Ported recent shell script changes to PHP tooling package.

[AlexSkrypnyk]

Summary

Ported recent shell script changes to the PHP tooling package, introducing multi-database index support across all download-db scripts, replacing Composer-based git-artifact installation with a direct binary download with SHA256 verification, adding a cache rebuild step after database updates in provision, and fixing the fallback profile installation to skip config import and enable Shield for protection.

Changes

Multi-database index support (download-db, download-db-acquia, download-db-container-registry, download-db-ftp, download-db-lagoon, download-db-s3, download-db-url)

• All download-db scripts now read VORTEX_DB_INDEX from the environment (defaults to empty string).
• All environment variable lookups use indexed variants first (e.g. VORTEX_DOWNLOAD_DB2_SOURCE) before falling back to the non-indexed variants, enabling multi-database setups.
• The container_registry source now skips the file existence check since the database is stored as a Docker image, not a file.
• download-db-lagoon gained an explicit VORTEX_DOWNLOAD_DB_SSH_FINGERPRINT variable (previously absent).

git-artifact binary download (deploy-artifact)

• Replaced composer global require drevops/git-artifact:~1.2 with a direct binary download from GitHub Releases.
• Added VORTEX_DEPLOY_ARTIFACT_GIT_ARTIFACT_VERSION (default 1.4.0) and VORTEX_DEPLOY_ARTIFACT_GIT_ARTIFACT_SHA256 env vars.
• Binary is downloaded via request() to $TMPDIR/git-artifact, verified with hash_file('sha256'), and made executable.
• A curl prerequisite check was added before the download attempt.

Provision improvements (provision)

• Added VORTEX_PROVISION_CACHE_REBUILD_AFTER_DB_UPDATE_SKIP flag; when unset a drush cache:rebuild is now executed immediately after drush updb.
• Fallback profile installation (when DB dump is unavailable) now passes $is_fallback = TRUE to provision_from_profile(), which:
  • Omits --existing-config from drush site:install.
  • Enables the Shield module to protect the freshly installed site.
  • Sets VORTEX_PROVISION_POST_OPERATIONS_SKIP=1 via putenv() to skip all post-provision operations.
• The post-provision skip flag is re-read from the environment after provision_from_profile() returns to pick up the putenv() change.

notify

• Fixed strict-mode comparison: in_array($event, [...]) now uses TRUE as the third argument.

Tests (DeployArtifactTest, ProvisionTest)

• DeployArtifactTest: replaced Composer install mocks with mockGitArtifactDownload() / mockRequest() helpers; added testGitArtifactDownloadFailure and testGitArtifactSha256Failure test cases; pre-creates dummy binary in setUp() with matching empty-file SHA256.
• ProvisionTest: updated all test cases to expect the new post-updb cache:rebuild step; added drush pm:install shield expectation and adjusted fallback tests to reflect skipped post-provision operations.

Before / After

git-artifact installation

Before:
  deploy-artifact
  └─ passthru: composer global require drevops/git-artifact:~1.2
     └─ binary at ~/.composer/vendor/bin/git-artifact

After:
  deploy-artifact
  ├─ command_must_exist('curl')
  ├─ request(github.com/.../git-artifact) ──> $TMPDIR/git-artifact
  ├─ hash_file('sha256') == $git_artifact_sha256  (verified)
  ├─ chmod 0755
  └─ binary at $TMPDIR/git-artifact

Provision fallback flow

Before:
  DB dump missing + fallback=1
  └─ provision_from_profile(... $has_config_files)
     ├─ drush site:install --existing-config   (if config files exist)
     └─ (continues post-provision operations)

After:
  DB dump missing + fallback=1
  └─ provision_from_profile(... $has_config_files, is_fallback=TRUE)
     ├─ drush site:install   (no --existing-config)
     ├─ drush pm:install shield
     ├─ putenv(VORTEX_PROVISION_POST_OPERATIONS_SKIP=1)
     └─ (post-provision operations skipped)

Provision cache rebuild

Before:
  drush updb
  └─ (no cache rebuild)
  └─ drush config:import / post-provision
  └─ drush cache:rebuild  (once, at the end)

