workflows

Author: PDowney

.github/scripts/check-wordpress-tested-up-to.py

@@ -3,6 +3,7 @@
 
 from __future__ import annotations
 
+import argparse
 import json
 import os
 import re
@@ -32,6 +33,7 @@
 
 
 def main() -> int:
+    args = parse_args()
     latest_version = get_latest_wordpress_major_minor()
     excluded_dirs = get_excluded_dirs()
     findings = find_tested_up_to_entries(excluded_dirs)
@@ -42,41 +44,54 @@ def main() -> int:
         write_summary(latest_version, [], [message])
         return 1
 
-    failures = []
-    for finding in findings:
-        if finding["version"] is None:
-            failures.append(
-                f"{finding['path']}:{finding['line']}: Could not parse Tested up to version."
-            )
-            print_github_error(
-                "Could not parse Tested up to version.",
-                finding["path"],
-                finding["line"],
-            )
-            continue
+    failures = get_failures(latest_version, findings)
+    updated_paths = []
 
-        tested_version = normalize_major_minor(finding["version"])
-        if tested_version != latest_version:
-            message = (
-                f"Tested up to is {finding['version']}; expected {latest_version} "
-                "for the latest WordPress release."
-            )
-            failures.append(f"{finding['path']}:{finding['line']}: {message}")
-            print_github_error(message, finding["path"], finding["line"])
+    if args.fix and failures:
+        updated_paths = update_tested_up_to_entries(findings, latest_version)
+        findings = find_tested_up_to_entries(excluded_dirs)
+        failures = get_failures(latest_version, findings)
+
+    if failures:
+        for failure in failures:
+            print_github_error(failure["message"], failure["path"], failure["line"])
 
-    write_summary(latest_version, findings, failures)
+    write_summary(latest_version, findings, failures, updated_paths)
 
     if failures:
         entry_label = "entry" if len(failures) == 1 else "entries"
         print(f"Found {len(failures)} stale or invalid Tested up to {entry_label}.")
         for failure in failures:
-            print(f"- {failure}")
+            print(f"- {format_failure(failure)}")
         return 1
 
+    if updated_paths:
+        path_label = "file" if len(updated_paths) == 1 else "files"
+        print(
+            f"Updated Tested up to metadata to WordPress {latest_version} "
+            f"in {len(updated_paths)} {path_label}."
+        )
+        for path in updated_paths:
+            print(f"- {path}")
+        return 0
+
     print(f"All Tested up to entries match WordPress {latest_version}.")
     return 0
 
 
+def parse_args() -> argparse.Namespace:
+    parser = argparse.ArgumentParser(
+        description='Check WordPress "Tested up to" metadata against the latest release.'
+    )
+    parser.add_argument(
+        "--fix",
+        action="store_true",
+        help="Update stale or invalid Tested up to entries to the latest WordPress release.",
+    )
+
+    return parser.parse_args()
+
+
 def get_latest_wordpress_major_minor() -> str:
     if WORDPRESS_LATEST_VERSION:
         return normalize_major_minor(WORDPRESS_LATEST_VERSION)
@@ -175,10 +190,100 @@ def should_scan(path: Path, excluded_dirs: set[str]) -> bool:
     return not any(part in excluded_dirs for part in path.parts)
 
