Make WordPress Core


Timestamp:
05/03/2023 10:15:27 PM (18 months ago)
Author:
johnbillion
Message:

Build/Test Tools: Restrict the permissions granted to jobs on GitHub Actions

The permissions key in a job declares the GitHub permissions that are granted to the token that's used by the job. Restricting the permissions reduces the impact that a vulnerability in the CI system can have.

Props desrosj, johnbillion

See #57865

File:
1 edited

  • trunk/.github/workflows/test-npm.yml

    r55152 r55715  
    3434  cancel-in-progress: true
    3535
     36# Disable permissions for all available scopes by default.
     37# Any needed permissions should be configured at the job level.
     38permissions: {}
     39
    3640env:
    3741  PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: ${{ true }}
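Review bot: `permissions: {}` at new line 38 removes every scope from any job that lacks its own `permissions` block, and this changeset shows blocks added to only three jobs. `slack-notifications` is listed in `needs` further down, but no block for it appears in the diff. Confirm that it, and every other job in the file, either declares the scopes it needs or genuinely needs none; otherwise it will run with a token that has no access.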
     
    5458    name: Test npm on ${{ matrix.os }}
    5559    runs-on: ${{ matrix.os }}
     60    permissions:
     61      contents: read
    5662    timeout-minutes: 20
    5763    if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
     
    123129    name: Test npm on MacOS
    124130    runs-on: macos-latest
     131    permissions:
     132      contents: read
    125133    timeout-minutes: 30
    126134    if: ${{ github.repository == 'WordPress/wordpress-develop' }}
     
    180188    name: Failed workflow tasks
    181189    runs-on: ubuntu-latest
     190    permissions:
     191      actions: write
    182192    needs: [ test-npm, test-npm-macos, slack-notifications ]
    183193    if: |
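Review bot: `actions: write` at new lines 190-191 is the only write scope granted in this changeset, and nothing in the hunk says which step needs it. Add a one-line comment above the block naming the operation that requires write access to Actions, in the same style as the comment above `permissions: {}`, so a later reader can tell whether the scope is still required.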