After:
  drush updb
  └─ drush cache:rebuild  (immediately after updb, unless SKIP flag set)
  └─ drush config:import / post-provision
  └─ drush cache:rebuild  (again at the end)

Multi-database index variable resolution

Before:
  $source = getenv_default('VORTEX_DOWNLOAD_DB_SOURCE', 'url')

After:
  $db_index = getenv_default('VORTEX_DB_INDEX', '')     // e.g. '' or '2'
  $source = getenv_default(
    'VORTEX_DOWNLOAD_DB{index}_SOURCE',   // indexed first
    'VORTEX_DOWNLOAD_DB_SOURCE',          // then base
    'url'                                 // then default
  )

Summary by CodeRabbit

• New Features

  • Support for multiple indexed database configurations across all DB sources (Acquia, S3, FTP, URL, Lagoon, container registry).
  • Configurable artifact binary version with SHA256 checksum verification and download preflight.
  • Option to skip cache rebuild immediately after database updates.
  • SSH fingerprint configuration for Lagoon DB downloads.

• Improvements

  • Security module installed during fallback provisioning.
  • Stricter event validation for more robust checks.

[coderabbitai]

Walkthrough

Adds index-aware database configuration support across download-db scripts, replaces Composer-based git-artifact install with a direct GitHub release binary download plus SHA256 verification, and introduces fallback-specific behavior in provisioning with related test updates.

Changes

Cohort / File(s)	Summary
Download DB index support .vortex/tooling/src/download-db, .vortex/tooling/src/download-db-acquia, .vortex/tooling/src/download-db-container-registry, .vortex/tooling/src/download-db-ftp, .vortex/tooling/src/download-db-lagoon, .vortex/tooling/src/download-db-s3, .vortex/tooling/src/download-db-url	Introduce VORTEX_DB_INDEX and resolve indexed env var variants first (e.g., VORTEX_DOWNLOAD_DB{index}_*) with fallbacks to non-indexed keys; container_registry source skips existing dump-file check.
Deploy artifact binary download .vortex/tooling/src/deploy-artifact	Replace Composer installation of drevops/git-artifact with direct GitHub Releases binary download. Add VORTEX_DEPLOY_ARTIFACT_GIT_ARTIFACT_VERSION and VORTEX_DEPLOY_ARTIFACT_GIT_ARTIFACT_SHA256, download into temp dir, perform curl preflight and SHA256 verification, chmod +x, and use the downloaded binary path.
Provision fallback behavior .vortex/tooling/src/provision	Add VORTEX_PROVISION_CACHE_REBUILD_AFTER_DB_UPDATE_SKIP. Extend provision_from_profile() signature with $is_fallback = FALSE; when fallback, omit --existing-config, install shield, and set VORTEX_PROVISION_POST_OPERATIONS_SKIP=1 to suppress post-operations; re-read env after completion.
Notify type check .vortex/tooling/src/notify	Tighten event validation by switching in_array() to strict mode (TRUE) so only exact string matches for pre_deployment and post_deployment are accepted.
Tests: deploy-artifact & provision .vortex/tooling/tests/Unit/DeployArtifactTest.php, .vortex/tooling/tests/Unit/ProvisionTest.php	Update DeployArtifact tests to mock binary download, add SHA256 pass/fail tests, adjust TMPDIR usage and expected binary path. Update Provision tests to expect pm:install shield, split cache-rebuild expectations, and adjust maintenance-mode/cache messaging assertions.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• Fixed DB download variables inconsistencies. #2360: Adds indexed database configuration support to download-db scripts (overlaps env var index logic and container_registry handling).
• [#2368] Switched git-artifact to download from GitHub Releases with SHA256 verification. #2370: Replaces Composer-based git-artifact install with GitHub Releases binary download and checksum verification (directly overlaps deploy-artifact changes).
• Fixed provision fallback to profile and added cache rebuild after DB updates. #2406: Modifies provisioning flow and flags related to cache-rebuild/post-operations behavior (closely related to provision fallback changes).

