Merge branch 'trunk' into 62221-hardening

# Conflicts:
#	.github/workflows/reusable-performance.yml

.env.example

@@ -51,7 +51,7 @@ LOCAL_DB_TYPE=mysql
 # When using `mysql`, see https://hub.docker.com/_/mysql for valid versions.
 # When using `mariadb`, see https://hub.docker.com/_/mariadb for valid versions.
 ##
-LOCAL_DB_VERSION=8.0
+LOCAL_DB_VERSION=8.4
 
 # Whether or not to enable multisite.
 LOCAL_MULTISITE=false

.github/workflows/cleanup-pull-requests.yml

@@ -0,0 +1,28 @@
+name: Cleanup Pull Requests
+
+on:
+  push:
+    branches:
+      - trunk
+      - '4.[1-9]'
+      - '[5-9].[0-9]'
+
+# Cancels all previous workflow runs for pull requests that have not completed.
+concurrency:
+  # The concurrency group contains the workflow name and the branch name for pull requests
+  # or the commit hash for any other events.
+  group: ${{ github.workflow }}-${{ github.sha }}
+  cancel-in-progress: true
+
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
+jobs:
+  # Runs pull request cleanup.
+  close-prs:
+    name: Clean up pull requests
+    permissions:
+      pull-requests: write
+    if: ${{ github.repository == 'WordPress/wordpress-develop' }}
+    uses: ./.github/workflows/reusable-cleanup-pull-requests.yml

.github/workflows/install-testing.yml

@@ -78,19 +78,25 @@ jobs:
 
         # Exclude some PHP and MySQL versions that cannot currently be tested with Docker containers.
         exclude:
+          # There are no local WordPress Docker environment containers for PHP <= 5.3.
           - php: '5.2'
           - php: '5.3'
+          # MySQL containers <= 5.5 do not exist or fail to start properly.
           - db-version: '5.0'
           - db-version: '5.1'
           - db-version: '5.5'
+          # The PHP <= 7.3/MySQL 8.4 jobs currently fail due to mysql_native_password being disabled by default. See https://core.trac.wordpress.org/ticket/61218.
           - php: '7.2'
             db-version: '8.4'
           - php: '7.3'
             db-version: '8.4'
+          # Only test the latest innovation release.
+          - db-version: '9.0'
+          # MySQL 9.0+ will not work on PHP 7.2 & 7.3. See https://core.trac.wordpress.org/ticket/61218.
           - php: '7.2'
-            db-version: '9.0'
+            db-version: '9.1'
           - php: '7.3'
-            db-version: '9.0'
+            db-version: '9.1'
 
     services:
       database:

.github/workflows/local-docker-environment.yml

@@ -88,13 +88,15 @@ jobs:
         db-version: ${{ fromJSON( needs.build-test-matrix.outputs.mysql-versions ) }}
 
         exclude:
-          # The MySQL 5.5 containers will not start.
+          # MySQL containers <= 5.5 do not exist or fail to start properly.
           - db-version: '5.5'
-          # MySQL 9.0+ will not work on PHP 7.2 & 7.3
+          # Only test the latest innovation release.
+          - db-version: '9.0'
+          # MySQL 9.0+ will not work on PHP 7.2 & 7.3. See https://core.trac.wordpress.org/ticket/61218.
           - php: '7.2'
-            db-version: '9.0'
+            db-version: '9.1'
           - php: '7.3'
-            db-version: '9.0'
+            db-version: '9.1'
 
     with:
       os: ${{ matrix.os }}

.github/workflows/performance.yml

@@ -32,17 +32,19 @@ permissions: {}
 jobs:
   # Runs the performance test suite.
   performance:
-    name: Performance tests ${{ matrix.memcached && '(with memcached)' || '' }}
+    name: ${{ matrix.multisite && 'Multisite' || 'Single site' }}
     uses: WordPress/wordpress-develop/.github/workflows/reusable-performance.yml@trunk
     permissions:
       contents: read
-    if: ${{ ( github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' ) && ! contains( github.event.before, '00000000' ) }}
+    if: ${{ ( github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' ) }}
     strategy:
       fail-fast: false
       matrix:
         memcached: [ true, false ]
+        multisite: [ true, false ]
     with:
       memcached: ${{ matrix.memcached }}
+      multisite: ${{ matrix.multisite }}
     secrets:
       CODEVITALS_PROJECT_TOKEN: ${{ secrets.CODEVITALS_PROJECT_TOKEN }}
 

