feat: move to Github actions #356

Merged
fabianwgl merged 5 commits into master from feat/gh-actions
Dec 2, 2025

@fabianwgl (Collaborator) commented Nov 28, 2025

User description

PR Type

Enhancement

Description

  • Migrate CI/CD from Travis CI to GitHub Actions

  • Add comprehensive test matrix for PHP 5.6-8.2 versions

  • Include PHPCS linting and PHPUnit testing workflows

  • Update README badge to reflect GitHub Actions status

Diagram Walkthrough

flowchart LR
  TravisCI["Travis CI<br/>(.travis.yml)"] -- "migrate to" --> GHA["GitHub Actions<br/>(.github/workflows/test.yml)"]
  GHA -- "runs" --> PHPCS["PHPCS Linting<br/>PHP 7.4"]
  GHA -- "runs" --> PHPUnit["PHPUnit Tests<br/>PHP 5.6-8.2"]
  README["README.md"] -- "update badge" --> GHABadge["GitHub Actions Badge"]

File Walkthrough

Relevant files

Configuration changes

test.yml: GitHub Actions test workflow configuration
.github/workflows/test.yml (+121/-0)

  • New GitHub Actions workflow file for automated testing
  • Defines test matrix with 10 PHP versions (5.6 to 8.2)
  • Configures PHPCS linting for PHP 7.4
  • Sets up MySQL service and installs dependencies
  • Runs PHPUnit tests with version-specific configurations

.travis.yml: Remove Travis CI configuration
.travis.yml (+0/-104)

  • Removed entire Travis CI configuration file
  • Replaces legacy CI/CD pipeline with GitHub Actions

Documentation

README.md: Update CI status badge to GitHub Actions
README.md (+1/-1)

  • Update CI status badge from Travis CI to GitHub Actions
  • Change badge URL to point to GitHub Actions workflow
  • Maintain same visual placement in documentation

CodeAnt-AI Description

Improve SVN add-on file fetching and migrate tests to GitHub Actions

What Changed

  • Fetching add-on files from SVN now sends a browser-like request and falls back to a direct SVN command if the web request fails, reducing cases where add-on data cannot be loaded
  • Automated tests now run on GitHub Actions across supported PHP (5.6–8.2) and WordPress versions, replacing the previous Travis CI setup

Impact

✅ Fewer failures when loading add-on data from SVN
✅ More reliable add-on behavior on hosts that block HTTP fetches
✅ Lower risk of PHP/WordPress compatibility regressions in new releases

codeant-ai bot commented Nov 28, 2025

CodeAnt AI is reviewing your PR.

qodo-code-review bot commented Nov 28, 2025

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance

Insecure service port exposure

Description: The MySQL service maps container port 3306 to host port 3306, potentially conflicting with host services or exposing the database port unnecessarily on the runner; omit explicit port mapping to use service containers securely.
test.yml [71-76]

Referred Code
image: mysql:5.7
env:
  MYSQL_ROOT_PASSWORD: root
ports:
  - 3306:3306
options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3

Hardcoded credentials

Description: Hardcoded MySQL root password 'root' in the workflow environment could leak via logs or forks; use GitHub Secrets or non-privileged users instead.
test.yml [73-74]

Referred Code
  MYSQL_ROOT_PASSWORD: root
ports:

Unverified binary download

Description: PHPUnit is downloaded via HTTP(S) without checksum or signature verification, enabling potential supply-chain tampering; verify against a SHA256 or GPG signature before execution.
test.yml [110-111]

Referred Code
wget -q https://phar.phpunit.de/phpunit-$PHPUNIT_VERSION.phar -O /tmp/phpunit
chmod +x /tmp/phpunit

Unpinned action versions

Description: The workflow pins to broad action versions (e.g., 'actions/checkout@v4', 'shivammathur/setup-php@v2') which are mutable and could introduce supply-chain risk; pin to immutable commit SHAs.
test.yml [83-89]

Referred Code
uses: shivammathur/setup-php@v2
with:
  php-version: ${{ matrix.php }}
  extensions: mysql, mysqli, pdo, pdo_mysql, zip, libonig5
  coverage: none
  tools: composer:v2

Deprecated extension enabled

Description: Enabling the legacy 'mysql' PHP extension may reduce security posture and is deprecated; prefer 'mysqli' or 'pdo_mysql' only to minimize attack surface.
test.yml [86-86]

Referred Code
extensions: mysql, mysqli, pdo, pdo_mysql, zip, libonig5
coverage: none

Ticket Compliance
🎫 No ticket provided

Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
Missing audit logs: The workflow adds CI jobs but does not include any explicit audit logging of critical
actions; if audit trails are required for CI events, this change lacks such
instrumentation.

Referred Code
jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - php: '7.4'
            env:
              PHPCS: '1'
            name: 'PHP 7.4 Lint'
          - php: '8.2'
            env:
              PHPUNIT_VERSION: '9.6.7'
              WP: 'latest'
            name: 'PHP 8.2 / WP latest'
          - php: '8.1'
            env:
              PHPUNIT_VERSION: '9.6.7'
              WP: 'latest'
            name: 'PHP 8.1 / WP latest'


 ... (clipped 91 lines)

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
No failure handling: The workflow steps (e.g., downloading PHPUnit, installing WP tests) do not include retries
or graceful fallbacks, which may cause brittle failures without contextual diagnostics.

Referred Code
- name: Setup Test Environment
  if: matrix.env.PHPCS != '1'
  env:
    PHPUNIT_VERSION: ${{ matrix.env.PHPUNIT_VERSION }}
    WP_VERSION: ${{ matrix.env.WP }}
  run: |
    # Install WP Tests
    bash bin/install-wp-tests.sh wordpress_test root root 127.0.0.1:$((3306)) $WP_VERSION

    # Install PHPUnit
    wget -q https://phar.phpunit.de/phpunit-$PHPUNIT_VERSION.phar -O /tmp/phpunit
    chmod +x /tmp/phpunit

- name: Install Polyfills
  if: matrix.env.PHPCS != '1'
  run: composer require yoast/phpunit-polyfills

- name: Run Tests
  if: matrix.env.PHPCS != '1'
  run: |
    /tmp/phpunit


 ... (clipped 1 lines)

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status:
Secrets handling risk: The workflow uses MySQL with a hardcoded root password 'root' which may surface
in logs or encourage insecure patterns, and no masking or secrets usage is shown.

Referred Code
mysql:
  image: mysql:5.7
  env:
    MYSQL_ROOT_PASSWORD: root
  ports:
    - 3306:3306
  options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Insecure defaults: The workflow config sets up services and downloads tools over HTTPS without checksum
verification and uses default DB credentials, which may not meet strict security
validation requirements.

Referred Code
  mysql:
    image: mysql:5.7
    env:
      MYSQL_ROOT_PASSWORD: root
    ports:
      - 3306:3306
    options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3

steps:
  - name: Checkout code
    uses: actions/checkout@v4

  - name: Setup PHP
    uses: shivammathur/setup-php@v2
    with:
      php-version: ${{ matrix.php }}
      extensions: mysql, mysqli, pdo, pdo_mysql, zip, libonig5
      coverage: none
      tools: composer:v2

  - name: Install dependencies (PHPCS)


 ... (clipped 31 lines)

Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
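
A small line-based audit for three of the findings in the compliance guide above (action refs not pinned to a commit SHA, a literal database password, a download with no checksum or signature check in the same step). This is an added example, not code from the PR or from any of the review bots; `audit_workflow`, the rule names and the joined sample file are assumptions made for illustration.

```python
import re

# Constructed sample: fragments quoted in the review above, joined into one
# file. Indentation and step order are assumptions; the PR's file is clipped.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    runs-on: ubuntu-latest
    services:
      mysql:
        image: mysql:5.7
        env:
          MYSQL_ROOT_PASSWORD: root
        ports:
          - 3306:3306
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup PHP
        uses: shivammathur/setup-php@v2
      - name: Setup Test Environment
        run: |
          wget -q https://phar.phpunit.de/phpunit-$PHPUNIT_VERSION.phar -O /tmp/phpunit
          chmod +x /tmp/phpunit
"""

STEP_RE = re.compile(r"^\s*-\s+\w[\w-]*:")        # a new list item starts here
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"@[0-9a-f]{40}$")       # ref is a full commit SHA
PASSWORD_RE = re.compile(r"^\s*(\w*PASSWORD\w*):\s*(.+?)\s*$")
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl)\b.*https?://")
VERIFY_RE = re.compile(r"\b(?:sha256sum|shasum|gpg)\b")


def audit_workflow(text):
    """Return sorted (line_number, rule) findings for one workflow file.

    Heuristic only: it scans lines with regexes instead of parsing YAML.
    """
    findings = []
    item = 0            # counter bumped at every list item, used as a step id
    downloads = {}      # step id -> line numbers that fetch a remote file
    verified = set()    # step ids that also run a checksum/signature tool
    for line_no, line in enumerate(text.splitlines(), 1):
        if STEP_RE.match(line):
            item += 1
        uses = USES_RE.match(line)
        if uses:
            ref = uses.group(1)
            # Local actions (./path) have no ref to pin; everything else
            # must end in a 40-hex commit SHA to count as immutable.
            if not ref.startswith("./") and not FULL_SHA_RE.search(ref):
                findings.append((line_no, "unpinned-action"))
        secret = PASSWORD_RE.match(line)
        if secret and "secrets." not in secret.group(2):
            findings.append((line_no, "hardcoded-password"))
        if DOWNLOAD_RE.search(line):
            downloads.setdefault(item, []).append(line_no)
        if VERIFY_RE.search(line):
            verified.add(item)
    for step_id, line_nos in downloads.items():
        if step_id not in verified:
            findings.extend((n, "unverified-download") for n in line_nos)
    return sorted(findings)


if __name__ == "__main__":
    for line_no, rule in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {rule}")
```
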

@codeant-ai codeant-ai bot added the size:L This PR changes 100-499 lines, ignoring generated files label Nov 28, 2025

pantoaibot bot commented Nov 28, 2025

PR Summary:

Move CI from Travis to GitHub Actions and add a matrix-based test workflow; update README badge.

  • Added .github/workflows/test.yml: new GitHub Actions workflow named "Test" that runs on push and pull_request.

    • Matrixed jobs across PHP versions 5.6, 7.0–7.4, 8.0–8.2 with specific PHPUnit & WordPress versions.
    • Includes a PHPCS-only job (PHP 7.4) and multiple PHPUnit test jobs, running tests also with WP_MULTISITE=1.
    • Uses actions/checkout@v4 and shivammathur/setup-php@v2, installs MySQL 5.7 service for tests.
    • Installs WP test environment via bin/install-wp-tests.sh, downloads phpunit phar to /tmp/phpunit, installs yoast/phpunit-polyfills, then runs tests.
    • Runs both standard and multisite PHPUnit runs; composer installed for PHPCS job.
  • README.md: replaced Travis CI build badge with GitHub Actions "Test" workflow badge.

No code logic changes to the plugin itself.

Reviewed by Panto AI

codeant-ai bot commented Nov 28, 2025

CodeAnt AI finished reviewing your PR.

qodo-code-review bot commented Nov 28, 2025

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Possible issue

Use correct database service hostname

Change the database host from 127.0.0.1 to the service name mysql to ensure a
successful connection to the database container.

.github/workflows/test.yml [107]

-bash bin/install-wp-tests.sh wordpress_test root root 127.0.0.1:$((3306)) $WP_VERSION
+bash bin/install-wp-tests.sh wordpress_test root root mysql:3306 $WP_VERSION
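Review bot: the replacement host `mysql:3306` on the `+` line only resolves when the job itself runs inside a container. The excerpts quoted earlier in this thread show `runs-on: ubuntu-latest` and a `ports: - 3306:3306` mapping, which is the setup where steps run on the runner and reach the service on the loopback address through the mapped port. Unless the clipped part of the workflow adds a `container:` key to the job, keep the loopback host and only drop the `$((3306))` arithmetic expansion, i.e. `127.0.0.1:3306`.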

Suggestion importance [1-10]: 9

Why: This is a critical correction; the workflow would fail to connect to the MySQL service using 127.0.0.1 because the service is accessible via its name, mysql, on the Docker network.

Impact: High

Correctly configure PHP extensions setup

In the setup-php step, replace the system library libonig5 with the correct PHP
extension mbstring to prevent workflow failure.

.github/workflows/test.yml [86]

-extensions: mysql, mysqli, pdo, pdo_mysql, zip, libonig5
+extensions: mysql, mysqli, pdo, pdo_mysql, zip, mbstring

Suggestion importance [1-10]: 9

Why: This is a critical fix, as libonig5 is a system library, not a PHP extension, and its inclusion would cause the setup-php step to fail. Replacing it with the mbstring extension is the correct approach.

Impact: High

Category: High-level

Simplify the GitHub Actions matrix

Refactor the GitHub Actions workflow matrix to be less repetitive and more
maintainable. This can be achieved by using matrix axes for variables like PHP
versions instead of a long list of include entries.

Examples:

.github/workflows/test.yml [13-65]
    strategy:
      fail-fast: false
      matrix:
        include:
          - php: '7.4'
            env:
              PHPCS: '1'
            name: 'PHP 7.4 Lint'
          - php: '8.2'
            env:

 ... (clipped 43 lines)

Solution Walkthrough:

Before:

jobs:
  test:
    strategy:
      fail-fast: false
      matrix:
        include:
          - php: '7.4'
            env:
              PHPCS: '1'
            name: 'PHP 7.4 Lint'
          - php: '8.2'
            env:
              PHPUNIT_VERSION: '9.6.7'
              WP: 'latest'
            name: 'PHP 8.2 / WP latest'
          # ... many more repetitive entries

After:

jobs:
  test:
    strategy:
      fail-fast: false
      matrix:
        php: ['8.2', '8.1', '8.0', '7.4', '7.3', '7.2', '7.1', '7.0', '5.6']
        task: ['test']
        include:
          - php: '7.4'
            task: 'lint'
            name: 'PHP 7.4 Lint'
          - php: '8.2'
            phpunit: '9.6.7'
            wp: 'latest'
          # ... other version-specific variables
        exclude:
          - php: '7.4'
            task: 'test'

Suggestion importance [1-10]: 7

Why: The suggestion correctly identifies that the GitHub Actions matrix is verbose and repetitive, and refactoring it would improve maintainability, which is a significant quality improvement for the new CI workflow.

Impact: Medium

uses: shivammathur/setup-php@v2
with:
php-version: ${{ matrix.php }}
extensions: mysql, mysqli, pdo, pdo_mysql, zip, libonig5

[CRITICAL_BUG] The extensions list contains invalid or inappropriate entries for shivammathur/setup-php: mysql doesn’t exist in modern PHP, pdo is not a valid extension token for the action, and libonig5 is a Debian package name (not the PHP extension). Replace with actual PHP extension names supported by the action (for example: mysqli, pdo_mysql, zip, mbstring) and remove mysql/pdo and libonig5.

extensions: mysqli, pdo_mysql, zip, mbstring

Comment on lines +74 to +76
ports:
- 3306:3306
options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3

[CRITICAL_BUG] Mapping the MySQL service to host port 3306:3306 can cause port conflicts on the runner and is unnecessary for service containers in GitHub Actions. Remove the ports: mapping and rely on the service network (use localhost or the service hostname provided by Actions). Also confirm the --health-cmd works for the image used; if you need stricter health checks prefer --health-cmd='mysqladmin ping -p$MYSQL_ROOT_PASSWORD' or rely on built-in images' defaults.

# Remove the ports mapping
services:
  mysql:
    image: mysql:5.7
    env:
      MYSQL_ROOT_PASSWORD: root
    options: --health-cmd="mysqladmin ping -p$MYSQL_ROOT_PASSWORD" --health-interval=10s --health-timeout=5s --health-retries=3

Comment on lines 83 to 88
uses: shivammathur/setup-php@v2
with:
php-version: ${{ matrix.php }}
extensions: mysql, mysqli, pdo, pdo_mysql, zip, libonig5
coverage: none
tools: composer:v2

[REFACTORING] You're using shivammathur/setup-php@v2. Consider updating to a maintained/latest major tag (e.g. shivammathur/setup-php@v4 as of recent versions) and pin to a specific minor if you need reproducibility. Also verify the tools: composer:v2 and coverage values are what you expect for all matrix entries.

uses: shivammathur/setup-php@v4

Comment on lines +113 to +116
- name: Install Polyfills
if: matrix.env.PHPCS != '1'
run: composer require yoast/phpunit-polyfills

[CRITICAL_BUG] Running composer require yoast/phpunit-polyfills in CI will attempt to modify composer.json/composer.lock in the workspace and may fail on older PHP versions or with missing composer setup. Instead: (1) Add yoast/phpunit-polyfills to your dev dependencies in composer.json and commit the lockfile, then run composer install --no-interaction --prefer-dist in CI; or (2) run composer install to pull dependencies from composer.lock before tests. Avoid composer require during the job.

WP_VERSION: ${{ matrix.env.WP }}
run: |
# Install WP Tests
bash bin/install-wp-tests.sh wordpress_test root root 127.0.0.1:$((3306)) $WP_VERSION

[VALIDATION] The call to bin/install-wp-tests.sh uses 127.0.0.1:$((3306)); $((3306)) is an unnecessary arithmetic expansion and looks odd. Use 127.0.0.1:3306 or pass host and port in the format the script expects. Confirm the script expects a single host:port argument and adjust accordingly.

bash bin/install-wp-tests.sh wordpress_test root root 127.0.0.1:3306 $WP_VERSION

Comment on lines +109 to +112
# Install PHPUnit
wget -q https://phar.phpunit.de/phpunit-$PHPUNIT_VERSION.phar -O /tmp/phpunit
chmod +x /tmp/phpunit

[REFACTORING] Downloading phpunit via wget without verification can cause non-reproducible builds and security risks. Prefer installing PHPUnit via composer (commit the lockfile) or use a maintained action/setup-php tool integration that provides phpunit. If you must download the PHAR, verify the checksum/signature for the version you download and ensure the phpunit version is compatible with the current PHP matrix entry.

# Travis CI Status

[![Build Status](https://travis-ci.com/CybotAS/CookiebotWP.svg?branch=master)](https://app.travis-ci.com/github/CybotAS/CookiebotWP)
[![Test](https://github.com/CybotAS/CookiebotWP/actions/workflows/test.yml/badge.svg)](https://github.com/CybotAS/CookiebotWP/actions/workflows/test.yml)

[NITPICK] You replaced the Travis badge with a generic GitHub Actions badge titled Test. Consider using a clearer badge text or updating the workflow name to something descriptive (e.g., CI / Tests) so the badge conveys what it represents.

[![CI / Tests](https://github.com/CybotAS/CookiebotWP/actions/workflows/test.yml/badge.svg)](https://github.com/CybotAS/CookiebotWP/actions/workflows/test.yml)

Or, update the workflow name in .github/workflows/test.yml to a more descriptive name like CI / Tests:

name: CI / Tests

pantoaibot bot commented Nov 28, 2025

Reviewed up to commit: 9ec6636c297997564b5178d577c19e333f9100f8

Additional Suggestion
.github/workflows/test.yml, line:16-65 The matrix includes many very old PHP versions (5.6, 7.0, 7.1, 7.2, 7.3, etc.). These versions are EOL and may not be supported by actions, setup-php, or many libraries. Trim the matrix to supported/supported-by-your-plugin PHP versions or document explicit support policy. Running many EOL versions increases CI time and failure surface.
Others - Overall suggestions: add caching for Composer (`actions/cache`) to speed CI, run `composer install` (with `--prefer-dist --no-interaction`) before tests, pin action versions where stability is required, and avoid modifying repository files during CI (do not use `composer require`). Also add explicit failure handling and set `--no-scripts` where appropriate to avoid unexpected behavior during install.

Reviewed by Panto AI

codeant-ai bot commented Nov 28, 2025

CodeAnt AI is running Incremental review

@codeant-ai codeant-ai bot added size:L This PR changes 100-499 lines, ignoring generated files and removed size:L This PR changes 100-499 lines, ignoring generated files labels Nov 28, 2025

codeant-ai bot commented Nov 28, 2025

CodeAnt AI Incremental review completed.

codeant-ai bot commented Dec 2, 2025

CodeAnt AI is running Incremental review

@codeant-ai codeant-ai bot added size:L This PR changes 100-499 lines, ignoring generated files and removed size:L This PR changes 100-499 lines, ignoring generated files labels Dec 2, 2025

codeant-ai bot commented Dec 2, 2025

CodeAnt AI Incremental review completed.

sonarqubecloud bot commented Dec 2, 2025

@fabianwgl fabianwgl merged commit fdf818f into master Dec 2, 2025
11 checks passed
@fabianwgl fabianwgl deleted the feat/gh-actions branch December 2, 2025 15:13