fix: always regenerate encrypted OAuth secrets in release build

[superdav42]

Summary

• Fixes {\"error\":\"invalid_client\",\"error_description\":\"No client id supplied\"} that every customer on the current release hits when clicking Connect to UltimateMultisite.com on the Addons page.
• Root cause: inc/stuff.php was shipped encrypted with an AES key derived from an older snapshot of inc/class-addon-repository.php. Any change to that file changes the sha256 used as the key, so openssl_decrypt() returns false and the OAuth request is sent with empty client_id / client_secret.
• The release workflow was supposed to regenerate inc/stuff.php on every build (via npm run prearchive → php encrypt-secrets.php), but an mtime shortcut (filemtime(class-addon-repository.php) > filemtime(stuff.php)) always evaluated false in CI — actions/checkout gives every file the same mtime — so the stale ciphertext was shipped unchanged.

Change

encrypt-secrets.php: remove the mtime guard. Regenerate inc/stuff.php unconditionally whenever MU_CLIENT_ID and MU_CLIENT_SECRET are supplied. Added an explanatory comment so the optimisation doesn't get reintroduced.

Reproduction (before)

php -r '
\$key = hash_file(\"sha256\", \"inc/class-addon-repository.php\");
\$stuff = include \"inc/stuff.php\";
foreach (\$stuff as \$i => \$data) {
    \$data = base64_decode(\$data);
    \$iv_len = openssl_cipher_iv_length(\"aes-256-cbc\");
    \$iv = substr(\$data, 0, \$iv_len);
    \$ct = substr(\$data, \$iv_len);
    echo \"slot \$i: \" . var_export(openssl_decrypt(\$ct, \"aes-256-cbc\", \$key, 0, \$iv), true) . \"\\n\";
}
'
# slot 0: false
# slot 1: false

Verification

• Round-trip encrypt/decrypt succeeds with the new script against the current class file.
• Simulated the CI equal-mtime scenario: previously printed "up to date" and skipped; now regenerates correctly.

Release plan

After merge, run the release workflow. With the env secrets MU_CLIENT_ID / MU_CLIENT_SECRET present, npm run prearchive will now regenerate inc/stuff.php with the current class file's hash, and the shipped zip will authenticate correctly against ultimatemultisite.com.

[coderabbitai]

Warning

Rate limit exceeded

@superdav42 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 48 minutes and 18 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 48 minutes and 18 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dc13b147-026d-415f-ab3a-58e58c0084ef

📥 Commits

Reviewing files that changed from the base of the PR and between d666041 and 436e7c1.

📒 Files selected for processing (1)

• encrypt-secrets.php

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/regenerate-oauth-secrets-in-release-build

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔨 Build Complete - Ready for Testing!

📦 Download Build Artifact (Recommended)

Download the zip build, upload to WordPress and test:

• Build: ultimate-multisite
• ⬇️ Download from GitHub Actions
• ⬇️ Download without Github Account (nightly.link)

🌐 Test in WordPress Playground (Very Experimental)

Click the link below to instantly test this PR in your browser - no installation needed!
Playground support for multisite is very limitied, hopefully it will get better in the future.

🚀 Launch in Playground

Login credentials: admin / password

[github-actions]

Performance Test Results

Performance test results for f5e463f are in 🛎️!

Note: the numbers in parentheses show the difference to the previous (baseline) test run. Differences below 2% or 0.5 in absolute values are not shown.

URL: /

Run	DB Queries	Memory	Before Template	Template	WP Total	LCP	TTFB	LCP - TTFB
0	40 (-2 / -5% )	37.78 MB	815.50 ms (-66.50 ms / -8% )	171.00 ms (+24.00 ms / +14% )	1027.50 ms (-35.00 ms / -3% )	2002.00 ms	1908.45 ms	89.30 ms (+4.50 ms / +5% )
1	56	49.03 MB	948.50 ms	142.00 ms	1089.50 ms	2070.00 ms	1993.55 ms	79.00 ms

[github-actions]

🔨 Build Complete - Ready for Testing!

📦 Download Build Artifact (Recommended)

Download the zip build, upload to WordPress and test:

• Build: ultimate-multisite
• ⬇️ Download from GitHub Actions
• ⬇️ Download without Github Account (nightly.link)

🌐 Test in WordPress Playground (Very Experimental)

Click the link below to instantly test this PR in your browser - no installation needed!
Playground support for multisite is very limitied, hopefully it will get better in the future.

🚀 Launch in Playground

Login credentials: admin / password