Enforce MokoStandards compliance with security workflows and documentation #44

Merged
Copilot merged 6 commits from copilot/enforce-mokostandards-requirements into main 2026-01-09 03:29:53 +00:00
5 changed files with 846 additions and 0 deletions

.github/dependabot.yml vendored Normal file

@@ -0,0 +1,65 @@
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
#
# This file is part of a Moko Consulting project.
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#
# FILE INFORMATION
# DEFGROUP: GitHub.Dependabot
# INGROUP: Moko-Cassiopeia.Security
# REPO: https://github.com/mokoconsulting-tech/moko-cassiopeia
# PATH: /.github/dependabot.yml
# VERSION: 01.00.00
# BRIEF: Dependabot configuration for automated dependency updates and security patches
# NOTE: Monitors GitHub Actions and Composer for vulnerabilities
version: 2
updates:
# Monitor GitHub Actions for security updates
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "monthly"
open-pull-requests-limit: 10
labels:
- "dependencies"
- "security"
- "automated"
commit-message:
prefix: "chore(deps)"
include: "scope"
# Monitor Composer dependencies for security updates
- package-ecosystem: "composer"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
labels:
- "dependencies"
- "security"
- "automated"
- "php"
commit-message:
prefix: "chore(deps)"
include: "scope"
# Group all patch updates together
groups:
php-patches:
patterns:
- "*"
copilot-pull-request-reviewer[bot] commented 2026-01-09 03:34:05 +00:00 (Migrated from github.com)
Review

The wildcard pattern '*' on line 63 will match all Composer dependencies for grouping patch updates. This is very broad and may result in very large grouped PRs with many unrelated changes. Consider being more selective by specifying specific package patterns or limiting to certain namespaces (e.g., 'joomla/*', 'symfony/*') to keep PRs focused and reviewable.

    # Group patch updates for selected Composer package namespaces
    groups:
      php-patches:
        patterns:
          - "joomla/*"
          - "symfony/*"
          - "phpunit/*"
update-types:
- "patch"
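Review bot: Both ecosystem entries attach a static "security" label to every PR they open, so routine version bumps become indistinguishable from the PRs Dependabot opens for actual security alerts and any triage filter on that label turns into noise; keep "dependencies" and "automated" as static labels and let the alert-driven PRs carry the security marking. Related supply-chain point: the workflows in this PR reference actions by mutable tag (`actions/checkout@v4`, `actions/dependency-review-action@v4`, `shivammathur/setup-php@v2`); pinning each to a full commit SHA with a trailing `# vX.Y.Z` comment removes the tag-repointing risk, and the github-actions updater configured here will keep the SHA and the comment current. Also note that the `groups` block applies only to the composer entry and, with `update-types: ["patch"]`, minor and major bumps still arrive as individual PRs; that is reasonable, but the comment "Group all patch updates together" should say so.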

.github/workflows/dependency-review.yml vendored Normal file

@@ -0,0 +1,218 @@
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
#
# This file is part of a Moko Consulting project.
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#
# FILE INFORMATION
# DEFGROUP: GitHub.Workflow
# INGROUP: Moko-Cassiopeia.Security
# REPO: https://github.com/mokoconsulting-tech/moko-cassiopeia
# PATH: /.github/workflows/dependency-review.yml
# VERSION: 01.00.00
# BRIEF: Dependency review workflow for vulnerability scanning in pull requests
# NOTE: Scans dependencies for security vulnerabilities and license compliance
name: Dependency Review
on:
pull_request:
branches:
- main
- dev/**
- rc/**
- version/**
permissions:
contents: read
pull-requests: write
jobs:
dependency-review:
name: Dependency Security Review
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
# Fail on critical or high severity vulnerabilities
fail-on-severity: moderate
# Allow specific licenses (customize for your project)
# Common open-source licenses
allow-licenses: GPL-3.0, GPL-3.0-or-later, MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, LGPL-3.0
# Comment on PR with results
comment-summary-in-pr: always
- name: Generate Dependency Report
if: always()
run: |
echo "# Dependency Review Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "✅ Dependency review completed" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "This workflow checks:" >> $GITHUB_STEP_SUMMARY
echo "- Security vulnerabilities in new dependencies" >> $GITHUB_STEP_SUMMARY
echo "- License compatibility" >> $GITHUB_STEP_SUMMARY
echo "- Dependency changes between base and head" >> $GITHUB_STEP_SUMMARY
composer-audit:
name: Composer Audit
runs-on: ubuntu-latest
if: hashFiles('composer.json') != ''
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: '8.1'
tools: composer:v2
- name: Install Dependencies
run: composer install --no-interaction --prefer-dist
copilot-pull-request-reviewer[bot] commented 2026-01-09 03:34:07 +00:00 (Migrated from github.com)
Review

The 'composer install' command should include the '--no-dev' flag for security auditing to avoid installing development dependencies that won't be part of production deployments. Alternatively, if you want to audit dev dependencies as well, this should be explicitly documented in a comment.

        run: composer install --no-interaction --prefer-dist --no-dev
- name: Run Composer Audit
run: |
echo "### Composer Audit Results" >> $GITHUB_STEP_SUMMARY
# Run audit and capture results
if composer audit; then
echo "✅ No vulnerabilities found in Composer dependencies" >> $GITHUB_STEP_SUMMARY
else
echo "⚠️ Vulnerabilities detected - please review" >> $GITHUB_STEP_SUMMARY
composer audit || true
fi
- name: Check for Outdated Packages
run: |
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Outdated Composer Packages" >> $GITHUB_STEP_SUMMARY
composer outdated --direct || echo "All packages are up to date" >> $GITHUB_STEP_SUMMARY
copilot-pull-request-reviewer[bot] commented 2026-01-09 03:34:05 +00:00 (Migrated from github.com)
Review

The 'composer outdated --direct' command on line 111 may fail with a non-zero exit code when outdated packages are found, but it uses '|| echo' which only prints a message without redirecting it to GITHUB_STEP_SUMMARY. This means the success message won't appear in the step summary. Consider: 'composer outdated --direct >> $GITHUB_STEP_SUMMARY || echo "All packages are up to date" >> $GITHUB_STEP_SUMMARY'

          composer outdated --direct >> $GITHUB_STEP_SUMMARY || echo "All packages are up to date" >> $GITHUB_STEP_SUMMARY
python-safety:
name: Python Safety Check
runs-on: ubuntu-latest
if: hashFiles('requirements.txt', 'pyproject.toml', 'Pipfile') != ''
copilot-pull-request-reviewer[bot] commented 2026-01-09 03:34:06 +00:00 (Migrated from github.com)
Review

The hashFiles function call includes multiple file patterns without proper path handling. If any of these files exist in subdirectories, they won't be detected. Consider using more specific patterns like '**/requirements.txt', '**/pyproject.toml', '**/Pipfile' to search recursively, or clarify that only root-level files are intended.

    if: hashFiles('requirements.txt') != ''
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install Safety
run: pip install safety
- name: Run Safety Check
run: |
echo "### Python Safety Check Results" >> $GITHUB_STEP_SUMMARY
# Check requirements.txt if exists
if [ -f "requirements.txt" ]; then
if safety check -r requirements.txt 2>&1 | tee safety_output.txt; then
echo "✅ No known vulnerabilities in Python dependencies" >> $GITHUB_STEP_SUMMARY
else
echo "⚠️ Vulnerabilities detected in Python dependencies" >> $GITHUB_STEP_SUMMARY
cat safety_output.txt >> $GITHUB_STEP_SUMMARY || true
rm -f safety_output.txt
copilot-pull-request-reviewer[bot] commented 2026-01-09 03:34:05 +00:00 (Migrated from github.com)
Review

The exit code handling for the safety check is confusing. On line 142, 'exit 0' is used after detecting vulnerabilities, which prevents the workflow from failing even when vulnerabilities are found. If this is intentional (to make the check informational only), it should be documented. If vulnerabilities should cause the job to fail, remove the 'exit 0' statement.

              rm -f safety_output.txt
              # Intentionally exit with success so this safety check remains informational-only
              # and does not cause the workflow to fail when vulnerabilities are detected.
exit 0
fi
rm -f safety_output.txt
else
echo " No requirements.txt found" >> $GITHUB_STEP_SUMMARY
fi
license-check:
name: License Compliance Check
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Check License File
run: |
echo "### License Compliance" >> $GITHUB_STEP_SUMMARY
if [ -f "LICENSE" ] || [ -f "LICENSE.md" ] || [ -f "LICENSE.txt" ]; then
echo "✅ LICENSE file present" >> $GITHUB_STEP_SUMMARY
# Check for GPL-3.0 (MokoStandards default)
if grep -qi "GNU GENERAL PUBLIC LICENSE" LICENSE* 2>/dev/null; then
echo "✅ GPL-3.0 or compatible license detected" >> $GITHUB_STEP_SUMMARY
else
echo " Non-GPL license detected - verify compatibility" >> $GITHUB_STEP_SUMMARY
fi
else
echo "❌ LICENSE file missing" >> $GITHUB_STEP_SUMMARY
echo "Please add a LICENSE file to the repository root" >> $GITHUB_STEP_SUMMARY
exit 1
fi
- name: Check SPDX Headers (Optional)
run: |
echo "" >> $GITHUB_STEP_SUMMARY
echo "### SPDX Header Compliance" >> $GITHUB_STEP_SUMMARY
# Check for SPDX identifiers in source files
MISSING_HEADERS=0
# Check PHP files
if find . -name "*.php" -type f ! -path "./vendor/*" | head -1 | grep -q .; then
TOTAL_PHP=$(find . -name "*.php" -type f ! -path "./vendor/*" | wc -l)
WITH_SPDX=$(find . -name "*.php" -type f ! -path "./vendor/*" -exec grep -l "SPDX-License-Identifier" {} \; | wc -l)
echo "- PHP files: $WITH_SPDX/$TOTAL_PHP with SPDX headers" >> $GITHUB_STEP_SUMMARY
fi
# Check JavaScript files
if find . -name "*.js" -type f ! -path "./node_modules/*" ! -path "./vendor/*" | head -1 | grep -q .; then
TOTAL_JS=$(find . -name "*.js" -type f ! -path "./node_modules/*" ! -path "./vendor/*" | wc -l)
WITH_SPDX_JS=$(find . -name "*.js" -type f ! -path "./node_modules/*" ! -path "./vendor/*" -exec grep -l "SPDX-License-Identifier" {} \; | wc -l)
echo "- JavaScript files: $WITH_SPDX_JS/$TOTAL_JS with SPDX headers" >> $GITHUB_STEP_SUMMARY
fi
echo " SPDX headers are recommended but not required for this check" >> $GITHUB_STEP_SUMMARY
summary:
name: Review Summary
runs-on: ubuntu-latest
needs: [dependency-review, composer-audit, python-safety, license-check]
if: always()
steps:
- name: Generate Final Summary
run: |
echo "# Dependency Review Complete" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "All dependency security and license checks have been executed." >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "## Checks Performed:" >> $GITHUB_STEP_SUMMARY
echo "- ✅ GitHub Dependency Review" >> $GITHUB_STEP_SUMMARY
echo "- ✅ Package Manager Audits (composer, pip)" >> $GITHUB_STEP_SUMMARY
echo "- ✅ License Compliance" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Review the job results above for any issues that need attention." >> $GITHUB_STEP_SUMMARY
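Review bot: The job-level `if: hashFiles('composer.json') != ''` on `composer-audit` (and the three-pattern form on `python-safety`) is evaluated before any step of that job runs, so the workspace is still empty and `hashFiles` returns '' every time; both jobs will be skipped permanently, and the `summary` job will still print "✅ Package Manager Audits (composer, pip)" because it only uses `if: always()` and never looks at `needs.<job>.result`. Move the existence check into a step that runs after `actions/checkout@v4` (step-level `if: hashFiles(...)` works there) or test `[ -f composer.json ]` in a step. Two exit-status problems then hide findings even when the jobs do run: when `composer audit` fails, the `else` branch writes a warning and re-runs `composer audit || true`, so the step exits 0; and `if safety check -r requirements.txt 2>&1 | tee safety_output.txt; then` tests the exit status of `tee`, not `safety`, since the default `run` shell is `bash -e` without `pipefail`, which makes the "Vulnerabilities detected" branch (and the `exit 0` inside it) unreachable. Either `set -o pipefail` and let the audits fail the job, or name the steps as informational so nobody reads a green check as "no vulnerabilities". Lastly, the comment above `fail-on-severity: moderate` says "Fail on critical or high severity vulnerabilities"; the setting fails on moderate and above, so align one with the other.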


@@ -0,0 +1,426 @@
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
#
# This file is part of a Moko Consulting project.
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#
# FILE INFORMATION
# DEFGROUP: GitHub.Workflow
# INGROUP: Moko-Cassiopeia.Compliance
# REPO: https://github.com/mokoconsulting-tech/moko-cassiopeia
# PATH: /.github/workflows/standards-compliance.yml
# VERSION: 01.00.00
# BRIEF: MokoStandards compliance validation workflow
# NOTE: Validates repository structure, documentation, and coding standards
name: Standards Compliance
on:
push:
branches:
- main
- dev/**
- rc/**
- version/**
pull_request:
branches:
- main
- dev/**
- rc/**
- version/**
workflow_dispatch:
permissions:
contents: read
pull-requests: write
jobs:
repository-structure:
name: Repository Structure Validation
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Check Required Directories
run: |
echo "### Required Directories" >> $GITHUB_STEP_SUMMARY
MISSING=0
# Check required directories
for dir in docs tests scripts .github; do
if [ -d "$dir" ]; then
echo "✅ $dir/" >> $GITHUB_STEP_SUMMARY
else
echo "❌ $dir/ (missing)" >> $GITHUB_STEP_SUMMARY
MISSING=$((MISSING + 1))
fi
done
if [ $MISSING -gt 0 ]; then
echo "" >> $GITHUB_STEP_SUMMARY
echo "⚠️ $MISSING required directories are missing" >> $GITHUB_STEP_SUMMARY
exit 1
fi
- name: Check Required Files
run: |
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Required Files" >> $GITHUB_STEP_SUMMARY
MISSING=0
# Check required files
for file in README.md LICENSE CONTRIBUTING.md SECURITY.md CHANGELOG.md .editorconfig; do
if [ -f "$file" ]; then
echo "✅ $file" >> $GITHUB_STEP_SUMMARY
else
echo "❌ $file (missing)" >> $GITHUB_STEP_SUMMARY
MISSING=$((MISSING + 1))
fi
done
if [ $MISSING -gt 0 ]; then
echo "" >> $GITHUB_STEP_SUMMARY
echo "⚠️ $MISSING required files are missing" >> $GITHUB_STEP_SUMMARY
echo "See: https://github.com/mokoconsulting-tech/MokoStandards/tree/main/templates/docs/required" >> $GITHUB_STEP_SUMMARY
exit 1
fi
documentation-quality:
name: Documentation Quality Check
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Validate README.md
run: |
echo "### README.md Validation" >> $GITHUB_STEP_SUMMARY
if [ ! -f "README.md" ]; then
echo "❌ README.md not found" >> $GITHUB_STEP_SUMMARY
exit 1
fi
# Check minimum length
SIZE=$(wc -c < README.md)
if [ $SIZE -lt 500 ]; then
echo "⚠️ README.md is too short ($SIZE bytes, minimum 500)" >> $GITHUB_STEP_SUMMARY
else
echo "✅ README.md has adequate content ($SIZE bytes)" >> $GITHUB_STEP_SUMMARY
fi
# Check for key sections
MISSING_SECTIONS=""
grep -qi "# \|## " README.md || MISSING_SECTIONS="${MISSING_SECTIONS}- No headings found\n"
if [ -n "$MISSING_SECTIONS" ]; then
echo "⚠️ README.md may be missing important sections" >> $GITHUB_STEP_SUMMARY
else
echo "✅ README.md appears well-structured" >> $GITHUB_STEP_SUMMARY
fi
- name: Validate CHANGELOG.md
run: |
echo "" >> $GITHUB_STEP_SUMMARY
echo "### CHANGELOG.md Validation" >> $GITHUB_STEP_SUMMARY
if [ ! -f "CHANGELOG.md" ]; then
echo "❌ CHANGELOG.md not found" >> $GITHUB_STEP_SUMMARY
exit 1
fi
# Check for Keep a Changelog format markers
if grep -qi "## \[.*\]" CHANGELOG.md; then
echo "✅ CHANGELOG.md follows Keep a Changelog format" >> $GITHUB_STEP_SUMMARY
else
echo "⚠️ CHANGELOG.md may not follow Keep a Changelog format" >> $GITHUB_STEP_SUMMARY
echo "See: https://keepachangelog.com/" >> $GITHUB_STEP_SUMMARY
fi
- name: Check Documentation Index
run: |
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Documentation Index" >> $GITHUB_STEP_SUMMARY
if [ -f "docs/index.md" ] || [ -f "docs/README.md" ]; then
echo "✅ Documentation index found" >> $GITHUB_STEP_SUMMARY
else
echo "⚠️ No documentation index (docs/index.md or docs/README.md)" >> $GITHUB_STEP_SUMMARY
fi
coding-standards:
name: Coding Standards Check
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Check for Tab Characters
run: |
echo "### Tab Character Detection" >> $GITHUB_STEP_SUMMARY
# Find files with tabs (excluding certain file types)
TABS_FOUND=$(find . -type f \
! -path "./vendor/*" \
! -path "./node_modules/*" \
! -path "./.git/*" \
! -name "Makefile*" \
! -name "*.tsv" \
-exec grep -l $'\t' {} \; 2>/dev/null | head -10)
if [ -n "$TABS_FOUND" ]; then
echo "⚠️ Tab characters found in files:" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "$TABS_FOUND" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
copilot-pull-request-reviewer[bot] commented 2026-01-09 03:34:06 +00:00 (Migrated from github.com)
Review

The find command uses unquoted $'\t' in the grep pattern which could be misinterpreted in some shells. While it works in bash, it's more portable to use grep -P '\t' or awk to search for tabs. Additionally, the command results are not properly handled if they exceed 10 files - users won't know there are more files with tabs beyond the displayed 10.

            -exec grep -lP '\t' {} + 2>/dev/null)
          
          if [ -n "$TABS_FOUND" ]; then
            TABS_DISPLAY=$(printf '%s\n' "$TABS_FOUND" | head -10)
            TOTAL_TABS=$(printf '%s\n' "$TABS_FOUND" | wc -l)
            echo "⚠️ Tab characters found in files:" >> $GITHUB_STEP_SUMMARY
            echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
            echo "$TABS_DISPLAY" >> $GITHUB_STEP_SUMMARY
            echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
            if [ "$TOTAL_TABS" -gt 10 ]; then
              REMAINING=$((TOTAL_TABS - 10))
              echo "... and $REMAINING more file(s) with tab characters not shown." >> $GITHUB_STEP_SUMMARY
            fi
echo "MokoStandards requires spaces over tabs (except in Makefiles)" >> $GITHUB_STEP_SUMMARY
else
echo "✅ No inappropriate tab characters found" >> $GITHUB_STEP_SUMMARY
fi
- name: Check File Encoding
run: |
echo "" >> $GITHUB_STEP_SUMMARY
echo "### File Encoding Check" >> $GITHUB_STEP_SUMMARY
# Check for UTF-8 encoding
NON_UTF8=$(find . -type f \( -name "*.php" -o -name "*.js" -o -name "*.md" \) \
! -path "./vendor/*" \
! -path "./node_modules/*" \
! -path "./.git/*" \
-exec file {} \; | grep -v "UTF-8" | head -5)
if [ -n "$NON_UTF8" ]; then
echo "⚠️ Non-UTF-8 files detected:" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "$NON_UTF8" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
else
echo "✅ All source files appear to be UTF-8 encoded" >> $GITHUB_STEP_SUMMARY
fi
- name: Check Line Endings
run: |
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Line Ending Check" >> $GITHUB_STEP_SUMMARY
# Check for CRLF line endings
CRLF_FILES=$(find . -type f \( -name "*.php" -o -name "*.js" -o -name "*.md" \) \
! -path "./vendor/*" \
! -path "./node_modules/*" \
! -path "./.git/*" \
-exec file {} \; | grep "CRLF" | head -5)
if [ -n "$CRLF_FILES" ]; then
echo "⚠️ Files with CRLF line endings found:" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "$CRLF_FILES" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "MokoStandards requires LF line endings" >> $GITHUB_STEP_SUMMARY
else
echo "✅ Line endings are consistent (LF)" >> $GITHUB_STEP_SUMMARY
fi
license-compliance:
name: License Header Validation
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Check SPDX Headers
run: |
echo "### SPDX License Header Check" >> $GITHUB_STEP_SUMMARY
# Count source files with and without SPDX headers
TOTAL_PHP=0
WITH_SPDX_PHP=0
if find . -name "*.php" -type f ! -path "./vendor/*" | head -1 | grep -q .; then
TOTAL_PHP=$(find . -name "*.php" -type f ! -path "./vendor/*" | wc -l)
WITH_SPDX_PHP=$(find . -name "*.php" -type f ! -path "./vendor/*" -exec grep -l "SPDX-License-Identifier" {} \; | wc -l)
fi
if [ $TOTAL_PHP -gt 0 ]; then
PERCENT=$((WITH_SPDX_PHP * 100 / TOTAL_PHP))
echo "- PHP files: $WITH_SPDX_PHP/$TOTAL_PHP ($PERCENT%) with SPDX headers" >> $GITHUB_STEP_SUMMARY
if [ $PERCENT -lt 80 ]; then
echo "⚠️ Less than 80% of PHP files have SPDX headers" >> $GITHUB_STEP_SUMMARY
else
echo "✅ Good SPDX header coverage" >> $GITHUB_STEP_SUMMARY
fi
fi
- name: Validate License File
run: |
echo "" >> $GITHUB_STEP_SUMMARY
echo "### License File Validation" >> $GITHUB_STEP_SUMMARY
if [ ! -f "LICENSE" ]; then
echo "❌ LICENSE file not found" >> $GITHUB_STEP_SUMMARY
exit 1
fi
# Check license type
if grep -qi "GNU GENERAL PUBLIC LICENSE" LICENSE; then
VERSION=$(grep -i "Version 3" LICENSE || echo "")
if [ -n "$VERSION" ]; then
echo "✅ GPL-3.0-or-later license detected" >> $GITHUB_STEP_SUMMARY
else
echo "⚠️ GPL license detected but version unclear" >> $GITHUB_STEP_SUMMARY
fi
elif grep -qi "MIT License" LICENSE; then
echo "✅ MIT license detected" >> $GITHUB_STEP_SUMMARY
elif grep -qi "Apache License" LICENSE; then
echo "✅ Apache license detected" >> $GITHUB_STEP_SUMMARY
else
echo " License type could not be automatically detected" >> $GITHUB_STEP_SUMMARY
fi
git-hygiene:
name: Git Repository Hygiene
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Check .gitignore
run: |
echo "### .gitignore Validation" >> $GITHUB_STEP_SUMMARY
if [ ! -f ".gitignore" ]; then
echo "⚠️ .gitignore file not found" >> $GITHUB_STEP_SUMMARY
exit 0
fi
# Check for common exclusions
MISSING=""
grep -q "vendor/" .gitignore || MISSING="${MISSING}vendor/ "
grep -q "node_modules/" .gitignore || MISSING="${MISSING}node_modules/ "
if [ -n "$MISSING" ]; then
echo "⚠️ .gitignore may be missing common exclusions: $MISSING" >> $GITHUB_STEP_SUMMARY
else
echo "✅ .gitignore appears complete" >> $GITHUB_STEP_SUMMARY
fi
- name: Check for Large Files
run: |
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Large File Detection" >> $GITHUB_STEP_SUMMARY
# Find files larger than 1MB
LARGE_FILES=$(find . -type f -size +1M ! -path "./.git/*" ! -path "./vendor/*" ! -path "./node_modules/*" | head -5)
if [ -n "$LARGE_FILES" ]; then
echo "⚠️ Large files detected (>1MB):" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "$LARGE_FILES" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "Consider using Git LFS for large binary files" >> $GITHUB_STEP_SUMMARY
else
echo "✅ No unusually large files detected" >> $GITHUB_STEP_SUMMARY
fi
workflow-validation:
name: Workflow Configuration Check
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Check Required Workflows
run: |
echo "### GitHub Actions Workflows" >> $GITHUB_STEP_SUMMARY
WORKFLOWS_DIR=".github/workflows"
if [ ! -d "$WORKFLOWS_DIR" ]; then
echo "❌ No workflows directory found" >> $GITHUB_STEP_SUMMARY
exit 1
fi
# Check for recommended workflows
if [ -f "$WORKFLOWS_DIR/ci.yml" ] || [ -f "$WORKFLOWS_DIR/build.yml" ]; then
echo "✅ CI workflow present" >> $GITHUB_STEP_SUMMARY
else
echo "⚠️ No CI workflow found (ci.yml or build.yml)" >> $GITHUB_STEP_SUMMARY
fi
if [ -f "$WORKFLOWS_DIR/codeql-analysis.yml" ]; then
echo "✅ CodeQL security scanning present" >> $GITHUB_STEP_SUMMARY
else
echo "⚠️ CodeQL workflow not found" >> $GITHUB_STEP_SUMMARY
fi
- name: Validate Workflow Syntax
run: |
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Workflow YAML Syntax" >> $GITHUB_STEP_SUMMARY
INVALID=0
shopt -s nullglob
for workflow in .github/workflows/*.yml .github/workflows/*.yaml; do
if [ -f "$workflow" ]; then
if python3 -c "import yaml; yaml.safe_load(open('$workflow'))" 2>/dev/null; then
copilot-pull-request-reviewer[bot] commented 2026-01-09 03:34:07 +00:00 (Migrated from github.com)
Review

The Python script execution on line 390 uses an f-string-like approach with the workflow path directly embedded in the command string. This could be vulnerable to command injection if workflow filenames contain special characters. Consider using subprocess or a safer approach, or at minimum validate the filename before use.

              if python3 - "$workflow" << 'EOF' 2>/dev/null; then
                import sys
                from pathlib import Path
                import yaml

                workflow_path = Path(sys.argv[1])
                with workflow_path.open('r', encoding='utf-8') as f:
                    yaml.safe_load(f)
EOF
echo "✅ $(basename $workflow)" >> $GITHUB_STEP_SUMMARY
else
echo "❌ $(basename $workflow) - invalid YAML" >> $GITHUB_STEP_SUMMARY
copilot-pull-request-reviewer[bot] commented 2026-01-09 03:34:04 +00:00 (Migrated from github.com)
Review

The glob pattern matching in the for loop uses unquoted wildcards which could fail if no matching files are found. The 'shopt -s nullglob' on line 387 helps prevent errors when no files match, but the loop variable should be quoted when used. Consider quoting the workflow variable: 'for workflow in ".github/workflows/"*.{yml,yaml}' or using a more explicit approach.

              if python3 -c 'import sys, yaml; yaml.safe_load(open(sys.argv[1]))' "$workflow" 2>/dev/null; then
                echo "✅ $(basename "$workflow")" >> $GITHUB_STEP_SUMMARY
              else
                echo "❌ $(basename "$workflow") - invalid YAML" >> $GITHUB_STEP_SUMMARY
copilot-pull-request-reviewer[bot] commented 2026-01-09 03:34:05 +00:00 (Migrated from github.com)
Review

The basename command output in the echo statement is not quoted. While this is unlikely to cause issues in practice, it's better to quote command substitutions: echo "✅ $(basename "$workflow")"

                echo "✅ $(basename "$workflow")" >> $GITHUB_STEP_SUMMARY
              else
                echo "❌ $(basename "$workflow") - invalid YAML" >> $GITHUB_STEP_SUMMARY
INVALID=$((INVALID + 1))
fi
fi
done
if [ $INVALID -gt 0 ]; then
exit 1
fi
summary:
name: Compliance Summary
runs-on: ubuntu-latest
needs: [repository-structure, documentation-quality, coding-standards, license-compliance, git-hygiene, workflow-validation]
if: always()
steps:
- name: Generate Compliance Report
run: |
echo "# MokoStandards Compliance Report" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "All compliance checks have been executed." >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "## Validation Areas:" >> $GITHUB_STEP_SUMMARY
echo "- Repository Structure" >> $GITHUB_STEP_SUMMARY
echo "- Documentation Quality" >> $GITHUB_STEP_SUMMARY
echo "- Coding Standards" >> $GITHUB_STEP_SUMMARY
echo "- License Compliance" >> $GITHUB_STEP_SUMMARY
echo "- Git Repository Hygiene" >> $GITHUB_STEP_SUMMARY
echo "- Workflow Configuration" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "For detailed results, review individual job outputs above." >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "📚 Learn more: https://github.com/mokoconsulting-tech/MokoStandards" >> $GITHUB_STEP_SUMMARY
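Review bot: The summary job never examines the outcome of the jobs it `needs`, so with `if: always()` it succeeds and writes "All compliance checks have been executed." even when one of those jobs failed, which makes it unusable as the single required status check for the branch. Consider reporting each result and failing on any failure, e.g. `echo "- Workflow Configuration: ${{ needs.workflow-validation.result }}" >> "$GITHUB_STEP_SUMMARY"` followed by `if [ "${{ contains(needs.*.result, 'failure') }}" = "true" ]; then exit 1; fi`; quoting `$GITHUB_STEP_SUMMARY` throughout the run block also avoids word splitting.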


@@ -21,6 +21,20 @@
# Changelog — Moko-Cassiopeia (VERSION: 03.05.00)
## [03.05.01] 2026-01-09
### Added
- Added `dependency-review.yml` workflow for dependency vulnerability scanning
- Added `standards-compliance.yml` workflow for MokoStandards validation
- Added `.github/dependabot.yml` configuration for automated security updates
- Added `docs/README.md` as documentation index
### Changed
- Removed custom `codeql-analysis.yml` workflow (repository uses GitHub's default CodeQL setup)
### Changed
copilot-pull-request-reviewer[bot] commented 2026-01-09 03:34:06 +00:00 (Migrated from github.com)
Review

Duplicate "### Changed" section header found. The second "### Changed" section (lines 34-36) should be merged with the first one (lines 31-32) or changed to a different section type if it represents a different category of changes.


```suggestion
```
- Enforced repository compliance with MokoStandards requirements
- Improved security posture with automated scanning and dependency management
## [03.05.00] 2026-01-04
- Created `.github/workflows`
- Replaced `./CODE_OF_CONDUCT.md` from `MokoStandards`
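Review bot: The heading on the first context line still reads `(VERSION: 03.05.00)` while this hunk adds the `## [03.05.01] 2026-01-09` entry, so the file's own version stamp no longer matches its newest release; bump it to 03.05.01 in the same change. The entry `Removed custom codeql-analysis.yml workflow` is filed under `### Changed`; a `### Removed` heading would describe it accurately and, together with folding the two `### Changed` headings into one, keep the section layout consistent with the `### Added`/`### Changed` structure used above it.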

docs/README.md (new file, +123 lines)

@@ -0,0 +1,123 @@
<!--
Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
This file is part of a Moko Consulting project.
SPDX-License-Identifier: GPL-3.0-or-later
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see https://www.gnu.org/licenses/ .
# FILE INFORMATION
DEFGROUP: Joomla.Template.Site
INGROUP: Moko-Cassiopeia.Documentation
REPO: https://github.com/mokoconsulting-tech/moko-cassiopeia
FILE: docs/README.md
VERSION: 01.00.00
BRIEF: Documentation index for Moko-Cassiopeia template
PATH: /docs/README.md
-->
# Moko-Cassiopeia Documentation
This directory contains comprehensive documentation for the Moko-Cassiopeia Joomla template.
## Documentation Overview
### Developer Documentation
* **[Quick Start Guide](QUICK_START.md)** - Get up and running in 5 minutes
* Development environment setup
* Essential commands and workflows
* First-time contributor guide
* **[Workflow Guide](WORKFLOW_GUIDE.md)** - Complete workflow reference
* Git branching strategy
* Development workflow
* Release process
* Pull request guidelines
* **[Joomla Development Guide](JOOMLA_DEVELOPMENT.md)** - Joomla-specific development
* Testing with Codeception
* PHP quality checks (PHPStan, PHPCS)
* Joomla extension packaging
* Multi-version testing
### User Documentation
For end-user documentation, installation instructions, and feature guides, see the main [README.md](../README.md) in the repository root.
## Project Structure
```
moko-cassiopeia/
├── docs/ # Documentation (you are here)
│ ├── README.md # This file - documentation index
│ ├── QUICK_START.md # Quick start guide for developers
│ ├── WORKFLOW_GUIDE.md # Development workflow guide
│ └── JOOMLA_DEVELOPMENT.md # Joomla-specific development guide
├── src/ # Template source code
│ ├── templates/ # Joomla template files
│ └── media/ # Assets (CSS, JS, images)
├── scripts/ # Build and automation scripts
├── tests/ # Automated tests
└── .github/ # GitHub configuration and workflows
```
## Contributing
Before contributing, please read:
1. **[CONTRIBUTING.md](../CONTRIBUTING.md)** - Contribution guidelines and standards
2. **[CODE_OF_CONDUCT.md](../CODE_OF_CONDUCT.md)** - Community standards and expectations
3. **[SECURITY.md](../SECURITY.md)** - Security policy and reporting procedures
## Standards Compliance
This project adheres to [MokoStandards](https://github.com/mokoconsulting-tech/MokoStandards) for:
* Coding standards and formatting
* Documentation requirements
* Git workflow and branching
* CI/CD pipeline configuration
* Security scanning and dependency management
## Additional Resources
* **Repository**: [https://github.com/mokoconsulting-tech/moko-cassiopeia](https://github.com/mokoconsulting-tech/moko-cassiopeia)
* **Issue Tracker**: [GitHub Issues](https://github.com/mokoconsulting-tech/moko-cassiopeia/issues)
* **Changelog**: [CHANGELOG.md](../CHANGELOG.md)
* **License**: [GPL-3.0-or-later](../LICENSE)
## Support
* **Email**: hello@mokoconsulting.tech
* **Website**: https://mokoconsulting.tech/support/joomla-cms/moko-cassiopeia-roadmap
---
## Metadata
* Document: docs/README.md
* Repository: [https://github.com/mokoconsulting-tech/moko-cassiopeia](https://github.com/mokoconsulting-tech/moko-cassiopeia)
* Path: /docs/README.md
* Owner: Moko Consulting
* Version: 01.00.00
* Status: Active
* Effective Date: 2026-01-09
## Revision History
| Date | Change Summary | Author |
| ---------- | ----------------------------------------------------- | --------------- |
| 2026-01-09 | Initial documentation index created for MokoStandards compliance. | GitHub Copilot |
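Review bot: The Developer Documentation section links to `QUICK_START.md`, `WORKFLOW_GUIDE.md` and `JOOMLA_DEVELOPMENT.md`, yet the changelog entry in this same change lists only `docs/README.md` as an added document; confirm those three files already exist under `docs/`, otherwise this index ships dead links that the new documentation-quality job may flag. Minor: the file header carries both `FILE: docs/README.md` and `PATH: /docs/README.md` for the same value, and `DEFGROUP: Joomla.Template.Site` names the template's group rather than a documentation group, so align these header fields with the other headers in the repository.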