Fixes

Author: PDowney

.github/workflows/branch-cleanup.yml

@@ -23,7 +23,7 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Delete merged branch
-        if: github.event.pull_request.merged == true
+        if: github.event.pull_request.merged == true && github.event.pull_request.head.repo.full_name == github.repository
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
@@ -44,4 +44,4 @@ jobs:
           else
             echo "::error::Failed to delete branch: $BRANCH_NAME"
             exit 1
-          fi
+          fi

.github/workflows/issue-management.yml

@@ -11,7 +11,7 @@ on:
     types: [opened, reopened]
 
 permissions:
-  contents: write
+  contents: read
   pull-requests: write
   issues: write
 
@@ -20,6 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/labeler@v6
+      if: github.event_name == 'pull_request'
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         configuration-path: .github/labeler.yml
@@ -29,4 +30,4 @@ jobs:
         days-before-stale: 30
         days-before-close: 7
         stale-issue-message: 'This issue is stale due to inactivity'
-        stale-pr-message: 'This PR is stale due to inactivity'
+        stale-pr-message: 'This PR is stale due to inactivity'

.github/workflows/release.yml

@@ -38,6 +38,40 @@ jobs:
             echo "Release v${{ steps.get_version.outputs.version }} does not exist yet"
           fi
 
+      - name: Update README version
+        if: steps.check_release.outputs.exists == 'false'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ steps.get_version.outputs.version }}
+        run: |
+          README_FILE="README.md"
+          TMP_FILE=$(mktemp)
+
+          # Update the version badge with the new version and logo
+          sed -E 's#\[!\[Version\]\(https://img\.shields\.io/badge/Version-[0-9]+\.[0-9]+\.[0-9]+-orange\.svg\?logo=github\)\]\(https://github\.com/EngineScript/enginescript-site-optimizer/releases/download/v[0-9]+\.[0-9]+\.[0-9]+/enginescript-site-optimizer-[0-9]+\.[0-9]+\.[0-9]+\.zip\)#[![Version](https://img.shields.io/badge/Version-'"$VERSION"'-orange.svg?logo=github)](https://github.com/EngineScript/enginescript-site-optimizer/releases/download/v'"$VERSION"'/enginescript-site-optimizer-'"$VERSION"'.zip)#g' "$README_FILE" > "$TMP_FILE"
+
+          # Replace file if changes were made
+          if ! cmp -s "$README_FILE" "$TMP_FILE"; then
+            cp "$TMP_FILE" "$README_FILE"
+            echo "Updated README.md with version $VERSION"
+
+            # Configure git
+            git config --local user.email "github-actions[bot]@users.noreply.github.com"
+            git config --local user.name "github-actions[bot]"
+
+            # Commit and push the changes
+            git add "$README_FILE"
+            git commit -m "docs: update README.md version to $VERSION [skip ci]"
+            git push https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.git
+
+            echo "::notice::README.md updated with latest version $VERSION"
+          else
+            echo "::notice::README.md already has the correct version"
+          fi
+
+          # Clean up temporary file
+          rm "$TMP_FILE"
+
       - name: Create zip file
         if: steps.check_release.outputs.exists == 'false'
         run: |
@@ -83,37 +117,3 @@ jobs:
           draft: false
           prerelease: false
           generate_release_notes: false
-
-      - name: Update README version
-        if: steps.check_release.outputs.exists == 'false'
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          VERSION: ${{ steps.get_version.outputs.version }}
-        run: |
-          README_FILE="README.md"
-          TMP_FILE=$(mktemp)
-
-          # Update the version badge with the new version and logo
-          sed -E 's#\[!\[Version\]\(https://img\.shields\.io/badge/Version-[0-9]+\.[0-9]+\.[0-9]+-orange\.svg\?logo=github\)\]\(https://github\.com/EngineScript/enginescript-site-optimizer/releases/download/v[0-9]+\.[0-9]+\.[0-9]+/enginescript-site-optimizer-[0-9]+\.[0-9]+\.[0-9]+\.zip\)#[![Version](https://img.shields.io/badge/Version-'"$VERSION"'-orange.svg?logo=github)](https://github.com/EngineScript/enginescript-site-optimizer/releases/download/v'"$VERSION"'/enginescript-site-optimizer-'"$VERSION"'.zip)#g' "$README_FILE" > "$TMP_FILE"
-
-          # Replace file if changes were made
-          if ! cmp -s "$README_FILE" "$TMP_FILE"; then
-            cp "$TMP_FILE" "$README_FILE"
-            echo "Updated README.md with version $VERSION"
-
-            # Configure git
-            git config --local user.email "github-actions[bot]@users.noreply.github.com"
-            git config --local user.name "github-actions[bot]"
-
-            # Commit and push the changes
-            git add "$README_FILE"
-            git commit -m "docs: update README.md version to $VERSION [skip ci]"
-            git push https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.git
-
-            echo "::notice::README.md updated with latest version $VERSION"
-          else
-            echo "::notice::README.md already has the correct version"
-          fi
-
-          # Clean up temporary file
-          rm "$TMP_FILE"

