Prepare release 10.5.0

.drone.yml

@@ -18,18 +18,13 @@ matrix:
     - lowest
     - highest
 
-services:
-  web:
-    image: registry.fpfis.eu/fpfis/httpd-php:${PHP_VERSION=8.1}-ci
-    environment: &env
-      - DOCUMENT_ROOT=/test/toolkit
-
 pipeline:
   composer-install:
     group: composer
     image: registry.fpfis.eu/fpfis/httpd-php:${PHP_VERSION=8.1}-ci
     secrets: [ github_api_token, gitlab_api_token, composer_auth ]
-    environment: *env
+    environment: &env
+      - DOCUMENT_ROOT=/test/toolkit
     volumes:
       - /cache/${DRONE_REPO_NAME}:/cache
     commands:

.gitignore

@@ -17,7 +17,7 @@ node_modules/
 package.json
 package-lock.json
 /docs_tmp/
-/mock
+/.toolkit-mock
 
 # Documentation folder exclusions.
 !docs/

CHANGELOG.md

@@ -1,5 +1,20 @@
 # Toolkit change log
 
+## Version 9.15.0 | 10.5.0
+  - DQA-7938: Don't check for approval for dependencies inside project codebase.
+  - DQA-7662: Report unsupported modules.
+  - DQA-7759: Add new option to allow skip specific outdated component.
+  - DQA-7953: Remove dedicated drush check.
+  - DQA-7760: Create task to convert remote patches into local patches.
+  - DQA-7744: Force extra.enable-patching set to false.
+  - DQA-7745: Prevent use of remote patches from untrusted sources.
+  - DQA-7967: Force extra.composer-exit-on-patch-failure set to true.
+  - DQA-7577: Set DB transaction isolation level to READ COMMITTED.
+  - DQA-7735: Toolkit mock to use tag in mock-dir.
+  - DQA-7954: Improve commit message conditions.
+  - DQA-7989: Component check improvements.
+  - DQA-8010: Detail component check command information.
+
 ## Version 9.14.0 | 10.4.0
   - DQA-7830: Switch array_pop to array_shift in Toolkit secure check.
   - DQA-7713: Add support to phpunit/phpunit 10.

config/commands/patch.yml

@@ -0,0 +1,9 @@
+command:
+  toolkit:
+    patch-download:
+      options:
+        dir: ${toolkit.patches.dir}
+        composer: ${toolkit.patches.composer}
+    patch-list:
+      options:
+        composer: ${toolkit.patches.composer}

config/runner/toolkit.yml

@@ -18,8 +18,16 @@ toolkit:
   components:
     outdated:
       check: true
+      # Ignore packages in specific version, example:
+      # - name: drupal/webform
+      #   version: 1.1.1
+      ignores: [ ]
     abandoned:
       check: true
+    unsupported:
+      check: true
+    composer:
+      drupal_patches: true
   deploy:
     config_file: 'config/sync/core.extension.yml'
     sequence_file: '.opts.yml'
@@ -65,6 +73,9 @@ toolkit:
     - 1.x
     - 2.x
   install_dependencies: true
+  patches:
+    dir: resources/patches
+    composer: composer.json
   hooks:
     # A relative path from the project root where the hooks are located.
     dir: 'resources/git/hooks'
@@ -76,14 +87,14 @@ toolkit:
       # Run the PHPcs and linters (configurable).
       - pre-push
     commit-msg:
-      example: 'ABC-123: The commit message.'
+      example: 'AB1C-123: The commit message.'
       conditions:
         - message: 'The commit message must start with the JIRA issue number.'
-          regex: /^[A-Z]+\-\d+/
+          regex: /^[A-Z0-9]+\-\d+/
         - message: 'The JIRA issue number must be followed by a colon and space.'
-          regex: /^[A-Z]+\-\d+:\ /
+          regex: /^[A-Z0-9]+\-\d+:\ /
         - message: 'The subject must start with capital letter.'
-          regex: /^[A-Z]+\-\d+:\ [A-Z]/
+          regex: /^[A-Z0-9]+\-\d+:\ [A-Z]/
         - message: 'The commit message must end with a period.'
           regex: /\.$/
     pre-push:

docker-compose.yml

@@ -21,7 +21,7 @@ services:
       QA_API_AUTH_TOKEN:
       QA_WEBSITE_URL:
       TOOLKIT_MOCK_REPO:
-      TOOLKIT_MOCK_BRANCH: 0.0.2
+      CI: false
       GITHUB_API_TOKEN:
       GITLAB_API_TOKEN:
       XDEBUG_CONFIG: client_host=host.docker.internal

