Skip to content

Static Analyzer (PHPStan) Integration #671

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
UlrichEckhardt wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Static Analyzer (PHPStan) Integration #671

UlrichEckhardt wants to merge 5 commits into from

Conversation

@UlrichEckhardt
Copy link
Contributor

@UlrichEckhardt UlrichEckhardt commented Jan 22, 2024

Greetings,

this PR integrates PHPStan into the Clockwork sources. The analyzer is automatically executed on every push using a Github action. As alternatives to PHPStan, there would be Psalm and perhaps SonarQube. I have worked with Psalm before and it works similarly to PHPStan. About SonarQube, I can't say much, but it seems to have a much larger scope. In particular, it provides a multi-language (not just PHP) framework and also includes support for making code reviews.

If you look at the README, there is a section on how to work with PHPStan, also the commit messages should contain some interesting context infos.

As for what drove me to develop this

  • It helps find bugs (two of them just recently fixed as byproducts from this integration).
  • It prevents regressions.
  • It gives the devs more time to work on the important stuff. ;)

Cheers!

Uli

@UlrichEckhardt UlrichEckhardt mentioned this pull request Feb 2, 2024
Closed
@UlrichEckhardt UlrichEckhardt mentioned this pull request Feb 12, 2024
Closed
@UlrichEckhardt UlrichEckhardt force-pushed the feat/phpstan branch 4 times, most recently from 7df86c9 to 861d949 Compare February 24, 2024 16:00
@UlrichEckhardt UlrichEckhardt force-pushed the feat/phpstan branch 3 times, most recently from 659e30c to dbfeee5 Compare March 19, 2024 19:22
@itsgoingd
Copy link
Owner

itsgoingd commented Apr 20, 2025

Hey, I'm not sure how I feel about this, hence the delay in responding.

I can see how this can be helpful, but on the other hand also very annoying with false positives, especially in the slightly unconventional Clockwork code-base.

Anyway, before we can think about trying this, we need to solve two big problems:

  • How to deal with third-party dependencies. One solution would be to require-dev everything, which I'm not excited about, but whatever. The unique issue with Clockwork is, that we sometimes support multiple versions of a dependency, and we can't install all of them at the same time. 🤔
  • Obviously we can't do level 9, as demonstrated by the incredible amount of exceptions needed to make it pass. We would need to settle on a lower level and possibly even some custom configuration to get around the Clockwork code-base quirks.

Thanks for the PR tho.

@UlrichEckhardt
Composer: Install PHPStan as dev-dependency
6475c5c 
Specifically that is
- phpstan/phpstan - the linter itself
- phpstan/extension-installer - convenience package for loading extensions
- spaze/phpstan-disallowed-calls - an extension that checks for some additional flaws
@UlrichEckhardt
PHPStan: Add configuration
235454d
@UlrichEckhardt
PHPStan: Add baseline
3bba431 
The baseline lists the existing flaws that were found. This has two uses:
- We can use a high sensitivity for scanning, without having to fix all
  issues right away.
- It still prevents new issues from coming up and also tracks resolved
  issues.
@UlrichEckhardt
Github: Run PHPStan as action on every push
91e824a 
This should prevent regressions in code flaws detected by PHPStan. Also,
PHPStan complains when the baseline is not advanced after fixing a flaw.
This should prevent a flaw from reappearing later on.
@UlrichEckhardt
README.md: Add a section on PHPStan use
a96df53
@UlrichEckhardt
Copy link
Contributor Author

UlrichEckhardt commented Apr 21, 2025

About how to deal with third-party dependencies, I have no idea. I never worked on a similar codebase that had so many "optional" parts. The approach I took here was to simply restrict scanning to the core components and ignore the optional ones. I could imagine running multiple scans with different third-party dependencies installed, but I have no clear idea how to manage that.

The scanning level 9 isn't actually a problem. Yes, it finds lots of issues, but it doesn't raise them as errors. Instead, they first get matched against the known ones in the baseline. That way, you will only receive notifications for code that is touched by your own changes, and that isn't much in practice.

I just updated the PR, there were some changes to the code it scanned. Still, I'm also not fully satisfied by the use of a baseline in the code. What I prefer is the Code Quality feature of GitLab, which manages the baseline for you as part of its CI/CD. That relieves you from any manual baseline management and it integrates in the code review.

@UlrichEckhardt
Copy link
Contributor Author

UlrichEckhardt commented Apr 22, 2025
edited
Loading

Take a look at UlrichEckhardt#6. This makes any baseline completely redundant, because that is now managed by GitHub's infrastructure and properly integrated into the PRs. I think that this could be the way to go.

What do you think?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@UlrichEckhardt @itsgoingd