Drupal Core Roadmap for Automatic Updates

Core Alpha Experimental blockers for Package Manager

These issues block #3346707: Add Alpha level Experimental Package Manager module.

Dependencies

1. ⚠️ core issue⚠️#3331078: Add php-tuf/composer-stager to core dependencies and governance — for experimental Automatic Updates & Project Browser modules
2. ⚠️ core issue⚠️#3370269: [policy] Add php-tuf/php-tuf to core governance — for experimental Automatic Updates & Project Browser modules
3. ⚠️ core issue⚠️#3370270: Add php-tuf/composer-integration to core dependencies and governance — for experimental Automatic Updates & Project Browser modules
4. ⚠️ infrastructure issue⚠️#3343490: Deploy rugged for TUF signing to production
5. ⚠️ infrastructure issue⚠️#3352216: Securely sign Drupal core packages, even though they are hosted on GitHub/packagist directly (or alternative solution for drupal/core to be TUF protected)

Security ^(gate)

1. ⚠️ core issue⚠️#3352210: Security review of secure signing components for package manager
2. #3358504: Require PHP-TUF's Composer integration plugin

Policy Questions

1. ⚠️ core issue⚠️#3349368: [policy, no patch] How much of The Update Framework integration is needed for alpha-level review/commit of Package Manager?
2. ⚠️ core issue⚠️#3385644: [policy, no patch] Consider whether to keep Package Manager and Automatic Updates in a separate repo/package than core in order to facilitate releasing updates to the updater

API

Currently none! 🎉

Miscellaneous issues

Currently none! 🎉

Core Alpha Experimental blockers for Automatic Updates

These issues, plus the ones above, block #3253158: Add Alpha level Experimental Automatic Updates module.

1. #3377458: Remove work arounds for 10.0.x support
2. #3392196: Exceptions in batch no longer are shown on the page when Javascript is disabled - Core bug in 11.x, our AU tests will not pass without it.
3. #3397228: Possible random failure in build tests for cron updates

Core Beta Experimental blockers for Package Manager and Automatic Updates

These issues, plus the ones above, block promoting PM and AU to beta-level stability in core.

Reliability

Currently none! 🎉

Testing ^(gate)

None

Public API

None

Maintainability

None!

Core mergeability

Currently none! 🎉

Policy Questions

1. #3408901: [policy, no patch] Decide if and when automatic updates should rely only on packagist data to determine installability of modules

Post-MVP ^{Stable blockers or Post-Stable}

Beta blockers

#3474292: Package manager/ Automatic Updates should disallow composer patches by default

Stable blockers

To be categorized as beta/stable blockers or post stable clean-up:

Usability

1. #3321972: Make readiness check failure messages clear, consistent, and actionable - Needs summary update to actually define the problem and see if it is really a blocker
2. #3346644: If an error occurs during an attended process, delete the stage on behalf of the user

Not yet categorized

1. #3336867: Identify & vet commonly used composer plugins in the Drupal ecosystem
2. #3338651: Drupal core's coding standards forbid translated exceptions, but does that anyway — f.e. FileValidationException
3. #3345649: Update every ComposerValidator-dependent validator to have explicit test coverage that that dependency works
4. #3342790: Validate PHP version to be used by the Composer process calls
5. #3354011: Support scanning Composer Stager library for translatable strings

Core Merge request planning

This is section deals with issues that won't necessary results in changes to the core versions of the module but will make it easier to ensure that contrib version is easy to automatically convert to the versions in the core merge requests and that these merge requests will pass tests.

We are currently relying on Drupalci to test the contrib module. Although Core uses gitlab only now switching to gitlab in the contrib module would not necessarily make things easier for us because core and contrib modules are set up differently for gitlab testing. We can use drupalci until July. If we are not in core by June we can convert our tests to gitlab.

