Merge branch 'main' into copilot/add-delete-old-core-files

Author: swissspidy

.github/workflows/code-quality.yml

@@ -6,6 +6,8 @@ on:
     branches:
       - main
       - master
+  schedule:
+     - cron: '17 2 * * *' # Run every day on a seemly random time.
 
 jobs:
   code-quality:

.github/workflows/copilot-setup-steps.yml

@@ -17,7 +17,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Check existence of composer.json file
         id: check_composer_file

.typos.toml

@@ -0,0 +1,6 @@
+[default]
+extend-ignore-re = [
+	"(?Rm)^.*(#|//)\\s*spellchecker:disable-line$",
+	"(?s)(#|//)\\s*spellchecker:off.*?\\n\\s*(#|//)\\s*spellchecker:on",
+	"(#|//)\\s*spellchecker:ignore-next-line\\n.*"
+]

README.md

@@ -239,6 +239,8 @@ Transforms an existing single-site installation into a multisite installation.
 wp core multisite-convert [--title=<network-title>] [--base=<url-path>] [--subdomains] [--skip-config]
 ~~~
 
+**Alias:** `install-network`
+
 Creates the multisite database tables, and adds the multisite constants
 to wp-config.php.
 
@@ -344,6 +346,8 @@ Updates WordPress to a newer version.
 wp core update [<zip>] [--minor] [--version=<version>] [--force] [--locale=<locale>] [--format=<format>] [--insecure]
 ~~~
 
+**Alias:** `upgrade`
+
 Defaults to updating WordPress to the latest version.
 
 If you see "Error: Another update is currently in progress.", you may

composer.json

@@ -13,7 +13,7 @@
     ],
     "require": {
         "composer/semver": "^1.4 || ^2 || ^3",
-        "wp-cli/wp-cli": "^2.12"
+        "wp-cli/wp-cli": "^2.13"
     },
     "require-dev": {
         "wp-cli/checksum-command": "^1 || ^2",

features/core-check-update.feature

@@ -70,3 +70,19 @@ Feature: Check for more recent versions
       """
       ---
       """
+
+  Scenario: Check update shows warning when version check API fails
+    Given a WP install
+    And that HTTP requests to https://api.wordpress.org/core/version-check/1.7/ will respond with:
+      """
+      HTTP/1.1 500 Internal Server Error
+      Content-Type: text/plain
+
+      <Error body>
+      """
+
+    When I try `wp core check-update --force-check`
+    Then STDERR should contain:
+      """
+      Warning: Failed to check for updates
+      """

features/core-update.feature

@@ -167,7 +167,7 @@ Feature: Update WordPress core
     When I run `wp core update`
     Then STDOUT should contain:
       """
-      WordPress is up to date
+      WordPress is up to date at version
       """
     And STDOUT should not contain:
       """
@@ -504,3 +504,57 @@ Feature: Update WordPress core
     # Verify files from $_old_files were removed
     And the wp-includes/blocks/post-author/editor.css file should not exist
     And the wp-includes/blocks/post-author/editor.min.css file should not exist
+
+  @require-php-7.0 @require-wp-6.1
+  Scenario: Attempting to downgrade without --force shows helpful message
+    Given a WP install
+
+    When I run `wp core version`
+    Then save STDOUT as {WP_CURRENT_VERSION}
+
+    When I try `wp core update --version=6.0`
+    Then STDOUT should contain:
+      """
+      WordPress is up to date at version
+      """
+    And STDOUT should contain:
+      """
+      is older than the current version
+      """
+    And STDOUT should contain:
+      """
+      Use --force to update anyway
+      """
+    And STDOUT should not contain:
+      """
+      Success:
+      """
+    And the return code should be 0
+
+    When I run `wp core update --version=6.0 --force`
+    Then STDOUT should contain:
+      """
+      Updating to version 6.0
+      """
+    And STDOUT should contain:
+      """
+      Success: WordPress updated successfully.
+      """
+
+  Scenario: Show helpful tip when update is locked
+    Given a WP install
+
+    When I run `wp option update core_updater.lock 100000000000000`
+    And I try `wp core update --version=trunk`
+    Then STDERR should contain:
+      """
+      Another update is currently in progress. You may need to run `wp option delete core_updater.lock` after verifying another update isn't actually running.
+      """
+    And the return code should be 1
+
+    # Clean up the lock
+    When I run `wp option delete core_updater.lock`
+    Then STDOUT should contain:
+      """
+      Success:
+      """

src/Core_Command.php

@@ -28,9 +28,18 @@
  *     4.5.2
  *
  * @package wp-cli
+ *
+ * @phpstan-type HTTP_Response array{headers: array<string, string>, body: string, response: array{code:false|int, message: false|string}, cookies: array<string, string>, http_response: mixed}
  */
 class Core_Command extends WP_CLI_Command {
 
