Hi all,
Across the MediaWiki development community, we've increasingly been using phan https://www.mediawiki.org/wiki/Continuous_integration/Phan for static analysis and vulnerability checking. It's become very valuable in spotting issues during development, especially thanks to the security checking plugin maintained and extended by Daimona https://www.mediawiki.org/wiki/Continuous_integration/Phan/Phan-taint-check-plugin, but as phan has been run as a separate CI job, getting it configured for your repo was a bit of a chore, even assuming you knew it was available.
However, no more! Legoktm proposed https://phabricator.wikimedia.org/T283097 that we make the phan CI job pass when unconfigured, and as of a few minutes ago, I've deployed this change to CI to do this for (almost) all MediaWiki skins and extensions.
As a quick example, the Cargo extension previously did not have a phan CI job; it now does, as can be seen on this patch https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/693398. When the maintainers of that extension want to actually use phan on their extension, configuring it in the normal way https://www.mediawiki.org/wiki/Continuous_integration/Tutorials/Add_phan_to_a_MediaWiki_extension should Just Work™ in a self-service manner, without needing to ask for CI to be configured.
If there are any issues, please file a Phabricator task. If you need any help getting phan working for your extension, please drop into Libera IRC; the #wikimedia-releng channel might be a good one.
There are a handful of situations where we cannot run phan usefully right now, unfortunately; I hope we can fix that in the next few weeks.
J.