We are currently using our .gitlab-ci.yml to:

1. convert the module to the core version, using them same composer core-convert command we use to make the merge requests
2. Run the all tests besides the Build tests on the core converted version

Alnought .gitlab-ci.yml attempts to make sure we don't break the core onversion it is not exactly like test in in the core merge requests. For this reason we have a core issue #3411111: Automatic Updates Gitlab Conversion test issue that we can use to test out the conversion. We can use this avoid noise on the core merge request issues that will be reviewed especially when we are making changes to the converter itself or want to test out the conversion in the middle of contrib issue exactly how it will be in core.

Here are the remaining issue that need to be addressed

1. #3411110: Test Automatic Updates and Package Manager as part of Drupal core 11.x on GitLab CI. we can't test in 11.x, our target core version, in DrupalCi.
2. #3411240: Run core code quality checks on the core converted version of the module
3. #3411241: Expand ConverterCommand documentation to make it easier to run.

🏁 Completed

This section mimics the structure of the above sections.

Dependencies

1. #3317409: Update Composer Stager to v1.2.0
2. #3302524: Support Composer 2.2
3. #3298444: Symlink validator should delegate to Composer Stager's precondition
4. #3321933: Remove dependency on symfony/finder
5. #3345039: Remove dependency on symfony/config
6. #3345766: CollectIgnoredPathsFailValidator should use ComposerInspector instead of ComposerUtility
7. #3345772: \Drupal\automatic_updates\Form\UpdateReady should use ComposerInspector instead of ComposerUtility
8. #3345754: Updater should use ComposerInspector instead of ComposerUtility
9. #3345767: FakeSiteFixtureTest should use ComposerInspector instead of ComposerUtility
10. #3345771: VersionPolicyValidator should use ComposerInspector instead of ComposerUtility
11. #3345757: \Drupal\automatic_updates_extensions\Form\UpdateReady should use ComposerInspector instead of ComposerUtility
12. #3345769: RequestedUpdateValidator should use ComposerInspector instead of ComposerUtility
13. #3345755: ExtensionUpdater should use ComposerInspector instead of ComposerUtility
14. #3345761: UpdateReleaseValidator should use ComposerInspector instead of ComposerUtility
15. #3345760: \Drupal\automatic_updates_extensions\Form\UpdaterForm should use ComposerInspector instead of ComposerUtility
16. #3337760: ComposerPatchesValidator should use ComposerInspector instead of ComposerUtility
17. #3345762: GitExcluder should use ComposerInspector instead of ComposerUtility
18. #3346628: FixtureManipulator should only use Composer commands, rather than manipulating JSON directly
19. #3345763: UnknownPathExcluder should use ComposerInspector instead of ComposerUtility
20. #3345633: Remove FixtureManipulator::modifyPackage() last usage
21. #3342227: ScaffoldFilePermissionsValidator should use ComposerInspector instead of ComposerUtility
22. #3347031: Stage::validatePackageNames() should not use the Composer API
23. #3316368: Remove our runtime dependency on composer/composer: remove ComposerUtility - should review core issue #3243899: [policy] Move composer/composer from a dev dependency to a production dependency to determine if we shouldn't just use Composer API directly
24. #3347959: ComposerPluginsValidator uses Composer's internal Package class
25. #3321905: Add colinodell/psr-test-logger to core's dev dependencies
26. #3360485: Add Symfony Console command to allow running cron updates via console and by a separate user, for defense-in-depth

Security ^(gate)

1. #3316617: Add a validator to check that PHP-TUF's Composer integration is present and configured correctly
2. #3351247: Harden our HTTPS requirement
3. #3311200: Cron updater should delete the existing stage if not available and the site is currently on an insecure version
4. #3316611: If unattended updates are enabled, send an email when status checks start failing
5. #3356804: Flag a warning during status check if the OpenSSL extension is not enabled
6. #3360763: Switch failure marker file from *.json to *.yml to prevent it from being readable from the web
7. #3400146: Require the OpenSSL extension

