabbit review feedback
- cmd_format.go: validate --check/--fix mutual exclusivity, capture stderr
- cmd_docblock.go: return error instead of os.Exit(1) for proper error handling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address CodeRabbit review feedback (round 2)
- linuxkit.go: propagate state update errors, handle cmd.Wait() errors in waitForExit
- mcp.go: guard against empty old_string in editDiff to prevent runaway edits
- cmd_docblock.go: log parse errors instead of silently skipping
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 10:48:44 +00:00
|
|
|
Summary CISummary `json:"summary"`
|
|
|
|
|
Artifacts []string `json:"artifacts,omitempty"`
|
2026-02-01 06:11:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// CICheckResult represents an individual check result
|
|
|
|
|
type CICheckResult struct {
|
|
|
|
|
Name string `json:"name"`
|
|
|
|
|
Status string `json:"status"` // passed, failed, warning, skipped
|
|
|
|
|
Duration string `json:"duration"`
|
|
|
|
|
Details string `json:"details,omitempty"`
|
|
|
|
|
Issues int `json:"issues,omitempty"`
|
|
|
|
|
Errors int `json:"errors,omitempty"`
|
|
|
|
|
Warnings int `json:"warnings,omitempty"`
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// CISummary contains aggregate statistics
|
|
|
|
|
type CISummary struct {
|
|
|
|
|
Total int `json:"total"`
|
|
|
|
|
Passed int `json:"passed"`
|
|
|
|
|
Failed int `json:"failed"`
|
|
|
|
|
Warnings int `json:"warnings"`
|
|
|
|
|
Skipped int `json:"skipped"`
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func addPHPCICommand(parent *cobra.Command) {
|
|
|
|
|
ciCmd := &cobra.Command{
|
|
|
|
|
Use: "ci",
|
|
|
|
|
Short: i18n.T("cmd.php.ci.short"),
|
|
|
|
|
Long: i18n.T("cmd.php.ci.long"),
|
|
|
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
|
|
|
return runPHPCI()
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ciCmd.Flags().BoolVar(&ciJSON, "json", false, i18n.T("cmd.php.ci.flag.json"))
|
|
|
|
|
ciCmd.Flags().BoolVar(&ciSummary, "summary", false, i18n.T("cmd.php.ci.flag.summary"))
|
|
|
|
|
ciCmd.Flags().BoolVar(&ciSARIF, "sarif", false, i18n.T("cmd.php.ci.flag.sarif"))
|
|
|
|
|
ciCmd.Flags().BoolVar(&ciUploadSARIF, "upload-sarif", false, i18n.T("cmd.php.ci.flag.upload_sarif"))
|
|
|
|
|
ciCmd.Flags().StringVar(&ciFailOn, "fail-on", "error", i18n.T("cmd.php.ci.flag.fail_on"))
|
|
|
|
|
|
|
|
|
|
parent.AddCommand(ciCmd)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func runPHPCI() error {
|
|
|
|
|
cwd, err := os.Getwd()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return cli.Err("%s: %w", i18n.T("i18n.fail.get", "working directory"), err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !IsPHPProject(cwd) {
|
|
|
|
|
return errors.New(i18n.T("cmd.php.error.not_php"))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
startTime := time.Now()
|
|
|
|
|
ctx := context.Background()
|
|
|
|
|
|
|
|
|
|
// Define checks to run in order
|
|
|
|
|
checks := []struct {
|
feat: git command, build improvements, and go fmt git-aware (#74)
* feat(go): make go fmt git-aware by default
- By default, only check changed Go files (modified, staged, untracked)
- Add --all flag to check all files (previous behaviour)
- Reduces noise when running fmt on large codebases
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(build): minimal output by default, add missing i18n
- Default output now shows single line: "Success Built N artifacts (dir)"
- Add --verbose/-v flag to show full detailed output
- Add all missing i18n translations for build commands
- Errors still show failure reason in minimal mode
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: add root-level `core git` command
- Create pkg/gitcmd with git workflow commands as root menu
- Export command builders from pkg/dev (AddCommitCommand, etc.)
