Make WordPress Core


Timestamp:
05/03/2023 10:15:27 PM (18 months ago)
Author:
johnbillion
Message:

Build/Test Tools: Restrict the permissions granted to jobs on GitHub Actions

The permissions key in a job declares the GitHub permissions that are granted to the token that's used by the job. Restricting the permissions reduces the impact that a vulnerability in the CI system can have.

Props desrosj, johnbillion

See #57865

File:
1 edited

  • trunk/.github/workflows/coding-standards.yml

    r55487 r55715  
    4141  cancel-in-progress: true
    4242
     43# Disable permissions for all available scopes by default.
     44# Any needed permissions should be configured at the job level.
     45permissions: {}
     46
    4347jobs:
    4448  # Runs PHP coding standards checks.
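Review bot: With `permissions: {}` at workflow level, every job that lacks its own `permissions:` block now runs with a token that has no scopes, and the `slack-notifications` job named in the later `needs:` list is not touched by any hunk shown here. Confirm that job either declares the scopes it needs or needs none, and consider extending the comment at lines 43-44 to say that a job with no block gets an empty token.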
     
    6064    name: PHP coding standards
    6165    runs-on: ubuntu-latest
     66    permissions:
     67      contents: read
    6268    timeout-minutes: 20
    6369    if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
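Review bot: The `permissions:` block added at lines 66-67 has no comment saying which step consumes `contents: read`, unlike the documented workflow-level default. A one-line comment naming the consumer would let a later reader tell when the grant can be dropped; the same applies to the identical block on the JavaScript coding standards job.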
     
    131137    name: JavaScript coding standards
    132138    runs-on: ubuntu-latest
     139    permissions:
     140      contents: read
    133141    timeout-minutes: 20
    134142    if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
     
    178186    name: Failed workflow tasks
    179187    runs-on: ubuntu-latest
     188    permissions:
     189      actions: write
    180190    needs: [ phpcs, jshint, slack-notifications ]
    181191    if: |
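Review bot: `actions: write` at lines 188-189 is the only write scope granted in this file, and nothing beside it says which step of the Failed workflow tasks job requires it. Add a comment naming the operation that needs write access so the grant can be audited later. Also note that a job-level `permissions:` block sets every unlisted scope to none, so check that no step in this job expects `contents` access.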