WordPress · justlevine · Nov 7, 2025 · Jan 16, 2026 · Jan 16, 2026 · Jan 16, 2026
diff --git a/.github/workflows/php-static-analysis.yml b/.github/workflows/php-static-analysis.yml
@@ -0,0 +1,96 @@
+name: PHPStan Static Analysis
+
+on:
+  # PHPStan testing was introduced in @todo.
-  # PHPStan testing was introduced in @todo.
+  # Run PHPStan testing on pushes to the following branches and tags.
-  # PHPStan testing was introduced in @todo.
+  # Run PHPStan testing on pushes to the following branches and tags.
+  push:
+    branches:
+      - trunk
+      - '[7-9].[0-9]'
+    tags:
+      - '[7-9].[0-9]'
+      - '[7-9]+.[0-9].[0-9]+'
+  pull_request:
+    branches:
+      - trunk
+      - '[7-9].[0-9]'
+    paths:
+      # This workflow only scans PHP files.
+      - '**.php'
+      # These files configure Composer. Changes could affect the outcome.
+      - 'composer.*'
+      # These files configure PHPStan. Changes could affect the outcome.
+      - 'phpstan.neon.dist'
+      - 'tests/phpstan/base.neon'
+      # Confirm any changes to relevant workflow files.
+      - '.github/workflows/php-static-analysis.yml'
+      - '.github/workflows/reusable-php-static-analysis.yml'
+  workflow_dispatch:
+
+# Cancels all previous workflow runs for pull requests that have not completed.
+concurrency:
+  # The concurrency group contains the workflow name and the branch name for pull requests
+  # or the commit hash for any other events.
+  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
+  cancel-in-progress: true
+
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
+jobs:
+  # Runs PHPStan Static Analysis.
+  phpstan:
+    name: PHP static analysis
+    uses: ./.github/workflows/reusable-php-static-analysis.yml
+    permissions:
+      contents: read
+    if: ${{ github.repository == 'WordPress/wordpress-develop' || ( github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' ) }}
+
+  slack-notifications:
+    name: Slack Notifications
+    uses: ./.github/workflows/slack-notifications.yml
+    permissions:
+      actions: read
+      contents: read
+    needs: [ phpstan ]
+    if: ${{ github.repository == 'WordPress/wordpress-develop' && github.event_name != 'pull_request' && always() }}
+    with:
+      calling_status: ${{ contains( needs.*.result, 'cancelled' ) && 'cancelled' || contains( needs.*.result, 'failure' ) && 'failure' || 'success' }}
+    secrets:
+      SLACK_GHA_SUCCESS_WEBHOOK: ${{ secrets.SLACK_GHA_SUCCESS_WEBHOOK }}
+      SLACK_GHA_CANCELLED_WEBHOOK: ${{ secrets.SLACK_GHA_CANCELLED_WEBHOOK }}
+      SLACK_GHA_FIXED_WEBHOOK: ${{ secrets.SLACK_GHA_FIXED_WEBHOOK }}
+      SLACK_GHA_FAILURE_WEBHOOK: ${{ secrets.SLACK_GHA_FAILURE_WEBHOOK }}
+
+  failed-workflow:
+    name: Failed workflow tasks
+    runs-on: ubuntu-24.04
+    permissions:
+      actions: write
+    needs: [ slack-notifications ]
+    if: |
+      always() &&
+      github.repository == 'WordPress/wordpress-develop' &&
+      github.event_name != 'pull_request' &&
+      github.run_attempt < 2 &&
+      (
+        contains( needs.*.result, 'cancelled' ) ||
+        contains( needs.*.result, 'failure' )
+      )
+
+    steps:
+      - name: Dispatch workflow run
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          retries: 2
+          retry-exempt-status-codes: 418
+          script: |
+            github.rest.actions.createWorkflowDispatch({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              workflow_id: 'failed-workflow.yml',
+              ref: 'trunk',
+              inputs: {
+                run_id: `${context.runId}`,
+              }
+            });
diff --git a/.github/workflows/reusable-php-static-analysis.yml b/.github/workflows/reusable-php-static-analysis.yml
@@ -0,0 +1,109 @@
+##
+# A reusable workflow that runs PHP Static Analysis tests.
+##
+name: PHP Static Analysis
+
+on:
+  workflow_call:
+    inputs:
+      php-version:
+        description: 'The PHP version to use.'
+        required: false
+        type: 'string'
+        default: 'latest'
+
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
+jobs:
+  # Runs PHP static analysis tests.
+  #
+  # Violations are reported inline with annotations.
+  #
+  # Performs the following steps:
+  # - Checks out the repository.
+  # - Sets up PHP.
+  # - Logs debug information.
+  # - Installs Composer dependencies.
+  # - Configures caching for PHP static analysis scans.
+  # - Make Composer packages available globally.
+  # - Runs PHPStan static analysis (with Pull Request annotations).
+  # - Saves the PHPStan result cache.
+  # - Ensures version-controlled files are not modified or deleted.
+  phpstan:
+    name: Run PHP static analysis
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    timeout-minutes: 20
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+          persist-credentials: false
+
+      - name: Set up Node.js
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+        with:
+          node-version-file: '.nvmrc'
+          cache: npm
+
+      - name: Set up PHP
+        uses: shivammathur/setup-php@20529878ed81ef8e78ddf08b480401e6101a850f # v2.35.3
+        with:
+          php-version: ${{ inputs.php-version }}
+          coverage: none
+          tools: cs2pr
+
+      # This date is used to ensure that the Composer cache is cleared at least once every week.
+      # http://man7.org/linux/man-pages/man1/date.1.html
+      - name: "Get last Monday's date"
+        id: get-date
+        run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT"
+
+      - name: General debug information
+        run: |
+          npm --version
+          node --version
+          composer --version
+
+      # Since Composer dependencies are installed using `composer update` and no lock file is in version control,
+      # passing a custom cache suffix ensures that the cache is flushed at least once per week.
+      - name: Install Composer dependencies
+        uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # v3.1.1
+        with:
+          custom-cache-suffix: ${{ steps.get-date.outputs.date }}
+
+      - name: Make Composer packages available globally
+        run: echo "${PWD}/vendor/bin" >> "$GITHUB_PATH"
+
+      - name: Install npm dependencies
+        run: npm ci
+
+      - name: Build WordPress
+        run: npm run build:dev
+
+      - name: Cache PHP Static Analysis scan cache
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: .cache # This is defined in the base.neon file.
+          key: "phpstan-result-cache-${{ github.run_id }}"
+          restore-keys: |
+            phpstan-result-cache-
+
+      - name: Run PHP static analysis tests
+        id: phpstan
+        run: phpstan analyse -vvv --error-format=checkstyle | cs2pr
+
+      - name: "Save result cache"
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        if: ${{ !cancelled() }}
+        with:
+          path: .cache
+          key: "phpstan-result-cache-${{ github.run_id }}"
+
+      - name: Ensure version-controlled files are not modified or deleted
+        run: git diff --exit-code
diff --git a/.gitignore b/.gitignore
@@ -23,6 +23,7 @@ wp-tests-config.php
 /gutenberg
 /tests/phpunit/build
 /wp-cli.local.yml
+/phpstan.neon
 /jsdoc
 /composer.lock
 /vendor

