Added Shipshape binary to CLI container.

.circleci/config.yml

@@ -65,6 +65,10 @@ aliases:
   - &runner_config
     # Location of checked-out files within "runner" container.
     working_directory: &working_directory ~/project
+    parameters:
+      shipshape_run_audit:
+        default: false
+        type: boolean
     environment:
       DREVOPS_DEPLOY_SSH_FINGERPRINT: *deploy_ssh_fingerprint
       DEPLOY_SSH_FINGERPRINT1: *deploy_ssh_fingerprint1
@@ -269,6 +273,13 @@ job-build: &job-build
             docker compose exec -T cli php -d memory_limit=-1 vendor/bin/behat --colors --strict --rerun --profile="${DREVOPS_CI_BEHAT_PROFILE:-default}" || \
             [ "${DREVOPS_CI_BEHAT_IGNORE_FAILURE:-0}" -eq 1 ]
         no_output_timeout: 30m
+    # Optionally run Shipshape audit.
+    - when:
+        condition: << parameters.shipshape_run_audit >>
+        steps:
+          - run:
+              name: Audit code with shipshape
+              command: docker compose exec -T cli sh -c "/usr/local/bin/shipshape -e -o junit > /app/.logs/test_results/shipshape-results.xml" || [ "${DREVOPS_CI_SHIPSHAPE_IGNORE_FAILURE:-0}" -eq 1 ]
     - run:
         name: Process test logs and artifacts
         command: |
@@ -360,6 +371,10 @@ jobs:
   # GovCMS profile, no sub-theme.
   build-govcms:
     <<: *runner_config
+    parameters:
+      shipshape_run_audit:
+        default: true
+        type: boolean
     environment:
       DRUPAL_PROFILE: govcms
       CIVICTHEME_SUBTHEME_ACTIVATION_SKIP: 1
@@ -370,6 +385,10 @@ jobs:
   # GovCMS profile, sub-theme. Longest test run.
   build-govcms-subtheme:
     <<: *runner_config
+    parameters:
+      shipshape_run_audit:
+        default: true
+        type: boolean
     environment:
       DRUPAL_PROFILE: govcms
       DREVOPS_CI_DRUPAL_THEME_CONFIG_LINT_IGNORE_FAILURE: 1

.docker/cli.dockerfile

@@ -63,6 +63,9 @@ RUN mkdir -p web/themes/contrib/civictheme \
     && mkdir -p web/modules/custom/civictheme_dev \
     && mkdir -p web/modules/custom/cs_generated_content
 
+# Add shipshape binary so that we can execute audits.
+COPY --from=ghcr.io/salsadigitalauorg/shipshape:latest /usr/local/bin/shipshape /usr/local/bin/shipshape
+
 # Copy files required for PHP dependencies resolution.
 # Note that composer.lock is not explicitly copied, allowing to run the stack
 # without existing lock file (this is not advisable, but allows to build

.docker/cli.onlytheme.dockerfile

@@ -62,6 +62,9 @@ RUN mkdir -p web/themes/contrib/civictheme \
     && mkdir -p web/modules/custom/civictheme_dev \
     && mkdir -p web/modules/custom/cs_generated_content
 
+# Add shipshape binary so that we can execute audits.
+COPY --from=ghcr.io/salsadigitalauorg/shipshape:latest /usr/local/bin/shipshape /usr/local/bin/shipshape
+
 # Copy files required for PHP dependencies resolution.
 # Note that composer.lock is not explicitly copied, allowing to run the stack
 # without existing lock file (this is not advisable, but allows to build

.docker/cli.sibling.dockerfile

@@ -63,6 +63,9 @@ RUN mkdir -p web/themes/contrib/civictheme \
     && mkdir -p web/modules/custom/civictheme_dev \
     && mkdir -p web/modules/custom/cs_generated_content
 
