IBX-12028: Refactored composer audit ignore to rely on shared source of truth #141
Open
alongosz wants to merge 5 commits into
Conversation
This was referenced Jul 2, 2026
3d12456 to 87e3c48
The prepare scripts fetched composer_audit_ignore.sh, which in turn fetched configure_composer_audit_ignores.sh, from a hardcoded raw.githubusercontent.com/ibexa/ci-scripts/main URL. This defeated the ci-scripts-branch testing mechanism: even when CI pointed at a feature branch, the nested fetches still pulled main, so branch changes to these scripts (e.g. the twig advisory in the shared source of truth) never ran on CI and could not be validated before merge. Introduced a CI_SCRIPTS_REF environment variable (defaulting to main) threaded through every nested fetch: the prepare scripts use it in their composer_audit_ignore.sh curl and pass it into the install_dependencies container, and composer_audit_ignore.sh forwards it via docker exec -e so the container's bash resolves the configure_composer_audit_ignores.sh URL against the same ref. Setting the ref once now propagates through the whole chain. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Verified that add_composer_audit_ignore_config() fetches configure_composer_audit_ignores.sh from the ref given by CI_SCRIPTS_REF, defaulting to main when the variable is unset. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
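How the ref resolution described in these commits can be expressed and checked, as an added example that is not code from ibexa/ci-scripts; the `bin/_common/` path, the `validate_ci_scripts_ref` guard and the function names are assumptions:

```shell
#!/bin/sh
# Added example, not code from ibexa/ci-scripts: resolve the URL of a nested
# ci-scripts fetch against CI_SCRIPTS_REF (default: main) instead of a
# hardcoded branch, refusing values that are not a plain git ref.
# Assumption: the scripts live under bin/_common/ in ibexa/ci-scripts.

CI_SCRIPTS_RAW_BASE="https://raw.githubusercontent.com/ibexa/ci-scripts"

# Returns 0 when the ref is safe to interpolate into a URL path, 1 otherwise:
# non-empty, only [A-Za-z0-9._/-], no "..", no leading/trailing or doubled "/".
validate_ci_scripts_ref() {
    [ -n "$1" ] || return 1
    case "$1" in
        *..*|/*|*/|*//*|*[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    return 0
}

# Usage: ci_scripts_url <script-name> [ref]
# The ref argument defaults to CI_SCRIPTS_REF, which defaults to main, so the
# value set once by the outer caller propagates through every nested fetch.
ci_scripts_url() {
    script="$1"
    ref="${2:-${CI_SCRIPTS_REF:-main}}"
    if ! validate_ci_scripts_ref "$ref"; then
        echo "ci_scripts_url: refusing invalid CI_SCRIPTS_REF '$ref'" >&2
        return 1
    fi
    printf '%s/%s/bin/_common/%s\n' "$CI_SCRIPTS_RAW_BASE" "$ref" "$script"
}

# Fetch a script with curl, failing on HTTP errors (-f) so a typo in the ref
# does not hand an empty or HTML error body to bash. Not called when sourced.
fetch_ci_script() {
    url="$(ci_scripts_url "$@")" || return 1
    curl -fsSL "$url"
}

# Show which URL the current environment would resolve to.
ci_scripts_url configure_composer_audit_ignores.sh
```

For a supply-chain-hardened pipeline, set CI_SCRIPTS_REF to a commit SHA rather than a branch name once the branch has been validated, so the scripts executed on CI cannot change underneath a run.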
87e3c48 to d5ed104
alongosz commented Jul 3, 2026
Comment on lines +51 to +53
| PHP_VERSION_INPUT=${1:-$(php -r 'echo PHP_MAJOR_VERSION . "." . PHP_MINOR_VERSION;')} | ||
| IFS=. read -r PHP_MAJOR_VERSION PHP_MINOR_VERSION _ <<< "$PHP_VERSION_INPUT" | ||
| PHP_VERSION=${PHP_MAJOR_VERSION}.${PHP_MINOR_VERSION} |
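Review bot: line 53 silently yields a value such as `8.` when the input is a bare major version, because the `IFS=. read` on line 52 leaves PHP_MINOR_VERSION empty; consider validating PHP_VERSION_INPUT against the `major.minor` or `major.minor.patch` shapes and exiting with a clear error before line 52, and add a comment above line 51 stating that the split exists because `${{ inputs.php-version }}` may carry a patch component, so the reason given in this thread travels with the code.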
Member, Author
Note: L52 looks a bit redundant, but it comes from the script's optional input parameter `${1}`, which is a PHP version passed by GHA as `${{ inputs.php-version }}`. Seems it can contain major.minor.patch (depending on what produced that input).
Related PRs:
Description:
Looks like Twig released yet another advisory, published yesterday evening: PKSA-8zx5-v2nz-58pb (GHSA-529h-vh3j-85hq).
We need a common reusable place so updating this list is easy.
This PR:
- `bin/_common/configure_composer_audit_ignores.sh` as the shared/common/reusable source of truth
- `bin/_common/composer_audit_ignore.sh` to fetch reusable advisories bash snippet `bin/_common/configure_composer_audit_ignores.sh`
- `curl` on-the-fly so have no self-awareness of their source branch. It's now exposed as `CI_SCRIPTS_REF` environment variable propagated from the outer caller.

For QA:
Let's just verify that regressions on PHP 7.4 and 8.0 for Commerce 4.6 pass. See ibexa/gh-workflows#104 for the testing results.
Failing build ref.: https://github.com/ibexa/commerce/actions/runs/28562515595
Documentation:
Add `PKSA-8zx5-v2nz-58pb` to the documentation.