- Commands available under both `core git` and `core dev` for compatibility
- Git commands: health, commit, push, pull, work, sync, apply
- GitHub orchestration stays in dev: issues, reviews, ci, impact
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(qa): add docblock coverage checking
Implement docblock/docstring coverage analysis for Go code:
- New `core qa docblock` command to check coverage
- Shows compact file:line list when under threshold
- Integrate with `core go qa` as a default check
- Add --docblock-threshold flag (default 80%)
The checker uses Go AST parsing to find exported symbols
(functions, types, consts, vars) without documentation.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address CodeRabbit review feedback
- Fix doc comment: "status" → "health" in gitcmd package
- Implement --check flag for `core go fmt` (exits non-zero if files need formatting)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* docs: add docstrings for 100% coverage
Add documentation comments to all exported symbols:
- pkg/build: ProjectType constants
- pkg/cli: LogLevel, RenderStyle, TableStyle
- pkg/framework: ServiceFor, MustServiceFor, Core.Core
- pkg/git: GitError.Error, GitError.Unwrap
- pkg/i18n: Handler Match/Handle methods
- pkg/log: Level constants
- pkg/mcp: Tool input/output types
- pkg/php: Service constants, QA types, service methods
- pkg/process: ServiceError.Error
- pkg/repos: RepoType constants
- pkg/setup: ChangeType, ChangeCategory constants
- pkg/workspace: AddWorkspaceCommands
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* chore: standardize line endings to LF
Add .gitattributes to enforce LF line endings for all text files.
Normalize all existing files to use Unix-style line endings.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address CodeRabbit review feedback
- cmd_format.go: validate --check/--fix mutual exclusivity, capture stderr
- cmd_docblock.go: return error instead of os.Exit(1) for proper error handling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address CodeRabbit review feedback (round 2)
- linuxkit.go: propagate state update errors, handle cmd.Wait() errors in waitForExit
- mcp.go: guard against empty old_string in editDiff to prevent runaway edits
- cmd_docblock.go: log parse errors instead of silently skipping
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 10:48:44 +00:00
|
|
|
name string
|
|
|
|
|
run func(context.Context, string) (CICheckResult, error)
|
|
|
|
|
sarif bool // Whether this check can generate SARIF
|
2026-02-01 06:11:00 +00:00
|
|
|
}{
|
|
|
|
|
{"test", runCITest, false},
|
|
|
|
|
{"stan", runCIStan, true},
|
|
|
|
|
{"psalm", runCIPsalm, true},
|
|
|
|
|
{"fmt", runCIFmt, false},
|
|
|
|
|
{"audit", runCIAudit, false},
|
|
|
|
|
{"security", runCISecurity, false},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result := CIResult{
|
|
|
|
|
StartedAt: startTime,
|
|
|
|
|
Passed: true,
|
|
|
|
|
Checks: make([]CICheckResult, 0, len(checks)),
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var artifacts []string
|
|
|
|
|
|
|
|
|
|
// Print header unless JSON output
|
|
|
|
|
if !ciJSON {
|
|
|
|
|
cli.Print("\n%s\n", cli.BoldStyle.Render("core php ci - QA Pipeline"))
|
|
|
|
|
cli.Print("%s\n\n", strings.Repeat("─", 40))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Run each check
|
|
|
|
|
for _, check := range checks {
|
|
|
|
|
if !ciJSON {
|
|
|
|
|
cli.Print(" %s %s...", dimStyle.Render("→"), check.name)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
checkResult, err := check.run(ctx, cwd)
|
|
|
|
|
if err != nil {
|
|
|
|
|
checkResult = CICheckResult{
|
feat: git command, build improvements, and go fmt git-aware (#74)
* feat(go): make go fmt git-aware by default
- By default, only check changed Go files (modified, staged, untracked)
- Add --all flag to check all files (previous behaviour)
- Reduces noise when running fmt on large codebases
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(build): minimal output by default, add missing i18n
- Default output now shows single line: "Success Built N artifacts (dir)"
- Add --verbose/-v flag to show full detailed output
- Add all missing i18n translations for build commands
- Errors still show failure reason in minimal mode
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: add root-level `core git` command
- Create pkg/gitcmd with git workflow commands as root menu
- Export command builders from pkg/dev (AddCommitCommand, etc.)
- Commands available under both `core git` and `core dev` for compatibility
- Git commands: health, commit, push, pull, work, sync, apply
- GitHub orchestration stays in dev: issues, reviews, ci, impact
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(qa): add docblock coverage checking
Implement docblock/docstring coverage analysis for Go code:
- New `core qa docblock` command to check coverage
- Shows compact file:line list when under threshold
- Integrate with `core go qa` as a default check
- Add --docblock-threshold flag (default 80%)
The checker uses Go AST parsing to find exported symbols
(functions, types, consts, vars) without documentation.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address CodeRabbit review feedback
- Fix doc comment: "status" → "health" in gitcmd package
- Implement --check flag for `core go fmt` (exits non-zero if files need formatting)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* docs: add docstrings for 100% coverage
Add documentation comments to all exported symbols:
- pkg/build: ProjectType constants
- pkg/cli: LogLevel, RenderStyle, TableStyle
- pkg/framework: ServiceFor, MustServiceFor, Core.Core
- pkg/git: GitError.Error, GitError.Unwrap
- pkg/i18n: Handler Match/Handle methods
- pkg/log: Level constants
- pkg/mcp: Tool input/output types
- pkg/php: Service constants, QA types, service methods
- pkg/process: ServiceError.Error
- pkg/repos: RepoType constants
- pkg/setup: ChangeType, ChangeCategory constants
- pkg/workspace: AddWorkspaceCommands
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* chore: standardize line endings to LF
Add .gitattributes to enforce LF line endings for all text files.