.github/workflows/phpunit-tests.yml

@@ -47,7 +47,7 @@ jobs:
         os: [ ubuntu-latest ]
         php: [ '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4' ]
         db-type: [ 'mysql' ]
-        db-version: [ '5.7', '8.0', '8.4', '9.0' ]
+        db-version: [ '5.7', '8.0', '8.4' ]
         tests-domain: [ 'example.org' ]
         multisite: [ false, true ]
         memcached: [ false ]
@@ -91,14 +91,6 @@ jobs:
             multisite: false
             memcached: false
             report: true
-
-        exclude:
-          # MySQL 9.0+ will not work on PHP 7.2 & 7.3
-          - php: '7.2'
-            db-version: '9.0'
-          - php: '7.3'
-            db-version: '9.0'
-
     with:
       os: ${{ matrix.os }}
       php: ${{ matrix.php }}
@@ -126,7 +118,7 @@ jobs:
         os: [ ubuntu-latest ]
         php: [ '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4' ]
         db-type: [ 'mariadb' ]
-        db-version: [ '10.4', '10.6', '10.11', '11.2' ]
+        db-version: [ '5.5', '10.3', '10.4', '10.5', '10.6', '10.11', '11.4' ]
         multisite: [ false, true ]
         memcached: [ false ]
 
@@ -135,13 +127,13 @@ jobs:
         - os: ubuntu-latest
           php: '8.3'
           db-type: 'mariadb'
-          db-version: '11.2'
+          db-version: '11.4'
           multisite: false
           memcached: true
         - os: ubuntu-latest
           php: '8.3'
           db-type: 'mariadb'
-          db-version: '11.2'
+          db-version: '11.4'
           multisite: true
           memcached: true
     with:
@@ -154,13 +146,85 @@ jobs:
       phpunit-config: ${{ matrix.multisite && 'tests/phpunit/multisite.xml' || 'phpunit.xml.dist' }}
       report: ${{ matrix.report || false }}
 
+  #
+  # Creates PHPUnit test jobs to test MariaDB and MySQL innovation releases.
+  #
+  # Though innovation releases are deemed "production grade" and never receive LTS status, they include new features
+  # and updates that will be included in the next LTS version.
+  #
+  # Because upstream support for innovation releases gets dropped when a new one is released, only the most recent
+  # innovation version is tested.
+  #
+  test-innovation-releases:
+    name: PHP ${{ matrix.php }}
+    uses: WordPress/wordpress-develop/.github/workflows/reusable-phpunit-tests-v3.yml@trunk
+    permissions:
+      contents: read
+    secrets: inherit
+    if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ ubuntu-latest ]
+        php: [ '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4' ]
+        db-type: [ 'mysql', 'mariadb' ]
+        db-version: [ '9.1', '11.6' ]
+        multisite: [ false, true ]
+        memcached: [ false ]
+        db-innovation: [ true ]
+
+        exclude:
+          # MySQL 9.0+ will not work on PHP <= 7.3 because mysql_native_password was removed. See https://core.trac.wordpress.org/ticket/61218.
+          - php: '7.2'
+            db-version: '9.1'
+          - php: '7.3'
+            db-version: '9.1'
+          # Exclude version combinations that don't exist.
+          - db-type: 'mariadb'
+            db-version: '9.1'
+          - db-type: 'mysql'
+            db-version: '11.6'
+    with:
+      os: ${{ matrix.os }}
+      php: ${{ matrix.php }}
+      db-type: ${{ matrix.db-type }}
+      db-version: ${{ matrix.db-version }}
+      db-innovation: ${{ matrix.db-innovation }}
+      multisite: ${{ matrix.multisite }}
+      memcached: ${{ matrix.memcached }}
+      phpunit-config: ${{ matrix.multisite && 'tests/phpunit/multisite.xml' || 'phpunit.xml.dist' }}
+      report: ${{ matrix.report || false }}
+
+  #
+  # Runs specific individual test groups.
+  #
+  specific-test-groups:
+    name: ${{ matrix.phpunit-test-groups }}
+    uses: WordPress/wordpress-develop/.github/workflows/reusable-phpunit-tests-v3.yml@trunk
+    permissions:
+      contents: read
+    secrets: inherit
+    if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        php: [ '7.2', '7.4', '8.0', '8.4' ]
+        db-type: [ 'mysql' ]
+        db-version: [ '8.4' ]
+        phpunit-test-groups: [ 'html-api-html5lib-tests' ]
+    with:
+      php: ${{ matrix.php }}
+      db-type: ${{ matrix.db-type }}
+      db-version: ${{ matrix.db-version }}
+      phpunit-test-groups: ${{ matrix.phpunit-test-groups }}
+
   slack-notifications:
     name: Slack Notifications
     uses: WordPress/wordpress-develop/.github/workflows/slack-notifications.yml@trunk
     permissions:
       actions: read
       contents: read
-    needs: [ test-with-mysql, test-with-mariadb ]
+    needs: [ test-with-mysql, test-with-mariadb, test-innovation-releases, specific-test-groups ]
     if: ${{ github.repository == 'WordPress/wordpress-develop' && github.event_name != 'pull_request' && always() }}
     with:
       calling_status: ${{ contains( needs.*.result, 'cancelled' ) && 'cancelled' || contains( needs.*.result, 'failure' ) && 'failure' || 'success' }}

