No actionable comments were generated in the recent review. 🎉

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Security Scan Results for PR

Docker Image Scan Results

Source Code Scan Results

🎉 No vulnerabilities found!

Greptile Summary

This PR removes Docker-based composer:2.8 and node:24-alpine wrappers in the CI workflow and replaces them with native shivammathur/setup-php@v2 and actions/setup-node@v4 actions. Two new dedicated jobs are introduced: Checks / Composer (runs composer validate + composer audit) and Checks / Locale (runs the locale key-consistency script). The locale script itself correctly uses import.meta.url-relative path resolution, so the change from cd /app/.../ && node index.js to node .github/workflows/static-analysis/locale/index.js from the repo root is functionally equivalent.

Key observations:

• The locale job uses actions/setup-node@v4 with Node.js 24, which conflicts with the team's preference to use Bun instead of Node.js. The locale script has no external npm dependencies and uses only Node.js built-ins that Bun supports natively, so the migration to Bun would be straightforward.
• Composer is now installed as composer:v2 (latest 2.x) rather than the previously pinned composer:2.8. This slightly reduces build reproducibility, as a new Composer release could silently change behaviour.
• The composer job has no if: github.event_name == 'pull_request' guard (consistent with the pre-existing format and analyze jobs), so it will also run on workflow_dispatch events — this appears intentional.

Confidence Score: 4/5

• This PR is safe to merge; the CI refactoring is low-risk and functionally equivalent to the previous Docker-based approach.
• The changes are a straightforward CI migration with no impact on application code. The locale script uses __dirname-relative paths so path resolution is unaffected by the working-directory change. One style concern (Node.js instead of Bun) and one minor reproducibility concern (unpinned Composer version) prevent a perfect score.
• No files require special attention beyond the two inline comments on .github/workflows/ci.yml.

Important Files Changed

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    PR[Pull Request / workflow_dispatch] --> DEP[Checks / Dependencies\npull_request only]
    PR --> SEC[Checks / Image\npull_request only]
    PR --> COMP[Checks / Composer\ncomposer validate + audit]
    PR --> FMT[Checks / Format\ncomposer lint on HEAD^2]
    PR --> ANA[Checks / Analyze\nPHPStan via composer check]
    PR --> LOC[Checks / Locale\nnode locale/index.js]
    PR --> MATRIX[Tests / Matrix\ngenerate DB × mode matrix]
    PR --> BUILD[Build\nDocker image]

    BUILD --> UNIT[Tests / Unit]
    BUILD --> E2E_GEN[Tests / E2E / General]
    BUILD --> E2E_SVC[Tests / E2E / Service matrix]
    BUILD --> E2E_ABUSE[Tests / E2E / Abuse]
    BUILD --> E2E_SS[Tests / E2E / Screenshots]
    BUILD --> BENCH[Benchmark]

    MATRIX --> E2E_SVC
    MATRIX --> E2E_ABUSE
    MATRIX --> E2E_SS

    COMP:::new
    LOC:::new
    classDef new fill:#d4edda,stroke:#28a745

_{Last reviewed commit: bc2a0d5}

🔄 PHP-Retry Summary

Flaky tests detected across commits:

✨ Benchmark results

• Requests per second: 1,715
• Requests with 200 status code: 308,668
• P99 latency: 0.099333533

⚡ Benchmark Comparison