Normalize all existing files to use Unix-style line endings.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address CodeRabbit review feedback
- cmd_format.go: validate --check/--fix mutual exclusivity, capture stderr
- cmd_docblock.go: return error instead of os.Exit(1) for proper error handling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address CodeRabbit review feedback (round 2)
- linuxkit.go: propagate state update errors, handle cmd.Wait() errors in waitForExit
- mcp.go: guard against empty old_string in editDiff to prevent runaway edits
- cmd_docblock.go: log parse errors instead of silently skipping
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 10:48:44 +00:00
|
|
|
Name: check.name,
|
|
|
|
|
Status: "failed",
|
2026-02-01 06:11:00 +00:00
|
|
|
Details: err.Error(),
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result.Checks = append(result.Checks, checkResult)
|
|
|
|
|
|
|
|
|
|
// Update summary
|
|
|
|
|
result.Summary.Total++
|
|
|
|
|
switch checkResult.Status {
|
|
|
|
|
case "passed":
|
|
|
|
|
result.Summary.Passed++
|
|
|
|
|
case "failed":
|
|
|
|
|
result.Summary.Failed++
|
|
|
|
|
if shouldFailOn(checkResult, ciFailOn) {
|
|
|
|
|
result.Passed = false
|
|
|
|
|
}
|
|
|
|
|
case "warning":
|
|
|
|
|
result.Summary.Warnings++
|
|
|
|
|
case "skipped":
|
|
|
|
|
result.Summary.Skipped++
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Print result
|
|
|
|
|
if !ciJSON {
|
|
|
|
|
cli.Print("\r %s %s %s\n", getStatusIcon(checkResult.Status), check.name, dimStyle.Render(checkResult.Details))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Generate SARIF if requested
|
|
|
|
|
if (ciSARIF || ciUploadSARIF) && check.sarif {
|
|
|
|
|
sarifFile := filepath.Join(cwd, check.name+".sarif")
|
|
|
|
|
if generateSARIF(ctx, cwd, check.name, sarifFile) == nil {
|
|
|
|
|
artifacts = append(artifacts, sarifFile)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result.Duration = time.Since(startTime).Round(time.Millisecond).String()
|
|
|
|
|
result.Artifacts = artifacts
|
|
|
|
|
|
|
|
|
|
// Set exit code
|
|
|
|
|
if result.Passed {
|
|
|
|
|
result.ExitCode = 0
|
|
|
|
|
} else {
|
|
|
|
|
result.ExitCode = 1
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Output based on flags
|
|
|
|
|
if ciJSON {
|
|
|
|
|
if err := outputCIJSON(result); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if !result.Passed {
|
feat: BugSETI app, WebSocket hub, browser automation, and MCP tools (#336)
* feat: add security logging and fix framework regressions
This commit implements comprehensive security event logging and resolves critical regressions in the core framework.
Security Logging:
- Enhanced `pkg/log` with a `Security` level and helper.
- Added `log.Username()` to consistently identify the executing user.
- Instrumented GitHub CLI auth, Agentic configuration, filesystem sandbox, MCP handlers, and MCP TCP transport with security logs.
- Added `SecurityStyle` to the CLI for consistent visual representation of security events.
UniFi Security (CodeQL):
- Refactored `pkg/unifi` to remove hardcoded `InsecureSkipVerify`, resolving a high-severity alert.
- Added a `--verify-tls` flag and configuration option to control TLS verification.
- Updated command handlers to support the new verification parameter.
Framework Fixes:
- Restored original signatures for `MustServiceFor`, `Config()`, and `Display()` in `pkg/framework/core`, which had been corrupted during a merge.
- Fixed `pkg/framework/framework.go` and `pkg/framework/core/runtime_pkg.go` to match the restored signatures.
- These fixes resolve project-wide compilation errors caused by the signature mismatches.