UX improvements

1. #3314787: StagedDBUpdateValidator will throw an exception during status check if the stage exists, but is unclaimed
2. #3280403: Show all updates for all supported branches in the current major on the update form
3. #3316932: Do not skip 'update.settings' route in displaying status check messages
4. #3281340: [Plan] Send emails
5. #3310696: if only newer releases are pre-releases Updating from one minor to latest version Drupal version, module does not show any other updates
6. #3313349: Possible DB updates are displayed twice on UpdateReady form
7. #3313717: Improve the wording of UpdateException when re-throwing an ApplyFailedException
8. #3310946: Improve the wording of the email notifications about a failed unattended update
9. #3299087: Override the core Update module's routes to redirect to Automatic Updates' form
10. #3308711: Dispatch StatusCheckEvent in UpdateReady forms and do not allow the update to continue if there are errors
11. #3299612: Send an email when an unattended update fails
12. #3305240: Add a link to the the symlink validation message in package_manager to the updated help page
13. #3304617: Display readiness checks failure at admin/reports/updates/automatic-update
14. #3321206: The same xdebug warning shows on the status report 2 times
15. #3325654: Improve the user experience of having your staged update deleted before it was applied
16. #3339657: Always show summary of validation result if exists
17. #3339016: "Composer not found" does provide link to help page
18. #3342430: Hard failure after module install if composer is not found
19. #3319507: Add symlink support to Composer Stager 2.0, require that version, and simplify UX & tests accordingly
20. #3347267: ComposerMinimumStabilityValidator doesn't check dev packages
21. #3284443: Enable unattended updates
22. #3357657: ComposerValidator's hook_help() integration is imprecise and incomplete
23. #3362143: Use the rsync file syncer by default

Documentation ^(gate)

1. #3314143: Add documentation for testing minor updates
2. #3312669: Add help text explaining how to set an alternate port for cron
3. #3309025: Document that Stage::require() does not need version numbers
4. #3303727: Document in README how to add paths to composer.json:extra.drupal-core-vendor-hardening to avoid symlink errors
5. #3336243: Update Package Manager event documentation in package_manager.api.php
6. #3325869: Improve documentation for package_manager_bypass test module
7. #3318306: Define the Package Manager API (package_manager.api.php is outdated)

Testing ^(gate)

