Merge changes published in the Gutenberg plugin "release/20.8" branch

Author: gutenbergplugin

.github/actionlint.yml

@@ -0,0 +1,13 @@
+# This is the configuration file for actionlint, a static checker for GitHub Actions workflow files.
+# See https://github.com/rhysd/actionlint.
+
+# Path-specific configurations.
+paths:
+  .github/workflows/**/*.{yml,yaml}:
+    ignore:
+      # [SC2129](https://www.shellcheck.net/wiki/SC2129) is ignored because it is a stylistic issue.
+      - 'shellcheck reported issue in this script: SC2129:.+'
+  .github/workflows/end2end-test.yml:
+    ignore:
+      # This file gets created in the step prior.
+      - 'file "build/index.js" does not exist.+'

.github/setup-node/action.yml

@@ -10,7 +10,7 @@ runs:
     using: 'composite'
     steps:
         - name: Use desired version of Node.js
-          uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
+          uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
           with:
               node-version-file: '.nvmrc'
               node-version: ${{ inputs.node-version }}
@@ -20,12 +20,12 @@ runs:
         - name: Get Node.js and npm version
           id: node-version
           run: |
-              echo "NODE_VERSION=$(node -v)" >> $GITHUB_OUTPUT
+              echo "NODE_VERSION=$(node -v)" >> "$GITHUB_OUTPUT"
           shell: bash
 
         - name: Cache node_modules
           id: cache-node_modules
-          uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+          uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
           with:
               path: '**/node_modules'
               key: node_modules-${{ runner.os }}-${{ runner.arch }}-${{ steps.node-version.outputs.NODE_VERSION }}-${{ hashFiles('package-lock.json') }}
@@ -36,7 +36,7 @@ runs:
               npm ci
           shell: bash
         - name: Upload npm logs as an artifact on failure
-          uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+          uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
           if: failure()
           with:
               name: npm-logs

.github/workflows/build-plugin-zip.yml

@@ -31,19 +31,27 @@ concurrency:
     group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
     cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
     build:
         name: Check
         runs-on: ubuntu-latest
+        permissions:
+          contents: read
+          pull-requests: write
 
         steps:
             - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
               with:
                   fetch-depth: 1
                   show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+                  persist-credentials: false
 
             - name: Use desired version of Node.js
-              uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
+              uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
               with:
                   node-version-file: '.nvmrc'
                   check-latest: true

.github/workflows/bundle-size.yml

@@ -18,16 +18,25 @@ on:
             - '!packages/block-serialization-default-parser/**'
             - '!packages/widgets/**'
             - '!packages/e2e-tests/**'
+
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
     check:
         name: Check for a Core backport changelog entry
         runs-on: ubuntu-latest
+        permissions:
+          contents: read
         if: ${{ !contains(github.event.pull_request.labels.*.name, 'No Core Sync Required') && !contains(github.event.pull_request.labels.*.name, 'Backport from WordPress Core') }}
         steps:
             - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
               with:
                   ref: ${{ github.event.pull_request.head.ref }}
                   repository: ${{ github.event.pull_request.head.repo.full_name }}
+                  persist-credentials: false
+
             - name: Check the changelog folder
               env:
                   PR_NUMBER: ${{ github.event.number }}
@@ -46,7 +55,7 @@ jobs:
                     exit 1
                   fi
 
-                  core_pr_number=$(basename "${changelog_file}" .md)
+                  core_pr_number="$(basename "${changelog_file}" .md)"
                   core_pr_url="https://github\.com/WordPress/wordpress-develop/pull/${core_pr_number}"
 