I encountered significant blockers due to a corrupted state of the `dev` branch after a merge, which introduced breaking changes in the core framework's DI system. I had to manually reconcile these signatures with the expected usage across the codebase to restore build stability.
* feat(mcp): add RAG tools (query, ingest, collections)
Add vector database tools to the MCP server for RAG operations:
- rag_query: Search for relevant documentation using semantic similarity
- rag_ingest: Ingest files or directories into the vector database
- rag_collections: List available collections
Uses existing internal/cmd/rag exports (QueryDocs, IngestDirectory, IngestFile)
and pkg/rag for Qdrant client access. Default collection is "hostuk-docs"
with topK=5 for queries.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(mcp): add metrics tools (record, query)
Add MCP tools for recording and querying AI/security metrics events.
The metrics_record tool writes events to daily JSONL files, and the
metrics_query tool provides aggregated statistics by type, repo, and agent.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: add 'core mcp serve' command
Add CLI command to start the MCP server for AI tool integration.
- Create internal/cmd/mcpcmd package with serve subcommand
- Support --workspace flag for directory restriction
- Handle SIGINT/SIGTERM for clean shutdown
- Register in full.go build variant
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(ws): add WebSocket hub package for real-time streaming
Add pkg/ws package implementing a hub pattern for WebSocket connections:
- Hub manages client connections, broadcasts, and channel subscriptions
- Client struct represents connected WebSocket clients
- Message types: process_output, process_status, event, error, ping/pong
- Channel-based subscription system (subscribe/unsubscribe)
- SendProcessOutput and SendProcessStatus for process streaming integration
- Full test coverage including concurrency tests
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(mcp): add process management and WebSocket MCP tools
Add MCP tools for process management:
- process_start: Start a new external process
- process_stop: Gracefully stop a running process
- process_kill: Force kill a process
- process_list: List all managed processes
- process_output: Get captured process output
- process_input: Send input to process stdin
Add MCP tools for WebSocket:
- ws_start: Start WebSocket server for real-time streaming
- ws_info: Get hub statistics (clients, channels)
Update Service struct with optional process.Service and ws.Hub fields,
new WithProcessService and WithWSHub options, getter methods, and
Shutdown method for cleanup.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(webview): add browser automation package via Chrome DevTools Protocol
Add pkg/webview package for browser automation:
- webview.go: Main interface with Connect, Navigate, Click, Type, QuerySelector, Screenshot, Evaluate
- cdp.go: Chrome DevTools Protocol WebSocket client implementation
- actions.go: DOM action types (Click, Type, Hover, Scroll, etc.) and ActionSequence builder
- console.go: Console message capture and filtering with ConsoleWatcher and ExceptionWatcher
- angular.go: Angular-specific helpers for router navigation, component access, and Zone.js stability
Add MCP tools for webview:
- webview_connect/disconnect: Connection management
- webview_navigate: Page navigation
- webview_click/type/query/wait: DOM interaction
- webview_console: Console output capture
- webview_eval: JavaScript execution
- webview_screenshot: Screenshot capture
Add documentation:
- docs/mcp/angular-testing.md: Guide for Angular application testing
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* docs: document new packages and BugSETI application
- Update CLAUDE.md with documentation for:
- pkg/ws (WebSocket hub for real-time streaming)
- pkg/webview (Browser automation via CDP)
- pkg/mcp (MCP server tools: process, ws, webview)
- BugSETI application overview
- Add comprehensive README for BugSETI with:
- Installation and configuration guide
- Usage workflow documentation
- Architecture overview
- Contributing guidelines
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(bugseti): add BugSETI system tray app with auto-update
BugSETI - Distributed Bug Fixing like SETI@home but for code
Features:
- System tray app with Wails v3
- GitHub issue fetching with label filters
- Issue queue with priority management
- AI context seeding via seed-agent-developer skill
- Automated PR submission flow
- Stats tracking and leaderboard
- Cross-platform notifications
- Self-updating with stable/beta/nightly channels
Includes:
- cmd/bugseti: Main application with Angular frontend
- internal/bugseti: Core services (fetcher, queue, seeder, submit, config, stats, notify)
- internal/bugseti/updater: Auto-update system (checker, downloader, installer)
- .github/workflows/bugseti-release.yml: CI/CD for all platforms
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: resolve import cycle and code duplication
- Remove pkg/log import from pkg/io/local to break import cycle
(pkg/log/rotation.go imports pkg/io, creating circular dependency)
