Merge branch 'trunk' into fix/major-publishing-actions

Author: Infinite-Null

.env.example

@@ -46,12 +46,12 @@ LOCAL_DB_TYPE=mysql
 ##
 # The database version to use.
 #
-# Defaults to 8.0 with the assumption that LOCAL_DB_TYPE is set to `mysql` above.
+# Defaults to 9.7 with the assumption that LOCAL_DB_TYPE is set to `mysql` above.
 #
 # When using `mysql`, see https://hub.docker.com/_/mysql for valid versions.
 # When using `mariadb`, see https://hub.docker.com/_/mariadb for valid versions.
 ##
-LOCAL_DB_VERSION=8.4
+LOCAL_DB_VERSION=9.7
 
 # Whether or not to enable multisite.
 LOCAL_MULTISITE=false

.github/workflows/commit-built-file-changes.yml

@@ -40,7 +40,9 @@ jobs:
     if: ${{ github.repository == 'wordpress/wordpress-develop' }}
     timeout-minutes: 10
     permissions:
-      contents: write
+      # The actual `git push` is authenticated via a dedicated GitHub App installation token
+      # generated below, so `GITHUB_TOKEN` only needs read access to the triggering workflow's artifacts.
+      actions: read # Required to list and download the artifact uploaded by the triggering workflow run.
     steps:
       - name: Download artifact
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
@@ -90,21 +92,18 @@ jobs:
         id: generate_token
         if: ${{ steps.artifact-check.outputs.exists == 'true' }}
         env:
-          GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }}
+          GH_APP_ID: ${{ vars.GH_PR_BUILT_FILES_APP_ID }}
           GH_APP_PRIVATE_KEY: ${{ secrets.GH_PR_BUILT_FILES_PRIVATE_KEY }}
         run: |
-          echo "$GH_APP_PRIVATE_KEY" > private-key.pem
-
           # Generate JWT
           JWT=$(python3 - <<EOF
-          import jwt, time
-          private_key = open("private-key.pem", "r").read()
+          import jwt, time, os
           payload = {
               "iat": int(time.time()),
               "exp": int(time.time()) + 600,  # 10-minute expiration
-              "iss": $GH_APP_ID
+              "iss": int(os.environ["GH_APP_ID"]),
           }
-          print(jwt.encode(payload, private_key, algorithm="RS256"))
+          print(jwt.encode(payload, os.environ["GH_APP_PRIVATE_KEY"], algorithm="RS256"))
           EOF
           )
 
@@ -118,9 +117,7 @@ jobs:
             -H "Accept: application/vnd.github.v3+json" \
             "https://api.github.com/app/installations/$INSTALLATION_ID/access_tokens" | jq -r '.token')
 
-          echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"
-
-          rm -f private-key.pem
+          echo "access-token=$ACCESS_TOKEN" >> "$GITHUB_OUTPUT"
 
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -130,12 +127,13 @@ jobs:
           ref: ${{ github.event.workflow_run.head_branch }}
           path: 'pr-repo'
           show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
-          token: ${{ env.ACCESS_TOKEN }}
+          token: ${{ steps.generate_token.outputs.access-token }}
+          persist-credentials: true
 
       - name: Apply patch
         if: ${{ steps.artifact-check.outputs.exists == 'true' }}
         working-directory: 'pr-repo'
-        run: git apply ${{ github.workspace }}/changes.diff
+        run: git apply "$GITHUB_WORKSPACE/changes.diff"
 
       - name: Display changes to versioned files
         if: ${{ steps.artifact-check.outputs.exists == 'true' }}
@@ -146,10 +144,10 @@ jobs:
         if: ${{ steps.artifact-check.outputs.exists == 'true' }}
         working-directory: 'pr-repo'
         env:
-          GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }}
+          GH_APP_ID: ${{ vars.GH_PR_BUILT_FILES_APP_ID }}
         run: |
           git config user.name "wordpress-develop-pr-bot[bot]"
-          git config user.email ${{ env.GH_APP_ID }}+wordpress-develop-pr-bot[bot]@users.noreply.github.com
+          git config user.email "${GH_APP_ID}+wordpress-develop-pr-bot[bot]@users.noreply.github.com"
 
