539 improve gitlab ci

[tijsverkoyen]

https://next-app.activecollab.com/108877/projects/62/tasks/241559

Summary by Sourcery

Update GitLab CI configuration and code quality tooling while applying style and linting fixes across SCSS and Twig templates.

New Features:

• Introduce Twig CS Fixer and GitLab-compatible PHP_CodeSniffer reporting for improved Twig and PHP code quality feedback.
• Add separate CI stages and jobs to audit Composer dependencies and detect outdated NPM and PHP packages.

Enhancements:

• Refine SCSS, Twig, and editor styles to comply with stylelint and Twig coding standards, including minor layout and selector adjustments.
• Align phpstan and JavaScript linting jobs with GitLab code quality format and improve their CI behavior and visibility of failures.
• Relax MySQL SSL verification for test DB imports in CI to ensure reliable test database setup across environments.

Build:

• Rename and standardize static analysis configuration files such as phpstan.neon to phpstan.dist.neon and add Twig CS Fixer configuration.

CI:

• Restructure GitLab CI pipeline stages and jobs for code quality, dependency scanning, and outdated package checks, including new images, reports, and artifact formats.

[sourcery-ai]

Reviewer's Guide

This PR improves GitLab CI code-quality and dependency scanning integration (including new stylelint, Twig-CS-Fixer, and GitLab-native report formats), adds the necessary tooling dependencies and configs, and cleans up SCSS/Twig code style (with some minor layout tweaks) to satisfy the new linters.

Flow diagram for updated code-quality and scanning jobs

flowchart TD
  Start[Start pipeline] --> Build[Install dependencies and build assets]

  subgraph Code_quality
    direction TB
    CQ_phpcs[PHP_CodeSniffer
    gitlab report format
    phpcs gitlab] 
    CQ_phpstan[PHPStan
    gitlab error format]
    CQ_twigcs[Twig CS Fixer
    junit report]
    CQ_stylelint[Stylelint
    GitLab codequality formatter]
    CQ_standardjs[StandardJS
    standard gitlab wrapper]
  end

  subgraph Dependency_scanning
    direction TB
    DS_npm[NPM audit]
    DS_composer[Composer audit]
  end

  subgraph Outdated_packages
    direction TB
    OP_npm[NPM outdated]
    OP_composer[Composer outdated]
  end

  subgraph Test
    direction TB
    T_phpunit[PHPUnit tests]
  end

  Build --> CQ_phpcs
  Build --> CQ_phpstan
  Build --> CQ_twigcs
  Build --> CQ_stylelint
  Build --> CQ_standardjs

  Build --> DS_npm
  Build --> DS_composer

  Build --> OP_npm
  Build --> OP_composer

  Build --> T_phpunit

  %% Failure visibility re runs
  CQ_phpstan -->|on failure only rerun without gitlab format| CQ_phpstan_rerun[PHPStan rerun plain output]
  CQ_twigcs -->|on failure only rerun with color output| CQ_twigcs_rerun[Twig CS Fixer rerun]
  CQ_stylelint -->|on failure only rerun with color output| CQ_stylelint_rerun[Stylelint rerun]

  End[Pipeline end] 
  T_phpunit --> End
  OP_composer --> End
  OP_npm --> End
  DS_composer --> End
  DS_npm --> End
  CQ_standardjs --> End
  CQ_stylelint_rerun --> End
  CQ_twigcs_rerun --> End
  CQ_phpstan_rerun --> End
  CQ_phpcs --> End

