Merge branch 'trunk' into fix-63029/align-revision-buttons

Author: yogeshbhutkar

.github/workflows/check-built-files.yml

@@ -0,0 +1,51 @@
+# Checks for uncommitted changes to built files and pushes changes back.
+name: Check built files
+
+on:
+  # Because all commits happen through SVN and should always be manually reviewed by a committer, this workflow only
+  # runs for pull requests.
+  #
+  # Other workflows that run on push will detect changes to versioned files and fail.
+  pull_request_target:
+    branches:
+      - trunk
+      - '6.[8-9]'
+      - '[7-9].[0-9]'
+    paths:
+      # Any change to a CSS, JavaScript, JSON, or SASS file should run checks.
+      - '**.css'
+      - '**.js'
+      - '**.json'
+      - '**.sass'
+      # These files configure npm and the task runner. Changes could affect the outcome.
+      - 'package*.json'
+      - 'Gruntfile.js'
+      - 'webpack.config.js'
+      - 'tools/webpack/**'
+      # These files configure Composer. Changes could affect the outcome.
+      - 'composer.*'
+      # Confirm any changes to relevant workflow files.
+      - '.github/workflows/check-built-files.yml'
+
+# Cancels all previous workflow runs for pull requests that have not completed.
+concurrency:
+  # The concurrency group contains the workflow name and the branch name for pull requests
+  # or the commit hash for any other events.
+  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request_target' && github.head_ref || github.sha }}
+  cancel-in-progress: true
+
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
+jobs:
+  update-built-files:
+    name: Update built files
+    permissions:
+      contents: write
+    if: ${{ github.repository == 'WordPress/wordpress-develop' }}
+    # This should always reference a version of the workflow committed through SVN and never a local reference.
+    uses: WordPress/wordpress-develop/.github/workflows/reusable-check-built-files.yml@trunk
+    secrets:
+      GH_APP_ID: ${{ secrets.GH_PR_MANAGEMENT_APP_ID }}
+      GH_APP_PRIVATE_KEY: ${{ secrets.GH_PR_MANAGEMENT_APP_PRIVATE_KEY }}

.github/workflows/end-to-end-tests.yml

@@ -33,7 +33,7 @@ on:
       - 'tests/e2e/**'
       # Confirm any changes to relevant workflow files.
       - '.github/workflows/end-to-end-tests.yml'
-      - '.github/workflows/reusable-end-to-end-tests-*.yml'
+      - '.github/workflows/reusable-end-to-end-tests*.yml'
   workflow_dispatch:
 
 # Cancels all previous workflow runs for pull requests that have not completed.

.github/workflows/reusable-build-package.yml

@@ -35,7 +35,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Node.js
-        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
         with:
           node-version-file: '.nvmrc'
           cache: npm
@@ -53,7 +53,7 @@ jobs:
         run: zip -q -r develop.zip wordpress/.
 
       - name: Upload ZIP as a GitHub Actions artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: wordpress-develop
           path: develop.zip

