IBX-12028: Refactored composer audit ignore to rely on shared source of truth #141

Open
alongosz wants to merge 5 commits into main from ibx-12028-ci-advisories-patch-revamp

Conversation

@alongosz alongosz commented Jul 2, 2026

🎫 Issue IBX-12028

Related PRs:

Description:

Looks like Twig released yet another advisory, published yesterday evening: PKSA-8zx5-v2nz-58pb (GHSA-529h-vh3j-85hq).

We need a common reusable place so updating this list is easy.

This PR:

  • adds the new script bin/_common/configure_composer_audit_ignores.sh as the shared/common/reusable source of truth
  • refactors existing bin/_common/composer_audit_ignore.sh to fetch reusable advisories bash snippet
  • adds sanity test coverage for bin/_common/configure_composer_audit_ignores.sh
  • parametrizes the CI script branch in inner scripts - this makes testing any changes against these scripts easier. These scripts are downloaded via curl on-the-fly so have no self-awareness of their source branch. It's now exposed as the CI_SCRIPTS_REF environment variable propagated from the outer caller.

For QA:

Let's just verify that regressions on PHP 7.4 and 8.0 for Commerce 4.6 pass. See ibexa/gh-workflows#104 for the testing results.

Failing build ref.: https://github.com/ibexa/commerce/actions/runs/28562515595

Documentation:

Add PKSA-8zx5-v2nz-58pb to the documentation.
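The CI_SCRIPTS_REF propagation the description outlines, written out as an added example rather than code from the ibexa/ci-scripts PR itself: the ref is resolved once (defaulting to main), every nested fetch URL is derived from it, and it is forwarded into the container with docker exec -e. Because the ref is interpolated into a URL whose body is piped to bash, the example also validates it before use, which the PR text does not describe. Function names are illustrative; the owner/repo path and the bin/_common location come from the PR.

```shell
#!/bin/sh
# Added example, not code from the ibexa/ci-scripts PR. It models the
# CI_SCRIPTS_REF propagation the PR describes: resolve the ref once, build
# every nested curl URL from it, and forward it into the container with
# docker exec -e. Function names are illustrative; the owner/repo path and
# the bin/_common location are taken from the PR text.

# Resolve the ref: CI_SCRIPTS_REF when set, otherwise the PR's default, main.
ci_scripts_ref() {
    printf '%s\n' "${CI_SCRIPTS_REF:-main}"
}

# The ref ends up inside a URL whose body is piped to bash, so it must not be
# able to rewrite the URL path (../), append a query string, or be empty.
validate_ref() {
    case $1 in
        ''|/*|*/|*..*|*//*) return 1 ;;
    esac
    case $1 in
        *[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    return 0
}

# Raw URL for a script under bin/_common on the resolved ref.
ci_script_url() {
    ref=$(ci_scripts_ref)
    validate_ref "$ref" || { echo "refusing invalid CI_SCRIPTS_REF: '$ref'" >&2; return 1; }
    printf 'https://raw.githubusercontent.com/ibexa/ci-scripts/%s/bin/_common/%s\n' "$ref" "$1"
}

# Command line for the inner fetch: the ref is forwarded with -e so the
# container resolves the nested URL against the same ref as the outer caller.
# The command is printed rather than executed so the example runs offline.
docker_exec_with_ref() {
    container=$1; shift
    ref=$(ci_scripts_ref)
    validate_ref "$ref" || return 1
    printf 'docker exec -e CI_SCRIPTS_REF=%s %s %s\n' "$ref" "$container" "$*"
}

# Stand-alone demonstration with a constructed branch name: run as `sh file demo`.
if [ "${1:-}" = demo ]; then
    CI_SCRIPTS_REF=ibx-12028-ci-advisories-patch-revamp; export CI_SCRIPTS_REF
    ci_script_url composer_audit_ignore.sh
    ci_script_url configure_composer_audit_ignores.sh
    docker_exec_with_ref install_dependencies bash -c 'echo "$CI_SCRIPTS_REF"'
fi
```

Setting the variable once in the outer workflow is enough: the prepare script, the install_dependencies container and the nested configure_composer_audit_ignores.sh fetch all resolve the same ref, and a ref containing path or query characters is refused before any curl runs.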

@alongosz alongosz changed the title Ibx 12028 ci advisories patch revamp IBX-12028: Refactored composer audit ignore to rely on shared source of truth Jul 2, 2026
@alongosz alongosz added the Doc needed The changes require some documentation label Jul 2, 2026
@alongosz alongosz force-pushed the ibx-12028-ci-advisories-patch-revamp branch from 3d12456 to 87e3c48 Compare July 3, 2026 13:57
alongosz and others added 4 commits July 3, 2026 16:31
The prepare scripts fetched composer_audit_ignore.sh, which in turn
fetched configure_composer_audit_ignores.sh, from a hardcoded
raw.githubusercontent.com/ibexa/ci-scripts/main URL. This defeated the
ci-scripts-branch testing mechanism: even when CI pointed at a feature
branch, the nested fetches still pulled main, so branch changes to these
scripts (e.g. the twig advisory in the shared source of truth) never ran
on CI and could not be validated before merge.

Introduced a CI_SCRIPTS_REF environment variable (defaulting to main)
threaded through every nested fetch: the prepare scripts use it in their
composer_audit_ignore.sh curl and pass it into the install_dependencies
container, and composer_audit_ignore.sh forwards it via docker exec -e so
the container's bash resolves the configure_composer_audit_ignores.sh
URL against the same ref. Setting the ref once now propagates through the
whole chain.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Verified that add_composer_audit_ignore_config() fetches
configure_composer_audit_ignores.sh from the ref given by CI_SCRIPTS_REF,
defaulting to main when the variable is unset.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@alongosz alongosz force-pushed the ibx-12028-ci-advisories-patch-revamp branch from 87e3c48 to d5ed104 Compare July 3, 2026 14:33
sonarqubecloud Bot commented Jul 3, 2026


Comment on lines +51 to +53
PHP_VERSION_INPUT=${1:-$(php -r 'echo PHP_MAJOR_VERSION . "." . PHP_MINOR_VERSION;')}
IFS=. read -r PHP_MAJOR_VERSION PHP_MINOR_VERSION _ <<< "$PHP_VERSION_INPUT"
PHP_VERSION=${PHP_MAJOR_VERSION}.${PHP_MINOR_VERSION}
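Review bot: an input without a minor component (a bare `8`, for instance) leaves PHP_MINOR_VERSION empty after the read on line +52, and line +53 then yields `8.` rather than failing; consider validating both parts before composing PHP_VERSION, e.g. `[ -n "$PHP_MAJOR_VERSION" ] && [ -n "$PHP_MINOR_VERSION" ] || { echo "expected major.minor[.patch], got '$PHP_VERSION_INPUT'" >&2; exit 1; }`. The `<<<` here-string on line +52 is also a bash extension, so this script must run under bash rather than sh.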

Member Author

Note

L52 looks a bit redundant, but it comes from the script's optional input parameter ${1}, which is a PHP version passed by GHA as ${{ inputs.php-version }}. Seems it can contain major.minor.patch (depending on what produced that input).
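The normalisation discussed in this comment, as an added example that is not code from the PR: a major.minor.patch or major.minor input is reduced to major.minor, while a bare major or a non-numeric part is rejected instead of being turned into a dangling `8.`. The php -r fallback from the reviewed snippet is kept but is only consulted when no argument is given, so the example runs without PHP installed as long as an argument is supplied. The function name is illustrative.

```shell
#!/bin/sh
# Added example, not code from the PR. Normalises a PHP version input
# (major.minor or major.minor.patch) to major.minor and rejects anything
# that lacks a numeric major and minor part.

php_major_minor() {
    input=$1
    # Fall back to the running PHP only when no version was passed in,
    # mirroring the ${1:-$(php -r ...)} default in the reviewed snippet.
    if [ -z "$input" ]; then
        input=$(php -r 'echo PHP_MAJOR_VERSION . "." . PHP_MINOR_VERSION;') || return 1
    fi
    # Split on '.', discarding the patch level; a here-document keeps this
    # POSIX sh compatible (the snippet's <<< here-string needs bash).
    IFS=. read -r major minor _ <<EOF
$input
EOF
    case $major in
        ''|*[!0-9]*) echo "expected major.minor[.patch], got '$input'" >&2; return 1 ;;
    esac
    case $minor in
        ''|*[!0-9]*) echo "expected major.minor[.patch], got '$input'" >&2; return 1 ;;
    esac
    printf '%s.%s\n' "$major" "$minor"
}

# Stand-alone demonstration with constructed inputs: run as `sh file demo`.
if [ "${1:-}" = demo ]; then
    php_major_minor 8.0.30
    php_major_minor 7.4
    php_major_minor 8 || echo "rejected as expected"
fi
```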
