Build/Test Tools: Restrict the permissions granted to jobs on GitHub Actions
The `permissions` key in a job declares the GitHub permissions that are granted to the token that's used by the job. Restricting the permissions reduces the impact that a vulnerability in the CI system can have. Props desrosj, johnbillion See #57865 git-svn-id: https://develop.svn.wordpress.org/trunk@55715 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
parent
eb409e4cac
commit
3bfc6611ad
10
.github/workflows/coding-standards.yml
vendored
@ -40,6 +40,10 @@ concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
|
||||
cancel-in-progress: true
|
||||
|
||||
# Disable permissions for all available scopes by default.
|
||||
# Any needed permissions should be configured at the job level.
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
# Runs PHP coding standards checks.
|
||||
#
|
||||
@ -59,6 +63,8 @@ jobs:
|
||||
phpcs:
|
||||
name: PHP coding standards
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
timeout-minutes: 20
|
||||
if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
|
||||
|
||||
@ -130,6 +136,8 @@ jobs:
|
||||
jshint:
|
||||
name: JavaScript coding standards
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
timeout-minutes: 20
|
||||
if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
|
||||
env:
|
||||
@ -177,6 +185,8 @@ jobs:
|
||||
failed-workflow:
|
||||
name: Failed workflow tasks
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: write
|
||||
needs: [ phpcs, jshint, slack-notifications ]
|
||||
if: |
|
||||
always() &&
|
||||
|
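Review bot: The `failed-workflow` job depends on a `slack-notifications` job (`needs: [ phpcs, jshint, slack-notifications ]`) that appears in no hunk, and with the new workflow-level `permissions: {}` that job now receives an empty token unless it declares its own `permissions:` block. If, as its name suggests, it is a `uses:` call into `slack-notifications.yml`, note that the called `prepare` job there requests `actions: read` and `contents: read`, and a called workflow can only narrow what its caller grants, so the caller job needs at least `permissions:` / `actions: read` / `contents: read` or the run will be rejected at validation time. The same dependency exists in end-to-end-tests.yml, javascript-tests.yml, performance.yml, php-compatibility.yml, phpunit-tests.yml, test-coverage.yml and test-npm.yml, so each of those `slack-notifications` jobs should be checked the same way. The `failed-workflow` job's `if:` condition continues outside the hunk.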
8
.github/workflows/end-to-end-tests.yml
vendored
@ -26,6 +26,10 @@ concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
|
||||
cancel-in-progress: true
|
||||
|
||||
# Disable permissions for all available scopes by default.
|
||||
# Any needed permissions should be configured at the job level.
|
||||
permissions: {}
|
||||
|
||||
env:
|
||||
LOCAL_DIR: build
|
||||
|
||||
@ -48,6 +52,8 @@ jobs:
|
||||
e2e-tests:
|
||||
name: E2E Tests
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
timeout-minutes: 20
|
||||
if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
|
||||
|
||||
@ -123,6 +129,8 @@ jobs:
|
||||
failed-workflow:
|
||||
name: Failed workflow tasks
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: write
|
||||
needs: [ e2e-tests, slack-notifications ]
|
||||
if: |
|
||||
always() &&
|
||||
|
6
.github/workflows/failed-workflow.yml
vendored
@ -11,6 +11,10 @@ on:
|
||||
required: true
|
||||
type: 'string'
|
||||
|
||||
# Disable permissions for all available scopes by default.
|
||||
# Any needed permissions should be configured at the job level.
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
# Attempts to rerun a workflow.
|
||||
#
|
||||
@ -20,6 +24,8 @@ jobs:
|
||||
failed-workflow:
|
||||
name: Rerun a workflow
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: write
|
||||
timeout-minutes: 5
|
||||
|
||||
steps:
|
||||
|
8
.github/workflows/javascript-tests.yml
vendored
@ -38,6 +38,10 @@ concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
|
||||
cancel-in-progress: true
|
||||
|
||||
# Disable permissions for all available scopes by default.
|
||||
# Any needed permissions should be configured at the job level.
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
# Runs the QUnit tests for WordPress.
|
||||
#
|
||||
@ -51,6 +55,8 @@ jobs:
|
||||
test-js:
|
||||
name: QUnit Tests
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
timeout-minutes: 20
|
||||
if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
|
||||
|
||||
@ -96,6 +102,8 @@ jobs:
|
||||
failed-workflow:
|
||||
name: Failed workflow tasks
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: write
|
||||
needs: [ test-js, slack-notifications ]
|
||||
if: |
|
||||
always() &&
|
||||
|
8
.github/workflows/performance.yml
vendored
@ -25,6 +25,10 @@ concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
|
||||
cancel-in-progress: true
|
||||
|
||||
# Disable permissions for all available scopes by default.
|
||||
# Any needed permissions should be configured at the job level.
|
||||
permissions: {}
|
||||
|
||||
env:
|
||||
# This workflow takes two sets of measurements — one for the current commit,
|
||||
# and another against a consistent version that is used as a baseline measurement.
|
||||
@ -66,6 +70,8 @@ jobs:
|
||||
performance:
|
||||
name: Run performance tests
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
|
||||
|
||||
steps:
|
||||
@ -204,6 +210,8 @@ jobs:
|
||||
failed-workflow:
|
||||
name: Failed workflow tasks
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: write
|
||||
needs: [ performance, slack-notifications ]
|
||||
if: |
|
||||
always() &&
|
||||
|
8
.github/workflows/php-compatibility.yml
vendored
@ -35,6 +35,10 @@ concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
|
||||
cancel-in-progress: true
|
||||
|
||||
# Disable permissions for all available scopes by default.
|
||||
# Any needed permissions should be configured at the job level.
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
|
||||
# Runs PHP compatibility testing.
|
||||
@ -54,6 +58,8 @@ jobs:
|
||||
php-compatibility:
|
||||
name: Check PHP compatibility
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
timeout-minutes: 20
|
||||
if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
|
||||
|
||||
@ -121,6 +127,8 @@ jobs:
|
||||
failed-workflow:
|
||||
name: Failed workflow tasks
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: write
|
||||
needs: [ php-compatibility, slack-notifications ]
|
||||
if: |
|
||||
always() &&
|
||||
|
8
.github/workflows/phpunit-tests.yml
vendored
@ -26,6 +26,10 @@ concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
|
||||
cancel-in-progress: true
|
||||
|
||||
# Disable permissions for all available scopes by default.
|
||||
# Any needed permissions should be configured at the job level.
|
||||
permissions: {}
|
||||
|
||||
env:
|
||||
PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: ${{ true }}
|
||||
LOCAL_PHP_MEMCACHED: ${{ false }}
|
||||
@ -54,6 +58,8 @@ jobs:
|
||||
test-php:
|
||||
name: ${{ matrix.php }}${{ matrix.multisite && ' multisite' || '' }}${{ matrix.split_slow && ' slow tests' || '' }}${{ matrix.memcached && ' with memcached' || '' }} on ${{ matrix.os }}
|
||||
runs-on: ${{ matrix.os }}
|
||||
permissions:
|
||||
contents: read
|
||||
timeout-minutes: 20
|
||||
if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
|
||||
strategy:
|
||||
@ -233,6 +239,8 @@ jobs:
|
||||
failed-workflow:
|
||||
name: Failed workflow tasks
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: write
|
||||
needs: [ test-php, slack-notifications ]
|
||||
if: |
|
||||
always() &&
|
||||
|
7
.github/workflows/slack-notifications.yml
vendored
@ -26,6 +26,10 @@ on:
|
||||
description: 'The Slack webhook URL for a failed build.'
|
||||
required: true
|
||||
|
||||
# Disable permissions for all available scopes by default.
|
||||
# Any needed permissions should be configured at the job level.
|
||||
permissions: {}
|
||||
|
||||
env:
|
||||
CURRENT_BRANCH: ${{ github.ref_name }}
|
||||
|
||||
@ -44,6 +48,9 @@ jobs:
|
||||
prepare:
|
||||
name: Prepare notifications
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
timeout-minutes: 5
|
||||
if: ${{ github.repository == 'WordPress/wordpress-develop' && github.event.workflow_run.event != 'pull_request' }}
|
||||
outputs:
|
||||
|
@ -44,6 +44,10 @@ concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
|
||||
cancel-in-progress: true
|
||||
|
||||
# Disable permissions for all available scopes by default.
|
||||
# Any needed permissions should be configured at the job level.
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
# Tests the build script for themes that have one.
|
||||
#
|
||||
@ -56,6 +60,8 @@ jobs:
|
||||
test-build-scripts:
|
||||
name: Test ${{ matrix.theme }} build script
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
timeout-minutes: 10
|
||||
if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
|
||||
strategy:
|
||||
@ -101,6 +107,8 @@ jobs:
|
||||
bundle-theme:
|
||||
name: Create ${{ matrix.theme }} ZIP file
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
needs: [ test-build-scripts ]
|
||||
timeout-minutes: 10
|
||||
if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
|
||||
@ -152,6 +160,8 @@ jobs:
|
||||
failed-workflow:
|
||||
name: Failed workflow tasks
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: write
|
||||
needs: [ test-build-scripts, bundle-theme, slack-notifications ]
|
||||
if: |
|
||||
always() &&
|
||||
|
8
.github/workflows/test-coverage.yml
vendored
@ -24,6 +24,10 @@ on:
|
||||
# Allow manually triggering the workflow.
|
||||
workflow_dispatch:
|
||||
|
||||
# Disable permissions for all available scopes by default.
|
||||
# Any needed permissions should be configured at the job level.
|
||||
permissions: {}
|
||||
|
||||
env:
|
||||
PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: ${{ true }}
|
||||
LOCAL_PHP: '7.4-fpm'
|
||||
@ -56,6 +60,8 @@ jobs:
|
||||
test-coverage-report:
|
||||
name: ${{ matrix.multisite && 'Multisite' || 'Single site' }} report
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
timeout-minutes: 120
|
||||
if: ${{ github.repository == 'WordPress/wordpress-develop' }}
|
||||
strategy:
|
||||
@ -182,6 +188,8 @@ jobs:
|
||||
failed-workflow:
|
||||
name: Failed workflow tasks
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: write
|
||||
needs: [ test-coverage-report, slack-notifications ]
|
||||
if: |
|
||||
always() &&
|
||||
|
10
.github/workflows/test-npm.yml
vendored
@ -33,6 +33,10 @@ concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
|
||||
cancel-in-progress: true
|
||||
|
||||
# Disable permissions for all available scopes by default.
|
||||
# Any needed permissions should be configured at the job level.
|
||||
permissions: {}
|
||||
|
||||
env:
|
||||
PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: ${{ true }}
|
||||
|
||||
@ -53,6 +57,8 @@ jobs:
|
||||
test-npm:
|
||||
name: Test npm on ${{ matrix.os }}
|
||||
runs-on: ${{ matrix.os }}
|
||||
permissions:
|
||||
contents: read
|
||||
timeout-minutes: 20
|
||||
if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
|
||||
strategy:
|
||||
@ -122,6 +128,8 @@ jobs:
|
||||
test-npm-macos:
|
||||
name: Test npm on MacOS
|
||||
runs-on: macos-latest
|
||||
permissions:
|
||||
contents: read
|
||||
timeout-minutes: 30
|
||||
if: ${{ github.repository == 'WordPress/wordpress-develop' }}
|
||||
steps:
|
||||
@ -179,6 +187,8 @@ jobs:
|
||||
failed-workflow:
|
||||
name: Failed workflow tasks
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: write
|
||||
needs: [ test-npm, test-npm-macos, slack-notifications ]
|
||||
if: |
|
||||
always() &&
|
||||
|
6
.github/workflows/test-old-branches.yml
vendored
@ -12,10 +12,16 @@ on:
|
||||
- cron: '0 0 1 * *'
|
||||
- cron: '0 0 15 * *'
|
||||
|
||||
# Disable permissions for all available scopes by default.
|
||||
# Any needed permissions should be configured at the job level.
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
dispatch-workflows-for-old-branches:
|
||||
name: ${{ matrix.workflow }} for ${{ matrix.branch }}
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: write
|
||||
timeout-minutes: 20
|
||||
if: ${{ github.repository == 'WordPress/wordpress-develop' }}
|
||||
strategy:
|
||||
|
@ -4,10 +4,16 @@ on:
|
||||
pull_request_target:
|
||||
types: [ opened ]
|
||||
|
||||
# Disable permissions for all available scopes by default.
|
||||
# Any needed permissions should be configured at the job level.
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
# Comments on a pull request when the author is a new contributor.
|
||||
post-welcome-message:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
issues: write
|
||||
timeout-minutes: 5
|
||||
if: ${{ github.repository == 'WordPress/wordpress-develop' }}
|
||||
|
||||
|