Toolkit

Components

In the QA Website, you can find the components being controlled by our CI/CD.

Components

Mandatory module check

Ensure that packages marked as Mandatory in the QA website inventory are being used by the project.

You can check the list of mandatory modules.

  • It is not possible to bypass this check.

Recommended module check

Ensure that packages marked as Recommended in the QA website inventory are being used by the project.

You can check the list of recommended modules.

  • This step is in reporting mode.

Insecure module check

Uses the command composer audit command.

  • It is possible to bypass this check using the environment variable QA_SKIP_INSECURE=true or by using the

token [SKIP_INSECURE] in the commit message.

Outdated module check

Uses the composer outdated command.

  • It is possible to bypass this check using the token [SKIP_OUTDATED] in the commit message or by configuration

toolkit.components.outdated.check: false .

  • It is also possible to bypass specific package in a specific version, example:
toolkit:
  components:
    outdated:
      ignores:
        - name: drupal/webform
          version: 1.1.1

Abandoned module check

Uses the composer outdated command.

  • It is possible to bypass this check using the configuration toolkit.components.abandoned.check: false .

Unsupported module check

Uses the update_available_releases() in combination with update_calculate_project_data() functions.

  • It is possible to bypass this check using the configuration toolkit.components.unsupported.check: false .

Evaluation module check

Uses the Quality Assurance packages inventory to validate the used components if they are whitelisted or blacklisted.

Using a set of vendors configured in the endpoint to validate the packages, it is possible to restrict the use of packages by project-id, type of project or profile.

All metapackages and local packages are ignored.

Development module check

Uses the Quality Assurance packages inventory to validate that no development packages are used in the production environment.

Composer validation check

Performs a series of checks in the composer.json file.

Ensures that packages are not used in dev branches (like: ^dev-* or *-dev$ ).

Enforce the setting extra.enable-patching to be false .

Enforce the setting extra.composer-exit-on-patch-failure to be true .

Validate existing patches, by default only local and Drupal.org patches are allowed.

  • It is possible to block remote patches from Drupal.org by using configuration toolkit.components.composer.drupal_patches: false .

Search results