1. #3337049: Assert no errors after creating the test project in ModuleUpdateTest(still open but now only affects automatic_updates_extensions)
2. #3338666: Add functional test that proves there is reasonable UX whenever a stage event subscriber has an exception
3. #3348159: Fix remaining @todos in ComposerPluginsValidatorTest
4. #3348129: Autowire everything everywhere all at once … in *Test.php files
5. #3319768: Document why using dblog to query logged messages in build tests is justified
6. #3321386: Add missing test coverage in SupportedReleaseValidatorTest
7. #3322203: Make sure packages in our fake-site fixture match in both installed.json and installed.php
8. #3323211: Remove duplicate aaa_update_test.1.1.xml
9. #3323037: Add comment in every release history XML fixture file
10. #3322404: Remove active composer fixture files used for SupportedReleaseValidatorTest
11. #3322589: Assert 'type' key is set in FixtureUtilityTrait::addPackage
12. #3316484: Check if the message "Your site has not recently run an update readiness check." would appear on admin pages after cron is run.
13. #3318625: Remove active composer fixture files in UpdaterFormTest
14. #3275991: Write test coverage for the bug fix in #3275311
15. #3318846: Remove staged fixture files used for SupportedReleaseValidatorTest
16. #3320638: Give more meaningful error results in CoreUpdateTest::testCron
17. #3318313: Make OverwriteExistingPackagesValidatorTest fixture-less
18. #3319044: Refactor assertUpdateSuccessful() to get more meaningful error results.
19. #3320815: Make validation result comparison test messages more helpful
20. #3319497: Build test failure on local in 8.x-2.x due to drupal core packages being added to vendor.json
21. #3316895: Create a test to prove our fake-site is error free starting point
22. #3317988: Make ComposerExecutableValidatorTest easier to understand
23. #3317996: FixtureUtilityTrait's package manipulation methods need to take installation path into account
24. #3317385: Remove staged fixtures from StagedProjectsValidatorTest
25. #3317278: Remove info files from stub modules in StagedProjectsValidatorTest fixtures
26. #3317220: UpdatePathTest fails because expirable values have expired
27. #3298889: Make \Drupal\package_manager_test_api\ApiController more easily extendable
28. #3315700: Remove Environment::setTimeLimit() call from build tests
29. #3316318: Ensure release history fixture files are readable in build tests
30. #3315449: Don't bother testing core updates via the UI or API with the LegacyProject template
31. #3313630: Automatic Updates help has the wrong route name and errors
32. #3313346: UpdateReady is not displaying all the messages for statusCheck validation results
33. #3312085: UpdateReady hides the Continue button if StatusCheckEvent only returns warnings
34. #3306163: Also skip info.yml files in more test directories in DuplicateInfoFileValidator
35. #3303185: Add unit test coverage of PathLocator::getWebRoot()
36. #3308686: Logic error in XdebugValidator
37. #3309676: \Drupal\Tests\automatic_updates\Kernel\ReadinessValidation\StagedProjectsValidatorTest::testEventConsumesExceptionResults should not disable validators
38. #3304640: Logic error in \Drupal\automatic_updates\Controller\UpdateController::onFinish
39. #3305998: Ensure AutoUpdate validator only apply where the stage is an Updater instance
40. #3326934: Tests are failing for php 7.4
41. #3321236: Add actual project folders in \Drupal\Tests\package_manager\Traits\FixtureUtilityTrait::addPackage
42. #3326334: Remove unneeded fixtures folders
43. #3318065: SymlinkValidatorTest doesn't test PreApplyEvent
44. #3320782: xdebug being enabled causes tests to fail without clear indication that it is the problem
45. #3328234: Improve test DX *and* confidence: stop using VFS
46. #3331471: Add documentation for SymlinkValidatorTest
47. #3332256: package_manager_bypass should *minimally* bypass php-tuf/composer-stager, not maximally
48. #3335908: The 'fake_site' fixture cannot be using with `composer show` because the packages are not installed
49. #3337068: PackageManagerKernelTestBase::assertResults does not show actual results if none were expected.
50. #3337062: PackageManagerKernelTestBase::assertResults does not give helpful error message if asserting results are empty fails
51. #3340284: anonymous ProcessOutputCallbackInterface class ComposerInspector::getConfig() assumes __invoke does receive any data in error buffer
52. #3343430: Stop reusing core's commit-code-check.sh in favor of 4 simple commands
53. #3344124: Validate fake_site with composer
54. #3344689: Do not disable package_manager.validator.composer in tests
55. #3344127: Run `composer validate` after FixtureManipulator commits its changes
56. #3343827: Update FixtureManipulator to work with InstalledPackagesList, real composer show command
57. #3345881: Remove fake-site fixture for automatic_updates_extensions
58. #3338789: Random failure: "PHP temp directory (/tmp) does not exist or is not writable to Composer."
59. #3343768: Benchmark how slow using composer require would be in kernel tests
60. #3354099: Add functional test that proves there is reasonable UX whenever Composer Stager operations have a hard failure
61. GH-CS-68: Perform and automate performance testing of Composer Stager's preconditions