+# Add shipshape binary so that we can execute audits.
+COPY --from=ghcr.io/salsadigitalauorg/shipshape:latest /usr/local/bin/shipshape /usr/local/bin/shipshape
+
 # Copy files required for PHP dependencies resolution.
 # Note that composer.lock is not explicitly copied, allowing to run the stack
 # without existing lock file (this is not advisable, but allows to build

phpstan-govcms.neon

@@ -0,0 +1,99 @@
+parameters:
+  # Disable all phpstan rules.
+  customRulesetUsed: true
+  fileExtensions:
+    - php
+    - theme
+    - inc
+  reportUnmatchedIgnoredErrors: false
+  ignoreErrors:
+    - message: '#^Calling debug_backtrace\(\) is forbidden, please change the code$#'
+      count: 1
+      path: /app/web/themes/custom/bootstrap/src/Bootstrap.php
+    - message: '#^Calling print_r\(\) is forbidden, please change the code$#'
+      count: 1
+      path: /app/web/themes/custom/bootstrap/src/Bootstrap.php
+  disallowedFunctionCalls:
+    - function: 'curl_exec()'
+      message: 'please change the code'
+    - function: 'curl_init()'
+      message: 'please change the code'
+    - function: 'curl_multi_exec()'
+      message: 'please change the code'
+    - function: 'db_*()'
+      message: 'please change the code'
+    - function: 'dd()'
+      message: 'please change the code'
+    - function: 'debug_backtrace()'
+      message: 'please change the code'
+    - function: 'dump()'
+      message: 'please change the code'
+    - function: 'escapeshellcmd()'
+      message: 'please change the code'
+    - function: 'eval()'
+      message: 'please change the code'
+    - function: 'exec()'
+      message: 'please change the code'
+    - function: 'ftp_*()'
+      message: 'please change the code'
+    - function: 'mysql_*()'
+      message: 'please change the code'
+    - function: 'mysqli_*()'
+      message: 'please change the code'
+    - function: 'passthru()'
+      message: 'please change the code'
+    - function: 'pcntl_*()'
+      message: 'please change the code'
+    - function: 'phpinfo()'
+      message: 'please change the code'
+    - function: 'popen()'
+      message: 'please change the code'
+    - function: 'posix_getpwuid()'
+      message: 'please change the code'
+    - function: 'posix_kill()'
+      message: 'please change the code'
+    - function: 'posix_mkfifo()'
+      message: 'please change the code'
+    - function: 'posix_setpgid()'
+      message: 'please change the code'
+    - function: 'posix_setsid()'
+      message: 'please change the code'
+    - function: 'posix_setuid()'
+      message: 'please change the code'
+    - function: 'posix_uname()'
+      message: 'please change the code'
+    - function: 'print_r()'
+      message: 'please change the code'
+    - function: 'proc_open()'
+      message: 'please change the code'
+    - function: 'proc_get_status()'
+      message: 'please change the code'
+    - function: 'proc_terminate()'
+      message: 'please change the code'
+    - function: 'proc_close()'
+      message: 'please change the code'
+    - function: 'proc_nice()'
+      message: 'please change the code'
+    - function: 'shell_exec()'
+      message: 'please change the code'
+    - function: 'sleep()'
+      message: 'please change the code'
+    - function: 'system()'
+      message: 'please change the code'
+    - function: 'var_dump()'
+      message: 'please change the code'
+  disallowedMethodCalls:
+    - method: 'mysqli::*()'
+      message: 'please change the code'
+    - method: 'SQLite3::*()'
+      message: 'please change the code'
+    - method: 'SQLite3Stmt::*()'
+      message: 'please change the code'
+    - method: 'SQLite3Result::*()'
+      message: 'please change the code'
+  disallowedStaticCalls:
+    - method: 'Drupal::httpClient()'
+      message: 'please change the code'
+  disallowedNamespaces:
+    - class: 'GuzzleHttp\Client'
+      message: 'please change the code'

scripts/drevops/build.sh

@@ -129,6 +129,8 @@ docker compose cp -L behat.yml cli:/app/ 2>"${composer_verbose_output}"
 docker compose cp -L phpcs.xml cli:/app/ 2>"${composer_verbose_output}"
 docker compose cp -L phpmd.xml cli:/app/ 2>"${composer_verbose_output}"
 docker compose cp -L phpstan.neon cli:/app/ 2>"${composer_verbose_output}"
+docker compose cp -L phpstan-govcms.neon cli:/app/ 2>"${composer_verbose_output}"
+docker compose cp -L shipshape.yml cli:/app/ 2>"${composer_verbose_output}"
 docker compose cp -L phpunit.xml cli:/app/ 2>"${composer_verbose_output}"
 docker compose cp -L rector.php cli:/app/ 2>"${composer_verbose_output}"
 docker compose cp -L tests cli:/app/ 2>"${composer_verbose_output}"