Right now we run them in separate jobs because taint-check is still sort of experimental, and because it was built on top of an old version of phan. However, things have changed in the meanwhile, and IMHO we're ready for that step. Notably, this would have two benefits:
- We would avoid the `extra` key in composer.json for seccheck
- We'd use less CI resources (running one phan job instead of two)
This is necessary because otherwise we'd have to require two (possibly different) versions of phan in composer.json (see T235053#5571224 for details).
In order to resolve this task, we should first release 3.0.0 (T235383), which uses the same version as mw-phan does right now. Then require it from mw-phan's composer.json and release a new version of mw-phan. Then cleanup CI config/dockerfiles.
===Plan===
[x] Wait for taint-check 3.0.1, which will use the same phan version as mw-phan.
[] Add taint-check to the `require` section of mw-phan's composer.json, and load it from the 'plugins' option in the cfg file, importing some required settings.
[x] Add some kind of testing for taint-check within mw-phan. E.g. find a way to run taint-check tests, or T226117
[] Update [[https://www.mediawiki.org/wiki/Phan-taint-check-plugin|docs]] on mw.org.
[] Tag a new version of phan
[] Have LibUp update all repos to that version, removing taint-check from the "extra" key at the same time
Notably, this will force us to keep mw-phan and taint-check on the same phan version. That shouldn't be too hard, though, as long as both are constantly kept up-to-date.