- Use stderr logging for security events in sandbox escape detection
- Remove unused sync/atomic import from core.go
- Fix duplicate LogSecurity function declarations in cli/log.go
- Update workspace/service.go Crypt() call to match interface
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: update tests for new function signatures and format code
- Update core_test.go: Config(), Display() now panic instead of returning error
- Update runtime_pkg_test.go: sr.Config() now panics instead of returning error
- Update MustServiceFor tests to use assert.Panics
- Format BugSETI, MCP tools, and webview packages with gofmt
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Snider <631881+Snider@users.noreply.github.com>
Co-authored-by: Claude <developers@lethean.io>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 17:22:05 +00:00
|
|
|
return cli.Exit(result.ExitCode, cli.Err("CI pipeline failed"))
|
2026-02-01 06:11:00 +00:00
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ciSummary {
|
|
|
|
|
if err := outputCISummary(result); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if !result.Passed {
|
|
|
|
|
return cli.Err("CI pipeline failed")
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Default table output
|
|
|
|
|
cli.Print("\n%s\n", strings.Repeat("─", 40))
|
|
|
|
|
|
|
|
|
|
if result.Passed {
|
|
|
|
|
cli.Print("%s %s\n", successStyle.Render("✓ CI PASSED"), dimStyle.Render(result.Duration))
|
|
|
|
|
} else {
|
|
|
|
|
cli.Print("%s %s\n", errorStyle.Render("✗ CI FAILED"), dimStyle.Render(result.Duration))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(artifacts) > 0 {
|
|
|
|
|
cli.Print("\n%s\n", dimStyle.Render("Artifacts:"))
|
|
|
|
|
for _, a := range artifacts {
|
|
|
|
|
cli.Print(" → %s\n", filepath.Base(a))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Upload SARIF if requested
|
|
|
|
|
if ciUploadSARIF && len(artifacts) > 0 {
|
|
|
|
|
cli.Blank()
|
|
|
|
|
for _, sarifFile := range artifacts {
|
|
|
|
|
if err := uploadSARIFToGitHub(ctx, sarifFile); err != nil {
|
|
|
|
|
cli.Print(" %s %s: %s\n", errorStyle.Render("✗"), filepath.Base(sarifFile), err)
|
|
|
|
|
} else {
|
|
|
|
|
cli.Print(" %s %s uploaded\n", successStyle.Render("✓"), filepath.Base(sarifFile))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !result.Passed {
|
|
|
|
|
return cli.Err("CI pipeline failed")
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// runCITest runs Pest/PHPUnit tests
|
|
|
|
|
func runCITest(ctx context.Context, dir string) (CICheckResult, error) {
|
|
|
|
|
start := time.Now()
|
|
|
|
|
result := CICheckResult{Name: "test", Status: "passed"}
|
|
|
|
|
|
|
|
|
|
opts := TestOptions{
|
feat: git command, build improvements, and go fmt git-aware (#74)
* feat(go): make go fmt git-aware by default
- By default, only check changed Go files (modified, staged, untracked)
- Add --all flag to check all files (previous behaviour)
- Reduces noise when running fmt on large codebases
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(build): minimal output by default, add missing i18n
- Default output now shows single line: "Success Built N artifacts (dir)"
- Add --verbose/-v flag to show full detailed output
- Add all missing i18n translations for build commands
- Errors still show failure reason in minimal mode
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: add root-level `core git` command
- Create pkg/gitcmd with git workflow commands as root menu
- Export command builders from pkg/dev (AddCommitCommand, etc.)
- Commands available under both `core git` and `core dev` for compatibility
- Git commands: health, commit, push, pull, work, sync, apply
- GitHub orchestration stays in dev: issues, reviews, ci, impact
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(qa): add docblock coverage checking
Implement docblock/docstring coverage analysis for Go code:
- New `core qa docblock` command to check coverage
- Shows compact file:line list when under threshold
- Integrate with `core go qa` as a default check
- Add --docblock-threshold flag (default 80%)
The checker uses Go AST parsing to find exported symbols
(functions, types, consts, vars) without documentation.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address CodeRabbit review feedback
- Fix doc comment: "status" → "health" in gitcmd package
- Implement --check flag for `core go fmt` (exits non-zero if files need formatting)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* docs: add docstrings for 100% coverage
Add documentation comments to all exported symbols:
- pkg/build: ProjectType constants
- pkg/cli: LogLevel, RenderStyle, TableStyle
- pkg/framework: ServiceFor, MustServiceFor, Core.Core
- pkg/git: GitError.Error, GitError.Unwrap
- pkg/i18n: Handler Match/Handle methods
- pkg/log: Level constants
- pkg/mcp: Tool input/output types
- pkg/php: Service constants, QA types, service methods
- pkg/process: ServiceError.Error
- pkg/repos: RepoType constants
- pkg/setup: ChangeType, ChangeCategory constants
- pkg/workspace: AddWorkspaceCommands
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* chore: standardize line endings to LF
Add .gitattributes to enforce LF line endings for all text files.
