[SITE-5513] wp_saml_auth_auto_add_to_blog filter #465

Merged
AnaisPantheor merged 6 commits into main from feat-req-default-user
Mar 6, 2026

@scottbuscemi
Contributor

The wp_saml_auth_auto_add_to_blog filter can be used to disable the auto-provisioning of the user to the “ID 1” site of the multisite.

@github-actions

Hi from your friendly robot! 🤖 I fixed PHPCS issues with phpcbf on ec1586a. Please review the changes.

@AnaisPantheor self-assigned this on Feb 19, 2026
@AnaisPantheor
Contributor

Suggestions for this PR

I've pushed two commits with the following changes:

1. Error logging and docblock for network-only users (2735cbe)

When wp_saml_auth_auto_add_to_blog returns false, the wp_saml_auth_new_user_authenticated action will now receive a user with no role on the current site. Existing hooks on this action may assume $user->roles is non-empty — this change breaks that contract.

To give hook consumers visibility, I added:

  • An error_log() message when a network-only user is created, so admins can identify why a user has no role.
  • An updated docblock on the wp_saml_auth_new_user_authenticated action noting that since 2.3.1, the user may have empty roles in multisite.

2. Documentation update (2a43974)

  • Added a note in the filter documentation (both README.md and readme.txt) warning developers that wp_saml_auth_new_user_authenticated may receive a user with empty roles, with a code example showing how to handle it.
  • Updated the changelog to call out this breaking change.

A note on tests

The new behavior is guarded by is_multisite(), which means it can only be properly tested in a multisite test environment. The current test suite runs on a single-site WordPress install. Setting up a multisite test configuration (with WP_TESTS_MULTISITE=1 and CI changes) would be significant overhead for this feature. The existing tests already cover role assignment on single-site (test_default_behavior_saml_login_no_existing_user, test_saml_login_auto_provision_custom_role), so single-site behavior is verified. Multisite-specific test coverage could be added later if a multisite test suite is set up for the project.
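
Added example (not part of this PR, the comment above, or the plugin's own code): a consumer of wp_saml_auth_new_user_authenticated that tolerates the empty-roles case described in the preceding comment, shown beside the fragile pattern it replaces. The function names and the example_initial_role meta key are hypothetical, and the snippet assumes it is loaded as a mu-plugin on a multisite network with WP SAML Auth active.

```php
<?php
// Added example for a mu-plugin on a multisite network; not the plugin's code.
// Function names and the meta key are hypothetical.

// Opt out of auto-adding provisioned users to the site. __return_false is a
// WordPress core helper, so the filter's argument list does not matter here.
add_filter( 'wp_saml_auth_auto_add_to_blog', '__return_false' );

// Fragile form, shown for contrast and deliberately not hooked: it assumes
// every new user has a role, so for a network-only user it reads a missing
// array key and stores null.
function example_fragile_handler( $user ) {
	$role = $user->roles[0];
	update_user_meta( $user->ID, 'example_initial_role', $role );
}

// Hardened form: treat an empty roles array as a valid state and fail closed.
function example_hardened_handler( $user ) {
	if ( ! ( $user instanceof WP_User ) ) {
		return;
	}

	if ( empty( $user->roles ) ) {
		// Network-only user: no role on the current site.
		error_log(
			sprintf(
				'SAML user %d has no role on site %d; skipping role-based setup.',
				$user->ID,
				get_current_blog_id()
			)
		);
		return;
	}

	// The roles array is not guaranteed to be indexed from 0, so reindex
	// before taking the first entry.
	$role = array_values( $user->roles )[0];
	update_user_meta( $user->ID, 'example_initial_role', $role );
}
add_action( 'wp_saml_auth_new_user_authenticated', 'example_hardened_handler' );
```

Any hook that grants access, sends role-specific onboarding, or syncs group membership based on $user->roles should take the early-return path for a roleless user instead of falling through to a default.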

@AnaisPantheor
Contributor

Hey @scottbuscemi — this PR is blocked because some commits don't have verified signatures, and our branch protection requires all commits to be verified before merging.

Here's how to set up commit signing so your commits show as "Verified" on GitHub:

Option 1: SSH signing (easiest if you already use SSH for GitHub)

  1. Configure Git to sign commits with your SSH key:

    git config --global gpg.format ssh
    git config --global user.signingkey ~/.ssh/id_ed25519
    git config --global commit.gpgsign true
    

    (Replace ~/.ssh/id_ed25519 with the path to your actual SSH private key if different.)

  2. Add your SSH public key as a Signing Key on GitHub:

Option 2: GPG signing

  1. Generate a GPG key: gpg --full-generate-key (use the same email as your GitHub account)
  2. Get your key ID: gpg --list-secret-keys --keyid-format=long
  3. Configure Git:
    git config --global user.signingkey YOUR_KEY_ID
    git config --global commit.gpgsign true
    
  4. Export and add your GPG public key to GitHub:
    gpg --armor --export YOUR_KEY_ID
    
    Add it at https://github.com/settings/keys under GPG keys.

Once signing is set up

We'll need to close this PR and create a new one with signed commits. You can squash everything into a single signed commit like this:

    git checkout main && git pull
    git checkout -b feat-req-default-user-v2
    git merge --squash feat-req-default-user
    git commit -m "Add wp_saml_auth_auto_add_to_blog filter"
    git push -u origin feat-req-default-user-v2

Then open a new PR from feat-req-default-user-v2.

Full GitHub docs: https://docs.github.com/en/authentication/managing-commit-signature-verification

scottbuscemi and others added 3 commits March 5, 2026 13:37
Documents the new multisite filter that controls whether auto-provisioned
users are added to sites. Includes examples for preventing auto-add to all
sites and for preventing auto-add to site ID 1 specifically.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
@scottbuscemi force-pushed the feat-req-default-user branch from 502ba95 to 3239ec5 on March 5, 2026 21:37
@AnaisPantheor force-pushed the feat-req-default-user branch from 3239ec5 to b787426 on March 5, 2026 21:46
@AnaisPantheor merged commit ef73ace into main on Mar 6, 2026
29 of 30 checks passed
@AnaisPantheor deleted the feat-req-default-user branch on March 6, 2026 16:48