Suggested labels

Requires more work

Poem

🐇 I hopped through envs with index and cheer,
Downloaded a binary — checksum clear,
Fallbacks set shield and quiet the post,
Multiple DBs now, I boast the most! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 8.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Ported recent shell script changes to PHP tooling package' accurately summarizes the main change—porting shell script modifications across multiple download-db scripts, deploy-artifact, provision, and notify components to the PHP tooling package.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/2.x-udpate-scripts-mar26

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.93%. Comparing base (4162a2c) to head (9b47e3e).
⚠️ Report is 1 commits behind head on project/2.x.

Additional details and impacted files

@@             Coverage Diff              @@
##           project/2.x    #2415   +/-   ##
============================================
  Coverage        78.93%   78.93%           
============================================
  Files              119      119           
  Lines             6565     6565           
============================================
  Hits              5182     5182           
  Misses            1383     1383           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.vortex/tooling/src/download-db-container-registry:
- Around line 20-41: The fallback ordering for image selection in the
getenv_required call for $image (function getenv_required with the combined keys
for VORTEX_DOWNLOAD_DB..._CONTAINER_REGISTRY_IMAGE,
VORTEX_DOWNLOAD_DB_CONTAINER_REGISTRY_IMAGE, VORTEX_DB{$db_index}_IMAGE,
VORTEX_DB_IMAGE) and for $image_base (getenv_default with the combined keys for
VORTEX_DOWNLOAD_DB..._CONTAINER_REGISTRY_IMAGE_BASE,
VORTEX_DOWNLOAD_DB_CONTAINER_REGISTRY_IMAGE_BASE,
VORTEX_DB{$db_index}_IMAGE_BASE, VORTEX_DB_IMAGE_BASE) is wrong: move the
indexed keys 'VORTEX_DB' . $db_index . '_IMAGE' and 'VORTEX_DB' . $db_index .
'_IMAGE_BASE' earlier in each array so they are checked before the legacy
VORTEX_DOWNLOAD_DB_CONTAINER_REGISTRY_* vars, ensuring per-index overrides win;
update the array_values(array_unique([...])) arguments for $image and
$image_base accordingly.

In @.vortex/tooling/src/download-db-lagoon:
- Around line 50-51: The code reads $ssh_fingerprint via getenv_default but
never uses it, while the SSH invocation still forces
UserKnownHostsFile=/dev/null and StrictHostKeyChecking=no, so indexed
fingerprints are a no-op; fix by honoring $ssh_fingerprint in the SSH flow: if
$ssh_fingerprint (from getenv_default) is set, create a temporary known_hosts
file containing that fingerprint and update the SSH/scp command options to use
-o UserKnownHostsFile=/path/to/tmp_known_hosts and -o StrictHostKeyChecking=yes
(otherwise keep the current /dev/null + no checking behavior), and ensure the
temp file is cleaned up after use so the indexed
VORTEX_DOWNLOAD_DB{index}_SSH_FINGERPRINT actually affects host verification.

In @.vortex/tooling/src/provision:
- Around line 465-467: The current use of the Elvis operator with
getenv('VORTEX_PROVISION_POST_OPERATIONS_SKIP') incorrectly treats the string
'0' as falsy and falls back to $provision_post_operations_skip; change the
assignment to explicitly detect getenv() returning false and use the environment
value when it is any string (including '0') — e.g. fetch
getenv('VORTEX_PROVISION_POST_OPERATIONS_SKIP') into a temporary, check !==
false, and assign that value to $provision_post_operations_skip if present; this
touches the getenv call and the $provision_post_operations_skip assignment and
ensures provision_from_profile() semantics are preserved.

In @.vortex/tooling/tests/Unit/DeployArtifactTest.php:
- Around line 395-410: The mock in mockGitArtifactDownload() hardcodes the
git-artifact version "1.4.0" which can drift from the real default; extract that
literal into a shared class constant (e.g., DEFAULT_GIT_ARTIFACT_VERSION) and
use that constant in mockGitArtifactDownload() when building the download URL
and anywhere else (createDummyGitArtifactBinary or related tests) that needs the
version so the test remains in sync with the production default; alternatively
read the default from the same production constant/source and reference it in
mockGitArtifactDownload() and createDummyGitArtifactBinary().

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2aac9fed-f341-475b-b556-b8847db7e3bf

📥 Commits

Reviewing files that changed from the base of the PR and between 4162a2c and 36096a1.