Normalize all existing files to use Unix-style line endings.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address CodeRabbit review feedback
- cmd_format.go: validate --check/--fix mutual exclusivity, capture stderr
- cmd_docblock.go: return error instead of os.Exit(1) for proper error handling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address CodeRabbit review feedback (round 2)
- linuxkit.go: propagate state update errors, handle cmd.Wait() errors in waitForExit
- mcp.go: guard against empty old_string in editDiff to prevent runaway edits
- cmd_docblock.go: log parse errors instead of silently skipping
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 10:48:44 +00:00
|
|
|
Dir: dir,
|
|
|
|
|
Output: nil, // Suppress output
|
2026-02-01 06:11:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := RunTests(ctx, opts); err != nil {
|
|
|
|
|
result.Status = "failed"
|
|
|
|
|
result.Details = err.Error()
|
|
|
|
|
} else {
|
|
|
|
|
result.Details = "all tests passed"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result.Duration = time.Since(start).Round(time.Millisecond).String()
|
|
|
|
|
return result, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// runCIStan runs PHPStan
|
|
|
|
|
func runCIStan(ctx context.Context, dir string) (CICheckResult, error) {
|
|
|
|
|
start := time.Now()
|
|
|
|
|
result := CICheckResult{Name: "stan", Status: "passed"}
|
|
|
|
|
|
|
|
|
|
_, found := DetectAnalyser(dir)
|
|
|
|
|
if !found {
|
|
|
|
|
result.Status = "skipped"
|
|
|
|
|
result.Details = "PHPStan not configured"
|
|
|
|
|
return result, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
opts := AnalyseOptions{
|
|
|
|
|
Dir: dir,
|
|
|
|
|
Output: nil,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := Analyse(ctx, opts); err != nil {
|
|
|
|
|
result.Status = "failed"
|
|
|
|
|
result.Details = "errors found"
|
|
|
|
|
} else {
|
|
|
|
|
result.Details = "0 errors"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result.Duration = time.Since(start).Round(time.Millisecond).String()
|
|
|
|
|
return result, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// runCIPsalm runs Psalm
|
|
|
|
|
func runCIPsalm(ctx context.Context, dir string) (CICheckResult, error) {
|
|
|
|
|
start := time.Now()
|
|
|
|
|
result := CICheckResult{Name: "psalm", Status: "passed"}
|
|
|
|
|
|
|
|
|
|
_, found := DetectPsalm(dir)
|
|
|
|
|
if !found {
|
|
|
|
|
result.Status = "skipped"
|
|
|
|
|
result.Details = "Psalm not configured"
|
|
|
|
|
return result, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
opts := PsalmOptions{
|
|
|
|
|
Dir: dir,
|
|
|
|
|
Output: nil,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := RunPsalm(ctx, opts); err != nil {
|
|
|
|
|
result.Status = "failed"
|
|
|
|
|
result.Details = "errors found"
|
|
|
|
|
} else {
|
|
|
|
|
result.Details = "0 errors"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result.Duration = time.Since(start).Round(time.Millisecond).String()
|
|
|
|
|
return result, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// runCIFmt checks code formatting
|
|
|
|
|
func runCIFmt(ctx context.Context, dir string) (CICheckResult, error) {
|
|
|
|
|
start := time.Now()
|
|
|
|
|
result := CICheckResult{Name: "fmt", Status: "passed"}
|
|
|
|
|
|
|
|
|
|
_, found := DetectFormatter(dir)
|
|
|
|
|
if !found {
|
|
|
|
|
result.Status = "skipped"
|
|
|
|
|
result.Details = "no formatter configured"
|
|
|
|
|
return result, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
opts := FormatOptions{
|
|
|
|
|
Dir: dir,
|
|
|
|
|
Fix: false, // Check only
|
|
|
|
|
Output: nil,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := Format(ctx, opts); err != nil {
|
|
|
|
|
result.Status = "warning"
|
|
|
|
|
result.Details = "formatting issues"
|
|
|
|
|
} else {
|
|
|
|
|
result.Details = "code style OK"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result.Duration = time.Since(start).Round(time.Millisecond).String()
|
|
|
|
|
return result, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// runCIAudit runs composer audit
