refactor: gold standard modernization

[CybotTM]

Summary

• PHPStan level 10 with baseline for 487 pre-existing issues
• CaptainHook replaces GrumPHP for git hooks (CGL, PHPStan, unit tests on pre-commit)
• 676 unit tests — 9 previously untested classes now have comprehensive test coverage
• Mutation testing at MSI 84% (Infection configured with >80% threshold)
• Docker-based runTests.sh — replaces local CLI wrapper with TYPO3 core-style Docker runner
• 9 workflows upstreamed to netresearch/typo3-ci-workflows as reusable workflow_call workflows, local files replaced with thin callers (-68% workflow LOC)
• DDEV environment — make up fully bootstraps TYPO3 v12 + v13 with extension symlinked
• Community files — Code of Conduct, SECURITY_CONTROLS.md, labeler config, PR quality gates
• OpenSSF Best Practices badge and documentation improvements

Docker-based runTests.sh

Suite	Description
unit / unitCoverage	Unit tests with optional coverage
functional / functionalCoverage	Functional tests (sqlite/mariadb/mysql/postgres)
lint	PHP syntax check
cgl	PHP-CS-Fixer (dry-run with -n)
phpstan / phpstanBaseline	Static analysis
rector	Rector (dry-run with -n)
mutation	Infection mutation testing
composer / composerUpdate / composerValidate	Composer operations

DDEV environment

• make up — starts DDEV, installs deps, installs TYPO3 v12 + v13, renders docs
• make ci — runs all quality checks (CGL, PHPStan, Rector, lint, unit, functional)
• Docker volume permissions handled via sudo chown
• Separate databases (db_v12, db_v13) with proper grants
• Docs rendering cleans up root-owned files via Alpine container

Workflows upstreamed (9 new reusable workflows)

Workflow	Purpose
labeler.yml	Automatic PR labeling
lock.yml	Lock stale threads
greetings.yml	Welcome first-time contributors
docs.yml	TYPO3 documentation rendering
stale.yml	Mark/close stale issues
license-check.yml	PHP dependency license audit
security.yml	Gitleaks + Composer audit
pr-quality.yml	PR size check + auto-approve
release.yml	Enterprise release (SBOM, cosign, attestation)

Security review (20 cycles)

• 12 actionable findings identified and fixed across both repos
• All actions SHA-pinned to latest versions (20/20 verified)
• persist-credentials: false on all checkout steps
• Randomized heredoc delimiters to prevent output injection
• Input validation for path traversal in release workflow
• Sanitized workflow commands in license-check
• Fixed attest-build-provenance SHA typo that would have broken releases

Test plan

• 676 unit tests pass
• Mutation testing MSI 84%
• PHPStan level 10 clean
• CGL clean
• Rector clean
• actionlint clean (zero errors)
• YAML validation passes all 15 workflows
• All pre-commit hooks pass (CGL, PHPStan, unit tests)
• make up fully bootstraps DDEV with TYPO3 v12 + v13
• ddev render-docs renders without errors
• 5 review cycles with all findings addressed
• CI passes on this PR
• Verify workflow triggers fire correctly after merge

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA c942ca0.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

.github/workflows/lock.yml

Package	Version	License	Issue Type
netresearch/typo3-ci-workflows/.github/workflows/lock.yml	main	Null	Unknown License

.github/workflows/stale.yml

Package	Version	License	Issue Type
netresearch/typo3-ci-workflows/.github/workflows/stale.yml	main	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
actions/netresearch/typo3-ci-workflows/.github/workflows/lock.yml	main	Unknown	Unknown
actions/netresearch/typo3-ci-workflows/.github/workflows/stale.yml	main	Unknown	Unknown
composer/captainhook/captainhook	>= 5.28, < 6.0	Unknown	Unknown
composer/captainhook/hook-installer	>= 1.0, < 2.0	Unknown	Unknown

Scanned Files

• .github/workflows/lock.yml
• .github/workflows/stale.yml
• composer.json

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request delivers a significant modernization initiative, elevating the project's code quality, security, and development efficiency. Key improvements include upgrading static analysis to the strictest level, enhancing unit test coverage, streamlining CI/CD processes through reusable workflows, and integrating robust security controls. These changes collectively improve maintainability, reduce technical debt, and ensure a more secure and efficient development environment.

Highlights

• PHPStan Level 10: The static analysis level has been increased to 10, the strictest possible, with a baseline established for 487 pre-existing issues.
• Git Hooks Modernization: GrumPHP has been replaced by CaptainHook for managing Git hooks, ensuring robust pre-commit checks for CGL, PHPStan, and unit tests.
• Expanded Unit Test Coverage: An additional 676 unit tests were introduced, providing comprehensive coverage for 9 previously untested classes.
• Streamlined CI/CD Workflows: Nine GitHub Actions workflows were refactored and upstreamed to a reusable repository, resulting in a 68% reduction in local workflow code.
• Enhanced Community & Security Documentation: New community files, including a Code of Conduct and SECURITY_CONTROLS.md, were added, alongside improvements to OpenSSF Best Practices documentation.
• Security Review Findings Addressed: A thorough security review identified and fixed 12 actionable findings, implementing best practices such as SHA-pinning actions and input validation.

