Modern cloud-native WordPress boilerplate

.dockerignore

@@ -0,0 +1,18 @@
+.git
+.github
+helm
+
+.env
+.env.*
+
+node_modules
+
+# Local/IDE noise
+.idea
+.vscode
+.DS_Store
+
+# Composer install output (built inside Docker)
+vendor
+web/wp
+

.editorconfig

@@ -0,0 +1,16 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.php]
+indent_size = 4
+
+[*.md]
+trim_trailing_whitespace = false
+

.env.example

@@ -0,0 +1,67 @@
+# -----------------------------------------------------------------------------
+# Bedrock / WordPress configuration (safe example)
+# -----------------------------------------------------------------------------
+
+WP_ENV=development
+WP_HOME=http://localhost:8080
+# Keep WP_SITEURL explicit for compatibility with tooling that does not
+# interpolate variables inside env files.
+WP_SITEURL=http://localhost:8080/wp
+
+# Optional TLS dev endpoint:
+# WP_HOME=https://wp.localhost:8443
+# WP_SITEURL=https://wp.localhost:8443/wp
+
+# -----------------------------------------------------------------------------
+# Database (local dev defaults)
+# -----------------------------------------------------------------------------
+
+DB_NAME=wordpress
+DB_USER=wordpress
+DB_PASSWORD=wordpress
+DB_HOST=db
+DB_PREFIX=wp_
+DB_ROOT_PASSWORD=root
+
+# -----------------------------------------------------------------------------
+# Authentication Keys and Salts
+# Generate new values for real environments:
+#   https://roots.io/salts.html
+# -----------------------------------------------------------------------------
+
+AUTH_KEY='generateme'
+SECURE_AUTH_KEY='generateme'
+LOGGED_IN_KEY='generateme'
+NONCE_KEY='generateme'
+AUTH_SALT='generateme'
+SECURE_AUTH_SALT='generateme'
+LOGGED_IN_SALT='generateme'
+NONCE_SALT='generateme'
+
+# -----------------------------------------------------------------------------
+# WordPress hardening / behavior
+# -----------------------------------------------------------------------------
+
+DISABLE_WP_CRON=false
+WP_POST_REVISIONS=25
+
+# -----------------------------------------------------------------------------
+# Redis object cache (optional; requires a Redis cache plugin)
+# -----------------------------------------------------------------------------
+
+WP_CACHE=false
+WP_REDIS_HOST=redis
+WP_REDIS_PORT=6379
+
+# Optional: set the default theme (committed placeholder theme is `starter-theme`)
+WP_DEFAULT_THEME=starter-theme
+
+# -----------------------------------------------------------------------------
+# Docker dev ergonomics
+# -----------------------------------------------------------------------------
+#
+# Used to build the php-dev image with a UID/GID matching your host user so
+# bind-mounts and generated files are writable without manual chmod/chown.
+APP_UID=1000
+APP_GID=1000
+

.gitattributes

@@ -0,0 +1,4 @@
+/.editorconfig export-ignore
+/.gitattributes export-ignore
+/.github export-ignore
+

.github/dependabot.yml

@@ -0,0 +1,17 @@
+version: 2
+updates:
+  - package-ecosystem: "composer"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+

.github/workflows/ci.yml

@@ -0,0 +1,120 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches: ["main"]
+
+permissions:
+  contents: read
+
+jobs:
+  php:
+    name: Composer validate / lint / audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: "8.3"
+          tools: composer:v2
+          coverage: none
+          extensions: intl, mbstring, curl, zip
+          ini-values: memory_limit=512M
+
+      - name: Composer validate
+        run: composer validate --strict
+
+      - name: Composer install (dev)
+        run: composer install --no-interaction --no-progress
+
+      - name: Lint (Pint)
+        run: composer lint
+
+      - name: Composer audit
+        run: composer audit
+
+  local-smoke:
+    name: Local stack smoke (Docker Compose)
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Prepare local .env for CI
+        run: |
+          cp .env.example .env
+          echo "APP_UID=$(id -u)" >> .env
+          echo "APP_GID=$(id -g)" >> .env
+          echo "WP_ADMIN_PASSWORD=ci-smoke-password" >> .env
+
+      - name: Docker versions
+        run: |
+          docker version
+          docker compose version
+
+      - name: Doctor preflight
+        run: make doctor
+
+      - name: Bootstrap stack
+        run: make bootstrap
+
+      - name: Smoke checks
+        run: make smoke
+
+      - name: Compose status/logs on failure
+        if: failure()
+        run: |
+          docker compose ps
+          docker compose logs --no-color --tail=200
+
+      - name: Teardown
+        if: always()
+        run: docker compose down -v --remove-orphans
+
+  helm:
+    name: Helm lint / template
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Helm
+        uses: azure/setup-helm@v4
+
+      - name: Helm lint
+        run: >
+          helm lint helm/wp-boilerplate
+          --set image.php.tag=ci
+          --set image.web.tag=ci
+
+      - name: Helm template (render)
+        run: >
+          helm template wp helm/wp-boilerplate
+          --namespace wp
+          --set image.php.tag=ci
+          --set image.web.tag=ci
+          > /tmp/wp-boilerplate.rendered.yaml
+
+      - name: Install kubeconform
+        run: |
+          set -euo pipefail
+          KUBECONFORM_VERSION="v0.7.0"
+          curl -fsSLo kubeconform.tar.gz "https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz"
+          tar -xzf kubeconform.tar.gz kubeconform
+          sudo mv kubeconform /usr/local/bin/kubeconform
+
+      - name: Kubeconform validate rendered manifests
+        run: |
+          set -euo pipefail
+          kubeconform \
+            -strict \
+            -summary \
+            -ignore-missing-schemas \
+            -kubernetes-version 1.29.0 \
+            /tmp/wp-boilerplate.rendered.yaml
+

.github/workflows/codeql.yml

@@ -0,0 +1,38 @@
+name: CodeQL
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+  schedule:
+    - cron: "23 3 * * 1"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["php"]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+