From afad533b3f21e3e203a2f8101bf6ed1037841374 Mon Sep 17 00:00:00 2001
From: Pierre Tondereau
Date: Wed, 13 May 2026 19:04:05 +0200
Subject: [PATCH 1/2] ci: add PHP debug build job to catch refcount and leak bugs
The debug PHP build runs Zend's refcount invariants and a leak detector at shutdown. Release builds silently let those bugs through, as we just saw with the #[php(prop)] String getter leak on Exception::getMessage.
continue-on-error is on during initial rollout so unrelated PHP-internal asserts on bleeding-edge versions do not block PRs. Will flip to false once we have a few clean runs.
---
 .github/workflows/tests.yml | 40 +++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 95d769a..ae26276 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -64,3 +64,43 @@ jobs:
 - name: "Run PHPUnit"
 run: php -dextension=./target/release/libbiscuit_php.so vendor/bin/phpunit
+
+ tests-debug:
+ runs-on: ubuntu-latest
+ continue-on-error: true
+
+ name: Build extension and run tests (PHP debug)
+ steps:
+ - uses: actions/checkout@v6
+
+ - name: Cache Cargo registry
+ uses: actions/cache@v5
+ with:
+ path: |
+ ~/.cargo/registry
+ ~/.cargo/git
+ key: ${{ runner.os }}-cargo-debug-${{ hashFiles('**/Cargo.lock') }}
+ restore-keys: |
+ ${{ runner.os }}-cargo-debug-
+
+ - uses: dtolnay/rust-toolchain@stable
+
+ - name: "Install PHP (debug build)"
+ uses: "shivammathur/setup-php@v2"
+ with:
+ php-version: "8.5"
+ coverage: "none"
+ ini-values: "memory_limit=-1"
+ extensions: mbstring
+ tools: composer:v2.9.7
+ env:
+ debug: true
+
+ - name: Build
+ run: cargo build --release --all-features
+
+ - name: "Install dependencies (Composer)"
+ uses: "ramsey/composer-install@v3"
+
+ - name: "Run PHPUnit"
+ run: php -dextension=./target/release/libbiscuit_php.so vendor/bin/phpunit
From d1050b15b5cfdceaa89b8e19430309bc1b259e8c Mon Sep 17 00:00:00 2001
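Review bot: The leak report this job exists to catch does not fail the job: as far as I recall a ZEND_DEBUG PHP prints `=== Total N memory leaks detected ===` to stderr at shutdown but still exits 0 (PHP's own run-tests.php greps for that text rather than trusting the status), so the final `Run PHPUnit` step stays green on a leak and only a refcount ZEND_ASSERT abort actually fails the run. Capture the output and fail on the banner, as below. Separately, every third-party action in the new job is pinned to a mutable tag (`actions/checkout@v6`, `dtolnay/rust-toolchain@stable`, `shivammathur/setup-php@v2`, `ramsey/composer-install@v3`); pinning to a commit SHA with the tag in a trailing comment is the usual fix, and if the existing job above the hunk uses tags too, both should move together. Worth carrying the rollout intent into the file as well, since the commit message does not travel with it: `continue-on-error: true  # TODO: flip to false once a few runs are clean`.
```yaml
      # … unchanged: checkout, cache, toolchain, setup-php (debug), build, composer steps …
      - name: "Run PHPUnit"
        shell: bash  # explicit bash turns on pipefail, so phpunit's exit status survives the tee
        run: |
          php -dextension=./target/release/libbiscuit_php.so vendor/bin/phpunit 2>&1 | tee phpunit-debug.log
          # Debug PHP prints its leak report on stderr but exits 0; fail on the grand-total banner.
          ! grep -q "memory leaks detected" phpunit-debug.log
```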
From: Pierre Tondereau
Date: Wed, 13 May 2026 19:08:43 +0200
Subject: [PATCH 2/2] Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions'
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/tests.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index ae26276..9e2ddf7 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -6,6 +6,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 env:
 CARGO_TERM_COLOR: always