|
|
|
|
|
func runCIAudit(ctx context.Context, dir string) (CICheckResult, error) {
|
|
|
|
|
start := time.Now()
|
|
|
|
|
result := CICheckResult{Name: "audit", Status: "passed"}
|
|
|
|
|
|
|
|
|
|
results, err := RunAudit(ctx, AuditOptions{
|
|
|
|
|
Dir: dir,
|
|
|
|
|
Output: nil,
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
result.Status = "failed"
|
|
|
|
|
result.Details = err.Error()
|
|
|
|
|
result.Duration = time.Since(start).Round(time.Millisecond).String()
|
|
|
|
|
return result, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
totalVulns := 0
|
|
|
|
|
for _, r := range results {
|
|
|
|
|
totalVulns += r.Vulnerabilities
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if totalVulns > 0 {
|
|
|
|
|
result.Status = "failed"
|
|
|
|
|
result.Details = fmt.Sprintf("%d vulnerabilities", totalVulns)
|
|
|
|
|
result.Issues = totalVulns
|
|
|
|
|
} else {
|
|
|
|
|
result.Details = "no vulnerabilities"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result.Duration = time.Since(start).Round(time.Millisecond).String()
|
|
|
|
|
return result, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// runCISecurity runs security checks
|
|
|
|
|
func runCISecurity(ctx context.Context, dir string) (CICheckResult, error) {
|
|
|
|
|
start := time.Now()
|
|
|
|
|
result := CICheckResult{Name: "security", Status: "passed"}
|
|
|
|
|
|
|
|
|
|
secResult, err := RunSecurityChecks(ctx, SecurityOptions{
|
|
|
|
|
Dir: dir,
|
|
|
|
|
Output: nil,
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
result.Status = "failed"
|
|
|
|
|
result.Details = err.Error()
|
|
|
|
|
result.Duration = time.Since(start).Round(time.Millisecond).String()
|
|
|
|
|
return result, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if secResult.Summary.Critical > 0 || secResult.Summary.High > 0 {
|
|
|
|
|
result.Status = "failed"
|
|
|
|
|
result.Details = fmt.Sprintf("%d critical, %d high", secResult.Summary.Critical, secResult.Summary.High)
|
|
|
|
|
result.Issues = secResult.Summary.Critical + secResult.Summary.High
|
|
|
|
|
} else if secResult.Summary.Medium > 0 {
|
|
|
|
|
result.Status = "warning"
|
|
|
|
|
result.Details = fmt.Sprintf("%d medium issues", secResult.Summary.Medium)
|
|
|
|
|
result.Warnings = secResult.Summary.Medium
|
|
|
|
|
} else {
|
|
|
|
|
result.Details = "no issues"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result.Duration = time.Since(start).Round(time.Millisecond).String()
|
|
|
|
|
return result, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// shouldFailOn determines if a check should cause CI failure based on --fail-on
|
|
|
|
|
func shouldFailOn(check CICheckResult, level string) bool {
|
|
|
|
|
switch level {
|
|
|
|
|
case "critical":
|
|
|
|
|
return check.Status == "failed" && check.Issues > 0
|
|
|
|
|
case "high", "error":
|
|
|
|
|
return check.Status == "failed"
|
|
|
|
|
case "warning":
|
|
|
|
|
return check.Status == "failed" || check.Status == "warning"
|
|
|
|
|
default:
|
|
|
|
|
return check.Status == "failed"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// getStatusIcon returns the icon for a check status
|
|
|
|
|
func getStatusIcon(status string) string {
|
|
|
|
|
switch status {
|
|
|
|
|
case "passed":
|
|
|
|
|
return successStyle.Render("✓")
|
|
|
|
|
case "failed":
|
|
|
|
|
return errorStyle.Render("✗")
|
|
|
|
|
case "warning":
|
|
|
|
|
return phpQAWarningStyle.Render("⚠")
|
|
|
|
|
case "skipped":
|
|
|
|
|
return dimStyle.Render("-")
|
|
|
|
|
default:
|
|
|
|
|
return dimStyle.Render("?")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// outputCIJSON outputs the result as JSON
|
|
|
|
|
func outputCIJSON(result CIResult) error {
|
|
|
|
|
data, err := json.MarshalIndent(result, "", " ")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
fmt.Println(string(data))
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// outputCISummary outputs a markdown summary
|
|
|
|
|
func outputCISummary(result CIResult) error {
|
|
|
|
|
