
ci: automate WordPress.org deployment with GitHub Actions #867

Merged
GaryJones merged 1 commit into develop from security/harden-github-workflows
Dec 27, 2025

Conversation

@GaryJones Contributor

Summary

  • Replaces manual SVN deployment with automated GitHub Actions workflow
  • Adds security hardening to all workflows (SHA-pinned actions, minimal permissions)
  • Cleans up legacy build artifacts and deployment scripts

Changes

New deployment workflow

  • Triggers on GitHub Release creation
  • Builds assets with npm ci && npm run build
  • Deploys to WordPress.org SVN using 10up/action-wordpress-plugin-deploy
  • Attaches distribution zip to the GitHub Release

Security improvements

  • All GitHub Actions pinned to specific SHAs
  • Minimal permissions at workflow and job level
  • Disabled npm cache in release workflow to prevent cache poisoning

Cleanup

  • Moved screenshots and icon to .wordpress-org/ (required by 10up action)
  • Removed legacy .svnignore and bin/prepare-svn-release.sh
  • Removed orphaned dist/ and modules/calendar/lib/dist/ directories (PHP loads from build/)
  • Updated .distignore with comprehensive exclusions
  • Updated PUBLISHING.md to document new automated workflow

Test plan

  • Verify PHP linting workflow passes
  • Test deployment by creating a pre-release (when ready)

🤖 Generated with Claude Code

Replace manual SVN deployment with an automated GitHub Actions workflow
that triggers on GitHub Releases. The new workflow builds assets, deploys
to WordPress.org SVN, and attaches a distribution zip to the release.

Key changes:
- Add deploy.yml workflow using 10up/action-wordpress-plugin-deploy
- Security harden all workflows (SHA-pinned actions, minimal permissions)
- Move screenshots and icon to .wordpress-org/ for 10up action compatibility
- Expand .distignore to exclude all development files from distribution
- Remove legacy deployment tooling (.svnignore, bin/prepare-svn-release.sh)
- Remove orphaned build artifacts (dist/, modules/calendar/lib/dist/)
- Update PUBLISHING.md to document the automated workflow

The dist/ directories contained legacy build output from before the build
was centralised to /build/ via wp-scripts. The PHP already loads from
build/, so these files were unused.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
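As an added example (not code from this PR or the project), the following Python check covers the three hardening points listed in the description: every `uses:` reference pinned to a full commit SHA, an explicit workflow-level `permissions:` block, and no npm cache in the release job. It runs over two constructed sample workflows, one hardened and one not. All 40-hex SHAs are placeholders, `example-plugin` is a placeholder slug, and the use of softprops/action-gh-release to attach the zip is an assumption (the PR does not name the action used for that step); the 10up action's `SVN_USERNAME`/`SVN_PASSWORD`/`SLUG`/`ASSETS_DIR` environment variables, `generate-zip` input and `zip-path` output are as that action documents them.

```python
"""Added example (not code from this PR or the project): dependency-free
checks for SHA pinning, workflow-level permissions and a disabled npm cache,
applied to two constructed sample workflows. All SHAs are placeholders."""
import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
CACHE_RE = re.compile(r"^\s*cache:\s*(\S+)")


@dataclass
class Finding:
    line: int    # 1-based line in the workflow; 0 for file-level findings
    rule: str
    detail: str


def check_workflow(text: str, release: bool = True) -> list[Finding]:
    """Flag actions not pinned to a full commit SHA, a missing workflow-level
    permissions: block and, for release workflows, an enabled npm cache."""
    findings: list[Finding] = []
    top_level_permissions = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # drop YAML comments
        if line.startswith("permissions:"):        # column 0 == workflow level
            top_level_permissions = True
        if m := USES_RE.match(line):
            ref = m.group(1)
            if not ref.startswith("./"):           # local actions carry no ref
                _, _, version = ref.partition("@")
                if not SHA_RE.match(version):      # tags/branches are mutable
                    findings.append(Finding(n, "unpinned-action", ref))
        if release and (m := CACHE_RE.match(line)) and m.group(1) != "false":
            findings.append(Finding(n, "npm-cache-in-release", line.strip()))
    if not top_level_permissions:
        findings.append(Finding(0, "missing-permissions", "no workflow-level permissions:"))
    return findings


# Constructed hardened workflow: SHAs and slug are placeholders.
HARDENED = """\
name: Deploy to WordPress.org
on:
  release:
    types: [published]
permissions:
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # only this job may attach the zip to the release
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000   # placeholder SHA
      - uses: actions/setup-node@1111111111111111111111111111111111111111   # placeholder SHA
        with:
          node-version: 20   # no npm cache on the release build
      - run: npm ci && npm run build
      - id: deploy
        uses: 10up/action-wordpress-plugin-deploy@2222222222222222222222222222222222222222   # placeholder SHA
        with:
          generate-zip: true
        env:
          SVN_USERNAME: ${{ secrets.SVN_USERNAME }}
          SVN_PASSWORD: ${{ secrets.SVN_PASSWORD }}
          SLUG: example-plugin   # placeholder slug
          ASSETS_DIR: .wordpress-org
      - uses: softprops/action-gh-release@3333333333333333333333333333333333333333   # assumed uploader, placeholder SHA
        with:
          files: ${{ steps.deploy.outputs.zip-path }}
"""

# Constructed unhardened workflow: floating tags, npm cache, no permissions.
WEAK = """\
name: Deploy
on:
  release:
    types: [published]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci && npm run build
      - uses: 10up/action-wordpress-plugin-deploy@stable
"""
```

`check_workflow(HARDENED)` returns no findings; `check_workflow(WEAK)` reports the three floating refs, the `cache: npm` line and the absent `permissions:` block. The check is line-based on purpose so it can run in CI without a YAML parser; it only looks at column-0 `permissions:` because job-level blocks alone still leave the default token scope for any job that omits one.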
@GaryJones GaryJones requested a review from a team as a code owner December 27, 2025 19:02
@GaryJones GaryJones self-assigned this Dec 27, 2025
@GaryJones GaryJones added the type: maintenance Routine maintenance and code quality improvements label Dec 27, 2025
@GaryJones GaryJones added this to the Next (minor) milestone Dec 27, 2025
@GaryJones GaryJones merged commit c0845f7 into develop Dec 27, 2025
14 checks passed
@GaryJones GaryJones deleted the security/harden-github-workflows branch December 27, 2025 19:14
@GaryJones GaryJones mentioned this pull request Jan 4, 2026