Changeset 55715 for trunk/.github/workflows/slack-notifications.yml

Timestamp:

05/03/2023 10:15:27 PM (2 years ago)

Author:

johnbillion

Message:

Build/Test Tools: Restrict the permissions granted to jobs on GitHub Actions

The permissions key in a job declares the GitHub permissions that are granted to the token that's used by the job. Restricting the permissions reduces the impact that a vulnerability in the CI system can have.

Props desrosj, johnbillion

See #57865

File:

• trunk/.github/workflows/slack-notifications.yml (modified) (2 diffs)

trunk/.github/workflows/slack-notifications.yml

@@ -26 +26 @@
         description: 'The Slack webhook URL for a failed build.'
         required: true
+
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
 
 env:
@@ -45 +49 @@
     name: Prepare notifications
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
     timeout-minutes: 5
     if: ${{ github.repository == 'WordPress/wordpress-develop' && github.event.workflow_run.event != 'pull_request' }}