`certificates:update` Grunt task does not actually update the dependency

[desrosj]

The certificates:update Grunt task attempts to update the composer/ca-bundle dependency managed by Composer when an update is available. The task is not currently working as expected for a few reasons:

• When a composer.lock file is not present, composer update cannot update an individual dependency (ie. composer update org/package)
• Because the dependency is pinned to an exact version, composer update would not work as expected anyway.

The workflow responsible for testing and verifying the results of the build scripts should also be updated to confirm that all related files subject to version control have been properly updated.

The certificate related scripts were originally introduced in [59740].

Because an exact version is pinned for composer/ca-bundle, the composer update command cannot update the dependency to the latest version.

The command would not work for an individual dependency anyway due to the fact that there is no composer.lock file generated.

This also updates the workflow that tests the build process to verify that the certificate related files in src/wp-includes/certificates affected by the Grunt tasks are up to date.

Trac ticket: https://core.trac.wordpress.org/ticket/63939.

What's the bet way to test this? Manually downgrade composer/ca-bundle and then run npm run grunt certificates:upgrade-package?

That's right.

• rm -rf vendor
• Change pinned version to any earlier.
• Run composer update, npm run grunt copy:certificates and npm run grunt build:certificates to put the old version in Core appropriately. Make note of the files changed in version control.
• npm run grunt certificates:upgrade.
• The changed files under version control should disappear because it should update to the latest version.
• npm run grunt certificates:upgrade should succeed and output "latest version already installed."

[desrosj]

In 60765:

Build/Test Tools: Improve certificate-related build scripts.

Because an exact version is pinned for composer/ca-bundle, the composer update command cannot update the dependency to the latest version. The command also does not work for a single dependency due to the fact that Composer has been configured not to generate a composer.lock file.

This updates the Grunt task to determine the new version using composer outdated before running composer require composer/ca-bundle:NEW_VERSION --dev to properly update the pinned version.

This also updates the build process test workflow to confirm that the certificate-related files under version control in src/wp-includes/certificates are up to date.

Props johnbillion.
Fixes #63939.

[desrosj]

In 60766:

Build/Test Tools: Test certificate-related scripts in 6.8 branch.

This makes use of the new input added in [60765], which runs the copy:certificates and build:certificates Grunt tasks to ensure there are no uncommitted changes to files under version control.

Follow up to [60765].

See #63939.