From e3357eb0b0faea5ada0295ce681908f4b3747b0d Mon Sep 17 00:00:00 2001 From: roadynet <163515962+roadynet@users.noreply.github.com> Date: Fri, 5 Jun 2026 21:57:01 +0200 Subject: [PATCH] Publish PHPStan audit evidence --- README.md | 2 + docs/phpstan-audit-2026-06-05.md | 85 ++++++++++++++++++++++++++++++++ 2 files changed, 87 insertions(+) create mode 100644 docs/phpstan-audit-2026-06-05.md diff --git a/README.md b/README.md index b3c2fee..b2462a1 100644 --- a/README.md +++ b/README.md @@ -138,6 +138,7 @@ Only published SkillBuilder lessons are synchronized as Shopware products. Draft - [Interview Q&A](docs/interview-qa.md) - [Recruiter project summary](docs/project-summary-for-recruiters.md) - [Portfolio audit report](docs/audit-report-2026-05-23.md) +- [PHPStan audit evidence](docs/phpstan-audit-2026-06-05.md) - [Demo script](docs/demo-script.md) - [Changelog](CHANGELOG.md) - [Demo checklist](docs/demo-checklist.md) @@ -215,6 +216,7 @@ Additional checks performed: - Doctrine mapping validation - router checks - live smoke checks for public and protected routes +- PHPStan audit setup added in the private codebase; baseline reduced from 56 findings to 17 Doctrine generated-ID findings ## Portfolio Positioning diff --git a/docs/phpstan-audit-2026-06-05.md b/docs/phpstan-audit-2026-06-05.md new file mode 100644 index 0000000..2647ccf --- /dev/null +++ b/docs/phpstan-audit-2026-06-05.md @@ -0,0 +1,85 @@ +# PHPStan Audit - 2026-06-05 + +This audit documents the current static-analysis setup and cleanup state from the private SkillBuilder application. + +## Scope + +- Added PHPStan as a private-codebase audit tool. +- Added a GitHub Actions workflow named `Testing` for the private application branch. +- Reduced the PHPStan baseline from 56 findings to 17 findings. +- Kept the remaining 17 baseline entries limited to Doctrine generated ID properties. + +## Implemented In Private Codebase + +Private audit commit: + +```text +b5fd3f2 Add PHPStan audit workflow +``` + +Main files added or changed in the private application: + +- `composer.json` +- `composer.lock` +- `phpstan.neon` +- `phpstan-baseline.neon` +- `scripts/run-phpstan.ps1` +- `.github/workflows/testing.yml` +- targeted PHPStan cleanups in commands, controllers, services, tests, and one Doctrine entity callback + +## Findings Reduced + +Before cleanup: + +```text +56 PHPStan baseline entries +``` + +After cleanup: + +```text +17 PHPStan baseline entries +``` + +The removed findings covered: + +- invalid or missing imports +- unreachable code +- redundant `method_exists()` guards +- redundant null-coalescing expressions +- overly broad user type checks +- direct session flash bag calls where controller flash helpers are clearer +- unused constructor dependency in GDPR export logic +- redundant lifecycle fallback for an initialized Doctrine timestamp + +## Remaining Baseline + +The remaining 17 entries are all Doctrine generated ID warnings of this form: + +```text +Property App\Entity\...\$id (int|null) is never assigned int +``` + +These are intentionally kept because Doctrine assigns `#[GeneratedValue]` IDs at runtime. They should be removed later with a Doctrine-aware PHPStan setup, not by weakening entity ID types. + +## Verification + +Checks performed locally: + +```text +php -l across changed PHP files: OK +PHPStan on changed command/controller/service files without baseline: OK +PHPStan on src/Entity with reduced baseline: OK +``` + +The full private-codebase PHPStan run is wired through the `Testing` workflow. The local Windows/P-drive environment required a PowerShell wrapper that copies the PHPStan PHAR to `%TEMP%` before execution. + +## Current Quality Impact + +This audit turns PHPStan from a one-off scan into repeatable project evidence: + +- static analysis is now part of the private repository setup +- real PHPStan findings were fixed rather than hidden +- the baseline is narrow and explainable +- the remaining debt has a clear next step: add Doctrine-aware PHPStan support +