Make WordPress Core

Opened 4 months ago

Last modified 8 days ago

#59805 new task (blessed)

GitHub Actions updates and improvements for 6.5

Reported by: jorbin
Owned by:
Milestone: 6.5
Priority: normal
Severity: normal
Version:
Component: Build/Test Tools
Keywords: has-patch
Focuses:
Cc:

Description

This ticket is for various updates and improvements for Core's GitHub Actions workflows.

Previously:

Change History (21)

#1
4 months ago

This ticket was mentioned in PR #5619 on WordPress/wordpress-develop by @ayeshrajans.

  • Keywords has-patch added

#2 @ayeshrajans
4 months ago

Suggesting a small improvement to add `permissions: {}` to all GHA yml files. Most of the CI workflows already have it, but I found four that did not.

#4
4 months ago

This ticket was mentioned in PR #5625 on WordPress/wordpress-develop by @swissspidy.

This is a follow-up to [56972] from core-58867

Turns out `github.event.before` is also "empty", containing all 00000, for the first commit in a new branch when opening a PR. That means when opening a PR performance tests don’t currently run until you add a second commit.

To avoid this scenario but still prevent an error when a new permanent branch like 6.4 is created, this changes the performance test workflow to simply skip the target comparison if there is no "before".

Trac ticket: https://core.trac.wordpress.org/ticket/59805
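An illustrative workflow fragment (added here, not the project's actual performance workflow) that treats an empty or all-zero `github.event.before` as "no baseline" and skips the comparison step in that case; the job, step and script names are assumed:

```yaml
# Added example, not code from wordpress-develop. Job and step names are assumed.
name: Performance Tests (illustrative)

on:
  push:
    branches: [ trunk ]
  pull_request:

permissions: {}

jobs:
  performance:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # github.event.before is an empty string for a newly opened PR and the
      # all-zero SHA for the first push to a new branch; neither is a usable
      # baseline. The value is passed through env rather than interpolated into
      # the script so the shell never sees raw expression output.
      - name: Determine whether a baseline commit exists
        id: baseline
        env:
          BEFORE: ${{ github.event.before }}
        run: |
          if [ -z "$BEFORE" ] \
             || [ "$BEFORE" = "0000000000000000000000000000000000000000" ] \
             || ! git cat-file -e "${BEFORE}^{commit}" 2>/dev/null; then
            echo "has_before=false" >> "$GITHUB_OUTPUT"
          else
            echo "has_before=true" >> "$GITHUB_OUTPUT"
          fi

      - name: Run performance tests on the current commit
        run: echo "run the test suite here (assumed command)"

      # Only compare when a real previous commit exists; otherwise this step
      # is skipped instead of failing the whole workflow.
      - name: Compare against the previous commit
        if: steps.baseline.outputs.has_before == 'true'
        env:
          BEFORE: ${{ github.event.before }}
        run: echo "compare current results against $BEFORE (assumed command)"
```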

#5 @swissspidy commented on PR #5625:
4 months ago

Proof that the performance test ran for the very first commit in this PR, before I accidentally cancelled it by pushing another commit: https://github.com/WordPress/wordpress-develop/actions/runs/6771717029/job/18402712469?pr=5625

#6 @desrosj commented on PR #5619:
4 months ago

Thanks for this, @ayesh!

I did a little bit of digging, and this is explicitly noted in the Reusing Workflows documentation:

  • If `jobs.<job_id>.permissions` is not specified in the calling job, the called workflow will have the default permissions for the `GITHUB_TOKEN`.
  • The `GITHUB_TOKEN` permissions passed from the caller workflow can be only downgraded (not elevated) by the called workflow.

We are currently passing permissions to the callable workflows with contents: read in the calling workflows with a few exceptions in the upgrade-testing.yml file. It seems the first testing job only has permissions defined. We should add that.

I'm trying to think through scenarios where not having permissions in the callable workflow would be problematic if we're always explicitly passing permissions. Additionally, since the workflow is hard coded to use the version found within trunk (which can only be committed to through SVN), I'm not sure if we need to. I guess the scenario would need to be:

  • Create a PR changing the target branch for the called workflow.
  • Remove permissions within that branch in the calling workflow.
  • Change the called workflow to misuse/escalate $GITHUB_TOKEN.

However, I don't think that this would have any effect. The maximum access for pull requests from public forked repositories is `read` for all scopes. The attacker would need to use `pull_request_target`, and that does not work unless the workflow exists within the base branch with `pull_request_target` as well.
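The pattern discussed in comments #2 and #6, as an added example (not the project's own workflow files): the calling workflow starts from `permissions: {}`, the calling job passes only `contents: read` to the reusable workflow, and the reusable workflow declares the same scope itself so it never depends on the caller remembering to do so. File names, job names and the `php-version` input are assumed.

```yaml
# Added example, not files from wordpress-develop. Paths and job names are assumed.

# .github/workflows/caller.yml
name: Caller
on: [push, pull_request]

# Empty default: every job must opt in to the scopes it actually needs.
permissions: {}

jobs:
  test:
    # jobs.<job_id>.permissions is what the reusable workflow receives. If it
    # is omitted, the called workflow gets the repository's default token
    # permissions instead of this explicit, minimal set.
    permissions:
      contents: read
    uses: ./.github/workflows/reusable-test.yml
    with:
      php-version: '8.3'

---
# .github/workflows/reusable-test.yml
name: Reusable test
on:
  workflow_call:
    inputs:
      php-version:
        required: true
        type: string

# Declared here as well. A called workflow can only downgrade the permissions
# it was passed, never elevate them, so this acts as a cap the workflow applies
# to itself even if a caller ever forgets jobs.<job_id>.permissions.
permissions:
  contents: read

jobs:
  phpunit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: shivammathur/setup-php@v2
        with:
          php-version: ${{ inputs.php-version }}
      - run: composer install --no-interaction
      - run: vendor/bin/phpunit
```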

#7 @desrosj
4 months ago

In 57082:

Build/Test Tools: Add 6.3 to the Upgrade Testing workflow.

This adds WordPress 6.3 to the Upgrade Testing GitHub Actions workflow.

See #59805.

#8 @desrosj
4 months ago

In 57085:

Build/Test Tools: Use correct order of arguments for contains().

This corrects the order the arguments are passed to the contains() function in the Performance Testing workflow.

Because the arguments were passed incorrectly, the expression was not evaluating correctly.

Follow up to [56972].

Props hellofromTonya.
See #59805.

#10 @desrosj commented on PR #5625:
4 months ago

@swissspidy Went to reopen this but looks like the branch was deleted. Do you want to undelete and reopen, or open a fresh PR?

#11 @desrosj
3 months ago

In 57180:

Build/Test Tools: Group GitHub Action Dependabot updates.

This updates the Dependabot configuration file to make use of groups, configuring all third-party GitHub Action updates available into a single pull request to help reduce noise.

Props bradparbs.
See #59805.
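A Dependabot configuration of the kind described in [57180], added here as an example rather than the project's actual `.github/dependabot.yml`; the group name and schedule are assumed:

```yaml
# Added example, not the project's actual dependabot.yml. Group name and
# schedule interval are assumed.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      # One group matching every action, so all available third-party
      # action version bumps arrive in a single pull request instead of
      # one PR per action.
      github-actions:
        patterns:
          - "*"
```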

#12 @desrosj
2 months ago

In 57197:

Build/Test Tools: Update third-party GitHub Actions.

This updates the following GitHub Actions to their latest versions:

  • actions/checkout
  • actions/setup-node
  • actions/upload-artifact
  • actions/cache
  • actions/github-script
  • shivammathur/setup-php

See #59805.

#13 @desrosj
2 months ago

In 57203:

Build/Test Tools: Add more context to artifact names.

This adds a bit more context to the E2E workflow artifact names in order to avoid duplicates being uploaded.

With the update to v4 of actions/upload-artifact in [57197], artifacts are now uploaded on a per job basis. Multiple jobs cannot upload the same artifact.

Props johnbillion.
See #59805.

#14 @desrosj
7 weeks ago

In 57249:

Build/Test Tools: Remove svn debug command.

SVN support has officially been sunset by GitHub. While SVN has not been utilized in GitHub Action workflows, the version of SVN being used has been output for debugging purposes.

This removes those debug lines to prevent encountering failures as new versions of test runners are pushed out without svn installed.

See https://github.blog/changelog/2024-01-08-subversion-has-been-sunset/.

See #59805.

#15 @desrosj
7 weeks ago

In 57250:

Build/Test Tools: Increase the max old space size in Node.

The Test Build Processes workflow started failing recently on macOS runners due to “JavaScript heap out of memory” errors (see https://github.com/WordPress/wordpress-develop/actions/runs/7421385568/job/20209241826#step:8:82).

This increases the maximum memory size of the old memory section in Node from the default of 4GB to 8GB (specified in megabytes) to avoid unnecessary failures while ways to optimize the Gutenberg build process are explored.

Props dmsnell, joemcgill, hellofromTonya, isabel_brison.
See #59805.

#16 follow-up: @swissspidy
5 weeks ago

@desrosj actions/cache was just updated to v4 last week which updates the action to use Node 20. Would be nice to make that bump to get rid of the dozens of "Node.js 16 actions are deprecated" warnings in the logs.

#17 in reply to: ↑ 16 @desrosj
4 weeks ago

Replying to swissspidy:

@desrosj actions/cache was just updated to v4 last week which updates the action to use Node 20. Would be nice to make that bump to get rid of the dozens of "Node.js 16 actions are deprecated" warnings in the logs.

Looks like the latest Dependabot PR should take care of these.

I wish that GitHub surfaced these in some sort of notifications screen. They do announce these things ahead of time on their (WordPress 🎉) blog, but unless you're looking at the workflow encountering the notices you'd never know when they actually implement the changes.

#18 @desrosj
4 weeks ago

In 57362:

Build/Test Tools: Update third-party GitHub Actions.

This updates the following third-party GitHub Actions to their latest versions:

  • actions/setup-node from 3.8.1 to 4.0.1
  • actions/upload-artifact from 3.1.2 to 4.3.0
  • shivammathur/setup-php from 2.28.0 to 2.29.0
  • actions/cache from 3.3.2 to 4.0.0
  • codecov/codecov-action from 3.1.4 to 3.1.5

Most notably, these updates silence newly encountered notices as a result of GitHub beginning to transition away from Node.js 16 to Node.js 20 (see https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/).

Props swissspidy.
See #59805.

#19 @desrosj
4 weeks ago

Looks like we're still seeing some of those Node.js notices, most seem due to the setup-php action needing to be updated. The change has been made upstream, but a release has not yet been published.

#20 @desrosj
4 weeks ago

In 57376:

Build/Test Tools: Update third-party Slack action.

This updates the slackapi/slack-github-action from 1.24.0 to 1.25.0. This fixes more GitHub Action deprecated notices.

Follow up to [57362].

See #59805.

#21 @swissspidy
8 days ago

In 57655:

Build/Test Tools: Update third-party GitHub Actions.

This updates the following third-party GitHub Actions to their latest versions:

  • Updates actions/setup-node from 4.0.1 to 4.0.2
  • Updates actions/upload-artifact from 4.3.0 to 4.3.1

Props desrosj, thelovekesh.
See #59805.