       - name: Stage changes
         if: ${{ steps.artifact-check.outputs.exists == 'true' }}

.github/workflows/end-to-end-tests.yml

@@ -53,7 +53,7 @@ permissions: {}
 
 env:
   LOCAL_DIR: build
-  PUPPETEER_SKIP_DOWNLOAD: ${{ true }}
+  PUPPETEER_SKIP_DOWNLOAD: true
 
 jobs:
   # Runs the end-to-end test suite.

.github/workflows/install-testing.yml

@@ -49,7 +49,6 @@ jobs:
     uses: ./.github/workflows/reusable-support-json-reader-v1.yml
     permissions:
       contents: read
-    secrets: inherit
     if: ${{ github.repository == 'WordPress/wordpress-develop' }}
     with:
       wp-version: ${{ inputs.wp-version }}
@@ -95,11 +94,12 @@ jobs:
           - db-version: '9.3'
           - db-version: '9.4'
           - db-version: '9.5'
+          - db-version: '9.6'
           # MySQL 9.0+ will not work on PHP 7.2 & 7.3. See https://core.trac.wordpress.org/ticket/61218.
           - php: '7.2'
-            db-version: '9.6'
+            db-version: '9.7'
           - php: '7.3'
-            db-version: '9.6'
+            db-version: '9.7'
 
     services:
       database:
@@ -118,7 +118,7 @@ jobs:
 
     steps:
       - name: Set up PHP ${{ matrix.php }}
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+        uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
         with:
           php-version: '${{ matrix.php }}'
           coverage: none

.github/workflows/local-docker-environment.yml

@@ -79,7 +79,6 @@ jobs:
     uses: ./.github/workflows/reusable-support-json-reader-v1.yml
     permissions:
       contents: read
-    secrets: inherit
     if: ${{ github.repository == 'WordPress/wordpress-develop' }}
     with:
       wp-version: ${{ github.event_name == 'pull_request' && github.base_ref || github.ref_name }}
@@ -109,6 +108,7 @@ jobs:
           - db-version: '9.3'
           - db-version: '9.4'
           - db-version: '9.5'
+          - db-version: '9.6'
           # No PHP 8.5 + Memcached support yet.
           - php: '8.5'
             memcached: true

.github/workflows/phpunit-tests.yml

@@ -66,15 +66,17 @@ jobs:
     uses: ./.github/workflows/reusable-phpunit-tests-v3.yml
     permissions:
       contents: read
-    secrets: inherit
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+      WPT_REPORT_API_KEY: ${{ secrets.WPT_REPORT_API_KEY }}
     if: ${{ startsWith( github.repository, 'WordPress/' ) && ( github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' ) }}
     strategy:
       fail-fast: false
       matrix:
         os: [ ubuntu-24.04 ]
         php: [ '7.4', '8.0', '8.1', '8.2', '8.3', '8.4', '8.5' ]
         db-type: [ 'mysql' ]
-        db-version: [ '5.7', '8.0', '8.4' ]
+        db-version: [ '5.7', '8.0', '8.4', '9.7' ]
         tests-domain: [ 'example.org' ]
         multisite: [ false, true ]
         memcached: [ false ]
@@ -143,7 +145,9 @@ jobs:
     uses: ./.github/workflows/reusable-phpunit-tests-v3.yml
     permissions:
       contents: read
-    secrets: inherit
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+      WPT_REPORT_API_KEY: ${{ secrets.WPT_REPORT_API_KEY }}
     if: ${{ startsWith( github.repository, 'WordPress/' ) && ( github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' ) }}
     strategy:
       fail-fast: false
@@ -177,7 +181,7 @@ jobs:
       multisite: ${{ matrix.multisite }}
       memcached: ${{ matrix.memcached }}
       phpunit-config: ${{ matrix.multisite && 'tests/phpunit/multisite.xml' || 'phpunit.xml.dist' }}
-      report: ${{ false }}
+      report: false
 
