Bump the dev-docker group with 3 updates

.github/dependabot.yml

@@ -29,3 +29,101 @@ updates:
       composer-packages:
         patterns:
           - "composer/ca-bundle"
+
+  # Monitor some npm dependencies for updates in groups.
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 50
+    ignore:
+      - dependency-name: "@wordpress/*"
+    groups:
+      ##
+      # Groups for updating devDependencies.
+      ##
+
+      # Dependencies related to Playwright testing (E2E, performance).
+      tests-playwright:
+        patterns:
+          - "*playwright*"
+      # Dependencies related to JavaScript testing with QUnit.
+      tests-qunit:
+        patterns:
+          - "*qunit*"
+          - "sinon*"
+      # Dependencies related to CSS and SASS building and manilupating.
+      dev-css-sass:
+        patterns:
+          - "autoprefixer"
+          # postcss and css related dependencies.
+          - "*css*"
+          - "*sass"
+      # Dependencies related to the Webpack build process.
+      dev-webpack:
+        patterns:
+          - "*webpack*"
+          - "react-refresh"
+          - "source-map-loader"
+      # Dependencies related to the local Docker development environment.
+      dev-docker:
+        patterns:
+          - "dotenv*"
+          - "wait-on"
+      # Dependencies that do not fall into a specific grouping.
+      dev-miscellaneous:
+        patterns:
+          - "chalk"
+          - "check-node-version"
+          - "ink-docstrap"
+          - "install-changed"
+          - "matchdep"
+          - "uuid"
+      # Dependencies related to JavaScript minification.
+      dev-uglify:
+        patterns:
+          - "*uglify*"
+      # All GruntJS related dependencies that do not relate to another group.
+      dev-grunt:
+        patterns:
+          - "*grunt*"
+
+      ##
+      # Groups for updating production dependencies.
+      ##
+
+      # Dependencies related to jQuery and its ecosystem.
+      external-jquery:
+        patterns:
+          - "jquery*"
+      # Dependencies related to React and its ecosystem.
+      external-react:
+        patterns:
+          - "react*"
+          - "!react-refresh"
+      # Dependencies used for bundling polyfill libraries into WordPress.
+      external-polyfills:
+        patterns:
+          - "core-js-url-browser"
+          - "element-closest"
+          - "formdata-polyfill"
+          - "imagesloaded"
+          - "objectFitPolyfill"
+          - "polyfill-library"
+          - "regenerator-runtime"
+          - "whatwg-fetch"
+          - "wicg-inert"
+      # Dependencies related to the Masonry library.
+      external-masonry:
+        patterns:
+          - "masonry-layout"
+      # Dependencies that do not fall into a specific grouping.
+      external-miscellaneous:
+        patterns:
+          - "backbone"
+          - "clipboard"
+          - "hoverintent"
+          - "json2php"
+          - "lodash"
+          - "moment"
+          - "underscore"

