Make WordPress Core


Timestamp:
05/03/2023 10:15:27 PM (18 months ago)
Author:
johnbillion
Message:

Build/Test Tools: Restrict the permissions granted to jobs on GitHub Actions

The permissions key in a job declares the GitHub permissions that are granted to the token that's used by the job. Restricting the permissions reduces the impact that a vulnerability in the CI system can have.

Props desrosj, johnbillion

See #57865

File:
1 edited

  • trunk/.github/workflows/phpunit-tests.yml

    r55487 r55715  
    2626  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
    2727  cancel-in-progress: true
     28
     29# Disable permissions for all available scopes by default.
     30# Any needed permissions should be configured at the job level.
     31permissions: {}
    2832
    2933env:
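Review bot: A workflow-level `permissions: {}` means every job in this file that does not declare its own `permissions` block receives a token with no scopes at all, so any job that checks out the repository needs at least `contents: read` added explicitly. Only two jobs' permission blocks appear in this changeset; the `needs: [ test-php, slack-notifications ]` line further down shows a `slack-notifications` job also exists, so confirm that job and any others in the file still have whatever scopes their steps require. The comment pair here is good; it would be worth stating in the second comment that an omitted job-level block now yields an empty token rather than the repository default, since that is the failure mode a future contributor is most likely to hit.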
     
    5559    name: ${{ matrix.php }}${{ matrix.multisite && ' multisite' || '' }}${{ matrix.split_slow && ' slow tests' || '' }}${{ matrix.memcached && ' with memcached' || '' }} on ${{ matrix.os }}
    5660    runs-on: ${{ matrix.os }}
     61    permissions:
     62      contents: read
    5763    timeout-minutes: 20
    5864    if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
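Review bot: `contents: read` is the minimum for `actions/checkout` and is the right choice for a test job, but the steps themselves are not in this hunk, so verify that nothing in `test-php` needs more (posting a PR comment would need `pull-requests: write`, for example; uploading artifacts does not need an additional token scope). Note also that for `pull_request` runs from forks the `GITHUB_TOKEN` is already read-only, so the practical effect of this block is on the `push`, scheduled and manual runs that the `if:` condition on the `github.repository == 'WordPress/wordpress-develop'` side admits; those are exactly the runs where a compromised dependency or step could previously have used a write-capable token.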
     
    234240    name: Failed workflow tasks
    235241    runs-on: ubuntu-latest
     242    permissions:
     243      actions: write
    236244    needs: [ test-php, slack-notifications ]
    237245    if: |
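Review bot: `actions: write` is a comparatively broad scope (it permits dispatching, re-running and cancelling workflow runs and managing artifacts and caches), so it deserves a one-line comment next to it saying which step needs it. The job name "Failed workflow tasks" suggests it dispatches a follow-up workflow, which does require `actions: write`, but since the steps are outside this hunk, confirm that this is the narrowest scope that satisfies them and that the job does not also check out the repository, which would now fail without `contents: read`. The `if: |` condition that gates this job is cut off at the end of the page, so its gating cannot be reviewed from this changeset view.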