var sb strings.Builder
|
|
|
|
|
|
|
|
|
|
sb.WriteString("## CI Pipeline Results\n\n")
|
|
|
|
|
|
|
|
|
|
if result.Passed {
|
|
|
|
|
sb.WriteString("**Status:** ✅ Passed\n\n")
|
|
|
|
|
} else {
|
|
|
|
|
sb.WriteString("**Status:** ❌ Failed\n\n")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sb.WriteString("| Check | Status | Details |\n")
|
|
|
|
|
sb.WriteString("|-------|--------|----------|\n")
|
|
|
|
|
|
|
|
|
|
for _, check := range result.Checks {
|
|
|
|
|
icon := "✅"
|
|
|
|
|
switch check.Status {
|
|
|
|
|
case "failed":
|
|
|
|
|
icon = "❌"
|
|
|
|
|
case "warning":
|
|
|
|
|
icon = "⚠️"
|
|
|
|
|
case "skipped":
|
|
|
|
|
icon = "⏭️"
|
|
|
|
|
}
|
|
|
|
|
sb.WriteString(fmt.Sprintf("| %s | %s | %s |\n", check.Name, icon, check.Details))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sb.WriteString(fmt.Sprintf("\n**Duration:** %s\n", result.Duration))
|
|
|
|
|
|
|
|
|
|
fmt.Print(sb.String())
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// generateSARIF generates a SARIF file for a specific check
|
|
|
|
|
func generateSARIF(ctx context.Context, dir, checkName, outputFile string) error {
|
|
|
|
|
var args []string
|
|
|
|
|
|
|
|
|
|
switch checkName {
|
|
|
|
|
case "stan":
|
|
|
|
|
args = []string{"vendor/bin/phpstan", "analyse", "--error-format=sarif", "--no-progress"}
|
|
|
|
|
case "psalm":
|
|
|
|
|
args = []string{"vendor/bin/psalm", "--output-format=sarif"}
|
|
|
|
|
default:
|
|
|
|
|
return fmt.Errorf("SARIF not supported for %s", checkName)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cmd := exec.CommandContext(ctx, "php", args...)
|
|
|
|
|
cmd.Dir = dir
|
|
|
|
|
|
|
|
|
|
// Capture output - command may exit non-zero when issues are found
|
|
|
|
|
// but still produce valid SARIF output
|
|
|
|
|
output, err := cmd.CombinedOutput()
|
|
|
|
|
if len(output) == 0 {
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("failed to generate SARIF: %w", err)
|
|
|
|
|
}
|
|
|
|
|
return fmt.Errorf("no SARIF output generated")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Validate output is valid JSON
|
|
|
|
|
var js json.RawMessage
|
|
|
|
|
if err := json.Unmarshal(output, &js); err != nil {
|
|
|
|
|
return fmt.Errorf("invalid SARIF output: %w", err)
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-05 18:14:59 +00:00
|
|
|
return getMedium().Write(outputFile, string(output))
|
2026-02-01 06:11:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// uploadSARIFToGitHub uploads a SARIF file to GitHub Security tab
|
|
|
|
|
func uploadSARIFToGitHub(ctx context.Context, sarifFile string) error {
|
|
|
|
|
// Validate commit SHA before calling API
|
|
|
|
|
sha := getGitSHA()
|
|
|
|
|
if sha == "" {
|
|
|
|
|
return errors.New("cannot upload SARIF: git commit SHA not available (ensure you're in a git repository)")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Use gh CLI to upload
|
|
|
|
|
cmd := exec.CommandContext(ctx, "gh", "api",
|
|
|
|
|
"repos/{owner}/{repo}/code-scanning/sarifs",
|
|
|
|
|
"-X", "POST",
|
|
|
|
|
"-F", "sarif=@"+sarifFile,
|
|
|
|
|
"-F", "ref="+getGitRef(),
|
|
|
|
|
"-F", "commit_sha="+sha,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
if output, err := cmd.CombinedOutput(); err != nil {
|
|
|
|
|
return fmt.Errorf("%s: %s", err, string(output))
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// getGitRef returns the current git ref
|
|
|
|
|
func getGitRef() string {
|
|
|
|
|
cmd := exec.Command("git", "symbolic-ref", "HEAD")
|
|
|
|
|
output, err := cmd.Output()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "refs/heads/main"
|
|
|
|
|
}
|
|
|
|
|
return strings.TrimSpace(string(output))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// getGitSHA returns the current git commit SHA
|
|
|
|
|
func getGitSHA() string {
|
|
|
|
|
cmd := exec.Command("git", "rev-parse", "HEAD")
|
|
|
|
|
output, err := cmd.Output()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return ""
|
|
|
|
|
}
|
|
|
|
|
return strings.TrimSpace(string(output))
|
|
|
|
|
}
|