Copilot AI commented Jan 7, 2026

Plan: Add Must-Use Plugin Checksum Verification

  • Explore repository structure and understand current implementation
  • Understand how plugin checksum verification currently works
  • Create detailed implementation plan
  • Add --exclude-mu-plugins flag to command synopsis
  • Modify Checksum_Plugin_Command::__invoke() to fetch and verify MU plugins
  • Add logic to identify plugin slug from MU plugin path
  • Add MU plugin verification logic (verify_mu_plugin)
  • Add warning messages for single-file MU plugins without matching checksums
  • Add warning messages for custom MU plugin files
  • Add helper methods for MU plugin file handling
  • Pass linting and static analysis checks
  • Add new Behat test scenarios for MU plugin verification
  • Address code review feedback (round 1)
  • Address code review feedback (round 2) - optimize duplicate calls
  • Address code review feedback (round 3) - fix critical bugs and refactor
  • Address code review feedback (round 4) - eliminate code duplication
  • Address code review feedback (round 5) - refactor error handling
  • Address code review feedback (round 6) - remove redundant basename call
  • Address code review feedback (round 7) - use get_plugins for subdirectories
  • Run security checks with CodeQL
  • Final verification and completion
Original prompt

This section details the original issue you should resolve

<issue_title>Add support for checksum verification of must-use plugins</issue_title>
<issue_description>As discussed in #26 (comment), the plugin checksum verification currently ignores must-use plugins.

Should these be checked by default? ... or only through an additional flag?

I think I'd prefer to have them be included in the checks by default, with a flag to omit them if they should cause trouble.</issue_description>

Comments on the Issue (you are @copilot in this section)

@schlessera The plugin header file can be checked to retrieve the plugin slug.

This works well for normal plugins that were moved into the mu-plugins folder and an MU-loader system like the one from Bedrock or WP-Starter takes care of actually loading them.

It won't work so well for:

  1. Individual plugin files that were put there just to trigger the loading of a subfolder plugin.
  2. Individual plugin files that contain custom logic for that site.

For now, we should throw warnings when 1. or 2. are found, as erroring out would make MU-plugins mostly unusable in terms of checksum verification.</comment_new>



Copilot AI changed the title from "[WIP] Add support for checksum verification of must-use plugins" to "Add support for checksum verification of must-use plugins" on Jan 7, 2026
Copilot AI requested a review from swissspidy on January 7, 2026 17:38
swissspidy requested a review from Copilot on January 9, 2026 10:03


- Remove get_mu_plugin_list() wrapper, use get_mu_plugins() directly
- Rename get_plugin_slug_from_header() to get_plugin_slug_from_path() and remove unused parameter
- Extract version retrieval into get_plugin_version_for_verification() method
- Fix critical bug: create check_mu_file_checksum() to properly handle WPMU_PLUGIN_DIR paths

Co-authored-by: swissspidy <[email protected]>


- Add optional base_dir parameter to check_file_checksum() and get_absolute_path()
- Remove duplicate check_mu_file_checksum() method
- Update verify_mu_plugin() to use unified check_file_checksum() with WPMU_PLUGIN_DIR
- Reduces code duplication and improves maintainability

Co-authored-by: swissspidy <[email protected]>

- Throw exception when checksums retrieval returns false
- Centralize error handling in single catch block
- Remove duplicate logic for single-file MU plugin warnings
- Improves code maintainability

Co-authored-by: swissspidy <[email protected]>

When strpos() returns false, $mu_file has no '/' character, meaning it's already just a filename without a directory path. The basename() call is redundant in this case.

Co-authored-by: swissspidy <[email protected]>

Changed from get_mu_plugins() to get_plugins('/../mu-plugins') to include both single files in the base mu-plugins directory and plugins in subdirectories. get_mu_plugins() only returns single files in the base directory.

Co-authored-by: swissspidy <[email protected]>
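
The slug rule from the issue comment and the commit messages above (slug from the path, warning instead of error when no checksums match), as an added example that is not code from this pull request. The function names `mu_slug_from_path()` and `verify_mu_files()`, the SHA-256 checksum map, and the temporary directory standing in for WPMU_PLUGIN_DIR are assumptions made for illustration.

```php
<?php
// Added illustration, not code from this pull request; function names are hypothetical.

// Slug for a plugin key of the form "dir/file.php" or "file.php".
function mu_slug_from_path( string $mu_file ): string {
	$pos = strpos( $mu_file, '/' );
	// No '/' means the key is already a bare filename in the base directory.
	return false === $pos ? preg_replace( '/\.php$/', '', $mu_file ) : substr( $mu_file, 0, $pos );
}

// $checksums: slug => [ path relative to the plugin => sha256 ], a constructed
// stand-in for the checksums fetched for that slug and version.
function verify_mu_files( string $base_dir, array $mu_files, array $checksums ): array {
	$result = [ 'ok' => [], 'failed' => [], 'warnings' => [] ];
	foreach ( $mu_files as $mu_file ) {
		$slug = mu_slug_from_path( $mu_file );
		if ( ! isset( $checksums[ $slug ] ) ) {
			// Loader stub or site-specific file: nothing to compare against, so
			// record a warning and keep going instead of failing the whole run.
			$result['warnings'][] = $mu_file;
			continue;
		}
		$prefix = false === strpos( $mu_file, '/' ) ? '' : $slug . '/';
		foreach ( $checksums[ $slug ] as $rel => $expected ) {
			$path   = $base_dir . '/' . $prefix . $rel;
			$actual = is_file( $path ) ? (string) hash_file( 'sha256', $path ) : '';
			$result[ hash_equals( $expected, $actual ) ? 'ok' : 'failed' ][] = $prefix . $rel;
		}
	}
	return $result;
}

// Constructed sample tree: one subdirectory plugin with a modified file, one loader stub.
$dir = sys_get_temp_dir() . '/mu-demo-' . bin2hex( random_bytes( 4 ) );
mkdir( "$dir/example-plugin", 0700, true );
file_put_contents( "$dir/example-plugin/example-plugin.php", "<?php // Plugin Name: Example\n" );
file_put_contents( "$dir/example-plugin/lib.php", "<?php // modified on disk\n" );
file_put_contents( "$dir/loader.php", "<?php require __DIR__ . '/example-plugin/example-plugin.php';\n" );

$checksums = [
	'example-plugin' => [
		'example-plugin.php' => hash( 'sha256', "<?php // Plugin Name: Example\n" ),
		'lib.php'            => hash( 'sha256', "<?php // as released\n" ),
	],
];
print_r( verify_mu_files( $dir, [ 'example-plugin/example-plugin.php', 'loader.php' ], $checksums ) );
```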

codecov bot commented Jan 11, 2026

Codecov Report

❌ Patch coverage is 87.14286% with 9 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| src/Checksum_Plugin_Command.php | 87.14% | 9 Missing ⚠️ |


swissspidy marked this pull request as ready for review on January 11, 2026 21:21
swissspidy requested a review from a team as a code owner on January 11, 2026 21:21