Merge remote-tracking branch 'origin/trunk' into add/heic-canvas-fallback

# Conflicts:
#	src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php

Author: adamsilverstein

.env.example

@@ -46,12 +46,12 @@ LOCAL_DB_TYPE=mysql
 ##
 # The database version to use.
 #
-# Defaults to 8.0 with the assumption that LOCAL_DB_TYPE is set to `mysql` above.
+# Defaults to 9.7 with the assumption that LOCAL_DB_TYPE is set to `mysql` above.
 #
 # When using `mysql`, see https://hub.docker.com/_/mysql for valid versions.
 # When using `mariadb`, see https://hub.docker.com/_/mariadb for valid versions.
 ##
-LOCAL_DB_VERSION=8.4
+LOCAL_DB_VERSION=9.7
 
 # Whether or not to enable multisite.
 LOCAL_MULTISITE=false

.github/workflows/commit-built-file-changes.yml

@@ -40,7 +40,9 @@ jobs:
     if: ${{ github.repository == 'wordpress/wordpress-develop' }}
     timeout-minutes: 10
     permissions:
-      contents: write
+      # The actual `git push` is authenticated via a dedicated GitHub App installation token
+      # generated below, so `GITHUB_TOKEN` only needs read access to the triggering workflow's artifacts.
+      actions: read # Required to list and download the artifact uploaded by the triggering workflow run.
     steps:
       - name: Download artifact
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
@@ -90,21 +92,18 @@ jobs:
         id: generate_token
         if: ${{ steps.artifact-check.outputs.exists == 'true' }}
         env:
-          GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }}
+          GH_APP_ID: ${{ vars.GH_PR_BUILT_FILES_APP_ID }}
           GH_APP_PRIVATE_KEY: ${{ secrets.GH_PR_BUILT_FILES_PRIVATE_KEY }}
         run: |
-          echo "$GH_APP_PRIVATE_KEY" > private-key.pem
-
           # Generate JWT
           JWT=$(python3 - <<EOF
-          import jwt, time
-          private_key = open("private-key.pem", "r").read()
+          import jwt, time, os
           payload = {
               "iat": int(time.time()),
               "exp": int(time.time()) + 600,  # 10-minute expiration
-              "iss": $GH_APP_ID
+              "iss": int(os.environ["GH_APP_ID"]),
           }
-          print(jwt.encode(payload, private_key, algorithm="RS256"))
+          print(jwt.encode(payload, os.environ["GH_APP_PRIVATE_KEY"], algorithm="RS256"))
           EOF
           )
 
@@ -118,9 +117,7 @@ jobs:
             -H "Accept: application/vnd.github.v3+json" \
             "https://api.github.com/app/installations/$INSTALLATION_ID/access_tokens" | jq -r '.token')
 
-          echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"
-
-          rm -f private-key.pem
+          echo "access-token=$ACCESS_TOKEN" >> "$GITHUB_OUTPUT"
 
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -130,7 +127,7 @@ jobs:
           ref: ${{ github.event.workflow_run.head_branch }}
           path: 'pr-repo'
           show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
-          token: ${{ env.ACCESS_TOKEN }}
+          token: ${{ steps.generate_token.outputs.access-token }}
           persist-credentials: true
 
       - name: Apply patch
@@ -147,7 +144,7 @@ jobs:
         if: ${{ steps.artifact-check.outputs.exists == 'true' }}
         working-directory: 'pr-repo'
         env:
-          GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }}
+          GH_APP_ID: ${{ vars.GH_PR_BUILT_FILES_APP_ID }}
         run: |
           git config user.name "wordpress-develop-pr-bot[bot]"
           git config user.email "${GH_APP_ID}+wordpress-develop-pr-bot[bot]@users.noreply.github.com"

.github/workflows/install-testing.yml

@@ -94,11 +94,12 @@ jobs:
           - db-version: '9.3'
           - db-version: '9.4'
           - db-version: '9.5'
+          - db-version: '9.6'
           # MySQL 9.0+ will not work on PHP 7.2 & 7.3. See https://core.trac.wordpress.org/ticket/61218.
           - php: '7.2'
-            db-version: '9.6'
+            db-version: '9.7'
           - php: '7.3'
-            db-version: '9.6'
+            db-version: '9.7'
 
     services:
       database:
@@ -117,7 +118,7 @@ jobs:
 
     steps:
       - name: Set up PHP ${{ matrix.php }}
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
+        uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
         with:
           php-version: '${{ matrix.php }}'
           coverage: none

