Merging latest from upstream

.gitattributes

@@ -0,0 +1,2 @@
+/.gitattributes export-ignore
+/.github export-ignore

.github/actions/setup-step-ca/action.yml

@@ -0,0 +1,42 @@
+name: Setup Step CA ACME server
+description: Installs and runs an ACME compatible server via step-ca
+inputs:
+  path:
+    description: 'step-ca path'
+    required: false
+    default: /root/.step
+runs:
+  using: composite
+  steps:
+    - name: Set STEP_CA_PATH env
+      run: echo STEP_CA_PATH=${{ inputs.path }} >> $GITHUB_ENV
+      shell: bash
+    - name: Download packages
+      run: |
+        wget -q https://dl.step.sm/gh-release/cli/docs-ca-install/v0.18.1/step-cli_0.18.1_amd64.deb
+        wget -q https://dl.step.sm/gh-release/certificates/docs-ca-install/v0.18.1/step-ca_0.18.1_amd64.deb
+      shell: bash
+    - name: Install packages
+      run: |
+        sudo dpkg -i step-cli_0.18.1_amd64.deb
+        sudo dpkg -i step-ca_0.18.1_amd64.deb
+      shell: bash
+    - name: Create password file
+      run: |
+        sudo mkdir $STEP_CA_PATH && sudo touch $STEP_CA_PATH/password.txt
+        echo $(openssl rand -hex 12) | sudo tee $STEP_CA_PATH/password.txt
+      shell: bash
+    - name: Initialize
+      run: |
+        sudo step ca init --name trellis-local-ca --dns 127.0.0.1 --address :8443 --provisioner admin --password-file $STEP_CA_PATH/password.txt --provisioner-password-file $STEP_CA_PATH/password.txt
+        sudo step ca provisioner add acme --type ACME
+      shell: bash
+    - name: Install certificate to system
+      run: |
+        sudo step certificate install $STEP_CA_PATH/certs/root_ca.crt
+      shell: bash
+    - name: Run service
+      run: |
+        sudo cp .github/files/step-ca.service /etc/systemd/system/step-ca.service
+        sudo systemctl start step-ca
+      shell: bash

.github/files/inventory

@@ -0,0 +1,4 @@
+[production]
+localhost ansible_connection=local ansible_python_interpreter=/usr/bin/python3
+[web]
+localhost ansible_connection=local ansible_python_interpreter=/usr/bin/python3

.github/files/step-ca.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=step-ca service
+After=network.target
+StartLimitIntervalSec=0
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=1
+Environment=STEPPATH=/root/.step
+WorkingDirectory=/root/.step
+ExecStart=/usr/bin/step-ca config/ca.json --password-file password.txt
+
+[Install]
+WantedBy=multi-user.target

.github/files/vault.yml

@@ -0,0 +1,48 @@
+# Documentation: https://roots.io/trellis/docs/vault/
+vault_mysql_root_password: productionpw
+
+# Documentation: https://roots.io/trellis/docs/security/
+vault_users:
+  - name: "{{ admin_user }}"
+    password: example_password
+    salt: "generateme"
+
+# Variables to accompany `group_vars/production/wordpress_sites.yml`
+# Note: the site name (`example.com`) must match up with the site name in the above file.
+vault_wordpress_sites:
+  example.com:
+    env:
+      db_password: example_dbpassword
+      # Generate your keys here: https://roots.io/salts.html
+      auth_key: "generateme"
+      secure_auth_key: "generateme"
+      logged_in_key: "generateme"
+      nonce_key: "generateme"
+      auth_salt: "generateme"
+      secure_auth_salt: "generateme"
+      logged_in_salt: "generateme"
+      nonce_salt: "generateme"
+  example-https.com:
+    env:
+      db_password: example_dbpassword
+      # Generate your keys here: https://roots.io/salts.html
+      auth_key: "generateme"
+      secure_auth_key: "generateme"
+      logged_in_key: "generateme"
+      nonce_key: "generateme"
+      auth_salt: "generateme"
+      secure_auth_salt: "generateme"
+      logged_in_salt: "generateme"
+      nonce_salt: "generateme"
+  redis.example.com:
+    env:
+      db_password: example_dbpassword
+      # Generate your keys here: https://roots.io/salts.html
+      auth_key: "generateme"
+      secure_auth_key: "generateme"
+      logged_in_key: "generateme"
+      nonce_key: "generateme"
+      auth_salt: "generateme"
+      secure_auth_salt: "generateme"
+      logged_in_salt: "generateme"
+      nonce_salt: "generateme"

