Release: merge development into beta#72
Merged
rubenvdlinde merged 8 commits intobetafrom May 1, 2026
Merged
Conversation
…/nextcloud-vue (ADR-004) (#71) Two stragglers added by widget-add-edit-modal (#65/#68 runtime-shell) and widget-context-menu (#60) before ADR-004 landed via #34. Swap is mechanical: NcButton + NcEmptyContent are already exported by @conduction/nextcloud-vue and used elsewhere in the codebase (TileCard, WidgetRenderer, AdminSettings).
This was referenced May 1, 2026
…ADR-005) (#80) 12 sites in 3 controllers were forwarding `$e->getMessage()` from DoesNotExistException / InvalidArgumentException / generic Exception straight into the response body. Replaced each with a fixed safe string matching the HTTP status semantics: - 4 × `DoesNotExistException` → 404 → `'Dashboard not found'` - 4 × generic `Exception` → 403 → `'Forbidden'` - 3 × `InvalidArgumentException` → 400 → `'Invalid request'` - 1 × `InvalidArgumentException` (groups payload) → 400 → `'Invalid groups payload'` Kept 2 sites unchanged: `PersonalDashboardsDisabledException` returns its own `getErrorCode()` + a safe translated message designed for clients. Also kept logger->warning/error sites with `$e->getMessage()` — those are server-side log context, never reach the client. Affected files: - lib/Controller/AdminController.php - lib/Controller/DashboardApiController.php - lib/Controller/DashboardShareApiController.php
Contributor
Author
Quality Report — ConductionNL/mydash @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ❌ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ❌ | ||||
| stylelint | ✅ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ✅ | ✅ 342/342 | |||
| PHPUnit | ⏭️ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Quality workflow — 2026-05-01 07:52 UTC
Download the full PDF report from the workflow artifacts.
The Commit SBOM step ran a direct `git push` on every push trigger. On protected branches (main / development / beta) the org ruleset rejects unbypassed pushes, so the workflow failed with `GH013: Repository rule violations` — visible as the red `SBOM Generation & Validation` check on every release PR. Split the post-build step in two: - Unprotected branches (feature/**, bugfix/**, hotfix/**) keep the fast direct-commit path — no protection, no friction. - Protected branches use peter-evans/create-pull-request to open (or update) `chore/sbom-update-<branch>` with the regenerated `sbom.cdx.json`, base'd on the same branch. A reviewer merges as with any other PR, so the org ruleset's "1 review" requirement is honoured. - pull_request events skip the commit step entirely. The SBOM is already validated by the preceding scan steps; once the PR merges, this same workflow re-runs against the target branch and goes down one of the two paths above. Adds explicit job-level `permissions: contents: write, pull-requests: write` so the bot can write commits / open PRs without relying on whatever the repo's default permissions happen to be.
… openspec (#74) * docs(openspec): scrub sendent name from image-widget + link-button proposals Replaces "Sendent-era code" / "Sendent UX bug" / "(Sendent, Grafana, ...)" phrasing with neutral wording ("an earlier prototype", "deliberate UX choice", "Grafana, Microsoft Power BI tiles, and similar"). The technical content is unchanged. * docs: add walkthrough findings + admin/customize panel screenshots Captures notes from a working session through the dashboard flows (mydash-walkthrough/findings.md) plus screenshots of the admin settings, customize-panel (dashboards + widgets), and template-create modal for inclusion in the docs site. * chore: update SBOM --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Contributor
Author
Quality Report — ConductionNL/mydash @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ❌ | ||||
| phpcs | ❌ | ||||
| phpmd | ❌ | ||||
| psalm | ⏭️ | ||||
| phpstan | ❌ | ||||
| phpmetrics | ❌ | ||||
| eslint | ❌ | ||||
| stylelint | ⏭️ | ||||
| composer | ⏭️ | ⏭️ | |||
| npm | ⏭️ | ❌ | |||
| PHPUnit | ❌ | ||||
| Newman | ❌ | ||||
| Playwright | ❌ |
Quality workflow — 2026-05-01 07:59 UTC
Download the full PDF report from the workflow artifacts.
