Proper Static Analysis of PHP code in your Continuous Integration process
One simple fix can harden your code and prevent bugs in the future.
Long story short: exclude the dev-dependencies before running the analysis.
Lately, I have been analyzing the code and the CI process of one of my company’s microservices. We’re using the Psalm tool extensively. However, as it turned out, the analyzer was being run on the code while the dev-dependencies were still installed.
The project has quite a few dev-dependencies, each bringing its own set of dev-dependencies. To name a few:
- phpunit
- psalm
- behat
- selenium
- selenium drivers
- panther browser
This poses a slight risk: production code may use classes that are only available through dev-dependencies, and those packages are removed when the production dependencies are installed.
During the CI build the analysis might pass, yet the code will be invalid at runtime.
To correctly test the code we’ve modified the pipeline to:
- run the Composer install including dev-dependencies, which installs the Psalm phar tool
- move the Psalm phar to /bin/psalm.phar, outside the vendor directory
- remove the dev-dependencies by reinstalling with the --no-dev flag
- finally, run the analyzer with php /bin/psalm.phar
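The four steps above, scripted as a single CI job. This is an added example and not the pipeline from the original post. It assumes things the post does not state: Psalm is installed through the dev package psalm/phar (which places vendor/bin/psalm.phar), Composer 2 is used (its vendor/composer/installed.json carries a top-level "dev": true/false flag, which the guard function reads), and the phar is parked at /bin/psalm.phar as in the post (PSALM_BIN overrides that for local runs).

```shell
#!/bin/sh
# Added example, not code from the original post. It scripts the four pipeline
# steps as a CI job. Assumptions not stated in the post: Psalm comes from the
# dev package psalm/phar, which places vendor/bin/psalm.phar; Composer 2 is
# used, so vendor/composer/installed.json carries a top-level "dev" flag; the
# phar is parked at /bin/psalm.phar as in the post (override with PSALM_BIN).
set -eu

PSALM_BIN="${PSALM_BIN:-/bin/psalm.phar}"
COMPOSER="${COMPOSER:-composer}"

# Steps 1 and 2: install everything, including require-dev, so the phar exists,
# then copy it outside vendor/ where the next Composer run cannot remove it.
stage_psalm() {
    "$COMPOSER" install --no-interaction --prefer-dist
    cp vendor/bin/psalm.phar "$PSALM_BIN"
    chmod +x "$PSALM_BIN"
}

# Step 3: rebuild vendor/ with production packages only. Any src/ reference to a
# class that only a dev package provides is now unresolvable, which is exactly
# what the analyzer should report.
strip_dev_dependencies() {
    "$COMPOSER" install --no-dev --no-interaction --prefer-dist --optimize-autoloader
}

# Guard: refuse to analyze while dev packages are still present. Composer 2
# writes "dev": false into installed.json after a --no-dev install.
vendor_is_production_only() {
    grep -q '"dev": false' vendor/composer/installed.json
}

# Step 4: run the parked phar against the production vendor tree.
run_psalm() {
    php "$PSALM_BIN" --no-cache --show-info=false
}

ci_psalm_job() {
    stage_psalm
    strip_dev_dependencies
    vendor_is_production_only || {
        echo "vendor/ still contains dev packages; refusing to analyze" >&2
        return 1
    }
    run_psalm
}

# Run the job only when invoked as the CI step, e.g. RUN_PSALM_JOB=1 sh psalm-ci.sh
if [ "${RUN_PSALM_JOB:-0}" = 1 ]; then
    ci_psalm_job
fi
```

The order matters: the phar is copied out of vendor/ before the --no-dev install, because that install deletes vendor/bin/psalm.phar along with every other dev package. The guard function makes the job fail loudly if someone later reorders the steps or drops the --no-dev flag.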
It even turned out that some parts of the code were using the wrong assertion library, one that came from the dev-dependencies. Fortunately, the code never broke in production, because the assertion sat inside a condition that had not been evaluated since it was added.