Changelog

• .ddev/commands/web/install-v12
  • Updated the default admin password for TYPO3 v12 installations.
• .ddev/commands/web/setup
  • Added 'set -e' to ensure the script exits on error during setup.
• .github/SECURITY_CONTROLS.md
  • Introduced a document outlining compensating security controls for the solo-maintainer auto-approval workflow.
• .github/labeler.yml
  • Added configuration for automatic pull request labeling based on changed file paths.
• AGENTS.md
  • Updated the document to reflect the switch from GrumPHP to CaptainHook.
  • Updated the PHPStan level to 10.
  • Added new GitHub workflows to the overview.
• Build/captainhook.json
  • Added the configuration file for CaptainHook, defining pre-commit, commit-msg, pre-push, post-merge, and post-checkout hooks.
• Build/php-cs-fixer.php
  • Included the 'var' directory in the list of excluded paths for PHP-CS-Fixer.
  • Updated a comment regarding PHP_CodeSniffer compatibility.
• Build/phpstan-baseline.neon
  • Added a new baseline file to ignore 487 pre-existing PHPStan issues, allowing for a stricter analysis level.
• Build/phpstan.neon
  • Configured PHPStan to run at level 10 and included the new 'phpstan-baseline.neon' file.
  • Expanded ignore patterns for test files.
• CODE_OF_CONDUCT.md
  • Added the Contributor Covenant Code of Conduct to foster an inclusive community.
• Documentation/Installation/Index.rst
  • Updated the supported PHP version range for extension version 4.x to include PHP 8.5.
• README.md
  • Refreshed project badges to reflect updated CI status, code coverage, documentation, OpenSSF scores, PHPStan level, PHP/TYPO3 versions, license, contributor covenant, and SLSA level.
  • Updated repository links.
• Tests/Unit/Classes/Context/Type/CombinationContextTest.php
  • Added comprehensive unit tests for the 'CombinationContext' class, covering dependency resolution and logical expression evaluation.
• Tests/Unit/Classes/ExpressionLanguage/ContextConditionProviderTest.php
  • Added unit tests for 'ContextConditionProvider', verifying its integration with TYPO3's expression language.
• Tests/Unit/Classes/ExpressionLanguage/FunctionsProvider/ContextFunctionsProviderTest.php
  • Added unit tests for 'ContextFunctionsProvider', ensuring correct functionality of the 'contextMatch()' expression language function.
• Tests/Unit/Classes/Form/CombinationFormElementTest.php
  • Added unit tests for 'CombinationFormElement', focusing on its rendering logic and handling of missing aliases.
• Tests/Unit/Classes/Form/DefaultSettingsFormElementTest.php
  • Added unit tests for 'DefaultSettingsFormElement', covering rendering of default setting checkboxes for records.
• Tests/Unit/Classes/Form/RecordSettingsFormElementTest.php
  • Added extensive unit tests for 'RecordSettingsFormElement', verifying table rendering, context visibility, and select box options.
• Tests/Unit/Classes/Middleware/ContainerInitializationTest.php
  • Added unit tests for 'ContainerInitialization' middleware, ensuring correct container setup and request handling.
• Tests/Unit/Classes/Service/DataHandlerServiceTest.php
  • Added comprehensive unit tests for 'DataHandlerService' data handling, covering pre-processing and post-database operations for context settings.
• Tests/Unit/Classes/Service/InstallServiceTest.php
  • Added unit tests for 'InstallService', verifying its ability to append SQL table definitions for flat settings columns.
• composer.json
  • Updated development dependencies by removing 'phpro/grumphp' and adding 'captainhook/captainhook' and 'captainhook/hook-installer'.
  • Configured CaptainHook's config path.
• grumphp.yml
  • Removed the GrumPHP configuration file as it has been replaced by CaptainHook.

Ignored Files

• Ignored by pattern: .github/workflows/** (9)
  • .github/workflows/docs.yml
  • .github/workflows/greetings.yml
  • .github/workflows/labeler.yml
  • .github/workflows/license-check.yml
  • .github/workflows/lock.yml
  • .github/workflows/pr-quality.yml
  • .github/workflows/release.yml
  • .github/workflows/security.yml
  • .github/workflows/stale.yml

Activity

• The pull request was created by CybotTM.
• No human activity (comments, reviews) has been recorded yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

Automated approval for solo maintainer project

This PR has passed all automated quality gates:

• ✅ Static analysis (PHPStan)
• ✅ Code style (PHP-CS-Fixer)
• ✅ Unit & functional tests
• ✅ Security scanning
• ✅ Dependency review

See SECURITY_CONTROLS.md for compensating controls documentation.

