terabytesoftw
Member

@terabytesoftw terabytesoftw commented Aug 17, 2025

Q A
Is bugfix? ✔️
New feature?
Breaks BC?

Summary by CodeRabbit

  • Documentation
    • Updated license attribution and refreshed README badge.
  • Chores
    • Pinned CI workflows to stable v1 actions for reliability.
    • Refined exported files to exclude additional development and runtime artifacts from release archives.
  • Tests
    • Enhanced mutation testing workflow with automated MySQL/PostgreSQL setup and expanded coverage options.
  • Build
    • Adjusted development dependency constraint to support a newer mutation testing release.

@terabytesoftw terabytesoftw added the bug Something isn't working label Aug 17, 2025

codecov bot commented Aug 17, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@e0bf71c). Learn more about missing BASE report.
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff            @@
##             main       #87   +/-   ##
========================================
  Coverage        ?   100.00%           
  Complexity      ?       133           
========================================
  Files           ?         4           
  Lines           ?       522           
  Branches        ?         0           
========================================
  Hits            ?       522           
  Misses          ?         0           
  Partials        ?         0           


coderabbitai bot commented Aug 17, 2025

📥 Commits

Reviewing files that changed from the base of the PR and between a3e0f72 and e98ede8.

📒 Files selected for processing (1)
  • CHANGELOG.md (1 hunks)

Walkthrough

This PR pins multiple GitHub Actions reusable workflows to v1, refactors the mutation workflow to set up MySQL/Postgres containers and new inputs, adds export-ignore entries to .gitattributes, bumps infection to allow ^0.31, updates a license line, and adjusts a README badge link.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Pinned reusable workflows: .github/workflows/build.yml, .../build-mysql.yml, .../build-mssql.yml, .../build-oracle.yml, .../build-pgsql.yml, .../dependency-check.yml, .../ecs.yml, .../static.yml | Replaced action references from @main to @v1 (pinning reusable workflow/action versions). |
| Mutation workflow: .github/workflows/mutation.yml | Switched to infection.yml@v1; moved/restructured inputs (hook → before-hook); added before-hook script to start MySQL 8.0 and PostgreSQL 16 with healthchecks and export DSNs/credentials; added command-coverage-options and adjusted extensions/framework-options placement. |
| Packaging export-ignores: .gitattributes | Added export-ignore entries for .editorconfig, ecs.php, infection.json*, phpstan*.neon*, and runtime/. |
| Composer dev dependency: composer.json | Bumped infection/infection constraint from `^0.27 |
| License text: LICENSE.md | Changed non-endorsement entity name to “Yii2 Extensions (Terabytesoftw)”. |
| README badge: README.md | Updated PHPStan level badge link to point to this repository’s workflow URL. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub Actions
  participant Job as Mutation Job
  participant MySQL as Docker MySQL 8.0
  participant PG as Docker PostgreSQL 16
  participant Inf as Infection
  participant PHPU as PHPUnit

  Dev->>GH: Push/PR triggers mutation workflow
  GH->>Job: Start mutation job (infection.yml@v1)
  Job->>MySQL: docker run + healthcheck
  Job->>PG: docker run + healthcheck
  MySQL-->>Job: healthy
  PG-->>Job: healthy
  Job->>Job: export MYSQL_* and PGSQL_* to GITHUB_ENV
  Job->>Inf: run infection with configured extensions/options
  Inf->>PHPU: execute tests (framework options)
  PHPU-->>Inf: test results/coverage
  Inf-->>Job: mutation report
  Job-->>GH: Job status

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

A rabbit taps the pipeline keys,
Pins the flows to calm v1 breeze.
Spins up MySQL and Postgres bright,
Mutants tremble in the night.
Archive trimmed, a badge in place—thump-thump, CI race. 🐇✨


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (4)
.github/workflows/build-mysql.yml (1)

23-23: Prefer pinning reusable workflow to a commit SHA for supply-chain hardening

Switching from @main to a tag is already better. For stronger integrity guarantees and to avoid tag retargeting, consider pinning to a specific commit SHA of php-forge/actions.

Would you like me to fetch the latest commit SHA for fix-mini-31 and propose the exact pin?

.github/workflows/build.yml (1)

22-22: Pin reusable workflows to commit SHAs (not just tags)

Good move from @main to @fix-mini-31. To further harden the pipeline, prefer pinning to immutable commit SHAs to prevent tag retargeting.

I can look up the current SHAs for fix-mini-31 and provide the exact replacements if you want to lock them down.

Also applies to: 32-32

.github/workflows/mutation.yml (2)

22-22: Pin infection workflow to a commit SHA

As with other jobs, consider pinning the reusable workflow to a commit SHA for reproducibility and security.

I can retrieve and propose the specific SHA corresponding to fix-mini-31 if you’d like to lock it down.


24-75: Harden the before-hook and fix PostgreSQL readiness user mismatch

  • The PostgreSQL health checks and readiness waits use user “postgres” while the container is started with POSTGRES_USER=root. Aligning the user avoids potential flakiness.
  • Add “set -Eeuo pipefail” and a simple trap to fail fast and emit DB logs on errors for easier diagnostics.

Apply this patch to the before-hook:

       before-hook: |
+        set -Eeuo pipefail
+        trap 'echo "--- docker logs (mysql) ---"; docker logs --tail=200 mysql-test || true; \
+              echo "--- docker logs (postgres) ---"; docker logs --tail=200 postgres-test || true' ERR
         # Config MySQL with Docker
         docker run -d \
           --name mysql-test \
           -e MYSQL_ROOT_PASSWORD=root \
           -e MYSQL_DATABASE=yiitest \
           -e MYSQL_USER=test \
           -e MYSQL_PASSWORD=test \
           -p 3306:3306 \
           --health-cmd="mysqladmin ping -h localhost" \
           --health-interval=10s \
           --health-timeout=5s \
           --health-retries=5 \
           mysql:8.0

         # Config PostgreSQL with Docker
         docker run -d \
           --name postgres-test \
           -e POSTGRES_DB=yiitest \
           -e POSTGRES_USER=root \
           -e POSTGRES_PASSWORD=root \
           -p 5432:5432 \
-          --health-cmd="pg_isready -U postgres" \
+          --health-cmd="pg_isready -U root" \
           --health-interval=10s \
           --health-timeout=5s \
           --health-retries=3 \
           postgres:16

         # Wait for MySQL to be ready
         echo "Waiting for MySQL to be ready..."
         timeout 120s bash -c 'until docker exec mysql-test mysqladmin ping -h localhost --silent; do sleep 3; done'

         # Wait for PostgreSQL to be ready
         echo "Waiting for PostgreSQL to be ready..."
-        timeout 60s bash -c 'until docker exec postgres-test pg_isready -U postgres; do sleep 2; done'
+        timeout 60s bash -c 'until docker exec postgres-test pg_isready -U root; do sleep 2; done'
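Review bot: the two `pg_isready -U root` lines (the `--health-cmd` and the wait loop) still pass no database, so the probe falls back to a database named after the user, while the container is created with `POSTGRES_DB=yiitest`. Suggest `pg_isready -U root -d yiitest` in both places so the probe targets the database the tests use. Separately, the context lines publish `-p 3306:3306` and `-p 5432:5432` with root/root credentials; `-p 127.0.0.1:5432:5432` (and the same for 3306) keeps both listeners on loopback.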
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between e0bf71c and 8e1b9d5.

📒 Files selected for processing (5)
  • .gitattributes (1 hunks)
  • .github/workflows/build-mysql.yml (1 hunks)
  • .github/workflows/build.yml (2 hunks)
  • .github/workflows/mutation.yml (2 hunks)
  • composer.json (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: MySQL tests. / PHP 8.4-mysql-8.0
  • GitHub Check: MySQL tests. / PHP 8.4-mysql-8.4
  • GitHub Check: phpunit / PHP 8.4-windows-latest
  • GitHub Check: phpunit / PHP 8.2-windows-latest
  • GitHub Check: mutation / PHP 8.4-ubuntu-latest
  • GitHub Check: phpunit / PHP 8.1-windows-latest
  • GitHub Check: phpunit-compatibility / PHP 8.4-windows-latest
  • GitHub Check: SQL Server tests. / PHP 8.4-mssql-2022-latest
  • GitHub Check: Oracle tests. / PHP 8.4-oci-23
🔇 Additional comments (2)
composer.json (1)

19-19: Aligns with CI: allow Infection 0.31

The broader CI changes reference fix-mini-31 which expects Infection 0.31; relaxing the constraint to ^0.27|^0.31 is appropriate.

Please verify locally that your composer scripts still work under Infection 0.31 (flags like --ignore-msi-with-no-mutations, --only-covered, and static analysis integration). If you need, I can run through the option compatibility matrix and adjust scripts.

.gitattributes (1)

29-29: LGTM: better packaging hygiene with export-ignore

Excluding editor/linter configs, static analysis configs, and runtime dir from archives is a good improvement. This keeps distributed packages lean and focused on runtime artifacts.

Also applies to: 37-40, 43-43


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (6)
.github/workflows/build-pgsql.yml (1)

23-23: Optional: Pin to a commit SHA for maximum supply‑chain safety

If you want immutability (avoid surprises if v1 is retagged), consider pinning to the release commit SHA instead of the moving v1 tag. Apply similarly across all updated workflows in this PR.

Example (replace <commit-sha> with the actual SHA of the v1 release):

-uses: php-forge/actions/.github/workflows/phpunit-database.yml@v1
+uses: php-forge/actions/.github/workflows/phpunit-database.yml@<commit-sha>
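Review bot: unlike the other pinning suggestions in this review, the `+uses: ...phpunit-database.yml@<commit-sha>` line carries no tag comment, so a reader cannot tell which release the SHA corresponds to. Add `# v1` on the same line, and use the full 40-character commit SHA rather than an abbreviated one.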
.github/workflows/static.yml (1)

22-22: Pinning to v1 improves stability; consider pinning to a commit SHA for supply-chain safety.

Tags can be retargeted. If the upstream action publishes a breaking v1, your workflow could change unexpectedly. Prefer pinning to a known good commit SHA and optionally adding a comment with the release tag for readability.

Example:

-    uses: php-forge/actions/.github/workflows/phpstan.yml@v1
+    uses: php-forge/actions/.github/workflows/phpstan.yml@<commit-sha>
+    # v1
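Review bot: the `+    # v1` line sits below the `uses:` line at the same indentation, where it reads as a comment on whatever key follows. Put it on the same line as the ref, `uses: php-forge/actions/.github/workflows/phpstan.yml@<commit-sha> # v1`, so the tag stays attached to the SHA when the line is edited or moved.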
.github/workflows/ecs.yml (1)

22-22: Nice: version pin to v1. Consider hard-pinning to a commit SHA.

Same rationale as other workflows: reduce risk from a retagged or force-pushed v1.

-    uses: php-forge/actions/.github/workflows/ecs.yml@v1
+    uses: php-forge/actions/.github/workflows/ecs.yml@<commit-sha>
+    # v1
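Review bot: when filling in `<commit-sha>` on the `ecs.yml` line, check that the commit is reachable from a branch or tag of php-forge/actions itself. A SHA that exists only in a fork can still resolve through the parent repository's name, so take the SHA from the v1 tag in the upstream repository rather than from a fork or a search result.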
.github/workflows/mutation.yml (3)

22-22: Good move: action pinned to v1. Consider pinning to a commit SHA.

Prevents unexpected changes if v1 is moved upstream.

-    uses: php-forge/actions/.github/workflows/infection.yml@v1
+    uses: php-forge/actions/.github/workflows/infection.yml@<commit-sha>
+    # v1
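Review bot: pinning `infection.yml@<commit-sha>` fixes only the caller's reference; the actions that the reusable workflow itself invokes are resolved by whatever refs it contains. If the goal is an immutable pipeline, the `uses:` lines inside php-forge/actions need SHA pins as well, which this hunk cannot show.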

69-74: Align exported DB credentials with created users; prefer least privilege.

MySQL: container creates both root and test users, but you export root creds. Prefer the non-root user you created (test/test) to follow least-privilege.

-        echo "MYSQL_USERNAME=root" >> $GITHUB_ENV
-        echo "MYSQL_PASSWORD=root" >> $GITHUB_ENV
+        echo "MYSQL_USERNAME=test" >> $GITHUB_ENV
+        echo "MYSQL_PASSWORD=test" >> $GITHUB_ENV
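Review bot: `>> $GITHUB_ENV` is unquoted on all four lines of this hunk. Write `>> "$GITHUB_ENV"` so the redirect still works if the path ever contains whitespace or glob characters.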

24-51: Consider using GitHub Actions services for DBs instead of ad-hoc docker run.

Services integrate health checks, avoid port collisions, and simplify teardown. Your current approach works, but services are more idiomatic and predictable on GH-hosted runners.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between f1a7a6a and aa9163a.

📒 Files selected for processing (10)
  • .github/workflows/build-mssql.yml (1 hunks)
  • .github/workflows/build-mysql.yml (1 hunks)
  • .github/workflows/build-oracle.yml (1 hunks)
  • .github/workflows/build-pgsql.yml (1 hunks)
  • .github/workflows/build.yml (2 hunks)
  • .github/workflows/dependency-check.yml (1 hunks)
  • .github/workflows/ecs.yml (1 hunks)
  • .github/workflows/mutation.yml (2 hunks)
  • .github/workflows/static.yml (1 hunks)
  • LICENSE.md (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/build.yml
  • LICENSE.md
🔇 Additional comments (7)
.github/workflows/build-pgsql.yml (1)

23-23: Good hardening: reusable workflow pinned to a version tag

Referencing phpunit-database via @v1 improves stability and reproducibility across CI runs.

.github/workflows/dependency-check.yml (1)

22-22: LGTM: action pinned to @v1

Pinning composer-require-checker to @v1 aligns with best practices and the rest of the repo’s workflows.

.github/workflows/build-oracle.yml (1)

23-23: LGTM: phpunit-database workflow pinned to @v1

Consistent with other DB workflows; this improves CI determinism.

.github/workflows/build-mysql.yml (1)

23-23: LGTM: stable reference to reusable workflow

Using phpunit-database.yml@v1 enhances CI stability without changing behavior.

.github/workflows/build-mssql.yml (1)

23-23: LGTM: pinned reusable workflow

Moving from @main to @v1 is a solid improvement; consistent with other workflow updates.

.github/workflows/mutation.yml (2)

65-66: PostgreSQL connection test likely needs password and TCP.

psql inside the container with -U root may fail under peer/md5 auth when no password is provided. Force TCP and pass the password via env to make the check robust.

-        docker exec postgres-test psql -U root -d yiitest -c "SELECT version();"
+        docker exec -e PGPASSWORD=root postgres-test psql -h localhost -U root -d yiitest -c "SELECT version();"
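Review bot: `docker exec` runs `psql` inside the container on both the `-` and `+` lines, so even with `-h localhost` the check never goes through the published port that the test suite connects to. To validate what the tests will actually use, run the check from the runner against 127.0.0.1:5432 with the exported `PGSQL_*` values, or keep this line only as a liveness probe.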

75-78: Verify test groups include DB-backed tests if desired.

framework-options currently filter to groups sqlite,mutation. If you expect MySQL/PGSQL paths to execute during mutation testing, ensure those groups are included or not filtered out.
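As an added illustration of the pinning comments in the review above (not code from this PR, the repository, or CodeRabbit): a small Python audit that flags `uses:` references that are not pinned to a full commit SHA. The sample workflow and the 40-character SHA in it are constructed placeholders, and the tag-versus-branch distinction is a naming heuristic.

```python
import re

# `uses: owner/repo[/path]@ref`, optionally quoted, optionally followed by "# comment".
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#@]+)@([^\s'"#]+)['"]?\s*(?:#\s*(.*))?$"""
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
# Heuristic: refs such as v1, v1.2 or 1.2.3 are treated as version tags.
VERSION_TAG_RE = re.compile(r"v?\d+(?:\.\d+){0,2}")


def classify_ref(ref):
    """Return 'sha' for a full commit SHA, 'tag' for a version-like ref, else 'branch'."""
    if FULL_SHA_RE.fullmatch(ref):
        return "sha"
    if VERSION_TAG_RE.fullmatch(ref):
        return "tag"
    return "branch"


def audit_workflow(text, filename):
    """Return one finding per remote `uses:` reference in a workflow file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        target, ref, comment = match.group(1), match.group(2), match.group(3) or ""
        if target.startswith(("./", "docker://")):
            continue  # local workflows and container images are out of scope here
        kind = classify_ref(ref)
        if kind == "sha":
            problem = None if comment.strip() else "SHA pin has no version comment"
        elif kind == "tag":
            problem = "tag can be retargeted; pin to a full commit SHA"
        else:
            problem = "floating ref; pin to a full commit SHA"
        findings.append({"file": filename, "line": lineno, "target": target,
                         "ref": ref, "kind": kind, "problem": problem})
    return findings


# Constructed sample; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  phpstan:
    uses: php-forge/actions/.github/workflows/phpstan.yml@main
  ecs:
    uses: php-forge/actions/.github/workflows/ecs.yml@v1
  mutation:
    uses: php-forge/actions/.github/workflows/infection.yml@0123456789abcdef0123456789abcdef01234567 # v1
  database:
    uses: php-forge/actions/.github/workflows/phpunit-database.yml@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW, "sample.yml"):
        status = f["problem"] or "ok"
        print(f'{f["file"]}:{f["line"]} {f["target"]}@{f["ref"]} [{f["kind"]}] {status}')
```
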

@terabytesoftw terabytesoftw changed the title fix: Update .gitattributes to exclude additional files from the package. fix: Update .gitattributes to exclude additional files from the package, update LICENSE.md and add stable version worflows actions. Aug 17, 2025

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🔭 Outside diff range comments (1)
.github/workflows/mutation.yml (1)

64-66: Fix PostgreSQL connection test: provide password to psql

psql will require a password for user root by default; without it, this check can fail and abort the before-hook. Pass PGPASSWORD (inside the container) and explicitly set host to avoid peer auth surprises.

Apply this diff:

-        docker exec postgres-test psql -U root -d yiitest -c "SELECT version();"
+        docker exec -e PGPASSWORD=root postgres-test psql -h localhost -U root -d yiitest -c "SELECT version();"
♻️ Duplicate comments (1)
.github/workflows/mutation.yml (1)

75-77: pdo_mysql addition resolves prior breaking issue

Including pdo_mysql alongside pdo_pgsql and pdo_sqlite addresses the earlier “could not find driver” risk for MySQL DSNs. Thanks for closing that gap.

🧹 Nitpick comments (3)
.github/workflows/mutation.yml (3)

46-47: Optional: Align health check user with created role

You create POSTGRES_USER=root; using that same role for pg_isready removes ambiguity.

-          --health-cmd="pg_isready -U postgres" \
+          --health-cmd="pg_isready -U root" \
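Review bot: changing `--health-cmd` has no effect on readiness gating as the hook is written, because the wait step polls `docker exec postgres-test pg_isready` directly and never reads the container's health status. Either drop the `--health-*` flags or wait on `docker inspect --format '{{.State.Health.Status}}' postgres-test` so the health check is the single source of truth.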

26-31: Optional: Use a non-root DB user consistently

You create a MySQL test user (test/test) but export root credentials to GITHUB_ENV. Prefer the non-root user for tests (or drop creating it if you intend to use root).

Example aligning to non-root for MySQL:

-        echo "MYSQL_USERNAME=root" >> $GITHUB_ENV
-        echo "MYSQL_PASSWORD=root" >> $GITHUB_ENV
+        echo "MYSQL_USERNAME=test" >> $GITHUB_ENV
+        echo "MYSQL_PASSWORD=test" >> $GITHUB_ENV
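Review bot: before switching the exported account to `test`, confirm the suite does not create or drop databases or need server-wide privileges. That account is created alongside `MYSQL_DATABASE=yiitest` and may have no rights outside that database, so such tests would start failing with access errors rather than assertion failures.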

Alternatively, if you intend to use root, remove MYSQL_USER/MYSQL_PASSWORD from the docker run and rely only on root.

Also applies to: 68-74


24-74: Optional: Add cleanup to avoid lingering containers

If the reusable workflow supports an after-hook, clean up containers to keep runners tidy and avoid port collisions across matrix runs.

       before-hook: |
         # ...
         echo "PGSQL_PASSWORD=root" >> $GITHUB_ENV
+      after-hook: |
+        docker rm -f mysql-test postgres-test >/dev/null 2>&1 || true
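Review bot: the `after-hook` as written gives no guarantee that it runs when Infection or the before-hook fails, which is the case where containers are most likely to be left behind. If the reusable workflow exposes such a hook, it should be executed under `if: always()`. Also drop `>/dev/null 2>&1` so a failed removal is visible in the job log, keeping `|| true` so it stays non-fatal.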

If after-hook is not supported, consider adding cleanup commands to the action’s supported teardown mechanism instead.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 3abe1c8 and a3e0f72.

📒 Files selected for processing (2)
  • .github/workflows/mutation.yml (2 hunks)
  • .github/workflows/static.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (19)
  • GitHub Check: PostgreSQL tests. / PHP 8.4-pgsql-17
  • GitHub Check: PostgreSQL tests. / PHP 8.4-pgsql-16
  • GitHub Check: PostgreSQL tests. / PHP 8.4-pgsql-15
  • GitHub Check: phpunit / PHP 8.3-ubuntu-latest
  • GitHub Check: phpunit / PHP 8.4-ubuntu-latest
  • GitHub Check: phpunit / PHP 8.1-windows-latest
  • GitHub Check: phpunit-compatibility / PHP 8.1-ubuntu-latest
  • GitHub Check: phpunit-compatibility / PHP 8.2-ubuntu-latest
  • GitHub Check: phpunit-compatibility / PHP 8.4-ubuntu-latest
  • GitHub Check: MySQL tests. / PHP 8.4-mysql-latest
  • GitHub Check: MySQL tests. / PHP 8.4-mysql-8.4
  • GitHub Check: MySQL tests. / PHP 8.4-mysql-8.0
  • GitHub Check: Oracle tests. / PHP 8.4-oci-23
  • GitHub Check: mutation / PHP 8.4-ubuntu-latest
  • GitHub Check: phpunit / PHP 8.2-windows-latest
  • GitHub Check: phpunit / PHP 8.3-windows-latest
  • GitHub Check: Oracle tests. / PHP 8.4-oci-23
  • GitHub Check: mutation / PHP 8.4-ubuntu-latest
  • GitHub Check: SQL Server tests. / PHP 8.4-mssql-2022-latest
🔇 Additional comments (2)
.github/workflows/static.yml (1)

22-22: Pinning to v1 is a good hardening step

Switching from a floating ref to a major tag reduces supply-chain risk and stabilizes runs.

.github/workflows/mutation.yml (1)

22-22: Pin to reusable workflow v1 — good change

Using a major tag instead of main improves reproducibility and safety of CI.

@terabytesoftw terabytesoftw merged commit e78da8b into main Aug 17, 2025
33 checks passed
@terabytesoftw terabytesoftw deleted the fix-mini-73 branch August 17, 2025 18:22