From 3bfc6611add9aca2257ac3c062150468da440c3d Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Wed, 3 May 2023 22:15:27 +0000
Subject: [PATCH] Build/Test Tools: Restrict the permissions granted to jobs on GitHub Actions

The `permissions` key in a job declares the GitHub permissions that are granted to the token that's used by the job. Restricting the permissions reduces the impact that a vulnerability in the CI system can have.

Props desrosj, johnbillion
See #57865

git-svn-id: https://develop.svn.wordpress.org/trunk@55715 602fd350-edb4-49c9-b593-d223f7449a82
---
 .github/workflows/coding-standards.yml | 10 ++++++++++
 .github/workflows/end-to-end-tests.yml | 8 ++++++++
 .github/workflows/failed-workflow.yml | 6 ++++++
 .github/workflows/javascript-tests.yml | 8 ++++++++
 .github/workflows/performance.yml | 8 ++++++++
 .github/workflows/php-compatibility.yml | 8 ++++++++
 .github/workflows/phpunit-tests.yml | 8 ++++++++
 .github/workflows/slack-notifications.yml | 7 +++++++
 .github/workflows/test-and-zip-default-themes.yml | 10 ++++++++++
 .github/workflows/test-coverage.yml | 8 ++++++++
 .github/workflows/test-npm.yml | 10 ++++++++++
 .github/workflows/test-old-branches.yml | 6 ++++++
 .github/workflows/welcome-new-contributors.yml | 6 ++++++
 13 files changed, 103 insertions(+)

diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml
index 46eb15ad1f..44b9707d93 100644
--- a/.github/workflows/coding-standards.yml
+++ b/.github/workflows/coding-standards.yml
@@ -40,6 +40,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Runs PHP coding standards checks.
   #
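Review bot: The workflow-level `permissions: {}` added here also bounds the token handed to any job that invokes a reusable workflow with `uses:`, because a called workflow can only downgrade, never elevate, the permissions of the calling job. The `slack-notifications` job that the later `needs: [ phpcs, jshint, slack-notifications ]` hunk refers to sits outside these hunks and receives no job-level `permissions:` in this diff, so the `actions: read` / `contents: read` that slack-notifications.yml's `prepare` job declares for itself would, if I read the caller correctly, be clamped to nothing and the notification run could fail on API reads. Each caller job should carry `permissions:` / `actions: read` / `contents: read` explicitly, and the header comment could say so: `# Jobs that call a reusable workflow must also declare the permissions the called workflow needs.` The same applies to the slack-notifications caller jobs in end-to-end-tests.yml, javascript-tests.yml, performance.yml, php-compatibility.yml, phpunit-tests.yml, test-and-zip-default-themes.yml, test-coverage.yml and test-npm.yml.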
@@ -59,6 +63,8 @@ jobs:
   phpcs:
     name: PHP coding standards
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
 
@@ -130,6 +136,8 @@ jobs:
   jshint:
     name: JavaScript coding standards
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
     env:
@@ -177,6 +185,8 @@ jobs:
   failed-workflow:
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ phpcs, jshint, slack-notifications ]
     if: |
       always() &&
diff --git a/.github/workflows/end-to-end-tests.yml b/.github/workflows/end-to-end-tests.yml
index 4e58c766c7..8a5fafe193 100644
--- a/.github/workflows/end-to-end-tests.yml
+++ b/.github/workflows/end-to-end-tests.yml
@@ -26,6 +26,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 env:
   LOCAL_DIR: build
 
@@ -48,6 +52,8 @@ jobs:
   e2e-tests:
     name: E2E Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
 
@@ -123,6 +129,8 @@ jobs:
   failed-workflow:
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ e2e-tests, slack-notifications ]
     if: |
       always() &&
diff --git a/.github/workflows/failed-workflow.yml b/.github/workflows/failed-workflow.yml
index d64149e283..af2208d94c 100644
--- a/.github/workflows/failed-workflow.yml
+++ b/.github/workflows/failed-workflow.yml
@@ -11,6 +11,10 @@ on:
       required: true
       type: 'string'
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Attempts to rerun a workflow.
   #
@@ -20,6 +24,8 @@ jobs:
   failed-workflow:
     name: Rerun a workflow
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     timeout-minutes: 5
 
     steps:
diff --git a/.github/workflows/javascript-tests.yml b/.github/workflows/javascript-tests.yml
index 8c48cdef49..bf0fdcc525 100644
--- a/.github/workflows/javascript-tests.yml
+++ b/.github/workflows/javascript-tests.yml
@@ -38,6 +38,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Runs the QUnit tests for WordPress.
   #
@@ -51,6 +55,8 @@ jobs:
   test-js:
     name: QUnit Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
 
@@ -96,6 +102,8 @@ jobs:
   failed-workflow:
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ test-js, slack-notifications ]
     if: |
       always() &&
diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml
index e4b0501d43..c7c3b58471 100644
--- a/.github/workflows/performance.yml
+++ b/.github/workflows/performance.yml
@@ -25,6 +25,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 env:
   # This workflow takes two sets of measurements — one for the current commit,
   # and another against a consistent version that is used as a baseline measurement.
@@ -66,6 +70,8 @@ jobs:
   performance:
     name: Run performance tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
 
     steps:
@@ -204,6 +210,8 @@ jobs:
   failed-workflow:
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ performance, slack-notifications ]
     if: |
       always() &&
diff --git a/.github/workflows/php-compatibility.yml b/.github/workflows/php-compatibility.yml
index 4bcec47a1d..fab3f9228d 100644
--- a/.github/workflows/php-compatibility.yml
+++ b/.github/workflows/php-compatibility.yml
@@ -35,6 +35,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Runs PHP compatibility testing.
 
@@ -54,6 +58,8 @@ jobs:
   php-compatibility:
     name: Check PHP compatibility
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
 
@@ -121,6 +127,8 @@ jobs:
   failed-workflow:
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ php-compatibility, slack-notifications ]
     if: |
       always() &&
diff --git a/.github/workflows/phpunit-tests.yml b/.github/workflows/phpunit-tests.yml
index bb82018cb1..c3f00152ba 100644
--- a/.github/workflows/phpunit-tests.yml
+++ b/.github/workflows/phpunit-tests.yml
@@ -26,6 +26,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 env:
   PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: ${{ true }}
   LOCAL_PHP_MEMCACHED: ${{ false }}
@@ -54,6 +58,8 @@ jobs:
   test-php:
     name: ${{ matrix.php }}${{ matrix.multisite && ' multisite' || '' }}${{ matrix.split_slow && ' slow tests' || '' }}${{ matrix.memcached && ' with memcached' || '' }} on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
     strategy:
@@ -233,6 +239,8 @@ jobs:
   failed-workflow:
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ test-php, slack-notifications ]
     if: |
       always() &&
diff --git a/.github/workflows/slack-notifications.yml b/.github/workflows/slack-notifications.yml
index be8bdf41c0..da596ed71f 100644
--- a/.github/workflows/slack-notifications.yml
+++ b/.github/workflows/slack-notifications.yml
@@ -26,6 +26,10 @@ on:
         description: 'The Slack webhook URL for a failed build.'
         required: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 env:
   CURRENT_BRANCH: ${{ github.ref_name }}
 
@@ -44,6 +48,9 @@ jobs:
   prepare:
     name: Prepare notifications
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
     timeout-minutes: 5
     if: ${{ github.repository == 'WordPress/wordpress-develop' && github.event.workflow_run.event != 'pull_request' }}
     outputs:
diff --git a/.github/workflows/test-and-zip-default-themes.yml b/.github/workflows/test-and-zip-default-themes.yml
index 6295be7961..9378e8757c 100644
--- a/.github/workflows/test-and-zip-default-themes.yml
+++ b/.github/workflows/test-and-zip-default-themes.yml
@@ -44,6 +44,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Tests the build script for themes that have one.
   #
@@ -56,6 +60,8 @@ jobs:
   test-build-scripts:
     name: Test ${{ matrix.theme }} build script
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 10
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
     strategy:
@@ -101,6 +107,8 @@ jobs:
   bundle-theme:
     name: Create ${{ matrix.theme }} ZIP file
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: [ test-build-scripts ]
     timeout-minutes: 10
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
@@ -152,6 +160,8 @@ jobs:
   failed-workflow:
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ test-build-scripts, bundle-theme, slack-notifications ]
     if: |
       always() &&
diff --git a/.github/workflows/test-coverage.yml b/.github/workflows/test-coverage.yml
index bb1cb6bf4b..a8f101565c 100644
--- a/.github/workflows/test-coverage.yml
+++ b/.github/workflows/test-coverage.yml
@@ -24,6 +24,10 @@ on:
   # Allow manually triggering the workflow.
   workflow_dispatch:
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 env:
   PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: ${{ true }}
   LOCAL_PHP: '7.4-fpm'
@@ -56,6 +60,8 @@ jobs:
   test-coverage-report:
     name: ${{ matrix.multisite && 'Multisite' || 'Single site' }} report
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 120
     if: ${{ github.repository == 'WordPress/wordpress-develop' }}
     strategy:
@@ -182,6 +188,8 @@ jobs:
   failed-workflow:
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ test-coverage-report, slack-notifications ]
     if: |
       always() &&
diff --git a/.github/workflows/test-npm.yml b/.github/workflows/test-npm.yml
index 512984d71b..2e0831a57b 100644
--- a/.github/workflows/test-npm.yml
+++ b/.github/workflows/test-npm.yml
@@ -33,6 +33,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 env:
   PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: ${{ true }}
 
@@ -53,6 +57,8 @@ jobs:
   test-npm:
     name: Test npm on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
     strategy:
@@ -122,6 +128,8 @@ jobs:
   test-npm-macos:
     name: Test npm on MacOS
     runs-on: macos-latest
+    permissions:
+      contents: read
     timeout-minutes: 30
     if: ${{ github.repository == 'WordPress/wordpress-develop' }}
     steps:
@@ -179,6 +187,8 @@ jobs:
   failed-workflow:
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ test-npm, test-npm-macos, slack-notifications ]
     if: |
       always() &&
diff --git a/.github/workflows/test-old-branches.yml b/.github/workflows/test-old-branches.yml
index cb998ee711..9e6fc72847 100644
--- a/.github/workflows/test-old-branches.yml
+++ b/.github/workflows/test-old-branches.yml
@@ -12,10 +12,16 @@ on:
     - cron: '0 0 1 * *'
     - cron: '0 0 15 * *'
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   dispatch-workflows-for-old-branches:
     name: ${{ matrix.workflow }} for ${{ matrix.branch }}
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' }}
     strategy:
diff --git a/.github/workflows/welcome-new-contributors.yml b/.github/workflows/welcome-new-contributors.yml
index 15457f65bd..048fb787fa 100644
--- a/.github/workflows/welcome-new-contributors.yml
+++ b/.github/workflows/welcome-new-contributors.yml
@@ -4,10 +4,16 @@ on:
   pull_request_target:
     types: [ opened ]
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Comments on a pull request when the author is a new contributor.
   post-welcome-message:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     timeout-minutes: 5
     if: ${{ github.repository == 'WordPress/wordpress-develop' }}
 
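Review bot: In welcome-new-contributors.yml the `issues: write` grant sits on a job triggered by `pull_request_target`, which runs in the base repository's context with a writable token even for pull requests opened from forks, so this is the one place in the diff where a write scope meets untrusted input. The job's `steps:` are outside the hunk, so I cannot confirm it, but the invariant worth recording next to the grant is that the job must only post the comment and never check out or execute anything from the pull request head; a comment such as `# pull_request_target + a write scope: this job must not check out or run code from the PR branch.` above `permissions:` would make that constraint survive future edits. If the comment is posted through the pull requests API rather than the issues API, `issues: write` would need to become `pull-requests: write`, which is worth verifying against the step that posts it.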