diff --git a/composer.json b/composer.json
@@ -23,6 +23,7 @@
 		"squizlabs/php_codesniffer": "3.13.5",
 		"wp-coding-standards/wpcs": "~3.3.0",
 		"phpcompatibility/phpcompatibility-wp": "~2.1.3",
+		"phpstan/phpstan": "~2.1.33",
-		"phpstan/phpstan": "~2.1.33",
+		"phpstan/phpstan": "~2.1.0",
-		"phpstan/phpstan": "~2.1.33",
+		"phpstan/phpstan": "~2.1.0",
 		"yoast/phpunit-polyfills": "^1.1.0"
 	},
 	"config": {
@@ -32,6 +33,7 @@
 		"lock": false
 	},
 	"scripts": {
+		"analyse": "@php ./vendor/bin/phpstan analyse --memory-limit=2G",
-		"analyse": "@php ./vendor/bin/phpstan analyse --memory-limit=2G",
+		"analyze": "@php ./vendor/bin/phpstan analyse --memory-limit=2G",
-		"analyse": "@php ./vendor/bin/phpstan analyse --memory-limit=2G",
+		"phpstan": "@php ./vendor/bin/phpstan analyse --memory-limit=2G",
-		"analyse": "@php ./vendor/bin/phpstan analyse --memory-limit=2G",
+		"analyze": "@php ./vendor/bin/phpstan analyse --memory-limit=2G",
-		"analyse": "@php ./vendor/bin/phpstan analyse --memory-limit=2G",
+		"phpstan": "@php ./vendor/bin/phpstan analyse --memory-limit=2G",
 		"compat": "@php ./vendor/squizlabs/php_codesniffer/bin/phpcs --standard=phpcompat.xml.dist --report=summary,source",
 		"format": "@php ./vendor/squizlabs/php_codesniffer/bin/phpcbf --report=summary,source",
 		"lint": "@php ./vendor/squizlabs/php_codesniffer/bin/phpcs --report=summary,source",