.github/workflows/wp-compatibility-test.yml

@@ -455,48 +455,73 @@ jobs:
 
           # Basic security pattern checks for common WordPress vulnerabilities
           echo "Checking for common security issues..."
+          security_findings=0
+
+          grep_php() {
+            grep -r "$1" \
+              --include="*.php" \
+              --exclude-dir=.github \
+              --exclude-dir=.vscode \
+              --exclude-dir=build \
+              --exclude-dir=coverage \
+              --exclude-dir=plugin-check-build \
+              --exclude-dir=stubs \
+              --exclude-dir=tests \
+              --exclude-dir=vendor \
+              . 2>/dev/null
+          }
 
           # Check for potential SQL injection patterns
-          if grep -r "mysql_query\|mysqli_query" --include="*.php" --exclude-dir=.github --exclude-dir=.vscode . 2>/dev/null; then
-            echo "Warning: Direct database queries found. Ensure proper sanitization."
+          if grep_php "mysql_query\|mysqli_query"; then
+            echo "::error::Direct database queries found. Ensure proper sanitization."
+            security_findings=1
           fi
 
           # Check for potential XSS vulnerabilities (missing escaping)
-          if grep -r "echo \$_\|print \$_" --include="*.php" --exclude-dir=.github --exclude-dir=.vscode . 2>/dev/null; then
-            echo "Warning: Potential XSS vulnerability found. Ensure output is escaped."
+          if grep_php "echo \$_\|print \$_"; then
+            echo "::error::Potential XSS vulnerability found. Ensure output is escaped."
+            security_findings=1
           fi
 
           # Check for file inclusion vulnerabilities
-          if grep -r "include.*\$_\|require.*\$_" --include="*.php" --exclude-dir=.github --exclude-dir=.vscode . 2>/dev/null; then
-            echo "Warning: Potential file inclusion vulnerability found."
+          if grep_php "include.*\$_\|require.*\$_"; then
+            echo "::error::Potential file inclusion vulnerability found."
+            security_findings=1
           fi
 
           # Check for eval() usage (security risk)
-          if grep -r "eval(" --include="*.php" --exclude-dir=.github --exclude-dir=.vscode . 2>/dev/null; then
-            echo "Warning: eval() function usage detected. This is a security risk."
+          if grep_php "eval("; then
+            echo "::error::eval() function usage detected. This is a security risk."
+            security_findings=1
           fi
 
           # Check for proper nonce usage
-          if grep -r "wp_nonce_field\|wp_verify_nonce\|settings_fields" --include="*.php" --exclude-dir=.github --exclude-dir=.vscode . >/dev/null 2>&1; then
+          if grep_php "wp_nonce_field\|wp_verify_nonce\|settings_fields" >/dev/null 2>&1; then
             echo "WordPress nonce usage detected."
           else
             echo "Info: Consider adding WordPress nonces for form security."
           fi
 
           # Check for proper sanitization functions
-          if grep -r "sanitize_\|esc_" --include="*.php" --exclude-dir=.github --exclude-dir=.vscode . >/dev/null 2>&1; then
+          if grep_php "sanitize_\|esc_" >/dev/null 2>&1; then
             echo "WordPress sanitization functions detected."
           else
-            echo "Warning: Limited use of WordPress sanitization functions."
+            echo "::error::Limited use of WordPress sanitization functions."
+            security_findings=1
           fi
 
           # Check for capability checks
-          if grep -r "current_user_can\|user_can" --include="*.php" --exclude-dir=.github --exclude-dir=.vscode . >/dev/null 2>&1; then
+          if grep_php "current_user_can\|user_can" >/dev/null 2>&1; then
             echo "WordPress capability checks detected."
           else
             echo "Info: Consider adding user capability checks where appropriate."
           fi
 
+          if [ "$security_findings" -ne 0 ]; then
+            echo "::error::WordPress security scan found blocking findings."
+            exit 1
+          fi
+
           echo "WordPress security scan completed."
 
       - name: Create issue on security vulnerability

tests/unit/DomainValidationTest.php

@@ -16,9 +16,9 @@ final class DomainValidationTest extends TestCase {
 	 * Reset options between tests.
 	 */
 	protected function setUp(): void {
-		parent::setUp();
-
 		$this->resetTestState();
+
+		parent::setUp();
 	}
 
 	/**
@@ -207,6 +207,7 @@ public function test_resource_hints_use_wordpress_filter_contract(): void {
 
 		$this->assertContains( array( 'href' => 'https://fonts.gstatic.com', 'crossorigin' => 'anonymous' ), $preconnect_hints );
 		$this->assertIsArray( $cdn_hint );
+		$this->assertSame( 'https://cdn.example.com', $cdn_hint['href'] );
 		$this->assertArrayNotHasKey( 'crossorigin', $cdn_hint );
 		$this->assertContains( 'https://static.example.com', $dns_prefetch_urls );
 	}