Build/Test Tools: Restrict the permissions granted to jobs on GitHub Actions

The `permissions` key in a job declares the GitHub API permissions granted to the `GITHUB_TOKEN` that the job uses. Restricting those permissions limits the impact that a vulnerability in the CI system can have.

Props desrosj, johnbillion

See #57865


git-svn-id: https://develop.svn.wordpress.org/trunk@55715 602fd350-edb4-49c9-b593-d223f7449a82
John Blackbourn 2023-05-03 22:15:27 +00:00
parent eb409e4cac
commit 3bfc6611ad
13 changed files with 103 additions and 0 deletions


@ -40,6 +40,10 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
cancel-in-progress: true
# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}
jobs:
# Runs PHP coding standards checks.
#
@ -59,6 +63,8 @@ jobs:
phpcs:
name: PHP coding standards
runs-on: ubuntu-latest
permissions:
contents: read
timeout-minutes: 20
if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
@ -130,6 +136,8 @@ jobs:
jshint:
name: JavaScript coding standards
runs-on: ubuntu-latest
permissions:
contents: read
timeout-minutes: 20
if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
env:
@ -177,6 +185,8 @@ jobs:
failed-workflow:
name: Failed workflow tasks
runs-on: ubuntu-latest
permissions:
actions: write
needs: [ phpcs, jshint, slack-notifications ]
if: |
always() &&
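Review bot: The `actions: write` scope given to `failed-workflow` at `permissions:` / `actions: write` is the broadest grant in this file — it lets the token re-run, cancel and dispatch any workflow in the repository, not just the current run — and nothing in the hunk records why it is needed. Given the job's name and its `needs:` on the test jobs it presumably re-runs failed runs through the Actions API, so add `# actions: write is required to re-run the failed workflow via the Actions API.` above the job-level `permissions:` so the scope is not widened or dropped by mistake later. The job's `if:` condition starts on the hunk's last line and continues outside it.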


@ -26,6 +26,10 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
cancel-in-progress: true
# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}
env:
LOCAL_DIR: build
@ -48,6 +52,8 @@ jobs:
e2e-tests:
name: E2E Tests
runs-on: ubuntu-latest
permissions:
contents: read
timeout-minutes: 20
if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
@ -123,6 +129,8 @@ jobs:
failed-workflow:
name: Failed workflow tasks
runs-on: ubuntu-latest
permissions:
actions: write
needs: [ e2e-tests, slack-notifications ]
if: |
always() &&
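Review bot: The `slack-notifications` job named in `needs: [ e2e-tests, slack-notifications ]` is not in this hunk, and with the new workflow-level `permissions: {}` a job that calls a reusable workflow through `uses:` passes on only the permissions set explicitly on that calling job — the called workflow may downgrade them but can never elevate them. If that job has no `permissions:` block of its own (I cannot see it here), the called workflow's request for `actions: read` and `contents: read` cannot be satisfied and its API calls will fail at runtime; confirm the calling job carries `permissions:` / `actions: read` / `contents: read`. The `failed-workflow` job's `if:` continues past the end of the hunk.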


@ -11,6 +11,10 @@ on:
required: true
type: 'string'
# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}
jobs:
# Attempts to rerun a workflow.
#
@ -20,6 +24,8 @@ jobs:
failed-workflow:
name: Rerun a workflow
runs-on: ubuntu-latest
permissions:
actions: write
timeout-minutes: 5
steps:
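Review bot: Because this file is a reusable workflow (its `on:` block ends with a required input of `type: 'string'`), the `actions: write` requested by the `failed-workflow` job is a ceiling rather than a grant: GitHub only lets a called workflow downgrade what the caller job passes in, so a caller whose `uses:` job does not itself set `actions: write` will get a 403 from the re-run call instead of a clear configuration error here. Add a comment above the job-level `permissions:` stating that contract, e.g. `# Callers must grant at least actions: write; a called workflow cannot elevate the permissions it receives.` The steps that actually use the token begin at `steps:` and lie outside the hunk.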


@ -38,6 +38,10 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
cancel-in-progress: true
# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}
jobs:
# Runs the QUnit tests for WordPress.
#
@ -51,6 +55,8 @@ jobs:
test-js:
name: QUnit Tests
runs-on: ubuntu-latest
permissions:
contents: read
timeout-minutes: 20
if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
@ -96,6 +102,8 @@ jobs:
failed-workflow:
name: Failed workflow tasks
runs-on: ubuntu-latest
permissions:
actions: write
needs: [ test-js, slack-notifications ]
if: |
always() &&
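Review bot: The `actions: write` scope on `failed-workflow` only takes effect on `push`, `schedule` and `workflow_dispatch` runs — on `pull_request` events from forks GitHub caps `GITHUB_TOKEN` at read-only regardless of this block — so the `if:` condition that starts at `always() &&` and continues outside the hunk should exclude pull-request runs (e.g. `github.event_name != 'pull_request'`) rather than let the re-run step execute and fail with 403. I cannot see the rest of the condition; if it already does this, a one-line comment above `permissions:` noting that the write scope is never available on fork pull requests would still help readers.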


@ -25,6 +25,10 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
cancel-in-progress: true
# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}
env:
# This workflow takes two sets of measurements — one for the current commit,
# and another against a consistent version that is used as a baseline measurement.
@ -66,6 +70,8 @@ jobs:
performance:
name: Run performance tests
runs-on: ubuntu-latest
permissions:
contents: read
if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
steps:
@ -204,6 +210,8 @@ jobs:
failed-workflow:
name: Failed workflow tasks
runs-on: ubuntu-latest
permissions:
actions: write
needs: [ performance, slack-notifications ]
if: |
always() &&
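Review bot: The `performance` job (`runs-on: ubuntu-latest`, `permissions:`, `if:`) is the only test job in this commit whose header shows no `timeout-minutes:`; every sibling job visible in the diff carries one, and an unbounded job is the one most likely to hold a runner and a live token for the full six-hour default. Add `timeout-minutes: <N>` between `permissions:` and `if:`, with N chosen from the observed duration of the two measurement passes described in the `env:` comment. The job's `steps:` begin outside this hunk.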


@ -35,6 +35,10 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
cancel-in-progress: true
# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}
jobs:
# Runs PHP compatibility testing.
@ -54,6 +58,8 @@ jobs:
php-compatibility:
name: Check PHP compatibility
runs-on: ubuntu-latest
permissions:
contents: read
timeout-minutes: 20
if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
@ -121,6 +127,8 @@ jobs:
failed-workflow:
name: Failed workflow tasks
runs-on: ubuntu-latest
permissions:
actions: write
needs: [ php-compatibility, slack-notifications ]
if: |
always() &&


@ -26,6 +26,10 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
cancel-in-progress: true
# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}
env:
PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: ${{ true }}
LOCAL_PHP_MEMCACHED: ${{ false }}
@ -54,6 +58,8 @@ jobs:
test-php:
name: ${{ matrix.php }}${{ matrix.multisite && ' multisite' || '' }}${{ matrix.split_slow && ' slow tests' || '' }}${{ matrix.memcached && ' with memcached' || '' }} on ${{ matrix.os }}
runs-on: ${{ matrix.os }}
permissions:
contents: read
timeout-minutes: 20
if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
strategy:
@ -233,6 +239,8 @@ jobs:
failed-workflow:
name: Failed workflow tasks
runs-on: ubuntu-latest
permissions:
actions: write
needs: [ test-php, slack-notifications ]
if: |
always() &&


@ -26,6 +26,10 @@ on:
description: 'The Slack webhook URL for a failed build.'
required: true
# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}
env:
CURRENT_BRANCH: ${{ github.ref_name }}
@ -44,6 +48,9 @@ jobs:
prepare:
name: Prepare notifications
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
timeout-minutes: 5
if: ${{ github.repository == 'WordPress/wordpress-develop' && github.event.workflow_run.event != 'pull_request' }}
outputs:
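Review bot: The `prepare` job now requests `actions: read` and `contents: read`, but the hunk does not say which step needs which, and the `github.event.workflow_run.event` check on the `if:` line shows this workflow also runs on `workflow_run`, where the token is issued in the base repository's context with the repository's default permissions — the strongest reason the new `permissions: {}` default matters in this file. A comment above the job-level `permissions:` such as `# actions: read — query the triggering workflow_run; contents: read — checkout` would make the grant auditable; I am inferring those uses from the scope names, so match the comment to what the steps below `outputs:` (outside the hunk) actually do.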


@ -44,6 +44,10 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
cancel-in-progress: true
# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}
jobs:
# Tests the build script for themes that have one.
#
@ -56,6 +60,8 @@ jobs:
test-build-scripts:
name: Test ${{ matrix.theme }} build script
runs-on: ubuntu-latest
permissions:
contents: read
timeout-minutes: 10
if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
strategy:
@ -101,6 +107,8 @@ jobs:
bundle-theme:
name: Create ${{ matrix.theme }} ZIP file
runs-on: ubuntu-latest
permissions:
contents: read
needs: [ test-build-scripts ]
timeout-minutes: 10
if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
@ -152,6 +160,8 @@ jobs:
failed-workflow:
name: Failed workflow tasks
runs-on: ubuntu-latest
permissions:
actions: write
needs: [ test-build-scripts, bundle-theme, slack-notifications ]
if: |
always() &&


@ -24,6 +24,10 @@ on:
# Allow manually triggering the workflow.
workflow_dispatch:
# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}
env:
PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: ${{ true }}
LOCAL_PHP: '7.4-fpm'
@ -56,6 +60,8 @@ jobs:
test-coverage-report:
name: ${{ matrix.multisite && 'Multisite' || 'Single site' }} report
runs-on: ubuntu-latest
permissions:
contents: read
timeout-minutes: 120
if: ${{ github.repository == 'WordPress/wordpress-develop' }}
strategy:
@ -182,6 +188,8 @@ jobs:
failed-workflow:
name: Failed workflow tasks
runs-on: ubuntu-latest
permissions:
actions: write
needs: [ test-coverage-report, slack-notifications ]
if: |
always() &&


@ -33,6 +33,10 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
cancel-in-progress: true
# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}
env:
PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: ${{ true }}
@ -53,6 +57,8 @@ jobs:
test-npm:
name: Test npm on ${{ matrix.os }}
runs-on: ${{ matrix.os }}
permissions:
contents: read
timeout-minutes: 20
if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
strategy:
@ -122,6 +128,8 @@ jobs:
test-npm-macos:
name: Test npm on MacOS
runs-on: macos-latest
permissions:
contents: read
timeout-minutes: 30
if: ${{ github.repository == 'WordPress/wordpress-develop' }}
steps:
@ -179,6 +187,8 @@ jobs:
failed-workflow:
name: Failed workflow tasks
runs-on: ubuntu-latest
permissions:
actions: write
needs: [ test-npm, test-npm-macos, slack-notifications ]
if: |
always() &&


@ -12,10 +12,16 @@ on:
- cron: '0 0 1 * *'
- cron: '0 0 15 * *'
# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}
jobs:
dispatch-workflows-for-old-branches:
name: ${{ matrix.workflow }} for ${{ matrix.branch }}
runs-on: ubuntu-latest
permissions:
actions: write
timeout-minutes: 20
if: ${{ github.repository == 'WordPress/wordpress-develop' }}
strategy:
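Review bot: The `actions: write` scope on `dispatch-workflows-for-old-branches` is not explained in the hunk, and it is worth a comment because every run this job dispatches receives its own `GITHUB_TOKEN` — a token with this scope can start any workflow on any branch of the repository, not only the `${{ matrix.workflow }}` / `${{ matrix.branch }}` pairs the job name suggests. Add `# actions: write is required to trigger workflow_dispatch events through the Actions API.` above the job-level `permissions:`, and keep the `if: ${{ github.repository == 'WordPress/wordpress-develop' }}` guard so forks cannot dispatch against their own copies by accident. The `strategy:` matrix that defines the pairs continues outside the hunk.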


@ -4,10 +4,16 @@ on:
pull_request_target:
types: [ opened ]
# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}
jobs:
# Comments on a pull request when the author is a new contributor.
post-welcome-message:
runs-on: ubuntu-latest
permissions:
issues: write
timeout-minutes: 5
if: ${{ github.repository == 'WordPress/wordpress-develop' }}