.github/workflows/reusable-cleanup-pull-requests.yml

@@ -0,0 +1,98 @@
+##
+# A reusable workflow that finds and closes any pull requests that are linked to Trac
+# tickets that are referenced as fixed in commit messages.
+#
+# More info about using GitHub pull requests for contributing to WordPress can be found in the handbook: https://make.wordpress.org/core/handbook/contribute/git/github-pull-requests-for-code-review/.
+##
+name: Run pull request cleanup
+
+on:
+  workflow_call:
+
+jobs:
+  # Finds and closes pull requests referencing fixed Trac tickets in commit messages using the
+  # documented expected format
+  #
+  # Commit message format is documented in the Core handbook: https://make.wordpress.org/core/handbook/best-practices/commit-messages/.
+  #
+  # Performs the following steps:
+  # - Parse fixed ticket numbers from the commit message.
+  # - Parse the SVN revision from the commit message.
+  # - Searches for pull requests referencing any fixed tickets.
+  # - Leaves a comment on each PR before closing.
+  close-prs:
+    name: Find and close PRs
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+
+    steps:
+      - name: Find fixed ticket numbers
+        id: trac-tickets
+        run: |
+          COMMIT_MESSAGE=$(cat <<'EOF' | sed -n '/^Fixes #/,/\./p'
+          ${{ github.event.head_commit.message }}
+          EOF
+          )
+          echo "fixed_list=$(echo \"$COMMIT_MESSAGE\" | sed -n 's/.*Fixes #\([0-9]\+\).*/\1/p' | tr '\n' ' ')" >> $GITHUB_OUTPUT
+
+      - name: Get the SVN revision
+        id: git-svn-id
+        run: |
+          COMMIT_MESSAGE=$(cat <<'EOF' | sed -n '$p'
+          ${{ github.event.head_commit.message }}
+          EOF
+          )
+          echo "svn_revision_number=$(echo \"$COMMIT_MESSAGE\" | sed -n 's/.*git-svn-id: https:\/\/develop.svn.wordpress.org\/[^@]*@\([0-9]*\) .*/\1/p')" >> $GITHUB_OUTPUT
+
+      - name: Find pull requests
+        id: linked-prs
+        if: ${{ steps.trac-tickets.outputs.fixed_list != '' && steps.git-svn-id.outputs.svn_revision_number != '' }}
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const fixedList = "${{ steps.trac-tickets.outputs.fixed_list }}".split(' ').filter(Boolean);
+
+            let prNumbers = [];
+
+            for (const ticket of fixedList) {
+              const query = 'is:pr is:open repo:' + context.repo.owner + '/' + context.repo.repo + ' in:body https://core.trac.wordpress.org/ticket/' + ticket;
+              const result = await github.rest.search.issuesAndPullRequests({ q: query });
+
+              prNumbers = prNumbers.concat(result.data.items.map(pr => pr.number));
+            }
+
+            return prNumbers;
+
+      - name: Comment and close pull requests
+        if: ${{ steps.trac-tickets.outputs.fixed_list != '' && steps.git-svn-id.outputs.svn_revision_number != '' }}
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const prNumbers = ${{ steps.linked-prs.outputs.result }};
+
+            const commentBody = `A commit was made that fixes the Trac ticket referenced in the description of this pull request.
+
+            SVN changeset: [${{ steps.git-svn-id.outputs.svn_revision_number }}](https://core.trac.wordpress.org/changeset/${{ steps.git-svn-id.outputs.svn_revision_number }})
+            GitHub commit: https://github.com/WordPress/wordpress-develop/commit/${{ github.sha }}
+
+            This PR will be closed, but please confirm the accuracy of this and reopen if there is more work to be done.`;
+
+            // Update all matched pull requests.
+            for (const prNumber of prNumbers) {
+              // Comment on the pull request with details.
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: prNumber,
+                body: commentBody
+              });
+
+              // Close the pull request.
+              await github.rest.pulls.update({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: prNumber,
+                state: 'closed'
+              });
+            }

.github/workflows/reusable-javascript-tests.yml

@@ -5,6 +5,12 @@ name: JavaScript tests
 
 on:
   workflow_call:
+    inputs:
+      disable-apparmor:
+        description: 'Whether to disable AppArmor.'
+        required: false
+        type: 'boolean'
+        default: false
 
 # Disable permissions for all available scopes by default.
 # Any needed permissions should be configured at the job level.
@@ -49,6 +55,15 @@ jobs:
       - name: Install npm Dependencies
         run: npm ci
 
+      # Older branches using outdated versions of Puppeteer fail on newer versions of the `ubuntu-24` image.
+      # This disables AppArmor in order to work around those failures.
+      #
+      # See https://issues.chromium.org/issues/373753919
+      # and https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md
+      - name: Disable AppArmor
+        if: ${{ inputs.disable-apparmor }}
+        run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
+
       - name: Run QUnit tests
         run: npm run grunt qunit:compiled