[gemini-code-assist]

Code Review

This pull request introduces a significant modernization of the project's development standards. Key improvements include upgrading PHPStan to level 10, replacing GrumPHP with CaptainHook for git hooks, and adding comprehensive unit test coverage for 9 previously untested classes. The CI/CD pipeline has also been streamlined by upstreaming several workflows.

The changes are of high quality and substantially improve the maintainability and reliability of the codebase. My review only identified a couple of minor inconsistencies in the new SECURITY_CONTROLS.md documentation file, which should be updated to reflect the changes to PHPStan and the git hook tool.

[codecov]

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

Thanks for integrating Codecov - We've got you covered ☂️

[github-actions]

Automated approval for solo maintainer project

This PR has passed all automated quality gates:

• ✅ Static analysis (PHPStan)
• ✅ Code style (PHP-CS-Fixer)
• ✅ Unit & functional tests
• ✅ Security scanning
• ✅ Dependency review

See SECURITY_CONTROLS.md for compensating controls documentation.

[github-actions]

Automated approval for solo maintainer project

This PR has passed all automated quality gates:

• ✅ Static analysis (PHPStan)
• ✅ Code style (PHP-CS-Fixer)
• ✅ Unit & functional tests
• ✅ Security scanning
• ✅ Dependency review

See SECURITY_CONTROLS.md for compensating controls documentation.

[github-actions]

Automated approval for solo maintainer project

This PR has passed all automated quality gates:

• ✅ Static analysis (PHPStan)
• ✅ Code style (PHP-CS-Fixer)
• ✅ Unit & functional tests
• ✅ Security scanning
• ✅ Dependency review

See SECURITY_CONTROLS.md for compensating controls documentation.

[github-actions]

Automated approval for solo maintainer project

This PR has passed all automated quality gates:

• ✅ Static analysis (PHPStan)
• ✅ Code style (PHP-CS-Fixer)
• ✅ Unit & functional tests
• ✅ Security scanning
• ✅ Dependency review

See SECURITY_CONTROLS.md for compensating controls documentation.

[github-actions]

Automated approval for solo maintainer project

This PR has passed all automated quality gates:

• ✅ Static analysis (PHPStan)
• ✅ Code style (PHP-CS-Fixer)
• ✅ Unit & functional tests
• ✅ Security scanning
• ✅ Dependency review

See SECURITY_CONTROLS.md for compensating controls documentation.

[github-actions]

Automated approval for solo maintainer project

This PR has passed all automated quality gates:

• ✅ Static analysis (PHPStan)
• ✅ Code style (PHP-CS-Fixer)
• ✅ Unit & functional tests
• ✅ Security scanning
• ✅ Dependency review

See SECURITY_CONTROLS.md for compensating controls documentation.

[github-actions]

Automated approval for solo maintainer project

This PR has passed all automated quality gates:

• ✅ Static analysis (PHPStan)
• ✅ Code style (PHP-CS-Fixer)
• ✅ Unit & functional tests
• ✅ Security scanning
• ✅ Dependency review

See SECURITY_CONTROLS.md for compensating controls documentation.

[github-actions]

Automated approval for solo maintainer project

This PR has passed all automated quality gates:

• ✅ Static analysis (PHPStan)
• ✅ Code style (PHP-CS-Fixer)
• ✅ Unit & functional tests
• ✅ Security scanning
• ✅ Dependency review

See SECURITY_CONTROLS.md for compensating controls documentation.

[github-actions]

Automated approval for solo maintainer project

This PR has passed all automated quality gates:

• ✅ Static analysis (PHPStan)
• ✅ Code style (PHP-CS-Fixer)
• ✅ Unit & functional tests
• ✅ Security scanning
• ✅ Dependency review

See SECURITY_CONTROLS.md for compensating controls documentation.

[github-actions]

Automated approval for solo maintainer project

This PR has passed all automated quality gates:

• ✅ Static analysis (PHPStan)
• ✅ Code style (PHP-CS-Fixer)
• ✅ Unit & functional tests
• ✅ Security scanning
• ✅ Dependency review

See SECURITY_CONTROLS.md for compensating controls documentation.

[github-actions]

Automated approval for solo maintainer project

This PR has passed all automated quality gates:

• ✅ Static analysis (PHPStan)
• ✅ Code style (PHP-CS-Fixer)
• ✅ Unit & functional tests
• ✅ Security scanning
• ✅ Dependency review

See SECURITY_CONTROLS.md for compensating controls documentation.