📒 Files selected for processing (12)

• .vortex/tooling/src/deploy-artifact
• .vortex/tooling/src/download-db
• .vortex/tooling/src/download-db-acquia
• .vortex/tooling/src/download-db-container-registry
• .vortex/tooling/src/download-db-ftp
• .vortex/tooling/src/download-db-lagoon
• .vortex/tooling/src/download-db-s3
• .vortex/tooling/src/download-db-url
• .vortex/tooling/src/notify
• .vortex/tooling/src/provision
• .vortex/tooling/tests/Unit/DeployArtifactTest.php
• .vortex/tooling/tests/Unit/ProvisionTest.php

[coderabbitai]

⚠️ Potential issue | 🟠 Major

VORTEX_DOWNLOAD_DB{index}_SSH_FINGERPRINT is a no-op here.

$ssh_fingerprint is never consumed after Line 51, and the later SSH call still uses UserKnownHostsFile=/dev/null plus StrictHostKeyChecking=no. As written, an indexed fingerprint cannot affect host verification, so this new config path does not work.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.vortex/tooling/src/download-db-lagoon around lines 50 - 51, The code reads
$ssh_fingerprint via getenv_default but never uses it, while the SSH invocation
still forces UserKnownHostsFile=/dev/null and StrictHostKeyChecking=no, so
indexed fingerprints are a no-op; fix by honoring $ssh_fingerprint in the SSH
flow: if $ssh_fingerprint (from getenv_default) is set, create a temporary
known_hosts file containing that fingerprint and update the SSH/scp command
options to use -o UserKnownHostsFile=/path/to/tmp_known_hosts and -o
StrictHostKeyChecking=yes (otherwise keep the current /dev/null + no checking
behavior), and ensure the temp file is cleaned up after use so the indexed
VORTEX_DOWNLOAD_DB{index}_SSH_FINGERPRINT actually affects host verification.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Consider extracting hardcoded version to a class constant.

The version 1.4.0 is hardcoded in mockGitArtifactDownload() (line 406) and matches the script's default. If the default version changes, this test mock will silently fail to match. Consider extracting to a shared constant or reading from the same default.

♻️ Suggested improvement

+  protected const GIT_ARTIFACT_VERSION = '1.4.0';
+
   protected function createDummyGitArtifactBinary(): void {
     $bin_path = $this->getGitArtifactBinPath();
     file_put_contents($bin_path, '');
     $this->envSet('VORTEX_DEPLOY_ARTIFACT_GIT_ARTIFACT_SHA256', 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855');
   }

   protected function mockGitArtifactDownload(): void {
     $this->mockRequest(
-      'https://github.com/drevops/git-artifact/releases/download/1.4.0/git-artifact',
+      sprintf('https://github.com/drevops/git-artifact/releases/download/%s/git-artifact', self::GIT_ARTIFACT_VERSION),
       ['method' => 'GET'],
       ['ok' => TRUE, 'status' => 200, 'body' => ''],
     );
   }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	protected function createDummyGitArtifactBinary(): void {
	$bin_path = $this->getGitArtifactBinPath();
	file_put_contents($bin_path, '');
	$this->envSet('VORTEX_DEPLOY_ARTIFACT_GIT_ARTIFACT_SHA256', 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855');
	}
	/**
	* Mock the git-artifact download request.
	*/
	protected function mockGitArtifactDownload(): void {
	$this->mockRequest(
	'https://github.com/drevops/git-artifact/releases/download/1.4.0/git-artifact',
	['method' => 'GET'],
	['ok' => TRUE, 'status' => 200, 'body' => ''],
	);
	}
	protected const GIT_ARTIFACT_VERSION = '1.4.0';
	protected function createDummyGitArtifactBinary(): void {
	$bin_path = $this->getGitArtifactBinPath();
	file_put_contents($bin_path, '');
	$this->envSet('VORTEX_DEPLOY_ARTIFACT_GIT_ARTIFACT_SHA256', 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855');
	}
	/**
	* Mock the git-artifact download request.
	*/
	protected function mockGitArtifactDownload(): void {
	$this->mockRequest(
	sprintf('https://github.com/drevops/git-artifact/releases/download/%s/git-artifact', self::GIT_ARTIFACT_VERSION),
	['method' => 'GET'],
	['ok' => TRUE, 'status' => 200, 'body' => ''],
	);
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.vortex/tooling/tests/Unit/DeployArtifactTest.php around lines 395 - 410,
The mock in mockGitArtifactDownload() hardcodes the git-artifact version "1.4.0"
which can drift from the real default; extract that literal into a shared class
constant (e.g., DEFAULT_GIT_ARTIFACT_VERSION) and use that constant in
mockGitArtifactDownload() when building the download URL and anywhere else
(createDummyGitArtifactBinary or related tests) that needs the version so the
test remains in sync with the production default; alternatively read the default
from the same production constant/source and reference it in
mockGitArtifactDownload() and createDummyGitArtifactBinary().

