From 663d4c04408369657aef8a2f3556ad41bfb95445 Mon Sep 17 00:00:00 2001
From: Weston Ruter <weston@ruter.net>
Date: Wed, 13 May 2026 10:58:24 -0700
Subject: [PATCH 1/4] Copilot: pre-warm wp-env in the coding agent's setup
 steps

The Copilot coding agent's firewall blocks DNS for hosts not on its
allowlist, so `wp-env start` (called from `npm run test-php`) fails when
it tries to download WordPress core from wordpress.org.

Add `.github/workflows/copilot-setup-steps.yml`, the special workflow
Copilot runs in its dev environment before the firewall engages, to
pre-fetch everything the agent will need offline later: WordPress core,
Composer/npm packages, and the Docker images wp-env uses. The filename
and the `copilot-setup-steps` job name are both required exactly for
Copilot to pick it up, and the file must be on the default branch to
take effect.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/copilot-setup-steps.yml | 45 +++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 .github/workflows/copilot-setup-steps.yml

diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
new file mode 100644
index 0000000000..b44085b7f5
--- /dev/null
+++ b/.github/workflows/copilot-setup-steps.yml
@@ -0,0 +1,45 @@
+name: Copilot Setup Steps
+
+# Pre-warms the GitHub Copilot coding agent's development environment so that
+# everything fetched from the network (WordPress core from wordpress.org,
+# Composer/npm packages, and the Docker images wp-env needs) is available
+# before Copilot's network firewall engages. Without this, `npm run test-php`
+# fails when `wp-env start` tries to download WordPress and is blocked at the
+# DNS layer.
+#
+# The filename and the `copilot-setup-steps` job name are required exactly —
+# Copilot will not pick up the workflow otherwise.
+# See: https://docs.github.com/en/copilot/customizing-copilot/customizing-the-development-environment-for-copilot-coding-agent
+
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+  pull_request:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+
+permissions: {}
+
+jobs:
+  copilot-setup-steps:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Setup Node.js (.nvmrc)
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version-file: '.nvmrc'
+          cache: npm
+      - name: npm install
+        run: npm ci
+      - name: Composer install
+        run: composer install --no-interaction --no-progress
+      - name: Build assets
+        run: npm run build
+      - name: Install WordPress
+        run: npm run wp-env start
\ No newline at end of file

From 72197593a8693cefc6bd317364621655274ccc76 Mon Sep 17 00:00:00 2001
From: Weston Ruter <weston@ruter.net>
Date: Thu, 14 May 2026 11:35:33 -0700
Subject: [PATCH 2/4] Copilot setup steps: install husky hooks after npm ci

The repo's .npmrc sets `ignore-scripts = true` to mitigate supply-chain
attacks, which also blocks this project's own `prepare` script from
running. So `npm ci` leaves the husky pre-commit hooks (phpstan-diff,
PHPCS) uninstalled. Run `npm run prepare` explicitly so the agent's
commits get the same hook coverage as a local contributor's.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/copilot-setup-steps.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
index b44085b7f5..bf456db551 100644
--- a/.github/workflows/copilot-setup-steps.yml
+++ b/.github/workflows/copilot-setup-steps.yml
@@ -37,6 +37,11 @@ jobs:
           cache: npm
       - name: npm install
         run: npm ci
+      - name: Install husky git hooks
+        # The repo's .npmrc sets `ignore-scripts = true`, so `npm ci` skips the
+        # `prepare` script that wires up husky. Run it explicitly so the agent's
+        # commits get the pre-commit hooks (phpstan-diff, PHPCS) applied.
+        run: npm run prepare
       - name: Composer install
         run: composer install --no-interaction --no-progress
       - name: Build assets

From 1682fa7a7b55981875acbe064bbff6291b824e9e Mon Sep 17 00:00:00 2001
From: Weston Ruter <weston@ruter.net>
Date: Thu, 14 May 2026 11:43:49 -0700
Subject: [PATCH 3/4] Copilot setup steps: pin PHP 8.2 and cache Composer
 downloads
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pull two additions over from #2352 (Copilot's own attempt at this
workflow):

- Pin PHP via shivammathur/setup-php so `composer install` runs against
  a deterministic interpreter across runner image updates. Pinned to
  8.2 since that's the WordPress.org-reported most-used PHP version,
  which matches what most plugin users actually run.
- Cache the Composer cache directory across runs. The first session
  still pays the full packagist download cost, but subsequent setup-step
  runs restore the cache and `composer install` does much less network
  work — which both speeds the agent up and reduces firewall surface.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/copilot-setup-steps.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
index bf456db551..52b5e6752a 100644
--- a/.github/workflows/copilot-setup-steps.yml
+++ b/.github/workflows/copilot-setup-steps.yml
@@ -42,6 +42,22 @@ jobs:
         # `prepare` script that wires up husky. Run it explicitly so the agent's
         # commits get the pre-commit hooks (phpstan-diff, PHPCS) applied.
         run: npm run prepare
+      - name: Set up PHP
+        # Pinned to 8.2 because that's the WordPress.org-reported most-used
+        # PHP version, so it matches what the majority of plugin users run.
+        uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
+        with:
+          php-version: '8.2'
+      - name: Get Composer cache directory
+        id: composer-cache
+        run: echo "dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT"
+      - name: Cache Composer downloads
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        with:
+          path: ${{ steps.composer-cache.outputs.dir }}
+          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-composer-
       - name: Composer install
         run: composer install --no-interaction --no-progress
       - name: Build assets

From 0726dce7e93f4efab81f7c5decd45ad945f9e66d Mon Sep 17 00:00:00 2001
From: Weston Ruter <weston@ruter.net>
Date: Thu, 14 May 2026 11:44:42 -0700
Subject: [PATCH 4/4] Add EOF EOL and improve step name

---
 .github/workflows/copilot-setup-steps.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
index 52b5e6752a..2c016deb7e 100644
--- a/.github/workflows/copilot-setup-steps.yml
+++ b/.github/workflows/copilot-setup-steps.yml
@@ -62,5 +62,5 @@ jobs:
         run: composer install --no-interaction --no-progress
       - name: Build assets
         run: npm run build
-      - name: Install WordPress
-        run: npm run wp-env start
\ No newline at end of file
+      - name: Install WordPress and start environment
+        run: npm run wp-env start