44 commits
0308f9e
tests: phpstan level 0
justlevine Nov 7, 2025
b427ca6
Merge branch 'trunk' into tests/phpstan/level-0
justlevine Jan 16, 2026
a741131
chore: phpstan v2 and post merge cleanup
justlevine Jan 16, 2026
88c5426
chore: cleanup readme
justlevine Jan 16, 2026
03b4080
tests: remove unnecessary @phpstan-ignore
justlevine Jan 16, 2026
cd1149a
docs: add `never|void` return type to `wp_die()`
justlevine Jan 16, 2026
aec7e74
ci: run `build:dev`
justlevine Jan 16, 2026
acfeb8d
Merge branch 'trunk' into tests/phpstan/level-0
westonruter Feb 12, 2026
d429181
Update src/wp-includes/functions.php
justlevine Feb 12, 2026
de6d304
Update tests/phpstan/bootstrap.php
justlevine Feb 12, 2026
d43edb1
Update tests/phpstan/README.md
justlevine Feb 12, 2026
8e5e8b0
Update .github/workflows/php-static-analysis.yml
justlevine Feb 12, 2026
75c8c54
Merge branch 'trunk' into tests/phpstan/level-0
justlevine Feb 12, 2026
4c255e5
PHPStan: Use explicit paths to avoid hanging on wp-content traversal
westonruter Feb 16, 2026
522147a
Remove excludePaths for non-PHP directories since files already excluded
westonruter Feb 16, 2026
f77df14
Merge branch 'trunk' of https://github.com/WordPress/wordpress-develo…
westonruter Feb 16, 2026
baf4516
Address issues with class-wp-html-processor.php which required it to …
westonruter Feb 16, 2026
1603823
Fix return types for core themes
westonruter Feb 16, 2026
367af1c
Add variable return type for WP_Theme::get()
westonruter Feb 16, 2026
ae6c4b6
Ensure Customizer setting exists before setting transport to postMessage
westonruter Feb 16, 2026
9d178c6
Pass empty strings instead of null in twenty_twenty_one_generate_css()
westonruter Feb 16, 2026
b1005dc
Ensure Twenty_Twenty_One_SVG_Icons::get_svg() always returns string v…
westonruter Feb 16, 2026
f95668e
Merge branch 'trunk' of https://github.com/WordPress/wordpress-develo…
westonruter Feb 16, 2026
2f72407
Fix return types for Customize setting update methods
westonruter Feb 16, 2026
22370b6
Update return value for WP_Customize_Background_Image_Setting::update()
westonruter Feb 16, 2026
199f15f
Use phpstan as composer script name
westonruter Feb 16, 2026
ec446a1
Update phpstan as script name in docs
westonruter Feb 16, 2026
420731d
Rename test:php:stan to typecheck:php
westonruter Feb 16, 2026
e0398cd
Declare 7.0.0 as the version which introduced PHPStan
westonruter Feb 16, 2026
8132f48
Fix paths in readme
westonruter Feb 16, 2026
9ebcf81
Use US spelling of 'analyze' for consistency with the rest of the cod…
westonruter Feb 16, 2026
c87e560
Add baseline.php to list of files which triggers the workflow
westonruter Feb 16, 2026
ee31281
Fix grammar typo in readme
westonruter Feb 16, 2026
1c1cb16
Use same version of actions/cache as rest of codebase
westonruter Feb 16, 2026
cc01268
CI: Optimize PHP Static Analysis by caching Gutenberg build
westonruter Feb 16, 2026
77d9403
Improve placement and formatting of phpstan-return
westonruter Feb 17, 2026
61f8a11
Fix wp_insert_user() so PHPStan won't hang
westonruter Feb 17, 2026
fd8f672
Fix handling of ArrayAccess since PHPStan still would hang
westonruter Feb 17, 2026
512e368
Revert now-unnecessary change since $userdata is always an array
westonruter Feb 17, 2026
dd0727f
Update tests/phpunit/tests/user.php
justlevine Feb 17, 2026
dada996
Add assertion for warning
westonruter Feb 17, 2026
b883096
Merge branch 'trunk' of https://github.com/WordPress/wordpress-develo…
westonruter Feb 17, 2026
646edd0
Merge branch 'trunk' of https://github.com/WordPress/wordpress-develo…
westonruter Feb 18, 2026
03b9766
Update package.json
justlevine Feb 18, 2026
97 changes: 97 additions & 0 deletions .github/workflows/php-static-analysis.yml
@@ -0,0 +1,97 @@
name: PHPStan Static Analysis

on:
# PHPStan testing was introduced in 7.0.0.
push:
branches:
- trunk
- '[7-9].[0-9]'
tags:
- '[7-9].[0-9]'
- '[7-9]+.[0-9].[0-9]+'
pull_request:
branches:
- trunk
- '[7-9].[0-9]'
paths:
# This workflow only scans PHP files.
- '**.php'
# These files configure Composer. Changes could affect the outcome.
- 'composer.*'
# These files configure PHPStan. Changes could affect the outcome.
- 'phpstan.neon.dist'
- 'tests/phpstan/base.neon'
Copilot AI Feb 16, 2026

The workflow paths configuration should also include 'tests/phpstan/bootstrap.php' as changes to this file could affect PHPStan analysis by modifying constant definitions used during static analysis.

Suggested change
- 'tests/phpstan/base.neon'
- 'tests/phpstan/base.neon'
- 'tests/phpstan/bootstrap.php'

Member

Well, I committed this but it actually isn't needed because **.php is already included.

- 'tests/phpstan/baseline.php'
# Confirm any changes to relevant workflow files.
- '.github/workflows/php-static-analysis.yml'
- '.github/workflows/reusable-php-static-analysis.yml'
workflow_dispatch:

# Cancels all previous workflow runs for pull requests that have not completed.
concurrency:
# The concurrency group contains the workflow name and the branch name for pull requests
# or the commit hash for any other events.
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
cancel-in-progress: true

# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}

jobs:
# Runs PHPStan Static Analysis.
phpstan:
name: PHP static analysis
uses: ./.github/workflows/reusable-php-static-analysis.yml
permissions:
contents: read
if: ${{ github.repository == 'WordPress/wordpress-develop' || ( github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' ) }}

slack-notifications:
name: Slack Notifications
uses: ./.github/workflows/slack-notifications.yml
permissions:
actions: read
contents: read
needs: [ phpstan ]
if: ${{ github.repository == 'WordPress/wordpress-develop' && github.event_name != 'pull_request' && always() }}
with:
calling_status: ${{ contains( needs.*.result, 'cancelled' ) && 'cancelled' || contains( needs.*.result, 'failure' ) && 'failure' || 'success' }}
secrets:
SLACK_GHA_SUCCESS_WEBHOOK: ${{ secrets.SLACK_GHA_SUCCESS_WEBHOOK }}
SLACK_GHA_CANCELLED_WEBHOOK: ${{ secrets.SLACK_GHA_CANCELLED_WEBHOOK }}
SLACK_GHA_FIXED_WEBHOOK: ${{ secrets.SLACK_GHA_FIXED_WEBHOOK }}
SLACK_GHA_FAILURE_WEBHOOK: ${{ secrets.SLACK_GHA_FAILURE_WEBHOOK }}

failed-workflow:
name: Failed workflow tasks
runs-on: ubuntu-24.04
permissions:
actions: write
needs: [ slack-notifications ]
if: |
always() &&
github.repository == 'WordPress/wordpress-develop' &&
github.event_name != 'pull_request' &&
github.run_attempt < 2 &&
(
contains( needs.*.result, 'cancelled' ) ||
contains( needs.*.result, 'failure' )
)

steps:
- name: Dispatch workflow run
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
retries: 2
retry-exempt-status-codes: 418
script: |
github.rest.actions.createWorkflowDispatch({
owner: context.repo.owner,
repo: context.repo.repo,
workflow_id: 'failed-workflow.yml',
ref: 'trunk',
inputs: {
run_id: `${context.runId}`,
}
});
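Review bot: the `pull_request` `paths:` filter lists `**.php`, `composer.*` and the PHPStan config files but not `package.json`, `package-lock.json` or `.nvmrc`, even though the reusable workflow this job calls reads `gutenberg.ref` from `package.json` and runs `npm ci` and `npm run build:dev` before the analysis. A pull request that only changes the Gutenberg ref or the build tooling can change the build that is analysed without triggering this workflow; consider adding those files (and `tools/gutenberg/**`, which the Gutenberg cache key already hashes) to the list.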
121 changes: 121 additions & 0 deletions .github/workflows/reusable-php-static-analysis.yml
@@ -0,0 +1,121 @@
##
# A reusable workflow that runs PHP Static Analysis tests.
##
name: PHP Static Analysis

on:
workflow_call:
inputs:
php-version:
description: 'The PHP version to use.'
required: false
type: 'string'
default: 'latest'

# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}

jobs:
# Runs PHP static analysis tests.
#
# Violations are reported inline with annotations.
#
# Performs the following steps:
# - Checks out the repository.
# - Sets up PHP.
# - Logs debug information.
# - Installs Composer dependencies.
# - Configures caching for PHP static analysis scans.
# - Make Composer packages available globally.
# - Runs PHPStan static analysis (with Pull Request annotations).
# - Saves the PHPStan result cache.
# - Ensures version-controlled files are not modified or deleted.
phpstan:
name: Run PHP static analysis
runs-on: ubuntu-24.04
permissions:
contents: read
timeout-minutes: 20

steps:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
persist-credentials: false

- name: Set up Node.js
uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
with:
node-version-file: '.nvmrc'
cache: npm

- name: Set up PHP
uses: shivammathur/setup-php@20529878ed81ef8e78ddf08b480401e6101a850f # v2.35.3
with:
php-version: ${{ inputs.php-version }}
coverage: none
tools: cs2pr

# This date is used to ensure that the Composer cache is cleared at least once every week.
# http://man7.org/linux/man-pages/man1/date.1.html
- name: "Get last Monday's date"
id: get-date
run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT"

- name: General debug information
run: |
npm --version
node --version
composer --version

# Since Composer dependencies are installed using `composer update` and no lock file is in version control,
# passing a custom cache suffix ensures that the cache is flushed at least once per week.
- name: Install Composer dependencies
uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # v3.1.1
with:
custom-cache-suffix: ${{ steps.get-date.outputs.date }}

- name: Make Composer packages available globally
run: echo "${PWD}/vendor/bin" >> "$GITHUB_PATH"

- name: Get Gutenberg ref
id: gutenberg-ref
run: echo "ref=$(node -e 'console.log(require("./package.json").gutenberg.ref)')" >> "$GITHUB_OUTPUT"

- name: Cache Gutenberg
uses: actions/cache@v4
with:
path: |
gutenberg
.gutenberg-hash
key: gutenberg-${{ steps.gutenberg-ref.outputs.ref }}-${{ hashFiles('tools/gutenberg/*') }}

- name: Install npm dependencies
run: npm ci --ignore-scripts

- name: Build WordPress
run: npm run build:dev

- name: Cache PHP Static Analysis scan cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: .cache # This is defined in the base.neon file.
key: "phpstan-result-cache-${{ github.run_id }}"
restore-keys: |
phpstan-result-cache-

- name: Run PHP static analysis tests
id: phpstan
run: phpstan analyse -vvv --error-format=checkstyle | cs2pr
Member

@justlevine Shouldn't this re-use the same wrapper command?

Suggested change
run: phpstan analyse -vvv --error-format=checkstyle | cs2pr
run: composer run phpstan -- -vvv --error-format=checkstyle | cs2pr

Author

@justlevine justlevine Feb 16, 2026

Recently I've been wondering if we need to run the entire thing in wp-env so we can matrix through the supported PHP versions. Even with the php min/maxes in the .neon I still see different errors depending on the php version I run against. 🤔

Thoughts?

Member

Hummm. I don't know. I should think that we'd only run it on the highest version of PHP supported which we run PHPUnit in.

Author

So that was my instinct too, but related to your point re wp-content/*, we want all developers to be able to run phpstan locally with the command passing, not just if they're on a specific php version. If your get_file() smell wasn't caused by the new build process or your change to the neon, then the reason it wasn't caught was because neither the version locally nor the ci version would catch that.

(Iirc another example of this is our \GDImage references will fail when run against PHP7.4 because even though doctypes are back-compat, phpstan still recognizes the incompatibility.)


- name: "Save result cache"
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
if: ${{ !cancelled() }}
with:
path: .cache
key: "phpstan-result-cache-${{ github.run_id }}"

- name: Ensure version-controlled files are not modified or deleted
run: git diff --exit-code
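Review bot: the `Cache Gutenberg` step uses `actions/cache@v4`, a mutable tag, while every other action in this file is pinned to a full commit SHA with the version in a trailing comment. Pin it the same way, using the SHA the two PHPStan cache steps already reference (`actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0`), so a retagged release cannot change what runs in this job.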
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -23,6 +23,7 @@ wp-tests-config.php
/gutenberg
/tests/phpunit/build
/wp-cli.local.yml
/phpstan.neon
/jsdoc
/composer.lock
/vendor
2 changes: 2 additions & 0 deletions composer.json
Expand Up @@ -23,6 +23,7 @@
"squizlabs/php_codesniffer": "3.13.5",
"wp-coding-standards/wpcs": "~3.3.0",
"phpcompatibility/phpcompatibility-wp": "~2.1.3",
"phpstan/phpstan": "~2.1.33",
Copilot AI Feb 12, 2026

The version constraint "~2.1.33" is very specific and may cause issues. The tilde operator (~) for a three-part version like 2.1.33 means ">=2.1.33 <2.2.0". This constraint locks to a specific patch version which may not exist or may prevent receiving important bug fixes. Consider using "^2.1" (which means ">=2.1.0 <3.0.0") or "~2.1.0" (which means ">=2.1.0 <2.2.0") instead to allow flexibility for patch updates while staying within the same minor version

Suggested change
"phpstan/phpstan": "~2.1.33",
"phpstan/phpstan": "~2.1.0",

Author

@westonruter what are your thoughts on this one?

I definitely think we should pin at the version we commit, but I wouldn't want to Semver because contextually "nonbreaking enhancements" are breaking from an implementation POV if they create a new quality gate.

Member

That makes sense to me. So switching to ~2.1.0 would keep it at 2.1.x. This seems necessary because there is no composer.lock, which actually is curious since we have package-lock.json. If we had a composer.lock then we'd be free to use ^2.1. But I suppose we can't use it because of the different versions of PHP which may end up getting used when doing composer install.

So yeah, I guess go with ~2.1.0 and not ^2.1. When PHPStan 2.2 comes out, we'll have to manually upgrade.

Author

Depending on when we merge, there might be some value to pinning a minimum patch release too, e.g. phpstan/phpstan#8438 (comment). Leaving this for now, and might even bump it if this PR lingers. Keeping the issue open as a reminder to drop this as low as we think is worthwhile before we merge.

"yoast/phpunit-polyfills": "^1.1.0"
},
"config": {
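Review bot: `~2.1.33` on the added `phpstan/phpstan` line is a range (>=2.1.33 <2.2.0), and with `"lock": false` in the `config` block below there is no lock file recording which release was resolved, so CI and local runs can analyse with different 2.1.x patches and a new patch can change the reported errors without any commit. The neighbouring `squizlabs/php_codesniffer` entry is pinned exactly (`3.13.5`); if the goal is a stable quality gate, pin PHPStan to an exact version the same way and bump it deliberately.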
Expand All @@ -32,6 +33,7 @@
"lock": false
},
"scripts": {
"phpstan": "@php ./vendor/bin/phpstan analyse --memory-limit=2G",
"compat": "@php ./vendor/squizlabs/php_codesniffer/bin/phpcs --standard=phpcompat.xml.dist --report=summary,source",
"format": "@php ./vendor/squizlabs/php_codesniffer/bin/phpcbf --report=summary,source",
"lint": "@php ./vendor/squizlabs/php_codesniffer/bin/phpcs --report=summary,source",
1 change: 1 addition & 0 deletions package.json
Expand Up @@ -130,6 +130,7 @@
"test:coverage": "npm run test:php -- --coverage-html ./coverage/html/ --coverage-php ./coverage/php/report.php --coverage-text=./coverage/text/report.txt",
"test:e2e": "wp-scripts test-playwright --config tests/e2e/playwright.config.js",
"test:visual": "wp-scripts test-playwright --config tests/visual-regression/playwright.config.js",
"typecheck:php": "node ./tools/local-env/scripts/docker.js run --rm php composer phpstan",
"gutenberg:checkout": "node tools/gutenberg/checkout-gutenberg.js",
"gutenberg:build": "node tools/gutenberg/build-gutenberg.js",
"gutenberg:copy": "node tools/gutenberg/copy-gutenberg-build.js",
3 changes: 3 additions & 0 deletions phpcs.xml.dist
Expand Up @@ -81,6 +81,9 @@
<exclude-pattern>/tests/phpunit/build*</exclude-pattern>
<exclude-pattern>/tests/phpunit/data/*</exclude-pattern>

<!-- PHPStan bootstrap, stubs, and baseline. -->
<exclude-pattern>/tests/phpstan/*</exclude-pattern>

<exclude-pattern>/tools/*</exclude-pattern>

<!-- Drop-in plugins. -->
36 changes: 36 additions & 0 deletions phpstan.neon.dist
@@ -0,0 +1,36 @@
# PHPStan configuration for WordPress Core.
#
# To overload this configuration, copy this file to phpstan.neon and adjust as needed.
#
# https://phpstan.org/config-reference

includes:
# The base configuration file for using PHPStan with the WordPress core codebase.
- tests/phpstan/base.neon

# The baseline file includes preexisting errors in the codebase that should be ignored.
# https://phpstan.org/user-guide/baseline
- tests/phpstan/baseline.php

parameters:
# https://phpstan.org/user-guide/rule-levels
level: 0
reportUnmatchedIgnoredErrors: true

ignoreErrors:
# Level 0:
- # Inner functions aren't supported by PHPStan.
message: '#Function wxr_[a-z_]+ not found#'
path: src/wp-admin/includes/export.php
-
identifier: function.inner
path: src/wp-admin/includes/export.php
count: 13
-
identifier: function.inner
path: src/wp-admin/includes/file.php
count: 1
-
identifier: function.inner
path: src/wp-includes/canonical.php
count: 1
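Review bot: the first `ignoreErrors` entry matches by `message` regex and has no `count`, unlike the three `function.inner` entries below it, so any number of "Function wxr_... not found" errors in `export.php` is suppressed and a newly misspelled `wxr_` call would go unreported. Add a `count` for the current number of matches and, if those errors share one identifier, match on that `identifier` as well as the message so the entry is as tight as the others.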
1 change: 1 addition & 0 deletions src/wp-admin/includes/class-wp-filesystem-ssh2.php
Expand Up @@ -672,6 +672,7 @@ public function size( $file ) {
* Default 0.
*/
public function touch( $file, $time = 0, $atime = 0 ) {
// @phpstan-ignore-next-line
// Not implemented.
}
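Review bot: the added `// @phpstan-ignore-next-line` in `touch()` names no error identifier, and the line it precedes is the `// Not implemented.` comment, so it is not clear from the code which error it is meant to silence or whether it matches anything. Use the identifier form this PR already uses in `press-this.php` (`// @phpstan-ignore <identifier>`) with a short reason, or move the known error into the baseline.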

4 changes: 2 additions & 2 deletions src/wp-admin/press-this.php
Expand Up @@ -22,8 +22,8 @@ function wp_load_press_this() {
403
);
} elseif ( is_plugin_active( $plugin_file ) ) {
include WP_PLUGIN_DIR . '/press-this/class-wp-press-this-plugin.php';
$wp_press_this = new WP_Press_This_Plugin();
include WP_PLUGIN_DIR . '/press-this/class-wp-press-this-plugin.php'; // @phpstan-ignore include.fileNotFound
$wp_press_this = new WP_Press_This_Plugin(); // @phpstan-ignore class.notFound
$wp_press_this->html();
} elseif ( current_user_can( 'activate_plugins' ) ) {
if ( file_exists( WP_PLUGIN_DIR . '/' . $plugin_file ) ) {
Expand Up @@ -212,7 +212,7 @@ public static function delete_transient() {
* @since Twenty Fourteen 1.0
*
* @param WP_Query $query WP_Query object.
* @return WP_Query Possibly-modified WP_Query.
* @return void
*/
public static function pre_get_posts( $query ) {

6 changes: 3 additions & 3 deletions src/wp-content/themes/twentytwenty/inc/template-tags.php
Expand Up @@ -29,7 +29,7 @@
*
* @param array $args Arguments for displaying the site logo either as an image or text.
* @param bool $display Display or return the HTML.
* @return string Compiled HTML based on our arguments.
* @return string|void Compiled HTML based on our arguments.
*/
function twentytwenty_site_logo( $args = array(), $display = true ) {
$logo = get_custom_logo();
Expand Down Expand Up @@ -107,7 +107,7 @@ function twentytwenty_site_logo( $args = array(), $display = true ) {
* @since Twenty Twenty 1.0
*
* @param bool $display Display or return the HTML.
* @return string The HTML to display.
* @return string|void The HTML to display.
*/
function twentytwenty_site_description( $display = true ) {
$description = get_bloginfo( 'description' );
Expand Down Expand Up @@ -249,7 +249,7 @@ function twentytwenty_edit_post_link( $link, $post_id, $text ) {
*
* @param int $post_id The ID of the post.
* @param string $location The location where the meta is shown.
* @return string Post meta HTML.
* @return string|void Post meta HTML.
*/
function twentytwenty_get_post_meta( $post_id = null, $location = 'single-top' ) {
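Review bot: in all three docblocks the type becomes `string|void` but the description still covers only the string case, and `twentytwenty_get_post_meta()` has no `$display` parameter in its visible signature to explain when nothing is returned. Say in each `@return` description under which condition the function returns nothing, so callers know when the return value can be used.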

Expand Up @@ -35,8 +35,12 @@ public function __construct() {
public function register( $wp_customize ) {

// Change site-title & description to postMessage.
$wp_customize->get_setting( 'blogname' )->transport = 'postMessage'; // @phpstan-ignore-line. Assume that this setting exists.
$wp_customize->get_setting( 'blogdescription' )->transport = 'postMessage'; // @phpstan-ignore-line. Assume that this setting exists.
foreach ( array( 'blogname', 'blogdescription' ) as $setting_id ) {
$setting = $wp_customize->get_setting( $setting_id );
if ( $setting ) {
$setting->transport = 'postMessage';
}
}

// Add partial for blogname.
$wp_customize->selective_refresh->add_partial(
Expand Up @@ -98,7 +98,7 @@ public function enqueue_scripts() {
if ( is_rtl() ) {
$url = get_template_directory_uri() . '/assets/css/style-dark-mode-rtl.css';
}
wp_enqueue_style( 'tt1-dark-mode', $url, array( 'twenty-twenty-one-style' ), wp_get_theme()->get( 'Version' ) ); // @phpstan-ignore-line. Version is always a string.
wp_enqueue_style( 'tt1-dark-mode', $url, array( 'twenty-twenty-one-style' ), wp_get_theme()->get( 'Version' ) );
}

/**
Expand Up @@ -189,10 +189,9 @@ public static function get_svg( $group, $icon, $size ) {
if ( array_key_exists( $icon, $arr ) ) {
$repl = sprintf( '<svg class="svg-icon" width="%d" height="%d" aria-hidden="true" role="img" focusable="false" ', $size, $size );

$svg = preg_replace( '/^<svg /', $repl, trim( $arr[ $icon ] ) ); // Add extra attributes to SVG code.
$svg = (string) preg_replace( '/^<svg /', $repl, trim( $arr[ $icon ] ) ); // Add extra attributes to SVG code.
}

// @phpstan-ignore-next-line.
return $svg;
}
