chore: [SITE-5205] PHP 8.5 changelog, test fix, contributor update#365
Add PHP 8.5 compatibility note to changelog in both readme.txt and README.md under the 1.4.6-dev heading.
Change cleanup step from always() to success() so the multidev environment is preserved when tests fail, allowing debugging.
Update vendor test package to pick up fix for behat cache clear test (changed .updated to .notice-success selector).
Add metasim to contributors in both README.md and readme.txt.
This reverts commit 1d453eb.
| "pantheon-systems/wpunit-helpers": true | ||
| }, | ||
| "audit": { | ||
| "block-insecure": false |
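Review bot: `"block-insecure": false` under `config.audit` switches off Composer's insecure-package blocking for every dependency, so a future advisory on a real runtime package would no longer fail the build; prefer scoped `config.audit.ignore` entries keyed by advisory ID with a written justification, which keeps the dev-only behat/phpunit advisories quiet while a production advisory still fails audit.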
Because the tests were failing, this is what we decided to do.
https://getpantheon.atlassian.net/browse/SITE-5205?focusedCommentId=350154
It's worth including in the PR description.
This reverts commit a1479b2.
…g-standards in dev
- Add scoped audit.ignore for PKSA-5r1g-c7b7-y1zg (symfony/dom-crawler via behat test deps); dev-only, no prod exposure
- Add --dev to PHP 7.4 coding-standards require so it stays in require-dev
The initial audit.ignore only covered symfony/dom-crawler, leaving 5 advisories active so composer audit still failed. Plugin has zero production dependencies; all flagged packages are transitive of the behat/phpunit dev test stack with no runtime exposure. Ignore the remaining advisories with per-ID justification.
- PKSA-dwsq-ppd2-mb1x symfony/polyfill-intl-idn (CVE-2026-46644, low)
- PKSA-v5yj-8nmz-sk2q symfony/yaml (CVE-2026-45304, low)
- PKSA-ft77-7h5f-p3r6 symfony/yaml (CVE-2026-45305, low)
- PKSA-b14r-zh1d-vdrc symfony/yaml (CVE-2026-45133, low)
- PKSA-z3gr-8qht-p93v phpunit/phpunit (CVE-2026-24765, high; dev test runner)
CI fixture credentials were rotated via the secret-manager provisioning script, which stores the bot's SSH private key under the secret name SSH_PRIVATE_KEY. Update the Behat workflow's ssh-agent step to reference the new name (was SITE_OWNER_SSH_PRIVATE_KEY). The TERMINUS_TOKEN secret already matched the provisioned name and needs no change.
v1.0.0 (and all v1.1.x) run an internal `composer install` against the action's own bundled deps, whose composer.json never defined allow-plugins. Modern composer on the runner refuses to run the bundled phpcs-installer plugin, failing the WP.org Plugin Validation step with an allow-plugins error unrelated to this repo. v2.0.0 was rearchitected to wrap wordpress/plugin-check-action and no longer runs that composer install.
…4 resolve Composer 2.9+ blocks advisory-affected package versions during update/require. The PHP 7.4 test job downgrades pantheon-wp-coding-standards to ^2 and runs `composer update`, which re-resolves the behat upstream-test chain (fabpot/goutte -> guzzle 6 -> guzzlehttp/psr7 ^1.9). psr7 <2.10.2 carries advisories and cannot be upgraded (guzzle 6 pins ^1.9), so the resolve failed with "could not be resolved to an installable set". Re-audited the locked set (`composer audit --locked`): all 6 pre-existing ignores still fire and are kept; added the 3 guzzlehttp/psr7 advisories (CVE-2026-48998, CVE-2026-49214, plus PKSA-hn62-zkx4-1y5q). All are dev-only behat test transitive deps with no production exposure; this plugin ships no runtime composer dependencies.
This reverts commit 0f4c2eb.
The WP.org Plugin Validation check is red here, but it's out of scope for this PR and not caused by these changes. Migration off the deprecated action (mirroring wp-redis SITE-5390) is handled separately in #370.
Summary
- Add PHP 8.5 compatibility note to the changelog in `readme.txt` and `README.md`
- Scoped `config.audit.ignore` entries so `composer audit` passes without disabling audit globally
- Ignore the `guzzlehttp/psr7` advisories that blocked the PHP 7.4 `composer update` re-resolve
- Add `--dev` to the PHP 7.4 `pantheon-wp-coding-standards` require so it stays in `require-dev`
- Update `pantheon-wordpress-upstream-tests` to fix the behat cache-clear test (`.updated` changed to `.notice-success` upstream)
- Reference the `SSH_PRIVATE_KEY` secret (was `SITE_OWNER_SSH_PRIVATE_KEY`)
- Add metasim to contributors in `README.md` and `readme.txt`

Context
SITE-5205
PHP 8.5 was added to the test matrix in PR #362. This PR adds the corresponding changelog entry per the WP plugin release convention, plus the CI dependency fixes needed to get the matrix green.
Composer audit was blocking on advisories pulled transitively by the behat/phpunit dev test stack (`symfony/dom-crawler`, `symfony/polyfill-intl-idn`, `symfony/yaml`, `phpunit/phpunit`). The plugin ships zero production dependencies (`require` is empty), so none of these reach runtime. Rather than the heavier dependency replacement tracked in SITE-5774, they are suppressed via scoped `config.audit.ignore` entries, each with a per-advisory justification. This replaces the earlier blunt `audit.block-insecure: false` workaround (reverted), so real production advisories would still fail audit.

Separately, the PHP 7.4 test job downgrades `pantheon-wp-coding-standards` to `^2` and runs `composer update`. Composer 2.9+ blocks advisory-affected versions during `update`/`require` (distinct from `composer audit`), and the behat chain (`fabpot/goutte` -> `guzzlehttp/guzzle` 6 -> `guzzlehttp/psr7` `^1.9`) could not resolve because `psr7 <2.10.2` carries advisories and cannot be upgraded (guzzle 6 pins `^1.9`). The three `guzzlehttp/psr7` advisories are added to the same ignore list. Before adding them the locked set was re-audited (`composer audit --locked`): all six pre-existing ignores still fire and were kept verbatim.

Ignored advisories (all dev-only, no prod exposure):
The remaining abandoned-package notices (`behat/mink-goutte-driver`, etc.) are a separate concern tracked in SITE-5774, not vulnerabilities.

The deprecated `pantheon-systems/action-wporg-validator` (WP.org Plugin Validation job) is broken upstream and is out of scope here; its migration to `wordpress/plugin-check-action` is tracked separately.

Test plan
- `composer update` resolves (psr7 advisories no longer block)
- `composer audit` clears all vulnerability advisories locally (verified; abandoned-package notices remain, tracked in SITE-5774)
- Changelog entry present in `readme.txt` and `README.md`
- Behat workflow runs in CI (depends on the `SSH_PRIVATE_KEY`/`TERMINUS_TOKEN` secrets being present on the repo)
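The scoped form of the audit config this PR describes, as an added illustration rather than the repository's own composer.json: the blunt `"block-insecure": false` line from the reviewed diff is gone, and each suppressed advisory sits under `config.audit.ignore` keyed by its ID with the justification taken from the commit messages above. It assumes a Composer version that accepts the object form of `ignore` (advisory ID to reason text); the package name is a placeholder and the PKSA IDs are the ones quoted on this page.

```json
{
  "name": "example/placeholder-plugin",
  "require": {},
  "config": {
    "audit": {
      "ignore": {
        "PKSA-5r1g-c7b7-y1zg": "symfony/dom-crawler, transitive via behat test deps only; dev-only, no prod exposure",
        "PKSA-z3gr-8qht-p93v": "phpunit/phpunit (CVE-2026-24765), dev test runner only; not shipped",
        "PKSA-hn62-zkx4-1y5q": "guzzlehttp/psr7, pinned ^1.9 by guzzle 6 in the behat chain; dev-only"
      }
    }
  }
}
```

Run `composer audit --locked` after editing so the entries are checked against the lock file, and remove each entry as the corresponding dev package is replaced under SITE-5774.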