Hi all,

Across the MediaWiki development community, we've increasingly been using phan for static analysis and vulnerability checking. It's become very valuable in spotting issues during development, especially thanks to the security checking plugin maintained and extended by Daimona, but as phan has been run as a separate CI job, getting it configured for your repo was a bit of a chore, even assuming you knew it was available. 

However, no more! Legoktm proposed that we make the phan CI job pass when unconfigured, and as of a few minutes ago, I've deployed this change to CI to do this for (almost) all MediaWiki skins and extensions.

As a quick example, the Cargo extension previously did not have a phan CI job; it now does, as can be seen on this patch. When the maintainers of that extension want to actually use phan on their extension, configuring it in the normal way should Just Work™ in a self-service manner, without needing to ask for CI to be configured.

If there are any issues, please file a Phabricator task. If you need any help getting phan working for your extension, please drop into Libera IRC; the #wikimedia-releng channel might be a good one.

There are a handful of situations where we cannot run phan usefully right now, unfortunately; I hope we can fix that in the next few weeks.

J.
--
James D. Forrester (he/him or they/themself)