.github/files/wordpress_sites.yml

@@ -0,0 +1,50 @@
+wordpress_sites:
+  example.com:
+    site_hosts:
+      - canonical: example.com
+        redirects:
+          - www.example.com
+    local_path: ../site
+    repo: [email protected]:roots/bedrock.git
+    branch: master
+    multisite:
+      enabled: false
+    ssl:
+      enabled: false
+      provider: letsencrypt
+    cache:
+      enabled: true
+  example-https.com:
+    site_hosts:
+      - canonical: example-https.com
+        redirects:
+          - www.example-https.com
+    local_path: ../site
+    repo: [email protected]:roots/bedrock.git
+    branch: master
+    multisite:
+      enabled: false
+    ssl:
+      enabled: true
+      provider: letsencrypt
+    cache:
+      enabled: false
+  redis.example.com:
+    site_hosts:
+      - canonical: redis.example.com
+        redirects:
+          - www.redis.example.com
+    local_path: ../site
+    repo: [email protected]:roots/bedrock.git
+    branch: master
+    multisite:
+      enabled: false
+    ssl:
+      enabled: false
+      provider: letsencrypt
+    cache:
+      enabled: true
+    object_cache:
+      enabled: true
+      provider: redis
+      database: 0

.github/renovate.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:base"],
+  "customManagers": [
+    {
+      "customType": "regex",
+      "fileMatch": ["^galaxy\\.ya?ml$"],
+      "matchStrings": [
+        "- name: (?<depName>[^\\n]+)\\n\\s+src: (?<packageName>[^\\n]+)\\n\\s+version: (?<currentValue>[^\\n]+)"
+      ],
+      "datasourceTemplate": "galaxy",
+      "versioningTemplate": "loose"
+    }
+  ],
+  "github-actions": {
+    "enabled": true
+  }
+}

.github/workflows/ci.yml

@@ -0,0 +1,37 @@
+name: ci
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+  workflow_dispatch:
+
+jobs:
+  test:
+    runs-on: ubuntu-24.04
+    strategy:
+      matrix:
+        python-version: ['3.x']
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-python@v6
+        with:
+          python-version: ${{ matrix.python-version }}
+          architecture: x64
+          cache: 'pip'
+      - run: pip install -r requirements.txt
+      - uses: actions/cache@v5
+        with:
+          path: vendor
+          key: ${{ runner.os }}-galaxy-${{ hashFiles('galaxy.yml') }}
+      - run: ansible-galaxy install -r galaxy.yml
+      - name: Check playbook syntax
+        run: |
+          ansible-playbook --syntax-check -e env=development deploy.yml
+          ansible-playbook --syntax-check -e env=development dev.yml
+          ansible-playbook --syntax-check -e env=development server.yml
+          ansible-playbook --syntax-check -e env=development rollback.yml
+          ansible-playbook --syntax-check -e xdebug_tunnel_inventory_host=1 xdebug-tunnel.yml

.github/workflows/discourse.yml

@@ -0,0 +1,17 @@
+name: Post release topic on Discourse
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  post:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: roots/discourse-topic-github-release-action@main
+      with:
+        discourse-api-key: ${{ secrets.DISCOURSE_RELEASES_API_KEY }}
+        discourse-base-url: ${{ secrets.DISCOURSE_BASE_URL }}
+        discourse-author-username: swalkinshaw
+        discourse-category: 12
+        discourse-tags: releases