Public API

1. #3341406: Document when PostApplyEvent should be used instead of hook_update_n() or post update
2. #3342817: Decide which classes should be internal and/or final — delete ExcludedPathsTrait, make CollectPathsToExcludeEvent richer
3. #3326486: Rename Stage to StageBase to clarify its relationship to its subclasses, and add "Stage" suffix to the Updater classes
4. #3348122: Autowire everything everywhere all at once … in *.services.yml files
5. #3331355: Refactor exception architecture
6. #3322918: Mark everything under */tests/src @internal
7. #3317599: Log an error if protected Stage constants are overridden
8. #3317267: Deprecate the overridability of Stage::TEMPSTORE_LOCK_KEY and Stage::TEMPSTORE_METADATA_KEY
9. #3316115: Change "readiness check" to "status check" everywhere except user-facing strings
10. #3314764: Stop listening to ReadinessCheckEvent
11. #3314946: UpdateReady mistakenly assigns a special CSS class to all validation results
12. #3109082: Allow hosting platforms to declare that they don't support Package Manager
13. #3305167: Warn if apply and post-apply are done in same request
14. #3310702: Stage::__construct() should require $path_factory
15. #3310000: RequireEventTrait should default unspecified version constraints to *
16. #3308404: Make PackageManagerUpdateProcessor internal and final
17. #3304367: Add StatusCheckEvent to report errors and warnings in the staging error to the user
18. #3325716: Deprecate config factory in Stage
19. #3331168: Limit trusted Composer plugins to a known list, allow user to add more
20. #3321474: Adopt PHP 8.1-only capabilities such as constructor property promotion + drop BC layers
21. #3323003: Mark FailureMarker @internal and document ComposerUtility, PathLocator and ValidationResult
22. #3342364: Make StageEvent::$stage a public readonly property, and remove getStage()
23. #3342137: Rename validator methods to `validate` unless there different methods for different events
24. #3334994: Add new InstalledPackagesList which does not rely on Composer API to get package info
25. #3344556: Make ComposerInspector::getVersion() private
26. #3345765: SupportedReleaseValidator should use ComposerInspector instead of ComposerUtility
27. #3345764: OverwriteExistingPackagesValidator should use ComposerInspector instead of ComposerUtility
28. #3345768: StatusCheckTraitTest should use ComposerInspector instead of ComposerUtility
29. #3404429: Add getType to StageBase to allow subclasses to be internal