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.vortex/tooling/src/provision:
- Around line 533-542: The log wording is inconsistent with the actual command:
when $provision_cache_rebuild_after_db_update_skip !== '1' the script runs
drush('cache:rebuild') but the messages use "Clearing cache" and "Cache was
cleared"; change those strings to "Rebuilding cache" and "Cache was rebuilt"
(matching the later block) so task(...), pass(...) messages accurately reflect
using drush('cache:rebuild') and remain consistent across the script.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5c4e2f59-60a2-4ea6-a0c7-269dcd272902

📥 Commits

Reviewing files that changed from the base of the PR and between 36096a1 and 9b47e3e.

📒 Files selected for processing (2)

• .vortex/tooling/src/download-db-container-registry
• .vortex/tooling/src/provision

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Consider consistent terminology: "rebuild" vs "clear".

The message says "Clearing cache" (line 534) and "Cache was cleared" (line 536), but the command is drush('cache:rebuild'). Later in the script (lines 564-566), similar code says "Rebuilding cache" and "Cache was rebuilt" which is more accurate. Consider aligning the terminology for consistency.

✏️ Suggested terminology fix

 if ($provision_cache_rebuild_after_db_update_skip !== '1') {
-  task('Clearing cache after database updates.');
+  task('Rebuilding cache after database updates.');
   drush('cache:rebuild');
-  pass('Cache was cleared.');
+  pass('Cache was rebuilt.');
   echo PHP_EOL;
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if ($provision_cache_rebuild_after_db_update_skip !== '1') {
	task('Clearing cache after database updates.');
	drush('cache:rebuild');
	pass('Cache was cleared.');
	echo PHP_EOL;
	}
	else {
	pass('Skipped cache rebuild after database updates.');
	echo PHP_EOL;
	}
	if ($provision_cache_rebuild_after_db_update_skip !== '1') {
	task('Rebuilding cache after database updates.');
	drush('cache:rebuild');
	pass('Cache was rebuilt.');
	echo PHP_EOL;
	}
	else {
	pass('Skipped cache rebuild after database updates.');
	echo PHP_EOL;
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.vortex/tooling/src/provision around lines 533 - 542, The log wording is
inconsistent with the actual command: when
$provision_cache_rebuild_after_db_update_skip !== '1' the script runs
drush('cache:rebuild') but the messages use "Clearing cache" and "Cache was
cleared"; change those strings to "Rebuilding cache" and "Cache was rebuilt"
(matching the later block) so task(...), pass(...) messages accurately reflect
using drush('cache:rebuild') and remain consistent across the script.

[github-actions]

Code coverage (threshold: 90%)

  Classes: 100.00% (1/1)
  Methods: 100.00% (2/2)
  Lines:   100.00% (189/189)

Per-class coverage

Drupal\ys_demo\Plugin\Block\CounterBlock
  Methods: 100.00% ( 2/ 2)   Lines: 100.00% ( 10/ 10)

[AlexSkrypnyk]

Code coverage (threshold: 90%)

  Classes: 100.00% (1/1)
  Methods: 100.00% (2/2)
  Lines:   100.00% (189/189)

Per-class coverage

Drupal\ys_demo\Plugin\Block\CounterBlock
  Methods: 100.00% ( 2/ 2)   Lines: 100.00% ( 10/ 10)