Loading

File-Level Changes

Change	Details	Files
Modernize GitLab CI pipeline for code quality, dependency and outdated-package scanning, and improve PHP tooling integration.	Added a new outdated packages stage and moved NPM/composer outdated checks into it. Updated the DB import step to disable MySQL SSL server-cert verification for CI tests. Reworked the PHPCS job to use the GitLab formatter, produce JSON report artifacts, and simplified its configuration (no MySQL service or test before_script). Adjusted the PHPStan job to use the analyse command with GitLab output, write JSON artifacts, and only rerun on failure while keeping MySQL setup via shared variables. Replaced the previous StandardJS-to-JUnit conversion with separate Twig-CS-Fixer, Stylelint, and StandardJS jobs that emit GitLab junit/codequality reports, with appropriate images and allow_failure flags. Simplified NPM audit to a straight npm audit --production job marked as allow_failure and added a composer audit job under dependency scanning.	.gitlab-ci.yml
Introduce additional tooling dependencies and configuration for code style and static analysis.	Added micheh/phpcs-gitlab and vincentlanglet/twig-cs-fixer as dev dependencies to support GitLab-formatted PHPCS reports and Twig linting. Renamed the PHPStan config file from phpstan.neon to phpstan.dist.neon to follow distribution-config conventions. Introduced a .twig-cs-fixer.dist.php config that aggregates the TwigCsFixer, Symfony, and Twig standards. Added/updated stylelint configuration and ignore files, and adjusted .gitignore (details in diff).	composer.json .gitignore .stylelintignore .stylelintrc phpstan.neon phpstan.dist.neon .twig-cs-fixer.dist.php
Normalize Bootstrap SCSS variables and base styles to a consistent code style and align with stylelint expectations, with minor behavioral tweaks.	Reformatted the large Bootstrap variables file to use consistent spacing, indentation, and removed most scss-docs/fusv comments while keeping variable values aligned with Bootstrap defaults where possible. Updated some color and layout variables to use consistent function syntax (e.g., rgba/rgb), maps, and transition definitions; reviewers should double-check any rgba→rgb changes for unintended behavior. Adjusted the privacy consent dialog to use the inset shorthand instead of separate top/right/bottom/left and unified modal paddings. Cleaned up various base SCSS files (fonts, gradients, editor-content) to follow a uniform comment style and added necessary stylelint-disable comments for legacy patterns and third‑party selectors. Fixed indentation and structure in the navbar languages and Splide plugin SCSS, including explicit stylelint suppressions for BEM-incompatible selector patterns.	src/Frontend/Themes/Bootstrap/src/Layout/Sass/_bootstrap-variables.scss src/Frontend/Themes/Bootstrap/src/Layout/Sass/base/_gradients.scss src/Frontend/Themes/Bootstrap/src/Layout/Sass/base/_editor-content.scss src/Frontend/Themes/Bootstrap/src/Layout/Sass/base/_fonts.scss src/Frontend/Themes/Bootstrap/src/Layout/Sass/components/_privacyConsentDialog.scss src/Frontend/Themes/Bootstrap/src/Layout/Sass/components/_navbar-languages.scss src/Frontend/Themes/Bootstrap/src/Layout/Sass/components/_navbar-toggler.scss src/Frontend/Themes/Bootstrap/src/Layout/Sass/plugins/_splide.scss src/Frontend/Core/Layout/Sass/editor_content.scss
Bring Twig templates in line with Symfony/Twig coding standards and simplify includes.	Switched template extends/includes and most string literals to single quotes for consistency. Normalized spacing inside Twig filters and hash arguments (e.g., {'key': 'value'}) and around `	rawusage.</li><li>Replaced{% include %}toolbar items with{{ include() }}` calls where appropriate, passing parameters as named arguments. Minor normalization of form widget calls in installer templates to consistent attribute syntax.
Align Bootstrap SCSS import stack and comments with local conventions and tooling.	Commented Bootstrap functions/variables imports with a consistent style rather than scss-docs markers. Removed now-unnecessary scss-docs-start/end comments and tightened the import list in the Bootstrap imports file.	src/Frontend/Themes/Bootstrap/src/Layout/Sass/_bootstrap-imports.scss

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 3 issues, and left some high level feedback:

• The changes from rgba(...) to rgb(...) with four arguments in _bootstrap-variables.scss (e.g. $navbar-light-color, $toast-background-color, form validation focus box-shadow, etc.) produce invalid CSS; these should remain rgba(...) when an alpha channel is used.
• The PHP_CodeSniffer and PHPStan jobs now generate GitLab-style JSON reports but are still declared under artifacts: reports: junit:; to have GitLab interpret them correctly, switch these to the appropriate report type (e.g. codequality:) or revert to JUnit-compatible formats.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The changes from `rgba(...)` to `rgb(...)` with four arguments in `_bootstrap-variables.scss` (e.g. `$navbar-light-color`, `$toast-background-color`, form validation focus box-shadow, etc.) produce invalid CSS; these should remain `rgba(...)` when an alpha channel is used.
- The PHP_CodeSniffer and PHPStan jobs now generate GitLab-style JSON reports but are still declared under `artifacts: reports: junit:`; to have GitLab interpret them correctly, switch these to the appropriate report type (e.g. `codequality:`) or revert to JUnit-compatible formats.

## Individual Comments

### Comment 1
<location> `src/Frontend/Themes/Bootstrap/src/Layout/Sass/_bootstrap-variables.scss:922-931` </location>
<code_context>
+$navbar-light-color: rgb(var(--#{$prefix}emphasis-color-rgb), .65);
</code_context>

<issue_to_address>
**issue (bug_risk):** Using `rgb()` instead of `rgba()` with `*-rgb` CSS variables and an alpha parameter will generate invalid CSS.

Several variables that used `rgba(var(--…-rgb), alpha)` were changed to `rgb(var(--…-rgb), alpha)` (e.g. `$navbar-light-color`, `$navbar-light-hover-color`, `$navbar-light-active-color`, `$navbar-light-disabled-color`, `$dropdown-dark-link-hover-bg`, `$card-cap-bg`, `$toast-background-color`, `$toast-header-background-color`). This `rgb()` form is invalid and will likely be ignored by browsers. To preserve the semi‑transparent effect and browser compatibility, keep these as `rgba(var(--#{$prefix}…-rgb), <alpha>)` or adopt the `rgb(r g b / a)` syntax consistently instead.
</issue_to_address>