Reliability

1. #3323461: Hosting environment (e.g. cPanel) may add additional files (including symlinks) to the project, which breaks AU
2. #3357578: str_starts_with($path, '/') does not correctly detect absolute paths on Windows
3. #3337667: Allow JsonProcessOutputCallback and other Composer runner callbacks to gracefully handle deprecated command options
4. #3338346: Do not allow drupal/core-composer-scaffold to be used by packages other than core
5. #3277034: Unhandled Composer Stager exceptions leave the update process in an indeterminate state
6. #3340022: Tighten ComposerPluginsValidator: support only specified version constraint
7. #3318770: Explicitly validate that all request package updates have been updated expected versions
8. #3276645: Run status checkers after form core update
9. #3311200: Cron updater should delete the existing stage if not available and the site is currently on an insecure version - should determine if this is security issue. Maybe not MVP if not a security issue
10. #3320558: When parsing releases, place ProjectRelease::createFromArray in a try block
11. #3321282: Add 'declare(strict_types = 1)' where needed
12. #3315798: Post-apply always fails during cron
13. #3304365: Do not check excluded folders for symlinks
14. #3322931: OverwriteExistingPackagesValidator does not handle packages with no install path
15. #3310666: UpdaterForm throws an exception if you try to update to the next minor beta
16. #3257134: Don't stage node_modules directories
17. #3317232: Stages can be owned by someone other than their creator
18. #3314734: automatic_updates_extensions\BatchProcessor does not ensure that PostApply runs in another web request
19. #3310914: LockFileValidator should listen to StatusCheckEvent
20. #3312981: Move XdebugValidator into Package Manager
21. #3303124: [meta] Package Manager should add validation to try avoid conflicts with non-Composer installed code
22. #3312779: Improve Composer package name validation
23. #3293146: Don't run cron updates with PHP's built-in web server without an alternate port
24. #3310901: Stage::require() should validate the incoming package names
25. #3307611: Create a validator to add a warning if updated extensions have database updates
26. #3311534: package_manager_requirements() should check for the presence of the failure marker
27. #3308828: Handle the case where the marker file has been detected but can't be decoded
28. #3311436: Stage::require() should override the default process timeout to 300 seconds
29. #3293417: If an update failed to apply don't allow more use of the module
30. #3305564: Create a validator to stop newly installed packages from overwriting existing directories on apply
31. #3305874: \Drupal\package_manager\ComposerUtility::getPackageForProject() assumes direct project to package conversion when it should not
32. #3307163: Add the ability to ProjectInfo handle projects not in the active codebase
33. #3303902: Move ProjectInfo class into package_manager
34. #3305994: We don't want to run the XdebugValidator for non-Automatic Updates stage.
35. #3305568: Create a validator that detects duplicate info.yml files in the stage on apply
36. #3309602: Error: Composer could not find the config file
37. #3321256: Fix race condition in \Drupal\automatic_updates_test_cron\Enabler
38. #3323565: Add 'declare(strict_types = 1)' in tests + recheck test modules + check *.module files.
39. #3320836: Handle runtime error correctly in ComposerExecutableValidator
40. #3321684: Most validators that subscribe to PreCreate to check readiness to update should also subscribe to PreApply
41. #3330140: Update StatusCheckTrait::runStatusCheck() to reorder/avoid dispatching CollectIgnoredPathsEvent earlier than StatusCheckEvent
42. #3299094: Prevent staging areas that nested in the active Composer project directory
43. #3325522: Automatic Updates & Package Manager should use DependencySerializationTrait when needed
44. #3334054: Add error handling for \Drupal\package_manager\Stage::getIgnoredPaths()
45. #3315834: GitExcluder should not ignore .git directories that belong to packages installed by Composer
46. #3316668: ComposerSettingsValidator should run `composer config` to determine if HTTPS is enabled
47. #3311229: Validate compliance with composer minimum stability during PreRequireEvent
48. #3335766: Harden LockFileValidator, add stopPropagation() at failures
49. #3331310: Exclude unknown paths in project base: only allow vendor + web root + whatever drupal/core-composer-scaffold allows
50. #3252299: Reliably support cweagans/composer-patches in Package Manager & Automatic Updates: validate stage
51. #3342726: UnknownPathExcluder doesn’t consider hidden files
52. #3341224: Always catch \Throwable, not \Exception, and pass the old exception when re-throwing.
53. #3267646: Refine multisite detection: many aliases for a single site is fine!
54. #3344039: Add a validate() method to ComposerInspector to ensure that Composer is usable
55. #3344595: ComposerInspector::validate() should run `composer validate`
56. #3343889: Drop support for end-of-life versions of Composer
57. #3345549: PackageManagerKernelTestBase::assertResults ignores event class
58. #3312960: Create an API for base requirement validators which run before other validators and stop event propagation if they fail
59. #3344583: ComposerInspector::validate() should throw ComposerNotReadyException instead of \Exception
60. #3345646: InstalledPackage::$path for metapackages should be NULL
61. #3357969: For web server dependent unattended updates run the entire life cycle in a separate process that will not be affected by hosting time limits
62. #3319679: Assert known preconditions for test runs and fail early if unmet
63. #3322917: Create a test (or tests) to prove Package Manager works with submodules as implemented by packages.drupal.org

Translatability

1. #3312619: Ensure all validation results use translatable strings except when created from throwables
2. #3312963: Package Manager's requirements titles should be translated
3. #3368808: Override Composer Stager's TranslatableFactory to return Drupal's TranslatableMarkup

