Switch to using local references for reusable workflows

[johnbillion]

Reusable workflows used within GitHub Actions are currently referenced using their remote syntax, eg:

uses: WordPress/wordpress-develop/{workflow}.yml@trunk

As these workflows are actually local files, their references can be updated to local ones:

uses: ./{workflow}.yml

The benefit of this is that when PRs are made to make changes to a reusable workflow, the references doesn't need to be updated to point to the fork in order for the changed workflow to run.

@desrosj flagged there might be a security concern with such a change. I don't believe there is, but it's worth double checking.

@desrosj Another consideration. The current syntax means that workflows in older branches will always use the latest reusable workflow from the trunk branch. For example, the 6.4 branch uses the current workflow from trunk, not the workflow as it was at 6.4.

Is this a feature or a bug?

Ah, yes. This is absolutely a feature. We only need to update the workflow file once this way. See https://core.trac.wordpress.org/ticket/61213. Otherwise, we need to periodically backport fixes to all supported branches, and this is a large undertaking.

One way around this could be that after branching a release, we update all workflows to use the @trunk syntax instead. That allows trunk to use the local references for easier testing, but ensures the same benefits for older branches.

That sounds reasonable. Would need to be added to the post release checklist.

@desrosj I've added a command which converts all the local workflow references to remote ones. It can be run after trunk branches to the release branch to update all the references. What do you think?

npm run grunt replace:workflow-references-local-to-remote

@desrosj I've added a command which converts all the local workflow references to remote ones. It can be run after trunk branches to the release branch to update all the references. What do you think?

npm run grunt replace:workflow-references-local-to-remote

Good idea! Hadn't thought of that. I like it.

Would it be worth adding a step to each workflow that confirms the correct reference format based on the branch initiating the workflow run?

Would it be worth adding a step to each workflow that confirms the correct reference format based on the branch initiating the workflow run?

Maybe! I think there's a few options for enforcing the remote reference in the release branches. Let's get this in and then it can be discussed in another ticket or PR.

[johnbillion]

In 59673:

Build/Test Tools: Switch to using local references for reusable workflows.

The benefit of this is that when PRs are made to make changes to a reusable workflow, the references doesn't need to be updated to point to the fork in order for the changed workflow to run.

A npm run grunt replace:workflow-references-local-to-remote command has also been introduced in order to convert these local references back to remote ones. This command can be used to switch release branches over to using remote workflows, as they are currently, so they continue to benefit from workflow changes in trunk without the need for continual backporting to all the branches.

Props desrosj, johnbillion

Fixes #62416