Revert "Disable auto-commit workflow temporarily"

youknowriad · youknowriad · commit 85681d8597d7 · 2025-12-16T16:29:49.000+01:00
This reverts commit cd57438.
diff --git a/.github/workflows/check-built-files.yml b/.github/workflows/check-built-files.yml
@@ -0,0 +1,51 @@
+# Checks for uncommitted changes to built files in pull requests.
+name: Check Built Files (PRs)
+
+on:
+  # Because all commits happen through SVN and should always be manually reviewed by a committer, this workflow only
+  # runs for pull requests.
+  #
+  # Other workflows that run for the push event will detect changes to versioned files and fail.
+  pull_request:
+    branches:
+      - trunk
+      - '6.[8-9]'
+      - '[7-9].[0-9]'
+    paths:
+      # Any change to a CSS, JavaScript, JSON, or SASS file should run checks.
+      - '**.css'
+      - '**.js'
+      - '**.json'
+      - '**.sass'
+      # These files configure npm and the task runner. Changes could affect the outcome.
+      - 'package*.json'
+      - '.npmrc'
+      - '.nvmrc'
+      - 'Gruntfile.js'
+      - 'webpack.config.js'
+      - 'tools/webpack/**'
+      # These files configure Composer. Changes could affect the outcome.
+      - 'composer.*'
+      # Confirm any changes to relevant workflow files.
+      - '.github/workflows/check-built-files.yml'
+      # Changes to the default themes should be handled by the themes workflows.
+      - '!src/wp-content/themes/twenty**'
+
+# Cancels all previous workflow runs for pull requests that have not completed.
+concurrency:
+  # The concurrency group contains the workflow name and the branch name for pull requests
+  # or the commit hash for any other events.
+  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
+  cancel-in-progress: true
+
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
+jobs:
+  check-for-built-file-changes:
+    name: Check built files
+    if: ${{ github.repository == 'wordpress/wordpress-develop' }}
+    uses: ./.github/workflows/reusable-check-built-files.yml
+    permissions:
+      contents: read
diff --git a/.github/workflows/commit-built-file-changes.yml b/.github/workflows/commit-built-file-changes.yml
@@ -0,0 +1,170 @@
+# Commits all missed changes to built files back to pull request branches.
+name: Commit Built File Changes (PRs)
+
+on:
+  workflow_run:
+    workflows:
+      - 'Check Built Files (PRs)'
+      - 'Test Default Themes & Create ZIPs'
+    types:
+      - completed
+
+# Cancels all previous workflow runs for pull requests that have not completed.
+concurrency:
+  # The concurrency group contains the workflow name and the branch name for pull requests
+  # or the commit hash for any other events.
+  group: ${{ github.workflow }}-${{ github.event_name == 'workflow_run' && format( '{0}-{1}', github.event.workflow_run.head_branch, github.event.workflow_run.head_repository.name ) || github.sha }}
+
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
+jobs:
+  # Checks a PR for uncommitted changes to built files.
+  #
+  # Performs the following steps:
+  # - Attempts to download the artifact containing the PR diff.
+  # - Checks for the existence of an artifact.
+  # - Unzips the artifact.
+  # - Generates a token for authenticating with the GitHub App.
+  # - Checks out the repository.
+  # - Applies the patch file.
+  # - Displays the result of git diff.
+  # - Configures the Git author.
+  # - Stages changes.
+  # - Commits changes.
+  # - Pushes changes.
+  update-built-files:
+    name: Check and update built files
+    runs-on: ubuntu-24.04
+    # Temporarily disabled while working on Gutenberg integration
+    if: false
+    # if: ${{ github.repository == 'wordpress/wordpress-develop' }}
+    timeout-minutes: 10
+    permissions:
+      contents: write
+    steps:
+      - name: Download artifact
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          script: |
+            const artifacts = await github.rest.actions.listWorkflowRunArtifacts( {
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: process.env.RUN_ID,
+            } );
+
+            const matchArtifact = artifacts.data.artifacts.filter( ( artifact ) => {
+              return artifact.name === 'pr-built-file-changes'
+            } )[0];
+
+            if ( ! matchArtifact ) {
+              core.info( 'No artifact found!' );
+              return;
+            }
+
+            const download = await github.rest.actions.downloadArtifact( {
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            } );
+
+            const fs = require( 'fs' );
+            fs.writeFileSync( '${{ github.workspace }}/pr-built-file-changes.zip', Buffer.from( download.data ) )
+        env:
+          RUN_ID: ${{ github.event.workflow_run.id }}
+
+      - name: Check for artifact
+        id: artifact-check
+        run: |
+          if [ -f "pr-built-file-changes.zip" ]; then
+            echo "exists=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "exists=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Unzip the artifact containing the PR data
+        if: ${{ steps.artifact-check.outputs.exists == 'true' }}
+        run: unzip pr-built-file-changes.zip
+
+      - name: Generate Installation Token
+        id: generate_token
+        if: ${{ steps.artifact-check.outputs.exists == 'true' }}
+        env:
+          GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }}
+          GH_APP_PRIVATE_KEY: ${{ secrets.GH_PR_BUILT_FILES_PRIVATE_KEY }}
+        run: |
+          echo "$GH_APP_PRIVATE_KEY" > private-key.pem
+
+          # Generate JWT
+          JWT=$(python3 - <<EOF
+          import jwt, time
+          private_key = open("private-key.pem", "r").read()
+          payload = {
+              "iat": int(time.time()),
+              "exp": int(time.time()) + 600,  # 10-minute expiration
+              "iss": $GH_APP_ID
+          }
+          print(jwt.encode(payload, private_key, algorithm="RS256"))
+          EOF
+          )
