There are several large problems with how editor-controlled Javascript/CSS (user/site scripts/styles and gadgets) are used in MediaWiki:
* {T71445}: there is no code review process, which is both a security nightmare and a barrier to creating maintainer communities around scripts. Also no good way to test code changes before applying them.
* {T121470}: there is no good way of sharing the same resources between multiple sites (or, in the case of long-tail scripts that are not popular enough to become site scripts or gadgets, sharing between multiple users) - resulting in either outdated copies or performance-degrading sharing methods.
* {T39230} / {T53651}: there is no continuous integration style support (linting, unit tests, browser tests, documentation generation etc) for editor-controlled Javascript/CSS.
Moving the code to some external version control platform should be a good solution for some of these issues and at least a foundation for a good solution for the rest:
* code sharing would be trivial and easy to track
* many public code repositories (most notably Github) also serve as development platforms and provide excellent code review and continuous integration support (and issue management and various other things)
* while testing/debugging support would still have to be implemented on the MediaWiki side, pull requests / feature branches at least provide a sane basis for it (as opposed to the current state of the art for code review, which is pasting suggested changes to the talk page)
(frwiki is already [[https://fr.wikipedia.org/wiki/Discussion_Projet:JavaScript#Discussion_tech_.C3.A0_la_WikiConvention_et_maintenance_du_projet_JavaScript|working on]] moving their gadget code to git and might be interested in this. The [[https://www.mediawiki.org/wiki/Wikimedia_Hackathon_2018/Prehackathon_Montpellier|2018 Montpellier pre-hackathon]] also has a related theme.)
Implementation proposal:
* Provide a configuration setting to associate a wiki with a list of repository providers.
* Provide a web configuration interface for associating wiki pages (`MediaWiki:*.js/css/json`, maybe `User:*.js/css/json`) with files in a git repository (on some specified branch/tag).
* Lock those pages from editing.
* Modify the appearance of these pages to give some hint of what's going on.
* Provide some kind of form for updating the pages associated to a certain repository to the latest version. This would work much like a normal edit (appear in recent changes etc.) so monitoring such code with the usual set of wiki tools would still be possible.
* Optionally, provide a webhook for listening to updates; when the code is updated in git, notify the maintainers (how would they be identified though)? Or even update automatically, although that might be a bad security-convenience tradeoff.
* Provide some [[https://www.mediawiki.org/wiki/Extension:TemplateSandbox|TemplateSandbox]]-like tool to override which branch the files are loaded from (for the purposes of testing pull requests). [[https://gerrit.wikimedia.org/r/#/c/340768/|gerrit 340768]] will make this fairly easy.
* Probably provide some sort of monitoring/reporting so that security engineers can get an easy overview of what repos to watch.