.github/workflows/reusable-check-built-files.yml

@@ -0,0 +1,164 @@
+name: Lint GitHub Actions workflows
+on:
+  workflow_call:
+    secrets:
+      GH_APP_ID:
+        description: 'A GitHub App ID.'
+        required: true
+      GH_APP_PRIVATE_KEY:
+        description: 'A GitHub App private key.'
+        required: true
+
+permissions: {}
+
+jobs:
+  # Checks a PR for uncommitted changes to built files.
+  #
+  # This job uses a GitHub App instead of $GITHUB_TOKEN because Dependabot pull requests are only granted
+  # read-only access.
+  #
+  # Performs the following steps:
+  # - Generates a token for authenticating with the GitHub App.
+  # - Checks out the repository.
+  # - Sets up Node.js.
+  # - Configures caching for Composer.
+  # - Installs Composer dependencies.
+  # - Logs general debug information about the runner.
+  # - Installs npm dependencies.
+  # - Builds CSS file using SASS.
+  # - Builds Emoji files.
+  # - Builds bundled Root Certificate files.
+  # - Builds WordPress.
+  # - Checks for changes to versioned files.
+  # - Displays the result of git diff for debugging purposes.
+  # - Configures the Git author.
+  # - Stages changes.
+  # - Commits changes.
+  # - Pushes changes.
+  update-built-files:
+    name: Check and update built files
+    runs-on: ubuntu-24.04
+    # This prevents an unnecessary second run after changes are committed back because Dependabot always rebases
+    # updates and force pushes.
+    if: ${{ github.actor != 'dependabot[bot]' || github.event.commits < 2 }}
+    timeout-minutes: 10
+    permissions:
+      contents: write
+    steps:
+      - name: Generate Installation Token
+        id: generate_token
+        env:
+          GH_APP_ID: ${{ secrets.GH_APP_ID }}
+          GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
+        run: |
+          echo "$GH_APP_PRIVATE_KEY" > private-key.pem
+
+          # Generate JWT
+          JWT=$(python3 - <<EOF
+          import jwt, time
+          private_key = open("private-key.pem", "r").read()
+          payload = {
+              "iat": int(time.time()),
+              "exp": int(time.time()) + 600,  # 10-minute expiration
+              "iss": $GH_APP_ID
+          }
+          print(jwt.encode(payload, private_key, algorithm="RS256"))
+          EOF
+          )
+
+          # Get Installation ID
+          INSTALLATION_ID=$(curl -s -X GET -H "Authorization: Bearer $JWT" \
+            -H "Accept: application/vnd.github.v3+json" \
+            https://api.github.com/app/installations | jq -r '.[0].id')
+
+          # Request Installation Access Token
+          ACCESS_TOKEN=$(curl -s -X POST -H "Authorization: Bearer $JWT" \
+            -H "Accept: application/vnd.github.v3+json" \
+            "https://api.github.com/app/installations/$INSTALLATION_ID/access_tokens" | jq -r '.token')
+
+          echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"
+
+          rm -f private-key.pem
+
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.ref }}
+          show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+          token: ${{ env.ACCESS_TOKEN }}
+
+      - name: Set up Node.js
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
+        with:
+          node-version-file: '.nvmrc'
+          cache: npm
+
+      # This date is used to ensure that the PHPCS cache is cleared at least once every week.
+      # http://man7.org/linux/man-pages/man1/date.1.html
+      - name: "Get last Monday's date"
+        id: get-date
+        run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT"
+
+      # Since Composer dependencies are installed using `composer update` and no lock file is in version control,
+      # passing a custom cache suffix ensures that the cache is flushed at least once per week.
+      - name: Install Composer dependencies
+        uses: ramsey/composer-install@a2636af0004d1c0499ffca16ac0b4cc94df70565 # v3.1.0
+        with:
+          custom-cache-suffix: ${{ steps.get-date.outputs.date }}
+
+      - name: Log debug information
+        run: |
+          npm --version
+          node --version
+          curl --version
+          git --version
+
+      - name: Install npm Dependencies
+        run: npm ci
+
+      - name: Run SASS precommit tasks
+        run: npm run grunt precommit:css
+
+      - name: Run Emoji precommit task
+        run: npm run grunt precommit:emoji
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run certificate tasks
+        run: npm run grunt copy:certificates
+
+      - name: Build WordPress
+        run: npm run build:dev
+
+      - name: Check for changes to versioned files
+        id: built-file-check
+        run: |
+          if git diff --quiet; then
+            echo "uncommitted_changes=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "uncommitted_changes=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Display changes to versioned files
+        if: ${{ steps.built-file-check.outputs.uncommitted_changes == 'true' }}
+        run: git diff
+
+      - name: Configure git user name and email
+        if: ${{ steps.built-file-check.outputs.uncommitted_changes == 'true' }}
+        run: |
+          git config user.name "wordpress-develop-pr-bot[bot]"
+          git config user.email ${{ secrets.GH_APP_ID }}+wordpress-develop-pr-bot[bot]@users.noreply.github.com
+
+      - name: Stage changes
+        if: ${{ steps.built-file-check.outputs.uncommitted_changes == 'true' }}
+        run: git add .
+
+      - name: Commit changes
+        if: ${{ steps.built-file-check.outputs.uncommitted_changes == 'true' }}
+        run: |
+          git commit -m "Automation: Updating built files with changes. [dependabot skip]"
+
+      - name: Push changes
+        if: ${{ steps.built-file-check.outputs.uncommitted_changes == 'true' }}
+        run: git push

.github/workflows/reusable-coding-standards-javascript.yml

@@ -40,7 +40,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Node.js
-        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
         with:
           node-version-file: '.nvmrc'
           cache: npm

.github/workflows/reusable-coding-standards-php.yml

@@ -65,7 +65,7 @@ jobs:
         run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT"
 