docs/guide/commands.rst

@@ -41,7 +41,7 @@ See bellow current list of available commands:
    toolkit:check-version             Check the Toolkit version.
    toolkit:code-review               This command will execute all the testing tools.
    toolkit:complock-check            Check if 'composer.lock' exists on the project root folder.
-   toolkit:component-check           Check composer.json for components that are not whitelisted/blacklisted.
+   toolkit:component-check           Check composer for components that are not whitelisted/blacklisted.
    toolkit:create-dump               [tk-cdump] Export the local snapshot.
    toolkit:download-dump             [tk-ddump] Download ASDA snapshot.
    toolkit:fix-permissions           Run script to fix permissions (experimental).
@@ -59,6 +59,8 @@ See bellow current list of available commands:
    toolkit:lint-php                  [tk-php|tlp] Run lint PHP.
    toolkit:lint-yaml                 [tk-yaml|tly] Run lint YAML.
    toolkit:opts-review               Check project's .opts.yml file for forbidden commands.
+   toolkit:patch-download            [tk-pd] Download remote patches into a local directory.
+   toolkit:patch-list                [tk-pl] Download remote patches into a local directory.
    toolkit:requirements              Check the Toolkit Requirements.
    toolkit:run-blackfire             [tk-bfire|tbf] Run Blackfire.
    toolkit:run-deploy                Run deployment sequence.

docs/guide/components.rst

@@ -1,6 +1,86 @@
 Components
 ===================
 
-In the QA Website, you can find the components being controlled by our CI/CD.
+In the `QA Website <https://digit-dqa.fpfis.tech.ec.europa.eu>`_, you can find the components being controlled by our CI/CD.
 
 `Components <https://digit-dqa.fpfis.tech.ec.europa.eu/package-reviews>`_
+
+Mandatory module check
+----
+Ensure that packages marked as Mandatory in the QA website inventory are being used by the project.
+
+You can check the `list of mandatory modules <https://digit-dqa.fpfis.tech.ec.europa.eu/package-reviews?f[0]=package_mandatory:1>`_.
+
+* It is not possible to bypass this check.
+
+Recommended module check
+----
+Ensure that packages marked as Recommended in the QA website inventory are being used by the project.
+
+You can check the `list of recommended modules <https://digit-dqa.fpfis.tech.ec.europa.eu/package-reviews?f[0]=package_usage:3>`_.
+
+* This step is in reporting mode.
+
+Insecure module check
+----
+Uses the ``drush pm:security`` command in combination with ``composer audit`` command.
+
+* It is possible to bypass this check using the environment variable ``QA_SKIP_INSECURE=true`` or by using the
+token ``[SKIP_INSECURE]`` in the commit message.
+
+Outdated module check
+----
+Uses the ``composer outdated`` command.
+
+* It is possible to bypass this check using the token ``[SKIP_OUTDATED]`` in the commit message or by configuration
+``toolkit.components.outdated.check: false``.
+
+* It is also possible to bypass specific package in a specific version, example:
+
+.. code-block::
+
+    toolkit:
+      components:
+        outdated:
+          ignores:
+            - name: drupal/webform
+              version: 1.1.1
+
+Abandoned module check
+----
+Uses the ``composer outdated`` command.
+
+* It is possible to bypass this check using the configuration ``toolkit.components.abandoned.check: false``.
+
+Unsupported module check
+----
+Uses the `update_available_releases() <https://api.drupal.org/api/drupal/core%21modules%21update%21update.module/function/update_get_available/10>`_  in combination with `update_calculate_project_data() <https://api.drupal.org/api/drupal/core%21modules%21update%21update.compare.inc/function/update_calculate_project_data/8.0.x>`_ functions.
+
+* It is possible to bypass this check using the configuration ``toolkit.components.unsupported.check: false``.
+
+Evaluation module check
+----
+Uses the Quality Assurance packages inventory to validate the used components if they are whitelisted or blacklisted.
+
+Using a set of vendors configured in the endpoint to validate the packages, it is possible to restrict the use of packages by project-id, type of
+project or profile.
+
+All ``metapackages`` and local packages are ignored.
+
+Development module check
+----
+Uses the Quality Assurance packages inventory to validate that no development packages are used in the production environment.
+
+Composer validation check
+----
+Performs a series of checks in the ``composer.json`` file.
+
+Ensures that packages are not used in dev branches (like: ``^dev-*`` or ``*-dev$``).
+
+Enforce the setting ``extra.enable-patching`` to be ``false``.
+
+Enforce the setting ``extra.composer-exit-on-patch-failure`` to be ``true``.
+
+Validate existing patches, by default only local and Drupal.org patches are allowed.
+
+* It is possible to block remote patches from Drupal.org by using configuration ``toolkit.components.composer.drupal_patches: false``.

