
Add --ssl-verify-server-cert flag for MariaDB to suppress passwordless login warnings #310

Draft
Copilot wants to merge 2 commits into main from copilot/improve-mariadb-tests

Contributor

Copilot AI commented Feb 8, 2026

MariaDB tests were failing due to SSL warnings cluttering STDERR: WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login. These warnings trigger Behat test failures even when commands succeed.

Changes

  • DB_Command::run(): Auto-add --ssl-verify-server-cert flag when MariaDB is detected via Utils\get_db_type()
  • get_mysql_args(): Add ssl-verify-server-cert to allowed MySQL options

The flag is only added if not already present in user arguments, preserving override capability. MySQL installations are unaffected.

```php
// Add --ssl-verify-server-cert for MariaDB to suppress passwordless login warning.
if ( 'mariadb' === Utils\get_db_type() && ! isset( $assoc_args['ssl-verify-server-cert'] ) ) {
    $required['ssl-verify-server-cert'] = true;
}
```

Mirrors the fix from wp-cli/wp-cli-tests#297, extending it to all db commands (export, import, query, etc.).

Original prompt

This section details the original issue you should resolve

<issue_title>Improve MariaDB tests</issue_title>
<issue_description>They are still allowed to fail but would be nice to get them to green. There are currently quite a few failing tests, almost all because of --ssl-verify-server-cert warnings cluttering STDERR.

Perhaps we need to pass it manually like was done in wp-cli/wp-cli-tests#297?

Examples:

Failed steps:

001 Scenario: Display information about a non default WordPress table                                                # features/db-columns.feature:44
      And I run `wp db query "CREATE TABLE not_wp ( date DATE NOT NULL, awesome_stuff TEXT, PRIMARY KEY (date) );;"` # features/db-columns.feature:46
        $ wp db query "CREATE TABLE not_wp ( date DATE NOT NULL, awesome_stuff TEXT, PRIMARY KEY (date) );;"
        
        WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.
        cwd: /tmp/wp-cli-test-run--6987f0c7c6bcc3.53632177/
        run time: 0.16866993904114
        exit status: 0 (RuntimeException)

002 Scenario: Database exports with random hash applied # features/db-export.feature:3
      When I run `wp db export --porcelain`             # features/db-export.feature:6
        $ wp db export --porcelain
        wp_cli_test-2026-02-08-68c4205.sql
        
        WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.
        cwd: /tmp/wp-cli-test-run--6987f0c848a357.72059523/
        run time: 0.19305086135864
        exit status: 0 (RuntimeException)

003 Scenario: Database export to a specified file path      # features/db-export.feature:13
      When I run `wp db export wp_cli_test.sql --porcelain` # features/db-export.feature:16
        $ wp db export wp_cli_test.sql --porcelain
        wp_cli_test.sql
        
        WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.
        cwd: /tmp/wp-cli-test-run--6987f0c8c233a4.45982247/
        run time: 0.19237279891968
        exit status: 0 (RuntimeException)

004 Scenario: Exclude tables when exporting the database                              # features/db-export.feature:23
      When I run `wp db export wp_cli_test.sql --exclude_tables=wp_users --porcelain` # features/db-export.feature:26
        $ wp db export wp_cli_test.sql --exclude_tables=wp_users --porcelain
        wp_cli_test.sql
        
        WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.
        cwd: /tmp/wp-cli-test-run--6987f0c94b0ca7.31860636/
        run time: 0.18274307250977
        exit status: 0 (RuntimeException)

005 Scenario: Export database to STDOUT # features/db-export.feature:37
      When I run `wp db export -`       # features/db-export.feature:40
        $ wp db export -

        WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.
        cwd: /tmp/wp-cli-test-run--6987f0c9c54811.18958571/
        run time: 0.19263005256653
        exit status: 0 (RuntimeException)

006 Scenario: Export database with mysql defaults to STDOUT # features/db-export.feature:46
      When I run `wp db export --defaults -`                # features/db-export.feature:49
        $ wp db export --defaults -

        WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.
        cwd: /tmp/wp-cli-test-run--6987f0c9c54811.18958571/
        run time: 0.19263005256653
        exit status: 0 (RuntimeException)

008 Scenario: Export database with passed-in options                 # features/db-export.feature:64
      When I run `wp db export - --dbpass=password1 --skip-comments` # features/db-export.feature:67
        $ wp db export - --dbpass=password1 --skip-comments

        WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.
        cwd: /tmp/wp-cli-test-run--6987f0cb900c03.97350758/
        run time: 0.18559980392456
        exit status: 0 (RuntimeException)

009 Scenario: Import from database name path by default # features/db-import.feature:3
      When I run `wp db export wp_cli_test.sql`         # features/db-import.feature:6
        $ wp db export wp_cli_test.sql
        Success: Exported to 'wp_cli_test.sql'.
        
        WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.
        cwd: /tmp/wp-cli-test-run--6987f0cd0bbfc5.61320675/
        run time: 0.18721199035645
        exit status: 0 (RuntimeException)

010 Scenario: Import from database name path by default with mysql defaults # features/db-import.feature:15
      When I run `wp db export wp_cli_test.sql`                             # features/db-import.feature:18
        $ wp db export wp_cli_test.sql
        Success: Exported to 'wp_cli_test.sql'.
        
        WARNING: option --ssl-verify-server-cert is dis...


- Fixes wp-cli/db-command#309


…s login warning

Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix SSL verification warnings in MariaDB tests" to "Add --ssl-verify-server-cert flag for MariaDB to suppress passwordless login warnings" on Feb 8, 2026
Copilot AI requested a review from swissspidy February 8, 2026 22:10
@swissspidy swissspidy linked an issue Feb 8, 2026 that may be closed by this pull request

codecov bot commented Feb 8, 2026

Codecov Report

❌ Patch coverage is 66.66667% with 1 line in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| src/DB_Command.php | 66.66% | 1 Missing ⚠️ |


@swissspidy
Member

/gemini review


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request effectively resolves an issue with MariaDB test failures caused by SSL warnings. The changes are well-targeted and correctly implemented. By conditionally adding the --ssl-verify-server-cert flag for MariaDB connections, you've addressed the root cause of the warnings while preserving the ability for users to override this behavior. The corresponding addition of ssl-verify-server-cert to the allowed options in get_mysql_args() is also correct. I have one minor suggestion regarding documenting the potential impact of this change for users in specific configurations.

Comment on lines +1839 to +1841
if ( 'mariadb' === Utils\get_db_type() && ! isset( $assoc_args['ssl-verify-server-cert'] ) ) {
$required['ssl-verify-server-cert'] = true;
}
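
Review bot: The `! isset( $assoc_args['ssl-verify-server-cert'] )` guard on the first line is the only thing that preserves a user's explicit choice, and no test for it is visible here; Codecov reports one changed line in src/DB_Command.php without coverage. Add a scenario that passes the option explicitly on MariaDB (including the `--no-ssl-verify-server-cert` form) and checks it is not overwritten, plus one that checks nothing is added when `Utils\get_db_type()` returns something other than `'mariadb'`. The body, `$required['ssl-verify-server-cert'] = true;`, sets a certificate verification option for every MariaDB invocation rather than only silencing a warning, so the accompanying code comment and the command docs should say that.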


medium

This change correctly suppresses the MariaDB warnings and improves the default security posture. However, it's worth noting that this introduces a potential breaking change for users on MariaDB with passwordless logins and an invalid or untrusted server SSL certificate. Previously, their commands would succeed with a warning; now, they will fail due to the enforced SSL verification.

While users can opt-out by using --no-ssl-verify-server-cert, this change in default behavior could be surprising. I'd recommend adding a note about this to the relevant command documentation or the project's release notes to ensure users are aware of the change and how to manage it.