diff --git a/package.json b/package.json
@@ -126,6 +126,7 @@
 		"env:logs": "node ./tools/local-env/scripts/docker.js logs",
 		"env:pull": "node ./tools/local-env/scripts/docker.js pull",
 		"test:performance": "wp-scripts test-playwright --config tests/performance/playwright.config.js",
+		"test:php:stan": "node ./tools/local-env/scripts/docker.js run --rm php ./vendor/bin/phpstan analyse --memory-limit=2G",
 		"test:php": "node ./tools/local-env/scripts/docker.js run --rm php ./vendor/bin/phpunit",
 		"test:coverage": "npm run test:php -- --coverage-html ./coverage/html/ --coverage-php ./coverage/php/report.php --coverage-text=./coverage/text/report.txt",
 		"test:e2e": "wp-scripts test-playwright --config tests/e2e/playwright.config.js",

diff --git a/phpcs.xml.dist b/phpcs.xml.dist
@@ -81,6 +81,9 @@
 	<exclude-pattern>/tests/phpunit/build*</exclude-pattern>
 	<exclude-pattern>/tests/phpunit/data/*</exclude-pattern>
 
+	<!-- PHPStan bootstrap, stubs, and baseline. -->
+	<exclude-pattern>/tests/phpstan/*</exclude-pattern>
+
 	<exclude-pattern>/tools/*</exclude-pattern>
 
 	<!-- Drop-in plugins. -->

diff --git a/phpstan.neon.dist b/phpstan.neon.dist
@@ -0,0 +1,36 @@
+# PHPStan configuration for WordPress Core.
+#
+# To overload this configuration, copy this file to phpstan.neon and adjust as needed.
+#
+# https://phpstan.org/config-reference
+
+includes:
+	# The base configuration file for using PHPStan with the WordPress core codebase.
+	- tests/phpstan/base.neon
+
+	# The baseline file includes preexisting errors in the codebase that should be ignored.
+	# https://phpstan.org/user-guide/baseline
+	- tests/phpstan/baseline.php
+
+parameters:
+	# https://phpstan.org/user-guide/rule-levels
+	level: 0
+	reportUnmatchedIgnoredErrors: true
+
+	ignoreErrors:
+		# Level 0:
+		- # Inner functions aren't supported by PHPStan.
+			message: '#Function wxr_[a-z_]+ not found#'
+			path: src/wp-admin/includes/export.php
+		-
+			identifier: function.inner
+			path: src/wp-admin/includes/export.php
+			count: 13
+		-
+			identifier: function.inner
+			path: src/wp-admin/includes/file.php
+			count: 1
+		-
+			identifier: function.inner
+			path: src/wp-includes/canonical.php
+			count: 1
diff --git a/src/wp-admin/includes/class-wp-filesystem-ssh2.php b/src/wp-admin/includes/class-wp-filesystem-ssh2.php
@@ -672,6 +672,7 @@ public function size( $file ) {
 	 *                      Default 0.
 	 */
 	public function touch( $file, $time = 0, $atime = 0 ) {
+		// @phpstan-ignore-next-line
 		// Not implemented.
 	}
 

diff --git a/src/wp-admin/press-this.php b/src/wp-admin/press-this.php
@@ -22,8 +22,8 @@ function wp_load_press_this() {
 			403
 		);
 	} elseif ( is_plugin_active( $plugin_file ) ) {
-		include WP_PLUGIN_DIR . '/press-this/class-wp-press-this-plugin.php';
-		$wp_press_this = new WP_Press_This_Plugin();
+		include WP_PLUGIN_DIR . '/press-this/class-wp-press-this-plugin.php'; // @phpstan-ignore include.fileNotFound
+		$wp_press_this = new WP_Press_This_Plugin(); // @phpstan-ignore class.notFound
 		$wp_press_this->html();
 	} elseif ( current_user_can( 'activate_plugins' ) ) {
 		if ( file_exists( WP_PLUGIN_DIR . '/' . $plugin_file ) ) {

diff --git a/src/wp-includes/class-wp-scripts.php b/src/wp-includes/class-wp-scripts.php
@@ -1186,7 +1186,7 @@ private function get_highest_fetchpriority_with_dependents( string $handle, arra
 				}
 			}
 		}
-		$stored_results[ $handle ] = $priorities[ $highest_priority_index ]; // @phpstan-ignore parameterByRef.type (We know the index is valid and that this will be a string.)
+		$stored_results[ $handle ] = $priorities[ $highest_priority_index ];
 		return $priorities[ $highest_priority_index ];
 	}
 

diff --git a/src/wp-includes/class-wp-theme-json.php b/src/wp-includes/class-wp-theme-json.php
@@ -3481,7 +3481,7 @@ public function get_svg_filters( $origins ) {
 	 * @param array      $theme_json The theme.json like structure to inspect.
 	 * @param array      $path       Path to inspect.
 	 * @param bool|array $override   Data to compute whether to override the preset.
-	 * @return bool
+	 * @return bool|null True if the preset should override the defaults, false if not. Null if the override parameter is invalid.
 	 */
 	protected static function should_override_preset( $theme_json, $path, $override ) {
 		_deprecated_function( __METHOD__, '6.0.0', 'get_metadata_boolean' );
@@ -3516,6 +3516,8 @@ protected static function should_override_preset( $theme_json, $path, $override
 