phpdoc.dist.xml

@@ -9,7 +9,7 @@
     <paths>
         <output>docs</output>
     </paths>
-    <version number="10.4.0">
+    <version number="10.5.0">
         <folder>latest</folder>
         <api>
             <source dsn=".">

phpunit.xml.dist

@@ -10,7 +10,6 @@
     <php>
         <env name="CI" value="true"/>
         <env name="QA_WEBSITE_URL" value="http://web:8080" force="true"/>
-        <env name="TOOLKIT_MOCK_BRANCH" value="0.0.2"/>
         <env name="TOOLKIT_DEBUG_EXPECTATIONS" value="false"/>
         <env name="DRUPAL_DATABASE_NAME" value="drupal"/>
         <env name="DRUPAL_DATABASE_USERNAME" value="root"/>
@@ -54,6 +53,9 @@
         <testsuite name="Lint">
             <file>tests/Features/Commands/LintCommandsTest.php</file>
         </testsuite>
+        <testsuite name="Patch">
+            <file>tests/Features/Commands/PatchCommandsTest.php</file>
+        </testsuite>
         <testsuite name="Release">
             <file>tests/Features/Commands/ReleaseCommandsTest.php</file>
         </testsuite>

src/Mock.php

@@ -12,6 +12,20 @@
 final class Mock
 {
 
+    /**
+     * The default mock tag to use to download and local directory.
+     *
+     * @var string
+     */
+    private static string $defaultTag = '0.0.2';
+
+    /**
+     * The directory to download the mock to.
+     *
+     * @var string
+     */
+    private static string $directory = '.toolkit-mock';
+
     /**
      * Downloads the mock from the repo.
      *
@@ -23,15 +37,13 @@ public static function download(): bool
         if (!Toolkit::isCiCd()) {
             return false;
         }
-        $mockDir = getenv('TOOLKIT_MOCK_DIR') ?: 'mock';
+        $tag = self::tag();
+        $mockDir = self::$directory . '/' . $tag;
         if (file_exists($mockDir)) {
             return true;
         }
-        if (empty($repo = getenv('TOOLKIT_MOCK_REPO'))) {
-            throw new \Exception('Missing env var TOOLKIT_MOCK_REPO.');
-        }
-        $branch = getenv('TOOLKIT_MOCK_BRANCH') ?: '0.0.2';
-        $command = "git clone --depth 1 --branch $branch $repo $mockDir";
+        $repo = self::repo();
+        $command = "git clone --depth 1 --branch $tag $repo $mockDir";
         $process = Process::fromShellCommandline($command);
         $process->run();
         if ($process->getExitCode()) {
@@ -54,7 +66,8 @@ public static function getEndpointContent(string $endpoint)
         if (!Toolkit::isCiCd()) {
             return false;
         }
-        $mockDir = getenv('TOOLKIT_MOCK_DIR') ?: 'mock';
+        $tag = self::tag();
+        $mockDir = self::$directory . '/' . $tag;
         if (!file_exists($mockDir)) {
             throw new \Exception("Mock not found at '$mockDir'.");
         }
@@ -65,4 +78,29 @@ public static function getEndpointContent(string $endpoint)
         return file_get_contents($endpointFile);
     }
 
+    /**
+     * Returns the repository url.
+     *
+     * @throws \Exception
+     *   If missing env var TOOLKIT_MOCK_REPO.
+     */
+    public static function repo(): string
+    {
+        if (empty($repo = getenv('TOOLKIT_MOCK_REPO'))) {
+            throw new \Exception('Missing env var TOOLKIT_MOCK_REPO.');
+        }
+        return (string) $repo;
+    }
+
+    /**
+     * Returns the tag to use.
+     */
+    public static function tag(): string
+    {
+        if (!empty($tag = getenv('TOOLKIT_MOCK_TAG'))) {
+            return (string) $tag;
+        }
+        return self::$defaultTag;
+    }
+
 }

src/TaskRunner/AbstractCommands.php

@@ -128,4 +128,28 @@ public function getWorkingDir(): string
         return (string) $this->input->getParameterOption('--working-dir', getcwd());
     }
 
+    /**
+     * Returns the composer.json parsed content.
+     */
+    public function getComposerJson(): array
+    {
+        $file = $this->getWorkingDir() . '/composer.json';
+        if (!file_exists($file)) {
+            throw new \Exception("The '$file' was not found.");
+        }
+        return (array) json_decode(file_get_contents($file), true);
+    }
+
+    /**
+     * Returns the composer.lock parsed content.
+     */
+    public function getComposerLock(): array
+    {
+        $file = $this->getWorkingDir() . '/composer.lock';
+        if (!file_exists($file)) {
+            throw new \Exception("The '$file' was not found.");
+        }
+        return (array) json_decode(file_get_contents($file), true);
+    }
+
 }