Make WordPress Core

Opened 8 months ago

Closed 4 months ago

Last modified 2 weeks ago

#59805 closed task (blessed) (fixed)

GitHub Actions updates and improvements for 6.5

Reported by: jorbin Owned by:
Milestone: 6.5 Priority: normal
Severity: normal Version:
Component: Build/Test Tools Keywords: has-patch
Focuses: Cc:

Description

This ticket is for various updates and improvements for Core's GitHub Actions workflows.

Previously:

Change History (32)

This ticket was mentioned in PR #5619 on WordPress/wordpress-develop by @ayeshrajans.


8 months ago
#1

  • Keywords has-patch added

#2 @ayeshrajans
8 months ago

Suggesting a small improvement to add permissions: {} to all GHA yml files. Most of the CI workflows already have it, but I found four that did not.

This ticket was mentioned in PR #5625 on WordPress/wordpress-develop by @swissspidy.


8 months ago
#4

This is a follow-up to [56972] from core-58867

Turns out github.event.before is also "empty" containing all 00000 for the first commit in a new branch when opening a PR. That means when opening a PR performance tests don’t currently run until you add a second commit.

To avoid this scenario but still prevent an error when a new permanent branch like 6.4 is created, this changes the performance test workflow to simply skip the target comparison if there is no "before".

Trac ticket: https://core.trac.wordpress.org/ticket/59805

@swissspidy commented on PR #5625:


8 months ago
#5

Proof that the performance test ran for the very first commit in this PR, before I accidentally cancelled it by pushing another commit: https://github.com/WordPress/wordpress-develop/actions/runs/6771717029/job/18402712469?pr=5625

@desrosj commented on PR #5619:


8 months ago
#6

Thanks for this, @ayesh!

I did a little bit of digging, and this is explicitly noted in the Reusing Workflows documentation:

  • If jobs.<job_id>.permissions is not specified in the calling job, the called workflow will have the default permissions for the GITHUB_TOKEN.
  • The GITHUB_TOKEN permissions passed from the caller workflow can be only downgraded (not elevated) by the called workflow.

We are currently passing permissions to the callable workflows with contents: read in the calling workflows with a few exceptions in the upgrade-testing.yml file. It seems the first testing job only has permissions defined. We should add that.

I'm trying to think through scenarios where not having permissions in the callable workflow would be problematic if we're always explicitly passing permissions. Additionally, since the workflow is hard coded to use the version found within trunk (which can only be committed to through SVN), I'm not sure if we need to. I guess the scenario would need to be:

  • Create a PR changing the target branch for the called workflow.
  • Remove permissions within that branch in the calling workflow.
  • Change the called workflow to misuse/escalate $GITHUB_TOKEN.

However, I don't think that this would have any effect. The maximum access for pull requests from public forked repositories is `read` for all scopes. The attacker would need to use pull_request_target, and that does not work unless the workflow exists within the base branch with pull_request_target as well.
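The audit discussed in comments #2 and #6, as an added example that is not part of the ticket or of WordPress's tooling: a standard-library Python scan that lists jobs left on the default GITHUB_TOKEN permissions, marking those that call a reusable workflow. The finding labels, the sample workflow and its file paths are constructed for illustration, and the scan assumes a workflow-level `permissions:` key covers every job.

```python
import re
import sys
from pathlib import Path

KEY = re.compile(r"^( *)([A-Za-z0-9_.-]+) *:")

def audit_workflow(text):
    """Return [(job_id, finding)] for jobs left on default GITHUB_TOKEN permissions.
    Line-based scan, no YAML library. Assumes block-style YAML indented with
    spaces, and that a workflow-level `permissions:` key covers every job."""
    top_level, in_jobs = False, False
    job_indent = key_indent = current = None
    jobs = {}  # job id -> keys found directly under that job
    for raw in text.splitlines():
        m = KEY.match(raw)
        if not m:  # blank lines, comments, list items, scalar continuations
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:
            in_jobs, current = key == "jobs", None
            top_level = top_level or key == "permissions"
        elif in_jobs:
            if job_indent is None:
                job_indent = indent  # first nested line under `jobs:` is a job id
            if indent == job_indent:
                current, key_indent = key, None
                jobs[current] = set()
            elif current is not None:
                if key_indent is None:
                    key_indent = indent  # first line under a job id is a job key
                if indent == key_indent:
                    jobs[current].add(key)
    if top_level:
        return []
    return [(job, "reusable-call-default-token" if "uses" in keys else "default-token")
            for job, keys in jobs.items() if "permissions" not in keys]

# Constructed sample (hypothetical workflow, not a file from the WordPress repository).
UNSCOPED = """\
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
  call:
    uses: ./.github/workflows/reusable.yml
"""

if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".github/workflows")
    for path in sorted(root.glob("*.yml")):
        for job, kind in audit_workflow(path.read_text()):
            print(f"{path}: job '{job}': {kind}")
```

Run against a checkout, it prints one line per job that has neither a workflow-level nor a job-level `permissions` key.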

#7 @desrosj
8 months ago

In 57082:

Build/Test Tools: Add 6.3 to the Upgrade Testing workflow.

This adds WordPress 6.3 to the Upgrade Testing GitHub Actions workflow.

See #59805.

#8 @desrosj
8 months ago

In 57085:

Build/Test Tools: Use correct order of arguments for contains().

This corrects the order the arguments are passed to the contains() function in the Performance Testing workflow.

Because the arguments were passed incorrectly, the expression was not evaluating correctly.

Follow up to [56972].

Props hellofromTonya.
See #59805.

@desrosj commented on PR #5625:


7 months ago
#10

@swissspidy Went to reopen this but looks like the branch was deleted. Do you want to undelete and reopen, or open a fresh PR?

#11 @desrosj
6 months ago

In 57180:

Build/Test Tools: Group GitHub Action Dependabot updates.

This updates the Dependabot configuration file to make use of groups, configuring all third-party GitHub Action updates available into a single pull request to help reduce noise.

Props bradparbs.
See #59805.

#12 @desrosj
6 months ago

In 57197:

Build/Test Tools: Update third-party GitHub Actions.

This updates the following GitHub Actions to their latest versions:

  • actions/checkout
  • actions/setup-node
  • actions/upload-artifact
  • actions/cache
  • actions/github-script
  • shivammathur/setup-php

See #59805.

#13 @desrosj
6 months ago

In 57203:

Build/Test Tools: Add more context to artifact names.

This adds a bit more context to the E2E workflow artifact names in order to avoid duplicates being uploaded.

With the update to v4 of actions/upload-artifact in [57197], artifacts are now uploaded on a per job basis. Multiple jobs cannot upload the same artifact.

Props johnbillion.
See #59805.

#14 @desrosj
5 months ago

In 57249:

Build/Test Tools: Remove svn debug command.

SVN support has officially been sunset by GitHub. While SVN has not been utilized in GitHub Action workflows, the version of SVN being used has been output for debugging purposes.

This removes those debug lines to prevent encountering failures as new versions of test runners are pushed out without svn installed.

See https://github.blog/changelog/2024-01-08-subversion-has-been-sunset/.

See #59805.

#15 @desrosj
5 months ago

In 57250:

Build/Test Tools: Increase the max old space size in Node.

The Test Build Processes workflow started failing recently on MacOS runners due to “JavaScript heap out of memory” errors (see https://github.com/WordPress/wordpress-develop/actions/runs/7421385568/job/20209241826#step:8:82).

This increases the maximum memory size of the old memory section in Node from the default of 4GB to 8GB (specified in megabytes) to avoid unnecessary failures while ways to optimize the Gutenberg build process are explored.

Props dmsnell, joemcgill, hellofromTonya, isabel_brison.
See #59805.

#16 follow-up: @swissspidy
5 months ago

@desrosj actions/cache was just updated to v4 last week which updates the action to use Node 20. Would be nice to make that bump to get rid of the dozens of "Node.js 16 actions are deprecated" warnings in the logs.

#17 in reply to: ↑ 16 @desrosj
5 months ago

Replying to swissspidy:

@desrosj actions/cache was just updated to v4 last week which updates the action to use Node 20. Would be nice to make that bump to get rid of the dozens of "Node.js 16 actions are deprecated" warnings in the logs.

Looks like the latest Dependabot PR should take care of these.

I wish that GitHub surfaced these in some sort of notifications screen. They do announce these things ahead of time on their (WordPress 🎉) blog, but unless you're looking at the workflow encountering the notices you'd never know when they actually implement the changes.

#18 @desrosj
5 months ago

In 57362:

Build/Test Tools: Update third-party GitHub Actions.

This updates the following third-party GitHub Actions to their latest versions:

  • actions/setup-node from 3.8.1 to 4.0.1
  • actions/upload-artifact from 3.1.2 to 4.3.0
  • shivammathur/setup-php from 2.28.0 to 2.29.0
  • actions/cache from 3.3.2 to 4.0.0
  • codecov/codecov-action from 3.1.4 to 3.1.5

Most notably, these updates silence newly encountered notices as a result of GitHub beginning to transition away from Node.js 16 to Node.js 20 (see https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/).

Props swissspidy.
See #59805.

#19 @desrosj
5 months ago

Looks like we're still seeing some of those Node.js notices, most seem due to the setup-php action needing to be updated. The change has been made upstream, but a release has not yet been published.

#20 @desrosj
5 months ago

In 57376:

Build/Test Tools: Update third-party Slack action.

This updates the slackapi/slack-github-action from 1.24.0 to 1.25.0. This fixes more GitHub Action deprecated notices.

Follow up to [57362].

See #59805.

#21 @swissspidy
4 months ago

In 57655:

Build/Test Tools: Update third-party GitHub Actions.

This updates the following third-party GitHub Actions to their latest versions:

  • Updates actions/setup-node from 4.0.1 to 4.0.2
  • Updates actions/upload-artifact from 4.3.0 to 4.3.1

Props desrosj, thelovekesh.
See #59805.

This ticket was mentioned in Slack in #core by chaion07.


4 months ago

#23 @desrosj
4 months ago

In 57757:

Build/Test Tools: Update 3rd-party GitHub Actions.

This updates the following GitHub Actions to their latest versions:

  • shivammathur/setup-php from 2.29.0 to 2.30.0
  • actions/cache from 4.0.0 to 4.0.1
  • ramsey/composer-install from 2.2.0 to 3.0.0
  • codecov/codecov-action from 4.0.1 to 4.1.0

This should address the remaining notices caused by running Node.js 16.x on GitHub Actions runner machines in trunk.

Follow up to [57197], [57362], [57655].

See #59805.

#24 @swissspidy
4 months ago

  • Resolution set to fixed
  • Status changed from new to closed

Closing for now since 6.5 has been branched, so any new updates like this can happen in trunk for 6.6.

@swissspidy commented on PR #5625:


3 months ago
#25

No longer needed I think

#26 @desrosj
3 weeks ago

In 58276:

Build/Test Tools: Make use of new reusable workflows.

This updates the 6.4 branch to utilize the new reusable workflows in trunk introduced in [58165].

This also includes backports for some additional improvements and bug fixes that are necessary for the local development environment to continue working long term:

  • Migrating to Docker Compose V2 (#60901).
  • Removing the version property from docker-compose.yml (#59416).
  • Improvements to how artifacts and comments for Playground testing are generated.
  • Removing SVN related commands causing failures (#61216).
  • Updating the actions/github-scripts action to the latest version.

Merges [57918], [58157], [57124], [57125], [57249] to the 6.4 branch.

Props johnbillion, joemcgill, swissspidy, thelovekesh, narenin, mukesh27, JeffPaul, peterwilsoncc, zieladam, ockham, SergeyBiryukov, jorbin.
Fixes #61216. See #60901, #61101, #59416, #59805, #61213.

#27 @desrosj
3 weeks ago

In 58300:

Build/Test Tools: Make use of new reusable workflows for 6.3.

This updates the 6.3 branch to utilize the new reusable workflows in trunk introduced in [58165].

This also includes backports for some additional improvements and bug fixes that are necessary for the local development environment to continue working long term:

  • The image and platform properties for the mysql container have been updated to always prefer amd64 containers (#60822).
  • macos-13 is now pinned for MacOS jobs instead of macos-latest (#61340).
  • Removes the performance testing workflow. This workflow was overhauled in 6.4 to use Playwright. Continuing to support Puppeteer-based performance testing in 6.1-6.3 (which was historically very flaky) in a reusable workflow outweighs the benefit.
  • Migrating to Docker Compose V2 (#60901).
  • Removing the version property from docker-compose.yml (#59416).
  • Improvements to how artifacts and comments for Playground testing are generated.
  • Removing SVN related commands causing failures (#61216).
  • Updating the actions/github-scripts action to the latest version.

Merges [57918], [58157], [57124], [57125], [57249] to the 6.3 branch.

Props johnbillion, joemcgill, swissspidy, thelovekesh, narenin, mukesh27, JeffPaul, peterwilsoncc, zieladam, ockham, SergeyBiryukov, jorbin.
Fixes #61340, #60822. See #61216, #60901, #61101, #59416, #59805, #61213.

#28 @desrosj
3 weeks ago

In 58301:

Build/Test Tools: Make use of new reusable workflows for 6.2.

This updates the 6.2 branch to utilize the new reusable workflows in trunk introduced in [58165].

This also includes backports for some additional improvements and bug fixes that are necessary for the local development environment to continue working long term:

  • The image and platform properties for the mysql container have been updated to always prefer amd64 containers (#60822).
  • macos-13 is now pinned for MacOS jobs instead of macos-latest (#61340).
  • Removes the performance testing workflow. This workflow was overhauled in 6.4 to use Playwright. Continuing to support Puppeteer-based performance testing in 6.1-6.3 (which was historically very flaky) in a reusable workflow outweighs the benefit.
  • Migrating to Docker Compose V2 (#60901).
  • Removing the version property from docker-compose.yml (#59416).
  • Improvements to how artifacts and comments for Playground testing are generated.
  • Removing SVN related commands causing failures (#61216).
  • Updating the actions/github-scripts action to the latest version.

Merges [57918], [58157], [57124], [57125], [57249] to the 6.2 branch.

Props johnbillion, joemcgill, swissspidy, thelovekesh, narenin, mukesh27, JeffPaul, peterwilsoncc, zieladam, ockham, SergeyBiryukov, jorbin.
See #61340, #60822, #61216, #60901, #61101, #59416, #59805, #61213.

#29 @desrosj
3 weeks ago

In 58302:

Build/Test Tools: Include files missed in [58301].

Unprops desrosj.
See #61340, #60822, #61216, #60901, #61101, #59416, #59805, #61213.

#30 @desrosj
2 weeks ago

In 58330:

Build/Test Tools: Make use of new reusable workflows for 6.1.

This updates the 6.1 branch to utilize the new reusable workflows in trunk introduced in [58165].

This also includes backports for some additional improvements and bug fixes that are necessary for the local development environment to continue working long term:

  • The image and platform properties for the mysql container have been updated to always prefer amd64 containers (#60822).
  • macos-13 is now pinned for MacOS jobs instead of macos-latest (#61340).
  • Removes the performance testing workflow. This workflow was overhauled in 6.4 to use Playwright. Continuing to support Puppeteer-based performance testing in 6.1-6.3 (which was historically very flaky) in a reusable workflow outweighs the benefit.
  • Run E2E tests with and without SCRIPT_DEBUG (#58661).
  • Migrating to Docker Compose V2 (#60901).
  • Removing the version property from docker-compose.yml (#59416).
  • Improvements to how artifacts and comments for Playground testing are generated.
  • Removing SVN related commands causing failures (#61216).
  • Updating the actions/github-scripts action to the latest version.

Merges [56113], [56114], [57918], [58157], [57124], [57125], [57249] to the 6.1 branch.

Props johnbillion, joemcgill, swissspidy, thelovekesh, narenin, mukesh27, JeffPaul, peterwilsoncc, zieladam, ockham, SergeyBiryukov, jorbin.
See #61340, #60822, #61216, #60901, #61101, #59416, #59805, #61213, #58661.

#31 @desrosj
2 weeks ago

In 58357:

Build/Test Tools: Make use of new reusable workflows for 6.0.

This updates the 6.0 branch to utilize the new reusable workflows in trunk introduced in [58165].

This also includes backports for some additional improvements and bug fixes that are necessary for the local development environment to continue working long term:

  • The image and platform properties for the mysql container have been updated to always prefer amd64 containers (#60822).
  • macos-13 is now pinned for MacOS jobs instead of macos-latest (#61340).
  • Run E2E tests with and without SCRIPT_DEBUG (#58661).
  • Migrating to Docker Compose V2 (#60901).
  • Removing the version property from docker-compose.yml (#59416).
  • Improvements to how artifacts and comments for Playground testing are generated.
  • Removing SVN related commands causing failures (#61216).
  • Updating the actions/github-scripts action to the latest version.
  • Move the Memcached container into the Docker Compose config (#55700).
  • Configure Xdebug modes in the local Docker environment (#56022).

Merges [53895], [53552], [56113], [56114], [57918], [58157], [57124], [57125], [57249] to the 6.0 branch.

Props johnbillion, joemcgill, swissspidy, thelovekesh, narenin, mukesh27, JeffPaul, peterwilsoncc, zieladam, ockham, SergeyBiryukov, jorbin, Clorith, afragen.
See #55700, #61340, #60822, #61216, #60901, #61101, #59416, #59805, #61213, #58661.

#32 @desrosj
2 weeks ago

In 58358:

Build/Test Tools: Make use of new reusable workflows for 5.9.

This updates the 5.9 branch to utilize the new reusable workflows in trunk introduced in [58165].

This also includes backports for some additional improvements and bug fixes that are necessary for the local development environment to continue working long term:

  • The image and platform properties for the mysql container have been updated to always prefer amd64 containers (#60822).
  • macos-13 is now pinned for MacOS jobs instead of macos-latest (#61340).
  • Run E2E tests with and without SCRIPT_DEBUG (#58661).
  • Migrating to Docker Compose V2 (#60901).
  • Removing the version property from docker-compose.yml (#59416).
  • Improvements to how artifacts and comments for Playground testing are generated.
  • Removing SVN related commands causing failures (#61216).
  • Updating the actions/github-scripts action to the latest version.
  • Move the Memcached container into the Docker Compose config (#55700).
  • Configure Xdebug modes in the local Docker environment (#56022).

Merges [53895], [53552], [56113], [56114], [57918], [58157], [57124], [57125], [57249] to the 5.9 branch.

Props johnbillion, joemcgill, swissspidy, thelovekesh, narenin, mukesh27, JeffPaul, peterwilsoncc, zieladam, ockham, SergeyBiryukov, jorbin, Clorith, afragen.
See #55700, #61340, #60822, #61216, #60901, #61101, #59416, #59805, #61213, #58661.