.github/workflows/local-docker-environment.yml

@@ -108,6 +108,7 @@ jobs:
           - db-version: '9.3'
           - db-version: '9.4'
           - db-version: '9.5'
+          - db-version: '9.6'
           # No PHP 8.5 + Memcached support yet.
           - php: '8.5'
             memcached: true

.github/workflows/phpunit-tests.yml

@@ -76,7 +76,7 @@ jobs:
         os: [ ubuntu-24.04 ]
         php: [ '7.4', '8.0', '8.1', '8.2', '8.3', '8.4', '8.5' ]
         db-type: [ 'mysql' ]
-        db-version: [ '5.7', '8.0', '8.4' ]
+        db-version: [ '5.7', '8.0', '8.4', '9.7' ]
         tests-domain: [ 'example.org' ]
         multisite: [ false, true ]
         memcached: [ false ]
@@ -209,15 +209,13 @@ jobs:
         os: [ ubuntu-24.04 ]
         php: [ '7.4', '8.0', '8.1', '8.2', '8.3', '8.4', '8.5' ]
         db-type: [ 'mysql', 'mariadb' ]
-        db-version: [ '9.6', '12.1' ]
+        db-version: [ '12.1' ]
         multisite: [ false, true ]
         memcached: [ false ]
         db-innovation: [ true ]
 
         exclude:
           # Exclude version combinations that don't exist.
-          - db-type: 'mariadb'
-            db-version: '9.6'
           - db-type: 'mysql'
             db-version: '12.1'
     with:
@@ -283,14 +281,14 @@ jobs:
       fail-fast: false
       matrix:
         php: [ '7.4', '8.4' ]
-        db-version: [ '8.4', '11.8' ]
+        db-version: [ '9.7', '11.8' ]
         db-type: [ 'mysql', 'mariadb' ]
         multisite: [ false ]
 
         include:
           # Include one multisite job for each database type.
           - php: '8.4'
-            db-version: '8.4'
+            db-version: '9.7'
             db-type: 'mysql'
             multisite: true
           - php: '8.4'
@@ -299,13 +297,13 @@ jobs:
             multisite: true
           # Test with memcached.
           - php: '8.4'
-            db-version: '8.4'
+            db-version: '9.7'
             db-type: 'mysql'
             multisite: true
             memcached: true
           # Run specific test groups once.
           - php: '8.4'
-            db-version: '8.4'
+            db-version: '9.7'
             db-type: 'mysql'
             phpunit-test-groups: 'html-api-html5lib-tests'
 
@@ -314,7 +312,7 @@ jobs:
           - db-type: 'mysql'
             db-version: '11.8'
           - db-type: 'mariadb'
-            db-version: '8.4'
+            db-version: '9.7'
 
     with:
       php: ${{ matrix.php }}

.github/workflows/reusable-build-package.yml

@@ -35,7 +35,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version-file: '.nvmrc'
           cache: npm
@@ -53,7 +53,7 @@ jobs:
         run: zip -q -r develop.zip wordpress/.
 
       - name: Upload ZIP as a GitHub Actions artifact
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: wordpress-develop
           path: develop.zip

.github/workflows/reusable-check-built-files.yml

@@ -43,7 +43,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version-file: '.nvmrc'
           cache: npm
@@ -104,7 +104,7 @@ jobs:
 
       # Uploads the diff file as an artifact.
       - name: Upload diff file as artifact
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: ${{ steps.built-file-check.outputs.uncommitted_changes == 'true' }}
         with:
           name: pr-built-file-changes

.github/workflows/reusable-coding-standards-javascript.yml

@@ -40,7 +40,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version-file: '.nvmrc'
           cache: npm

.github/workflows/reusable-coding-standards-php.yml

@@ -52,7 +52,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up PHP
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
+        uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
         with:
           php-version: ${{ inputs.php-version }}
           coverage: none
@@ -65,7 +65,7 @@ jobs:
         run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT"
 
       - name: Cache PHPCS scan cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: |
             .cache/phpcs-src.json

.github/workflows/reusable-end-to-end-tests.yml

@@ -82,7 +82,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version-file: '.nvmrc'
           cache: npm
@@ -145,7 +145,7 @@ jobs:
         run: npm run test:e2e
 
       - name: Archive debug artifacts (screenshots, HTML snapshots)
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: failures-artifacts${{ inputs.LOCAL_SCRIPT_DEBUG && '-SCRIPT_DEBUG' || '' }}-${{ github.run_id }}