AT-1709 add property id validation #3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: opencode-review | |
| on: | |
| pull_request_target: | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| concurrency: | |
| group: opencode-review-${{ github.event.pull_request.number }} | |
| cancel-in-progress: true | |
| jobs: | |
| review: | |
| if: github.event.pull_request.draft == false | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: read | |
| pull-requests: write | |
| issues: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Run OpenCode Review | |
| uses: anomalyco/opencode/github@latest | |
| timeout-minutes: 20 | |
| env: | |
| OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} | |
| with: | |
| model: openai/gpt-5.4 | |
| prompt: | | |
| You are reviewing a pull request for the `wordpress-plugins` repository. | |
| Focus on correctness, regressions, security, and repository-specific conventions. | |
| Do not nitpick formatting or suggest broad rewrites that are unrelated to the diff. | |
| ## Repo Context | |
| - The repo contains two classic WordPress plugins: | |
| - `anytrack-affiliate-link-manager/trunk` | |
| - `anytrack-for-woocommerce/trunk` | |
| - Plugins use WordPress.org SVN-style layout: `trunk/` for code, `assets/` for wp.org assets. | |
| - Architecture is legacy WordPress PHP: procedural functions, small bootstrap classes, `include`-based module loading, hooks, AJAX actions, and direct use of WordPress/WooCommerce APIs. | |
| - Admin UI is often assembled as concatenated HTML strings in PHP helper classes. | |
| - JavaScript is plain jQuery enqueued via WordPress; there is no React, TypeScript, bundler, or modern frontend build. | |
| - There is no Composer, PHPUnit, ESLint, or package-based build/test pipeline in this repo. | |
| ## Repo Conventions To Enforce | |
| - Prefer minimal changes that fit the current plugin architecture; avoid broad modernization unless the diff explicitly calls for it. | |
| - Follow existing prefixes and naming: | |
| - `anytrack_for_woocommerce_*` for WooCommerce plugin functions | |
| - `aalm_*` for Affiliate Link Manager functions | |
| - New modules should be wired through the plugin bootstrap include list rather than through autoloading. | |
| - Prefer WordPress and WooCommerce APIs over raw PHP when an equivalent helper already exists. | |
| - Match the touched file's existing formatting style; do not flag minor spacing or brace inconsistencies unless they cause a real bug. | |
| ## Review Priorities | |
| - Start with real behavioral regressions, data loss risks, access-control mistakes, security issues, and broken WordPress/WooCommerce hooks. | |
| - Be especially careful in redirect logic, AJAX handlers, order hooks, settings save handlers, and admin delete flows. | |
| - Check nonce validation, capability checks, sanitization of `$_POST` / `$_GET`, escaping of rendered output, and safe redirects. | |
| - Watch for misuse of WooCommerce objects and getters, incorrect hook signatures, duplicate tracking, and changes that can fire on the wrong page or multiple times. | |
| - Flag unsafe direct superglobal usage, missing `isset` guards, and broken assumptions around options, post meta, cookies, and request payloads. | |
| - Do not suggest adding frameworks, dependency injection, namespaces, or type-heavy refactors unless the PR is already moving in that direction. | |
| ## Testing Expectations | |
| - There is no automated test suite in this repo, so do not require PHPUnit or JS tests that do not exist. | |
| - Prefer validation suggestions that match the repo: | |
| - `php -l` for changed PHP files | |
| - narrow manual verification in a local WordPress or WooCommerce flow | |
| - `bash generate-zips.sh` when packaging behavior is affected | |
| - If the diff changes runtime behavior but lacks any realistic validation path, mention that as residual risk. | |
| ## Review Output Format | |
| - Report only actual findings from the diff. Do not praise the PR or restate the implementation. | |
| - Order findings by severity and include file or symbol references plus concise reasoning and impact. | |
| - Use this structure: | |
| 1. 🚨 **Critical** - Must fix before merge (security, data loss, breaking changes) | |
| 2. ⚠️ **Major** - Should be addressed (bugs, performance, best practices) | |
| 3. 💡 **Minor** - Suggestions for improvement, very short description is enough | |
| - If there are no findings, say that explicitly and mention any residual risk or missing validation. | |
| - Append each finding with: *Re-check this finding against the exact changed lines and fix it only if the issue is confirmed in the diff.* | |
| - Only report actual issues from the diff. Do not invent findings about missing build, typecheck, or linter steps that this repo does not have. |