+	/**
+	 * Stores HTTP API errors encountered during version check.
+	 *
+	 * @var \WP_Error|null
+	 */
+	private $version_check_error = null;
+
 	/**
 	 * Checks for WordPress updates via Version Check API.
 	 *
@@ -92,6 +101,14 @@ public function check_update( $args, $assoc_args ) {
 				[ 'version', 'update_type', 'package_url' ]
 			);
 			$formatter->display_items( $updates );
+		} elseif ( $this->version_check_error ) {
+			// If there was an HTTP error during version check, show a warning
+			WP_CLI::warning(
+				sprintf(
+					'Failed to check for updates: %s',
+					$this->version_check_error->get_error_message()
+				)
+			);
 		} else {
 			WP_CLI::success( 'WordPress is at the latest version.' );
 		}
@@ -644,6 +661,10 @@ private static function set_multisite_defaults( $assoc_args ) {
 	}
 
 	private function do_install( $assoc_args ) {
+		/**
+		 * @var \wpdb $wpdb
+		 */
+		global $wpdb;
 		if ( is_blog_installed() ) {
 			return false;
 		}
@@ -695,7 +716,7 @@ function wp_new_blog_notification() {
 			$args['locale']
 		);
 
-		if ( ! empty( $GLOBALS['wpdb']->last_error ) ) {
+		if ( ! empty( $wpdb->last_error ) ) {
 			WP_CLI::error( 'Installation produced database errors, and may have partially or completely failed.' );
 		}
 
@@ -1243,7 +1264,12 @@ static function () {
 			if ( is_wp_error( $result ) ) {
 				$message = WP_CLI::error_to_string( $result );
 				if ( 'up_to_date' !== $result->get_error_code() ) {
-					WP_CLI::error( $message );
+					// Check if the error is related to the core_updater.lock
+					if ( self::is_lock_error( $result ) ) {
+						WP_CLI::error( rtrim( $message, '.' ) . '. You may need to run `wp option delete core_updater.lock` after verifying another update isn\'t actually running.' );
+					} else {
+						WP_CLI::error( $message );
+					}
 				} else {
 					WP_CLI::success( $message );
 				}
@@ -1278,8 +1304,14 @@ static function () {
 
 				WP_CLI::success( 'WordPress updated successfully.' );
 			}
+			// Check if user attempted to downgrade without --force
+		} elseif ( ! empty( Utils\get_flag_value( $assoc_args, 'version' ) ) && version_compare( Utils\get_flag_value( $assoc_args, 'version' ), $wp_version, '<' ) ) {
+			// Requested version is older than current (downgrade attempt)
+			WP_CLI::log( "WordPress is up to date at version {$wp_version}." );
+			WP_CLI::log( 'The version you requested (' . Utils\get_flag_value( $assoc_args, 'version' ) . ") is older than the current version ({$wp_version})." );
+			WP_CLI::log( 'Use --force to update anyway (e.g., to downgrade to version ' . Utils\get_flag_value( $assoc_args, 'version' ) . ').' );
 		} else {
-			WP_CLI::success( 'WordPress is up to date.' );
+			WP_CLI::success( "WordPress is up to date at version {$wp_version}." );
 		}
 	}
 
@@ -1448,7 +1480,25 @@ private function get_download_url( $version, $locale = 'en_US', $file_type = 'zi
 	 */
 	private function get_updates( $assoc_args ) {
 		$force_check = Utils\get_flag_value( $assoc_args, 'force-check' );
-		wp_version_check( [], $force_check );
+
+		// Reset error tracking
+		$this->version_check_error = null;
+
+		// Hook into pre_http_request with max priority to capture errors during version check
+		// This is necessary because tests and plugins may use pre_http_request to mock responses
+		add_filter( 'pre_http_request', [ $this, 'capture_version_check_error' ], PHP_INT_MAX, 3 );
+
+		// Also hook into http_api_debug to capture errors from real HTTP requests
+		// This fires when pre_http_request doesn't short-circuit the request
+		add_action( 'http_api_debug', [ $this, 'capture_version_check_error_from_response' ], 10, 5 );
+
+		try {
+			wp_version_check( [], $force_check );
+		} finally {
+			// Ensure the hooks are always removed, even if wp_version_check() throws an exception
+			remove_filter( 'pre_http_request', [ $this, 'capture_version_check_error' ], PHP_INT_MAX );
+			remove_action( 'http_api_debug', [ $this, 'capture_version_check_error_from_response' ], 10 );
+		}
 
 		/**
 		 * @var object{updates: array<object{version: string, locale: string, packages: object{partial?: string, full: string}}>}|false $from_api
@@ -1458,6 +1508,10 @@ private function get_updates( $assoc_args ) {
 			return [];
 		}
 
+		/**
+		 * @var array{wp_version: string} $GLOBALS
+		 */
+
 		$compare_version = str_replace( '-src', '', $GLOBALS['wp_version'] );
 