   #
   # Creates PHPUnit test jobs to test MariaDB and MySQL innovation releases.
@@ -195,23 +199,23 @@ jobs:
     uses: ./.github/workflows/reusable-phpunit-tests-v3.yml
     permissions:
       contents: read
-    secrets: inherit
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+      WPT_REPORT_API_KEY: ${{ secrets.WPT_REPORT_API_KEY }}
     if: ${{ startsWith( github.repository, 'WordPress/' ) && ( github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' ) }}
     strategy:
       fail-fast: false
       matrix:
         os: [ ubuntu-24.04 ]
         php: [ '7.4', '8.0', '8.1', '8.2', '8.3', '8.4', '8.5' ]
         db-type: [ 'mysql', 'mariadb' ]
-        db-version: [ '9.6', '12.1' ]
+        db-version: [ '12.1' ]
         multisite: [ false, true ]
         memcached: [ false ]
         db-innovation: [ true ]
 
         exclude:
           # Exclude version combinations that don't exist.
-          - db-type: 'mariadb'
-            db-version: '9.6'
           - db-type: 'mysql'
             db-version: '12.1'
     with:
@@ -223,7 +227,7 @@ jobs:
       multisite: ${{ matrix.multisite }}
       memcached: ${{ matrix.memcached }}
       phpunit-config: ${{ matrix.multisite && 'tests/phpunit/multisite.xml' || 'phpunit.xml.dist' }}
-      report: ${{ false }}
+      report: false
 
   #
   # Runs the HTML API test group.
@@ -238,7 +242,9 @@ jobs:
     uses: ./.github/workflows/reusable-phpunit-tests-v3.yml
     permissions:
       contents: read
-    secrets: inherit
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+      WPT_REPORT_API_KEY: ${{ secrets.WPT_REPORT_API_KEY }}
     if: ${{ startsWith( github.repository, 'WordPress/' ) && ( github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' ) }}
     strategy:
       fail-fast: false
@@ -267,20 +273,22 @@ jobs:
     uses: ./.github/workflows/reusable-phpunit-tests-v3.yml
     permissions:
       contents: read
-    secrets: inherit
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+      WPT_REPORT_API_KEY: ${{ secrets.WPT_REPORT_API_KEY }}
     if: ${{ ! startsWith( github.repository, 'WordPress/' ) && github.event_name == 'pull_request' }}
     strategy:
       fail-fast: false
       matrix:
         php: [ '7.4', '8.4' ]
-        db-version: [ '8.4', '11.8' ]
+        db-version: [ '9.7', '11.8' ]
         db-type: [ 'mysql', 'mariadb' ]
         multisite: [ false ]
 
         include:
           # Include one multisite job for each database type.
           - php: '8.4'
-            db-version: '8.4'
+            db-version: '9.7'
             db-type: 'mysql'
             multisite: true
           - php: '8.4'
@@ -289,13 +297,13 @@ jobs:
             multisite: true
           # Test with memcached.
           - php: '8.4'
-            db-version: '8.4'
+            db-version: '9.7'
             db-type: 'mysql'
             multisite: true
             memcached: true
           # Run specific test groups once.
           - php: '8.4'
-            db-version: '8.4'
+            db-version: '9.7'
             db-type: 'mysql'
             phpunit-test-groups: 'html-api-html5lib-tests'
 
@@ -304,7 +312,7 @@ jobs:
           - db-type: 'mysql'
             db-version: '11.8'
           - db-type: 'mariadb'
-            db-version: '8.4'
+            db-version: '9.7'
 
     with:
       php: ${{ matrix.php }}

.github/workflows/reusable-build-package.yml

@@ -35,7 +35,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version-file: '.nvmrc'
           cache: npm
@@ -53,7 +53,7 @@ jobs:
         run: zip -q -r develop.zip wordpress/.
 
