diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml index 3c9854dc9e16b..d393c31900018 100644 --- a/.github/workflows/coding-standards.yml +++ b/.github/workflows/coding-standards.yml @@ -107,6 +107,6 @@ jobs: workflow_id: 'failed-workflow.yml', ref: 'trunk', inputs: { - run_id: '${{ github.run_id }}' + run_id: context.runId, } }); diff --git a/.github/workflows/end-to-end-tests.yml b/.github/workflows/end-to-end-tests.yml index d77e439b2964c..f9bf4aa1eb6d4 100644 --- a/.github/workflows/end-to-end-tests.yml +++ b/.github/workflows/end-to-end-tests.yml @@ -93,6 +93,6 @@ jobs: workflow_id: 'failed-workflow.yml', ref: 'trunk', inputs: { - run_id: '${{ github.run_id }}' + run_id: context.runId, } }); diff --git a/.github/workflows/failed-workflow.yml b/.github/workflows/failed-workflow.yml index 383800a3fc592..fb9b3e099809a 100644 --- a/.github/workflows/failed-workflow.yml +++ b/.github/workflows/failed-workflow.yml @@ -38,7 +38,7 @@ jobs: const workflow_run = await github.rest.actions.getWorkflowRun({ owner: context.repo.owner, repo: context.repo.repo, - run_id: ${{ inputs.run_id }}, + run_id: process.env.RUN_ID, }); // Only rerun after the first run attempt. @@ -49,6 +49,8 @@ jobs: const rerun = await github.rest.actions.reRunWorkflowFailedJobs({ owner: context.repo.owner, repo: context.repo.repo, - run_id: ${{ inputs.run_id }}, + run_id: process.env.RUN_ID, enable_debug_logging: true }); + env: + RUN_ID: ${{ inputs.run_id }} diff --git a/.github/workflows/install-testing.yml b/.github/workflows/install-testing.yml index f347958e8b4ae..1060010a84605 100644 --- a/.github/workflows/install-testing.yml +++ b/.github/workflows/install-testing.yml 
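Review bot: `run_id: context.runId,` in the `inputs` object passes a JavaScript number where the removed line passed a quoted string. Workflow-dispatch input values are documented as strings, so the dispatch to `failed-workflow.yml` may be rejected or coerced depending on how the API validates the payload. I would keep the value a string with `run_id: String( context.runId ),`. The same line is added in end-to-end-tests.yml, install-testing.yml, javascript-tests.yml, local-docker-environment.yml, performance.yml, php-compatibility.yml and phpunit-tests.yml. The enclosing `github-script` step starts outside each hunk.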
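Review bot: In failed-workflow.yml, `process.env.RUN_ID` reaches `getWorkflowRun` and `reRunWorkflowFailedJobs` as an unchecked string, where the removed lines inlined the input as a bare literal. Moving the input into `env:` keeps it out of the script source, but the script should still confirm the value is a run id before using it, for example `if ( ! /^\d+$/.test( process.env.RUN_ID ) ) { throw new Error( 'run_id must be numeric' ); }` followed by `const runId = Number( process.env.RUN_ID );`, passing `runId` to both calls. The script body starts outside both hunks.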
@@ -119,16 +119,20 @@ jobs: with: php-version: '${{ matrix.php }}' coverage: none - tools: wp-cli${{ contains( fromJSON('["5.4", "5.5"]'), matrix.php ) && ':2.4.0' || '' }} + tools: ${{ contains( fromJSON('["5.4", "5.5"]'), matrix.php ) && 'wp-cli:2.4.0' || 'wp-cli' }} - name: Download WordPress - run: wp core download ${{ inputs.wp-version && format( '--version={0}', inputs.wp-version ) || '--version=nightly' }} + run: wp core download --version="${WP_VERSION}" + env: + WP_VERSION: ${{ inputs.wp-version || 'nightly' }} - name: Create wp-config.php file - run: wp config create --dbname=test_db --dbuser=root --dbpass=root --dbhost=127.0.0.1:${{ job.services.database.ports['3306'] }} + run: wp config create --dbname=test_db --dbuser=root --dbpass=root --dbhost="127.0.0.1:${DB_PORT}" + env: + DB_PORT: ${{ job.services.database.ports['3306'] }} - name: Install WordPress - run: wp core ${{ matrix.multisite && 'multisite-' || '' }}install --url=http://localhost/ --title="Upgrade Test" --admin_user=admin --admin_password=password --admin_email=me@example.org --skip-email + run: wp core ${{ matrix.multisite && 'multisite-install' || 'install' }} --url=http://localhost/ --title="Upgrade Test" --admin_user=admin --admin_password=password --admin_email=me@example.org --skip-email slack-notifications: name: Slack Notifications @@ -175,6 +179,6 @@ jobs: workflow_id: 'failed-workflow.yml', ref: 'trunk', inputs: { - run_id: '${{ github.run_id }}' + run_id: context.runId, } }); diff --git a/.github/workflows/javascript-tests.yml b/.github/workflows/javascript-tests.yml index 5872bc5b166c0..b1e2018b6e002 100644 --- a/.github/workflows/javascript-tests.yml +++ b/.github/workflows/javascript-tests.yml @@ -97,6 +97,6 @@ jobs: workflow_id: 'failed-workflow.yml', ref: 'trunk', inputs: { - run_id: '${{ github.run_id }}' + run_id: context.runId, } }); 
diff --git a/.github/workflows/local-docker-environment.yml b/.github/workflows/local-docker-environment.yml index 09b212e90ead5..896f2abb11faa 100644 --- a/.github/workflows/local-docker-environment.yml +++ b/.github/workflows/local-docker-environment.yml @@ -104,7 +104,6 @@ jobs: db-type: 'mysql' db-version: ${{ matrix.db-version }} memcached: ${{ matrix.memcached }} - tests-domain: ${{ matrix.tests-domain }} slack-notifications: name: Slack Notifications @@ -151,6 +150,6 @@ jobs: workflow_id: 'failed-workflow.yml', ref: 'trunk', inputs: { - run_id: '${{ github.run_id }}' + run_id: context.runId, } }); diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml index dbb672a30da39..6ee3d98db8a0f 100644 --- a/.github/workflows/performance.yml +++ b/.github/workflows/performance.yml @@ -93,6 +93,6 @@ jobs: workflow_id: 'failed-workflow.yml', ref: 'trunk', inputs: { - run_id: '${{ github.run_id }}' + run_id: context.runId, } }); diff --git a/.github/workflows/php-compatibility.yml b/.github/workflows/php-compatibility.yml index eb4163edf38d5..daa8998414438 100644 --- a/.github/workflows/php-compatibility.yml +++ b/.github/workflows/php-compatibility.yml @@ -94,6 +94,6 @@ jobs: workflow_id: 'failed-workflow.yml', ref: 'trunk', inputs: { - run_id: '${{ github.run_id }}' + run_id: context.runId, } }); diff --git a/.github/workflows/phpunit-tests.yml b/.github/workflows/phpunit-tests.yml index 3fe069b709fea..2cf3212ff6d83 100644 --- a/.github/workflows/phpunit-tests.yml +++ b/.github/workflows/phpunit-tests.yml @@ -144,7 +144,7 @@ jobs: multisite: ${{ matrix.multisite }} memcached: ${{ matrix.memcached }} phpunit-config: ${{ matrix.multisite && 'tests/phpunit/multisite.xml' || 'phpunit.xml.dist' }} - report: ${{ matrix.report || false }} + report: ${{ false }} # # Creates PHPUnit test jobs to test MariaDB and MySQL innovation releases. 
@@ -193,7 +193,7 @@ jobs: multisite: ${{ matrix.multisite }} memcached: ${{ matrix.memcached }} phpunit-config: ${{ matrix.multisite && 'tests/phpunit/multisite.xml' || 'phpunit.xml.dist' }} - report: ${{ matrix.report || false }} + report: ${{ false }} # # Runs specific individual test groups. @@ -263,6 +263,6 @@ jobs: workflow_id: 'failed-workflow.yml', ref: 'trunk', inputs: { - run_id: '${{ github.run_id }}' + run_id: context.runId, } }); diff --git a/.github/workflows/props-bot.yml b/.github/workflows/props-bot.yml index 548f9023a92e2..474213062e44f 100644 --- a/.github/workflows/props-bot.yml +++ b/.github/workflows/props-bot.yml @@ -85,6 +85,8 @@ jobs: github.rest.issues.removeLabel({ owner: context.repo.owner, repo: context.repo.repo, - issue_number: '${{ github.event.number }}', + issue_number: process.env.ISSUE_NUMBER, name: 'props-bot' }); + env: + ISSUE_NUMBER: ${{ github.event.number }} diff --git a/.github/workflows/pull-request-comments.yml b/.github/workflows/pull-request-comments.yml index ab7eba9ceffaa..df060fc657f1b 100644 --- a/.github/workflows/pull-request-comments.yml +++ b/.github/workflows/pull-request-comments.yml @@ -96,7 +96,7 @@ jobs: const artifacts = await github.rest.actions.listWorkflowRunArtifacts( { owner: context.repo.owner, repo: context.repo.repo, - run_id: ${{ github.event.workflow_run.id }}, + run_id: process.env.RUN_ID, } ); const matchArtifact = artifacts.data.artifacts.filter( ( artifact ) => { @@ -117,6 +117,8 @@ jobs: const fs = require( 'fs' ); fs.writeFileSync( '${{github.workspace}}/pr-number.zip', Buffer.from( download.data ) ) + env: + RUN_ID: ${{ github.event.workflow_run.id }} - name: Unzip the artifact containing the PR number run: unzip pr-number.zip diff --git a/.github/workflows/reusable-cleanup-pull-requests.yml b/.github/workflows/reusable-cleanup-pull-requests.yml index c63bab2d67751..8c49236782dd2 100644 --- a/.github/workflows/reusable-cleanup-pull-requests.yml 
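Review bot: In pull-request-comments.yml, the `fs.writeFileSync( '${{github.workspace}}/pr-number.zip', … )` context line directly above the new `env:` block still expands an expression inside the script source, which is the pattern this change removes for `run_id` in the same step. The runner sets the workspace path, so the exposure is low, but the step is easier to audit when no `${{ }}` remains in the script. `fs.writeFileSync( process.env.GITHUB_WORKSPACE + '/pr-number.zip', Buffer.from( download.data ) )` would match what reusable-performance.yml does for `before.zip` in this same diff. The script starts outside the hunk.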
+++ b/.github/workflows/reusable-cleanup-pull-requests.yml @@ -29,21 +29,19 @@ jobs: steps: - name: Find fixed ticket numbers id: trac-tickets + env: + COMMIT_MSG_RAW: ${{ github.event.head_commit.message }} run: | - COMMIT_MESSAGE=$(cat <<'EOF' | sed -n '/^Fixes #/,/\./p' - ${{ github.event.head_commit.message }} - EOF - ) - echo "fixed_list=$(echo \"$COMMIT_MESSAGE\" | sed -n 's/.*Fixes #\([0-9]\+\).*/\1/p' | tr '\n' ' ')" >> $GITHUB_OUTPUT + COMMIT_MESSAGE="$(echo "$COMMIT_MSG_RAW" | sed -n '/^Fixes #/,/\./p')" + echo "fixed_list=$(echo "$COMMIT_MESSAGE" | sed -n 's/.*Fixes #\([0-9]\+\).*/\1/p' | tr '\n' ' ')" >> "$GITHUB_OUTPUT" - name: Get the SVN revision id: git-svn-id + env: + COMMIT_MSG_RAW: ${{ github.event.head_commit.message }} run: | - COMMIT_MESSAGE=$(cat <<'EOF' | sed -n '$p' - ${{ github.event.head_commit.message }} - EOF - ) - echo "svn_revision_number=$(echo \"$COMMIT_MESSAGE\" | sed -n 's/.*git-svn-id: https:\/\/develop.svn.wordpress.org\/[^@]*@\([0-9]*\) .*/\1/p')" >> $GITHUB_OUTPUT + COMMIT_MESSAGE="$(echo "$COMMIT_MSG_RAW" | sed -n '$p')" + echo "svn_revision_number=$(echo "$COMMIT_MESSAGE" | sed -n 's/.*git-svn-id: https:\/\/develop.svn.wordpress.org\/[^@]*@\([0-9]*\) .*/\1/p')" >> "$GITHUB_OUTPUT" - name: Find pull requests id: linked-prs diff --git a/.github/workflows/reusable-coding-standards-javascript.yml b/.github/workflows/reusable-coding-standards-javascript.yml index 156c201bc8f48..23c0be570bac7 100644 --- a/.github/workflows/reusable-coding-standards-javascript.yml +++ b/.github/workflows/reusable-coding-standards-javascript.yml @@ -9,6 +9,10 @@ on: env: PUPPETEER_SKIP_DOWNLOAD: ${{ true }} +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Runs the JavaScript coding standards checks. # 
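Review bot: `echo "$COMMIT_MSG_RAW"` in both rewritten steps hands untrusted commit-message text to `echo`, whose handling of a value such as `-n` or `-e`, and of backslashes, depends on the shell and its options. `printf '%s\n' "$COMMIT_MSG_RAW" | sed -n '/^Fixes #/,/\./p'` (and the same for the `sed -n '$p'` line) prints the message unchanged. A one-line comment on each `env:` block, e.g. `# Untrusted input: passed through env so it is never interpolated into the script.`, would also help keep a later edit from reintroducing the inline expression.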
@@ -33,6 +37,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 diff --git a/.github/workflows/reusable-coding-standards-php.yml b/.github/workflows/reusable-coding-standards-php.yml index b07203797eb3e..28c09a42d1121 100644 --- a/.github/workflows/reusable-coding-standards-php.yml +++ b/.github/workflows/reusable-coding-standards-php.yml @@ -17,6 +17,10 @@ on: type: 'boolean' default: false +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Runs the PHP coding standards checks. # @@ -45,6 +49,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up PHP uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1 @@ -57,7 +62,7 @@ jobs: # http://man7.org/linux/man-pages/man1/date.1.html - name: "Get last Monday's date" id: get-date - run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> $GITHUB_OUTPUT + run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT" - name: Cache PHPCS scan cache uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 @@ -75,7 +80,7 @@ jobs: custom-cache-suffix: ${{ steps.get-date.outputs.date }} - name: Make Composer packages available globally - run: echo "${PWD}/vendor/bin" >> $GITHUB_PATH + run: echo "${PWD}/vendor/bin" >> "$GITHUB_PATH" - name: Run PHPCS on all Core files id: phpcs-core diff --git a/.github/workflows/reusable-end-to-end-tests.yml b/.github/workflows/reusable-end-to-end-tests.yml index 1d2273bd588d7..823c9005955fe 100644 --- a/.github/workflows/reusable-end-to-end-tests.yml 
+++ b/.github/workflows/reusable-end-to-end-tests.yml @@ -33,6 +33,10 @@ env: LOCAL_DIR: build LOCAL_PHP: ${{ inputs.php-version }}${{ 'latest' != inputs.php-version && '-fpm' || '' }} +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Runs the end-to-end test suite. # @@ -63,13 +67,14 @@ jobs: steps: - name: Configure environment variables run: | - echo "PHP_FPM_UID=$(id -u)" >> $GITHUB_ENV - echo "PHP_FPM_GID=$(id -g)" >> $GITHUB_ENV + echo "PHP_FPM_UID=$(id -u)" >> "$GITHUB_PATH" + echo "PHP_FPM_GID=$(id -g)" >> "$GITHUB_ENV" - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 
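Review bot: The first added line in the "Configure environment variables" step appends `PHP_FPM_UID=$(id -u)` to `"$GITHUB_PATH"`, while the removed line and the `PHP_FPM_GID` line next to it write to `GITHUB_ENV`. As written, `PHP_FPM_UID` is never exported to later steps and a meaningless `PHP_FPM_UID=<uid>` entry is added to `PATH`. Any later step that reads the variable (presumably the Docker environment, not visible here) would see it unset. The line should read `echo "PHP_FPM_UID=$(id -u)" >> "$GITHUB_ENV"`, as in the matching hunks for reusable-performance.yml and the PHPUnit workflows.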
@@ -117,13 +122,18 @@ jobs: - name: Install Gutenberg if: ${{ inputs.install-gutenberg }} - run: npm run env:cli -- plugin install gutenberg${{ inputs.gutenberg-version && format( ' --version={0}', inputs.gutenberg-version ) || '' }} --path=/var/www/${{ env.LOCAL_DIR }} + run: | + npm run env:cli -- plugin install gutenberg \ + ${{ inputs.gutenberg-version && '--version="${GUTENBERG_VERSION}"' || '' }} \ + --path="/var/www/${LOCAL_DIR}" + env: + GUTENBERG_VERSION: ${{ inputs.gutenberg-version }} - name: Install additional languages run: | - npm run env:cli -- language core install de_DE --path=/var/www/${{ env.LOCAL_DIR }} - npm run env:cli -- language plugin install de_DE --all --path=/var/www/${{ env.LOCAL_DIR }} - npm run env:cli -- language theme install de_DE --all --path=/var/www/${{ env.LOCAL_DIR }} + npm run env:cli -- language core install de_DE --path="/var/www/${LOCAL_DIR}" + npm run env:cli -- language plugin install de_DE --all --path="/var/www/${LOCAL_DIR}" + npm run env:cli -- language theme install de_DE --all --path="/var/www/${LOCAL_DIR}" - name: Run E2E tests run: npm run test:e2e diff --git a/.github/workflows/reusable-javascript-tests.yml b/.github/workflows/reusable-javascript-tests.yml index e88f510cdfdf3..944833d8ff550 100644 --- a/.github/workflows/reusable-javascript-tests.yml +++ b/.github/workflows/reusable-javascript-tests.yml @@ -12,6 +12,10 @@ on: type: 'boolean' default: false +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Runs the QUnit test suite. # @@ -34,6 +38,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 
diff --git a/.github/workflows/reusable-performance.yml b/.github/workflows/reusable-performance.yml index 0c2c61aafc7a5..e467d9ce850fe 100644 --- a/.github/workflows/reusable-performance.yml +++ b/.github/workflows/reusable-performance.yml @@ -64,6 +64,10 @@ env: LOCAL_PHP: ${{ inputs.php-version }}${{ 'latest' != inputs.php-version && '-fpm' || '' }} LOCAL_MULTISITE: ${{ inputs.multisite }} +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Performs the following steps: # - Configure environment variables. @@ -119,19 +123,20 @@ jobs: steps: - name: Configure environment variables run: | - echo "PHP_FPM_UID=$(id -u)" >> $GITHUB_ENV - echo "PHP_FPM_GID=$(id -g)" >> $GITHUB_ENV + echo "PHP_FPM_UID=$(id -u)" >> "$GITHUB_ENV" + echo "PHP_FPM_GID=$(id -g)" >> "$GITHUB_ENV" - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} fetch-depth: ${{ github.event_name == 'workflow_dispatch' && '2' || '1' }} + persist-credentials: false # The `workflow_dispatch` event is the only one missing the needed SHA to target. - name: Retrieve previous commit SHA (if necessary) if: ${{ github.event_name == 'workflow_dispatch' }} - run: echo "TARGET_SHA=$(git rev-parse HEAD^1)" >> $GITHUB_ENV + run: echo "TARGET_SHA=$(git rev-parse HEAD^1)" >> "$GITHUB_ENV" - name: Set up Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 
@@ -181,47 +186,47 @@ jobs: - name: Enable themes on Multisite if: ${{ inputs.multisite }} run: | - npm run env:cli -- theme enable twentytwentyone --network --path=/var/www/${{ env.LOCAL_DIR }} - npm run env:cli -- theme enable twentytwentythree --network --path=/var/www/${{ env.LOCAL_DIR }} - npm run env:cli -- theme enable twentytwentyfour --network --path=/var/www/${{ env.LOCAL_DIR }} - npm run env:cli -- theme enable twentytwentyfive --network --path=/var/www/${{ env.LOCAL_DIR }} + npm run env:cli -- theme enable twentytwentyone --network --path="/var/www/${LOCAL_DIR}" + npm run env:cli -- theme enable twentytwentythree --network --path="/var/www/${LOCAL_DIR}" + npm run env:cli -- theme enable twentytwentyfour --network --path="/var/www/${LOCAL_DIR}" + npm run env:cli -- theme enable twentytwentyfive --network --path="/var/www/${LOCAL_DIR}" - name: Install WordPress Importer plugin - run: npm run env:cli -- plugin install wordpress-importer --activate --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- plugin install wordpress-importer --activate --path="/var/www/${LOCAL_DIR}" - name: Import mock data run: | curl -O https://raw.githubusercontent.com/WordPress/theme-test-data/b9752e0533a5acbb876951a8cbb5bcc69a56474c/themeunittestdata.wordpress.xml - npm run env:cli -- import themeunittestdata.wordpress.xml --authors=create --path=/var/www/${{ env.LOCAL_DIR }} + npm run env:cli -- import themeunittestdata.wordpress.xml --authors=create --path="/var/www/${LOCAL_DIR}" rm themeunittestdata.wordpress.xml - name: Deactivate WordPress Importer plugin - run: npm run env:cli -- plugin deactivate wordpress-importer --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- plugin deactivate wordpress-importer --path="/var/www/${LOCAL_DIR}" - name: Update permalink structure - run: npm run env:cli -- rewrite structure '/%year%/%monthnum%/%postname%/' --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- rewrite structure 
'/%year%/%monthnum%/%postname%/' --path="/var/www/${LOCAL_DIR}" - name: Install additional languages run: | - npm run env:cli -- language core install de_DE --path=/var/www/${{ env.LOCAL_DIR }} - npm run env:cli -- language plugin install de_DE --all --path=/var/www/${{ env.LOCAL_DIR }} - npm run env:cli -- language theme install de_DE --all --path=/var/www/${{ env.LOCAL_DIR }} + npm run env:cli -- language core install de_DE --path="/var/www/${LOCAL_DIR}" + npm run env:cli -- language plugin install de_DE --all --path="/var/www/${LOCAL_DIR}" + npm run env:cli -- language theme install de_DE --all --path="/var/www/${LOCAL_DIR}" # Prevent background update checks from impacting test stability. - name: Disable external HTTP requests - run: npm run env:cli -- config set WP_HTTP_BLOCK_EXTERNAL true --raw --type=constant --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- config set WP_HTTP_BLOCK_EXTERNAL true --raw --type=constant --path="/var/www/${LOCAL_DIR}" # Prevent background tasks from impacting test stability. - name: Disable cron - run: npm run env:cli -- config set DISABLE_WP_CRON true --raw --type=constant --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- config set DISABLE_WP_CRON true --raw --type=constant --path="/var/www/${LOCAL_DIR}" - name: List defined constants - run: npm run env:cli -- config list --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- config list --path="/var/www/${LOCAL_DIR}" - name: Install MU plugin run: | - mkdir ./${{ env.LOCAL_DIR }}/wp-content/mu-plugins - cp ./tests/performance/wp-content/mu-plugins/server-timing.php ./${{ env.LOCAL_DIR }}/wp-content/mu-plugins/server-timing.php + mkdir "./${LOCAL_DIR}/wp-content/mu-plugins" + cp ./tests/performance/wp-content/mu-plugins/server-timing.php "./${LOCAL_DIR}/wp-content/mu-plugins/server-timing.php" - name: Run performance tests (current commit) run: npm run test:performance 
@@ -252,27 +257,27 @@ jobs: } ); const fs = require( 'fs' ); - fs.writeFileSync( '${{ github.workspace }}/before.zip', Buffer.from( download.data ) ) + fs.writeFileSync( process.env.GITHUB_WORKSPACE + '/before.zip', Buffer.from( download.data ) ) return true; - name: Unzip the build if: ${{ steps.get-previous-build.outputs.result }} run: | - unzip ${{ github.workspace }}/before.zip - unzip -o ${{ github.workspace }}/wordpress.zip + unzip "${GITHUB_WORKSPACE}/before.zip" + unzip -o "${GITHUB_WORKSPACE}/wordpress.zip" - name: Run any database upgrades if: ${{ steps.get-previous-build.outputs.result }} - run: npm run env:cli -- core update-db --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- core update-db --path="/var/www/${LOCAL_DIR}" - name: Flush cache if: ${{ steps.get-previous-build.outputs.result }} - run: npm run env:cli -- cache flush --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- cache flush --path="/var/www/${LOCAL_DIR}" - name: Delete expired transients if: ${{ steps.get-previous-build.outputs.result }} - run: npm run env:cli -- transient delete --expired --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- transient delete --expired --path="/var/www/${LOCAL_DIR}" - name: Run target performance tests (previous/target commit) if: ${{ steps.get-previous-build.outputs.result }} 
@@ -283,22 +288,22 @@ jobs: - name: Set the environment to the baseline version if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' }} run: | - VERSION="${{ env.BASE_TAG }}" + VERSION="${BASE_TAG}" VERSION="${VERSION%.0}" - npm run env:cli -- core update --version=$VERSION --force --path=/var/www/${{ env.LOCAL_DIR }} - npm run env:cli -- core version --path=/var/www/${{ env.LOCAL_DIR }} + npm run env:cli -- core update --version="$VERSION" --force --path="/var/www/${LOCAL_DIR}" + npm run env:cli -- core version --path="/var/www/${LOCAL_DIR}" - name: Run any database upgrades if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' }} - run: npm run env:cli -- core update-db --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- core update-db --path="/var/www/${LOCAL_DIR}" - name: Flush cache if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' }} - run: npm run env:cli -- cache flush --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- cache flush --path="/var/www/${LOCAL_DIR}" - name: Delete expired transients if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' }} - run: npm run env:cli -- transient delete --expired --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- transient delete --expired --path="/var/www/${LOCAL_DIR}" - name: Run baseline performance tests if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' }} @@ -316,10 +321,10 @@ jobs: include-hidden-files: true - name: Compare results - run: node ./tests/performance/compare-results.js ${{ runner.temp }}/summary.md + run: node ./tests/performance/compare-results.js "${RUNNER_TEMP}/summary.md" - name: Add workflow summary - run: cat ${{ runner.temp }}/summary.md >> $GITHUB_STEP_SUMMARY + run: cat "${RUNNER_TEMP}/summary.md" >> "$GITHUB_STEP_SUMMARY" - name: Set the base sha # Only needed when publishing results. 
@@ -329,15 +334,13 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const baseRef = await github.rest.git.getRef({ owner: context.repo.owner, repo: context.repo.repo, ref: 'tags/${{ env.BASE_TAG }}' }); + const baseRef = await github.rest.git.getRef({ + owner: context.repo.owner, + repo: context.repo.repo, + ref: 'tags/' + process.env.BASE_TAG, + }); return baseRef.data.object.sha; - - name: Set commit details - # Only needed when publishing results. - if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' && ! inputs.memcached && ! inputs.multisite }} - # Write to an environment variable to have the output available in later steps of the job. - run: echo "COMMITTED_AT=$(git show -s $GITHUB_SHA --format='%cI')" >> $GITHUB_ENV - - name: Publish performance results # Only publish results on pushes to trunk. if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' && ! inputs.memcached && ! inputs.multisite }} @@ -347,10 +350,11 @@ jobs: HOST_NAME: "www.codevitals.run" run: | if [ -z "$CODEVITALS_PROJECT_TOKEN" ]; then - echo "Performance results could not be published. 'CODEVITALS_PROJECT_TOKEN' is not set" >> $GITHUB_OUTPUT + echo "Performance results could not be published. 'CODEVITALS_PROJECT_TOKEN' is not set" exit 1 fi - node ./tests/performance/log-results.js $CODEVITALS_PROJECT_TOKEN trunk $GITHUB_SHA $BASE_SHA $COMMITTED_AT $HOST_NAME + COMMITTED_AT="$(git show -s "$GITHUB_SHA" --format='%cI')" + node ./tests/performance/log-results.js "$CODEVITALS_PROJECT_TOKEN" trunk "$GITHUB_SHA" "$BASE_SHA" "$COMMITTED_AT" "$HOST_NAME" - name: Ensure version-controlled files are not modified or deleted run: git diff --exit-code diff --git a/.github/workflows/reusable-php-compatibility.yml b/.github/workflows/reusable-php-compatibility.yml index b68db051bf417..f07e68cf5e32c 100644 --- a/.github/workflows/reusable-php-compatibility.yml +++ b/.github/workflows/reusable-php-compatibility.yml 
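Review bot: The rewritten `node ./tests/performance/log-results.js "$CODEVITALS_PROJECT_TOKEN" …` line in the "Publish performance results" step still passes the secret as a command-line argument, which exposes it in the runner's process list and to anything that records argv. The token is already in the step's environment (the `-z "$CODEVITALS_PROJECT_TOKEN"` test reads it), so the script could read `process.env.CODEVITALS_PROJECT_TOKEN` itself and the argument could be dropped. `log-results.js` is not part of this diff, so that needs a matching change there. The step's `env:` block starts outside the hunk.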
@@ -12,6 +12,10 @@ on: type: 'string' default: 'latest' +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Runs PHP compatibility tests. # @@ -39,6 +43,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up PHP uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1 @@ -55,7 +60,7 @@ jobs: # http://man7.org/linux/man-pages/man1/date.1.html - name: "Get last Monday's date" id: get-date - run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> $GITHUB_OUTPUT + run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT" - name: Cache PHP compatibility scan cache uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 @@ -71,7 +76,7 @@ jobs: custom-cache-suffix: ${{ steps.get-date.outputs.date }} - name: Make Composer packages available globally - run: echo "${PWD}/vendor/bin" >> $GITHUB_PATH + run: echo "${PWD}/vendor/bin" >> "$GITHUB_PATH" - name: Run PHP compatibility tests id: phpcs diff --git a/.github/workflows/reusable-phpunit-tests-v1.yml b/.github/workflows/reusable-phpunit-tests-v1.yml index e02a890a6debf..1b08f69c15069 100644 --- a/.github/workflows/reusable-phpunit-tests-v1.yml +++ b/.github/workflows/reusable-phpunit-tests-v1.yml @@ -50,6 +50,7 @@ on: type: boolean default: false env: + COMPOSER_INSTALL: ${{ false }} LOCAL_PHP: ${{ inputs.php }}-fpm LOCAL_PHPUNIT: ${{ inputs.phpunit && inputs.phpunit || inputs.php }}-fpm LOCAL_PHP_MEMCACHED: ${{ inputs.memcached }} @@ -58,6 +59,10 @@ env: PUPPETEER_SKIP_DOWNLOAD: ${{ true }} SLOW_TESTS: 'external-http,media' +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Runs the PHPUnit tests for WordPress. # 
@@ -86,13 +91,14 @@ jobs: steps: - name: Configure environment variables run: | - echo "PHP_FPM_UID=$(id -u)" >> $GITHUB_ENV - echo "PHP_FPM_GID=$(id -g)" >> $GITHUB_ENV + echo "PHP_FPM_UID=$(id -u)" >> "$GITHUB_ENV" + echo "PHP_FPM_GID=$(id -g)" >> "$GITHUB_ENV" - name: Checkout repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 @@ -106,6 +112,11 @@ jobs: - name: Build WordPress run: npm run build + - name: Get composer cache directory + if: ${{ env.COMPOSER_INSTALL == true }} + id: composer-cache + run: echo "composer_dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT" + - name: Cache Composer dependencies if: ${{ env.COMPOSER_INSTALL == true }} uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 @@ -135,7 +146,8 @@ jobs: if: ${{ inputs.memcached }} run: | cp tests/phpunit/includes/object-cache.php build/wp-content/object-cache.php - docker run --name memcached --net $(basename "$PWD")_wpdevnet -d memcached + BASE=$(basename "$PWD") + docker run --name memcached --net "${BASE}_wpdevnet" -d memcached - name: General debug information run: | 
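Review bot: The new "Get composer cache directory" step is gated on `env.COMPOSER_INSTALL == true`, but environment values are strings, and the workflow-level `COMPOSER_INSTALL: ${{ false }}` added in this file is stored as the string `false`. As far as I can tell from GitHub's expression coercion rules, a string compared with a boolean is converted to a number, so neither `'false'` nor `'true'` equals `true`. That would mean this step, and the existing "Cache Composer dependencies" step with the same condition, can never run. If something is meant to switch the variable on through `GITHUB_ENV`, the condition should be `if: ${{ env.COMPOSER_INSTALL == 'true' }}`; whatever sets the variable is outside this hunk.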
@@ -160,24 +172,24 @@ jobs: - name: Run slow PHPUnit tests if: ${{ inputs.split_slow }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} --group ${{ env.SLOW_TESTS }} + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" --group "${SLOW_TESTS}" - name: Run PHPUnit tests for single site excluding slow tests if: ${{ inputs.php < '7.0' && ! inputs.split_slow && ! inputs.multisite }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} --exclude-group ${{ env.SLOW_TESTS }},ajax,ms-files,ms-required + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" --exclude-group "${SLOW_TESTS},ajax,ms-files,ms-required" - name: Run PHPUnit tests for Multisite excluding slow tests if: ${{ inputs.php < '7.0' && ! inputs.split_slow && inputs.multisite }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} --exclude-group ${{ env.SLOW_TESTS }},ajax,ms-files,ms-excluded,oembed-headers + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" --exclude-group "${SLOW_TESTS},ajax,ms-files,ms-excluded,oembed-headers" - name: Run PHPUnit tests if: ${{ inputs.php >= '7.0' }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" - name: Run AJAX tests if: ${{ ! inputs.multisite && ! inputs.split_slow }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} --group ajax + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" --group ajax - name: Run external HTTP tests if: ${{ ! inputs.multisite && ! inputs.split_slow }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c phpunit.xml.dist --group external-http + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c phpunit.xml.dist --group external-http 
diff --git a/.github/workflows/reusable-phpunit-tests-v2.yml b/.github/workflows/reusable-phpunit-tests-v2.yml index d96928e3f1a07..eea607c3f45b8 100644 --- a/.github/workflows/reusable-phpunit-tests-v2.yml +++ b/.github/workflows/reusable-phpunit-tests-v2.yml @@ -63,6 +63,10 @@ env: PHPUNIT_SCRIPT: php SLOW_TESTS: 'external-http,media' +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Runs the PHPUnit tests for WordPress. # @@ -89,13 +93,14 @@ jobs: steps: - name: Configure environment variables run: | - echo "PHP_FPM_UID=$(id -u)" >> $GITHUB_ENV - echo "PHP_FPM_GID=$(id -g)" >> $GITHUB_ENV + echo "PHP_FPM_UID=$(id -u)" >> "$GITHUB_ENV" + echo "PHP_FPM_GID=$(id -g)" >> "$GITHUB_ENV" - name: Checkout repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Install Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 @@ -108,7 +113,7 @@ jobs: - name: Get composer cache directory id: composer-cache - run: echo "composer_dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT + run: echo "composer_dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT" - name: Cache Composer dependencies uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 
@@ -125,13 +130,13 @@ jobs: # The PHPUnit 7.x phar is not compatible with PHP 8 and won't be updated, # as PHPUnit 7 is no longer supported. The Composer-installed PHPUnit should be # used for PHP 8 testing instead. - if [ ${{ env.LOCAL_PHP }} == '8.0-fpm' ]; then + if [ "${LOCAL_PHP}" == '8.0-fpm' ]; then docker compose run --rm php composer install --ignore-platform-reqs - echo "PHPUNIT_SCRIPT=php-composer" >> $GITHUB_ENV - elif [ ${{ env.LOCAL_PHP }} == '7.1-fpm' ]; then + echo "PHPUNIT_SCRIPT=php-composer" >> "$GITHUB_ENV" + elif [ "${LOCAL_PHP}" == '7.1-fpm' ]; then docker compose run --rm php composer update git checkout -- composer.lock - elif [[ ${{ env.LOCAL_PHP }} == '5.6-fpm' || ${{ env.LOCAL_PHP }} == '7.0-fpm' ]]; then + elif [[ "${LOCAL_PHP}" == '5.6-fpm' || "${LOCAL_PHP}" == '7.0-fpm' ]]; then docker compose run --rm php composer require --dev phpunit/phpunit:"^5.7" --update-with-dependencies git checkout -- composer.lock composer.json else 
@@ -170,36 +175,36 @@ jobs: - name: Run slow PHPUnit tests if: ${{ inputs.split_slow }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} --group ${{ env.SLOW_TESTS }} + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" --group "${SLOW_TESTS}" - name: Run PHPUnit tests for single site excluding slow tests if: ${{ inputs.php < '7.0' && ! inputs.split_slow && ! inputs.multisite }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} --exclude-group ${{ env.SLOW_TESTS }},ajax,ms-files,ms-required + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" --exclude-group "${SLOW_TESTS},ajax,ms-files,ms-required" - name: Run PHPUnit tests for Multisite excluding slow tests if: ${{ inputs.php < '7.0' && ! inputs.split_slow && inputs.multisite }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} --exclude-group ${{ env.SLOW_TESTS }},ajax,ms-files,ms-excluded,oembed-headers + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" --exclude-group "${SLOW_TESTS},ajax,ms-files,ms-excluded,oembed-headers" - name: Run PHPUnit tests if: ${{ inputs.php >= '7.0' }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" - name: Run AJAX tests if: ${{ ! inputs.split_slow&& inputs.test_ajax }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} --group ajax + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" --group ajax - name: Run ms-files tests as a multisite install if: ${{ inputs.multisite && ! 
inputs.split_slow }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} --group ms-files + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" --group ms-files - name: Run external HTTP tests if: ${{ ! inputs.multisite && ! inputs.split_slow }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c phpunit.xml.dist --group external-http + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c phpunit.xml.dist --group external-http # __fakegroup__ is excluded to force PHPUnit to ignore the settings in phpunit.xml.dist. - name: Run (xDebug) tests if: ${{ ! inputs.split_slow }} - run: LOCAL_PHP_XDEBUG=true npm run test:${{ env.PHPUNIT_SCRIPT }} -- -v --group xdebug --exclude-group __fakegroup__ + run: LOCAL_PHP_XDEBUG=true npm run "test:${PHPUNIT_SCRIPT}" -- -v --group xdebug --exclude-group __fakegroup__ - name: Ensure version-controlled files are not modified or deleted run: git diff --exit-code diff --git a/.github/workflows/reusable-phpunit-tests-v3.yml b/.github/workflows/reusable-phpunit-tests-v3.yml index 3d26efa7026b2..d889eacb26eb2 100644 --- a/.github/workflows/reusable-phpunit-tests-v3.yml +++ b/.github/workflows/reusable-phpunit-tests-v3.yml @@ -76,6 +76,10 @@ on: CODECOV_TOKEN: description: 'The Codecov token required for uploading reports.' required: false + WPT_REPORT_API_KEY: + description: 'The WordPress.org Hosting Tests API key.' + required: false + env: LOCAL_PHP: ${{ inputs.php }}-fpm LOCAL_PHP_XDEBUG: ${{ inputs.coverage-report || false }} @@ -87,6 +91,10 @@ env: PHPUNIT_CONFIG: ${{ inputs.phpunit-config }} PUPPETEER_SKIP_DOWNLOAD: ${{ true }} +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Runs the PHPUnit tests for WordPress. # 
@@ -117,13 +125,14 @@ jobs: steps: - name: Configure environment variables run: | - echo "PHP_FPM_UID=$(id -u)" >> $GITHUB_ENV - echo "PHP_FPM_GID=$(id -g)" >> $GITHUB_ENV + echo "PHP_FPM_UID=$(id -u)" >> "$GITHUB_ENV" + echo "PHP_FPM_GID=$(id -g)" >> "$GITHUB_ENV" - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 
@@ -176,33 +185,44 @@ jobs: - name: WordPress Docker container debug information run: | - docker compose run --rm mysql ${{ env.LOCAL_DB_TYPE == 'mariadb' && contains( fromJSON('["5.5", "10.0", "10.1", "10.2", "10.3"]'), env.LOCAL_DB_VERSION ) && 'mysql' || env.LOCAL_DB_TYPE }} --version + docker compose run --rm mysql "${LOCAL_DB_CMD}" --version docker compose run --rm php php --version docker compose run --rm php php -m docker compose run --rm php php -i docker compose run --rm php locale -a + env: + LOCAL_DB_CMD: ${{ env.LOCAL_DB_TYPE == 'mariadb' && contains( fromJSON('["5.5", "10.0", "10.1", "10.2", "10.3"]'), env.LOCAL_DB_VERSION ) && 'mysql' || env.LOCAL_DB_TYPE }} - name: Install WordPress run: npm run env:install - name: Run PHPUnit tests${{ inputs.phpunit-test-groups && format( ' ({0} groups)', inputs.phpunit-test-groups ) || '' }}${{ inputs.coverage-report && ' with coverage report' || '' }} continue-on-error: ${{ inputs.allow-errors }} - run: node ./tools/local-env/scripts/docker.js run php ./vendor/bin/phpunit --verbose -c ${{ env.PHPUNIT_CONFIG }}${{ inputs.phpunit-test-groups && format( ' --group {0}', inputs.phpunit-test-groups ) || '' }}${{ inputs.coverage-report && format( ' --coverage-clover wp-code-coverage-{0}-{1}.xml --coverage-html wp-code-coverage-{0}-{1}', ( inputs.multisite && 'multisite' || 'single' ), github.sha ) || '' }} + run: | + node ./tools/local-env/scripts/docker.js run \ + php ./vendor/bin/phpunit \ + --verbose \ + -c "${PHPUNIT_CONFIG}" \ + ${{ inputs.phpunit-test-groups && '--group "${TEST_GROUPS}"' || '' }} \ + ${{ inputs.coverage-report && '--coverage-clover "wp-code-coverage-${MULTISITE_FLAG}-${GITHUB_SHA}.xml" --coverage-html "wp-code-coverage-${MULTISITE_FLAG}-${GITHUB_SHA}"' || '' }} + env: + TEST_GROUPS: ${{ inputs.phpunit-test-groups }} + MULTISITE_FLAG: ${{ inputs.multisite && 'multisite' || 'single' }} - name: Run AJAX tests if: ${{ ! inputs.phpunit-test-groups && ! 
inputs.coverage-report }} continue-on-error: ${{ inputs.allow-errors }} - run: node ./tools/local-env/scripts/docker.js run php ./vendor/bin/phpunit --verbose -c ${{ env.PHPUNIT_CONFIG }} --group ajax + run: node ./tools/local-env/scripts/docker.js run php ./vendor/bin/phpunit --verbose -c "${PHPUNIT_CONFIG}" --group ajax - name: Run ms-files tests as a multisite install if: ${{ inputs.multisite && ! inputs.phpunit-test-groups && ! inputs.coverage-report }} continue-on-error: ${{ inputs.allow-errors }} - run: node ./tools/local-env/scripts/docker.js run php ./vendor/bin/phpunit --verbose -c ${{ env.PHPUNIT_CONFIG }} --group ms-files + run: node ./tools/local-env/scripts/docker.js run php ./vendor/bin/phpunit --verbose -c "${PHPUNIT_CONFIG}" --group ms-files - name: Run external HTTP tests if: ${{ ! inputs.multisite && ! inputs.phpunit-test-groups && ! inputs.coverage-report }} continue-on-error: ${{ inputs.allow-errors }} - run: node ./tools/local-env/scripts/docker.js run php ./vendor/bin/phpunit --verbose -c ${{ env.PHPUNIT_CONFIG }} --group external-http + run: node ./tools/local-env/scripts/docker.js run php ./vendor/bin/phpunit --verbose -c "${PHPUNIT_CONFIG}" --group external-http # __fakegroup__ is excluded to force PHPUnit to ignore the settings in phpunit.xml.dist. - name: Run (Xdebug) tests @@ -237,6 +257,7 @@ jobs: repository: 'WordPress/phpunit-test-runner' path: 'test-runner' show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Submit test results to the WordPress.org host test results if: ${{ github.ref == 'refs/heads/trunk' && inputs.report }} diff --git a/.github/workflows/reusable-support-json-reader-v1.yml b/.github/workflows/reusable-support-json-reader-v1.yml index f351b716fadb6..02adfb07e70bd 100644 --- a/.github/workflows/reusable-support-json-reader-v1.yml +++ b/.github/workflows/reusable-support-json-reader-v1.yml 
@@ -26,6 +26,10 @@ on: description: "The MySQL versions to test for the given wp-version" value: ${{ jobs.mysql-versions.outputs.versions }} +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Determines the major version of WordPress being tested. # @@ -36,6 +40,8 @@ jobs: # - Returns the major WordPress version as an output based on the value passed to the wp-version input. major-wp-version: name: Determine major WordPress version + permissions: + contents: read runs-on: ubuntu-latest timeout-minutes: 5 outputs: @@ -47,17 +53,20 @@ jobs: with: repository: ${{ inputs.repository }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Determine the major WordPress version id: major-wp-version run: | - if [ "${{ inputs.wp-version }}" ] && [ "${{ inputs.wp-version }}" != "nightly" ] && [ "${{ inputs.wp-version }}" != "latest" ] && [ "${{ inputs.wp-version }}" != "trunk" ]; then - echo "version=$(echo "${{ inputs.wp-version }}" | tr '.' '-' | cut -d '-' -f1-2)" >> $GITHUB_OUTPUT - elif [ "${{ inputs.wp-version }}" ] && [ "${{ inputs.wp-version }}" != "trunk" ]; then - echo "version=$(echo "${{ inputs.wp-version }}")" >> $GITHUB_OUTPUT + if [ "${WP_VERSION}" ] && [ "${WP_VERSION}" != "nightly" ] && [ "${WP_VERSION}" != "latest" ] && [ "${WP_VERSION}" != "trunk" ]; then + echo "version=$(echo "${WP_VERSION}" | tr '.' '-' | cut -d '-' -f1-2)" >> "$GITHUB_OUTPUT" + elif [ "${WP_VERSION}" ] && [ "${WP_VERSION}" != "trunk" ]; then + echo "version=${WP_VERSION}" >> "$GITHUB_OUTPUT" else - echo "version=nightly" >> $GITHUB_OUTPUT + echo "version=nightly" >> "$GITHUB_OUTPUT" fi + env: + WP_VERSION: ${{ inputs.wp-version }} # Determines the versions of PHP supported for a version of WordPress. # 
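Review bot: In the `Determine the major WordPress version` step, the first branch still passes `WP_VERSION` through `tr` and `cut`, both of which work line by line, so a value with an embedded line break reaches `$GITHUB_OUTPUT` as extra lines. Moving the input into `env` removes the shell interpolation but not this. The step can reject anything that is not version-shaped before the `if`, for example `[[ -z "${WP_VERSION}" || "${WP_VERSION}" =~ ^[A-Za-z0-9.-]+$ ]] || exit 1`. How much this matters depends on who can set `wp-version` in the calling workflows, which is not visible here.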
@@ -67,6 +76,8 @@ jobs: # .version-support-php.json file and returning the values in that version's index. php-versions: name: Determine PHP versions + permissions: + contents: read runs-on: ubuntu-latest needs: [ major-wp-version ] timeout-minutes: 5 @@ -79,17 +90,26 @@ jobs: with: repository: ${{ inputs.repository }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false # Look up the major version's specific PHP support policy when a version is provided. # Otherwise, use the current PHP support policy. - name: Get supported PHP versions id: php-versions run: | - if [ "${{ needs.major-wp-version.outputs.version }}" != "latest" ] && [ "${{ needs.major-wp-version.outputs.version }}" != "nightly" ]; then - echo "versions=$(jq -r '.["${{ needs.major-wp-version.outputs.version }}"] | @json' .version-support-php.json)" >> $GITHUB_OUTPUT + if [ "${WP_VERSION}" != "latest" ] && [ "${WP_VERSION}" != "nightly" ]; then + VERSIONS="$( jq \ + -r \ + --arg wp_version "${WP_VERSION}" \ + '.[$wp_version] | @json' \ + .version-support-php.json + )" + echo "versions=$VERSIONS" >> "$GITHUB_OUTPUT" else - echo "versions=$(jq -r '.[ (keys[-1]) ] | @json' .version-support-php.json)" >> $GITHUB_OUTPUT + echo "versions=$(jq -r '.[ (keys[-1]) ] | @json' .version-support-php.json)" >> "$GITHUB_OUTPUT" fi + env: + WP_VERSION: ${{ needs.major-wp-version.outputs.version }} # Determines the versions of MySQL supported for a version of WordPress. # @@ -99,6 +119,8 @@ jobs: # .version-support-mysql.json file and returning the values in that version's index. mysql-versions: name: Determine MySQL versions + permissions: + contents: read runs-on: ubuntu-latest needs: [ major-wp-version ] timeout-minutes: 5 
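Review bot: In `Get supported PHP versions`, the new `jq --arg` lookup still exits 0 when `.version-support-php.json` has no entry for `WP_VERSION`, so the step writes `versions=null` and the failure surfaces later in whatever consumes the output. Making the filter fail on a missing key stops the job at the source: `'.[$wp_version] // error("no support entry for \($wp_version)") | @json'`. The `Get supported MySQL versions` step in the later hunk of this file uses the same filter against `.version-support-mysql.json` and would take the same change.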
@@ -111,14 +133,23 @@ jobs: with: repository: ${{ inputs.repository }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false # Look up the major version's specific MySQL support policy when a version is provided. # Otherwise, use the current MySQL support policy. - name: Get supported MySQL versions id: mysql-versions run: | - if [ "${{ needs.major-wp-version.outputs.version }}" != "latest" ] && [ "${{ needs.major-wp-version.outputs.version }}" != "nightly" ]; then - echo "versions=$(jq -r '.["${{ needs.major-wp-version.outputs.version }}"] | @json' .version-support-mysql.json)" >> $GITHUB_OUTPUT + if [ "${WP_VERSION}" != "latest" ] && [ "${WP_VERSION}" != "nightly" ]; then + VERSIONS="$( jq \ + -r \ + --arg wp_version "${WP_VERSION}" \ + '.[$wp_version] | @json' \ + .version-support-mysql.json + )" + echo "versions=$VERSIONS" >> "$GITHUB_OUTPUT" else - echo "versions=$(jq -r '.[ (keys[-1]) ] | @json' .version-support-mysql.json)" >> $GITHUB_OUTPUT + echo "versions=$(jq -r '.[ (keys[-1]) ] | @json' .version-support-mysql.json)" >> "$GITHUB_OUTPUT" fi + env: + WP_VERSION: ${{ needs.major-wp-version.outputs.version }} diff --git a/.github/workflows/reusable-test-core-build-process.yml b/.github/workflows/reusable-test-core-build-process.yml index e2683961471c1..eb5dc34c715f8 100644 --- a/.github/workflows/reusable-test-core-build-process.yml +++ b/.github/workflows/reusable-test-core-build-process.yml @@ -35,6 +35,10 @@ on: env: PUPPETEER_SKIP_DOWNLOAD: ${{ true }} +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Verifies that installing npm dependencies and building WordPress works as expected. # 
@@ -53,6 +57,8 @@ jobs: # - Uploads the pull request number as an artifact. build-process-tests: name: Core running from ${{ inputs.directory }} / ${{ contains( inputs.os, 'macos-' ) && 'MacOS' || contains( inputs.os, 'windows-' ) && 'Windows' || 'Linux' }} + permissions: + contents: read runs-on: ${{ inputs.os }} timeout-minutes: 20 @@ -61,6 +67,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 @@ -85,7 +92,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Build WordPress to run from ${{ inputs.directory }} - run: npm run build${{ inputs.directory == 'src' && ':dev' || '' }} + run: npm run ${{ inputs.directory == 'src' && 'build:dev' || 'build' }} - name: Ensure version-controlled files are not modified or deleted during building run: git diff --exit-code @@ -95,7 +102,7 @@ jobs: run: zip -r wordpress.zip build/. - name: Clean after building to run from ${{ inputs.directory }} - run: npm run grunt clean${{ inputs.directory == 'src' && ' -- --dev' || '' }} + run: npm run grunt ${{ inputs.directory == 'src' && 'clean -- --dev' || 'clean' }} - name: Ensure version-controlled files are not modified or deleted during cleaning run: git diff --exit-code @@ -112,7 +119,9 @@ jobs: if: ${{ inputs.prepare-playground }} run: | mkdir -p ./pr-number - echo ${{ github.event.number }} > ./pr-number/NR + echo "${EVENT_NUMBER}" > ./pr-number/NR + env: + EVENT_NUMBER: ${{ github.event.number }} # Uploads the PR number as an artifact for the Pull Request Commenting workflow to download and then # leave a comment detailing how to test the PR within WordPress Playground. diff --git a/.github/workflows/reusable-test-gutenberg-build-process.yml b/.github/workflows/reusable-test-gutenberg-build-process.yml index 86756a5043b55..32e91af42fd20 100644 
--- a/.github/workflows/reusable-test-gutenberg-build-process.yml +++ b/.github/workflows/reusable-test-gutenberg-build-process.yml @@ -22,6 +22,10 @@ env: PUPPETEER_SKIP_DOWNLOAD: ${{ true }} NODE_OPTIONS: '--max-old-space-size=8192' +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Verifies that installing npm dependencies and building the Gutenberg plugin works as expected. # @@ -38,6 +42,8 @@ jobs: # - Ensures version-controlled files are not modified or deleted. build-process-tests: name: Gutenberg running from ${{ inputs.directory }} / ${{ contains( inputs.os, 'macos-' ) && 'MacOS' || contains( inputs.os, 'windows-' ) && 'Windows' || 'Linux' }} + permissions: + contents: read runs-on: ${{ inputs.os }} timeout-minutes: 30 @@ -46,6 +52,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Checkout Gutenberg plugin uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -53,6 +60,7 @@ jobs: repository: 'WordPress/gutenberg' path: ${{ env.GUTENBERG_DIRECTORY }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 @@ -82,7 +90,7 @@ jobs: working-directory: ${{ env.GUTENBERG_DIRECTORY }} - name: Build WordPress to run from ${{ inputs.directory }} - run: npm run build${{ inputs.directory == 'src' && ':dev' || '' }} + run: npm run ${{ inputs.directory == 'src' && 'build:dev' || 'build' }} - name: Run Gutenberg build script after building Core to run from ${{ inputs.directory }} run: npm run build diff --git a/.github/workflows/reusable-test-local-docker-environment-v1.yml b/.github/workflows/reusable-test-local-docker-environment-v1.yml index 6e521de70dfa6..98fb645533d59 100644 
--- a/.github/workflows/reusable-test-local-docker-environment-v1.yml +++ b/.github/workflows/reusable-test-local-docker-environment-v1.yml @@ -47,6 +47,10 @@ env: LOCAL_WP_TESTS_DOMAIN: ${{ inputs.tests-domain }} PUPPETEER_SKIP_DOWNLOAD: ${{ true }} +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Tests the local Docker environment. # @@ -70,19 +74,22 @@ jobs: # - Ensures version-controlled files are not modified or deleted. local-docker-environment-tests: name: PHP ${{ inputs.php }} / ${{ 'mariadb' == inputs.db-type && 'MariaDB' || 'MySQL' }} ${{ inputs.db-version }}${{ inputs.memcached && ' with memcached' || '' }}${{ 'example.org' != inputs.tests-domain && format( ' {0}', inputs.tests-domain ) || '' }} + permissions: + contents: read runs-on: ${{ inputs.os }} timeout-minutes: 20 steps: - name: Configure environment variables run: | - echo "PHP_FPM_UID=$(id -u)" >> $GITHUB_ENV - echo "PHP_FPM_GID=$(id -g)" >> $GITHUB_ENV + echo "PHP_FPM_UID=$(id -u)" >> "$GITHUB_ENV" + echo "PHP_FPM_GID=$(id -g)" >> "$GITHUB_ENV" - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 @@ -135,7 +142,7 @@ jobs: - name: WordPress Docker container debug information run: | - docker compose run --rm mysql ${{ env.LOCAL_DB_TYPE }} --version + docker compose run --rm mysql "${LOCAL_DB_TYPE}" --version docker compose run --rm php php --version docker compose run --rm php php -m docker compose run --rm php php -i diff --git a/.github/workflows/reusable-upgrade-testing.yml b/.github/workflows/reusable-upgrade-testing.yml index 1d4f26f91ad2c..ca071a3db3f5c 100644 --- a/.github/workflows/reusable-upgrade-testing.yml 
+++ b/.github/workflows/reusable-upgrade-testing.yml @@ -37,6 +37,10 @@ on: type: 'string' default: '5.7' +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Runs upgrade tests on a build of WordPress. # @@ -49,6 +53,7 @@ jobs: # - Updates to the version of WordPress being tested. upgrade-tests: name: ${{ inputs.wp }} to ${{ inputs.new-version }} / PHP ${{ inputs.php }} with ${{ 'mariadb' == inputs.db-type && 'MariaDB' || 'MySQL' }} ${{ inputs.db-version }}${{ inputs.multisite && ' multisite' || '' }} + permissions: {} runs-on: ${{ inputs.os }} timeout-minutes: 20 
@@ -76,17 +81,26 @@ jobs: tools: wp-cli - name: Download WordPress ${{ inputs.wp }} - run: wp core download --version=${{ inputs.wp }} + run: wp core download --version="${WP_VERSION}" + env: + WP_VERSION: ${{ inputs.wp }} - name: Create wp-config.php file - run: wp config create --dbname=test_db --dbuser=root --dbpass=root --dbhost=127.0.0.1:${{ job.services.database.ports['3306'] }} + run: wp config create --dbname=test_db --dbuser=root --dbpass=root --dbhost="127.0.0.1:${DB_PORT}" + env: + DB_PORT: ${{ job.services.database.ports['3306'] }} - name: Install WordPress - run: wp core ${{ inputs.multisite && 'multisite-' || '' }}install --url=http://localhost/ --title="Upgrade Test" --admin_user=admin --admin_password=password --admin_email=me@example.org --skip-email + run: | + wp core ${{ inputs.multisite && 'multisite-install' || 'install' }} \ + --url=http://localhost/ --title="Upgrade Test" --admin_user=admin \ + --admin_password=password --admin_email=me@example.org --skip-email - name: Update to the latest minor version run: wp core update --minor - name: Upgrade to WordPress ${{ inputs.new-version }} run: | - wp core update${{ 'latest' != inputs.new-version && format( ' --version={0}', inputs.new-version ) || '' }} + wp core update ${{ 'latest' != inputs.new-version && '--version="${WP_VERSION}"' || '' }} + env: + WP_VERSION: ${{ inputs.new-version }} diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml new file mode 100644 index 0000000000000..d1de3936b897f --- /dev/null +++ b/.github/workflows/reusable-workflow-lint.yml 
@@ -0,0 +1,24 @@ +name: Lint GitHub Actions workflows +on: + workflow_call: + +permissions: {} + +jobs: + actionlint: + name: Actionlint + runs-on: ubuntu-latest + permissions: + contents: read + timeout-minutes: 1 + steps: + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + # https://github.com/rhysd/actionlint + - name: Run actionlint + uses: docker://rhysd/actionlint:1.7.7 + with: + args: "-color -verbose" diff --git a/.github/workflows/slack-notifications.yml b/.github/workflows/slack-notifications.yml index cbd1e94427ba8..5d50f89032978 100644 --- a/.github/workflows/slack-notifications.yml +++ b/.github/workflows/slack-notifications.yml @@ -54,7 +54,7 @@ jobs: timeout-minutes: 5 if: ${{ github.repository == 'WordPress/wordpress-develop' && github.event.workflow_run.event != 'pull_request' }} outputs: - previous_conclusion: ${{ steps.previous-conclusion.outputs.previous_conclusion }} + previous_conclusion: ${{ steps.previous-attempt-result.outputs.result }} payload: ${{ steps.create-payload.outputs.payload }} steps: @@ -68,10 +68,10 @@ jobs: const workflow_run = await github.rest.actions.getWorkflowRun({ owner: context.repo.owner, repo: context.repo.repo, - run_id: ${{ github.run_id }}, + run_id: context.runId, }); - if ( '${{ inputs.calling_status }}' == 'failure' && workflow_run.data.run_attempt == 1 ) { + if ( process.env.CALLING_STATUS == 'failure' && workflow_run.data.run_attempt == 1 ) { return 'first-failure'; } @@ -82,7 +82,7 @@ jobs: const previous_run = await github.rest.actions.getWorkflowRunAttempt({ owner: context.repo.owner, repo: context.repo.repo, - run_id: ${{ github.run_id }}, + run_id: context.runId, attempt_number: workflow_run.data.run_attempt - 1 }); 
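Review bot: The `Run actionlint` step in the new reusable-workflow-lint.yml pulls `docker://rhysd/actionlint:1.7.7` by tag, while every action referenced in this commit is pinned to a full commit SHA. An image tag can be re-pointed by its publisher, so the linter that gates workflow changes is the one dependency here without an immutable reference. Pinning by digest and keeping the version as a comment matches the rest of the file: `uses: docker://rhysd/actionlint@sha256:<DIGEST_OF_1.7.7_IMAGE> # 1.7.7`. Separately, `timeout-minutes: 1` leaves little room for the image pull on a cold runner.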
@@ -94,7 +94,7 @@ jobs: owner: context.repo.owner, repo: context.repo.repo, workflow_id: workflow_run.data.workflow_id, - branch: '${{ env.CURRENT_BRANCH }}', + branch: process.env.CURRENT_BRANCH, exclude_pull_requests: true, }); @@ -124,10 +124,8 @@ jobs: // Can't determine previous workflow conclusion. return 'unknown'; - - - name: Store previous conclusion as an output - id: previous-conclusion - run: echo "previous_conclusion=${{ steps.previous-attempt-result.outputs.result }}" >> $GITHUB_OUTPUT + env: + CALLING_STATUS: ${{ inputs.calling_status }} - name: Get the commit message id: current-commit-message 
@@ -140,26 +138,38 @@ jobs: const commit_details = await github.rest.repos.getCommit({ owner: context.repo.owner, repo: context.repo.repo, - ref: '${{ github.sha }}' + ref: context.sha, }); return commit_details.data.commit.message; - name: Prepare commit message. id: commit-message run: | - COMMIT_MESSAGE=$(cat <<'EOF' | awk 'NR==1' | sed 's/`/\\`/g' | sed 's/\"/\\\\\\"/g' | sed 's/\$/\\$/g' - ${{ ( github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' ) && fromJson( steps.current-commit-message.outputs.result ) || github.event.head_commit.message }} - EOF - ) - echo "commit_message_escaped=${COMMIT_MESSAGE}" >> $GITHUB_OUTPUT + # shellcheck disable=SC2016 + COMMIT_MESSAGE="$(echo "${COMMIT_MSG_RAW}" | awk 'NR==1' | sed 's/`/\\`/g' | sed 's/\"/\\\\\\"/g' | sed 's/\$/\\$/g')" + echo "commit_message_escaped=${COMMIT_MESSAGE}" >> "$GITHUB_OUTPUT" + env: + COMMIT_MSG_RAW: ${{ ( github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' ) && fromJson( steps.current-commit-message.outputs.result ) || github.event.head_commit.message }} - name: Construct payload and store as an output id: create-payload - run: echo "payload={\"workflow_name\":\"${{ github.workflow }}\",\"ref_name\":\"${{ env.CURRENT_BRANCH }}\",\"run_url\":\"https://github.com/WordPress/wordpress-develop/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}\",\"commit_message\":\"${{ steps.commit-message.outputs.commit_message_escaped }}\"}" >> $GITHUB_OUTPUT + run: | + PAYLOAD="$( jq \ + -n \ + --arg workflow_name "${GITHUB_WORKFLOW}" \ + --arg ref_name "${CURRENT_BRANCH}" \ + --arg run_url "https://github.com/WordPress/wordpress-develop/actions/runs/${GITHUB_RUN_ID}/attempts/${GITHUB_RUN_ATTEMPT}" \ + --arg commit_message "${COMMIT_MSG}" \ + '{workflow_name: $workflow_name, ref_name: $ref_name, run_url: $run_url, commit_message: $commit_message}' + )" + echo "payload=$PAYLOAD" >> "$GITHUB_OUTPUT" + env: + COMMIT_MSG: ${{ 
steps.commit-message.outputs.commit_message_escaped }} # Posts notifications when a workflow fails. failure: name: Failure notifications + permissions: {} runs-on: ubuntu-latest timeout-minutes: 10 needs: [ prepare ] @@ -176,6 +186,7 @@ jobs: # Posts notifications the first time a workflow run succeeds after previously failing. fixed: name: Fixed notifications + permissions: {} runs-on: ubuntu-latest timeout-minutes: 10 needs: [ prepare ] @@ -192,6 +203,7 @@ jobs: # Posts notifications when a workflow is successful. success: name: Success notifications + permissions: {} runs-on: ubuntu-latest timeout-minutes: 10 needs: [ prepare ] @@ -208,6 +220,7 @@ jobs: # Posts notifications when a workflow is cancelled. cancelled: name: Cancelled notifications + permissions: {} runs-on: ubuntu-latest timeout-minutes: 10 needs: [ prepare ] diff --git a/.github/workflows/test-and-zip-default-themes.yml b/.github/workflows/test-and-zip-default-themes.yml index c7e7b3012f8f9..22bc229a6b7c4 100644 --- a/.github/workflows/test-and-zip-default-themes.yml +++ b/.github/workflows/test-and-zip-default-themes.yml @@ -91,10 +91,13 @@ jobs: with: ref: ${{ github.event_name == 'workflow_dispatch' && inputs.branch || github.ref }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Check for zero-byte (empty) files run: | - [[ ! $(find src/wp-content/themes/${{ matrix.theme }} -empty) ]] + [[ ! $(find "src/wp-content/themes/${THEME}" -empty) ]] + env: + THEME: ${{ matrix.theme }} # Tests the build script for themes that have one. # @@ -130,6 +133,7 @@ jobs: with: ref: ${{ github.event_name == 'workflow_dispatch' && inputs.branch || github.ref }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 
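Review bot: In `Construct payload and store as an output`, `jq -n` pretty-prints by default, so `PAYLOAD` spans several lines and `echo "payload=$PAYLOAD" >> "$GITHUB_OUTPUT"` no longer writes a single `name=value` line. Adding `-c` to the jq options emits the object on one line. Because `jq --arg` now does the JSON encoding, the `sed` escaping that `Prepare commit message` still applies will probably appear as literal backslashes in the message; how the payload is consumed is outside the hunk, so confirm before dropping it. In that step, `printf '%s\n' "${COMMIT_MSG_RAW}"` is safer than `echo` for text that may begin with `-` or contain backslashes.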
@@ -187,6 +191,7 @@ jobs: with: ref: ${{ github.event_name == 'workflow_dispatch' && inputs.branch || github.ref }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Upload theme ZIP as an artifact uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 diff --git a/.github/workflows/upgrade-testing.yml b/.github/workflows/upgrade-testing.yml index 9ee2665b0bd6b..2faca2c77933b 100644 --- a/.github/workflows/upgrade-testing.yml +++ b/.github/workflows/upgrade-testing.yml @@ -112,8 +112,6 @@ jobs: # The PHP <= 7.3/MySQL 8.4 jobs currently fail due to mysql_native_password being disabled by default. See https://core.trac.wordpress.org/ticket/61218. - php: '7.2' db-version: '8.4' - - php: '7.3' - db-version: '8.4' with: os: ${{ matrix.os }} php: ${{ matrix.php }} @@ -142,8 +140,6 @@ jobs: # The PHP <= 7.3/MySQL 8.4 jobs currently fail due to mysql_native_password being disabled by default. See https://core.trac.wordpress.org/ticket/61218. - php: '7.2' db-version: '8.4' - - php: '7.3' - db-version: '8.4' with: os: ${{ matrix.os }} php: ${{ matrix.php }} @@ -201,8 +197,6 @@ jobs: # The PHP <= 7.3/MySQL 8.4 jobs currently fail due to mysql_native_password being disabled by default. See https://core.trac.wordpress.org/ticket/61218. - php: '7.2' db-version: '8.4' - - php: '7.3' - db-version: '8.4' with: os: ${{ matrix.os }} php: ${{ matrix.php }} diff --git a/.github/workflows/workflow-lint.yml b/.github/workflows/workflow-lint.yml new file mode 100644 index 0000000000000..9da3bbe99e0d4 --- /dev/null +++ b/.github/workflows/workflow-lint.yml 
@@ -0,0 +1,41 @@ +name: Lint GitHub Actions workflow files + +on: + push: + branches: + - trunk + - '[0-9].[0-9]' + tags: + - '[0-9]+.[0-9]' + - '[0-9]+.[0-9].[0-9]+' + paths: + # Only run when changes are made to workflow files. + - '.github/workflows/**' + pull_request: + branches: + - trunk + - '[0-9].[0-9]' + paths: + # Only run when changes are made to workflow files. + - '.github/workflows/**' + workflow_dispatch: + +# Cancels all previous workflow runs for pull requests that have not completed. +concurrency: + # The concurrency group contains the workflow name and the branch name for pull requests + # or the commit hash for any other events. + group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }} + cancel-in-progress: true + +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + +jobs: + lint: + name: Lint + permissions: + security-events: write + actions: read + contents: read + uses: ./.github/workflows/reusable-workflow-lint.yml diff --git a/docker-compose.yml b/docker-compose.yml index 7465f022e1299..48f3abc607b03 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
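Review bot: The `lint` job in the new workflow-lint.yml grants `security-events: write` and `actions: read` to the called workflow, but the `actionlint` job in reusable-workflow-lint.yml declares only `contents: read` and has no step that uploads results. A called workflow can only narrow what the caller passes, so the two extra scopes are unused. Reducing the block to `contents: read` matches the "disable by default" comment directly above it; the wider scopes can be added back together with a SARIF upload step if one is planned.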
@@ -38,14 +38,14 @@ services: - wpdevnet environment: - - LOCAL_PHP_XDEBUG=${LOCAL_PHP_XDEBUG-false} - - XDEBUG_MODE=${LOCAL_PHP_XDEBUG_MODE-develop,debug} - - LOCAL_PHP_MEMCACHED=${LOCAL_PHP_MEMCACHED-false} - - PHP_FPM_UID=${PHP_FPM_UID-1000} - - PHP_FPM_GID=${PHP_FPM_GID-1000} - - GITHUB_REF=${GITHUB_REF-false} - - GITHUB_EVENT_NAME=${GITHUB_EVENT_NAME-false} - - HOST_PATH=${PWD-}/${LOCAL_DIR-src} + LOCAL_PHP_XDEBUG: ${LOCAL_PHP_XDEBUG-false} + XDEBUG_MODE: ${LOCAL_PHP_XDEBUG_MODE-develop,debug} + LOCAL_PHP_MEMCACHED: ${LOCAL_PHP_MEMCACHED-false} + PHP_FPM_UID: ${PHP_FPM_UID-1000} + PHP_FPM_GID: ${PHP_FPM_GID-1000} + GITHUB_REF: ${GITHUB_REF-false} + GITHUB_EVENT_NAME: ${GITHUB_EVENT_NAME-false} + HOST_PATH: ${PWD-}/${LOCAL_DIR-src} volumes: - ./tools/local-env/php-config.ini:/usr/local/etc/php/conf.d/php-config.ini @@ -83,7 +83,10 @@ services: command: ${LOCAL_DB_AUTH_OPTION-} healthcheck: - test: [ "CMD-SHELL", "if [ \"$LOCAL_DB_TYPE\" = \"mariadb\" ]; then case \"$LOCAL_DB_VERSION\" in 5.5|10.0|10.1|10.2|10.3) mysqladmin ping -h localhost || exit $$?;; *) mariadb-admin ping -h localhost || exit $$?;; esac; else mysqladmin ping -h localhost || exit $$?; fi" ] + test: [ + 'CMD-SHELL', + 'if [ "$LOCAL_DB_TYPE" = "mariadb" ]; then case "$LOCAL_DB_VERSION" in 5.5|10.0|10.1|10.2|10.3) mysqladmin ping -h localhost || exit $$?;; *) mariadb-admin ping -h localhost || exit $$?;; esac; else mysqladmin ping -h localhost || exit $$?; fi' + ] timeout: 5s interval: 5s retries: 10 @@ -98,11 +101,11 @@ services: - wpdevnet environment: - - LOCAL_PHP_XDEBUG=${LOCAL_PHP_XDEBUG-false} - - LOCAL_PHP_MEMCACHED=${LOCAL_PHP_MEMCACHED-false} - - PHP_FPM_UID=${PHP_FPM_UID-1000} - - PHP_FPM_GID=${PHP_FPM_GID-1000} - - HOST_PATH=${PWD-}/${LOCAL_DIR-src} + LOCAL_PHP_XDEBUG: ${LOCAL_PHP_XDEBUG-false} + LOCAL_PHP_MEMCACHED: ${LOCAL_PHP_MEMCACHED-false} + PHP_FPM_UID: ${PHP_FPM_UID-1000} + PHP_FPM_GID: ${PHP_FPM_GID-1000} + HOST_PATH: ${PWD-}/${LOCAL_DIR-src} volumes: - ./:/var/www