 		$updates = [
@@ -1505,6 +1559,87 @@ private function get_updates( $assoc_args ) {
 		return array_values( $updates );
 	}
 
+	/**
+	 * Sets or clears the version check error property based on an HTTP response.
+	 *
+	 * @param mixed|\WP_Error $response The HTTP response (WP_Error, array, or other).
+	 *
+	 * @phpstan-param HTTP_Response|WP_Error $response
+	 */
+	private function set_version_check_error( $response ) {
+		if ( is_wp_error( $response ) ) {
+			$this->version_check_error = $response;
+		} elseif ( is_array( $response ) && isset( $response['response']['code'] ) && $response['response']['code'] >= 400 ) {
+			// HTTP error status code (4xx or 5xx) - convert to WP_Error for consistency
+			$this->version_check_error = new \WP_Error(
+				'http_request_failed',
+				sprintf(
+					'HTTP request failed with status %d: %s',
+					$response['response']['code'],
+					isset( $response['response']['message'] ) ? $response['response']['message'] : 'Unknown error'
+				)
+			);
+		} else {
+			// Clear any previous error if we got a successful response.
+			$this->version_check_error = null;
+		}
+	}
+
+	/**
+	 * Handles the pre_http_request filter to capture HTTP errors during version check.
+	 *
+	 * This method signature matches the pre_http_request filter signature.
+	 * Uses PHP_INT_MAX priority to run after test mocking and plugin modifications.
+	 *
+	 * @param false|array|WP_Error $response A preemptive return value of an HTTP request.
+	 * @param array                $args     HTTP request arguments.
+	 * @param string               $url      The request URL.
+	 * @return false|array|WP_Error The response, unmodified.
+	 *
+	 * @phpstan-param HTTP_Response|WP_Error|false $response
+	 */
+	public function capture_version_check_error( $response, $args, $url ) {
+		if ( false === strpos( $url, 'api.wordpress.org/core/version-check' ) ) {
+			return $response;
+		}
+
+		// A `false` response means the request is not being preempted.
+		// In this case, we don't want to change the error status, as the subsequent
+		// `http_api_debug` hook will handle the actual response.
+		if ( false !== $response ) {
+			$this->set_version_check_error( $response );
+		}
+
+		return $response;
+	}
+
+	/**
+	 * Handles the http_api_debug action to capture HTTP errors from real requests.
+	 *
+	 * This fires when pre_http_request doesn't short-circuit the request.
+	 * Uses the http_api_debug action hook signature.
+	 *
+	 * @param array|WP_Error $response HTTP response or WP_Error object.
+	 * @param string         $context  Context of the HTTP request.
+	 * @param string         $_class   HTTP transport class name (unused).
+	 * @param array          $_args    HTTP request arguments (unused).
+	 * @param string         $url      URL being requested.
+	 *
+	 * @phpstan-param HTTP_Response|WP_Error $response
+	 */
+	public function capture_version_check_error_from_response( $response, $context, $_class, $_args, $url ) {
+		if ( false === strpos( $url, 'api.wordpress.org/core/version-check' ) ) {
+			return;
+		}
+
+		// Only capture on response, not pre_response
+		if ( 'response' !== $context ) {
+			return;
+		}
+
+		$this->set_version_check_error( $response );
+	}
+
 	/**
 	 * Clean up extra files.
 	 *
@@ -1904,4 +2039,21 @@ function () use ( $new_zip_file ) {
 			WP_CLI::error( 'ZipArchive failed to open ZIP file.' );
 		}
 	}
+
+	/**
+	 * Checks if a WP_Error is related to the core_updater.lock.
+	 *
+	 * @param \WP_Error $error The error object to check.
+	 * @return bool True if the error is related to the lock, false otherwise.
+	 */
+	private static function is_lock_error( $error ) {
+		// Check for the 'locked' error code used by WordPress Core
+		if ( 'locked' === $error->get_error_code() ) {
+			return true;
+		}
+
+		// Also check if the error message contains the lock text as a fallback
+		$message = WP_CLI::error_to_string( $error );
+		return false !== stripos( $message, 'another update is currently in progress' );
+	}
 }

src/WP_CLI/Core/CoreUpgrader.php

@@ -67,11 +67,8 @@ public function download_package( $package, $check_signatures = false, $hook_ext
 			$hook_extra
 		);
 
-		/**
-		 * @var false|string|\WP_Error $reply
-		 */
-
 		if ( false !== $reply ) {
+			// @phpstan-ignore return.type
 			return $reply;
 		}
 
@@ -96,7 +93,11 @@ function () use ( $temp ) {
 			}
 		);
 
-		$cache     = WP_CLI::get_cache();
+		$cache = WP_CLI::get_cache();
+
+		/**
+		 * @var object{locale: string} $update
+		 */
 		$update    = $GLOBALS['wpcli_core_update_obj'];
 		$cache_key = "core/{$filename}-{$update->locale}.{$extension}";