 
+def get_failures(
+    latest_version: str,
+    findings: list[dict[str, str | int | None]],
+) -> list[dict[str, str | int]]:
+    failures = []
+
+    for finding in findings:
+        if finding["version"] is None:
+            failures.append(
+                {
+                    "path": str(finding["path"]),
+                    "line": int(finding["line"]),
+                    "message": "Could not parse Tested up to version.",
+                }
+            )
+            continue
+
+        tested_version = normalize_major_minor(str(finding["version"]))
+        if tested_version != latest_version:
+            failures.append(
+                {
+                    "path": str(finding["path"]),
+                    "line": int(finding["line"]),
+                    "message": (
+                        f"Tested up to is {finding['version']}; expected "
+                        f"{latest_version} for the latest WordPress release."
+                    ),
+                }
+            )
+
+    return failures
+
+
+def update_tested_up_to_entries(
+    findings: list[dict[str, str | int | None]],
+    latest_version: str,
+) -> list[str]:
+    paths_to_update = {
+        str(finding["path"])
+        for finding in findings
+        if finding["version"] is None
+        or normalize_major_minor(str(finding["version"])) != latest_version
+    }
+
+    for path_string in paths_to_update:
+        path_findings = [
+            finding for finding in findings if str(finding["path"]) == path_string
+        ]
+        path = Path(path_string)
+        lines = path.read_text(encoding="utf-8", errors="replace").splitlines(
+            keepends=True
+        )
+
+        for finding in path_findings:
+            line_index = int(finding["line"]) - 1
+            lines[line_index] = replace_tested_up_to_line(
+                lines[line_index], latest_version
+            )
+
+        path.write_text("".join(lines), encoding="utf-8")
+
+    return sorted(paths_to_update)
+
+
+def replace_tested_up_to_line(line: str, latest_version: str) -> str:
+    match = TESTED_UP_TO_PATTERN.search(line)
+    if match:
+        return f"{line[:match.start(1)]}{latest_version}{line[match.end(1):]}"
+
+    label_match = TESTED_UP_TO_LABEL_PATTERN.search(line)
+    if not label_match:
+        return line
+
+    line_ending = ""
+    content = line
+    if line.endswith("\r\n"):
+        content = line[:-2]
+        line_ending = "\r\n"
+    elif line.endswith("\n"):
+        content = line[:-1]
+        line_ending = "\n"
+
+    return f"{content[:label_match.end()]} {latest_version}{line_ending}"
+
+
+def format_failure(failure: dict[str, str | int]) -> str:
+    return f"{failure['path']}:{failure['line']}: {failure['message']}"
+
+
 def write_summary(
     latest_version: str,
     findings: list[dict[str, str | int | None]],
-    failures: list[str],
+    failures: list[dict[str, str | int] | str],
+    updated_paths: list[str] | None = None,
 ) -> None:
     summary_path = os.environ.get("GITHUB_STEP_SUMMARY")
     if not summary_path:
@@ -194,7 +299,14 @@ def write_summary(
 
     if failures:
         lines.append("## Failures")
-        lines.extend(f"- {failure}" for failure in failures)
+        lines.extend(
+            f"- {format_failure(failure) if isinstance(failure, dict) else failure}"
+            for failure in failures
+        )
+    elif updated_paths:
+        lines.append("## Updates")
+        lines.append(f"Updated Tested up to metadata in `{len(updated_paths)}` file(s).")
+        lines.extend(f"- `{path}`" for path in updated_paths)
     else:
         lines.append("All Tested up to entries are current.")
 

.github/workflows/branch-cleanup.yml

@@ -1,6 +1,6 @@
 # This workflow automatically deletes the branch associated with a pull request
 # after it has been merged, unless the branch is protected (e.g., main, dev, staging).
-# It helps keep the repository clean by removing merged feature or bugfix branches.
+# It helps keep the repository clean by removing merged feature or bug-fix branches.
 
 name: Branch Cleanup
 
@@ -12,16 +12,19 @@ permissions:
   contents: write
   pull-requests: read
 
+env:
+  PLUGIN_SLUG: enginescript-site-exporter
+
 jobs:
   cleanup:
     runs-on: ubuntu-latest
-    
+
     steps:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
-      
+
       - name: Delete merged branch
         if: github.event.pull_request.merged == true && github.event.pull_request.head.repo.full_name == github.repository
         env:
@@ -30,14 +33,14 @@ jobs:
           REPOSITORY: ${{ github.repository }}
         run: |
           echo "Checking branch: $BRANCH_NAME"
-          
-          # Protected branch check - using quotes to prevent injection
+
+          # Check protected branches. Quotes prevent injection.
           if [[ "$BRANCH_NAME" =~ ^(main|master|dev|develop|staging|production)$ ]]; then
             echo "::warning::Skipping deletion of protected branch: $BRANCH_NAME"
             exit 0
           fi
-          
-          # Attempt branch deletion - using quotes to prevent injection
+
+          # Attempt branch deletion. Quotes prevent injection.
           echo "Attempting to delete branch: $BRANCH_NAME"
           if git push origin --delete "$BRANCH_NAME" 2>/dev/null; then
             echo "::notice::Successfully deleted branch: $BRANCH_NAME"

.github/workflows/issue-management.yml

@@ -15,6 +15,9 @@ permissions:
   pull-requests: write
   issues: write
 
+env:
+  PLUGIN_SLUG: enginescript-site-exporter
+
 jobs:
   triage:
     runs-on: ubuntu-latest

