#57572 closed task (blessed) (fixed)
GitHub Actions updates and improvements for 6.2
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 6.2 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Build/Test Tools | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
This ticket is for various updates and improvements for Core's GitHub Actions workflows.
Previously, these were tracked as a part of the "test tool and unit test improvements" tickets (see #56793 for 6.2), but there's enough volume to warrant this be a separate ticket.
Change History (35)
This ticket was mentioned in PR #3929 on WordPress/wordpress-develop by @desrosj.
2 years ago
#1
- Keywords has-patch added
This ticket was mentioned in PR #3937 on WordPress/wordpress-develop by @johnbillion.
2 years ago
#3
Trac ticket: https://core.trac.wordpress.org/ticket/57572
The `permissions` key in a job declares the GitHub permissions that are granted to the token that's used by the job. Restricting the permissions reduces the impact that a vulnerability in the CI system can have.
Docs:
This ticket was mentioned in Slack in #core by costdev. View the logs.
2 years ago
#6
@
2 years ago
@johnbillion I left a few questions on https://github.com/WordPress/wordpress-develop/pull/3937. If we can get those sorted out before RC1 on Tuesday, I'd like to just merge that instead of kicking it down to #57865.
This ticket was mentioned in PR #4177 on WordPress/wordpress-develop by @desrosj.
2 years ago
#7
This is an expanded approach to #3937.

- Merges the latest `trunk`
- Adds `permissions` to the new Performance testing workflow.
- Adds `permissions: {}` at the workflow level for all workflows. This ensures that any jobs added in the future will also be restricted until permissions are manually adjusted at the specific job level.
Original description from #3937:
Trac ticket: https://core.trac.wordpress.org/ticket/57572
The `permissions` key in a job declares the GitHub permissions that are granted to the token that's used by the job. Restricting the permissions reduces the impact that a vulnerability in the CI system can have.

## Docs

## Changes

- Jobs that re-run workflows have been restricted to `actions: write` as they post to the actions API
- The main Slack notification job has been restricted to `actions: read` and `contents: read` as it prepares the data for its dependent jobs, all of which have been restricted to no permissions
- The new contributor workflow has been restricted to `issues: write` as it posts a comment to the PR
- All other jobs have been restricted to `contents: read` as they need no access other than to read the repo
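The layout described in PR #3937 and PR #4177 above (an empty workflow-level default plus per-job scopes), as an added illustration. This is not one of Core's actual workflow files: the workflow name, job names, the test command, the Slack step and the `run_id` input are placeholders chosen for the example.

```yaml
name: Example least-privilege GITHUB_TOKEN workflow

on:
  pull_request:
  workflow_dispatch:
    inputs:
      run_id:
        description: 'ID of a completed run whose failed jobs should be re-run (placeholder input)'
        required: false

# Workflow-level default: the token gets no scopes at all. Any job added later
# without its own `permissions` block inherits this empty set, so new jobs are
# restricted by default and must opt in to the scopes they need.
permissions: {}

jobs:
  test:
    name: Run the test suite
    runs-on: ubuntu-latest
    # A job-level `permissions` block replaces the workflow-level one for this
    # job (it does not merge with it). Checking out the repo only needs read.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v3
      - run: ./run-tests.sh   # placeholder for the project's own test command

  welcome-new-contributor:
    name: Comment on the pull request
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    # Comments on a pull request go through the issues API, so this job needs
    # `issues: write` and nothing else (it never checks out the repo).
    permissions:
      issues: write
    steps:
      - uses: actions/github-script@v6
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: 'Thanks for the pull request!',   # placeholder text
            });

  rerun-failed-jobs:
    name: Re-run failed jobs of a previous run
    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch' && github.event.inputs.run_id != ''
    # Re-running jobs posts to the Actions API, which requires `actions: write`.
    permissions:
      actions: write
    steps:
      - run: gh run rerun "${{ github.event.inputs.run_id }}" --failed
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}

  prepare-notification:
    name: Prepare Slack notification data
    runs-on: ubuntu-latest
    needs: [ test ]
    if: always()
    # Reads run metadata and repo contents to build the message for the
    # dependent job below; it needs read access only.
    permissions:
      actions: read
      contents: read
    outputs:
      status: ${{ steps.result.outputs.status }}
    steps:
      - id: result
        run: echo "status=${{ needs.test.result }}" >> "$GITHUB_OUTPUT"

  send-notification:
    name: Send Slack notification
    runs-on: ubuntu-latest
    needs: [ prepare-notification ]
    if: always()
    # No `permissions` key here, so this job inherits the workflow-level `{}`:
    # the token can do nothing. A webhook URL would be passed as a separate
    # secret and does not depend on GITHUB_TOKEN scopes.
    steps:
      - run: echo "would post '${{ needs.prepare-notification.outputs.status }}' to Slack here"   # placeholder
```

Two things worth checking after adopting this layout. First, a job-level `permissions` key replaces the workflow-level one outright, so a job that needs several scopes must list all of them; the scopes actually granted to a job are printed under "GITHUB_TOKEN Permissions" in its "Set up job" log step, which is the quickest way to confirm the restriction took effect. Second, `permissions` governs only the automatic `GITHUB_TOKEN`; a personal access token or other secret handed to a step is unaffected and needs its own review. To find workflow files in a checkout that still lack a top-level default, `grep -L '^permissions:' .github/workflows/*.yml` lists those with no `permissions` key at column zero.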
This ticket was mentioned in Slack in #core by mukeshpanchal27. View the logs.
2 years ago
#12
@
2 years ago
- Resolution set to fixed
- Status changed from new to closed
Per the discussion in the bug scrub, as we're about to enter RC, closing this ticket out for 6.2.
@johnbillion commented on PR #3937:
2 years ago
#32
Closing in favour of #4177
@johnbillion commented on PR #4177:
2 years ago
#33
@desrosj Wanna move this to 6.3? I see the backports for 6.2 have already been done.