                   # Confirm that the entry has the correct core backport PR URL.

.github/workflows/check-backport-changelog.yml

@@ -14,31 +14,42 @@ on:
             - '!packages/components/src/**/*.native.js'
             - '!packages/components/src/**/*.native.scss'
             - '!packages/components/src/**/react-native-*'
+
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
     check:
         name: Check CHANGELOG diff
         runs-on: ubuntu-latest
+        permissions:
+            contents: read
         steps:
             - name: 'Get PR commit count'
-              run: echo "PR_COMMIT_COUNT=$(( ${{ github.event.pull_request.commits }} + 1 ))" >> "${GITHUB_ENV}"
+              env:
+                  PR_COUNT: ${{ github.event.pull_request.commits }}
+              run: echo "PR_COMMIT_COUNT=$(( PR_COUNT + 1 ))" >> "${GITHUB_ENV}"
             - name: Checkout code
               uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
               with:
                   ref: ${{ github.event.pull_request.head.ref }}
                   repository: ${{ github.event.pull_request.head.repo.full_name }}
                   fetch-depth: ${{ env.PR_COMMIT_COUNT }}
                   show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+                  persist-credentials: false
             - name: 'Fetch relevant history from origin'
-              run: git fetch origin ${{ github.event.pull_request.base.ref }}
+              run: git fetch origin "$GITHUB_BASE_REF"
             - name: Check CHANGELOG status
               env:
                   PR_NUMBER: ${{ github.event.number }}
+                  BASE_SHA: ${{ github.event.pull_request.base.sha }}
               run: |
                   changelog_path="packages/components/CHANGELOG.md"
                   optional_check_notice="This isn't a required check, so if you think your changes are small enough that they don't warrant a CHANGELOG entry, please go ahead and merge without one."
 
                   # Fail if the PR doesn't touch the changelog
-                  if git diff --quiet ${{ github.event.pull_request.base.sha }} HEAD -- "$changelog_path"; then
+                  if git diff --quiet "$BASE_SHA" HEAD -- "$changelog_path"; then
                     echo "Please add a CHANGELOG entry to $changelog_path"
                     echo
                     echo "${optional_check_notice}"

.github/workflows/check-components-changelog.yml

@@ -16,9 +16,17 @@ concurrency:
     group: ${{ github.workflow }}
     cancel-in-progress: false
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
     cherry-pick:
         runs-on: ubuntu-latest
+        permissions:
+          contents: write
+          issues: write
+          pull-requests: read
         # When in the context of a PR, ensure the PR is merged.
         if: github.event.pull_request == null || github.event.pull_request.merged == true
         steps:
@@ -74,6 +82,7 @@ jobs:
               with:
                   token: ${{ secrets.GUTENBERG_TOKEN }}
                   fetch-depth: 0
+                  persist-credentials: false
 
             - name: Set up Git
               if: env.cherry_pick == 'true'
@@ -85,20 +94,20 @@ jobs:
               id: cherry-pick
               if: env.cherry_pick == 'true'
               run: |
-                  TARGET_BRANCH="wp/${{ env.version }}"
-                  COMMIT_SHA="${{ env.commit_sha }}"
+                  TARGET_BRANCH="wp/${version}"
+                  COMMIT_SHA="${commit_sha}"
                   echo "Target branch: $TARGET_BRANCH"
                   echo "Commit SHA: $COMMIT_SHA"
-                  git checkout $TARGET_BRANCH
-                  git cherry-pick $COMMIT_SHA || echo "cherry-pick-failed" > result
+                  git checkout "$TARGET_BRANCH"
+                  git cherry-pick "$COMMIT_SHA" || echo "cherry-pick-failed" > result
                   if [ -f result ] && grep -q "cherry-pick-failed" result; then
-                    echo "conflict=true" >> $GITHUB_ENV
+                    echo "conflict=true" >> "$GITHUB_ENV"
                     git cherry-pick --abort
                   else
-                    CHERRY_PICK_SHA=$(git rev-parse HEAD)
-                    echo "conflict=false" >> $GITHUB_ENV
-                    echo "cherry_pick_sha=$CHERRY_PICK_SHA" >> $GITHUB_ENV
-                    git push origin $TARGET_BRANCH
+                    CHERRY_PICK_SHA="$(git rev-parse HEAD)"
+                    echo "conflict=false" >> "$GITHUB_ENV"
+                    echo "cherry_pick_sha=$CHERRY_PICK_SHA" >> "$GITHUB_ENV"
+                    git push origin "$TARGET_BRANCH"
                   fi
 
