Changeset 59679 for trunk/.github/workflows/reusable-php-compatibility.yml

Timestamp:

01/22/2025 03:13:21 PM (15 months ago)

Author:

johnbillion

Message:

Build/Test Tools: Improve the security and correctness of the GitHub Actions workflows files.

This includes removing use of dangerous inline GitHub Actions expressions, preventing word splitting, further tightening permissions, and generally improving many aspects of the workflows.

This also introduces a new workflow that runs Actionlint to detect incorrect and insecure code and configuration in workflow files.

Props johnbillion, swissspidy, flixos90, desrosj.

See #62221

File:

• trunk/.github/workflows/reusable-php-compatibility.yml (modified) (4 diffs)

trunk/.github/workflows/reusable-php-compatibility.yml

@@ -12 +12 @@
         type: 'string'
         default: 'latest'
+
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
 
 jobs:
@@ -40 +44 @@
         with:
           show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+          persist-credentials: false
 
       - name: Set up PHP
@@ -56 +61 @@
       - name: "Get last Monday's date"
         id: get-date
-        run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> $GITHUB_OUTPUT
+        run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT"
 
       - name: Cache PHP compatibility scan cache
@@ -72 +77 @@
 
       - name: Make Composer packages available globally
-        run: echo "${PWD}/vendor/bin" >> $GITHUB_PATH
+        run: echo "${PWD}/vendor/bin" >> "$GITHUB_PATH"
 
       - name: Run PHP compatibility tests