rubenvdlinde
added a commit
that referenced
this pull request
May 1, 2026
…eHelper - Apply phpcbf autofix for parameter-name + type spacing alignment in the docblocks (17 violations). - Replace the inline ternary on PageController:101 with an explicit if-block; inline IF statements are blocked by the project sniffs and the line was 136 chars (over the 125 limit). Unblocks the release PR (#72) which was failing the `quality / PHP Quality (phpcs)` check.
…eHelper (#75) - Apply phpcbf autofix for parameter-name + type spacing alignment in the docblocks (17 violations). - Replace the inline ternary on PageController:101 with an explicit if-block; inline IF statements are blocked by the project sniffs and the line was 136 chars (over the 125 limit). Unblocks the release PR (#72) which was failing the `quality / PHP Quality (phpcs)` check.
Contributor
Author
Quality Report — ConductionNL/mydash @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ❌ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ❌ | ||||
| stylelint | ✅ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ✅ | ✅ 342/342 | |||
| PHPUnit | ⏭️ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Quality workflow — 2026-05-01 08:01 UTC
Download the full PDF report from the workflow artifacts.
…reate (#77) DashboardFactoryTest::testCreateRespectsExplicitPermissionLevel was failing with "Unknown named parameter \$permissionLevel" because the factory hard-coded \$dashboard->setPermissionLevel(PERMISSION_FULL) and exposed no way for callers (or share / fork flows) to override it. Add the param, default to PERMISSION_FULL (preserving existing behaviour for the 9 other tests + every production caller, which are all positional), and pass it through to setPermissionLevel(). Tests: 354 / 354 passing.
Contributor
Author
Quality Report — ConductionNL/mydash @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ❌ | ||||
| phpcs | ✅ | ||||
| phpmd | ❌ | ||||
| psalm | ❌ | ||||
| phpstan | ❌ | ||||
| phpmetrics | ✅ | ||||
| eslint | ❌ | ||||
| stylelint | ❌ | ||||
| composer | ❌ | ❌ | |||
| npm | ❌ | ❌ | |||
| PHPUnit | ❌ | ||||
| Newman | ❌ | ||||
| Playwright | ❌ |
Quality workflow — 2026-05-01 08:02 UTC
Download the full PDF report from the workflow artifacts.
…ame (#78) PHPStan was silently passing on CI (the composer phpstan script swallows its exit code via `|| echo 'PHPStan not installed, skipping...'`), so two real bugs in Notifier.php had been sitting unflagged: 1. The L10N type-hints / docblocks referenced `\OCP\L10N\IL10N`, but that class doesn't exist — the actual interface lives at `\OCP\IL10N` (lib/public/IL10N.php in the server). Wrong type-hint meant DI would have failed at runtime as soon as a `dashboard_shared` notification was rendered. 6 occurrences fixed (2 sites × {docblock, signature} plus permissionLabel). 2. Two `setParsedMessage(subject: $x)` calls used the wrong named argument — INotification::setParsedMessage's parameter is `$message`, not `$subject`. Same wrong-named-arg pattern PHP's strict mode rejects with "Unknown named parameter". After the fix, `phpstan analyse lib/Notification/Notifier.php` is clean (was 4 errors), and the full-repo phpstan count drops 47 → 26 because the IL10N typo was poisoning every `$l->t(...)` callsite downstream. phpcbf-autofixed the docblock alignment that shifted as a side effect of shortening `\OCP\L10N\IL10N` → `\OCP\IL10N` (5 chars narrower).
