ci: add workflow_dispatch to phpunit.yml for on-demand re-runs

[Copilot]

Nightly CI failed on 2026-02-28 and 2026-03-01 due to integration test bugs in ExitPathTest (wrong Challenge constructor arg order, is_admin() returning false in gate tests). Those fixes landed in main at 197afa9 but the next scheduled run isn't until 3 AM UTC — no way to confirm the fix without a push.

Changes

• .github/workflows/phpunit.yml: add workflow_dispatch trigger alongside the existing push, pull_request, and schedule triggers, enabling manual re-runs from the Actions UI

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[github-actions]

🎮 Try in WordPress Playground

Open this PR in Playground →

Logs in as admin / password and installs the plugin from this PR's commit.

✅ What you can test

Feature	Notes
Plugin activation & settings page	✅
Gate fires on dangerous actions (plugin activate/delete, user delete, etc.)	✅
Challenge / reauthentication page	✅
Password verification & session cookie	✅
Admin bar countdown timer	✅
Request stash & replay after auth	✅
Rate limiting / 5-attempt lockout	✅ within session
Session expiry by time	✅ wait out the configured duration (1–15 min)
Two Factor plugin (TOTP)	✅ installed automatically via blueprint
unfiltered_html removed from Editor role	✅

❌ What won't work

Feature	Why
WP-CLI / Cron entry point policies	No CLI in browser
REST / XML-RPC entry point policies	Network disabled in Playground
Two Factor email / magic-link providers	PHP outbound network is off
Multisite behaviour	Single-site only
State after refreshing Playground	Full reset on page reload

Transients and user meta persist across normal WP navigation within
a session, but are wiped if you reload the Playground page itself.
Use the integration test suite to verify
transient TTL, real bcrypt, and multisite isolation.