From 961b750e41a88ed1bfd70717404203b4fac06afa Mon Sep 17 00:00:00 2001
From: Filip Ilic
Date: Fri, 29 May 2026 15:13:16 +0200
Subject: [PATCH 1/6] Pin setup-php to 2.37.1 in plugin-check workflow

The Plugin Check job ("test") fails at `wp package install` with "github oauth token contains invalid characters". The token is the auto-injected GITHUB_TOKEN that setup-php hands to Composer; a behavior change in the floating @v2 tag surfaced the rejection. Pin to a known version to stabilize the job. Repo has no custom token secret, so this is not a credentials issue.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/plugin-check.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/plugin-check.yml b/.github/workflows/plugin-check.yml
index fe48df729..62a923a17 100644
--- a/.github/workflows/plugin-check.yml
+++ b/.github/workflows/plugin-check.yml
@@ -10,7 +10,7 @@ jobs:
 uses: actions/checkout@v5
 
 - name: Setup PHP
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@2.37.1
 with:
 php-version: '8.3'
 coverage: none

From 3f1f6702b65dea0a87f4538a2db86482b8f2d87f Mon Sep 17 00:00:00 2001
From: Filip Ilic
Date: Fri, 29 May 2026 15:17:01 +0200
Subject: [PATCH 2/6] Clear GitHub token for dist-archive-command install step

The setup-php pin did not fix the Plugin Check job: the token rejection ("invalid characters") comes from wp-cli's bundled Composer, not setup-php. setup-php exports the Actions GITHUB_TOKEN for Composer, and wp-cli's Composer refuses its format. Clear the token env for just this step so the single public-package fetch runs unauthenticated (well within rate limits).

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/plugin-check.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/plugin-check.yml b/.github/workflows/plugin-check.yml
index 62a923a17..c119bc1b5 100644
--- a/.github/workflows/plugin-check.yml
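Review bot: In PATCH 1/6 the new `uses: shivammathur/setup-php@2.37.1` still resolves through a tag, which the action's owner can re-point, so the pin holds only as long as that tag is never moved. Referencing the full commit SHA with the version as a trailing comment, `uses: shivammathur/setup-php@<full-commit-sha> # 2.37.1` (placeholder; take the SHA from the release), makes the reference immutable. The same applies to `setup-php@v2`, which PATCH 2/6 restores without saying so in its message, and to `wordpress/plugin-check-action@v1.1.6` in PATCH 6/6. The step's `with:` block continues outside the hunk.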
+++ b/.github/workflows/plugin-check.yml
@@ -10,13 +10,20 @@ jobs:
 uses: actions/checkout@v5
 
 - name: Setup PHP
- uses: shivammathur/setup-php@2.37.1
+ uses: shivammathur/setup-php@v2
 with:
 php-version: '8.3'
 coverage: none
 tools: wp-cli
 
 - name: Install latest version of dist-archive-command
+ # Clear the GitHub token for this step: setup-php exports it for
+ # Composer, but wp-cli's bundled Composer rejects the Actions token
+ # format ("invalid characters"). Fetching this single public package
+ # unauthenticated is well within the rate limit.
+ env:
+ GITHUB_TOKEN: ''
+ COMPOSER_TOKEN: ''
 run: wp package install wp-cli/dist-archive-command:v3.1.0
 
 - name: Build plugin

From b0ec35d601eaa62328b6b07e718049c64892bcc7 Mon Sep 17 00:00:00 2001
From: Filip Ilic
Date: Fri, 29 May 2026 15:19:30 +0200
Subject: [PATCH 3/6] unset GITHUB_TOKEN so wp-cli skips invalid Composer token

wp-cli writes GITHUB_TOKEN to Composer's github-oauth config whenever it is a string (an empty env value still counts), and Composer rejects the Actions token as "invalid characters". Unsetting the var in the shell makes getenv() return false so wp-cli skips token config; the single public package fetch runs unauthenticated, within rate limits.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/plugin-check.yml | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/plugin-check.yml b/.github/workflows/plugin-check.yml
index c119bc1b5..9b6f9f8e4 100644
--- a/.github/workflows/plugin-check.yml
+++ b/.github/workflows/plugin-check.yml
@@ -17,14 +17,15 @@ jobs:
 tools: wp-cli
 
 - name: Install latest version of dist-archive-command
- # Clear the GitHub token for this step: setup-php exports it for
- # Composer, but wp-cli's bundled Composer rejects the Actions token
- # format ("invalid characters"). Fetching this single public package
- # unauthenticated is well within the rate limit.
- env:
- GITHUB_TOKEN: ''
- COMPOSER_TOKEN: ''
- run: wp package install wp-cli/dist-archive-command:v3.1.0
+ # wp-cli reads GITHUB_TOKEN and, if it is *any* string (including an
+ # empty one), writes it to Composer's github-oauth config — and
+ # Composer rejects the Actions token value as "invalid characters".
+ # `unset` makes getenv() return false so wp-cli skips token config
+ # entirely; fetching this single public package unauthenticated is
+ # well within the rate limit.
+ run: |
+ unset GITHUB_TOKEN
+ wp package install wp-cli/dist-archive-command:v3.1.0
 
 - name: Build plugin
 run: |

From 3c1fd6d02363136fc9cb3831b86c030bee956e6a Mon Sep 17 00:00:00 2001
From: Filip Ilic
Date: Fri, 29 May 2026 15:32:22 +0200
Subject: [PATCH 4/6] Update WP-CLI to nightly so its bundled Composer accepts new GitHub token
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Plugin Check job fails at `wp package install` because the Composer bundled in the stable WP-CLI phar rejects the new GitHub Actions token format (hyphens) with "contains invalid characters" — composer#12076. The token is exported by setup-php via COMPOSER_AUTH, so neutralizing GITHUB_TOKEN had no effect. The nightly WP-CLI bundles a Composer with relaxed token validation, fixing it at the root.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/plugin-check.yml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/plugin-check.yml b/.github/workflows/plugin-check.yml
index 9b6f9f8e4..142429932 100644
--- a/.github/workflows/plugin-check.yml
+++ b/.github/workflows/plugin-check.yml
@@ -16,16 +16,16 @@ jobs:
 coverage: none
 tools: wp-cli
 
+ # The stable WP-CLI phar bundles an old Composer that rejects the new
+ # GitHub Actions token format (ghs__, contains
+ # hyphens) with "contains invalid characters" — see
+ # https://github.com/composer/composer/issues/12076. The nightly build
+ # bundles a Composer with the relaxed token validation.
+ - name: Update WP-CLI to nightly
+ run: wp cli update --nightly --yes
+
 - name: Install latest version of dist-archive-command
- # wp-cli reads GITHUB_TOKEN and, if it is *any* string (including an
- # empty one), writes it to Composer's github-oauth config — and
- # Composer rejects the Actions token value as "invalid characters".
- # `unset` makes getenv() return false so wp-cli skips token config
- # entirely; fetching this single public package unauthenticated is
- # well within the rate limit.
- run: |
- unset GITHUB_TOKEN
- wp package install wp-cli/dist-archive-command:v3.1.0
+ run: wp package install wp-cli/dist-archive-command:v3.1.0
 
 - name: Build plugin
 run: |

From 8c937518e985cbd77c5ddb2433e04c3fcb0bf629 Mon Sep 17 00:00:00 2001
From: Filip Ilic
Date: Fri, 29 May 2026 15:34:02 +0200
Subject: [PATCH 5/6] Run wp cli update with sudo to overwrite root-owned phar

The nightly update failed with "/usr/local/bin/wp-cli is not writable by current user" because setup-php installs the phar to a root-owned path. Run the update via sudo so it can replace the phar in place.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/plugin-check.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/plugin-check.yml b/.github/workflows/plugin-check.yml
index 142429932..c41146f22 100644
--- a/.github/workflows/plugin-check.yml
+++ b/.github/workflows/plugin-check.yml
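Review bot: In PATCH 4/6 the added `run: wp cli update --nightly --yes` makes every run download and execute whichever WP-CLI nightly is current, so the job is no longer reproducible and a broken or tampered nightly reaches the runner with no version or checksum to compare against (none is visible in this hunk). If a stable release with the fixed Composer is not yet available, the step should at least state its exit condition, for example `# TODO: remove once a stable WP-CLI release bundles a Composer that accepts the new token format`. The `run: |` of the Build plugin step continues outside the hunk.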
@@ -22,7 +22,9 @@ jobs:
 # https://github.com/composer/composer/issues/12076. The nightly build
 # bundles a Composer with the relaxed token validation.
 - name: Update WP-CLI to nightly
- run: wp cli update --nightly --yes
+ # setup-php installs the wp-cli phar to a root-owned path, so the
+ # in-place update needs sudo to overwrite it.
+ run: sudo -E $(which wp) cli update --nightly --yes
 
 - name: Install latest version of dist-archive-command
 run: wp package install wp-cli/dist-archive-command:v3.1.0

From 3f83a1aca3264c52d0d4ab7d737729904e9ead79 Mon Sep 17 00:00:00 2001
From: Filip Ilic
Date: Fri, 29 May 2026 15:46:50 +0200
Subject: [PATCH 6/6] Pin @wordpress/env to 11.5.0 to fix wp-env start in plugin-check

The Plugin Check job regressed (last passed 2026-05-05) without any change on our side. plugin-check-action installs @wordpress/env unpinned, so it pulls the latest; 11.6.0/11.7.0 migrated nodegit -> simple-git, which breaks the action's wp-env start (stalls at "Reading configuration", environment never initializes). Pin the global install to 11.5.0, the last version our job ran green with. Also bump the action to v1.1.6.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/plugin-check.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/plugin-check.yml b/.github/workflows/plugin-check.yml
index c41146f22..7379462f7 100644
--- a/.github/workflows/plugin-check.yml
+++ b/.github/workflows/plugin-check.yml
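Review bot: In PATCH 5/6 `sudo -E $(which wp) cli update --nightly --yes` runs the self-updater as root with the caller's whole environment preserved, which according to the PATCH 4/6 message includes the `COMPOSER_AUTH` credential exported by setup-php. Nothing in the hunk shows the update needing those variables, so I would drop `-E` and quote the resolved path: `run: sudo "$(command -v wp)" cli update --nightly --yes`, assuming the updater does not depend on a runner variable. The added comment could also say that root is used only to overwrite the phar at `/usr/local/bin/wp-cli` (the path quoted in the commit message), so the scope of the privilege is explicit.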
@@ -35,8 +35,16 @@ jobs:
 mkdir build
 unzip ${{ github.event.repository.name }}.zip -d build
 
+ # plugin-check-action installs @wordpress/env unpinned, so it pulls the
+ # latest. 11.6.0/11.7.0 migrated nodegit -> simple-git and break the
+ # action's wp-env start (stalls at "Reading configuration"). Pin to the
+ # last-known-good 11.5.0 (our last green run, 2026-05-05, used it).
+ # See https://github.com/WordPress/gutenberg/blob/trunk/packages/env/CHANGELOG.md
+ - name: Pin @wordpress/env to last-known-good version
+ run: sudo npm -g --no-fund i @wordpress/env@11.5.0
+
 - name: Run plugin check
- uses: wordpress/plugin-check-action@v1.1.5
+ uses: wordpress/plugin-check-action@v1.1.6
 with:
 build-dir: './build/${{ github.event.repository.name }}'
 exclude-checks: |
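Review bot: In PATCH 6/6 `sudo npm -g --no-fund i @wordpress/env@11.5.0` fixes only the top-level version; its dependency tree is still resolved at install time and any install scripts run as root, so the step is neither fully reproducible nor least-privilege. The comment also assumes that plugin-check-action reuses a globally installed `@wordpress/env` instead of installing its own copy, which cannot be confirmed from this hunk and deserves a sentence or a link. I would add the removal condition to the comment, for example `# TODO: drop this pin once plugin-check-action starts cleanly with @wordpress/env >= 11.6.0`. The `with:` block of the last step runs past the end of the hunk.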