Contributor
Author
Quality Report — ConductionNL/mydash @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ❌ | ||||
| phpcs | ❌ | ||||
| phpmd | ❌ | ||||
| psalm | ⏭️ | ||||
| phpstan | ❌ | ||||
| phpmetrics | ❌ | ||||
| eslint | ❌ | ||||
| stylelint | ❌ | ||||
| composer | ❌ | ❌ | |||
| npm | ⏭️ | ❌ | |||
| PHPUnit | ❌ | ||||
| Newman | ❌ | ||||
| Playwright | ❌ |
Quality workflow — 2026-05-01 08:03 UTC
Download the full PDF report from the workflow artifacts.
Contributor
Author
Quality Report — ConductionNL/mydash @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ❌ | ||||
| stylelint | ✅ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ✅ | ✅ 342/342 | |||
| PHPUnit | ⏭️ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Quality workflow — 2026-05-01 08:04 UTC
Download the full PDF report from the workflow artifacts.
PR #78 dropped phpstan from 47 → 26 by fixing the IL10N namespace typo. This batch clears the rest in four contained groups and removes the `|| echo` swallow from the composer script so future regressions actually fail CI. DashboardShareApiController (21): swap `DataResponse` → `JSONResponse` throughout the controller, matching the pattern used by every other passing controller in the app (DashboardApiController, ResponseHelper). The two classes are wire-compatible (both extend Response, same constructor signature, both serialise to JSON), but phpstan can resolve the JSONResponse generics from the existing docblocks while the bare DataResponse type was forcing it to infer T = `array<string, string>` and reject the call. AdminSettingMapper (2): the entity's setUpdatedAt() expects `?string`, but setSetting() was passing a `DateTime` object. Format to `Y-m-d H:i:s` to match the convention from DashboardFactory::create(). AdminTemplateService (1): replace `Ramsey\Uuid\Uuid::uuid4()` with the same `random_bytes`-based generator used by DashboardFactory. Ramsey UUID is not a declared composer dep, so the previous code would have crashed at runtime — this surfaced because phpstan correctly couldn't resolve the class. FileService (2): two `Node::nodeExists()` / `Node::newFile()` / `Node::putContent()` calls were made on results of `Folder::get()`, which returns the `Node` interface. Type-narrow with explicit `instanceof Folder` / `instanceof File` checks (throwing `RuntimeException` on the impossible-but-typed branch) so phpstan can verify the methods exist. Side benefit: removes a stale `@phpstan-ignore-next-line` that was silencing a real downstream error. composer.json: drop the `|| echo 'PHPStan not installed, skipping...'` from the `phpstan` script. The `||` made every phpstan run exit 0, so the CI quality job was reporting green even when phpstan failed — exactly how the IL10N typo and the Ramsey-UUID call slipped through review. Now `composer phpstan` propagates the real exit code. Verified locally: phpstan `[OK] No errors`, phpcs clean across 49 files, phpunit 354/354 (the one pre-existing DashboardFactoryTest::testCreateRespectsExplicitPermissionLevel failure is fixed by PR #77 and out of scope here).
Contributor
Author
Quality Report — ConductionNL/mydash @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ❌ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ❌ | ||||
| phpmetrics | ✅ | ||||
| eslint | ❌ | ||||
| stylelint | ✅ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ✅ | ✅ 342/342 | |||
| PHPUnit | ⏭️ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Quality workflow — 2026-05-01 08:05 UTC
Download the full PDF report from the workflow artifacts.
rubenvdlinde
added a commit
that referenced
this pull request
May 3, 2026
…eHelper (#75) - Apply phpcbf autofix for parameter-name + type spacing alignment in the docblocks (17 violations). - Replace the inline ternary on PageController:101 with an explicit if-block; inline IF statements are blocked by the project sniffs and the line was 136 chars (over the 125 limit). Unblocks the release PR (#72) which was failing the `quality / PHP Quality (phpcs)` check.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Automated PR to sync development changes to beta for beta release.
Merging this PR will trigger the beta release workflow.