.github/workflows/pull-requests-built-files.yml

@@ -0,0 +1,157 @@
+# Responsible for checking pull requests for changes to built files.
+name: Manage Built Files for PRs
+
+on:
+  pull_request_target:
+    branches:
+      - trunk
+      - '6.[8-9]'
+      - '[7-9].[0-9]'
+    paths:
+      # Any change to a CSS, JavaScript, JSON, or SASS file should run checks.
+      - '**.css'
+      - '**.js'
+      - '**.json'
+      - '**.sass'
+      # These files configure npm and the task runner. Changes could affect the outcome.
+      - 'package*.json'
+      - 'Gruntfile.js'
+      - 'webpack.config.js'
+      - 'tools/webpack/**'
+      # These files configure Composer. Changes could affect the outcome.
+      - 'composer.*'
+      # Confirm any changes to relevant workflow files.
+      - '.github/workflows/pull-requests-built-files.yml'
+
+# Cancels all previous workflow runs for pull requests that have not completed.
+concurrency:
+  # The concurrency group contains the workflow name and the branch name for pull requests
+  # or the commit hash for any other events.
+  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request_target' && github.head_ref || github.sha }}
+
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
+jobs:
+  # Checks a PR for uncommitted changes to built files.
+  update-built-files:
+    name: Updates built files when necessary
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+    if: ${{ github.event_name == 'pull_request_target' && github.event.commits < 2 && 'dependabot[bot]' == github.actor }}
+    steps:
+      - name: Generate Installation Token
+        id: generate_token
+        env:
+          GH_APP_ID: ${{ secrets.GH_APP_ID }}
+          GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
+        run: |
+          echo "${{ env.GH_APP_PRIVATE_KEY }}" > private-key.pem
+
+          APP_ID=${{ env.GH_APP_ID }}
+
+          # Generate JWT
+          JWT=$(python3 - <<EOF
+          import jwt, time
+          private_key = open("private-key.pem", "r").read()
+          payload = {
+              "iat": int(time.time()),
+              "exp": int(time.time()) + 600,  # 10-minute expiration
+              "iss": $APP_ID
+          }
+          print(jwt.encode(payload, private_key, algorithm="RS256"))
+          EOF
+          )
+
+          # Get Installation ID
+          INSTALLATION_ID=$(curl -s -X GET -H "Authorization: Bearer $JWT" \
+            -H "Accept: application/vnd.github.v3+json" \
+            https://api.github.com/app/installations | jq -r '.[0].id')
+
+          # Request Installation Access Token
+          ACCESS_TOKEN=$(curl -s -X POST -H "Authorization: Bearer $JWT" \
+            -H "Accept: application/vnd.github.v3+json" \
+            https://api.github.com/app/installations/$INSTALLATION_ID/access_tokens | jq -r '.token')
+
+          echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"
+
+          rm -f private-key.pem
+
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ github.head_ref }}
+          show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+          token: ${{ env.ACCESS_TOKEN }}
+
+      - name: Set up Node.js
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version-file: '.nvmrc'
+          cache: npm
+
+      # This date is used to ensure that the PHPCS cache is cleared at least once every week.
+      # http://man7.org/linux/man-pages/man1/date.1.html
+      - name: "Get last Monday's date"
+        id: get-date
+        run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT"
+
+      # Since Composer dependencies are installed using `composer update` and no lock file is in version control,
+      # passing a custom cache suffix ensures that the cache is flushed at least once per week.
+      - name: Install Composer dependencies
+        uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # v3.0.0
+        with:
+          custom-cache-suffix: ${{ steps.get-date.outputs.date }}
+
+      - name: Log debug information
+        run: |
+          npm --version
+          node --version
+          curl --version
+          git --version
+
+      - name: Install npm Dependencies
+        run: npm ci
+
+      - name: Run SASS precommit tasks
+        run: npm run grunt precommit:css
+
+      - name: Run Emoji precommit task
+        run: npm run grunt precommit:emoji
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run certificate tasks
+        run: npm run grunt copy:certificates
+
+      - name: Build WordPress
+        run: npm run build:dev
+
+      - name: Configure git user name and email
+        run: |
+          git config user.name "dependabot[bot]"
+          git config user.email 49699333+dependabot[bot]@users.noreply.github.com
+
+      - name: Ensure version-controlled files are not modified or deleted during building
+        id: built-file-check
+        run: |
+          diff_output=$(git diff)
+          if [ -n "$diff_output" ]; then
+            echo "uncommitted_changes=$(echo $diff_output)" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Stage changes
+        if: ${{ steps.built-file-check.outputs.uncommitted_changes != '' }}
+        run: git add .
+
+      - name: Commit changes
+        if: ${{ steps.built-file-check.outputs.uncommitted_changes != '' }}
+        run: |
+          git commit -m "Automation: Updating built files with changes. [dependabot skip]"
+
+      - name: Push changes
+        if: ${{ steps.built-file-check.outputs.uncommitted_changes != '' }}
+        run: git push
+

composer.json

@@ -17,7 +17,7 @@
 		"ext-dom": "*"
 	},
 	"require-dev": {
-		"composer/ca-bundle": "1.5.5",
+		"composer/ca-bundle": "1.5.3",
 		"squizlabs/php_codesniffer": "3.10.3",
 		"wp-coding-standards/wpcs": "~3.1.0",
 		"phpcompatibility/phpcompatibility-wp": "~2.1.3",