.github/workflows/new-issue.yml

@@ -1,26 +1,46 @@
-# This workflow automatically posts a guidance comment on new issues.
-# It instructs users to run the `es.debug` command on their server and share the sanitized output,
-# helping maintainers get the information needed to troubleshoot and resolve issues efficiently.
+# This workflow automatically posts a guidance comment on new pull requests.
+# It welcomes contributors and provides a brief message to acknowledge their
+# contribution to EngineScript Site Exporter.
+# The workflow is triggered whenever a new pull request is opened.
 
-name: Issue Guidance
+name: New Pull Request Guidance
 
 on:
-  issues:
+  # pull_request_target is used only so the workflow can post this static
+  # guidance comment on forked PRs. Do not add checkout, build, or script steps
+  # here because this event has access to repository-scoped credentials.
+  pull_request_target:
     types: [opened]
 
-permissions:
-  contents: write
-  issues: write
+permissions: read-all
+
+env:
+  PLUGIN_SLUG: enginescript-site-exporter
 
 jobs:
   guide:
     runs-on: ubuntu-latest
+    # Explicitly define permissions required by the job
+    permissions:
+      pull-requests: write
     steps:
-      - name: Post guidance comment
+      - name: Post guidance comment on new PR
         uses: peter-evans/create-or-update-comment@v5
         with:
-          issue-number: ${{ github.event.issue.number }}
+          issue-number: ${{ github.event.pull_request.number }}
           body: |
-            Thanks for opening an issue. Please provide a detailed description of the problem you're facing. If you have error messages or logs, please include them as well.
+            Thanks for contributing to EngineScript Site Exporter!
+
+            **Before we review:**
+            - [ ] Have you tested your changes with WordPress 6.8+?
+            - [ ] Are your changes compatible with PHP 8.2+?
+            - [ ] Have you followed WordPress coding standards?
+            - [ ] Did you update the CHANGELOG.md if needed?
+
+            **Security Reminder**
+            This plugin creates site export archives, so please ensure:
+            - All user input is properly sanitized
+            - All output is properly escaped
+            - No security vulnerabilities are introduced
 
-            If you're server was configured with the main EngineScript application, you can run a detailed log by running the command `es.debug` in your server console. This will generate a detailed log of the current state of the server, which can help us understand the issue better.
+            We'll review your PR soon.

.github/workflows/new-pull-request.yml

@@ -1,13 +1,22 @@
 # This workflow automatically posts a guidance comment on new pull requests.
-# It encourages contributors to include sanitized output from `es.debug` if relevant,
-# helping maintainers review and test changes more efficiently.
+# It welcomes contributors and provides a brief message to acknowledge their
+# contribution to EngineScript Site Exporter.
+# The workflow is triggered whenever a new pull request is opened.
 
 name: New Pull Request Guidance
 
 on:
+  # pull_request_target is used only so the workflow can post this static
+  # guidance comment on forked PRs. Do not add checkout, build, or script steps
+  # here because this event has access to repository-scoped credentials.
   pull_request_target:
     types: [opened]
 
+permissions: read-all
+
+env:
+  PLUGIN_SLUG: enginescript-site-exporter
+
 jobs:
   guide:
     runs-on: ubuntu-latest
@@ -20,18 +29,18 @@ jobs:
         with:
           issue-number: ${{ github.event.pull_request.number }}
           body: |
-            Thanks for contributing to EngineScript Site Exporter! 🎉
+            Thanks for contributing to EngineScript Site Exporter!
 
             **Before we review:**
             - [ ] Have you tested your changes with WordPress 6.8+?
             - [ ] Are your changes compatible with PHP 8.2+?
             - [ ] Have you followed WordPress coding standards?
             - [ ] Did you update the CHANGELOG.md if needed?
-            
-            **Security Reminder:**
-            This plugin handles sensitive site databases, so please ensure:
-            - All user inputs are properly sanitized
-            - All outputs are properly escaped
+
+            **Security Reminder**
+            This plugin creates site export archives, so please ensure:
+            - All user input is properly sanitized
+            - All output is properly escaped
             - No security vulnerabilities are introduced
-            
-            We'll review your PR soon! 🚀
+
+            We'll review your PR soon.