Make WordPress Core


Timestamp:
05/03/2023 10:15:27 PM (17 months ago)
Author:
johnbillion
Message:

Build/Test Tools: Restrict the permissions granted to jobs on GitHub Actions

The permissions key in a job declares the GitHub permissions that are granted to the token that's used by the job. Restricting the permissions reduces the impact that a vulnerability in the CI system can have.

Props desrosj, johnbillion

See #57865

File:
1 edited

  • trunk/.github/workflows/performance.yml

    r55508 r55715  
    2525  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
    2626  cancel-in-progress: true
     27
     28# Disable permissions for all available scopes by default.
     29# Any needed permissions should be configured at the job level.
     30permissions: {}
    2731
    2832env:
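Review bot: With `permissions: {}` at workflow level (new line 30), every job that lacks its own `permissions:` block now runs with a token that has no scopes, and this changeset adds blocks to only two jobs. The `slack-notifications` job named in `needs: [ performance, slack-notifications ]` further down gets no block here, so confirm it still works with an empty token or give it an explicit block in the same change.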
     
    6771    name: Run performance tests
    6872    runs-on: ubuntu-latest
     73    permissions:
     74      contents: read
    6975    if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
    7076
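Review bot: Missing documentation on the new `permissions:` block of the "Run performance tests" job (new lines 73-74): nothing says which step needs `contents: read`. The `if:` on the next line admits every `pull_request` event regardless of repository, so this is the job where the token scope matters most. A one-line comment above `contents: read` naming the step that requires it, in the style of the comment added at the top of the file, would let a later reader verify that read-only is still sufficient and still necessary.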
     
    205211    name: Failed workflow tasks
    206212    runs-on: ubuntu-latest
     213    permissions:
     214      actions: write
    207215    needs: [ performance, slack-notifications ]
    208216    if: |
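Review bot: `actions: write` on the "Failed workflow tasks" job (new lines 213-214) is the only write scope granted in this changeset, and the hunk gives no reason for it. Add a comment above `actions: write` stating which operation in the job needs it, so the grant can be re-checked when the job's steps change. The `if: |` condition is cut off in this view, so it is worth confirming on the full file that the job only runs in the cases where that write access is actually used.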