+
+          # Get Installation ID
+          INSTALLATION_ID=$(curl -s -X GET -H "Authorization: Bearer $JWT" \
+            -H "Accept: application/vnd.github.v3+json" \
+            https://api.github.com/app/installations | jq -r '.[0].id')
+
+          # Request Installation Access Token
+          ACCESS_TOKEN=$(curl -s -X POST -H "Authorization: Bearer $JWT" \
+            -H "Accept: application/vnd.github.v3+json" \
+            "https://api.github.com/app/installations/$INSTALLATION_ID/access_tokens" | jq -r '.token')
+
+          echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"
+
+          rm -f private-key.pem
+
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        if: ${{ steps.artifact-check.outputs.exists == 'true' }}
+        with:
+          repository: ${{ github.event.workflow_run.head_repository.full_name }}
+          ref: ${{ github.event.workflow_run.head_branch }}
+          path: 'pr-repo'
+          show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+          token: ${{ env.ACCESS_TOKEN }}
+
+      - name: Apply patch
+        if: ${{ steps.artifact-check.outputs.exists == 'true' }}
+        working-directory: 'pr-repo'
+        run: git apply ${{ github.workspace }}/changes.diff
+
+      - name: Display changes to versioned files
+        if: ${{ steps.artifact-check.outputs.exists == 'true' }}
+        working-directory: 'pr-repo'
+        run: git diff
+
+      - name: Configure git user name and email
+        if: ${{ steps.artifact-check.outputs.exists == 'true' }}
+        working-directory: 'pr-repo'
+        env:
+          GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }}
+        run: |
+          git config user.name "wordpress-develop-pr-bot[bot]"
+          git config user.email ${{ env.GH_APP_ID }}+wordpress-develop-pr-bot[bot]@users.noreply.github.com
+
+      - name: Stage changes
+        if: ${{ steps.artifact-check.outputs.exists == 'true' }}
+        working-directory: 'pr-repo'
+        run: git add .
+
+      - name: Commit changes
+        if: ${{ steps.artifact-check.outputs.exists == 'true' }}
+        working-directory: 'pr-repo'
+        run: |
+          git commit -m "Automation: Updating built files with changes."
+
+      - name: Push changes
+        if: ${{ steps.artifact-check.outputs.exists == 'true' }}
+        working-directory: 'pr-repo'
+        run: git push
diff --git a/.github/workflows/reusable-check-built-files.yml b/.github/workflows/reusable-check-built-files.yml
@@ -0,0 +1,110 @@
+##
+# A reusable workflow that checks for uncommitted changes to built files in pull requests.
+##
+name: Check Built Files (PRs)
+
+on:
+  workflow_call:
+
+permissions: {}
+
+jobs:
+  # Checks a PR for uncommitted changes to built files.
+  #
+  # When changes are detected, the patch is stored as an artifact for processing by the Commit Built File Changes
+  # workflow.
+  #
+  # Performs the following steps:
+  # - Checks out the repository.
+  # - Sets up Node.js.
+  # - Configures caching for Composer.
+  # - Installs Composer dependencies.
+  # - Logs general debug information about the runner.
+  # - Installs npm dependencies.
+  # - Builds CSS file using SASS.
+  # - Builds Emoji files.
+  # - Builds bundled Root Certificate files.
+  # - Builds WordPress.
+  # - Checks for changes to versioned files.
+  # - Displays the result of git diff for debugging purposes.
+  # - Saves the diff to a patch file.
+  # - Uploads the patch file as an artifact.
+  update-built-files:
+    name: Check and update built files
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+
+      - name: Set up Node.js
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+        with:
+          node-version-file: '.nvmrc'
+          cache: npm
+
+      # This date is used to ensure that the PHPCS cache is cleared at least once every week.
+      # http://man7.org/linux/man-pages/man1/date.1.html
+      - name: "Get last Monday's date"
+        id: get-date
+        run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT"
+
+      # Since Composer dependencies are installed using `composer update` and no lock file is in version control,
+      # passing a custom cache suffix ensures that the cache is flushed at least once per week.
+      - name: Install Composer dependencies
+        uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # v3.1.1
+        with:
+          custom-cache-suffix: ${{ steps.get-date.outputs.date }}
+
+      - name: Log debug information
+        run: |
+          npm --version
+          node --version
+          curl --version
+          git --version
+
+      - name: Install npm Dependencies
+        run: npm ci
+
+      - name: Run SASS precommit tasks
+        run: npm run grunt precommit:css
+
+      - name: Run Emoji precommit task
+        run: npm run grunt precommit:emoji
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run certificate tasks
+        run: npm run grunt copy:certificates
+
+      - name: Build WordPress
+        run: npm run build:dev
+
+      - name: Check for changes to versioned files
+        id: built-file-check
+        run: |
+          if git diff --quiet; then
+            echo "uncommitted_changes=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "uncommitted_changes=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Display changes to versioned files
+        if: ${{ steps.built-file-check.outputs.uncommitted_changes == 'true' }}
+        run: git diff
+
+      - name: Save diff to a file
+        if: ${{ steps.built-file-check.outputs.uncommitted_changes == 'true' }}
+        run: git diff > ./changes.diff
+
+      # Uploads the diff file as an artifact.
+      - name: Upload diff file as artifact
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        if: ${{ steps.built-file-check.outputs.uncommitted_changes == 'true' }}
+        with:
+          name: pr-built-file-changes
+          path: changes.diff