Maintainability

1. #3354701: Ensure exceptions thrown by event subscribers are logged
2. #3318927: FixtureUtilityTrait incorrectly assumes that the package keys are the same in install.json and installed.php
3. #3319045: Assert that all expected package manager events are fired during build tests.
4. #3320487: fake-site fixtures has invalid packages in composer files
5. #3302527: Updater::dispatch() doesn't need to handle a StageValidationException with no message
6. #3314805: Create a base class for UpdaterForm and UpdateReady to help run status checks and display the results
7. #3315139: package_manager.update_data_subscriber does not have to be declared dynamically
8. #3311020: Rename staged/9.8.1 to something clearer
9. #3307369: Validate all changed or updated Drupal projects with Update XML
10. #3248975: Use "stage directory" instead of "staging area" or "staging directory" everywhere
11. #3322913: Create an easy way for functional tests to simulate an update (and update kernel tests to use the same)
12. #3321994: Fail early in all Automatic Updates tests if there's a failure marker
13. #3328516: Remove AutomaticUpdatesFunctionalTestBase::setCoreUpdate() in favor of StageFixtureManipulator
14. #3320755: Remove unnecessarily disabled automatic_updates.composer_executable_validator
15. #3321904: Remove automatic_updates_extensions/tests/fixtures/stage_composer in favor of using StageFixtureManipulator
16. #3330365: Rename AutomaticUpdatesFunctionalTestBase::setCoreVersion() as it is very confusing: does it apply to active or stage?
17. #3330139: Harden PathExclusionsTrait::excludeInProjectRoot() for paths outside of project root.
18. #3327391: Improve FixtureManipulator DX: validate package name + ensure StageFixtureManipulator is committed + ensure `package_manager_bypass_composer_stager` is not set to FALSE
19. #3323706: Split up UpdaterFormTest to speed up test runs: from 13.5 to 10.5 minutes
20. #3335802: Add addDotGitFolder functionality to \Drupal\fixture_manipulator\FixtureManipulator
21. #3320792: Make build tests fail 1) more explicitly, 2) earlier when possible (failing StatusCheckEvent subscribers)
22. #3317815: Remove all fixtures except for one: `fake_site`
23. #3339714: Dynamically copy scaffold file mapping when create fake_site fixture
24. #3355628: Package Manager should keep an audit log of changes it applied to the active codebase

Core mergeability

1. #3348162: Ensure all remaining @todos have a link to an open issue
2. #3352198: Rip out the update path
3. #3305527: Rename test_theme to automatic_updates_extensions_test_theme
4. #3314137: Make Automatic Updates Drupal 10-compatible
5. #3329002: \Drupal\Tests\package_manager\Kernel\TestStageTrait::dispatch() should stop using a deprecated PHP language feature
6. #3322150: Rename remaining instances of 'test_theme' to 'automatic_updates_extensions_test_theme'
7. #3316131: Add array return type hint to all implementations of getSubscribedEvents()
8. #3312937: Fix spelling mistakes
9. #3322546: Update initiative roadmap issue
10. #3328742: phpcs stopped working since the switch to testing on Drupal 10.0.x by default
11. #3340892: Tag 8.x-2.7, and move development to new 3.x branch to focus on Core inclusion
12. #3341708: Update requirements for 3.x
13. #3303167: Stage no longer needs the config factory
14. #3320824: Fix PHP Warning: serialize() in tests on PHP 8
15. #3342460: $tempStore property of stage was removed
16. #3327229: Remove `@requires PHP >= 8.0` annotation from all tests
17. #3342120: Fix PHPStan violations (happened because PHPStan code checks stopped running…)
18. #3341974: Finalize \Drupal\automatic_updates\Development\Converter script to update core MR

Policy Questions

1. #3311472: Only show RC pre-releases of core in the form
2. ⚠️ core issue⚠️#3364565: [policy, no patch] Make PHP's OpenSSL extension a requirement for installing and using Package Manager (and therefore, Automatic Updates and Project Browser)
3. #3394754: [policy, no patch] Use Update XML in Package manager to determine release support status
4. #3385409: [policy, no patch] Disallow using Package Manager (and therefore Automatic Updates and Project Browser) when Composer's disable-tls setting is true