Right now we run them in separate jobs because taint-check is still sort of experimental, and because it was built on top of an old version of phan. However, things have changed in the meanwhile, and IMHO we're ready for that step. Notably, this would have two benefits:
- We would avoid the `extra` key in composer.json for seccheck
- We'd use less CI resources (running one phan job instead of two)
Aligning the phan versions first is necessary because otherwise we'd have to require two (possibly different) versions of phan in composer.json (see T235053#5571224 for details).
So, to resolve this task, we should first release taint-check 3.0.0 (T235383), which uses the same phan version as mw-phan does right now. Then require it from mw-phan's composer.json and release a new version of mw-phan. Then clean up the CI config and dockerfiles.
**PLAN**:
- Wait for taint-check 3.0.0, or any subsequent release that makes taint-check use the same phan version as mw-phan.
- Add taint-check to the `require` section of mw-phan's composer.json.
- Add taint-check to the `plugins` option in mw-phan.
- Add some kind of testing for taint-check within mw-phan, e.g. find a way to run the taint-check tests, or T226117.
- Update the [[https://www.mediawiki.org/wiki/Phan-taint-check-plugin|docs]] on mw.org.
Notably, this will force us to keep mw-phan and taint-check on the same phan version. That shouldn't be too hard, though, as long as both are constantly kept up-to-date.