             - name: Remove cherry-pick label

.github/workflows/cherry-pick-wp-release.yml

@@ -12,10 +12,16 @@ concurrency:
     group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
     cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
     checks:
         name: Checks w/Node.js ${{ matrix.node }} on ${{ matrix.os }}
         runs-on: ${{ matrix.os }}
+        permissions:
+          contents: read
         if: ${{ github.repository == 'WordPress/gutenberg' || github.event_name == 'pull_request' }}
         strategy:
             fail-fast: false
@@ -27,6 +33,7 @@ jobs:
             - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
               with:
                   show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+                  persist-credentials: false
 
             - name: Setup Node.js and install dependencies
               uses: ./.github/setup-node

.github/workflows/create-block.yml

@@ -15,10 +15,16 @@ concurrency:
     group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
     cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
     e2e-playwright:
         name: Playwright - ${{ matrix.part }}
         runs-on: ubuntu-latest
+        permissions:
+          contents: read
         if: ${{ github.repository == 'WordPress/gutenberg' || github.event_name == 'pull_request' }}
         strategy:
             fail-fast: false
@@ -30,6 +36,7 @@ jobs:
             - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
               with:
                   show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+                  persist-credentials: false
 
             - name: Setup Node.js and install dependencies
               uses: ./.github/setup-node
@@ -48,8 +55,10 @@ jobs:
             - name: Run the tests
               env:
                   PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
+                  SHARD_PART: ${{ matrix.part }}
+                  SHARD_TOTAL: ${{ matrix.totalParts }}
               run: |
-                  xvfb-run --auto-servernum --server-args="-screen 0 1280x960x24" -- npm run test:e2e -- --shard=${{ matrix.part }}/${{ matrix.totalParts }}
+                  xvfb-run --auto-servernum --server-args="-screen 0 1280x960x24" -- npm run test:e2e -- --shard="${SHARD_PART}/${SHARD_TOTAL}"
 
             - name: Archive debug artifacts (screenshots, traces)
               uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
@@ -72,6 +81,7 @@ jobs:
         if: ${{ !cancelled() }}
         needs: [e2e-playwright]
         runs-on: ubuntu-latest
+        permissions: {}
         outputs:
             has-flaky-test-report: ${{ !!steps.merge-flaky-tests-reports.outputs.artifact-id }}
         steps:
@@ -99,15 +109,20 @@ jobs:
         needs: [merge-artifacts]
         if: ${{ needs.merge-artifacts.outputs.has-flaky-test-report == 'true' }}
         runs-on: ubuntu-latest
+        permissions:
+          contents: read
+          issues: write
+          pull-requests: write
         steps:
             # Checkout defaults to using the branch which triggered the event, which
             # isn't necessarily `trunk` (e.g. in the case of a merge).
             - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
               with:
                   ref: trunk
                   show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+                  persist-credentials: false
 
-            - uses: actions/download-artifact@v4.2.1
+            - uses: actions/download-artifact@v4.3.0
               # Don't fail the job if there isn't any flaky tests report.
               continue-on-error: true
               with:

.github/workflows/end2end-test.yml

@@ -2,6 +2,11 @@ name: Enforce labels on Pull Request
 on:
     pull_request_target:
         types: [labeled, unlabeled, ready_for_review, review_requested]
+
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
     type-related-labels:
         runs-on: ubuntu-latest

.github/workflows/enforce-pr-labels.yml

@@ -1,14 +1,22 @@
 name: 'Validate Gradle Wrapper'
 on: [push, pull_request]
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
     validation:
         name: 'Validation'
         runs-on: ubuntu-latest
+        permissions:
+          contents: read
         steps:
             - name: Checkout repository
               uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
               with:
                   show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+                  persist-credentials: false
+
             - name: Validate checksums
               uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2