       - name: Cache PHPCS scan cache
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
         with:
           path: |
             .cache/phpcs-src.json
@@ -75,7 +75,7 @@ jobs:
       # Since Composer dependencies are installed using `composer update` and no lock file is in version control,
       # passing a custom cache suffix ensures that the cache is flushed at least once per week.
       - name: Install Composer dependencies
-        uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # v3.0.0
+        uses: ramsey/composer-install@a2636af0004d1c0499ffca16ac0b4cc94df70565 # v3.1.0
         with:
           custom-cache-suffix: ${{ steps.get-date.outputs.date }}
 

.github/workflows/reusable-end-to-end-tests.yml

@@ -28,6 +28,11 @@ on:
         description: 'A specific version of Gutenberg to install.'
         required: false
         type: 'string'
+      install-playwright:
+        description: 'Whether to install Playwright browsers.'
+        required: false
+        type: 'boolean'
+        default: true
 
 env:
   LOCAL_DIR: build
@@ -77,7 +82,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Node.js
-        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
         with:
           node-version-file: '.nvmrc'
           cache: npm
@@ -94,6 +99,7 @@ jobs:
         run: npm ci
 
       - name: Install Playwright browsers
+        if: ${{ inputs.install-playwright }}
         run: npx playwright install --with-deps
 
       - name: Build WordPress
@@ -139,7 +145,7 @@ jobs:
         run: npm run test:e2e
 
       - name: Archive debug artifacts (screenshots, HTML snapshots)
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         if: always()
         with:
           name: failures-artifacts${{ inputs.LOCAL_SCRIPT_DEBUG && '-SCRIPT_DEBUG' || '' }}-${{ github.run_id }}

.github/workflows/reusable-javascript-tests.yml

@@ -41,7 +41,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Node.js
-        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
         with:
           node-version-file: '.nvmrc'
           cache: npm

.github/workflows/reusable-performance-report-v2.yml

@@ -62,13 +62,13 @@ jobs:
           persist-credentials: false
 
       - name: Set up Node.js
-        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
         with:
           node-version-file: '.nvmrc'
           cache: npm
 
       - name: Download artifacts
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
           pattern: performance-${{ inputs.multisite && 'multisite' || 'single' }}-${{ inputs.memcached && 'memcached' || 'default' }}-*
           path: artifacts

.github/workflows/reusable-performance-test-v2.yml

@@ -122,7 +122,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Node.js
-        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
         with:
           node-version-file: '.nvmrc'
           cache: npm
@@ -258,7 +258,7 @@ jobs:
           TEST_RESULTS_PREFIX: ${{ inputs.subject != 'current' && inputs.subject || '' }}
 
       - name: Archive artifacts
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         if: always()
         with:
           name: performance-${{ inputs.multisite && 'multisite' || 'single' }}-${{ inputs.memcached && 'memcached' || 'default' }}-${{ inputs.subject }}

.github/workflows/reusable-performance.yml

@@ -139,7 +139,7 @@ jobs:
         run: echo "TARGET_SHA=$(git rev-parse HEAD^1)" >> "$GITHUB_ENV"
 
       - name: Set up Node.js
-        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
         with:
           node-version-file: '.nvmrc'
           cache: npm
@@ -312,7 +312,7 @@ jobs:
         run: npm run test:performance
 
       - name: Archive artifacts
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         if: always()
         with:
           name: performance-artifacts${{ inputs.multisite && '-multisite' || '' }}${{ inputs.memcached && '-memcached' || '' }}-${{ github.run_id }}

.github/workflows/reusable-php-compatibility.yml

@@ -63,15 +63,15 @@ jobs:
         run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT"
 
       - name: Cache PHP compatibility scan cache
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
         with:
           path: .cache/phpcompat.json
           key: ${{ runner.os }}-date-${{ steps.get-date.outputs.date }}-php-${{ inputs.php-version }}-phpcompat-cache-${{ hashFiles('**/composer.json', 'phpcompat.xml.dist') }}
 
       # Since Composer dependencies are installed using `composer update` and no lock file is in version control,
       # passing a custom cache suffix ensures that the cache is flushed at least once per week.
       - name: Install Composer dependencies
-        uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # v3.0.0
+        uses: ramsey/composer-install@a2636af0004d1c0499ffca16ac0b4cc94df70565 # v3.1.0
         with:
           custom-cache-suffix: ${{ steps.get-date.outputs.date }}