### Comment 2
<location> `src/Frontend/Themes/Bootstrap/src/Layout/Sass/_bootstrap-variables.scss:1107-1116` </location>
<code_context>
+$form-invalid-border-color: $form-feedback-invalid-color;
 $form-validation-states: (
-    "valid": (
-        "color": var(--#{$prefix}form-valid-color),
-        "icon": $form-feedback-icon-valid,
-        "tooltip-color": #fff,
-        "tooltip-bg-color": var(--#{$prefix}success),
-        "focus-box-shadow": 0 0 $input-btn-focus-blur $input-focus-width rgba(var(--#{$prefix}success-rgb), $input-btn-focus-color-opacity),
-        "border-color": var(--#{$prefix}form-valid-border-color),
-    ),
-    "invalid": (
-        "color": var(--#{$prefix}form-invalid-color),
-        "icon": $form-feedback-icon-invalid,
-        "tooltip-color": #fff,
-        "tooltip-bg-color": var(--#{$prefix}danger),
-        "focus-box-shadow": 0 0 $input-btn-focus-blur $input-focus-width rgba(var(--#{$prefix}danger-rgb), $input-btn-focus-color-opacity),
-        "border-color": var(--#{$prefix}form-invalid-border-color),
-    )
+  "valid": (
</code_context>

<issue_to_address>
**issue (bug_risk):** The `focus-box-shadow` entries in `form-validation-states` also use `rgb()` with an alpha argument and should stay `rgba()`.

Both the `"valid"` and `"invalid"` entries currently use:

```scss
"focus-box-shadow": 0 0 $input-btn-focus-blur $input-focus-width rgb(var(--#{$prefix}success-rgb), $input-btn-focus-color-opacity),
```
(and the danger equivalent). `rgb()` with four arguments is invalid, so the focus box-shadow color won’t render. Please switch these back to `rgba(var(--#{$prefix}…-rgb), $input-btn-focus-color-opacity)` (or the `rgb(r g b / a)` form) to preserve the intended focus style.
</issue_to_address>

### Comment 3
<location> `.gitlab-ci.yml:67-70` </location>
<code_context>
-        - *before_script_test_configuration
     script:
-        - php bin/phpcs --report-full --report-junit=phpcs-report.xml
+        - php bin/phpcs --colors --report-full --report-\\Micheh\\PhpCodeSniffer\\Report\\Gitlab=phpcs-report.json
     artifacts:
         expire_in: 1 week
         reports:
-            junit: phpcs-report.xml
+            junit: phpcs-report.json
</code_context>

<issue_to_address>
**issue (bug_risk):** The PHPCS report configuration mixes a GitLab JSON formatter with a JUnit artifact type and the report CLI option looks unusual.

This job generates a GitLab PHPCS JSON report (`phpcs-report.json`) but publishes it as a `junit` artifact, which must be XML, so GitLab is unlikely to parse it correctly.

Consider:
1. If this is for GitLab Code Quality, publish `phpcs-report.json` under `codequality:` instead of `junit:`.
2. Adjust the PHPCS CLI to the more standard form: `--report=\Micheh\PhpCodeSniffer\Report\Gitlab --report-file=phpcs-report.json` rather than embedding the filename in the `--report` option.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue (bug_risk): Using rgb() instead of rgba() with *-rgb CSS variables and an alpha parameter will generate invalid CSS.

Several variables that used rgba(var(--…-rgb), alpha) were changed to rgb(var(--…-rgb), alpha) (e.g. $navbar-light-color, $navbar-light-hover-color, $navbar-light-active-color, $navbar-light-disabled-color, $dropdown-dark-link-hover-bg, $card-cap-bg, $toast-background-color, $toast-header-background-color). This rgb() form is invalid and will likely be ignored by browsers. To preserve the semi‑transparent effect and browser compatibility, keep these as rgba(var(--#{$prefix}…-rgb), <alpha>) or adopt the rgb(r g b / a) syntax consistently instead.

[sourcery-ai]

issue (bug_risk): The focus-box-shadow entries in form-validation-states also use rgb() with an alpha argument and should stay rgba().

Both the "valid" and "invalid" entries currently use:

"focus-box-shadow": 0 0 $input-btn-focus-blur $input-focus-width rgb(var(--#{$prefix}success-rgb), $input-btn-focus-color-opacity),

(and the danger equivalent). rgb() with four arguments is invalid, so the focus box-shadow color won’t render. Please switch these back to rgba(var(--#{$prefix}…-rgb), $input-btn-focus-color-opacity) (or the rgb(r g b / a) form) to preserve the intended focus style.

[sourcery-ai]

issue (bug_risk): The PHPCS report configuration mixes a GitLab JSON formatter with a JUnit artifact type and the report CLI option looks unusual.

This job generates a GitLab PHPCS JSON report (phpcs-report.json) but publishes it as a junit artifact, which must be XML, so GitLab is unlikely to parse it correctly.

Consider:

1. If this is for GitLab Code Quality, publish phpcs-report.json under codequality: instead of junit:.
2. Adjust the PHPCS CLI to the more standard form: --report=\Micheh\PhpCodeSniffer\Report\Gitlab --report-file=phpcs-report.json rather than embedding the filename in the --report option.