Make WordPress Core


Timestamp:
05/03/2023 10:15:27 PM (18 months ago)
Author:
johnbillion
Message:

Build/Test Tools: Restrict the permissions granted to jobs on GitHub Actions

The permissions key in a job declares the GitHub permissions that are granted to the token that's used by the job. Restricting the permissions reduces the impact that a vulnerability in the CI system can have.

Props desrosj, johnbillion

See #57865

File:
1 edited

  • trunk/.github/workflows/test-coverage.yml

    r55487 r55715  
    2424  # Allow manually triggering the workflow.
    2525  workflow_dispatch:
     26
     27# Disable permissions for all available scopes by default.
     28# Any needed permissions should be configured at the job level.
     29permissions: {}
    2630
    2731env:
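Review bot: With `permissions: {}` at new line 29, any job that has no `permissions:` block of its own gets a token with no scopes at all. The visible hunks add job-level blocks to two jobs only, while `needs:` on new line 193 also names `slack-notifications`, whose definition is not shown here. Confirm that job either works without token access or declares its own block, so a missing scope does not surface only as a failed run.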
     
    5761    name: ${{ matrix.multisite && 'Multisite' || 'Single site' }} report
    5862    runs-on: ubuntu-latest
     63    permissions:
     64      contents: read
    5965    timeout-minutes: 120
    6066    if: ${{ github.repository == 'WordPress/wordpress-develop' }}
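Review bot: The `contents: read` grant at new lines 63-64 carries no comment saying which step needs it. A one-line comment above the block, in the style of the one added at new lines 27-28, would let a later audit tell a required scope from a leftover one and make it obvious when the grant can be dropped.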
     
    183189    name: Failed workflow tasks
    184190    runs-on: ubuntu-latest
     191    permissions:
     192      actions: write
    185193    needs: [ test-coverage-report, slack-notifications ]
    186194    if: |
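Review bot: `actions: write` at new lines 191-192 is the only write scope granted in this changeset, and nothing in the hunk documents what it is for. Add a comment naming the operation that requires it, and check that the steps of this job run nothing from the checked-out tree while holding that token. The `if:` condition starting on new line 194 is cut off in this view, so the conditions under which the write-capable token is issued cannot be reviewed from these lines.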