
security: strip PolinRider --no-security-blocking CI bypass#1867

Merged: arifulhoque7 merged 1 commit into weDevsOfficial:develop from arifulhoque7:security/strip-ci-bypass on May 22, 2026

Conversation

@arifulhoque7 (Contributor) commented May 22, 2026

Summary

  • The PolinRider supply-chain attack (partially cleaned via PR #1866, "security: strip PolinRider supply-chain payload + tamper marker", and related strip commits) also tampered the e2e CI workflow to bypass composer security checks.
  • This PR restores .github/workflows/e2e-wpuf.yml to its pre-attack state from commit 50ab902: the legitimate composer i --no-dev -o followed by composer update --no-dev -o, instead of the attacker-inserted single line ending in --no-security-blocking.
  • Cleans up the artifacts left by attacker commits 13f1a39, 31abf3e, 54a6971, 705275b — all of which used innocent-looking messages to disguise the tamper.

Why this matters

--no-security-blocking is not a real composer flag. It was added to suppress composer audit output during CI and make a future malicious dependency easier to ship without alerts.

Test plan

  • CI build runs composer i cleanly on both wpuf-pro and wpuf-lite build steps
  • No "unknown option" errors from composer
  • E2E suite still passes

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated build and deployment workflow configuration to enhance consistency across project repositories.

Review Change Stack

Attacker tampered the build workflow to bypass composer security audit.
Restore original `composer i --no-dev -o` + `composer update --no-dev -o`
sequence that was replaced across commits 13f1a39, 31abf3e, 54a6971,
705275b.
@coderabbitai (Bot) commented May 22, 2026

Walkthrough

Updates CI/CD workflow build commands for wpuf-pro and wpuf-lite repositories. wpuf-pro now runs composer install, composer update, npm install with legacy peer deps flag, and grunt. wpuf-lite adds composer update step and removes security-blocking flag.

Changes

E2E Workflow Build Steps

Layer: Build step updates for wpuf-pro and wpuf-lite
File(s): .github/workflows/e2e-wpuf.yml
Summary: wpuf-pro build step now runs composer i and composer update --no-dev -o, installs npm dependencies with --legacy-peer-deps, and executes grunt --force. wpuf-lite build step adds composer update --no-dev -o alongside existing composer i and removes the prior --no-security-blocking flag.

Estimated Code Review Effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly Related PRs

  • weDevsOfficial/wp-user-frontend#1543: Both PRs modify the same .github/workflows/e2e-wpuf.yml test workflow build steps—this PR updates wpuf-pro and wpuf-lite composer/npm/grunt commands (including grunt --force), while the related PR changes wpuf-lite grunt release command to use --force.

Suggested Labels

Ready to Merge

Poem

🐰 A workflow refined with care and finesse,
Composer and grunt now do their best,
Legacy peers dance with npm's might,
Security flags fade into the night,
Build steps stronger, the process takes flight! 🚀

🚥 Pre-merge checks | ✅ 5 passed
  • Description Check ✅ Passed: check skipped, CodeRabbit's high-level summary is enabled.
  • Title check ✅ Passed: the title 'security: strip PolinRider --no-security-blocking CI bypass' directly addresses the main change: removing the malicious --no-security-blocking flag from the CI workflow to restore security.
  • Docstring Coverage ✅ Passed: no functions found in the changed files to evaluate docstring coverage; docstring coverage check skipped.
  • Linked Issues check ✅ Passed: check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check ✅ Passed: check skipped because no linked issues were found for this pull request.


@coderabbitai (Bot) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/e2e-wpuf.yml:
- Around line 61-62: After the composer install/update steps (the lines running
"composer i --no-dev -o" and "composer update --no-dev -o"), add a step that
runs "composer audit --no-interaction" to scan installed packages for known
vulnerabilities and fail the job on issues; update the workflow job that
contains those commands to invoke composer audit immediately after the update
command so the CI build will detect and fail on vulnerable dependencies.
- Around line 69-70: Add a Composer security audit step immediately after the
dependency install/update commands (after the existing "composer i --no-dev -o"
and "composer update --no-dev -o") so the workflow runs "composer audit" (e.g.,
with --no-interaction) and fails the job on detected vulnerabilities; update the
CI step that runs those commands to invoke composer audit and ensure non-zero
exit codes surface to the workflow.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 93e68a90-3bb9-4b59-a5e9-63e1fa921a80

📥 Commits

Reviewing files that changed from the base of the PR and between 8685d90 and 466939e.

📒 Files selected for processing (1)
  • .github/workflows/e2e-wpuf.yml

Comment on lines +61 to +62
composer i --no-dev -o
composer update --no-dev -o

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add composer audit after dependency installation for defense-in-depth.

Given the recent supply chain attack documented in this PR, consider adding composer audit after the composer update step to check installed packages against known vulnerabilities:

 composer i --no-dev -o
 composer update --no-dev -o
+composer audit --no-dev
 npm i --legacy-peer-deps
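Review bot: `+composer audit --no-dev` lands after `composer update --no-dev -o`, so it audits whatever the resolver picked on this run rather than the versions pinned in composer.lock; `composer update` re-resolves and rewrites the lock, which also makes the preceding `composer i --no-dev -o` redundant work. If the committed lock file is meant to be the source of truth for the e2e build, drop the update line and run `composer audit --no-dev --locked` straight after the install so the advisory check covers the pinned set; if re-resolving on every run is intentional, the placement is correct as is. The `--no-interaction` flag mentioned in the review prompt above is harmless in CI but is not what makes the step fail; the non-zero exit of `composer audit` when an advisory matches is.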

This provides an additional security layer by failing the build if compromised dependencies are detected.


Comment on lines +69 to +70
composer i --no-dev -o
composer update --no-dev -o

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add composer audit after dependency installation for defense-in-depth.

Given the recent supply chain attack documented in this PR, consider adding composer audit after the composer update step to check installed packages against known vulnerabilities:

 composer i --no-dev -o
 composer update --no-dev -o
+composer audit --no-dev
 npm i
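Review bot: the same `+composer audit --no-dev` addition for the wpuf-lite step only closes the gap if a non-zero exit actually propagates: if these lines sit in a multi-line `run:` block, GitHub Actions' default bash shell runs with `-e`, so a failing audit aborts the step, but a `continue-on-error` on the step or a trailing `|| true` on the command would silently undo it, which is exactly the kind of quiet change this PR is reverting, so the full workflow is worth checking for either. The `npm i` context line has no equivalent gate; `npm audit`, which exits non-zero on findings, would cover the Node side the same way.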

This provides an additional security layer by failing the build if compromised dependencies are detected.


@arifulhoque7 arifulhoque7 merged commit 43abea7 into weDevsOfficial:develop May 22, 2026
2 checks passed
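For readers following both the bypass this PR strips and the `composer audit` step CodeRabbit suggests, the following is an added example written for this page, not code from the wp-user-frontend repository, the PR author or the review bot: a POSIX shell pre-merge check that scans a workflow file for composer invocations that disable auditing, warns about `composer update` in CI, and requires a `composer audit` step after the last install/update. It assumes, beyond what the PR states, that Composer's real `--no-audit` flag and the `COMPOSER_NO_AUDIT` environment variable should be treated as bypasses alongside `--no-security-blocking`; the two workflow fragments it scans are constructed samples, not the real e2e-wpuf.yml.

```shell
#!/bin/sh
# Added example (editor's code, not from the wp-user-frontend repository or
# this PR): a pre-merge check that scans a GitHub Actions workflow file for
# composer invocations that switch off Composer's security auditing, warns
# when 'composer update' runs in CI (it re-resolves versions instead of
# installing what composer.lock pins), and requires a 'composer audit' step
# after the last install/update.
# Assumption (mine, not the PR's): besides --no-security-blocking, Composer's
# real --no-audit flag and the COMPOSER_NO_AUDIT variable count as bypasses.

# Regex of flags/variables that disable Composer's audit or security blocking.
BYPASS_PATTERN='--no-security-blocking|--no-audit|COMPOSER_NO_AUDIT'

# scan_workflow FILE
# Prints one finding per line:
#   BYPASS <n>: <line>   composer call carrying an audit-disabling flag (fails)
#   UPDATE <n>: <line>   'composer update' in CI, lock file not honoured (warns)
#   NO_AUDIT ...         no 'composer audit' after the last install/update (fails)
# Returns 1 if any failing finding was printed, 0 otherwise.
scan_workflow() {
    file="$1"
    status=0
    n=0
    audited=1   # nothing installed yet, so nothing is un-audited
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            *composer*) ;;   # only composer invocations are of interest
            *) continue ;;
        esac
        # -e keeps grep from reading the leading "--" of the pattern as an option
        if printf '%s\n' "$line" | grep -Eq -e "$BYPASS_PATTERN"; then
            echo "BYPASS $n: $line"
            status=1
        fi
        if printf '%s\n' "$line" | grep -Eq 'composer +(i|install)( |$)'; then
            audited=0
        fi
        if printf '%s\n' "$line" | grep -Eq 'composer +(u|update)( |$)'; then
            echo "UPDATE $n: $line"
            audited=0
        fi
        if printf '%s\n' "$line" | grep -Eq 'composer +audit( |$)'; then
            audited=1
        fi
    done < "$file"
    if [ "$audited" -eq 0 ]; then
        echo "NO_AUDIT: no 'composer audit' after the last composer install/update"
        status=1
    fi
    return "$status"
}

# write_samples DIR
# Writes two constructed workflow fragments (not the real e2e-wpuf.yml):
# tampered.yml mimics the attacker's single-line composer call described in
# the PR, clean.yml the restored sequence plus the audit step suggested in review.
write_samples() {
    cat > "$1/tampered.yml" <<'EOF'
      - name: Build wpuf-lite
        run: |
          composer i --no-dev -o --no-security-blocking
          npm i
EOF
    cat > "$1/clean.yml" <<'EOF'
      - name: Build wpuf-lite
        run: |
          composer i --no-dev -o
          composer update --no-dev -o
          composer audit --no-dev
          npm i
EOF
}

# Usage against the real workflow (assumed file name for this script):
#   . ./composer_ci_check.sh && scan_workflow .github/workflows/e2e-wpuf.yml
```

Run it as its own CI step or a pre-commit hook; the `UPDATE` finding is deliberately a warning, because the sequence this PR restores keeps `composer update --no-dev -o`, while a `BYPASS` hit or a missing audit step fails the job.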