       - name: Upload ZIP as a GitHub Actions artifact
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: wordpress-develop
           path: develop.zip

.github/workflows/reusable-check-built-files.yml

@@ -40,9 +40,10 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+          persist-credentials: false
 
       - name: Set up Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version-file: '.nvmrc'
           cache: npm
@@ -56,7 +57,7 @@ jobs:
       # Since Composer dependencies are installed using `composer update` and no lock file is in version control,
       # passing a custom cache suffix ensures that the cache is flushed at least once per week.
       - name: Install Composer dependencies
-        uses: ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda # v4.0.0
+        uses: ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda # 4.0.0
         with:
           custom-cache-suffix: ${{ steps.get-date.outputs.date }}
 
@@ -103,7 +104,7 @@ jobs:
 
       # Uploads the diff file as an artifact.
       - name: Upload diff file as artifact
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: ${{ steps.built-file-check.outputs.uncommitted_changes == 'true' }}
         with:
           name: pr-built-file-changes

.github/workflows/reusable-cleanup-pull-requests.yml

@@ -19,7 +19,7 @@ jobs:
   # - Parse fixed ticket numbers from the commit message.
   # - Parse the SVN revision from the commit message.
   # - Searches for pull requests referencing any fixed tickets.
-  # - Leaves a comment on each PR before closing.
+# - Comments on pull requests referencing any fixed tickets before closing.
   close-prs:
     name: Find and close PRs
     runs-on: ubuntu-24.04
@@ -43,13 +43,17 @@ jobs:
           COMMIT_MESSAGE="$(echo "$COMMIT_MSG_RAW" | sed -n '$p')"
           echo "svn_revision_number=$(echo "$COMMIT_MESSAGE" | sed -n 's/.*git-svn-id: https:\/\/develop.svn.wordpress.org\/[^@]*@\([0-9]*\) .*/\1/p')" >> "$GITHUB_OUTPUT"
 
-      - name: Find pull requests
-        id: linked-prs
+      - name: Find, comment on, and close pull requests
         if: ${{ steps.trac-tickets.outputs.fixed_list != '' && steps.git-svn-id.outputs.svn_revision_number != '' }}
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          FIXED_LIST: ${{ steps.trac-tickets.outputs.fixed_list }}
+          SVN_REVISION_NUMBER: ${{ steps.git-svn-id.outputs.svn_revision_number }}
         with:
           script: |
-            const fixedList = "${{ steps.trac-tickets.outputs.fixed_list }}".split(' ').filter(Boolean);
+            const fixedList = process.env.FIXED_LIST.split(' ').filter(Boolean);
+            const svnRevisionNumber = process.env.SVN_REVISION_NUMBER;
+            const githubSha = process.env.GITHUB_SHA;
             let prNumbers = [];
 
             for (const ticket of fixedList) {
@@ -86,19 +90,10 @@ jobs:
               prNumbers.push(...matchingPRs);
             }
 
-            return prNumbers;
-
-      - name: Comment and close pull requests
-        if: ${{ steps.trac-tickets.outputs.fixed_list != '' && steps.git-svn-id.outputs.svn_revision_number != '' }}
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
-        with:
-          script: |
-            const prNumbers = ${{ steps.linked-prs.outputs.result }};
-
             const commentBody = `A commit was made that fixes the Trac ticket referenced in the description of this pull request.
 
-            SVN changeset: [${{ steps.git-svn-id.outputs.svn_revision_number }}](https://core.trac.wordpress.org/changeset/${{ steps.git-svn-id.outputs.svn_revision_number }})
-            GitHub commit: https://github.com/WordPress/wordpress-develop/commit/${{ github.sha }}
+            SVN changeset: [${svnRevisionNumber}](https://core.trac.wordpress.org/changeset/${svnRevisionNumber})
+            GitHub commit: https://github.com/WordPress/wordpress-develop/commit/${githubSha}
 
             This PR will be closed, but please confirm the accuracy of this and reopen if there is more work to be done.`;