Add mago as composer dependency

[Crabcyborg]

Installing composer dependencies seems significantly slower, but the old way is failing now without the --no-verify which seems like a bad idea.

Summary by CodeRabbit

• Chores
  • Added code quality and analysis tools to development dependencies
  • Refactored deployment workflow to leverage Composer-managed development binaries for code analysis

[coderabbitai]

Warning

Rate limit exceeded

@Crabcyborg has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 49 minutes and 45 seconds before requesting another review.

To continue reviewing without waiting, purchase usage credits in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 58052a4b-725d-4fe0-b788-2193b96308da

📥 Commits

Reviewing files that changed from the base of the PR and between 0a69e9a and 20a01f2.

📒 Files selected for processing (2)

• .github/workflows/mago.yml
• .github/workflows/phpstan.yml

📝 Walkthrough

Walkthrough

Mago static analysis tool is migrated from manual shell-script installation to a Composer-managed dev dependency. The workflow steps for linting and analysis are simplified by removing custom installation logic and invoking Mago through Composer's vendor binary directory after standard dependency installation.

Changes

Mago Composer Integration

Layer / File(s)	Summary
Dev Dependencies composer.json	carthage-software/mago (^1.26) and kubawerlos/php-cs-fixer-custom-fixers (^3.36) are added to require-dev.
Workflow Execution .github/workflows/mago.yml	The "⚡ Install Mago" step that downloaded Mago via shell script is removed. Lint and analyze steps now invoke vendor/bin/mago after Composer dependency installation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A hop and a composer tune,
Mago now joins the dependency croon!
No more scripts from the web to fetch,
Just vendor binaries, a clean sketch.
Tests and lints now run so fast,
Automation improved at last! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the primary change: adding mago as a Composer dependency in composer.json, which is the main focus of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch add_mago_as_composer_dependency

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[deepsource-io]

DeepSource Code Review

We reviewed changes in 0efeb5d...20a01f2 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade

Security   Reliability   Complexity   Hygiene

Code Review Summary

Analyzer	Status	Updated (UTC)	Details
PHP		May 7, 2026 12:53p.m.	Review ↗
JavaScript		May 7, 2026 12:53p.m.	Review ↗

---

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/mago.yml:
- Around line 17-21: The "✅ Mago Lint" step calls vendor/bin/mago lint and can
hit GitHub anonymous rate limits when downloading the pre-built binary; update
that step to export the workflow token (e.g. set GITHUB_TOKEN: ${{
secrets.GITHUB_TOKEN }} or GH_TOKEN) for the first vendor/bin/mago invocation so
the download is authenticated and subsequent "🔎 Mago Analyze" calls reuse the
cached binary without failures.
- Line 15: The workflow step currently uses the deprecated flag in the run
command "composer install --dev --prefer-dist --no-progress"; remove the
obsolete --dev option so the command reads "composer install --prefer-dist
--no-progress" (only add --no-dev when you explicitly intend to skip dev
dependencies). Update the run value accordingly to eliminate the Composer
deprecation warning.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1a704d48-71ed-4e3b-ab61-6aad86e82518

📥 Commits

Reviewing files that changed from the base of the PR and between 0efeb5d and 0a69e9a.

📒 Files selected for processing (2)

• .github/workflows/mago.yml
• composer.json

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pass GITHUB_TOKEN to the first vendor/bin/mago invocation to avoid anonymous rate-limit failures

The Composer package is a thin wrapper: the first vendor/bin/mago invocation downloads the matching pre-built binary from the GitHub release and caches it; later calls reuse the cache and make no HTTP requests. If GitHub's anonymous rate limit blocks the download (common on shared CI runners), set GITHUB_TOKEN or GH_TOKEN on the first mago call; in GitHub Actions the token isn't exported automatically, so pass it explicitly.

Without this, the "✅ Mago Lint" step can intermittently fail on ubuntu-latest runners due to shared-IP rate limiting, before any PHP is even analysed.

🔧 Proposed fix — expose the token on the lint step (first mago invocation)

      - name: "✅ Mago Lint"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: vendor/bin/mago lint

      - name: "🔎 Mago Analyze"
        run: vendor/bin/mago analyze

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/mago.yml around lines 17 - 21, The "✅ Mago Lint" step
calls vendor/bin/mago lint and can hit GitHub anonymous rate limits when
downloading the pre-built binary; update that step to export the workflow token
(e.g. set GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} or GH_TOKEN) for the first
vendor/bin/mago invocation so the download is authenticated and subsequent "🔎
Mago Analyze" calls reuse the cached binary without failures.