
Changeset 55715


Timestamp:
05/03/2023 10:15:27 PM (17 months ago)
Author:
johnbillion
Message:

Build/Test Tools: Restrict the permissions granted to jobs on GitHub Actions

The permissions key in a job declares the GitHub permissions that are granted to the token that's used by the job. Restricting the permissions reduces the impact that a vulnerability in the CI system can have.

Props desrosj, johnbillion

See #57865

Location:
trunk/.github/workflows
Files:
13 edited

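--- a/trunk/.github/workflows/coding-standards.yml
+++ b/trunk/.github/workflows/coding-standards.yml
@@ -41,4 +41,8 @@
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Runs PHP coding standards checks.
@@ -60,4 +64,6 @@
     name: PHP coding standards
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
@@ -131,4 +137,6 @@
     name: JavaScript coding standards
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
@@ -178,4 +186,6 @@
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ phpcs, jshint, slack-notifications ]
     if: |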
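Review bot: The `slack-notifications` job referenced by `needs: [ phpcs, jshint, slack-notifications ]` lies outside the shown hunks and receives no job-level `permissions` in this change, while slack-notifications.yml below declares `actions: read` and `contents: read` for its `Prepare notifications` job. If that job invokes slack-notifications.yml as a reusable workflow — its `required: true` secret description suggests a `workflow_call` trigger — the caller's job permissions are the ceiling for the called workflow, and with the new workflow-level `permissions: {}` an unannotated caller job inherits no scopes, so the called workflow's request would be an elevation rather than the permitted downgrade. Adding `permissions:` with `actions: read` and `contents: read` to each calling job would keep the grants consistent. The same concern applies to the corresponding jobs in end-to-end-tests.yml, javascript-tests.yml, performance.yml, php-compatibility.yml, phpunit-tests.yml, test-and-zip-default-themes.yml, test-coverage.yml and test-npm.yml, none of which show a hunk for that job.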
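--- a/trunk/.github/workflows/end-to-end-tests.yml
+++ b/trunk/.github/workflows/end-to-end-tests.yml
@@ -27,4 +27,8 @@
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 env:
   LOCAL_DIR: build
@@ -49,4 +53,6 @@
     name: E2E Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
@@ -124,4 +130,6 @@
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ e2e-tests, slack-notifications ]
     if: |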
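--- a/trunk/.github/workflows/failed-workflow.yml
+++ b/trunk/.github/workflows/failed-workflow.yml
@@ -12,4 +12,8 @@
         type: 'string'
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Attempts to rerun a workflow.
@@ -21,4 +25,6 @@
     name: Rerun a workflow
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     timeout-minutes: 5
 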
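Review bot: The `actions: write` grant on the `Rerun a workflow` job is the broadest scope introduced by this change and is left without a rationale, so a reader auditing least privilege has to infer it from the job name. A one-line comment above the block, `# Re-running a workflow run requires write access to the Actions scope.`, would record why this job needs more than the `contents: read` used by the test jobs. The job's steps are outside the hunk, so I cannot confirm which call actually consumes the scope.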
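--- a/trunk/.github/workflows/javascript-tests.yml
+++ b/trunk/.github/workflows/javascript-tests.yml
@@ -39,4 +39,8 @@
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Runs the QUnit tests for WordPress.
@@ -52,4 +56,6 @@
     name: QUnit Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
@@ -97,4 +103,6 @@
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ test-js, slack-notifications ]
     if: |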
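--- a/trunk/.github/workflows/performance.yml
+++ b/trunk/.github/workflows/performance.yml
@@ -25,4 +25,8 @@
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
+
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
 
 env:
@@ -67,4 +71,6 @@
     name: Run performance tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
 
@@ -205,4 +211,6 @@
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ performance, slack-notifications ]
     if: |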
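--- a/trunk/.github/workflows/php-compatibility.yml
+++ b/trunk/.github/workflows/php-compatibility.yml
@@ -36,4 +36,8 @@
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 
@@ -55,4 +59,6 @@
     name: Check PHP compatibility
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
@@ -122,4 +128,6 @@
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ php-compatibility, slack-notifications ]
     if: |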
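--- a/trunk/.github/workflows/phpunit-tests.yml
+++ b/trunk/.github/workflows/phpunit-tests.yml
@@ -26,4 +26,8 @@
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
+
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
 
 env:
@@ -55,4 +59,6 @@
     name: ${{ matrix.php }}${{ matrix.multisite && ' multisite' || '' }}${{ matrix.split_slow && ' slow tests' || '' }}${{ matrix.memcached && ' with memcached' || '' }} on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
@@ -234,4 +240,6 @@
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ test-php, slack-notifications ]
     if: |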
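--- a/trunk/.github/workflows/slack-notifications.yml
+++ b/trunk/.github/workflows/slack-notifications.yml
@@ -26,4 +26,8 @@
         description: 'The Slack webhook URL for a failed build.'
         required: true
+
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
 
 env:
@@ -45,4 +49,7 @@
     name: Prepare notifications
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
     timeout-minutes: 5
     if: ${{ github.repository == 'WordPress/wordpress-develop' && github.event.workflow_run.event != 'pull_request' }}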
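--- a/trunk/.github/workflows/test-and-zip-default-themes.yml
+++ b/trunk/.github/workflows/test-and-zip-default-themes.yml
@@ -45,4 +45,8 @@
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Tests the build script for themes that have one.
@@ -57,4 +61,6 @@
     name: Test ${{ matrix.theme }} build script
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 10
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
@@ -102,4 +108,6 @@
     name: Create ${{ matrix.theme }} ZIP file
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: [ test-build-scripts ]
     timeout-minutes: 10
@@ -153,4 +161,6 @@
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ test-build-scripts, bundle-theme, slack-notifications ]
     if: |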
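--- a/trunk/.github/workflows/test-coverage.yml
+++ b/trunk/.github/workflows/test-coverage.yml
@@ -24,4 +24,8 @@
   # Allow manually triggering the workflow.
   workflow_dispatch:
+
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
 
 env:
@@ -57,4 +61,6 @@
     name: ${{ matrix.multisite && 'Multisite' || 'Single site' }} report
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 120
     if: ${{ github.repository == 'WordPress/wordpress-develop' }}
@@ -183,4 +189,6 @@
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ test-coverage-report, slack-notifications ]
     if: |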
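--- a/trunk/.github/workflows/test-npm.yml
+++ b/trunk/.github/workflows/test-npm.yml
@@ -34,4 +34,8 @@
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 env:
   PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: ${{ true }}
@@ -54,4 +58,6 @@
     name: Test npm on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
@@ -123,4 +129,6 @@
     name: Test npm on MacOS
     runs-on: macos-latest
+    permissions:
+      contents: read
     timeout-minutes: 30
     if: ${{ github.repository == 'WordPress/wordpress-develop' }}
@@ -180,4 +188,6 @@
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ test-npm, test-npm-macos, slack-notifications ]
     if: |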
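--- a/trunk/.github/workflows/test-old-branches.yml
+++ b/trunk/.github/workflows/test-old-branches.yml
@@ -13,8 +13,14 @@
     - cron: '0 0 15 * *'
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   dispatch-workflows-for-old-branches:
     name: ${{ matrix.workflow }} for ${{ matrix.branch }}
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' }}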
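--- a/trunk/.github/workflows/welcome-new-contributors.yml
+++ b/trunk/.github/workflows/welcome-new-contributors.yml
@@ -5,8 +5,14 @@
     types: [ opened ]
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Comments on a pull request when the author is a new contributor.
   post-welcome-message:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     timeout-minutes: 5
     if: ${{ github.repository == 'WordPress/wordpress-develop' }}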
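Review bot: `issues: write` on `post-welcome-message` is a write scope granted to a job that runs on pull-request events, and nothing in the file explains why the issues scope rather than `pull-requests` is the one chosen. A comment above the block, `# Pull request comments are created through the issues API, so this job needs issues: write.`, would document the reasoning, presumably matching what the commenting step does; that step is outside the hunk, so I cannot confirm it. Whether the write scope can take effect on pull requests from forks depends on the trigger declared above `types: [ opened ]`, which is also not visible here.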