Update CI test matrix and fix PHPUnit security advisory failure #2

Merged
Ninodevo merged 9 commits into trunk from fix/outdated-test on Mar 5, 2026
@Ninodevo Ninodevo commented Feb 11, 2026

Contributor

Changes proposed in this Pull Request

  • Fix CI failure caused by Composer's security audit blocking PHPUnit 4.x–9.x due to advisory PKSA-z3gr-8qht-p93v (CVE-2026-24765). Pin phpunit/phpunit to ^9.6 which resolves to 9.6.34 - a patched version outside the advisory's affected range.
  • Upgrade yoast/phpunit-polyfills from ^1.0.1 to ^2.0.
  • Drop EOL PHP versions (7.2, 7.3) and outdated WordPress versions (5.2, 5.4, 5.7) from the test matrix. The minimum tested combination is now PHP 7.4 / WP 6.2.
  • Simplify the test matrix from ~14 jobs down to 3 (PHP 7.4 + WP 6.2, PHP 8.2 + latest, PHP 8.4 + latest), covering the low end, middle, and high end of supported versions.
  • Simplify the GitHub Actions test workflow by removing the 4-type Composer install branching logic that was only needed for WP < 5.9 compatibility. A single ramsey/composer-install step with dependency-versions: highest now handles all matrix entries.
  • Simplify the MySQL service to always use MySQL 8.0, removing the conditional 5.6/5.7 image selection.
  • Fix the PHPCS workflow: remove redundant composer require step (packages already in composer.json), upgrade PHP from 7.4 to 8.3, update action versions, and fix cs2pr XML parsing by adding the -q flag.
  • Narrow CI triggers to only run on pushes to trunk and on pull requests (previously ran on all pushes to any branch).
  • Update phpunit.xml.dist to remove deprecated PHPUnit 10-incompatible attributes (convertErrorsToExceptions, convertNoticesToExceptions, convertWarningsToExceptions).

Testing instructions

  • Verify all 3 test matrix jobs pass in CI (PHP 7.4 / WP 6.2, PHP 8.2 / WP latest, PHP 8.4 / WP latest).
  • Verify the PHPCS workflow passes.
  • Confirm composer install resolves locally without errors or security advisory warnings.

- php: "8.4"
wp: "latest"
experimental: false
# Lowest supported: PHP 7.4 + oldest WP.
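
Review bot: the comment on the last line, "# Lowest supported: PHP 7.4 + oldest WP.", labels the entry that follows as "supported" and leaves the WordPress version unnamed, while the PR description gives the minimum tested combination as PHP 7.4 / WP 6.2. Consider wording it as "Lowest tested: PHP 7.4 + WP 6.2" so the matrix comment does not read as a statement of the plugin's support floor.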

Contributor


I am not completely sure why this was made. The WordPress importer, like all the other standard ones, supports down to WP 5.4 and WordPress down to PHP 7.2. To fix GHSA-vvj3-c3rp-c85p unit tests failing? If that's the only reason, it's ok.

But please make these two changes on https://github.com/WordPress/substack-importer/blob/trunk/readme.txt:

  1. Tested up to 6.9
  2. Require PHP: 7.4

A new version for only these changes is not needed. At the next one, please add this line:

= x.y.z =
1. Compatibility: the plugin now requires PHP 7.4 or higher.

Contributor Author


Yes, it was to fix the unit tests failing in GHSA-vvj3-c3rp-c85p. PHPUnit ^9.6 is now used, which has the issue fixed. I can probably add continue-on-error: true for older versions and use a lower PHPUnit, but I figured that it's okay like this. Let me know if I should do it that way, and I'll fix it in another PR.

@Ninodevo Ninodevo merged commit 68fe2cb into trunk Mar 5, 2026
4 checks passed