Sync known-plugins.json to wp.org SVN assets daily

ilicfilip · claude · ilicfilip · commit 0e9a69f9c899 · 2026-05-07T17:02:26.000+02:00
Daily GitHub Action validates known-plugins.json and publishes it to
the plugin's wp.org /assets/ directory so installs can fetch updates
without waiting for a release. Validator rejects malformed JSON,
missing fields, and dangerously generic prefixes.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/sync-known-plugins.yml b/.github/workflows/sync-known-plugins.yml
@@ -0,0 +1,83 @@
+name: Sync known-plugins.json to wp.org SVN
+
+on:
+  schedule:
+    - cron: '0 3 * * *'
+  push:
+    branches:
+      - develop
+      - main
+    paths:
+      - 'known-plugins/known-plugins.json'
+  workflow_dispatch:
+
+jobs:
+  sync:
+    name: Publish known-plugins.json to wp.org assets
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.2'
+          coverage: none
+
+      - name: Validate known-plugins.json
+        run: php bin/validate-known-plugins.php
+
+      - name: Install Subversion
+        run: sudo apt-get update && sudo apt-get install -y subversion
+
+      - name: Sparse-checkout SVN assets
+        env:
+          SVN_USERNAME: ${{ secrets.SVN_USERNAME }}
+          SVN_PASSWORD: ${{ secrets.SVN_PASSWORD }}
+        run: |
+          svn checkout \
+            --depth immediates \
+            --username "$SVN_USERNAME" \
+            --password "$SVN_PASSWORD" \
+            --non-interactive \
+            --no-auth-cache \
+            https://plugins.svn.wordpress.org/aaa-option-optimizer/ svn-repo
+          svn update --set-depth infinity svn-repo/assets || svn mkdir --parents svn-repo/assets
+
+      - name: Copy JSON into assets and detect changes
+        id: diff
+        run: |
+          mkdir -p svn-repo/assets
+          cp known-plugins/known-plugins.json svn-repo/assets/known-plugins.json
+          cd svn-repo
+          # Add the file if it's new
+          if ! svn info assets/known-plugins.json >/dev/null 2>&1; then
+            svn add assets/known-plugins.json
+          fi
+          # Capture status; empty means nothing to commit
+          STATUS=$(svn status assets/known-plugins.json)
+          echo "svn-status: '$STATUS'"
+          if [ -z "$STATUS" ]; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Commit to SVN
+        if: steps.diff.outputs.changed == 'true'
+        env:
+          SVN_USERNAME: ${{ secrets.SVN_USERNAME }}
+          SVN_PASSWORD: ${{ secrets.SVN_PASSWORD }}
+        run: |
+          cd svn-repo
+          svn commit assets/known-plugins.json \
+            --username "$SVN_USERNAME" \
+            --password "$SVN_PASSWORD" \
+            --non-interactive \
+            --no-auth-cache \
+            -m "Update assets/known-plugins.json"
+
+      - name: No changes
+        if: steps.diff.outputs.changed != 'true'
+        run: echo "known-plugins.json on SVN is already up to date."
diff --git a/bin/validate-known-plugins.php b/bin/validate-known-plugins.php
@@ -0,0 +1,94 @@
+<?php
+/**
+ * Validate known-plugins/known-plugins.json before publishing.
+ *
+ * Exits non-zero on any problem so CI can fail.
+ *
+ * @package Progress_Planner\OptionOptimizer
+ */
+
+$file = dirname( __DIR__ ) . '/known-plugins/known-plugins.json';
+
+if ( ! file_exists( $file ) ) {
+	fwrite( STDERR, "Missing file: {$file}\n" );
+	exit( 1 );
+}
+
+$raw = file_get_contents( $file );
+if ( false === $raw || '' === trim( $raw ) ) {
+	fwrite( STDERR, "Empty file: {$file}\n" );
+	exit( 1 );
+}
+
+$data = json_decode( $raw, true );
+if ( JSON_ERROR_NONE !== json_last_error() ) {
+	fwrite( STDERR, 'Invalid JSON: ' . json_last_error_msg() . "\n" );
+	exit( 1 );
+}
+
+if ( ! is_array( $data ) || empty( $data ) ) {
+	fwrite( STDERR, "Top-level JSON must be a non-empty object.\n" );
+	exit( 1 );
+}
+
+$errors        = [];
+$warnings      = [];
+$seen_prefixes = [];
+
+foreach ( $data as $slug => $entry ) {
+	if ( ! is_string( $slug ) || '' === $slug ) {
+		$errors[] = 'Slug must be a non-empty string.';
+		continue;
+	}
+
+	if ( ! is_array( $entry ) ) {
+		$errors[] = "Entry for '{$slug}' must be an object.";
+		continue;
+	}
+
+	if ( empty( $entry['name'] ) || ! is_string( $entry['name'] ) ) {
+		$errors[] = "Entry '{$slug}' missing 'name' string.";
+	}
+
+	if ( empty( $entry['option_prefixes'] ) || ! is_array( $entry['option_prefixes'] ) ) {
+		$errors[] = "Entry '{$slug}' missing non-empty 'option_prefixes' array.";
+		continue;
+	}
+
+	foreach ( $entry['option_prefixes'] as $prefix ) {
+		if ( ! is_string( $prefix ) || '' === $prefix ) {
+			$errors[] = "Entry '{$slug}' has empty/non-string prefix.";
+			continue;
+		}
+
+		// Reject dangerously generic prefixes that would match thousands of options.
+		if ( strlen( $prefix ) < 3 ) {
+			$errors[] = "Entry '{$slug}' prefix '{$prefix}' is too short (<3 chars).";
+		}
+
+		if ( in_array( $prefix, [ 'wp_', 'option_', '_transient_' ], true ) ) {
+			$errors[] = "Entry '{$slug}' prefix '{$prefix}' is reserved/dangerous.";
+		}
+
+		if ( isset( $seen_prefixes[ $prefix ] ) && $seen_prefixes[ $prefix ] !== $slug ) {
+			$warnings[] = "Prefix '{$prefix}' claimed by both '{$seen_prefixes[ $prefix ]}' and '{$slug}'.";
+		}
+		$seen_prefixes[ $prefix ] = $slug;
+	}
+}
+
+foreach ( $warnings as $warn ) {
+	fwrite( STDERR, "WARNING: {$warn}\n" );
+}
+
+if ( ! empty( $errors ) ) {
+	fwrite( STDERR, "Validation failed:\n" );
+	foreach ( $errors as $err ) {
+		fwrite( STDERR, "  - {$err}\n" );
+	}
+	exit( 1 );
+}
+
+$count = count( $data );
+echo "OK: {$count} entries validated.\n";
+exit( 0 );
