WordPress.org
Get WordPress

Make WordPress Core


Ignore:
Timestamp:
01/22/2025 03:13:21 PM (17 months ago)
Author:
johnbillion
Message:

Build/Test Tools: Improve the security and correctness of the GitHub Actions workflows files.

This includes removing use of dangerous inline GitHub Actions expressions, preventing word splitting, further tightening permissions, and generally improving many aspects of the workflows.

This also introduces a new workflow that runs Actionlint to detect incorrect and insecure code and configuration in workflow files.

Props johnbillion, swissspidy, flixos90, desrosj.

See #62221

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/.github/workflows/upgrade-testing.yml

    r59673 r59679  
    6060    uses: ./.github/workflows/reusable-upgrade-testing.yml
    6161    if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
    62     permissions:
    63       contents: read
    6462    strategy:
    6563      fail-fast: false
     
    9795    uses: ./.github/workflows/reusable-upgrade-testing.yml
    9896    if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
    99     permissions:
    100       contents: read
    10197    strategy:
    10298      fail-fast: false
     
    112108          # The PHP <= 7.3/MySQL 8.4 jobs currently fail due to mysql_native_password being disabled by default. See https://core.trac.wordpress.org/ticket/61218.
    113109          - php: '7.2'
    114             db-version: '8.4'
    115           - php: '7.3'
    116110            db-version: '8.4'
    117111    with:
     
    142136          # The PHP <= 7.3/MySQL 8.4 jobs currently fail due to mysql_native_password being disabled by default. See https://core.trac.wordpress.org/ticket/61218.
    143137          - php: '7.2'
    144             db-version: '8.4'
    145           - php: '7.3'
    146138            db-version: '8.4'
    147139    with:
     
    201193          # The PHP <= 7.3/MySQL 8.4 jobs currently fail due to mysql_native_password being disabled by default. See https://core.trac.wordpress.org/ticket/61218.
    202194          - php: '7.2'
    203             db-version: '8.4'
    204           - php: '7.3'
    205195            db-version: '8.4'
    206196    with:
Note: See TracChangeset for help on using the changeset viewer.