 			return true;
 		}
+
+		return null;
 	}
 
 	/**

diff --git a/src/wp-includes/customize/class-wp-customize-background-image-setting.php b/src/wp-includes/customize/class-wp-customize-background-image-setting.php
@@ -28,6 +28,7 @@ final class WP_Customize_Background_Image_Setting extends WP_Customize_Setting {
 	 * @since 3.4.0
 	 *
 	 * @param mixed $value The value to update. Not used.
+	 * @return bool|void Nothing is returned.
-	 * @return bool|void Nothing is returned.
+	 * @return bool Always returns true.
-	 * @return bool|void Nothing is returned.
+	 * @return bool Always returns true.
 	 */
 	public function update( $value ) {
 		remove_theme_mod( 'background_image_thumb' );
-		remove_theme_mod( 'background_image_thumb' );
+		remove_theme_mod( 'background_image_thumb' );
+		return true;
-		remove_theme_mod( 'background_image_thumb' );
+		remove_theme_mod( 'background_image_thumb' );
+		return true;

diff --git a/src/wp-includes/customize/class-wp-customize-filter-setting.php b/src/wp-includes/customize/class-wp-customize-filter-setting.php
@@ -24,6 +24,7 @@ class WP_Customize_Filter_Setting extends WP_Customize_Setting {
 	 * @since 3.4.0
 	 *
 	 * @param mixed $value The value to update.
+	 * @return bool|void Nothing is returned.
-	 * @return bool|void Nothing is returned.
+	 * @return bool Always returns true.
-	 * @return bool|void Nothing is returned.
+	 * @return bool Always returns true.
 	 */
 	public function update( $value ) {}
-	public function update( $value ) {}
+	public function update( $value ) {
+		return true;
+	}
-	public function update( $value ) {}
+	public function update( $value ) {
+		return true;
+	}
 }
diff --git a/src/wp-includes/customize/class-wp-customize-header-image-setting.php b/src/wp-includes/customize/class-wp-customize-header-image-setting.php
@@ -32,6 +32,7 @@ final class WP_Customize_Header_Image_Setting extends WP_Customize_Setting {
 	 * @global Custom_Image_Header $custom_image_header
 	 *
 	 * @param mixed $value The value to update.
+	 * @return bool|void Nothing is returned.
-	 * @return bool|void Nothing is returned.
+	 * @return bool Always returns true.
-	 * @return bool|void Nothing is returned.
+	 * @return bool Always returns true.
 	 */
 	public function update( $value ) {
 		global $custom_image_header;

diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
@@ -3765,6 +3765,10 @@ function wp_nonce_ays( $action ) {
  *                                  is a WP_Error.
  *     @type bool   $exit           Whether to exit the process after completion. Default true.
  * }
+ *
+ * @return never|void Returns false if `$args['exit']` is false, otherwise exits.
+ *
+ * @phpstan-return ($args['exit'] is false ? void : never)
  */
 function wp_die( $message = '', $title = '', $args = array() ) {
 	global $wp_query;

diff --git a/src/wp-includes/media.php b/src/wp-includes/media.php
@@ -4116,7 +4116,7 @@ function get_taxonomies_for_attachments( $output = 'names' ) {
  *              false otherwise.
  */
 function is_gd_image( $image ) {
-	if ( $image instanceof GdImage
+	if ( $image instanceof GdImage // @phpstan-ignore class.notFound (Only available with PHP8+.)
 		|| is_resource( $image ) && 'gd' === get_resource_type( $image )
 	) {
 		return true;

diff --git a/src/wp-includes/style-engine/class-wp-style-engine-css-rules-store.php b/src/wp-includes/style-engine/class-wp-style-engine-css-rules-store.php
@@ -13,6 +13,8 @@
  * Holds, sanitizes, processes, and prints CSS declarations for the style engine.
  *
  * @since 6.1.0
+ *
+ * @phpstan-consistent-constructor
  */
 #[AllowDynamicProperties]
 class WP_Style_Engine_CSS_Rules_Store {
-Original file line number
+Diff line change
@@ Expand Up @@
     				}
     			}
     		}
-    		$stored_results[ $handle ] = $priorities[ $highest_priority_index ]; // @phpstan-ignore parameterByRef.type (We know the index is valid and that this will be a string.)
+    		$stored_results[ $handle ] = $priorities[ $highest_priority_index ];
     		return $priorities[ $highest_priority_index ];
     	}
@@ Expand Down @@