From 2e87b7794c0d1f0c089b637dedf5c2253b8f1a28 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 9 Dec 2024 17:58:17 +0100 Subject: [PATCH 01/49] Use existing environment variables in place of GitHub Actions expressions in JavaScript steps. --- .github/workflows/coding-standards.yml | 2 +- .github/workflows/end-to-end-tests.yml | 2 +- .github/workflows/install-testing.yml | 2 +- .github/workflows/javascript-tests.yml | 2 +- .github/workflows/local-docker-environment.yml | 2 +- .github/workflows/performance.yml | 2 +- .github/workflows/php-compatibility.yml | 2 +- .github/workflows/phpunit-tests.yml | 2 +- .github/workflows/reusable-performance.yml | 14 +++++++++++--- .github/workflows/slack-notifications.yml | 8 ++++---- 10 files changed, 23 insertions(+), 15 deletions(-) diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml index 3c9854dc9e16b..d393c31900018 100644 --- a/.github/workflows/coding-standards.yml +++ b/.github/workflows/coding-standards.yml @@ -107,6 +107,6 @@ jobs: workflow_id: 'failed-workflow.yml', ref: 'trunk', inputs: { - run_id: '${{ github.run_id }}' + run_id: context.runId, } }); diff --git a/.github/workflows/end-to-end-tests.yml b/.github/workflows/end-to-end-tests.yml index d77e439b2964c..f9bf4aa1eb6d4 100644 --- a/.github/workflows/end-to-end-tests.yml +++ b/.github/workflows/end-to-end-tests.yml @@ -93,6 +93,6 @@ jobs: workflow_id: 'failed-workflow.yml', ref: 'trunk', inputs: { - run_id: '${{ github.run_id }}' + run_id: context.runId, } }); diff --git a/.github/workflows/install-testing.yml b/.github/workflows/install-testing.yml index ca03ebd518a00..c85435e020e64 100644 --- a/.github/workflows/install-testing.yml +++ b/.github/workflows/install-testing.yml @@ -169,6 +169,6 @@ jobs: workflow_id: 'failed-workflow.yml', ref: 'trunk', inputs: { - run_id: '${{ github.run_id }}' + run_id: context.runId, } }); 
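Review bot: `run_id: context.runId,` in the `inputs` object of the workflow-dispatch call in coding-standards.yml passes a number where the removed line passed the quoted string `'${{ github.run_id }}'`. If the dispatch endpoint only accepts string input values (worth confirming against the REST API documentation), the call would be rejected and the retry workflow would never start; `run_id: String( context.runId ),` keeps the previous type. The same line is added in end-to-end-tests.yml, install-testing.yml, javascript-tests.yml, local-docker-environment.yml, performance.yml, php-compatibility.yml and phpunit-tests.yml. The enclosing call starts outside each hunk.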
diff --git a/.github/workflows/javascript-tests.yml b/.github/workflows/javascript-tests.yml index 5872bc5b166c0..b1e2018b6e002 100644 --- a/.github/workflows/javascript-tests.yml +++ b/.github/workflows/javascript-tests.yml @@ -97,6 +97,6 @@ jobs: workflow_id: 'failed-workflow.yml', ref: 'trunk', inputs: { - run_id: '${{ github.run_id }}' + run_id: context.runId, } }); diff --git a/.github/workflows/local-docker-environment.yml b/.github/workflows/local-docker-environment.yml index 1e25c82ef1287..568d5e24b63af 100644 --- a/.github/workflows/local-docker-environment.yml +++ b/.github/workflows/local-docker-environment.yml @@ -149,6 +149,6 @@ jobs: workflow_id: 'failed-workflow.yml', ref: 'trunk', inputs: { - run_id: '${{ github.run_id }}' + run_id: context.runId, } }); diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml index e4929763afa83..d9d807af2e2b6 100644 --- a/.github/workflows/performance.yml +++ b/.github/workflows/performance.yml @@ -91,6 +91,6 @@ jobs: workflow_id: 'failed-workflow.yml', ref: 'trunk', inputs: { - run_id: '${{ github.run_id }}' + run_id: context.runId, } }); diff --git a/.github/workflows/php-compatibility.yml b/.github/workflows/php-compatibility.yml index eb4163edf38d5..daa8998414438 100644 --- a/.github/workflows/php-compatibility.yml +++ b/.github/workflows/php-compatibility.yml @@ -94,6 +94,6 @@ jobs: workflow_id: 'failed-workflow.yml', ref: 'trunk', inputs: { - run_id: '${{ github.run_id }}' + run_id: context.runId, } }); diff --git a/.github/workflows/phpunit-tests.yml b/.github/workflows/phpunit-tests.yml index 62a7aa50f7718..16f8c434b2644 100644 --- a/.github/workflows/phpunit-tests.yml +++ b/.github/workflows/phpunit-tests.yml @@ -199,6 +199,6 @@ jobs: workflow_id: 'failed-workflow.yml', ref: 'trunk', inputs: { - run_id: '${{ github.run_id }}' + run_id: context.runId, } }); 
diff --git a/.github/workflows/reusable-performance.yml b/.github/workflows/reusable-performance.yml index 68f4503d97259..7a4e462314d26 100644 --- a/.github/workflows/reusable-performance.yml +++ b/.github/workflows/reusable-performance.yml @@ -232,7 +232,7 @@ jobs: } ); const fs = require( 'fs' ); - fs.writeFileSync( '${{ github.workspace }}/before.zip', Buffer.from( download.data ) ) + fs.writeFileSync( process.env.GITHUB_WORKSPACE + '/before.zip', Buffer.from( download.data ) ) return true; @@ -307,7 +307,11 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const baseRef = await github.rest.git.getRef({ owner: context.repo.owner, repo: context.repo.repo, ref: 'tags/${{ env.BASE_TAG }}' }); + const baseRef = await github.rest.git.getRef({ + owner: context.repo.owner, + repo: context.repo.repo, + ref: 'tags/' + process.env.BASE_TAG, + }); return baseRef.data.object.sha; - name: Set commit details @@ -318,7 +322,11 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const commit_details = await github.rest.git.getCommit({ owner: context.repo.owner, repo: context.repo.repo, commit_sha: context.sha }); + const commit_details = await github.rest.git.getCommit({ + owner: context.repo.owner, + repo: context.repo.repo, + commit_sha: context.sha, + }); return parseInt((new Date( commit_details.data.author.date ).getTime() / 1000).toFixed(0)) - name: Publish performance results diff --git a/.github/workflows/slack-notifications.yml b/.github/workflows/slack-notifications.yml index 2f125aef7a0f4..82a2fc6e04e4c 100644 --- a/.github/workflows/slack-notifications.yml +++ b/.github/workflows/slack-notifications.yml @@ -68,7 +68,7 @@ jobs: const workflow_run = await github.rest.actions.getWorkflowRun({ owner: context.repo.owner, repo: context.repo.repo, - run_id: ${{ github.run_id }}, + run_id: context.runId, }); if ( '${{ inputs.calling_status }}' == 'failure' && workflow_run.data.run_attempt == 1 ) { 
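Review bot: The last context line of the first slack-notifications.yml hunk, `if ( '${{ inputs.calling_status }}' == 'failure' && workflow_run.data.run_attempt == 1 ) {`, still has an Actions expression expanded into the script text, which is the construct this commit removes everywhere else. The value is pasted into a single-quoted JavaScript literal before the script is parsed, so the script is only well-formed as long as the input never contains a quote. It is probably a fixed job status, but adding `CALLING_STATUS: ${{ inputs.calling_status }}` under `env:` and testing `process.env.CALLING_STATUS === 'failure'` removes the dependency on that assumption. The script body continues outside the hunk.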
@@ -82,7 +82,7 @@ jobs: const previous_run = await github.rest.actions.getWorkflowRunAttempt({ owner: context.repo.owner, repo: context.repo.repo, - run_id: ${{ github.run_id }}, + run_id: context.runId, attempt_number: workflow_run.data.run_attempt - 1 }); @@ -94,7 +94,7 @@ jobs: owner: context.repo.owner, repo: context.repo.repo, workflow_id: workflow_run.data.workflow_id, - branch: '${{ env.CURRENT_BRANCH }}', + branch: process.env.CURRENT_BRANCH, exclude_pull_requests: true, }); @@ -140,7 +140,7 @@ jobs: const commit_details = await github.rest.repos.getCommit({ owner: context.repo.owner, repo: context.repo.repo, - ref: '${{ github.sha }}' + ref: context.sha, }); return commit_details.data.commit.message; From 39026abcbcf96648d8b5b9448c857c02aadc2a24 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 9 Dec 2024 18:00:08 +0100 Subject: [PATCH 02/49] Make more use of environment variables in JavaScript steps. --- .github/workflows/failed-workflow.yml | 6 ++++-- .github/workflows/props-bot.yml | 4 +++- .github/workflows/pull-request-comments.yml | 4 +++- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/.github/workflows/failed-workflow.yml b/.github/workflows/failed-workflow.yml index 383800a3fc592..fb9b3e099809a 100644 --- a/.github/workflows/failed-workflow.yml +++ b/.github/workflows/failed-workflow.yml @@ -38,7 +38,7 @@ jobs: const workflow_run = await github.rest.actions.getWorkflowRun({ owner: context.repo.owner, repo: context.repo.repo, - run_id: ${{ inputs.run_id }}, + run_id: process.env.RUN_ID, }); // Only rerun after the first run attempt. @@ -49,6 +49,8 @@ jobs: const rerun = await github.rest.actions.reRunWorkflowFailedJobs({ owner: context.repo.owner, repo: context.repo.repo, - run_id: ${{ inputs.run_id }}, + run_id: process.env.RUN_ID, enable_debug_logging: true }); + env: + RUN_ID: ${{ inputs.run_id }} diff --git a/.github/workflows/props-bot.yml b/.github/workflows/props-bot.yml index 548f9023a92e2..474213062e44f 100644 
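Review bot: `run_id: process.env.RUN_ID` in both failed-workflow.yml hunks now hands the API client a string taken unchanged from the `run_id` input, where the removed expression produced a bare numeric literal. Nothing visible checks that the value is a run id before it is used for `getWorkflowRun` and `reRunWorkflowFailedJobs`. A guard at the top of the script, `if ( ! /^\d+$/.test( process.env.RUN_ID ?? '' ) ) { throw new Error( 'run_id must be numeric' ); }`, followed by `run_id: Number( process.env.RUN_ID ),` in both calls, would restore the numeric type and fail early on malformed input. The script starts outside the hunks.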
--- a/.github/workflows/props-bot.yml +++ b/.github/workflows/props-bot.yml @@ -85,6 +85,8 @@ jobs: github.rest.issues.removeLabel({ owner: context.repo.owner, repo: context.repo.repo, - issue_number: '${{ github.event.number }}', + issue_number: process.env.ISSUE_NUMBER, name: 'props-bot' }); + env: + ISSUE_NUMBER: ${{ github.event.number }} diff --git a/.github/workflows/pull-request-comments.yml b/.github/workflows/pull-request-comments.yml index ab7eba9ceffaa..df060fc657f1b 100644 --- a/.github/workflows/pull-request-comments.yml +++ b/.github/workflows/pull-request-comments.yml @@ -96,7 +96,7 @@ jobs: const artifacts = await github.rest.actions.listWorkflowRunArtifacts( { owner: context.repo.owner, repo: context.repo.repo, - run_id: ${{ github.event.workflow_run.id }}, + run_id: process.env.RUN_ID, } ); const matchArtifact = artifacts.data.artifacts.filter( ( artifact ) => { @@ -117,6 +117,8 @@ jobs: const fs = require( 'fs' ); fs.writeFileSync( '${{github.workspace}}/pr-number.zip', Buffer.from( download.data ) ) + env: + RUN_ID: ${{ github.event.workflow_run.id }} - name: Unzip the artifact containing the PR number run: unzip pr-number.zip From 1d1ee67a4aebb0832f59c6944f8bdc43f07bd18d Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 9 Dec 2024 18:02:42 +0100 Subject: [PATCH 03/49] Prevent breaking out of environment variable assignment. --- .../reusable-coding-standards-php.yml | 2 +- .../workflows/reusable-end-to-end-tests.yml | 4 +-- .github/workflows/reusable-performance.yml | 6 ++-- .../workflows/reusable-php-compatibility.yml | 2 +- .../workflows/reusable-phpunit-tests-v1.yml | 4 +-- .../workflows/reusable-phpunit-tests-v2.yml | 6 ++-- .../workflows/reusable-phpunit-tests-v3.yml | 4 +-- .../reusable-support-json-reader-v1.yml | 28 +++++++++++-------- ...sable-test-local-docker-environment-v1.yml | 4 +-- .github/workflows/slack-notifications.yml | 2 +- 10 files changed, 34 insertions(+), 28 deletions(-) 
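Review bot: `fs.writeFileSync( '${{github.workspace}}/pr-number.zip', Buffer.from( download.data ) )` in the second pull-request-comments.yml hunk is left with an expression inside the script, although patch 01 replaced the same construct in reusable-performance.yml. For consistency it should read `fs.writeFileSync( process.env.GITHUB_WORKSPACE + '/pr-number.zip', Buffer.from( download.data ) )`. The workspace path is set by the runner rather than by a contributor, so this is about leaving no interpolated script text to audit rather than an observed injection path. Separately, `run_id: process.env.RUN_ID` in the first hunk is now a string where the removed line produced a number literal.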
diff --git a/.github/workflows/reusable-coding-standards-php.yml b/.github/workflows/reusable-coding-standards-php.yml index b07203797eb3e..9c64477b9731f 100644 --- a/.github/workflows/reusable-coding-standards-php.yml +++ b/.github/workflows/reusable-coding-standards-php.yml @@ -57,7 +57,7 @@ jobs: # http://man7.org/linux/man-pages/man1/date.1.html - name: "Get last Monday's date" id: get-date - run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> $GITHUB_OUTPUT + run: echo date="$(/bin/date -u --date='last Mon' "+%F")" >> $GITHUB_OUTPUT - name: Cache PHPCS scan cache uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 diff --git a/.github/workflows/reusable-end-to-end-tests.yml b/.github/workflows/reusable-end-to-end-tests.yml index 1d2273bd588d7..2982203fb743d 100644 --- a/.github/workflows/reusable-end-to-end-tests.yml +++ b/.github/workflows/reusable-end-to-end-tests.yml @@ -63,8 +63,8 @@ jobs: steps: - name: Configure environment variables run: | - echo "PHP_FPM_UID=$(id -u)" >> $GITHUB_ENV - echo "PHP_FPM_GID=$(id -g)" >> $GITHUB_ENV + echo PHP_FPM_UID="$(id -u)" >> $GITHUB_ENV + echo PHP_FPM_GID="$(id -g)" >> $GITHUB_ENV - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/reusable-performance.yml b/.github/workflows/reusable-performance.yml index 7a4e462314d26..f00708a131825 100644 --- a/.github/workflows/reusable-performance.yml +++ b/.github/workflows/reusable-performance.yml @@ -107,8 +107,8 @@ jobs: steps: - name: Configure environment variables run: | - echo "PHP_FPM_UID=$(id -u)" >> $GITHUB_ENV - echo "PHP_FPM_GID=$(id -g)" >> $GITHUB_ENV + echo PHP_FPM_UID="$(id -u)" >> $GITHUB_ENV + echo PHP_FPM_GID="$(id -g)" >> $GITHUB_ENV - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 
@@ -119,7 +119,7 @@ jobs: # The `workflow_dispatch` event is the only one missing the needed SHA to target. - name: Retrieve previous commit SHA (if necessary) if: ${{ github.event_name == 'workflow_dispatch' }} - run: echo "TARGET_SHA=$(git rev-parse HEAD^1)" >> $GITHUB_ENV + run: echo TARGET_SHA="$(git rev-parse HEAD^1)" >> $GITHUB_ENV - name: Set up Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 diff --git a/.github/workflows/reusable-php-compatibility.yml b/.github/workflows/reusable-php-compatibility.yml index b68db051bf417..0e5fa93b3a3aa 100644 --- a/.github/workflows/reusable-php-compatibility.yml +++ b/.github/workflows/reusable-php-compatibility.yml @@ -55,7 +55,7 @@ jobs: # http://man7.org/linux/man-pages/man1/date.1.html - name: "Get last Monday's date" id: get-date - run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> $GITHUB_OUTPUT + run: echo date="$(/bin/date -u --date='last Mon' "+%F")" >> $GITHUB_OUTPUT - name: Cache PHP compatibility scan cache uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 diff --git a/.github/workflows/reusable-phpunit-tests-v1.yml b/.github/workflows/reusable-phpunit-tests-v1.yml index ad45726102dbe..4308f640cb500 100644 --- a/.github/workflows/reusable-phpunit-tests-v1.yml +++ b/.github/workflows/reusable-phpunit-tests-v1.yml @@ -86,8 +86,8 @@ jobs: steps: - name: Configure environment variables run: | - echo "PHP_FPM_UID=$(id -u)" >> $GITHUB_ENV - echo "PHP_FPM_GID=$(id -g)" >> $GITHUB_ENV + echo PHP_FPM_UID="$(id -u)" >> $GITHUB_ENV + echo PHP_FPM_GID="$(id -g)" >> $GITHUB_ENV - name: Checkout repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 diff --git a/.github/workflows/reusable-phpunit-tests-v2.yml b/.github/workflows/reusable-phpunit-tests-v2.yml index d96928e3f1a07..b1e9543f4345c 100644 --- a/.github/workflows/reusable-phpunit-tests-v2.yml +++ b/.github/workflows/reusable-phpunit-tests-v2.yml 
@@ -89,8 +89,8 @@ jobs: steps: - name: Configure environment variables run: | - echo "PHP_FPM_UID=$(id -u)" >> $GITHUB_ENV - echo "PHP_FPM_GID=$(id -g)" >> $GITHUB_ENV + echo PHP_FPM_UID="$(id -u)" >> $GITHUB_ENV + echo PHP_FPM_GID="$(id -g)" >> $GITHUB_ENV - name: Checkout repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 @@ -108,7 +108,7 @@ jobs: - name: Get composer cache directory id: composer-cache - run: echo "composer_dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT + run: echo composer_dir="$(composer config cache-files-dir)" >> $GITHUB_OUTPUT - name: Cache Composer dependencies uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 diff --git a/.github/workflows/reusable-phpunit-tests-v3.yml b/.github/workflows/reusable-phpunit-tests-v3.yml index fd21b3a9b48f5..74d48af871ef1 100644 --- a/.github/workflows/reusable-phpunit-tests-v3.yml +++ b/.github/workflows/reusable-phpunit-tests-v3.yml @@ -112,8 +112,8 @@ jobs: steps: - name: Configure environment variables run: | - echo "PHP_FPM_UID=$(id -u)" >> $GITHUB_ENV - echo "PHP_FPM_GID=$(id -g)" >> $GITHUB_ENV + echo PHP_FPM_UID="$(id -u)" >> $GITHUB_ENV + echo PHP_FPM_GID="$(id -g)" >> $GITHUB_ENV - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/reusable-support-json-reader-v1.yml b/.github/workflows/reusable-support-json-reader-v1.yml index ce574e4b2c3b7..5e7b177c7f876 100644 --- a/.github/workflows/reusable-support-json-reader-v1.yml +++ b/.github/workflows/reusable-support-json-reader-v1.yml 
@@ -52,13 +52,15 @@ jobs: - name: Determine the major WordPress version id: major-wp-version run: | - if [ "${{ inputs.wp-version }}" ] && [ "${{ inputs.wp-version }}" != "nightly" ] && [ "${{ inputs.wp-version }}" != "latest" ] && [ "${{ inputs.wp-version }}" != "trunk" ]; then - echo "version=$(echo "${{ inputs.wp-version }}" | tr '.' '-' | cut -d '-' -f1-2)" >> $GITHUB_OUTPUT - elif [ "${{ inputs.wp-version }}" ] && [ "${{ inputs.wp-version }}" != "trunk" ]; then - echo "version=$(echo "${{ inputs.wp-version }}")" >> $GITHUB_OUTPUT + if [ "${WP_VERSION}" ] && [ "${WP_VERSION}" != "nightly" ] && [ "${WP_VERSION}" != "latest" ] && [ "${WP_VERSION}" != "trunk" ]; then + echo version="$(echo "${WP_VERSION}" | tr '.' '-' | cut -d '-' -f1-2)" >> $GITHUB_OUTPUT + elif [ "${WP_VERSION}" ] && [ "${WP_VERSION}" != "trunk" ]; then + echo version="${WP_VERSION}" >> $GITHUB_OUTPUT else - echo "version=nightly" >> $GITHUB_OUTPUT + echo version="nightly" >> $GITHUB_OUTPUT fi + env: + WP_VERSION: ${{ inputs.wp-version }} # Determines the versions of PHP supported for a version of WordPress. # @@ -87,11 +89,13 @@ jobs: - name: Get supported PHP versions id: php-versions run: | - if [ "${{ needs.major-wp-version.outputs.version }}" != "latest" ] && [ "${{ needs.major-wp-version.outputs.version }}" != "nightly" ]; then - echo "versions=$(jq -r '.["${{ needs.major-wp-version.outputs.version }}"] | @json' .version-support-php.json)" >> $GITHUB_OUTPUT + if [ "${WP_VERSION}" != "latest" ] && [ "${WP_VERSION}" != "nightly" ]; then + echo versions="$(jq -r '.["${WP_VERSION}"] | @json' .version-support-php.json)" >> $GITHUB_OUTPUT # @TODO finalise else - echo "versions=$(jq -r '.[ (keys[-1]) ] | @json' .version-support-php.json)" >> $GITHUB_OUTPUT + echo versions="$(jq -r '.[ (keys[-1]) ] | @json' .version-support-php.json)" >> $GITHUB_OUTPUT fi + env: + WP_VERSION: ${{ needs.major-wp-version.outputs.version }} # Determines the versions of MySQL supported for a version of WordPress. # 
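Review bot: `echo version="${WP_VERSION}" >> $GITHUB_OUTPUT` in the `elif` branch of the major-version step writes the caller-supplied `wp-version` input to the output file without checking its shape. Moving the value to `env:` stops it being parsed as shell, but a value containing a line break would still be written as additional `name=value` lines in `$GITHUB_OUTPUT`. A format check before the `if`, for example `case "${WP_VERSION}" in *[!A-Za-z0-9.-]*) echo "Unexpected wp-version" >&2; exit 1 ;; esac`, would close that, assuming versions only ever use those characters. Quoting the target as `>> "$GITHUB_OUTPUT"` is also worth doing in all three branches.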
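Review bot: `jq -r '.["${WP_VERSION}"] | @json'` in the PHP-versions step sits inside single quotes, so the shell does not expand `${WP_VERSION}` and jq looks up the literal key `${WP_VERSION}`; the removed `${{ ... }}` form was substituted before the shell ran, which is why it worked. The added `# @TODO finalise` suggests this is known, but as written the step would emit `null`. Passing the value as a jq variable keeps it out of both the shell and the jq program text: `echo versions="$(jq -r --arg v "${WP_VERSION}" '.[$v] | @json' .version-support-php.json)" >> $GITHUB_OUTPUT`. The MySQL step in the next hunk has the same line against `.version-support-mysql.json`.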
@@ -120,8 +124,10 @@ jobs: - name: Get supported MySQL versions id: mysql-versions run: | - if [ "${{ needs.major-wp-version.outputs.version }}" != "latest" ] && [ "${{ needs.major-wp-version.outputs.version }}" != "nightly" ]; then - echo "versions=$(jq -r '.["${{ needs.major-wp-version.outputs.version }}"] | @json' .version-support-mysql.json)" >> $GITHUB_OUTPUT + if [ "${WP_VERSION}" != "latest" ] && [ "${WP_VERSION}" != "nightly" ]; then + echo versions="$(jq -r '.["${WP_VERSION}"] | @json' .version-support-mysql.json)" >> $GITHUB_OUTPUT # @todo finalise else - echo "versions=$(jq -r '.[ (keys[-1]) ] | @json' .version-support-mysql.json)" >> $GITHUB_OUTPUT + echo versions="$(jq -r '.[ (keys[-1]) ] | @json' .version-support-mysql.json)" >> $GITHUB_OUTPUT fi + env: + WP_VERSION: ${{ needs.major-wp-version.outputs.version }} diff --git a/.github/workflows/reusable-test-local-docker-environment-v1.yml b/.github/workflows/reusable-test-local-docker-environment-v1.yml index 4dccd7ef3dccd..7b3e0dff57920 100644 --- a/.github/workflows/reusable-test-local-docker-environment-v1.yml +++ b/.github/workflows/reusable-test-local-docker-environment-v1.yml @@ -76,8 +76,8 @@ jobs: steps: - name: Configure environment variables run: | - echo "PHP_FPM_UID=$(id -u)" >> $GITHUB_ENV - echo "PHP_FPM_GID=$(id -g)" >> $GITHUB_ENV + echo PHP_FPM_UID="$(id -u)" >> $GITHUB_ENV + echo PHP_FPM_GID="$(id -g)" >> $GITHUB_ENV - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/slack-notifications.yml b/.github/workflows/slack-notifications.yml index 82a2fc6e04e4c..74b4b5ad813c9 100644 --- a/.github/workflows/slack-notifications.yml +++ b/.github/workflows/slack-notifications.yml 
@@ -151,7 +151,7 @@ jobs: ${{ ( github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' ) && fromJson( steps.current-commit-message.outputs.result ) || github.event.head_commit.message }} EOF ) - echo "commit_message_escaped=${COMMIT_MESSAGE}" >> $GITHUB_OUTPUT + echo commit_message_escaped="${COMMIT_MESSAGE}" >> $GITHUB_OUTPUT - name: Construct payload and store as an output id: create-payload From 878b800a557f57ce638c546d381750956ca2bf55 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 9 Dec 2024 18:09:40 +0100 Subject: [PATCH 04/49] Prevent breaking out of command arguments. --- .github/workflows/install-testing.yml | 6 ++- .../workflows/reusable-end-to-end-tests.yml | 8 +-- .github/workflows/reusable-performance.yml | 50 +++++++++---------- .../workflows/reusable-phpunit-tests-v1.yml | 12 ++--- .../workflows/reusable-phpunit-tests-v2.yml | 24 ++++----- .../workflows/reusable-phpunit-tests-v3.yml | 6 +-- .../reusable-test-core-build-process.yml | 4 +- ...sable-test-local-docker-environment-v1.yml | 2 +- .../workflows/reusable-upgrade-testing.yml | 8 ++- .../workflows/test-and-zip-default-themes.yml | 4 +- 10 files changed, 67 insertions(+), 57 deletions(-) diff --git a/.github/workflows/install-testing.yml b/.github/workflows/install-testing.yml index c85435e020e64..56d23ae7d774a 100644 --- a/.github/workflows/install-testing.yml +++ b/.github/workflows/install-testing.yml 
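Review bot: The context line above `EOF` in the slack-notifications.yml hunk still expands `github.event.head_commit.message` (or the `fromJson(...)` step output) directly into the text of the `run:` script; the change here only requotes the `echo` that follows. Commit messages are author-controlled text, and whether the here-document takes them literally depends on how it is opened, which is outside the hunk. Supplying the message through `env:` and reading it as `"${COMMIT_MESSAGE}"` would match what the rest of this series does. If the message can span several lines, the single-line `name=value` write to `$GITHUB_OUTPUT` would also need the multiline delimiter form; confirm against the escaping done earlier in the step.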
@@ -116,10 +116,12 @@ jobs: tools: wp-cli${{ contains( fromJSON('["5.4", "5.5"]'), matrix.php ) && ':2.4.0' || '' }} - name: Download WordPress - run: wp core download ${{ inputs.wp-version && format( '--version={0}', inputs.wp-version ) || '--version=nightly' }} + run: wp core download ${{ inputs.wp-version && format( '--version="{0}"', inputs.wp-version ) || '--version=nightly' }} - name: Create wp-config.php file - run: wp config create --dbname=test_db --dbuser=root --dbpass=root --dbhost=127.0.0.1:${{ job.services.database.ports['3306'] }} + run: wp config create --dbname=test_db --dbuser=root --dbpass=root --dbhost="127.0.0.1:${DB_PORT}" + env: + DB_PORT: ${{ job.services.database.ports['3306'] }} - name: Install WordPress run: wp core ${{ matrix.multisite && 'multisite-' || '' }}install --url=http://localhost/ --title="Upgrade Test" --admin_user=admin --admin_password=password --admin_email=me@example.org --skip-email diff --git a/.github/workflows/reusable-end-to-end-tests.yml b/.github/workflows/reusable-end-to-end-tests.yml index 2982203fb743d..2ccaff8cbe2bc 100644 --- a/.github/workflows/reusable-end-to-end-tests.yml +++ b/.github/workflows/reusable-end-to-end-tests.yml 
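Review bot: Wrapping `{0}` in double quotes in `format( '--version="{0}"', inputs.wp-version )` does not keep the input inside the argument, because the expression is expanded into the script text before the shell parses it, so quote characters or command substitutions in the value are still interpreted by the shell. The `Create wp-config.php file` step in the same hunk shows the form that does hold: `run: wp core download --version="${WP_VERSION}"` with `env:` and `WP_VERSION: ${{ inputs.wp-version || 'nightly' }}`. The Gutenberg install step in reusable-end-to-end-tests.yml uses the same `format( '--version="{0}"', inputs.gutenberg-version )` construct and needs an equivalent change.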
@@ -117,13 +117,13 @@ jobs: - name: Install Gutenberg if: ${{ inputs.install-gutenberg }} - run: npm run env:cli -- plugin install gutenberg${{ inputs.gutenberg-version && format( ' --version={0}', inputs.gutenberg-version ) || '' }} --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- plugin install gutenberg ${{ inputs.gutenberg-version && format( '--version="{0}"', inputs.gutenberg-version ) || '' }} --path="/var/www/${LOCAL_DIR}" - name: Install additional languages run: | - npm run env:cli -- language core install de_DE --path=/var/www/${{ env.LOCAL_DIR }} - npm run env:cli -- language plugin install de_DE --all --path=/var/www/${{ env.LOCAL_DIR }} - npm run env:cli -- language theme install de_DE --all --path=/var/www/${{ env.LOCAL_DIR }} + npm run env:cli -- language core install de_DE --path="/var/www/${LOCAL_DIR}" + npm run env:cli -- language plugin install de_DE --all --path="/var/www/${LOCAL_DIR}" + npm run env:cli -- language theme install de_DE --all --path="/var/www/${LOCAL_DIR}" - name: Run E2E tests run: npm run test:e2e diff --git a/.github/workflows/reusable-performance.yml b/.github/workflows/reusable-performance.yml index f00708a131825..03116859c165b 100644 --- a/.github/workflows/reusable-performance.yml +++ b/.github/workflows/reusable-performance.yml 
@@ -167,41 +167,41 @@ jobs: run: npm run env:install - name: Install WordPress Importer plugin - run: npm run env:cli -- plugin install wordpress-importer --activate --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- plugin install wordpress-importer --activate --path="/var/www/${LOCAL_DIR}" - name: Import mock data run: | curl -O https://raw.githubusercontent.com/WordPress/theme-test-data/b9752e0533a5acbb876951a8cbb5bcc69a56474c/themeunittestdata.wordpress.xml - npm run env:cli -- import themeunittestdata.wordpress.xml --authors=create --path=/var/www/${{ env.LOCAL_DIR }} + npm run env:cli -- import themeunittestdata.wordpress.xml --authors=create --path="/var/www/${LOCAL_DIR}" rm themeunittestdata.wordpress.xml - name: Deactivate WordPress Importer plugin - run: npm run env:cli -- plugin deactivate wordpress-importer --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- plugin deactivate wordpress-importer --path="/var/www/${LOCAL_DIR}" - name: Update permalink structure - run: npm run env:cli -- rewrite structure '/%year%/%monthnum%/%postname%/' --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- rewrite structure '/%year%/%monthnum%/%postname%/' --path="/var/www/${LOCAL_DIR}" - name: Install additional languages run: | - npm run env:cli -- language core install de_DE --path=/var/www/${{ env.LOCAL_DIR }} - npm run env:cli -- language plugin install de_DE --all --path=/var/www/${{ env.LOCAL_DIR }} - npm run env:cli -- language theme install de_DE --all --path=/var/www/${{ env.LOCAL_DIR }} + npm run env:cli -- language core install de_DE --path="/var/www/${LOCAL_DIR}" + npm run env:cli -- language plugin install de_DE --all --path="/var/www/${LOCAL_DIR}" + npm run env:cli -- language theme install de_DE --all --path="/var/www/${LOCAL_DIR}" # Prevent background update checks from impacting test stability. 
- name: Disable external HTTP requests - run: npm run env:cli -- config set WP_HTTP_BLOCK_EXTERNAL true --raw --type=constant --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- config set WP_HTTP_BLOCK_EXTERNAL true --raw --type=constant --path="/var/www/${LOCAL_DIR}" # Prevent background tasks from impacting test stability. - name: Disable cron - run: npm run env:cli -- config set DISABLE_WP_CRON true --raw --type=constant --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- config set DISABLE_WP_CRON true --raw --type=constant --path="/var/www/${LOCAL_DIR}" - name: List defined constants - run: npm run env:cli -- config list --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- config list --path="/var/www/${LOCAL_DIR}" - name: Install MU plugin run: | - mkdir ./${{ env.LOCAL_DIR }}/wp-content/mu-plugins - cp ./tests/performance/wp-content/mu-plugins/server-timing.php ./${{ env.LOCAL_DIR }}/wp-content/mu-plugins/server-timing.php + mkdir "./${LOCAL_DIR}/wp-content/mu-plugins" + cp ./tests/performance/wp-content/mu-plugins/server-timing.php "./${LOCAL_DIR}/wp-content/mu-plugins/server-timing.php" - name: Run performance tests (current commit) run: npm run test:performance 
@@ -239,20 +239,20 @@ jobs: - name: Unzip the build if: ${{ steps.get-previous-build.outputs.result }} run: | - unzip ${{ github.workspace }}/before.zip - unzip -o ${{ github.workspace }}/wordpress.zip + unzip "${GITHUB_WORKSPACE}/before.zip" + unzip -o "${GITHUB_WORKSPACE}/wordpress.zip" - name: Run any database upgrades if: ${{ steps.get-previous-build.outputs.result }} - run: npm run env:cli -- core update-db --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- core update-db --path="/var/www/${LOCAL_DIR}" - name: Flush cache if: ${{ steps.get-previous-build.outputs.result }} - run: npm run env:cli -- cache flush --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- cache flush --path="/var/www/${LOCAL_DIR}" - name: Delete expired transients if: ${{ steps.get-previous-build.outputs.result }} - run: npm run env:cli -- transient delete --expired --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- transient delete --expired --path="/var/www/${LOCAL_DIR}" - name: Run target performance tests (previous/target commit) if: ${{ steps.get-previous-build.outputs.result }} 
@@ -263,20 +263,20 @@ jobs: - name: Set the environment to the baseline version if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' }} run: | - npm run env:cli -- core update --version=${{ env.BASE_TAG }} --force --path=/var/www/${{ env.LOCAL_DIR }} - npm run env:cli -- core version --path=/var/www/${{ env.LOCAL_DIR }} + npm run env:cli -- core update --version="${BASE_TAG}" --force --path="/var/www/${LOCAL_DIR}" + npm run env:cli -- core version --path="/var/www/${LOCAL_DIR}" - name: Run any database upgrades if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' }} - run: npm run env:cli -- core update-db --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- core update-db --path="/var/www/${LOCAL_DIR}" - name: Flush cache if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' }} - run: npm run env:cli -- cache flush --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- cache flush --path="/var/www/${LOCAL_DIR}" - name: Delete expired transients if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' }} - run: npm run env:cli -- transient delete --expired --path=/var/www/${{ env.LOCAL_DIR }} + run: npm run env:cli -- transient delete --expired --path="/var/www/${LOCAL_DIR}" - name: Run baseline performance tests if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' }} @@ -294,10 +294,10 @@ jobs: include-hidden-files: true - name: Compare results - run: node ./tests/performance/compare-results.js ${{ runner.temp }}/summary.md + run: node ./tests/performance/compare-results.js "${RUNNER_TEMP}/summary.md" - name: Add workflow summary - run: cat ${{ runner.temp }}/summary.md >> $GITHUB_STEP_SUMMARY + run: cat "${RUNNER_TEMP}/summary.md" >> $GITHUB_STEP_SUMMARY - name: Set the base sha # Only needed when publishing results. 
@@ -342,7 +342,7 @@ jobs: echo "Performance results could not be published. 'CODEVITALS_PROJECT_TOKEN' is not set" >> $GITHUB_OUTPUT exit 1 fi - node ./tests/performance/log-results.js $CODEVITALS_PROJECT_TOKEN trunk $GITHUB_SHA $BASE_SHA $COMMITTED_AT $HOST_NAME + node ./tests/performance/log-results.js "$CODEVITALS_PROJECT_TOKEN" trunk "$GITHUB_SHA" "$BASE_SHA" "$COMMITTED_AT" "$HOST_NAME" - name: Ensure version-controlled files are not modified or deleted run: git diff --exit-code diff --git a/.github/workflows/reusable-phpunit-tests-v1.yml b/.github/workflows/reusable-phpunit-tests-v1.yml index 4308f640cb500..cbb360c2a7f96 100644 --- a/.github/workflows/reusable-phpunit-tests-v1.yml +++ b/.github/workflows/reusable-phpunit-tests-v1.yml 
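Review bot: `node ./tests/performance/log-results.js "$CODEVITALS_PROJECT_TOKEN" trunk ...` passes what appears to be a secret token as a command-line argument; quoting fixes word splitting, but the value is still part of the process arguments. Since the variable is already in the step's environment, having `log-results.js` read `process.env.CODEVITALS_PROJECT_TOKEN` itself would avoid that, though it needs a change to a script that is not part of this hunk. In the same step the "could not be published" message is appended to `$GITHUB_OUTPUT`, which expects `name=value` lines; `>&2` looks like the intended destination.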
@@ -161,24 +161,24 @@ jobs: - name: Run slow PHPUnit tests if: ${{ inputs.split_slow }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} --group ${{ env.SLOW_TESTS }} + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" --group "${SLOW_TESTS}" - name: Run PHPUnit tests for single site excluding slow tests if: ${{ inputs.php < '7.0' && ! inputs.split_slow && ! inputs.multisite }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} --exclude-group ${{ env.SLOW_TESTS }},ajax,ms-files,ms-required + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" --exclude-group "${SLOW_TESTS},ajax,ms-files,ms-required" - name: Run PHPUnit tests for Multisite excluding slow tests if: ${{ inputs.php < '7.0' && ! inputs.split_slow && inputs.multisite }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} --exclude-group ${{ env.SLOW_TESTS }},ajax,ms-files,ms-excluded,oembed-headers + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" --exclude-group "${SLOW_TESTS},ajax,ms-files,ms-excluded,oembed-headers" - name: Run PHPUnit tests if: ${{ inputs.php >= '7.0' }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" - name: Run AJAX tests if: ${{ ! inputs.multisite && ! inputs.split_slow }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} --group ajax + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" --group ajax - name: Run external HTTP tests if: ${{ ! inputs.multisite && ! inputs.split_slow }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c phpunit.xml.dist --group external-http + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c phpunit.xml.dist --group external-http 
diff --git a/.github/workflows/reusable-phpunit-tests-v2.yml b/.github/workflows/reusable-phpunit-tests-v2.yml index b1e9543f4345c..2b7cf2cbbe603 100644 --- a/.github/workflows/reusable-phpunit-tests-v2.yml +++ b/.github/workflows/reusable-phpunit-tests-v2.yml @@ -125,13 +125,13 @@ jobs: # The PHPUnit 7.x phar is not compatible with PHP 8 and won't be updated, # as PHPUnit 7 is no longer supported. The Composer-installed PHPUnit should be # used for PHP 8 testing instead. - if [ ${{ env.LOCAL_PHP }} == '8.0-fpm' ]; then + if [ "${LOCAL_PHP}" == '8.0-fpm' ]; then docker compose run --rm php composer install --ignore-platform-reqs - echo "PHPUNIT_SCRIPT=php-composer" >> $GITHUB_ENV - elif [ ${{ env.LOCAL_PHP }} == '7.1-fpm' ]; then + echo PHPUNIT_SCRIPT="php-composer" >> $GITHUB_ENV + elif [ "${LOCAL_PHP}" == '7.1-fpm' ]; then docker compose run --rm php composer update git checkout -- composer.lock - elif [[ ${{ env.LOCAL_PHP }} == '5.6-fpm' || ${{ env.LOCAL_PHP }} == '7.0-fpm' ]]; then + elif [[ "${LOCAL_PHP}" == '5.6-fpm' || "${LOCAL_PHP}" == '7.0-fpm' ]]; then docker compose run --rm php composer require --dev phpunit/phpunit:"^5.7" --update-with-dependencies git checkout -- composer.lock composer.json else 
@@ -170,36 +170,36 @@ jobs: - name: Run slow PHPUnit tests if: ${{ inputs.split_slow }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} --group ${{ env.SLOW_TESTS }} + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" --group "${SLOW_TESTS}" - name: Run PHPUnit tests for single site excluding slow tests if: ${{ inputs.php < '7.0' && ! inputs.split_slow && ! inputs.multisite }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} --exclude-group ${{ env.SLOW_TESTS }},ajax,ms-files,ms-required + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" --exclude-group "${SLOW_TESTS},ajax,ms-files,ms-required" - name: Run PHPUnit tests for Multisite excluding slow tests if: ${{ inputs.php < '7.0' && ! inputs.split_slow && inputs.multisite }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} --exclude-group ${{ env.SLOW_TESTS }},ajax,ms-files,ms-excluded,oembed-headers + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" --exclude-group "${SLOW_TESTS},ajax,ms-files,ms-excluded,oembed-headers" - name: Run PHPUnit tests if: ${{ inputs.php >= '7.0' }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" - name: Run AJAX tests if: ${{ ! inputs.split_slow&& inputs.test_ajax }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} --group ajax + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" --group ajax - name: Run ms-files tests as a multisite install if: ${{ inputs.multisite && ! 
inputs.split_slow }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c ${{ env.PHPUNIT_CONFIG }} --group ms-files + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c "${PHPUNIT_CONFIG}" --group ms-files - name: Run external HTTP tests if: ${{ ! inputs.multisite && ! inputs.split_slow }} - run: npm run test:${{ env.PHPUNIT_SCRIPT }} -- --verbose -c phpunit.xml.dist --group external-http + run: npm run "test:${PHPUNIT_SCRIPT}" -- --verbose -c phpunit.xml.dist --group external-http # __fakegroup__ is excluded to force PHPUnit to ignore the settings in phpunit.xml.dist. - name: Run (xDebug) tests if: ${{ ! inputs.split_slow }} - run: LOCAL_PHP_XDEBUG=true npm run test:${{ env.PHPUNIT_SCRIPT }} -- -v --group xdebug --exclude-group __fakegroup__ + run: LOCAL_PHP_XDEBUG=true npm run "test:${PHPUNIT_SCRIPT}" -- -v --group xdebug --exclude-group __fakegroup__ - name: Ensure version-controlled files are not modified or deleted run: git diff --exit-code diff --git a/.github/workflows/reusable-phpunit-tests-v3.yml b/.github/workflows/reusable-phpunit-tests-v3.yml index 74d48af871ef1..e2186b5fddf02 100644 --- a/.github/workflows/reusable-phpunit-tests-v3.yml +++ b/.github/workflows/reusable-phpunit-tests-v3.yml 
@@ -187,17 +187,17 @@ jobs: - name: Run AJAX tests if: ${{ ! inputs.phpunit-test-groups && ! inputs.coverage-report }} continue-on-error: ${{ inputs.allow-errors }} - run: node ./tools/local-env/scripts/docker.js run php ./vendor/bin/phpunit --verbose -c ${{ env.PHPUNIT_CONFIG }} --group ajax + run: node ./tools/local-env/scripts/docker.js run php ./vendor/bin/phpunit --verbose -c "${PHPUNIT_CONFIG}" --group ajax - name: Run ms-files tests as a multisite install if: ${{ inputs.multisite && ! inputs.phpunit-test-groups && ! inputs.coverage-report }} continue-on-error: ${{ inputs.allow-errors }} - run: node ./tools/local-env/scripts/docker.js run php ./vendor/bin/phpunit --verbose -c ${{ env.PHPUNIT_CONFIG }} --group ms-files + run: node ./tools/local-env/scripts/docker.js run php ./vendor/bin/phpunit --verbose -c "${PHPUNIT_CONFIG}" --group ms-files - name: Run external HTTP tests if: ${{ ! inputs.multisite && ! inputs.phpunit-test-groups && ! inputs.coverage-report }} continue-on-error: ${{ inputs.allow-errors }} - run: node ./tools/local-env/scripts/docker.js run php ./vendor/bin/phpunit --verbose -c ${{ env.PHPUNIT_CONFIG }} --group external-http + run: node ./tools/local-env/scripts/docker.js run php ./vendor/bin/phpunit --verbose -c "${PHPUNIT_CONFIG}" --group external-http # __fakegroup__ is excluded to force PHPUnit to ignore the settings in phpunit.xml.dist. - name: Run (Xdebug) tests diff --git a/.github/workflows/reusable-test-core-build-process.yml b/.github/workflows/reusable-test-core-build-process.yml index e2683961471c1..b16e8384bf1b1 100644 --- a/.github/workflows/reusable-test-core-build-process.yml +++ b/.github/workflows/reusable-test-core-build-process.yml 
@@ -112,7 +112,9 @@ jobs: if: ${{ inputs.prepare-playground }} run: | mkdir -p ./pr-number - echo ${{ github.event.number }} > ./pr-number/NR + echo "${EVENT_NUMBER}" > ./pr-number/NR + env: + EVENT_NUMBER: ${{ github.event.number }} # Uploads the PR number as an artifact for the Pull Request Commenting workflow to download and then # leave a comment detailing how to test the PR within WordPress Playground. diff --git a/.github/workflows/reusable-test-local-docker-environment-v1.yml b/.github/workflows/reusable-test-local-docker-environment-v1.yml index 7b3e0dff57920..884c6c5158980 100644 --- a/.github/workflows/reusable-test-local-docker-environment-v1.yml +++ b/.github/workflows/reusable-test-local-docker-environment-v1.yml @@ -135,7 +135,7 @@ jobs: - name: WordPress Docker container debug information run: | - docker compose run --rm mysql ${{ env.LOCAL_DB_TYPE }} --version + docker compose run --rm mysql "${LOCAL_DB_TYPE}" --version docker compose run --rm php php --version docker compose run --rm php php -m docker compose run --rm php php -i diff --git a/.github/workflows/reusable-upgrade-testing.yml b/.github/workflows/reusable-upgrade-testing.yml index 1d4f26f91ad2c..383cfc83db425 100644 --- a/.github/workflows/reusable-upgrade-testing.yml +++ b/.github/workflows/reusable-upgrade-testing.yml 
@@ -76,10 +76,14 @@ jobs: tools: wp-cli - name: Download WordPress ${{ inputs.wp }} - run: wp core download --version=${{ inputs.wp }} + run: wp core download --version="${WP_VERSION}" + env: + WP_VERSION: ${{ inputs.wp }} - name: Create wp-config.php file - run: wp config create --dbname=test_db --dbuser=root --dbpass=root --dbhost=127.0.0.1:${{ job.services.database.ports['3306'] }} + run: wp config create --dbname=test_db --dbuser=root --dbpass=root --dbhost="127.0.0.1:${DB_PORT}" + env: + DB_PORT: ${{ job.services.database.ports['3306'] }} - name: Install WordPress run: wp core ${{ inputs.multisite && 'multisite-' || '' }}install --url=http://localhost/ --title="Upgrade Test" --admin_user=admin --admin_password=password --admin_email=me@example.org --skip-email diff --git a/.github/workflows/test-and-zip-default-themes.yml b/.github/workflows/test-and-zip-default-themes.yml index c7e7b3012f8f9..0c6dd432e18d9 100644 --- a/.github/workflows/test-and-zip-default-themes.yml +++ b/.github/workflows/test-and-zip-default-themes.yml @@ -94,7 +94,9 @@ jobs: - name: Check for zero-byte (empty) files run: | - [[ ! $(find src/wp-content/themes/${{ matrix.theme }} -empty) ]] + [[ ! $(find "src/wp-content/themes/${THEME}" -empty) ]] + env: + THEME: ${{ matrix.theme }} # Tests the build script for themes that have one. # From b2ace9192ba7a5ef3282dcff6e44f87588e6901f Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 9 Dec 2024 18:14:18 +0100 Subject: [PATCH 05/49] Remove a redundant step. --- .github/workflows/slack-notifications.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/slack-notifications.yml b/.github/workflows/slack-notifications.yml index 74b4b5ad813c9..7a56f9e710141 100644 --- a/.github/workflows/slack-notifications.yml +++ b/.github/workflows/slack-notifications.yml 
@@ -54,7 +54,7 @@ jobs: timeout-minutes: 5 if: ${{ github.repository == 'WordPress/wordpress-develop' && github.event.workflow_run.event != 'pull_request' }} outputs: - previous_conclusion: ${{ steps.previous-conclusion.outputs.previous_conclusion }} + previous_conclusion: ${{ steps.previous-attempt-result.outputs.result }} payload: ${{ steps.create-payload.outputs.payload }} steps: @@ -125,10 +125,6 @@ jobs: // Can't determine previous workflow conclusion. return 'unknown'; - - name: Store previous conclusion as an output - id: previous-conclusion - run: echo "previous_conclusion=${{ steps.previous-attempt-result.outputs.result }}" >> $GITHUB_OUTPUT - - name: Get the commit message id: current-commit-message uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 From 47ba701e02882097c8ed0ebf6b44adb496f5d438 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 9 Dec 2024 18:14:55 +0100 Subject: [PATCH 06/49] Use an environment variable in this JavaScript step. --- .github/workflows/slack-notifications.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/slack-notifications.yml b/.github/workflows/slack-notifications.yml index 7a56f9e710141..280a88d192101 100644 --- a/.github/workflows/slack-notifications.yml +++ b/.github/workflows/slack-notifications.yml @@ -71,7 +71,7 @@ jobs: run_id: context.runId, }); - if ( '${{ inputs.calling_status }}' == 'failure' && workflow_run.data.run_attempt == 1 ) { + if ( process.env.CALLING_STATUS == 'failure' && workflow_run.data.run_attempt == 1 ) { return 'first-failure'; } @@ -124,6 +124,8 @@ jobs: // Can't determine previous workflow conclusion. return 'unknown'; + env: + CALLING_STATUS: ${{ inputs.calling_status }} - name: Get the commit message id: current-commit-message From fc746fb023c7c8ad77466ddb415056232e066829 Mon Sep 17 00:00:00 2001 
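Review bot: The `previous_conclusion` job output now reads `steps.previous-attempt-result.outputs.result` directly, and actions/github-script JSON-encodes its return value by default, so a returned string such as `'first-failure'` would be exposed with its surrounding double quotes. The removed step passed the value through a shell `echo "…"`, where those quotes were consumed by the shell, so anything comparing the output against a bare string may stop matching. Unless the script step already sets it (its `with:` block is outside this hunk), add `result-encoding: string` to that step.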
From: John Blackbourn Date: Mon, 9 Dec 2024 18:16:46 +0100 Subject: [PATCH 07/49] Clearer formatting for these dynamic command arguments. --- .github/workflows/install-testing.yml | 2 +- .github/workflows/reusable-test-core-build-process.yml | 4 ++-- .github/workflows/reusable-test-gutenberg-build-process.yml | 2 +- .github/workflows/reusable-upgrade-testing.yml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/install-testing.yml b/.github/workflows/install-testing.yml index 56d23ae7d774a..a144d0edcac7e 100644 --- a/.github/workflows/install-testing.yml +++ b/.github/workflows/install-testing.yml @@ -124,7 +124,7 @@ jobs: DB_PORT: ${{ job.services.database.ports['3306'] }} - name: Install WordPress - run: wp core ${{ matrix.multisite && 'multisite-' || '' }}install --url=http://localhost/ --title="Upgrade Test" --admin_user=admin --admin_password=password --admin_email=me@example.org --skip-email + run: wp core ${{ matrix.multisite && 'multisite-install' || 'install' }}' --url=http://localhost/ --title="Upgrade Test" --admin_user=admin --admin_password=password --admin_email=me@example.org --skip-email slack-notifications: name: Slack Notifications diff --git a/.github/workflows/reusable-test-core-build-process.yml b/.github/workflows/reusable-test-core-build-process.yml index b16e8384bf1b1..3b05037e2ddb8 100644 --- a/.github/workflows/reusable-test-core-build-process.yml +++ b/.github/workflows/reusable-test-core-build-process.yml @@ -85,7 +85,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Build WordPress to run from ${{ inputs.directory }} - run: npm run build${{ inputs.directory == 'src' && ':dev' || '' }} + run: npm run ${{ inputs.directory == 'src' && 'build:dev' || 'build' }} - name: Ensure version-controlled files are not modified or deleted during building run: git diff --exit-code 
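Review bot: The new `Install WordPress` command in install-testing.yml has a stray `'` directly after the closing `}}`, so the shell sees an unterminated single-quoted string and the step cannot run. The line should begin `run: wp core ${{ matrix.multisite && 'multisite-install' || 'install' }} --url=http://localhost/`, as the matching change to reusable-upgrade-testing.yml in this same commit does.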
@@ -95,7 +95,7 @@ jobs: run: zip -r wordpress.zip build/. - name: Clean after building to run from ${{ inputs.directory }} - run: npm run grunt clean${{ inputs.directory == 'src' && ' -- --dev' || '' }} + run: npm run grunt ${{ inputs.directory == 'src' && 'clean -- --dev' || 'clean' }} - name: Ensure version-controlled files are not modified or deleted during cleaning run: git diff --exit-code diff --git a/.github/workflows/reusable-test-gutenberg-build-process.yml b/.github/workflows/reusable-test-gutenberg-build-process.yml index 86756a5043b55..44907872c25b0 100644 --- a/.github/workflows/reusable-test-gutenberg-build-process.yml +++ b/.github/workflows/reusable-test-gutenberg-build-process.yml @@ -82,7 +82,7 @@ jobs: working-directory: ${{ env.GUTENBERG_DIRECTORY }} - name: Build WordPress to run from ${{ inputs.directory }} - run: npm run build${{ inputs.directory == 'src' && ':dev' || '' }} + run: npm run ${{ inputs.directory == 'src' && 'build:dev' || 'build' }} - name: Run Gutenberg build script after building Core to run from ${{ inputs.directory }} run: npm run build diff --git a/.github/workflows/reusable-upgrade-testing.yml b/.github/workflows/reusable-upgrade-testing.yml index 383cfc83db425..8d2ad99997eab 100644 --- a/.github/workflows/reusable-upgrade-testing.yml +++ b/.github/workflows/reusable-upgrade-testing.yml @@ -86,7 +86,7 @@ jobs: DB_PORT: ${{ job.services.database.ports['3306'] }} - name: Install WordPress - run: wp core ${{ inputs.multisite && 'multisite-' || '' }}install --url=http://localhost/ --title="Upgrade Test" --admin_user=admin --admin_password=password --admin_email=me@example.org --skip-email + run: wp core ${{ inputs.multisite && 'multisite-install' || 'install' }} --url=http://localhost/ --title="Upgrade Test" --admin_user=admin --admin_password=password --admin_email=me@example.org --skip-email - name: Update to the latest minor version run: wp core update --minor 
From 5548281e237725042ee9f049754954e8e5046944 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 9 Dec 2024 18:18:02 +0100 Subject: [PATCH 08/49] Replace manual construction of JSON with safe output from `jq`. --- .github/workflows/slack-notifications.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/slack-notifications.yml b/.github/workflows/slack-notifications.yml index 280a88d192101..2ae3ccea8c986 100644 --- a/.github/workflows/slack-notifications.yml +++ b/.github/workflows/slack-notifications.yml @@ -153,7 +153,17 @@ jobs: - name: Construct payload and store as an output id: create-payload - run: echo "payload={\"workflow_name\":\"${{ github.workflow }}\",\"ref_name\":\"${{ env.CURRENT_BRANCH }}\",\"run_url\":\"https://github.com/WordPress/wordpress-develop/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}\",\"commit_message\":\"${{ steps.commit-message.outputs.commit_message_escaped }}\"}" >> $GITHUB_OUTPUT + run: | + echo payload="$( + jq -n + --arg workflow_name "${GITHUB_WORKFLOW}" \ + --arg ref_name "${CURRENT_BRANCH}" \ + --arg run_url "https://github.com/WordPress/wordpress-develop/actions/runs/${GITHUB_RUN_ID}/attempts/${GITHUB_RUN_ATTEMPT}" \ + --arg commit_message "${COMMIT_MSG}" \ + '{workflow_name: $workflow_name, ref_name: $ref_name, run_url: $run_url, commit_message: $commit_message}' + )" >> $GITHUB_OUTPUT + env: + COMMIT_MSG: ${{ steps.commit-message.outputs.commit_message_escaped }} # Posts notifications when a workflow fails. failure: From c0c49a1399980b2c8d9513f7dd10d7323b50588e Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 9 Dec 2024 18:26:58 +0100 Subject: [PATCH 09/49] Break this long line into multiple lines for clarity and replace GitHub Actions expressions with environment variables. --- .github/workflows/reusable-phpunit-tests-v3.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) 
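Review bot: The `jq -n` line inside the command substitution has no trailing `\`, so jq is invoked on its own and the following `--arg …` line is run as a separate command. Make it `jq -nc \`: the continuation keeps the arguments attached, and `-c` keeps the object on one line, which the `name=value` form appended to `$GITHUB_OUTPUT` needs because jq pretty-prints over several lines by default. `commit_message` is also still taken from `commit_message_escaped`, which appears to be backslash-escaped by the earlier step, so jq's own string encoding may escape it a second time.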
diff --git a/.github/workflows/reusable-phpunit-tests-v3.yml b/.github/workflows/reusable-phpunit-tests-v3.yml index e2186b5fddf02..b8e8a117a67c7 100644 --- a/.github/workflows/reusable-phpunit-tests-v3.yml +++ b/.github/workflows/reusable-phpunit-tests-v3.yml @@ -182,7 +182,16 @@ jobs: - name: Run PHPUnit tests${{ inputs.phpunit-test-groups && format( ' ({0} groups)', inputs.phpunit-test-groups ) || '' }}${{ inputs.coverage-report && ' with coverage report' || '' }} continue-on-error: ${{ inputs.allow-errors }} - run: node ./tools/local-env/scripts/docker.js run php ./vendor/bin/phpunit --verbose -c ${{ env.PHPUNIT_CONFIG }}${{ inputs.phpunit-test-groups && format( ' --group {0}', inputs.phpunit-test-groups ) || '' }}${{ inputs.coverage-report && format( ' --coverage-clover wp-code-coverage-{0}-{1}.xml --coverage-html wp-code-coverage-{0}-{1}', ( inputs.multisite && 'multisite' || 'single' ), github.sha ) || '' }} + run: | + node ./tools/local-env/scripts/docker.js run \ + php ./vendor/bin/phpunit \ + --verbose \ + -c "${PHPUNIT_CONFIG}" \ + ${{ inputs.phpunit-test-groups && '--group "${TEST_GROUPS}"' || '' }} \ + ${{ inputs.coverage-report && '--coverage-clover "wp-code-coverage-${MULTISITE_FLAG}-${GITHUB_SHA}.xml" --coverage-html "wp-code-coverage-${MULTISITE_FLAG}-${GITHUB_SHA}"' || '' }} + env: + TEST_GROUPS: ${{ inputs.phpunit-test-groups }} + MULTISITE_FLAG: ${{ inputs.multisite && 'multisite' || 'single' }} - name: Run AJAX tests if: ${{ ! inputs.phpunit-test-groups && ! inputs.coverage-report }} From 1143dca0678f66728a9bb03b77c1dc06533a05a8 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 9 Dec 2024 18:32:52 +0100 Subject: [PATCH 10/49] Replace some more logic with environment variables. --- .github/workflows/reusable-phpunit-tests-v3.yml | 4 +++- .github/workflows/reusable-upgrade-testing.yml | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/reusable-phpunit-tests-v3.yml b/.github/workflows/reusable-phpunit-tests-v3.yml index b8e8a117a67c7..c9c634e8e333b 100644 --- a/.github/workflows/reusable-phpunit-tests-v3.yml +++ b/.github/workflows/reusable-phpunit-tests-v3.yml @@ -171,11 +171,13 @@ jobs: - name: WordPress Docker container debug information run: | - docker compose run --rm mysql ${{ env.LOCAL_DB_TYPE == 'mariadb' && contains( fromJSON('["5.5", "10.0", "10.1", "10.2", "10.3"]'), env.LOCAL_DB_VERSION ) && 'mysql' || env.LOCAL_DB_TYPE }} --version + docker compose run --rm mysql "${LOCAL_DB_CMD}" --version docker compose run --rm php php --version docker compose run --rm php php -m docker compose run --rm php php -i docker compose run --rm php locale -a + env: + LOCAL_DB_CMD: ${{ env.LOCAL_DB_TYPE == 'mariadb' && contains( fromJSON('["5.5", "10.0", "10.1", "10.2", "10.3"]'), env.LOCAL_DB_VERSION ) && 'mysql' || env.LOCAL_DB_TYPE }} - name: Install WordPress run: npm run env:install diff --git a/.github/workflows/reusable-upgrade-testing.yml b/.github/workflows/reusable-upgrade-testing.yml index 8d2ad99997eab..e07e408c13548 100644 --- a/.github/workflows/reusable-upgrade-testing.yml +++ b/.github/workflows/reusable-upgrade-testing.yml @@ -93,4 +93,6 @@ jobs: - name: Upgrade to WordPress ${{ inputs.new-version }} run: | - wp core update${{ 'latest' != inputs.new-version && format( ' --version={0}', inputs.new-version ) || '' }} + wp core update ${{ 'latest' != inputs.new-version && '--version="${WP_VERSION}"' || '' }} + env: + WP_VERSION: ${{ inputs.new-version }} From 896fee19103cde1f854d3d09b6bc192382a5bedd Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 10 Dec 2024 10:45:31 +0100 Subject: [PATCH 11/49] More formatting for readability. --- .github/workflows/install-testing.yml | 2 +- .github/workflows/reusable-upgrade-testing.yml | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/install-testing.yml b/.github/workflows/install-testing.yml index a144d0edcac7e..ef51d29d7749a 100644 --- a/.github/workflows/install-testing.yml +++ b/.github/workflows/install-testing.yml @@ -113,7 +113,7 @@ jobs: with: php-version: '${{ matrix.php }}' coverage: none - tools: wp-cli${{ contains( fromJSON('["5.4", "5.5"]'), matrix.php ) && ':2.4.0' || '' }} + tools: ${{ contains( fromJSON('["5.4", "5.5"]'), matrix.php ) && 'wp-cli:2.4.0' || 'wp-cli' }} - name: Download WordPress run: wp core download ${{ inputs.wp-version && format( '--version="{0}"', inputs.wp-version ) || '--version=nightly' }} diff --git a/.github/workflows/reusable-upgrade-testing.yml b/.github/workflows/reusable-upgrade-testing.yml index e07e408c13548..799ba1a9c2fdc 100644 --- a/.github/workflows/reusable-upgrade-testing.yml +++ b/.github/workflows/reusable-upgrade-testing.yml @@ -86,7 +86,10 @@ jobs: DB_PORT: ${{ job.services.database.ports['3306'] }} - name: Install WordPress - run: wp core ${{ inputs.multisite && 'multisite-install' || 'install' }} --url=http://localhost/ --title="Upgrade Test" --admin_user=admin --admin_password=password --admin_email=me@example.org --skip-email + run: | + wp core ${{ inputs.multisite && 'multisite-install' || 'install' }} \ + --url=http://localhost/ --title="Upgrade Test" --admin_user=admin \ + --admin_password=password --admin_email=me@example.org --skip-email - name: Update to the latest minor version run: wp core update --minor From 32146c2f04c980f7717619e79b43df060ce39fc3 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 10 Dec 2024 10:46:29 +0100 Subject: [PATCH 12/49] Replace more GitHub Actions expressions with environment variables. --- .github/workflows/install-testing.yml | 6 +++++- .github/workflows/reusable-end-to-end-tests.yml | 7 ++++++- .github/workflows/slack-notifications.yml | 7 +++---- 3 files changed, 14 insertions(+), 6 deletions(-) 
diff --git a/.github/workflows/install-testing.yml b/.github/workflows/install-testing.yml index ef51d29d7749a..ab73f0dc67ea9 100644 --- a/.github/workflows/install-testing.yml +++ b/.github/workflows/install-testing.yml @@ -116,7 +116,11 @@ jobs: tools: ${{ contains( fromJSON('["5.4", "5.5"]'), matrix.php ) && 'wp-cli:2.4.0' || 'wp-cli' }} - name: Download WordPress - run: wp core download ${{ inputs.wp-version && format( '--version="{0}"', inputs.wp-version ) || '--version=nightly' }} + run: | + wp core download \ + ${{ inputs.wp-version && '--version="${WP_VERSION}"' || '--version=nightly' }} + env: + WP_VERSION: ${{ inputs.wp-version }} - name: Create wp-config.php file run: wp config create --dbname=test_db --dbuser=root --dbpass=root --dbhost="127.0.0.1:${DB_PORT}" diff --git a/.github/workflows/reusable-end-to-end-tests.yml b/.github/workflows/reusable-end-to-end-tests.yml index 2ccaff8cbe2bc..8c7c17767222f 100644 --- a/.github/workflows/reusable-end-to-end-tests.yml +++ b/.github/workflows/reusable-end-to-end-tests.yml @@ -117,7 +117,12 @@ jobs: - name: Install Gutenberg if: ${{ inputs.install-gutenberg }} - run: npm run env:cli -- plugin install gutenberg ${{ inputs.gutenberg-version && format( '--version="{0}"', inputs.gutenberg-version ) || '' }} --path="/var/www/${LOCAL_DIR}" + run: | + npm run env:cli -- plugin install gutenberg \ + ${{ inputs.gutenberg-version && '--version="${GUTENBERG_VERSION}"' || '' }} \ + --path="/var/www/${LOCAL_DIR}" + env: + GUTENBERG_VERSION: ${{ inputs.gutenberg-version }} - name: Install additional languages run: | diff --git a/.github/workflows/slack-notifications.yml b/.github/workflows/slack-notifications.yml index 2ae3ccea8c986..907e8cc3e719a 100644 --- a/.github/workflows/slack-notifications.yml +++ b/.github/workflows/slack-notifications.yml 
@@ -145,11 +145,10 @@ jobs: - name: Prepare commit message. id: commit-message run: | - COMMIT_MESSAGE=$(cat <<'EOF' | awk 'NR==1' | sed 's/`/\\`/g' | sed 's/\"/\\\\\\"/g' | sed 's/\$/\\$/g' - ${{ ( github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' ) && fromJson( steps.current-commit-message.outputs.result ) || github.event.head_commit.message }} - EOF - ) + COMMIT_MESSAGE="$(echo "${COMMIT_MSG_RAW}" | awk 'NR==1' | sed 's/`/\\`/g' | sed 's/\"/\\\\\\"/g' | sed 's/\$/\\$/g')" echo commit_message_escaped="${COMMIT_MESSAGE}" >> $GITHUB_OUTPUT + env: + COMMIT_MSG_RAW: ${{ ( github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' ) && fromJson( steps.current-commit-message.outputs.result ) || github.event.head_commit.message }} - name: Construct payload and store as an output id: create-payload From e869cb82235be5cfd7c937de01ac8e838f154cc0 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 16 Dec 2024 12:30:09 +0000 Subject: [PATCH 13/49] Disable permissions for all available scopes by default. --- .../workflows/reusable-coding-standards-javascript.yml | 4 ++++ .github/workflows/reusable-coding-standards-php.yml | 4 ++++ .github/workflows/reusable-end-to-end-tests.yml | 4 ++++ .github/workflows/reusable-javascript-tests.yml | 4 ++++ .github/workflows/reusable-performance.yml | 4 ++++ .github/workflows/reusable-php-compatibility.yml | 4 ++++ .github/workflows/reusable-phpunit-tests-v1.yml | 4 ++++ .github/workflows/reusable-phpunit-tests-v2.yml | 4 ++++ .github/workflows/reusable-phpunit-tests-v3.yml | 4 ++++ .github/workflows/reusable-support-json-reader-v1.yml | 10 ++++++++++ .github/workflows/reusable-test-core-build-process.yml | 6 ++++++ .../reusable-test-gutenberg-build-process.yml | 6 ++++++ .../reusable-test-local-docker-environment-v1.yml | 6 ++++++ .github/workflows/reusable-upgrade-testing.yml | 5 +++++ .github/workflows/slack-notifications.yml | 4 ++++ 15 files changed, 73 insertions(+) 
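Review bot: `echo "${COMMIT_MSG_RAW}"` lets bash interpret a commit subject that starts with `-n` or `-e` as an echo option, so the message can be dropped or altered before it reaches awk; `printf '%s\n' "${COMMIT_MSG_RAW}"` passes it through unchanged. The sed chain still escapes backticks, double quotes and `$`, which was needed for the hand-built JSON string. If the payload step now builds its JSON with jq, as the earlier patch in this series does, that escaping looks redundant and could be reduced to the `awk 'NR==1'` first-line selection. The redirect target would also be better quoted as `>> "$GITHUB_OUTPUT"`.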
diff --git a/.github/workflows/reusable-coding-standards-javascript.yml b/.github/workflows/reusable-coding-standards-javascript.yml index 156c201bc8f48..471c887338603 100644 --- a/.github/workflows/reusable-coding-standards-javascript.yml +++ b/.github/workflows/reusable-coding-standards-javascript.yml @@ -9,6 +9,10 @@ on: env: PUPPETEER_SKIP_DOWNLOAD: ${{ true }} +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Runs the JavaScript coding standards checks. # diff --git a/.github/workflows/reusable-coding-standards-php.yml b/.github/workflows/reusable-coding-standards-php.yml index 9c64477b9731f..3146e81ea9c98 100644 --- a/.github/workflows/reusable-coding-standards-php.yml +++ b/.github/workflows/reusable-coding-standards-php.yml @@ -17,6 +17,10 @@ on: type: 'boolean' default: false +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Runs the PHP coding standards checks. # diff --git a/.github/workflows/reusable-end-to-end-tests.yml b/.github/workflows/reusable-end-to-end-tests.yml index 8c7c17767222f..9e462a6737bd3 100644 --- a/.github/workflows/reusable-end-to-end-tests.yml +++ b/.github/workflows/reusable-end-to-end-tests.yml @@ -33,6 +33,10 @@ env: LOCAL_DIR: build LOCAL_PHP: ${{ inputs.php-version }}${{ 'latest' != inputs.php-version && '-fpm' || '' }} +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Runs the end-to-end test suite. # diff --git a/.github/workflows/reusable-javascript-tests.yml b/.github/workflows/reusable-javascript-tests.yml index 842bb034352ed..1f44936f575d6 100644 --- a/.github/workflows/reusable-javascript-tests.yml +++ b/.github/workflows/reusable-javascript-tests.yml 
@@ -6,6 +6,10 @@ name: JavaScript tests on: workflow_call: +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Runs the QUnit test suite. # diff --git a/.github/workflows/reusable-performance.yml b/.github/workflows/reusable-performance.yml index 03116859c165b..214746f06e266 100644 --- a/.github/workflows/reusable-performance.yml +++ b/.github/workflows/reusable-performance.yml @@ -54,6 +54,10 @@ env: LOCAL_PHP_MEMCACHED: ${{ inputs.memcached }} LOCAL_PHP: ${{ inputs.php-version }}${{ 'latest' != inputs.php-version && '-fpm' || '' }} +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Performs the following steps: # - Configure environment variables. diff --git a/.github/workflows/reusable-php-compatibility.yml b/.github/workflows/reusable-php-compatibility.yml index 0e5fa93b3a3aa..d48c0adf599ac 100644 --- a/.github/workflows/reusable-php-compatibility.yml +++ b/.github/workflows/reusable-php-compatibility.yml @@ -12,6 +12,10 @@ on: type: 'string' default: 'latest' +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Runs PHP compatibility tests. # diff --git a/.github/workflows/reusable-phpunit-tests-v1.yml b/.github/workflows/reusable-phpunit-tests-v1.yml index cbb360c2a7f96..71e0aef7dfc11 100644 --- a/.github/workflows/reusable-phpunit-tests-v1.yml +++ b/.github/workflows/reusable-phpunit-tests-v1.yml @@ -58,6 +58,10 @@ env: PUPPETEER_SKIP_DOWNLOAD: ${{ true }} SLOW_TESTS: 'external-http,media' +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Runs the PHPUnit tests for WordPress. # 
diff --git a/.github/workflows/reusable-phpunit-tests-v2.yml b/.github/workflows/reusable-phpunit-tests-v2.yml index 2b7cf2cbbe603..3ae624b6d47c0 100644 --- a/.github/workflows/reusable-phpunit-tests-v2.yml +++ b/.github/workflows/reusable-phpunit-tests-v2.yml @@ -63,6 +63,10 @@ env: PHPUNIT_SCRIPT: php SLOW_TESTS: 'external-http,media' +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Runs the PHPUnit tests for WordPress. # diff --git a/.github/workflows/reusable-phpunit-tests-v3.yml b/.github/workflows/reusable-phpunit-tests-v3.yml index c9c634e8e333b..fee04598f7984 100644 --- a/.github/workflows/reusable-phpunit-tests-v3.yml +++ b/.github/workflows/reusable-phpunit-tests-v3.yml @@ -82,6 +82,10 @@ env: PHPUNIT_CONFIG: ${{ inputs.phpunit-config }} PUPPETEER_SKIP_DOWNLOAD: ${{ true }} +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Runs the PHPUnit tests for WordPress. # diff --git a/.github/workflows/reusable-support-json-reader-v1.yml b/.github/workflows/reusable-support-json-reader-v1.yml index 5e7b177c7f876..fddbd7ac4e76d 100644 --- a/.github/workflows/reusable-support-json-reader-v1.yml +++ b/.github/workflows/reusable-support-json-reader-v1.yml @@ -26,6 +26,10 @@ on: description: "The MySQL versions to test for the given wp-version" value: ${{ jobs.mysql-versions.outputs.versions }} +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Determines the major version of WordPress being tested. # 
@@ -36,6 +40,8 @@ jobs: # - Returns the major WordPress version as an output based on the value passed to the wp-version input. major-wp-version: name: Determine major WordPress version + permissions: + contents: read runs-on: ubuntu-latest if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }} timeout-minutes: 5 @@ -70,6 +76,8 @@ jobs: # .version-support-php.json file and returning the values in that version's index. php-versions: name: Determine PHP versions + permissions: + contents: read runs-on: ubuntu-latest if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }} needs: [ major-wp-version ] @@ -105,6 +113,8 @@ jobs: # .version-support-mysql.json file and returning the values in that version's index. mysql-versions: name: Determine MySQL versions + permissions: + contents: read runs-on: ubuntu-latest if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }} needs: [ major-wp-version ] diff --git a/.github/workflows/reusable-test-core-build-process.yml b/.github/workflows/reusable-test-core-build-process.yml index 3b05037e2ddb8..6b9e1eb98a1d4 100644 --- a/.github/workflows/reusable-test-core-build-process.yml +++ b/.github/workflows/reusable-test-core-build-process.yml @@ -35,6 +35,10 @@ on: env: PUPPETEER_SKIP_DOWNLOAD: ${{ true }} +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Verifies that installing npm dependencies and building WordPress works as expected. # @@ -53,6 +57,8 @@ jobs: # - Uploads the pull request number as an artifact. build-process-tests: name: Core running from ${{ inputs.directory }} / ${{ contains( inputs.os, 'macos-' ) && 'MacOS' || contains( inputs.os, 'windows-' ) && 'Windows' || 'Linux' }} + permissions: + contents: read runs-on: ${{ inputs.os }} timeout-minutes: 20 
diff --git a/.github/workflows/reusable-test-gutenberg-build-process.yml b/.github/workflows/reusable-test-gutenberg-build-process.yml index 44907872c25b0..0cd3c5a7d5a53 100644 --- a/.github/workflows/reusable-test-gutenberg-build-process.yml +++ b/.github/workflows/reusable-test-gutenberg-build-process.yml @@ -22,6 +22,10 @@ env: PUPPETEER_SKIP_DOWNLOAD: ${{ true }} NODE_OPTIONS: '--max-old-space-size=8192' +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Verifies that installing npm dependencies and building the Gutenberg plugin works as expected. # @@ -38,6 +42,8 @@ jobs: # - Ensures version-controlled files are not modified or deleted. build-process-tests: name: Gutenberg running from ${{ inputs.directory }} / ${{ contains( inputs.os, 'macos-' ) && 'MacOS' || contains( inputs.os, 'windows-' ) && 'Windows' || 'Linux' }} + permissions: + contents: read runs-on: ${{ inputs.os }} timeout-minutes: 30 diff --git a/.github/workflows/reusable-test-local-docker-environment-v1.yml b/.github/workflows/reusable-test-local-docker-environment-v1.yml index 884c6c5158980..658da39859226 100644 --- a/.github/workflows/reusable-test-local-docker-environment-v1.yml +++ b/.github/workflows/reusable-test-local-docker-environment-v1.yml @@ -47,6 +47,10 @@ env: LOCAL_WP_TESTS_DOMAIN: ${{ inputs.tests-domain }} PUPPETEER_SKIP_DOWNLOAD: ${{ true }} +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Tests the local Docker environment. # 
@@ -70,6 +74,8 @@ jobs: # - Ensures version-controlled files are not modified or deleted. local-docker-environment-tests: name: PHP ${{ inputs.php }} / ${{ 'mariadb' == inputs.db-type && 'MariaDB' || 'MySQL' }} ${{ inputs.db-version }}${{ inputs.memcached && ' with memcached' || '' }}${{ 'example.org' != inputs.tests-domain && format( ' {0}', inputs.tests-domain ) || '' }} + permissions: + contents: read runs-on: ${{ inputs.os }} timeout-minutes: 20 diff --git a/.github/workflows/reusable-upgrade-testing.yml b/.github/workflows/reusable-upgrade-testing.yml index 799ba1a9c2fdc..ca071a3db3f5c 100644 --- a/.github/workflows/reusable-upgrade-testing.yml +++ b/.github/workflows/reusable-upgrade-testing.yml @@ -37,6 +37,10 @@ on: type: 'string' default: '5.7' +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: # Runs upgrade tests on a build of WordPress. # @@ -49,6 +53,7 @@ jobs: # - Updates to the version of WordPress being tested. upgrade-tests: name: ${{ inputs.wp }} to ${{ inputs.new-version }} / PHP ${{ inputs.php }} with ${{ 'mariadb' == inputs.db-type && 'MariaDB' || 'MySQL' }} ${{ inputs.db-version }}${{ inputs.multisite && ' multisite' || '' }} + permissions: {} runs-on: ${{ inputs.os }} timeout-minutes: 20 diff --git a/.github/workflows/slack-notifications.yml b/.github/workflows/slack-notifications.yml index 907e8cc3e719a..d589f17690d81 100644 --- a/.github/workflows/slack-notifications.yml +++ b/.github/workflows/slack-notifications.yml @@ -167,6 +167,7 @@ jobs: # Posts notifications when a workflow fails. failure: name: Failure notifications + permissions: {} runs-on: ubuntu-latest continue-on-error: true timeout-minutes: 5 @@ -184,6 +185,7 @@ jobs: # Posts notifications the first time a workflow run succeeds after previously failing. fixed: name: Fixed notifications + permissions: {} runs-on: ubuntu-latest continue-on-error: true timeout-minutes: 5 
@@ -201,6 +203,7 @@ jobs: # Posts notifications when a workflow is successful. success: name: Success notifications + permissions: {} runs-on: ubuntu-latest continue-on-error: true timeout-minutes: 5 @@ -218,6 +221,7 @@ jobs: # Posts notifications when a workflow is cancelled. cancelled: name: Cancelled notifications + permissions: {} runs-on: ubuntu-latest continue-on-error: true timeout-minutes: 5 From 5ea1b0dd241ed57bcf949360a33947d646ae3e74 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 16 Dec 2024 13:02:28 +0000 Subject: [PATCH 14/49] Add a linting workflow while we continue working on workflow hardening. --- .github/workflows/lint.yml | 103 +++++++++++++++++++++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 .github/workflows/lint.yml diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 0000000000000..f60a0f987daa1 --- /dev/null +++ b/.github/workflows/lint.yml 
@@ -0,0 +1,103 @@ +name: Lint GitHub Actions + +on: + push: + branches: + - trunk + - '[0-9].[0-9]' + tags: + - '[0-9]+.[0-9]' + - '[0-9]+.[0-9].[0-9]+' + paths: + # Only run when changes are made to workflow files. + - '.github/workflows/**' + pull_request: + branches: + - trunk + - '[0-9].[0-9]' + paths: + # Only run when changes are made to workflow files. + - '.github/workflows/**' + workflow_dispatch: + +# Cancels all previous workflow runs for pull requests that have not completed. +concurrency: + # The concurrency group contains the workflow name and the branch name for pull requests + # or the commit hash for any other events. + group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }} + cancel-in-progress: true + +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + +jobs: + actionlint: + name: Actionlint + runs-on: ubuntu-latest + permissions: + contents: read + timeout-minutes: 5 + steps: + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Run actionlint + uses: docker://rhysd/actionlint:1.7.4 + with: + args: "-color -verbose=" + + octoscan: + name: Octoscan + runs-on: ubuntu-24.04 + permissions: + contents: read + timeout-minutes: 10 + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Checkout Octoscan + uses: actions/checkout@v4 + with: + repository: synacktiv/octoscan + path: octoscan + persist-credentials: false + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: '1.21' + + - name: Install and build Octoscan + run: | #shell + cd octoscan + go mod tidy + go build + + - name: Run Octoscan + run: | #shell + ./octoscan/octoscan scan . 
+ + zizmor: + name: Zizmor + runs-on: ubuntu-24.04 + permissions: + security-events: write + actions: read + contents: read + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Install the latest version of uv + uses: astral-sh/setup-uv@v4 + + - name: Run zizmor + run: uvx zizmor . + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 9a6c8332d7b7ea3de3847fa764a5f2e36e1b5889 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 16 Dec 2024 13:07:13 +0000 Subject: [PATCH 15/49] Correct this flag. --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index f60a0f987daa1..3e78b2b51e810 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -45,7 +45,7 @@ jobs: - name: Run actionlint uses: docker://rhysd/actionlint:1.7.4 with: - args: "-color -verbose=" + args: "-color -verbose" octoscan: name: Octoscan From 127221aa0b4e7392330153ff43c4f712d4b122b2 Mon Sep 17 00:00:00 2001 
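Review bot: The `octoscan` and `zizmor` jobs in the new lint.yml reference `actions/checkout@v4`, `actions/setup-go@v5` and `astral-sh/setup-uv@v4` by mutable tag, while the `actionlint` job in the same file pins checkout to a full commit SHA. The Octoscan checkout also has no `ref:`, so whatever is on the default branch of `synacktiv/octoscan` is built and executed on every run, and `uvx zizmor .` resolves the newest release; pin both, e.g. `ref: <octoscan-commit-sha>` and `uvx zizmor@<pinned-version> .`. The `zizmor` job requests `security-events: write` but no step here uploads results, so that scope can probably be dropped until a SARIF upload is added.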
From: John Blackbourn Date: Mon, 16 Dec 2024 13:11:27 +0000 Subject: [PATCH 16/49] None of the checkouts need credentials to be persisted. --- .github/workflows/lint.yml | 2 ++ .github/workflows/reusable-coding-standards-javascript.yml | 1 + .github/workflows/reusable-coding-standards-php.yml | 1 + .github/workflows/reusable-end-to-end-tests.yml | 1 + .github/workflows/reusable-javascript-tests.yml | 1 + .github/workflows/reusable-performance.yml | 1 + .github/workflows/reusable-php-compatibility.yml | 1 + .github/workflows/reusable-phpunit-tests-v1.yml | 1 + .github/workflows/reusable-phpunit-tests-v2.yml | 1 + .github/workflows/reusable-phpunit-tests-v3.yml | 2 ++ .github/workflows/reusable-support-json-reader-v1.yml | 3 +++ .github/workflows/reusable-test-core-build-process.yml | 1 + .github/workflows/reusable-test-gutenberg-build-process.yml | 2 ++ .../workflows/reusable-test-local-docker-environment-v1.yml | 1 + .github/workflows/test-and-zip-default-themes.yml | 3 +++ 15 files changed, 22 insertions(+) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 3e78b2b51e810..0099c22c0bc8a 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -41,6 +41,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false - name: Run actionlint uses: docker://rhysd/actionlint:1.7.4 diff --git a/.github/workflows/reusable-coding-standards-javascript.yml b/.github/workflows/reusable-coding-standards-javascript.yml index 471c887338603..23c0be570bac7 100644 --- a/.github/workflows/reusable-coding-standards-javascript.yml +++ b/.github/workflows/reusable-coding-standards-javascript.yml 
@@ -37,6 +37,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 diff --git a/.github/workflows/reusable-coding-standards-php.yml b/.github/workflows/reusable-coding-standards-php.yml index 3146e81ea9c98..0d3c846f2dbe3 100644 --- a/.github/workflows/reusable-coding-standards-php.yml +++ b/.github/workflows/reusable-coding-standards-php.yml @@ -49,6 +49,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up PHP uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1 diff --git a/.github/workflows/reusable-end-to-end-tests.yml b/.github/workflows/reusable-end-to-end-tests.yml index 9e462a6737bd3..3209c7e5222cc 100644 --- a/.github/workflows/reusable-end-to-end-tests.yml +++ b/.github/workflows/reusable-end-to-end-tests.yml @@ -74,6 +74,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 diff --git a/.github/workflows/reusable-javascript-tests.yml b/.github/workflows/reusable-javascript-tests.yml index 1f44936f575d6..7ee42415e6818 100644 --- a/.github/workflows/reusable-javascript-tests.yml +++ b/.github/workflows/reusable-javascript-tests.yml @@ -32,6 +32,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 
diff --git a/.github/workflows/reusable-performance.yml b/.github/workflows/reusable-performance.yml index 214746f06e266..04e2e1f20094c 100644 --- a/.github/workflows/reusable-performance.yml +++ b/.github/workflows/reusable-performance.yml @@ -119,6 +119,7 @@ jobs: with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} fetch-depth: ${{ github.event_name == 'workflow_dispatch' && '2' || '1' }} + persist-credentials: false # The `workflow_dispatch` event is the only one missing the needed SHA to target. - name: Retrieve previous commit SHA (if necessary) diff --git a/.github/workflows/reusable-php-compatibility.yml b/.github/workflows/reusable-php-compatibility.yml index d48c0adf599ac..404b3327ab996 100644 --- a/.github/workflows/reusable-php-compatibility.yml +++ b/.github/workflows/reusable-php-compatibility.yml @@ -43,6 +43,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up PHP uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1 diff --git a/.github/workflows/reusable-phpunit-tests-v1.yml b/.github/workflows/reusable-phpunit-tests-v1.yml index 71e0aef7dfc11..9141b508bd67a 100644 --- a/.github/workflows/reusable-phpunit-tests-v1.yml +++ b/.github/workflows/reusable-phpunit-tests-v1.yml @@ -97,6 +97,7 @@ jobs: uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 diff --git a/.github/workflows/reusable-phpunit-tests-v2.yml b/.github/workflows/reusable-phpunit-tests-v2.yml index 3ae624b6d47c0..392f11d662a81 100644 --- a/.github/workflows/reusable-phpunit-tests-v2.yml +++ b/.github/workflows/reusable-phpunit-tests-v2.yml 
@@ -100,6 +100,7 @@ jobs: uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Install Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 diff --git a/.github/workflows/reusable-phpunit-tests-v3.yml b/.github/workflows/reusable-phpunit-tests-v3.yml index fee04598f7984..3a77705bcf06e 100644 --- a/.github/workflows/reusable-phpunit-tests-v3.yml +++ b/.github/workflows/reusable-phpunit-tests-v3.yml @@ -123,6 +123,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 @@ -247,6 +248,7 @@ jobs: repository: 'WordPress/phpunit-test-runner' path: 'test-runner' show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Submit test results to the WordPress.org host test results if: ${{ github.repository == 'WordPress/wordpress-develop' && github.ref == 'refs/heads/trunk' && inputs.report }} diff --git a/.github/workflows/reusable-support-json-reader-v1.yml b/.github/workflows/reusable-support-json-reader-v1.yml index fddbd7ac4e76d..2a93b7bda89cb 100644 --- a/.github/workflows/reusable-support-json-reader-v1.yml +++ b/.github/workflows/reusable-support-json-reader-v1.yml @@ -54,6 +54,7 @@ jobs: with: repository: ${{ inputs.repository }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Determine the major WordPress version id: major-wp-version 
@@ -91,6 +92,7 @@ jobs: with: repository: ${{ inputs.repository }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false # Look up the major version's specific PHP support policy when a version is provided. # Otherwise, use the current PHP support policy. @@ -128,6 +130,7 @@ jobs: with: repository: ${{ inputs.repository }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false # Look up the major version's specific MySQL support policy when a version is provided. # Otherwise, use the current MySQL support policy. diff --git a/.github/workflows/reusable-test-core-build-process.yml b/.github/workflows/reusable-test-core-build-process.yml index 6b9e1eb98a1d4..eb5dc34c715f8 100644 --- a/.github/workflows/reusable-test-core-build-process.yml +++ b/.github/workflows/reusable-test-core-build-process.yml @@ -67,6 +67,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 diff --git a/.github/workflows/reusable-test-gutenberg-build-process.yml b/.github/workflows/reusable-test-gutenberg-build-process.yml index 0cd3c5a7d5a53..32e91af42fd20 100644 --- a/.github/workflows/reusable-test-gutenberg-build-process.yml +++ b/.github/workflows/reusable-test-gutenberg-build-process.yml @@ -52,6 +52,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Checkout Gutenberg plugin uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 
@@ -59,6 +60,7 @@ jobs: repository: 'WordPress/gutenberg' path: ${{ env.GUTENBERG_DIRECTORY }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 diff --git a/.github/workflows/reusable-test-local-docker-environment-v1.yml b/.github/workflows/reusable-test-local-docker-environment-v1.yml index 658da39859226..ad1f032c1e7ce 100644 --- a/.github/workflows/reusable-test-local-docker-environment-v1.yml +++ b/.github/workflows/reusable-test-local-docker-environment-v1.yml @@ -89,6 +89,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 diff --git a/.github/workflows/test-and-zip-default-themes.yml b/.github/workflows/test-and-zip-default-themes.yml index 0c6dd432e18d9..22bc229a6b7c4 100644 --- a/.github/workflows/test-and-zip-default-themes.yml +++ b/.github/workflows/test-and-zip-default-themes.yml @@ -91,6 +91,7 @@ jobs: with: ref: ${{ github.event_name == 'workflow_dispatch' && inputs.branch || github.ref }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Check for zero-byte (empty) files run: | @@ -132,6 +133,7 @@ jobs: with: ref: ${{ github.event_name == 'workflow_dispatch' && inputs.branch || github.ref }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 
@@ -189,6 +191,7 @@ jobs: with: ref: ${{ github.event_name == 'workflow_dispatch' && inputs.branch || github.ref }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Upload theme ZIP as an artifact uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 From 7f038d8c58eff59dc2721f23ad6fa8d49b6ef032 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 16 Dec 2024 13:14:26 +0000 Subject: [PATCH 17/49] Disable false positive shellcheck errors for these `jq` inputs. --- .github/workflows/slack-notifications.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/slack-notifications.yml b/.github/workflows/slack-notifications.yml index d589f17690d81..2fc16a9b3ac5e 100644 --- a/.github/workflows/slack-notifications.yml +++ b/.github/workflows/slack-notifications.yml @@ -159,6 +159,7 @@ jobs: --arg ref_name "${CURRENT_BRANCH}" \ --arg run_url "https://github.com/WordPress/wordpress-develop/actions/runs/${GITHUB_RUN_ID}/attempts/${GITHUB_RUN_ATTEMPT}" \ --arg commit_message "${COMMIT_MSG}" \ + # shellcheck disable=SC2016,SC2086 '{workflow_name: $workflow_name, ref_name: $ref_name, run_url: $run_url, commit_message: $commit_message}' )" >> $GITHUB_OUTPUT env: From 8b78bb1d8b00ba5841495e9af2ce7c34bf435067 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 16 Dec 2024 13:21:16 +0000 Subject: [PATCH 18/49] Fix a syntax error. --- .github/workflows/install-testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/install-testing.yml b/.github/workflows/install-testing.yml index ab73f0dc67ea9..87f29ee2d5657 100644 --- a/.github/workflows/install-testing.yml +++ b/.github/workflows/install-testing.yml 
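Review bot: In the slack-notifications.yml hunk, the `# shellcheck disable=SC2016,SC2086` line is inserted in the middle of a backslash-continued `jq` invocation, directly after `--arg commit_message "${COMMIT_MSG}" \`. Once the continuation is joined, the `#` starts a comment that ends the command on that line, so the filter `'{workflow_name: $workflow_name, ...}'` on the next line is no longer an argument to `jq` and is parsed as a separate command. A shellcheck directive only applies when it sits on the line before a complete command, so it should move above the statement that opens this command substitution, which starts outside the hunk.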
@@ -128,7 +128,7 @@ jobs: DB_PORT: ${{ job.services.database.ports['3306'] }} - name: Install WordPress - run: wp core ${{ matrix.multisite && 'multisite-install' || 'install' }}' --url=http://localhost/ --title="Upgrade Test" --admin_user=admin --admin_password=password --admin_email=me@example.org --skip-email + run: wp core ${{ matrix.multisite && 'multisite-install' || 'install' }} --url=http://localhost/ --title="Upgrade Test" --admin_user=admin --admin_password=password --admin_email=me@example.org --skip-email slack-notifications: name: Slack Notifications From b5c65174aa8a9d0dee793aa4017192594e6076d0 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 16 Dec 2024 13:47:38 +0000 Subject: [PATCH 19/49] Pretty sure this isn't needed. --- .github/workflows/install-testing.yml | 2 +- .github/workflows/reusable-upgrade-testing.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/install-testing.yml b/.github/workflows/install-testing.yml index 87f29ee2d5657..926072780c69d 100644 --- a/.github/workflows/install-testing.yml +++ b/.github/workflows/install-testing.yml @@ -104,7 +104,7 @@ jobs: --health-retries="5" -e MYSQL_ROOT_PASSWORD="root" -e MYSQL_DATABASE="test_db" - --entrypoint sh ${{ matrix.db-type }}:${{ matrix.db-version }} + --entrypoint sh -c "exec docker-entrypoint.sh mysqld${{ matrix.db-type == 'mysql' && contains( fromJSON('["7.2", "7.3"]'), matrix.php ) && ' --default-authentication-plugin=mysql_native_password' || '' }}" steps: diff --git a/.github/workflows/reusable-upgrade-testing.yml b/.github/workflows/reusable-upgrade-testing.yml index ca071a3db3f5c..49952acb28318 100644 --- a/.github/workflows/reusable-upgrade-testing.yml +++ b/.github/workflows/reusable-upgrade-testing.yml 
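Review bot: Dropping `${{ matrix.db-type }}:${{ matrix.db-version }}` after `--entrypoint sh` in the service `options` looks likely to break the database container rather than remove something redundant. As far as I can tell the repeated image name is what ends option parsing, so that `-c "exec docker-entrypoint.sh mysqld…"` is handed to `sh` as its command; without it `-c` would be read as an option of the container-create call itself. If that is right, keep `--entrypoint sh ${{ matrix.db-type }}:${{ matrix.db-version }}` and add a comment above it explaining why the image appears in `options`. The same change is made in reusable-upgrade-testing.yml, and the `services` block starts outside the hunk.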
@@ -69,7 +69,7 @@ jobs: --health-retries="5" -e MYSQL_ROOT_PASSWORD="root" -e MYSQL_DATABASE="test_db" - --entrypoint sh ${{ inputs.db-type }}:${{ inputs.db-version }} + --entrypoint sh -c "exec docker-entrypoint.sh mysqld${{ inputs.db-type == 'mysql' && contains( fromJSON('["7.2", "7.3"]'), inputs.php ) && ' --default-authentication-plugin=mysql_native_password' || '' }}" steps: From 4727f5278876a2dc1fc08c02cd1278b80065e5b1 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 16 Dec 2024 13:52:46 +0000 Subject: [PATCH 20/49] Quote all the GitHub file paths. --- .../workflows/reusable-coding-standards-php.yml | 4 ++-- .github/workflows/reusable-end-to-end-tests.yml | 4 ++-- .github/workflows/reusable-performance.yml | 8 ++++---- .github/workflows/reusable-php-compatibility.yml | 4 ++-- .github/workflows/reusable-phpunit-tests-v1.yml | 4 ++-- .github/workflows/reusable-phpunit-tests-v2.yml | 8 ++++---- .github/workflows/reusable-phpunit-tests-v3.yml | 4 ++-- .../workflows/reusable-support-json-reader-v1.yml | 14 +++++++------- .../reusable-test-local-docker-environment-v1.yml | 4 ++-- .github/workflows/slack-notifications.yml | 4 ++-- 10 files changed, 29 insertions(+), 29 deletions(-) diff --git a/.github/workflows/reusable-coding-standards-php.yml b/.github/workflows/reusable-coding-standards-php.yml index 0d3c846f2dbe3..9d55436c733b3 100644 --- a/.github/workflows/reusable-coding-standards-php.yml +++ b/.github/workflows/reusable-coding-standards-php.yml @@ -62,7 +62,7 @@ jobs: # http://man7.org/linux/man-pages/man1/date.1.html - name: "Get last Monday's date" id: get-date - run: echo date="$(/bin/date -u --date='last Mon' "+%F")" >> $GITHUB_OUTPUT + run: echo date="$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT" - name: Cache PHPCS scan cache uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 
@@ -80,7 +80,7 @@ jobs: custom-cache-suffix: ${{ steps.get-date.outputs.date }} - name: Make Composer packages available globally - run: echo "${PWD}/vendor/bin" >> $GITHUB_PATH + run: echo "${PWD}/vendor/bin" >> "$GITHUB_PATH" - name: Run PHPCS on all Core files id: phpcs-core diff --git a/.github/workflows/reusable-end-to-end-tests.yml b/.github/workflows/reusable-end-to-end-tests.yml index 3209c7e5222cc..8018def5da40f 100644 --- a/.github/workflows/reusable-end-to-end-tests.yml +++ b/.github/workflows/reusable-end-to-end-tests.yml @@ -67,8 +67,8 @@ jobs: steps: - name: Configure environment variables run: | - echo PHP_FPM_UID="$(id -u)" >> $GITHUB_ENV - echo PHP_FPM_GID="$(id -g)" >> $GITHUB_ENV + echo PHP_FPM_UID="$(id -u)" >> "$GITHUB_PATH" + echo PHP_FPM_GID="$(id -g)" >> "$GITHUB_ENV" - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/reusable-performance.yml b/.github/workflows/reusable-performance.yml index 04e2e1f20094c..6f88da2eb6d5c 100644 --- a/.github/workflows/reusable-performance.yml +++ b/.github/workflows/reusable-performance.yml @@ -111,8 +111,8 @@ jobs: steps: - name: Configure environment variables run: | - echo PHP_FPM_UID="$(id -u)" >> $GITHUB_ENV - echo PHP_FPM_GID="$(id -g)" >> $GITHUB_ENV + echo PHP_FPM_UID="$(id -u)" >> "$GITHUB_ENV" + echo PHP_FPM_GID="$(id -g)" >> "$GITHUB_ENV" - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -124,7 +124,7 @@ jobs: # The `workflow_dispatch` event is the only one missing the needed SHA to target. - name: Retrieve previous commit SHA (if necessary) if: ${{ github.event_name == 'workflow_dispatch' }} - run: echo TARGET_SHA="$(git rev-parse HEAD^1)" >> $GITHUB_ENV + run: echo TARGET_SHA="$(git rev-parse HEAD^1)" >> "$GITHUB_ENV" - name: Set up Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 
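Review bot: In reusable-end-to-end-tests.yml the first rewritten line now appends to `"$GITHUB_PATH"` where the removed line wrote to `$GITHUB_ENV`. With this change `PHP_FPM_UID` is no longer exported to later steps, and the string `PHP_FPM_UID=<uid>` is added to `PATH` as if it were a directory. The line should read `echo PHP_FPM_UID="$(id -u)" >> "$GITHUB_ENV"`, matching the GID line below it and the same step in the other reusable workflows touched by this commit.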
@@ -302,7 +302,7 @@ jobs: run: node ./tests/performance/compare-results.js "${RUNNER_TEMP}/summary.md" - name: Add workflow summary - run: cat "${RUNNER_TEMP}/summary.md" >> $GITHUB_STEP_SUMMARY + run: cat "${RUNNER_TEMP}/summary.md" >> "$GITHUB_STEP_SUMMARY" - name: Set the base sha # Only needed when publishing results. diff --git a/.github/workflows/reusable-php-compatibility.yml b/.github/workflows/reusable-php-compatibility.yml index 404b3327ab996..05d0346f4271c 100644 --- a/.github/workflows/reusable-php-compatibility.yml +++ b/.github/workflows/reusable-php-compatibility.yml @@ -60,7 +60,7 @@ jobs: # http://man7.org/linux/man-pages/man1/date.1.html - name: "Get last Monday's date" id: get-date - run: echo date="$(/bin/date -u --date='last Mon' "+%F")" >> $GITHUB_OUTPUT + run: echo date="$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT" - name: Cache PHP compatibility scan cache uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 @@ -76,7 +76,7 @@ jobs: custom-cache-suffix: ${{ steps.get-date.outputs.date }} - name: Make Composer packages available globally - run: echo "${PWD}/vendor/bin" >> $GITHUB_PATH + run: echo "${PWD}/vendor/bin" >> "$GITHUB_PATH" - name: Run PHP compatibility tests id: phpcs diff --git a/.github/workflows/reusable-phpunit-tests-v1.yml b/.github/workflows/reusable-phpunit-tests-v1.yml index 9141b508bd67a..31122c11b55f4 100644 --- a/.github/workflows/reusable-phpunit-tests-v1.yml +++ b/.github/workflows/reusable-phpunit-tests-v1.yml @@ -90,8 +90,8 @@ jobs: steps: - name: Configure environment variables run: | - echo PHP_FPM_UID="$(id -u)" >> $GITHUB_ENV - echo PHP_FPM_GID="$(id -g)" >> $GITHUB_ENV + echo PHP_FPM_UID="$(id -u)" >> "$GITHUB_ENV" + echo PHP_FPM_GID="$(id -g)" >> "$GITHUB_ENV" - name: Checkout repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 
diff --git a/.github/workflows/reusable-phpunit-tests-v2.yml b/.github/workflows/reusable-phpunit-tests-v2.yml index 392f11d662a81..6153d32c7f747 100644 --- a/.github/workflows/reusable-phpunit-tests-v2.yml +++ b/.github/workflows/reusable-phpunit-tests-v2.yml @@ -93,8 +93,8 @@ jobs: steps: - name: Configure environment variables run: | - echo PHP_FPM_UID="$(id -u)" >> $GITHUB_ENV - echo PHP_FPM_GID="$(id -g)" >> $GITHUB_ENV + echo PHP_FPM_UID="$(id -u)" >> "$GITHUB_ENV" + echo PHP_FPM_GID="$(id -g)" >> "$GITHUB_ENV" - name: Checkout repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 @@ -113,7 +113,7 @@ jobs: - name: Get composer cache directory id: composer-cache - run: echo composer_dir="$(composer config cache-files-dir)" >> $GITHUB_OUTPUT + run: echo composer_dir="$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT" - name: Cache Composer dependencies uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 @@ -132,7 +132,7 @@ jobs: # used for PHP 8 testing instead. if [ "${LOCAL_PHP}" == '8.0-fpm' ]; then docker compose run --rm php composer install --ignore-platform-reqs - echo PHPUNIT_SCRIPT="php-composer" >> $GITHUB_ENV + echo PHPUNIT_SCRIPT="php-composer" >> "$GITHUB_ENV" elif [ "${LOCAL_PHP}" == '7.1-fpm' ]; then docker compose run --rm php composer update git checkout -- composer.lock diff --git a/.github/workflows/reusable-phpunit-tests-v3.yml b/.github/workflows/reusable-phpunit-tests-v3.yml index 3a77705bcf06e..06607712d6ec6 100644 --- a/.github/workflows/reusable-phpunit-tests-v3.yml +++ b/.github/workflows/reusable-phpunit-tests-v3.yml @@ -116,8 +116,8 @@ jobs: steps: - name: Configure environment variables run: | - echo PHP_FPM_UID="$(id -u)" >> $GITHUB_ENV - echo PHP_FPM_GID="$(id -g)" >> $GITHUB_ENV + echo PHP_FPM_UID="$(id -u)" >> "$GITHUB_ENV" + echo PHP_FPM_GID="$(id -g)" >> "$GITHUB_ENV" - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 
diff --git a/.github/workflows/reusable-support-json-reader-v1.yml b/.github/workflows/reusable-support-json-reader-v1.yml index 2a93b7bda89cb..796134ea685be 100644 --- a/.github/workflows/reusable-support-json-reader-v1.yml +++ b/.github/workflows/reusable-support-json-reader-v1.yml @@ -60,11 +60,11 @@ jobs: id: major-wp-version run: | if [ "${WP_VERSION}" ] && [ "${WP_VERSION}" != "nightly" ] && [ "${WP_VERSION}" != "latest" ] && [ "${WP_VERSION}" != "trunk" ]; then - echo version="$(echo "${WP_VERSION}" | tr '.' '-' | cut -d '-' -f1-2)" >> $GITHUB_OUTPUT + echo version="$(echo "${WP_VERSION}" | tr '.' '-' | cut -d '-' -f1-2)" >> "$GITHUB_OUTPUT" elif [ "${WP_VERSION}" ] && [ "${WP_VERSION}" != "trunk" ]; then - echo version="${WP_VERSION}" >> $GITHUB_OUTPUT + echo version="${WP_VERSION}" >> "$GITHUB_OUTPUT" else - echo version="nightly" >> $GITHUB_OUTPUT + echo version="nightly" >> "$GITHUB_OUTPUT" fi env: WP_VERSION: ${{ inputs.wp-version }} @@ -100,9 +100,9 @@ jobs: id: php-versions run: | if [ "${WP_VERSION}" != "latest" ] && [ "${WP_VERSION}" != "nightly" ]; then - echo versions="$(jq -r '.["${WP_VERSION}"] | @json' .version-support-php.json)" >> $GITHUB_OUTPUT # @TODO finalise + echo versions="$(jq -r '.["${WP_VERSION}"] | @json' .version-support-php.json)" >> "$GITHUB_OUTPUT" # @TODO finalise else - echo versions="$(jq -r '.[ (keys[-1]) ] | @json' .version-support-php.json)" >> $GITHUB_OUTPUT + echo versions="$(jq -r '.[ (keys[-1]) ] | @json' .version-support-php.json)" >> "$GITHUB_OUTPUT" fi env: WP_VERSION: ${{ needs.major-wp-version.outputs.version }} 
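Review bot: The rewritten PHP lookup still places `${WP_VERSION}` inside a single-quoted jq filter, so the shell never expands it and jq looks up a key literally named `${WP_VERSION}`, which presumably yields `null` for every versioned run. Pass the value as a jq variable instead: `jq -r --arg v "${WP_VERSION}" '.[$v] | @json' .version-support-php.json`. That also keeps the input out of the filter text, so it is treated as data and not as jq syntax. The MySQL lookup in the `@@ -138,9` hunk has the same pattern and needs the same change.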
@@ -138,9 +138,9 @@ jobs: id: mysql-versions run: | if [ "${WP_VERSION}" != "latest" ] && [ "${WP_VERSION}" != "nightly" ]; then - echo versions="$(jq -r '.["${WP_VERSION}"] | @json' .version-support-mysql.json)" >> $GITHUB_OUTPUT # @todo finalise + echo versions="$(jq -r '.["${WP_VERSION}"] | @json' .version-support-mysql.json)" >> "$GITHUB_OUTPUT" # @todo finalise else - echo versions="$(jq -r '.[ (keys[-1]) ] | @json' .version-support-mysql.json)" >> $GITHUB_OUTPUT + echo versions="$(jq -r '.[ (keys[-1]) ] | @json' .version-support-mysql.json)" >> "$GITHUB_OUTPUT" fi env: WP_VERSION: ${{ needs.major-wp-version.outputs.version }} diff --git a/.github/workflows/reusable-test-local-docker-environment-v1.yml b/.github/workflows/reusable-test-local-docker-environment-v1.yml index ad1f032c1e7ce..274d0c236a9f6 100644 --- a/.github/workflows/reusable-test-local-docker-environment-v1.yml +++ b/.github/workflows/reusable-test-local-docker-environment-v1.yml @@ -82,8 +82,8 @@ jobs: steps: - name: Configure environment variables run: | - echo PHP_FPM_UID="$(id -u)" >> $GITHUB_ENV - echo PHP_FPM_GID="$(id -g)" >> $GITHUB_ENV + echo PHP_FPM_UID="$(id -u)" >> "$GITHUB_ENV" + echo PHP_FPM_GID="$(id -g)" >> "$GITHUB_ENV" - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/slack-notifications.yml b/.github/workflows/slack-notifications.yml index 2fc16a9b3ac5e..e0e79a3d2a911 100644 --- a/.github/workflows/slack-notifications.yml +++ b/.github/workflows/slack-notifications.yml 
@@ -146,7 +146,7 @@ jobs: id: commit-message run: | COMMIT_MESSAGE="$(echo "${COMMIT_MSG_RAW}" | awk 'NR==1' | sed 's/`/\\`/g' | sed 's/\"/\\\\\\"/g' | sed 's/\$/\\$/g')" - echo commit_message_escaped="${COMMIT_MESSAGE}" >> $GITHUB_OUTPUT + echo commit_message_escaped="${COMMIT_MESSAGE}" >> "$GITHUB_OUTPUT" env: COMMIT_MSG_RAW: ${{ ( github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' ) && fromJson( steps.current-commit-message.outputs.result ) || github.event.head_commit.message }} @@ -161,7 +161,7 @@ jobs: --arg commit_message "${COMMIT_MSG}" \ # shellcheck disable=SC2016,SC2086 '{workflow_name: $workflow_name, ref_name: $ref_name, run_url: $run_url, commit_message: $commit_message}' - )" >> $GITHUB_OUTPUT + )" >> "$GITHUB_OUTPUT" env: COMMIT_MSG: ${{ steps.commit-message.outputs.commit_message_escaped }} From 02d49e25ebed47b75471795cc699d605ca383571 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 16 Dec 2024 13:52:55 +0000 Subject: [PATCH 21/49] This isn't needed. --- .github/workflows/reusable-performance.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-performance.yml b/.github/workflows/reusable-performance.yml index 6f88da2eb6d5c..3709b97838880 100644 --- a/.github/workflows/reusable-performance.yml +++ b/.github/workflows/reusable-performance.yml @@ -344,7 +344,7 @@ jobs: HOST_NAME: "www.codevitals.run" run: | if [ -z "$CODEVITALS_PROJECT_TOKEN" ]; then - echo "Performance results could not be published. 'CODEVITALS_PROJECT_TOKEN' is not set" >> $GITHUB_OUTPUT + echo "Performance results could not be published. 'CODEVITALS_PROJECT_TOKEN' is not set" exit 1 fi node ./tests/performance/log-results.js "$CODEVITALS_PROJECT_TOKEN" trunk "$GITHUB_SHA" "$BASE_SHA" "$COMMITTED_AT" "$HOST_NAME" From 7a009267a14f1d83f5b8602c47b2323a955aa966 Mon Sep 17 00:00:00 2001 
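Review bot: The `# shellcheck disable=SC2016,SC2086` line sits between `--arg commit_message "${COMMIT_MSG}" \` and the filter string, inside the backslash-continued jq call, so the comment appears to end the command and the `'{workflow_name: …}'` filter on the next line would be run as a separate command rather than passed to jq. A ShellCheck directive also only takes effect when it precedes the command it covers. Move `# shellcheck disable=SC2016,SC2086` to its own line directly before the `echo payload="$(` line and keep the continuation unbroken. The command substitution opens above this hunk, so only its tail is visible here; PATCH 35/49 adds a trailing `\` to the comment, which likely does not help because a backslash inside a comment is not a line continuation.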
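Review bot: The `node ./tests/performance/log-results.js "$CODEVITALS_PROJECT_TOKEN" …` line kept in this step passes the project token as a command-line argument, where it is readable from the process list for as long as the process runs. The token is already in the step's environment (the `-z "$CODEVITALS_PROJECT_TOKEN"` test reads it), so the script could take it from `process.env.CODEVITALS_PROJECT_TOKEN` and the argument could be dropped; that needs a matching change in log-results.js, which is not shown here. Separately, the failure message now goes to plain stdout; `echo "::error::Performance results could not be published. 'CODEVITALS_PROJECT_TOKEN' is not set"` would surface it as an annotation on the run. The step's `env:` block begins above the hunk.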
From: John Blackbourn Date: Mon, 16 Dec 2024 13:57:24 +0000 Subject: [PATCH 22/49] Disable shellcheck in Actionlint as it gets duplicated in Octoscan. --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 0099c22c0bc8a..61606d14795a8 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -47,7 +47,7 @@ jobs: - name: Run actionlint uses: docker://rhysd/actionlint:1.7.4 with: - args: "-color -verbose" + args: "-color -verbose -shellcheck=" octoscan: name: Octoscan From 150c8c20176433effb638988cd28b1f515078389 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 16 Dec 2024 14:10:18 +0000 Subject: [PATCH 23/49] Fix this up. --- .github/workflows/slack-notifications.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/slack-notifications.yml b/.github/workflows/slack-notifications.yml index e0e79a3d2a911..4e0d8f934249f 100644 --- a/.github/workflows/slack-notifications.yml +++ b/.github/workflows/slack-notifications.yml @@ -153,8 +153,8 @@ jobs: - name: Construct payload and store as an output id: create-payload run: | - echo payload="$( - jq -n + echo payload="$( jq \ + -n \ --arg workflow_name "${GITHUB_WORKFLOW}" \ --arg ref_name "${CURRENT_BRANCH}" \ --arg run_url "https://github.com/WordPress/wordpress-develop/actions/runs/${GITHUB_RUN_ID}/attempts/${GITHUB_RUN_ATTEMPT}" \ From 8662aac23b936e9d3b9c7c797c99e16821b8c528 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 20 Jan 2025 11:22:12 +0000 Subject: [PATCH 24/49] Switch to a reusable workflow file. --- .github/workflows/lint.yml | 72 +------------- .github/workflows/reusable-workflow-lint.yml | 99 ++++++++++++++++++++ 2 files changed, 103 insertions(+), 68 deletions(-) create mode 100644 .github/workflows/reusable-workflow-lint.yml 
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 61606d14795a8..9da3bbe99e0d4 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,4 +1,4 @@ -name: Lint GitHub Actions +name: Lint GitHub Actions workflow files on: push: @@ -32,74 +32,10 @@ concurrency: permissions: {} jobs: - actionlint: - name: Actionlint - runs-on: ubuntu-latest - permissions: - contents: read - timeout-minutes: 5 - steps: - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - - - name: Run actionlint - uses: docker://rhysd/actionlint:1.7.4 - with: - args: "-color -verbose -shellcheck=" - - octoscan: - name: Octoscan - runs-on: ubuntu-24.04 - permissions: - contents: read - timeout-minutes: 10 - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - persist-credentials: false - - - name: Checkout Octoscan - uses: actions/checkout@v4 - with: - repository: synacktiv/octoscan - path: octoscan - persist-credentials: false - - - name: Set up Go - uses: actions/setup-go@v5 - with: - go-version: '1.21' - - - name: Install and build Octoscan - run: | #shell - cd octoscan - go mod tidy - go build - - - name: Run Octoscan - run: | #shell - ./octoscan/octoscan scan . - - zizmor: - name: Zizmor - runs-on: ubuntu-24.04 + lint: + name: Lint permissions: security-events: write actions: read contents: read - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - persist-credentials: false - - - name: Install the latest version of uv - uses: astral-sh/setup-uv@v4 - - - name: Run zizmor - run: uvx zizmor . - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + uses: ./.github/workflows/reusable-workflow-lint.yml diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml new file mode 100644 index 0000000000000..9031a7db00660 --- /dev/null +++ b/.github/workflows/reusable-workflow-lint.yml 
@@ -0,0 +1,99 @@ +name: Lint GitHub Actions workflows +on: + workflow_call: + +permissions: {} + +jobs: + actionlint: + name: Actionlint + runs-on: ubuntu-latest + permissions: + contents: read + timeout-minutes: 1 + steps: + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false + + # https://github.com/rhysd/actionlint + - name: Run actionlint + uses: docker://rhysd/actionlint:1.7.6 + with: + args: "-color -verbose" + + octoscan: + name: Octoscan + runs-on: ubuntu-latest + permissions: + security-events: write + actions: read + contents: read + timeout-minutes: 10 + steps: + - name: Checkout code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false + + - name: Run octoscan + id: octoscan + uses: synacktiv/action-octoscan@6b1cf2343893dfb9e5f75652388bd2dc83f456b0 # v1 + with: + filter_triggers: '' + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3 + with: + sarif_file: ${{steps.octoscan.outputs.sarif_output}} + category: octoscan + + zizmor: + name: Zizmor + runs-on: ubuntu-latest + permissions: + security-events: write + actions: read + contents: read + steps: + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false + + - name: Install the latest version of uv + uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4 + + # https://github.com/woodruffw/zizmor + - name: Run zizmor + run: uvx zizmor@1.1.1 --format sarif . 
> results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3 + with: + sarif_file: results.sarif + category: zizmor + + poutine: + name: Poutine + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + steps: + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false + + - name: Run Poutine + uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2 + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3 + with: + sarif_file: results.sarif + category: poutine From 3f2729b0cab575e766a08a0373f2e6941e2822a0 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 20 Jan 2025 11:27:30 +0000 Subject: [PATCH 25/49] These matrix keys don't exist. --- .github/workflows/local-docker-environment.yml | 1 - .github/workflows/phpunit-tests.yml | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/local-docker-environment.yml b/.github/workflows/local-docker-environment.yml index 5f1b9dd0be32b..896f2abb11faa 100644 --- a/.github/workflows/local-docker-environment.yml +++ b/.github/workflows/local-docker-environment.yml @@ -104,7 +104,6 @@ jobs: db-type: 'mysql' db-version: ${{ matrix.db-version }} memcached: ${{ matrix.memcached }} - tests-domain: ${{ matrix.tests-domain }} slack-notifications: name: Slack Notifications diff --git a/.github/workflows/phpunit-tests.yml b/.github/workflows/phpunit-tests.yml index 11a7fc8ae5e41..2cf3212ff6d83 100644 --- a/.github/workflows/phpunit-tests.yml +++ b/.github/workflows/phpunit-tests.yml 
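Review bot: The actionlint step uses `docker://rhysd/actionlint:1.7.6`, a mutable image tag, while every other third-party action in this new file is pinned to a full commit SHA; a re-pushed tag would run unreviewed code in the job. Pin the image by digest as well, `uses: docker://rhysd/actionlint:1.7.6@sha256:<digest-of-1.7.6>` (placeholder; take the digest from the registry). `uvx zizmor@1.1.1` is version-pinned but not hash-verified, which is worth a comment next to the step. The zizmor and poutine jobs also have no `timeout-minutes`, unlike actionlint and octoscan.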
@@ -144,7 +144,7 @@ jobs: multisite: ${{ matrix.multisite }} memcached: ${{ matrix.memcached }} phpunit-config: ${{ matrix.multisite && 'tests/phpunit/multisite.xml' || 'phpunit.xml.dist' }} - report: ${{ matrix.report || false }} + report: ${{ false }} # # Creates PHPUnit test jobs to test MariaDB and MySQL innovation releases. @@ -193,7 +193,7 @@ jobs: multisite: ${{ matrix.multisite }} memcached: ${{ matrix.memcached }} phpunit-config: ${{ matrix.multisite && 'tests/phpunit/multisite.xml' || 'phpunit.xml.dist' }} - report: ${{ matrix.report || false }} + report: ${{ false }} # # Runs specific individual test groups. From 7630d7271e876e62ab20e8cfc08cd824bef3c8e1 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 20 Jan 2025 11:27:58 +0000 Subject: [PATCH 26/49] Declare use of this secret. --- .github/workflows/reusable-phpunit-tests-v3.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/reusable-phpunit-tests-v3.yml b/.github/workflows/reusable-phpunit-tests-v3.yml index de40f81170ac0..bc402fb4337bc 100644 --- a/.github/workflows/reusable-phpunit-tests-v3.yml +++ b/.github/workflows/reusable-phpunit-tests-v3.yml @@ -76,6 +76,10 @@ on: CODECOV_TOKEN: description: 'The Codecov token required for uploading reports.' required: false + WPT_REPORT_API_KEY: + description: 'The WordPress.org Hosting Tests API key.' + required: false + env: LOCAL_PHP: ${{ inputs.php }}-fpm LOCAL_PHP_XDEBUG: ${{ inputs.coverage-report || false }} From 566d5cfa8cf29b369b961db6ed9ec5ec986194cb Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 20 Jan 2025 11:28:45 +0000 Subject: [PATCH 27/49] Add a missing step. --- .github/workflows/reusable-phpunit-tests-v1.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/reusable-phpunit-tests-v1.yml b/.github/workflows/reusable-phpunit-tests-v1.yml index a1aab8107da45..1c6e5a55052d7 100644 --- a/.github/workflows/reusable-phpunit-tests-v1.yml 
+++ b/.github/workflows/reusable-phpunit-tests-v1.yml @@ -50,6 +50,7 @@ on: type: boolean default: false env: + COMPOSER_INSTALL: ${{ false }} LOCAL_PHP: ${{ inputs.php }}-fpm LOCAL_PHPUNIT: ${{ inputs.phpunit && inputs.phpunit || inputs.php }}-fpm LOCAL_PHP_MEMCACHED: ${{ inputs.memcached }} @@ -111,6 +112,11 @@ jobs: - name: Build WordPress run: npm run build + - name: Get composer cache directory + if: ${{ env.COMPOSER_INSTALL == true }} + id: composer-cache + run: echo composer_dir="$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT" + - name: Cache Composer dependencies if: ${{ env.COMPOSER_INSTALL == true }} uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 From c71d3a2b7f0d04163b56df5da6b5e1b72df63809 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 20 Jan 2025 11:38:31 +0000 Subject: [PATCH 28/49] This is needed. --- .github/workflows/install-testing.yml | 2 +- .github/workflows/reusable-upgrade-testing.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/install-testing.yml b/.github/workflows/install-testing.yml index 28ef8fd4be350..0bfa1de60c986 100644 --- a/.github/workflows/install-testing.yml +++ b/.github/workflows/install-testing.yml @@ -110,7 +110,7 @@ jobs: --health-retries="5" -e MYSQL_ROOT_PASSWORD="root" -e MYSQL_DATABASE="test_db" - --entrypoint sh + --entrypoint sh ${{ matrix.db-type }}:${{ matrix.db-version }} -c "exec docker-entrypoint.sh mysqld${{ matrix.db-type == 'mysql' && contains( fromJSON('["7.2", "7.3"]'), matrix.php ) && ' --default-authentication-plugin=mysql_native_password' || '' }}" steps: diff --git a/.github/workflows/reusable-upgrade-testing.yml b/.github/workflows/reusable-upgrade-testing.yml index 49952acb28318..ca071a3db3f5c 100644 --- a/.github/workflows/reusable-upgrade-testing.yml +++ b/.github/workflows/reusable-upgrade-testing.yml 
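Review bot: The new step's `if: ${{ env.COMPOSER_INSTALL == true }}` compares an environment value, which is always a string, with a boolean; GitHub's expression coercion converts the string to a number (`NaN` for `'true'`), so the condition can never be true, even if the variable were set to true. Compare against the string instead: `if: ${{ env.COMPOSER_INSTALL == 'true' }}`. The existing "Cache Composer dependencies" step in the context lines uses the same condition and would need the same change. If these steps are meant to stay disabled in this workflow version, a comment next to `COMPOSER_INSTALL: ${{ false }}` saying so would help the next reader.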
@@ -69,7 +69,7 @@ jobs: --health-retries="5" -e MYSQL_ROOT_PASSWORD="root" -e MYSQL_DATABASE="test_db" - --entrypoint sh + --entrypoint sh ${{ inputs.db-type }}:${{ inputs.db-version }} -c "exec docker-entrypoint.sh mysqld${{ inputs.db-type == 'mysql' && contains( fromJSON('["7.2", "7.3"]'), inputs.php ) && ' --default-authentication-plugin=mysql_native_password' || '' }}" steps: From e1116d182380499fe47478e75cddc8b2f79b9ee2 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 20 Jan 2025 11:40:22 +0000 Subject: [PATCH 29/49] Make more use of environment variables. --- .../workflows/reusable-cleanup-pull-requests.yml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/.github/workflows/reusable-cleanup-pull-requests.yml b/.github/workflows/reusable-cleanup-pull-requests.yml index c63bab2d67751..6b92378b325b4 100644 --- a/.github/workflows/reusable-cleanup-pull-requests.yml +++ b/.github/workflows/reusable-cleanup-pull-requests.yml @@ -29,20 +29,18 @@ jobs: steps: - name: Find fixed ticket numbers id: trac-tickets + env: + COMMIT_MSG_RAW: ${{ github.event.head_commit.message }} run: | - COMMIT_MESSAGE=$(cat <<'EOF' | sed -n '/^Fixes #/,/\./p' - ${{ github.event.head_commit.message }} - EOF - ) + COMMIT_MESSAGE=$(echo "$COMMIT_MSG_RAW" | sed -n '/^Fixes #/,/\./p') echo "fixed_list=$(echo \"$COMMIT_MESSAGE\" | sed -n 's/.*Fixes #\([0-9]\+\).*/\1/p' | tr '\n' ' ')" >> $GITHUB_OUTPUT - name: Get the SVN revision id: git-svn-id + env: + COMMIT_MSG_RAW: ${{ github.event.head_commit.message }} run: | - COMMIT_MESSAGE=$(cat <<'EOF' | sed -n '$p' - ${{ github.event.head_commit.message }} - EOF - ) + COMMIT_MESSAGE=$(echo "$COMMIT_MSG_RAW" | sed -n '$p') echo "svn_revision_number=$(echo \"$COMMIT_MESSAGE\" | sed -n 's/.*git-svn-id: https:\/\/develop.svn.wordpress.org\/[^@]*@\([0-9]*\) .*/\1/p')" >> $GITHUB_OUTPUT - name: Find pull requests From bbd44697087ec2a5d0be997365ba521177aae7af Mon Sep 17 00:00:00 2001 
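Review bot: `echo "$COMMIT_MSG_RAW"` feeds an externally supplied commit message to `echo`, which treats a leading `-n`, `-e` or `-E` as an option and, depending on the shell, may interpret backslash sequences, so the text reaching `sed` can differ from the message. Use `printf '%s\n' "$COMMIT_MSG_RAW" | sed -n '/^Fixes #/,/\./p'` in the trac-tickets step and the same form with `sed -n '$p'` in the git-svn-id step. In the lines that follow, `\"$COMMIT_MESSAGE\"` leaves the variable unquoted inside the command substitution (PATCH 30/49 corrects that), and the `>> $GITHUB_OUTPUT` target is still unquoted in this file. Both outputs are reduced to digits by the sed capture groups, which is what keeps the message from adding extra output keys; a comment stating that would make the assumption explicit.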
From: John Blackbourn Date: Mon, 20 Jan 2025 12:04:46 +0000 Subject: [PATCH 30/49] Fix some more environment variable usage. --- .github/workflows/reusable-cleanup-pull-requests.yml | 4 ++-- .github/workflows/reusable-performance.yml | 7 +------ .github/workflows/reusable-phpunit-tests-v1.yml | 3 ++- 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/.github/workflows/reusable-cleanup-pull-requests.yml b/.github/workflows/reusable-cleanup-pull-requests.yml index 6b92378b325b4..cccbff9970489 100644 --- a/.github/workflows/reusable-cleanup-pull-requests.yml +++ b/.github/workflows/reusable-cleanup-pull-requests.yml @@ -33,7 +33,7 @@ jobs: COMMIT_MSG_RAW: ${{ github.event.head_commit.message }} run: | COMMIT_MESSAGE=$(echo "$COMMIT_MSG_RAW" | sed -n '/^Fixes #/,/\./p') - echo "fixed_list=$(echo \"$COMMIT_MESSAGE\" | sed -n 's/.*Fixes #\([0-9]\+\).*/\1/p' | tr '\n' ' ')" >> $GITHUB_OUTPUT + echo "fixed_list=$(echo "$COMMIT_MESSAGE" | sed -n 's/.*Fixes #\([0-9]\+\).*/\1/p' | tr '\n' ' ')" >> $GITHUB_OUTPUT - name: Get the SVN revision id: git-svn-id @@ -41,7 +41,7 @@ jobs: COMMIT_MSG_RAW: ${{ github.event.head_commit.message }} run: | COMMIT_MESSAGE=$(echo "$COMMIT_MSG_RAW" | sed -n '$p') - echo "svn_revision_number=$(echo \"$COMMIT_MESSAGE\" | sed -n 's/.*git-svn-id: https:\/\/develop.svn.wordpress.org\/[^@]*@\([0-9]*\) .*/\1/p')" >> $GITHUB_OUTPUT + echo "svn_revision_number=$(echo "$COMMIT_MESSAGE" | sed -n 's/.*git-svn-id: https:\/\/develop.svn.wordpress.org\/[^@]*@\([0-9]*\) .*/\1/p')" >> $GITHUB_OUTPUT - name: Find pull requests id: linked-prs diff --git a/.github/workflows/reusable-performance.yml b/.github/workflows/reusable-performance.yml index 154973ae24b0d..8e413a9700a68 100644 --- a/.github/workflows/reusable-performance.yml +++ b/.github/workflows/reusable-performance.yml 
@@ -337,12 +337,6 @@ jobs: }); return baseRef.data.object.sha; - - name: Set commit details - # Only needed when publishing results. - if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' && ! inputs.memcached && ! inputs.multisite }} - # Write to an environment variable to have the output available in later steps of the job. - run: echo "COMMITTED_AT=$(git show -s $GITHUB_SHA --format='%cI')" >> $GITHUB_ENV - - name: Publish performance results # Only publish results on pushes to trunk. if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' && ! inputs.memcached && ! inputs.multisite }} @@ -355,6 +349,7 @@ jobs: echo "Performance results could not be published. 'CODEVITALS_PROJECT_TOKEN' is not set" exit 1 fi + COMMITTED_AT="$(git show -s "$GITHUB_SHA" --format='%cI')" node ./tests/performance/log-results.js "$CODEVITALS_PROJECT_TOKEN" trunk "$GITHUB_SHA" "$BASE_SHA" "$COMMITTED_AT" "$HOST_NAME" - name: Ensure version-controlled files are not modified or deleted diff --git a/.github/workflows/reusable-phpunit-tests-v1.yml b/.github/workflows/reusable-phpunit-tests-v1.yml index 1c6e5a55052d7..4aa5b41b216e3 100644 --- a/.github/workflows/reusable-phpunit-tests-v1.yml +++ b/.github/workflows/reusable-phpunit-tests-v1.yml @@ -146,7 +146,8 @@ jobs: if: ${{ inputs.memcached }} run: | cp tests/phpunit/includes/object-cache.php build/wp-content/object-cache.php - docker run --name memcached --net $(basename "$PWD")_wpdevnet -d memcached + BASE=$(basename "$PWD") + docker run --name memcached --net "${BASE}_wpdevnet" -d memcached - name: General debug information run: | From bea13d48f9e0f92db194199d2f06feabb9da767e Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 20 Jan 2025 12:09:10 +0000 Subject: [PATCH 31/49] None of these exclusions match a matrix combination. --- .github/workflows/upgrade-testing.yml | 6 ------ 1 file changed, 6 deletions(-) 
diff --git a/.github/workflows/upgrade-testing.yml b/.github/workflows/upgrade-testing.yml index 9ee2665b0bd6b..2faca2c77933b 100644 --- a/.github/workflows/upgrade-testing.yml +++ b/.github/workflows/upgrade-testing.yml @@ -112,8 +112,6 @@ jobs: # The PHP <= 7.3/MySQL 8.4 jobs currently fail due to mysql_native_password being disabled by default. See https://core.trac.wordpress.org/ticket/61218. - php: '7.2' db-version: '8.4' - - php: '7.3' - db-version: '8.4' with: os: ${{ matrix.os }} php: ${{ matrix.php }} @@ -142,8 +140,6 @@ jobs: # The PHP <= 7.3/MySQL 8.4 jobs currently fail due to mysql_native_password being disabled by default. See https://core.trac.wordpress.org/ticket/61218. - php: '7.2' db-version: '8.4' - - php: '7.3' - db-version: '8.4' with: os: ${{ matrix.os }} php: ${{ matrix.php }} @@ -201,8 +197,6 @@ jobs: # The PHP <= 7.3/MySQL 8.4 jobs currently fail due to mysql_native_password being disabled by default. See https://core.trac.wordpress.org/ticket/61218. - php: '7.2' db-version: '8.4' - - php: '7.3' - db-version: '8.4' with: os: ${{ matrix.os }} php: ${{ matrix.php }} From 81d299345e3b39e0505c667664e27636a179ce89 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 20 Jan 2025 12:25:46 +0000 Subject: [PATCH 32/49] Consistently use a map for environment variables in the Docker compose config. --- docker-compose.yml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index ec462c8a24c5c..5328d1e0e1499 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -38,13 +38,13 @@ services: - wpdevnet environment: - - LOCAL_PHP_XDEBUG=${LOCAL_PHP_XDEBUG-false} - - XDEBUG_MODE=${LOCAL_PHP_XDEBUG_MODE-develop,debug} - - LOCAL_PHP_MEMCACHED=${LOCAL_PHP_MEMCACHED-false} - - PHP_FPM_UID=${PHP_FPM_UID-1000} - - PHP_FPM_GID=${PHP_FPM_GID-1000} - - GITHUB_REF=${GITHUB_REF-false} - - GITHUB_EVENT_NAME=${GITHUB_EVENT_NAME-false} + LOCAL_PHP_XDEBUG: ${LOCAL_PHP_XDEBUG-false} + XDEBUG_MODE: ${LOCAL_PHP_XDEBUG_MODE-develop,debug} + LOCAL_PHP_MEMCACHED: ${LOCAL_PHP_MEMCACHED-false} + PHP_FPM_UID: ${PHP_FPM_UID-1000} + PHP_FPM_GID: ${PHP_FPM_GID-1000} + GITHUB_REF: ${GITHUB_REF-false} + GITHUB_EVENT_NAME: ${GITHUB_EVENT_NAME-false} volumes: - ./tools/local-env/php-config.ini:/usr/local/etc/php/conf.d/php-config.ini @@ -97,10 +97,10 @@ services: - wpdevnet environment: - - LOCAL_PHP_XDEBUG=${LOCAL_PHP_XDEBUG-false} - - LOCAL_PHP_MEMCACHED=${LOCAL_PHP_MEMCACHED-false} - - PHP_FPM_UID=${PHP_FPM_UID-1000} - - PHP_FPM_GID=${PHP_FPM_GID-1000} + LOCAL_PHP_XDEBUG: ${LOCAL_PHP_XDEBUG-false} + LOCAL_PHP_MEMCACHED: ${LOCAL_PHP_MEMCACHED-false} + PHP_FPM_UID: ${PHP_FPM_UID-1000} + PHP_FPM_GID: ${PHP_FPM_GID-1000} volumes: - ./:/var/www From 2fe76332816bd38cb4d8721be406f717dae01625 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 20 Jan 2025 12:33:55 +0000 Subject: [PATCH 33/49] Simplify this. --- .github/workflows/install-testing.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/install-testing.yml b/.github/workflows/install-testing.yml index 0bfa1de60c986..1060010a84605 100644 --- a/.github/workflows/install-testing.yml +++ b/.github/workflows/install-testing.yml 
@@ -122,11 +122,9 @@ jobs: tools: ${{ contains( fromJSON('["5.4", "5.5"]'), matrix.php ) && 'wp-cli:2.4.0' || 'wp-cli' }} - name: Download WordPress - run: | - wp core download \ - ${{ inputs.wp-version && '--version="${WP_VERSION}"' || '--version=nightly' }} + run: wp core download --version="${WP_VERSION}" env: - WP_VERSION: ${{ inputs.wp-version }} + WP_VERSION: ${{ inputs.wp-version || 'nightly' }} - name: Create wp-config.php file run: wp config create --dbname=test_db --dbuser=root --dbpass=root --dbhost="127.0.0.1:${DB_PORT}" From 693aa4c4e6cafaa6809d1f494936cba4fc6fc995 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 20 Jan 2025 12:47:30 +0000 Subject: [PATCH 34/49] This syntax is misleading because it gives the impression that the value benefits from the double quote encapsulation, which is not true. Revert to the prior syntax. --- .../workflows/reusable-cleanup-pull-requests.yml | 4 ++-- .../workflows/reusable-coding-standards-php.yml | 2 +- .github/workflows/reusable-end-to-end-tests.yml | 4 ++-- .github/workflows/reusable-performance.yml | 2 +- .github/workflows/reusable-php-compatibility.yml | 2 +- .github/workflows/reusable-phpunit-tests-v1.yml | 6 +++--- .github/workflows/reusable-phpunit-tests-v2.yml | 6 +++--- .github/workflows/reusable-phpunit-tests-v3.yml | 4 ++-- .../workflows/reusable-support-json-reader-v1.yml | 14 +++++++------- .../reusable-test-local-docker-environment-v1.yml | 4 ++-- 10 files changed, 24 insertions(+), 24 deletions(-) diff --git a/.github/workflows/reusable-cleanup-pull-requests.yml b/.github/workflows/reusable-cleanup-pull-requests.yml index cccbff9970489..615aa4e487d7b 100644 --- a/.github/workflows/reusable-cleanup-pull-requests.yml +++ b/.github/workflows/reusable-cleanup-pull-requests.yml 
@@ -32,7 +32,7 @@ jobs: env: COMMIT_MSG_RAW: ${{ github.event.head_commit.message }} run: | - COMMIT_MESSAGE=$(echo "$COMMIT_MSG_RAW" | sed -n '/^Fixes #/,/\./p') + COMMIT_MESSAGE="$(echo "$COMMIT_MSG_RAW" | sed -n '/^Fixes #/,/\./p')" echo "fixed_list=$(echo "$COMMIT_MESSAGE" | sed -n 's/.*Fixes #\([0-9]\+\).*/\1/p' | tr '\n' ' ')" >> $GITHUB_OUTPUT - name: Get the SVN revision @@ -40,7 +40,7 @@ jobs: env: COMMIT_MSG_RAW: ${{ github.event.head_commit.message }} run: | - COMMIT_MESSAGE=$(echo "$COMMIT_MSG_RAW" | sed -n '$p') + COMMIT_MESSAGE="$(echo "$COMMIT_MSG_RAW" | sed -n '$p')" echo "svn_revision_number=$(echo "$COMMIT_MESSAGE" | sed -n 's/.*git-svn-id: https:\/\/develop.svn.wordpress.org\/[^@]*@\([0-9]*\) .*/\1/p')" >> $GITHUB_OUTPUT - name: Find pull requests diff --git a/.github/workflows/reusable-coding-standards-php.yml b/.github/workflows/reusable-coding-standards-php.yml index 9d55436c733b3..28c09a42d1121 100644 --- a/.github/workflows/reusable-coding-standards-php.yml +++ b/.github/workflows/reusable-coding-standards-php.yml @@ -62,7 +62,7 @@ jobs: # http://man7.org/linux/man-pages/man1/date.1.html - name: "Get last Monday's date" id: get-date - run: echo date="$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT" + run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT" - name: Cache PHPCS scan cache uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 diff --git a/.github/workflows/reusable-end-to-end-tests.yml b/.github/workflows/reusable-end-to-end-tests.yml index 8018def5da40f..823c9005955fe 100644 --- a/.github/workflows/reusable-end-to-end-tests.yml +++ b/.github/workflows/reusable-end-to-end-tests.yml 
@@ -67,8 +67,8 @@ jobs: steps: - name: Configure environment variables run: | - echo PHP_FPM_UID="$(id -u)" >> "$GITHUB_PATH" - echo PHP_FPM_GID="$(id -g)" >> "$GITHUB_ENV" + echo "PHP_FPM_UID=$(id -u)" >> "$GITHUB_PATH" + echo "PHP_FPM_GID=$(id -g)" >> "$GITHUB_ENV" - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/reusable-performance.yml b/.github/workflows/reusable-performance.yml index 8e413a9700a68..0a53afe1d4c1b 100644 --- a/.github/workflows/reusable-performance.yml +++ b/.github/workflows/reusable-performance.yml @@ -132,7 +132,7 @@ jobs: # The `workflow_dispatch` event is the only one missing the needed SHA to target. - name: Retrieve previous commit SHA (if necessary) if: ${{ github.event_name == 'workflow_dispatch' }} - run: echo TARGET_SHA="$(git rev-parse HEAD^1)" >> "$GITHUB_ENV" + run: echo "TARGET_SHA=$(git rev-parse HEAD^1)" >> "$GITHUB_ENV" - name: Set up Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 diff --git a/.github/workflows/reusable-php-compatibility.yml b/.github/workflows/reusable-php-compatibility.yml index 05d0346f4271c..f07e68cf5e32c 100644 --- a/.github/workflows/reusable-php-compatibility.yml +++ b/.github/workflows/reusable-php-compatibility.yml @@ -60,7 +60,7 @@ jobs: # http://man7.org/linux/man-pages/man1/date.1.html - name: "Get last Monday's date" id: get-date - run: echo date="$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT" + run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT" - name: Cache PHP compatibility scan cache uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 diff --git a/.github/workflows/reusable-phpunit-tests-v1.yml b/.github/workflows/reusable-phpunit-tests-v1.yml index 4aa5b41b216e3..1b08f69c15069 100644 --- a/.github/workflows/reusable-phpunit-tests-v1.yml +++ b/.github/workflows/reusable-phpunit-tests-v1.yml 
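Review bot: The first line of the "Configure environment variables" step still appends to `"$GITHUB_PATH"`, so `PHP_FPM_UID=<uid>` is added as a PATH entry and the variable itself is never exported; the line below it uses `"$GITHUB_ENV"` as intended. Change it to `echo "PHP_FPM_UID=$(id -u)" >> "$GITHUB_ENV"`. With the variable unset, the Compose file elsewhere in this series falls back to `${PHP_FPM_UID-1000}`, which presumably may not match the runner user.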
@@ -91,8 +91,8 @@ jobs: steps: - name: Configure environment variables run: | - echo PHP_FPM_UID="$(id -u)" >> "$GITHUB_ENV" - echo PHP_FPM_GID="$(id -g)" >> "$GITHUB_ENV" + echo "PHP_FPM_UID=$(id -u)" >> "$GITHUB_ENV" + echo "PHP_FPM_GID=$(id -g)" >> "$GITHUB_ENV" - name: Checkout repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 @@ -115,7 +115,7 @@ jobs: - name: Get composer cache directory if: ${{ env.COMPOSER_INSTALL == true }} id: composer-cache - run: echo composer_dir="$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT" + run: echo "composer_dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT" - name: Cache Composer dependencies if: ${{ env.COMPOSER_INSTALL == true }} diff --git a/.github/workflows/reusable-phpunit-tests-v2.yml b/.github/workflows/reusable-phpunit-tests-v2.yml index 6153d32c7f747..4f899cf572071 100644 --- a/.github/workflows/reusable-phpunit-tests-v2.yml +++ b/.github/workflows/reusable-phpunit-tests-v2.yml @@ -93,8 +93,8 @@ jobs: steps: - name: Configure environment variables run: | - echo PHP_FPM_UID="$(id -u)" >> "$GITHUB_ENV" - echo PHP_FPM_GID="$(id -g)" >> "$GITHUB_ENV" + echo "PHP_FPM_UID=$(id -u)" >> "$GITHUB_ENV" + echo "PHP_FPM_GID=$(id -g)" >> "$GITHUB_ENV" - name: Checkout repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 @@ -113,7 +113,7 @@ jobs: - name: Get composer cache directory id: composer-cache - run: echo composer_dir="$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT" + run: echo "composer_dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT" - name: Cache Composer dependencies uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 diff --git a/.github/workflows/reusable-phpunit-tests-v3.yml b/.github/workflows/reusable-phpunit-tests-v3.yml index bc402fb4337bc..d889eacb26eb2 100644 --- a/.github/workflows/reusable-phpunit-tests-v3.yml +++ b/.github/workflows/reusable-phpunit-tests-v3.yml 
@@ -125,8 +125,8 @@ jobs: steps: - name: Configure environment variables run: | - echo PHP_FPM_UID="$(id -u)" >> "$GITHUB_ENV" - echo PHP_FPM_GID="$(id -g)" >> "$GITHUB_ENV" + echo "PHP_FPM_UID=$(id -u)" >> "$GITHUB_ENV" + echo "PHP_FPM_GID=$(id -g)" >> "$GITHUB_ENV" - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/reusable-support-json-reader-v1.yml b/.github/workflows/reusable-support-json-reader-v1.yml index 24097b148e4d5..7b1bbd05d6aaf 100644 --- a/.github/workflows/reusable-support-json-reader-v1.yml +++ b/.github/workflows/reusable-support-json-reader-v1.yml @@ -59,11 +59,11 @@ jobs: id: major-wp-version run: | if [ "${WP_VERSION}" ] && [ "${WP_VERSION}" != "nightly" ] && [ "${WP_VERSION}" != "latest" ] && [ "${WP_VERSION}" != "trunk" ]; then - echo version="$(echo "${WP_VERSION}" | tr '.' '-' | cut -d '-' -f1-2)" >> "$GITHUB_OUTPUT" + echo "version=$(echo "${WP_VERSION}" | tr '.' '-' | cut -d '-' -f1-2)" >> "$GITHUB_OUTPUT" elif [ "${WP_VERSION}" ] && [ "${WP_VERSION}" != "trunk" ]; then - echo version="${WP_VERSION}" >> "$GITHUB_OUTPUT" + echo "version=${WP_VERSION}" >> "$GITHUB_OUTPUT" else - echo version="nightly" >> "$GITHUB_OUTPUT" + echo "version=nightly" >> "$GITHUB_OUTPUT" fi env: WP_VERSION: ${{ inputs.wp-version }} @@ -98,9 +98,9 @@ jobs: id: php-versions run: | if [ "${WP_VERSION}" != "latest" ] && [ "${WP_VERSION}" != "nightly" ]; then - echo versions="$(jq -r '.["${WP_VERSION}"] | @json' .version-support-php.json)" >> "$GITHUB_OUTPUT" # @TODO finalise + echo "versions=$(jq -r '.["${WP_VERSION}"] | @json' .version-support-php.json)" >> "$GITHUB_OUTPUT" # @TODO finalise else - echo versions="$(jq -r '.[ (keys[-1]) ] | @json' .version-support-php.json)" >> "$GITHUB_OUTPUT" + echo "versions=$(jq -r '.[ (keys[-1]) ] | @json' .version-support-php.json)" >> "$GITHUB_OUTPUT" fi env: WP_VERSION: ${{ needs.major-wp-version.outputs.version }} 
@@ -135,9 +135,9 @@ jobs: id: mysql-versions run: | if [ "${WP_VERSION}" != "latest" ] && [ "${WP_VERSION}" != "nightly" ]; then - echo versions="$(jq -r '.["${WP_VERSION}"] | @json' .version-support-mysql.json)" >> "$GITHUB_OUTPUT" # @todo finalise + echo "versions=$(jq -r '.["${WP_VERSION}"] | @json' .version-support-mysql.json)" >> "$GITHUB_OUTPUT" # @todo finalise else - echo versions="$(jq -r '.[ (keys[-1]) ] | @json' .version-support-mysql.json)" >> "$GITHUB_OUTPUT" + echo "versions=$(jq -r '.[ (keys[-1]) ] | @json' .version-support-mysql.json)" >> "$GITHUB_OUTPUT" fi env: WP_VERSION: ${{ needs.major-wp-version.outputs.version }} diff --git a/.github/workflows/reusable-test-local-docker-environment-v1.yml b/.github/workflows/reusable-test-local-docker-environment-v1.yml index 6f22c0a9bc103..98fb645533d59 100644 --- a/.github/workflows/reusable-test-local-docker-environment-v1.yml +++ b/.github/workflows/reusable-test-local-docker-environment-v1.yml @@ -82,8 +82,8 @@ jobs: steps: - name: Configure environment variables run: | - echo PHP_FPM_UID="$(id -u)" >> "$GITHUB_ENV" - echo PHP_FPM_GID="$(id -g)" >> "$GITHUB_ENV" + echo "PHP_FPM_UID=$(id -u)" >> "$GITHUB_ENV" + echo "PHP_FPM_GID=$(id -g)" >> "$GITHUB_ENV" - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 From 476187fbcb029239880c95f355d7e4900db58f6e Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 20 Jan 2025 12:47:42 +0000 Subject: [PATCH 35/49] Make this more readable. --- .github/workflows/slack-notifications.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/slack-notifications.yml b/.github/workflows/slack-notifications.yml index c40f286bef0ad..080df63767c32 100644 --- a/.github/workflows/slack-notifications.yml +++ b/.github/workflows/slack-notifications.yml 
@@ -153,15 +153,16 @@ jobs: - name: Construct payload and store as an output id: create-payload run: | - echo payload="$( jq \ + PAYLOAD="$( jq \ -n \ --arg workflow_name "${GITHUB_WORKFLOW}" \ --arg ref_name "${CURRENT_BRANCH}" \ --arg run_url "https://github.com/WordPress/wordpress-develop/actions/runs/${GITHUB_RUN_ID}/attempts/${GITHUB_RUN_ATTEMPT}" \ --arg commit_message "${COMMIT_MSG}" \ - # shellcheck disable=SC2016,SC2086 + # shellcheck disable=SC2016,SC2086 \ '{workflow_name: $workflow_name, ref_name: $ref_name, run_url: $run_url, commit_message: $commit_message}' - )" >> "$GITHUB_OUTPUT" + )" + echo "payload=$PAYLOAD" >> "$GITHUB_OUTPUT" env: COMMIT_MSG: ${{ steps.commit-message.outputs.commit_message_escaped }} From 4a205bf1c35e0abec4e16530d3c1a59f265582f0 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 20 Jan 2025 12:48:30 +0000 Subject: [PATCH 36/49] Remove the last lot of inline actions expressions. --- .github/workflows/reusable-performance.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/reusable-performance.yml b/.github/workflows/reusable-performance.yml index 0a53afe1d4c1b..920db7877d7ad 100644 --- a/.github/workflows/reusable-performance.yml +++ b/.github/workflows/reusable-performance.yml @@ -284,10 +284,10 @@ jobs: - name: Set the environment to the baseline version if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' }} run: | - VERSION="${{ env.BASE_TAG }}" + VERSION="${BASE_TAG}" VERSION="${VERSION%.0}" - npm run env:cli -- core update --version=$VERSION --force --path="/var/www/${{ env.LOCAL_DIR }}" - npm run env:cli -- core version --path="/var/www/${{ env.LOCAL_DIR }}" + npm run env:cli -- core update --version="$VERSION" --force --path="/var/www/${LOCAL_DIR}" + npm run env:cli -- core version --path="/var/www/${LOCAL_DIR}" - name: Run any database upgrades if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' }} 
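Review bot: The backslash appended to `# shellcheck disable=SC2016,SC2086 \` in the slack-notifications.yml hunk does not continue the command. A backslash inside a shell comment is part of the comment (ShellCheck reports it as SC1143), so `jq` still ends at `--arg commit_message "${COMMIT_MSG}"` and the quoted filter on the following line is parsed as a separate command. Moving the directive to its own line above `PAYLOAD="$( jq \` keeps the argument list unbroken. Separately, `jq` pretty-prints by default, so `echo "payload=$PAYLOAD"` would write a multi-line object into the single-line `name=value` form of `$GITHUB_OUTPUT`; adding `-c` next to `-n` keeps the JSON on one line. The step's `env:` block continues past the end of the hunk.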
From 95f9b6f9ff0da9cfcfda764e7b6de19c6bdb0380 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 20 Jan 2025 12:52:57 +0000 Subject: [PATCH 37/49] Replace unnecessary double quotes with single quotes. --- docker-compose.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 5328d1e0e1499..37f3f1c03a685 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -82,7 +82,10 @@ services: command: ${LOCAL_DB_AUTH_OPTION-} healthcheck: - test: [ "CMD-SHELL", "if [ \"$LOCAL_DB_TYPE\" = \"mariadb\" ]; then case \"$LOCAL_DB_VERSION\" in 5.5|10.0|10.1|10.2|10.3) mysqladmin ping -h localhost || exit $$?;; *) mariadb-admin ping -h localhost || exit $$?;; esac; else mysqladmin ping -h localhost || exit $$?; fi" ] + test: [ + 'CMD-SHELL', + 'if [ "$LOCAL_DB_TYPE" = "mariadb" ]; then case "$LOCAL_DB_VERSION" in 5.5|10.0|10.1|10.2|10.3) mysqladmin ping -h localhost || exit $$?;; *) mariadb-admin ping -h localhost || exit $$?;; esac; else mysqladmin ping -h localhost || exit $$?; fi' + ] timeout: 5s interval: 5s retries: 10 From a870ff0d4ba095361f015d65d5aa36e4ec467d09 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 20 Jan 2025 13:02:12 +0000 Subject: [PATCH 38/49] Will this ever end? --- .github/workflows/reusable-cleanup-pull-requests.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/reusable-cleanup-pull-requests.yml b/.github/workflows/reusable-cleanup-pull-requests.yml index 615aa4e487d7b..8c49236782dd2 100644 --- a/.github/workflows/reusable-cleanup-pull-requests.yml +++ b/.github/workflows/reusable-cleanup-pull-requests.yml 
@@ -33,7 +33,7 @@ jobs: COMMIT_MSG_RAW: ${{ github.event.head_commit.message }} run: | COMMIT_MESSAGE="$(echo "$COMMIT_MSG_RAW" | sed -n '/^Fixes #/,/\./p')" - echo "fixed_list=$(echo "$COMMIT_MESSAGE" | sed -n 's/.*Fixes #\([0-9]\+\).*/\1/p' | tr '\n' ' ')" >> $GITHUB_OUTPUT + echo "fixed_list=$(echo "$COMMIT_MESSAGE" | sed -n 's/.*Fixes #\([0-9]\+\).*/\1/p' | tr '\n' ' ')" >> "$GITHUB_OUTPUT" - name: Get the SVN revision id: git-svn-id @@ -41,7 +41,7 @@ jobs: COMMIT_MSG_RAW: ${{ github.event.head_commit.message }} run: | COMMIT_MESSAGE="$(echo "$COMMIT_MSG_RAW" | sed -n '$p')" - echo "svn_revision_number=$(echo "$COMMIT_MESSAGE" | sed -n 's/.*git-svn-id: https:\/\/develop.svn.wordpress.org\/[^@]*@\([0-9]*\) .*/\1/p')" >> $GITHUB_OUTPUT + echo "svn_revision_number=$(echo "$COMMIT_MESSAGE" | sed -n 's/.*git-svn-id: https:\/\/develop.svn.wordpress.org\/[^@]*@\([0-9]*\) .*/\1/p')" >> "$GITHUB_OUTPUT" - name: Find pull requests id: linked-prs From 3068d16ea6203de8d722d19099f4af03c6dcb659 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 21 Jan 2025 10:33:26 +0000 Subject: [PATCH 39/49] Remove further actions expressions. --- .github/workflows/reusable-performance.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/reusable-performance.yml b/.github/workflows/reusable-performance.yml index 471f6dbb883c6..3de9d807ecae3 100644 --- a/.github/workflows/reusable-performance.yml +++ b/.github/workflows/reusable-performance.yml 
@@ -186,10 +186,10 @@ jobs: - name: Enable themes on Multisite if: ${{ inputs.multisite }} run: | - npm run env:cli -- theme enable twentytwentyone --network --path="/var/www/${{ env.LOCAL_DIR }}" - npm run env:cli -- theme enable twentytwentythree --network --path="/var/www/${{ env.LOCAL_DIR }}" - npm run env:cli -- theme enable twentytwentyfour --network --path="/var/www/${{ env.LOCAL_DIR }}" - npm run env:cli -- theme enable twentytwentyfive --network --path="/var/www/${{ env.LOCAL_DIR }}" + npm run env:cli -- theme enable twentytwentyone --network --path="/var/www/${LOCAL_DIR}" + npm run env:cli -- theme enable twentytwentythree --network --path="/var/www/${LOCAL_DIR}" + npm run env:cli -- theme enable twentytwentyfour --network --path="/var/www/${LOCAL_DIR}" + npm run env:cli -- theme enable twentytwentyfive --network --path="/var/www/${LOCAL_DIR}" - name: Install WordPress Importer plugin run: npm run env:cli -- plugin install wordpress-importer --activate --path="/var/www/${LOCAL_DIR}" From cbb859888f9635419914aec5e0beabdb419c93ea Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 21 Jan 2025 11:00:58 +0000 Subject: [PATCH 40/49] Bring these annotations up to date. --- .github/workflows/slack-notifications.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/slack-notifications.yml b/.github/workflows/slack-notifications.yml index 080df63767c32..520d77630b7b7 100644 --- a/.github/workflows/slack-notifications.yml +++ b/.github/workflows/slack-notifications.yml @@ -145,6 +145,7 @@ jobs: - name: Prepare commit message. id: commit-message run: | + # shellcheck disable=SC2016 COMMIT_MESSAGE="$(echo "${COMMIT_MSG_RAW}" | awk 'NR==1' | sed 's/`/\\`/g' | sed 's/\"/\\\\\\"/g' | sed 's/\$/\\$/g')" echo commit_message_escaped="${COMMIT_MESSAGE}" >> "$GITHUB_OUTPUT" env: 
@@ -159,7 +160,6 @@ jobs: --arg ref_name "${CURRENT_BRANCH}" \ --arg run_url "https://github.com/WordPress/wordpress-develop/actions/runs/${GITHUB_RUN_ID}/attempts/${GITHUB_RUN_ATTEMPT}" \ --arg commit_message "${COMMIT_MSG}" \ - # shellcheck disable=SC2016,SC2086 \ '{workflow_name: $workflow_name, ref_name: $ref_name, run_url: $run_url, commit_message: $commit_message}' )" echo "payload=$PAYLOAD" >> "$GITHUB_OUTPUT" From 52bf13fe326b8852ea54d86303a931099e650fdf Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 21 Jan 2025 11:32:13 +0000 Subject: [PATCH 41/49] Last round of standardising the quotes around variables saved to the environment or the output. --- .github/workflows/reusable-performance.yml | 4 ++-- .github/workflows/reusable-phpunit-tests-v2.yml | 2 +- .github/workflows/slack-notifications.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/reusable-performance.yml b/.github/workflows/reusable-performance.yml index 3de9d807ecae3..e467d9ce850fe 100644 --- a/.github/workflows/reusable-performance.yml +++ b/.github/workflows/reusable-performance.yml @@ -123,8 +123,8 @@ jobs: steps: - name: Configure environment variables run: | - echo PHP_FPM_UID="$(id -u)" >> "$GITHUB_ENV" - echo PHP_FPM_GID="$(id -g)" >> "$GITHUB_ENV" + echo "PHP_FPM_UID=$(id -u)" >> "$GITHUB_ENV" + echo "PHP_FPM_GID=$(id -g)" >> "$GITHUB_ENV" - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/reusable-phpunit-tests-v2.yml b/.github/workflows/reusable-phpunit-tests-v2.yml index 4f899cf572071..eea607c3f45b8 100644 --- a/.github/workflows/reusable-phpunit-tests-v2.yml +++ b/.github/workflows/reusable-phpunit-tests-v2.yml 
@@ -132,7 +132,7 @@ jobs: # used for PHP 8 testing instead. if [ "${LOCAL_PHP}" == '8.0-fpm' ]; then docker compose run --rm php composer install --ignore-platform-reqs - echo PHPUNIT_SCRIPT="php-composer" >> "$GITHUB_ENV" + echo "PHPUNIT_SCRIPT=php-composer" >> "$GITHUB_ENV" elif [ "${LOCAL_PHP}" == '7.1-fpm' ]; then docker compose run --rm php composer update git checkout -- composer.lock diff --git a/.github/workflows/slack-notifications.yml b/.github/workflows/slack-notifications.yml index 520d77630b7b7..5d50f89032978 100644 --- a/.github/workflows/slack-notifications.yml +++ b/.github/workflows/slack-notifications.yml @@ -147,7 +147,7 @@ jobs: run: | # shellcheck disable=SC2016 COMMIT_MESSAGE="$(echo "${COMMIT_MSG_RAW}" | awk 'NR==1' | sed 's/`/\\`/g' | sed 's/\"/\\\\\\"/g' | sed 's/\$/\\$/g')" - echo commit_message_escaped="${COMMIT_MESSAGE}" >> "$GITHUB_OUTPUT" + echo "commit_message_escaped=${COMMIT_MESSAGE}" >> "$GITHUB_OUTPUT" env: COMMIT_MSG_RAW: ${{ ( github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' ) && fromJson( steps.current-commit-message.outputs.result ) || github.event.head_commit.message }} From 944f28c219c8599506fcf6aac450e997f4fb95cd Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 21 Jan 2025 11:53:11 +0000 Subject: [PATCH 42/49] Update all the new actions. --- .github/workflows/reusable-workflow-lint.yml | 22 +++++++++---------- .../workflows/{lint.yml => workflow-lint.yml} | 0 2 files changed, 11 insertions(+), 11 deletions(-) rename .github/workflows/{lint.yml => workflow-lint.yml} (100%) diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index 9031a7db00660..0bb2e6c3f9c65 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml 
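Review bot: In the slack-notifications.yml hunk, the value written as `commit_message_escaped` is still hand-escaped by the three `sed` calls for backticks, double quotes and `$`. The payload step changed earlier in this series reads it through an `env:` variable and passes it to `jq --arg`, which already encodes it as a JSON string, so the added backslashes would most likely appear literally in the message. If nothing outside this hunk interpolates the output directly into a script, the pipeline can stop at the first line, `COMMIT_MESSAGE="$(echo "${COMMIT_MSG_RAW}" | awk 'NR==1')"`, and leave the encoding to `jq`. The step's `env:` block runs past the end of the hunk, so check other consumers of the output before dropping the escaping.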
@@ -13,13 +13,13 @@ jobs: timeout-minutes: 1 steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false # https://github.com/rhysd/actionlint - name: Run actionlint - uses: docker://rhysd/actionlint:1.7.6 + uses: docker://rhysd/actionlint:1.7.7 with: args: "-color -verbose" @@ -33,18 +33,18 @@ jobs: timeout-minutes: 10 steps: - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Run octoscan id: octoscan - uses: synacktiv/action-octoscan@6b1cf2343893dfb9e5f75652388bd2dc83f456b0 # v1 + uses: synacktiv/action-octoscan@6b1cf2343893dfb9e5f75652388bd2dc83f456b0 # v1.0.0 with: filter_triggers: '' - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3 + uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1 with: sarif_file: ${{steps.octoscan.outputs.sarif_output}} category: octoscan 
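Review bot: `uses: docker://rhysd/actionlint:1.7.7` in the first hunk of reusable-workflow-lint.yml references the image by tag, while every other `uses:` line in this patch is pinned to a commit SHA with the version in a trailing comment. A registry tag can be re-pointed, so the job runs whatever image the tag resolves to at run time. Pinning by digest would follow the same convention: `uses: docker://rhysd/actionlint@sha256:<digest of the 1.7.7 image> # 1.7.7`, with the placeholder replaced by the digest taken from the registry.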
@@ -58,21 +58,21 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Install the latest version of uv - uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4 + uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5.2.1 # https://github.com/woodruffw/zizmor - name: Run zizmor - run: uvx zizmor@1.1.1 --format sarif . > results.sarif + run: uvx zizmor@1.2.2 --format sarif . > results.sarif env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3 + uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1 with: sarif_file: results.sarif category: zizmor @@ -85,7 +85,7 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false @@ -93,7 +93,7 @@ jobs: uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2 - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3 + uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1 with: sarif_file: results.sarif category: poutine diff --git a/.github/workflows/lint.yml b/.github/workflows/workflow-lint.yml similarity index 100% rename from .github/workflows/lint.yml rename to .github/workflows/workflow-lint.yml From 36d4ab5929c03f7d6ffa0cffcfff7907fd3f0be5 Mon Sep 17 00:00:00 2001 
From: John Blackbourn Date: Tue, 21 Jan 2025 12:15:14 +0000 Subject: [PATCH 43/49] Finalise these. --- .../reusable-support-json-reader-v1.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/.github/workflows/reusable-support-json-reader-v1.yml b/.github/workflows/reusable-support-json-reader-v1.yml index 7b1bbd05d6aaf..02adfb07e70bd 100644 --- a/.github/workflows/reusable-support-json-reader-v1.yml +++ b/.github/workflows/reusable-support-json-reader-v1.yml @@ -98,7 +98,13 @@ jobs: id: php-versions run: | if [ "${WP_VERSION}" != "latest" ] && [ "${WP_VERSION}" != "nightly" ]; then - echo "versions=$(jq -r '.["${WP_VERSION}"] | @json' .version-support-php.json)" >> "$GITHUB_OUTPUT" # @TODO finalise + VERSIONS="$( jq \ + -r \ + --arg wp_version "${WP_VERSION}" \ + '.[$wp_version] | @json' \ + .version-support-php.json + )" + echo "versions=$VERSIONS" >> "$GITHUB_OUTPUT" else echo "versions=$(jq -r '.[ (keys[-1]) ] | @json' .version-support-php.json)" >> "$GITHUB_OUTPUT" fi @@ -135,7 +141,13 @@ jobs: id: mysql-versions run: | if [ "${WP_VERSION}" != "latest" ] && [ "${WP_VERSION}" != "nightly" ]; then - echo "versions=$(jq -r '.["${WP_VERSION}"] | @json' .version-support-mysql.json)" >> "$GITHUB_OUTPUT" # @todo finalise + VERSIONS="$( jq \ + -r \ + --arg wp_version "${WP_VERSION}" \ + '.[$wp_version] | @json' \ + .version-support-mysql.json + )" + echo "versions=$VERSIONS" >> "$GITHUB_OUTPUT" else echo "versions=$(jq -r '.[ (keys[-1]) ] | @json' .version-support-mysql.json)" >> "$GITHUB_OUTPUT" fi From 0ee00f97f7488ab8c20af69895328776ba2f2db2 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 21 Jan 2025 12:27:48 +0000 Subject: [PATCH 44/49] Remove Octoscan, Zizmor, and Poutine. --- .github/workflows/reusable-workflow-lint.yml | 75 -------------------- 1 file changed, 75 deletions(-) 
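Review bot: `'.[$wp_version] | @json'` in the php-versions hunk yields `null` when the requested version has no key in `.version-support-php.json`, so the step succeeds and publishes `versions=null`. The mysql-versions hunk has the same lookup against `.version-support-mysql.json`. How `versions` is consumed is not visible here, but a null is likely to surface later as an unrelated-looking failure. Failing in this step makes the cause clear, e.g. `'.[$wp_version] // error("no support data for this version") | @json'`. The `VERSIONS="$( … )"` assignment form already lets a non-zero `jq` exit stop the step under the default `bash -e` shell, whereas the `echo "versions=$(jq …)"` form left in the `else` branch masks it.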
diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index 0bb2e6c3f9c65..d1de3936b897f 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml 
@@ -22,78 +22,3 @@ jobs: uses: docker://rhysd/actionlint:1.7.7 with: args: "-color -verbose" - - octoscan: - name: Octoscan - runs-on: ubuntu-latest - permissions: - security-events: write - actions: read - contents: read - timeout-minutes: 10 - steps: - - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false - - - name: Run octoscan - id: octoscan - uses: synacktiv/action-octoscan@6b1cf2343893dfb9e5f75652388bd2dc83f456b0 # v1.0.0 - with: - filter_triggers: '' - - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1 - with: - sarif_file: ${{steps.octoscan.outputs.sarif_output}} - category: octoscan - - zizmor: - name: Zizmor - runs-on: ubuntu-latest - permissions: - security-events: write - actions: read - contents: read - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false - - - name: Install the latest version of uv - uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5.2.1 - - # https://github.com/woodruffw/zizmor - - name: Run zizmor - run: uvx zizmor@1.2.2 --format sarif . 
> results.sarif - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1 - with: - sarif_file: results.sarif - category: zizmor - - poutine: - name: Poutine - runs-on: ubuntu-latest - permissions: - security-events: write - contents: read - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false - - - name: Run Poutine - uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2 - - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1 - with: - sarif_file: results.sarif - category: poutine From 8d6d83ab3768536de7afd52933b1e337fc88645e Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Wed, 22 Jan 2025 12:24:17 +0000 Subject: [PATCH 45/49] Apply suggestions from code review Co-authored-by: Jonathan Desrosiers <359867+desrosj@users.noreply.github.com> --- .github/workflows/reusable-workflow-lint.yml | 14 ++++++++++++-- .github/workflows/workflow-lint.yml | 5 +++-- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index d1de3936b897f..41c57bd14fbf3 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml @@ -5,8 +5,16 @@ on: permissions: {} jobs: + # Runs the actionlint GitHub Action workflow file linter. + # + # This helps guard against common mistakes including strong type checking for expressions (${{ }}), security checks, + # `run:` script checking, glob syntax validation, and more. + # + # Performs the following steps: + # - Checks out the repository. + # - Runs actionlint. actionlint: - name: Actionlint + name: Run actionlint runs-on: ubuntu-latest permissions: contents: read 
@@ -16,8 +24,10 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false + show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} - # https://github.com/rhysd/actionlint + # actionlint is static checker for GitHub Actions workflow files. + # See https://github.com/rhysd/actionlint. - name: Run actionlint uses: docker://rhysd/actionlint:1.7.7 with: diff --git a/.github/workflows/workflow-lint.yml b/.github/workflows/workflow-lint.yml index 9da3bbe99e0d4..7dd33385e9350 100644 --- a/.github/workflows/workflow-lint.yml +++ b/.github/workflows/workflow-lint.yml @@ -4,7 +4,8 @@ on: push: branches: - trunk - - '[0-9].[0-9]' + - '6.[8-9]' + - '[7-9].[0-9]' tags: - '[0-9]+.[0-9]' - '[0-9]+.[0-9].[0-9]+' @@ -33,7 +34,7 @@ permissions: {} jobs: lint: - name: Lint + name: Lint GitHub Action files permissions: security-events: write actions: read From ba4bb24e1561cb5e9addaedd18f3009c6507ab4c Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Wed, 22 Jan 2025 12:25:43 +0000 Subject: [PATCH 46/49] These permissions are not needed. --- .github/workflows/upgrade-testing.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/upgrade-testing.yml b/.github/workflows/upgrade-testing.yml index 2faca2c77933b..2dd3c5e91b038 100644 --- a/.github/workflows/upgrade-testing.yml +++ b/.github/workflows/upgrade-testing.yml @@ -59,8 +59,6 @@ jobs: name: ${{ matrix.wp }} to ${{ inputs.new-version && inputs.new-version || 'latest' }} uses: WordPress/wordpress-develop/.github/workflows/reusable-upgrade-testing.yml@trunk if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }} - permissions: - contents: read strategy: fail-fast: false matrix: 
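Review bot: The `lint` job in workflow-lint.yml (the `@@ -33,7 +34,7 @@` hunk) still grants `security-events: write` and `actions: read` to the called workflow. Those were needed for the SARIF uploads of the Octoscan, Zizmor and Poutine jobs, which patch 44 removed; the remaining `actionlint` job in reusable-workflow-lint.yml declares only `contents: read`. Reducing the caller to `permissions:` / `contents: read` keeps the token at the minimum the reusable workflow asks for. The permissions block continues past the end of the hunk, so confirm whether `contents: read` is already listed there.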
@@ -96,8 +94,6 @@ jobs: name: ${{ matrix.wp }} to ${{ inputs.new-version && inputs.new-version || 'latest' }} uses: WordPress/wordpress-develop/.github/workflows/reusable-upgrade-testing.yml@trunk if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }} - permissions: - contents: read strategy: fail-fast: false matrix: From 6bf77142ba4ed554d0c69fc2bca4553ca35ba93e Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Wed, 22 Jan 2025 12:25:51 +0000 Subject: [PATCH 47/49] Don't lint the workflow files when tagging. --- .github/workflows/workflow-lint.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/workflow-lint.yml b/.github/workflows/workflow-lint.yml index 7dd33385e9350..2aabdf09e2641 100644 --- a/.github/workflows/workflow-lint.yml +++ b/.github/workflows/workflow-lint.yml @@ -6,9 +6,6 @@ on: - trunk - '6.[8-9]' - '[7-9].[0-9]' - tags: - - '[0-9]+.[0-9]' - - '[0-9]+.[0-9].[0-9]+' paths: # Only run when changes are made to workflow files. - '.github/workflows/**' From 30090af946c2ebda5a9ae8364b8dcef00c1da7f5 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Wed, 22 Jan 2025 12:26:49 +0000 Subject: [PATCH 48/49] Be a bit more generous with this timeout. --- .github/workflows/reusable-workflow-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index 41c57bd14fbf3..352a1eb65e5d8 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - timeout-minutes: 1 + timeout-minutes: 5 steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 From 1d28bda789d89e97f6b66e2a5e525d7270c6e19c Mon Sep 17 00:00:00 2001 
From: John Blackbourn Date: Wed, 22 Jan 2025 14:03:22 +0000 Subject: [PATCH 49/49] Fix a PEBKAC issue. --- .github/workflows/reusable-end-to-end-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-end-to-end-tests.yml b/.github/workflows/reusable-end-to-end-tests.yml index 823c9005955fe..38c8e93af7202 100644 --- a/.github/workflows/reusable-end-to-end-tests.yml +++ b/.github/workflows/reusable-end-to-end-tests.yml @@ -67,7 +67,7 @@ jobs: steps: - name: Configure environment variables run: | - echo "PHP_FPM_UID=$(id -u)" >> "$GITHUB_PATH" + echo "PHP_FPM_UID=$(id -u)" >> "$GITHUB_ENV" echo "PHP_FPM_GID=$(id -g)" >> "$GITHUB_ENV" - name: Checkout repository