Changeset 55715 for trunk/.github/workflows/test-and-zip-default-themes.yml

Timestamp:

05/03/2023 10:15:27 PM (2 years ago)

Author:

johnbillion

Message:

Build/Test Tools: Restrict the permissions granted to jobs on GitHub Actions

The permissions key in a job declares the GitHub permissions that are granted to the token that's used by the job. Restricting the permissions reduces the impact that a vulnerability in the CI system can have.

Props desrosj, johnbillion

See #57865

File:

• trunk/.github/workflows/test-and-zip-default-themes.yml (modified) (4 diffs)

trunk/.github/workflows/test-and-zip-default-themes.yml

@@ -45 +45 @@
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Tests the build script for themes that have one.
@@ -57 +61 @@
     name: Test ${{ matrix.theme }} build script
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 10
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
@@ -102 +108 @@
     name: Create ${{ matrix.theme }} ZIP file
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: [ test-build-scripts ]
     timeout-minutes: 10
@@ -153 +161 @@
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ test-build-scripts, bundle-theme, slack-notifications ]
     if: |