Build/Test Tools: Restrict the permissions granted to jobs on GitHub …

…Actions The `permissions` key in a job declares the GitHub permissions that are granted to the token that's used by the job. Restricting the permissions reduces the impact that a vulnerability in the CI system can have. Props desrosj, johnbillion See #57865 git-svn-id: https://develop.svn.wordpress.org/trunk@55715 602fd350-edb4-49c9-b593-d223f7449a82
AKJUS · May 3, 2023 · 3bfc661 · 3bfc661
1 parent eb409e4
commit 3bfc661
Show file tree

Hide file tree

Showing 13 changed files with 103 additions and 0 deletions.
diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml
@@ -40,6 +40,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Runs PHP coding standards checks.
   #
@@ -59,6 +63,8 @@ jobs:
   phpcs:
     name: PHP coding standards
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
 
@@ -130,6 +136,8 @@ jobs:
   jshint:
     name: JavaScript coding standards
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
     env:
@@ -177,6 +185,8 @@ jobs:
   failed-workflow:
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ phpcs, jshint, slack-notifications ]
     if: |
       always() &&

diff --git a/.github/workflows/end-to-end-tests.yml b/.github/workflows/end-to-end-tests.yml
@@ -26,6 +26,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 env:
   LOCAL_DIR: build
 
@@ -48,6 +52,8 @@ jobs:
   e2e-tests:
     name: E2E Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
 
@@ -123,6 +129,8 @@ jobs:
   failed-workflow:
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ e2e-tests, slack-notifications ]
     if: |
       always() &&

diff --git a/.github/workflows/failed-workflow.yml b/.github/workflows/failed-workflow.yml
@@ -11,6 +11,10 @@ on:
         required: true
         type: 'string'
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Attempts to rerun a workflow.
   #
@@ -20,6 +24,8 @@ jobs:
   failed-workflow:
     name: Rerun a workflow
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     timeout-minutes: 5
 
     steps:

diff --git a/.github/workflows/javascript-tests.yml b/.github/workflows/javascript-tests.yml
@@ -38,6 +38,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Runs the QUnit tests for WordPress.
   #
@@ -51,6 +55,8 @@ jobs:
   test-js:
     name: QUnit Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
 
@@ -96,6 +102,8 @@ jobs:
   failed-workflow:
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ test-js, slack-notifications ]
     if: |
       always() &&

diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml
@@ -25,6 +25,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 env:
   # This workflow takes two sets of measurements — one for the current commit,
   # and another against a consistent version that is used as a baseline measurement.
@@ -66,6 +70,8 @@ jobs:
   performance:
     name: Run performance tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
 
     steps:
@@ -204,6 +210,8 @@ jobs:
   failed-workflow:
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ performance, slack-notifications ]
     if: |
       always() &&

diff --git a/.github/workflows/php-compatibility.yml b/.github/workflows/php-compatibility.yml
@@ -35,6 +35,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 
   # Runs PHP compatibility testing.
@@ -54,6 +58,8 @@ jobs:
   php-compatibility:
     name: Check PHP compatibility
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
 
@@ -121,6 +127,8 @@ jobs:
   failed-workflow:
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ php-compatibility, slack-notifications ]
     if: |
       always() &&

diff --git a/.github/workflows/phpunit-tests.yml b/.github/workflows/phpunit-tests.yml
@@ -26,6 +26,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 env:
   PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: ${{ true }}
   LOCAL_PHP_MEMCACHED: ${{ false }}
@@ -54,6 +58,8 @@ jobs:
   test-php:
     name: ${{ matrix.php }}${{ matrix.multisite && ' multisite' || '' }}${{ matrix.split_slow && ' slow tests' || '' }}${{ matrix.memcached && ' with memcached' || '' }} on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
     strategy:
@@ -233,6 +239,8 @@ jobs:
   failed-workflow:
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ test-php, slack-notifications ]
     if: |
       always() &&

diff --git a/.github/workflows/slack-notifications.yml b/.github/workflows/slack-notifications.yml
@@ -26,6 +26,10 @@ on:
         description: 'The Slack webhook URL for a failed build.'
         required: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 env:
   CURRENT_BRANCH: ${{ github.ref_name }}
 
@@ -44,6 +48,9 @@ jobs:
   prepare:
     name: Prepare notifications
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
     timeout-minutes: 5
     if: ${{ github.repository == 'WordPress/wordpress-develop' && github.event.workflow_run.event != 'pull_request' }}
     outputs:

diff --git a/.github/workflows/test-and-zip-default-themes.yml b/.github/workflows/test-and-zip-default-themes.yml
@@ -44,6 +44,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Tests the build script for themes that have one.
   #
@@ -56,6 +60,8 @@ jobs:
   test-build-scripts:
     name: Test ${{ matrix.theme }} build script
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 10
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
     strategy:
@@ -101,6 +107,8 @@ jobs:
   bundle-theme:
     name: Create ${{ matrix.theme }} ZIP file
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: [ test-build-scripts ]
     timeout-minutes: 10
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
@@ -152,6 +160,8 @@ jobs:
   failed-workflow:
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ test-build-scripts, bundle-theme, slack-notifications ]
     if: |
       always() &&

diff --git a/.github/workflows/test-coverage.yml b/.github/workflows/test-coverage.yml
@@ -24,6 +24,10 @@ on:
   # Allow manually triggering the workflow.
   workflow_dispatch:
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 env:
   PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: ${{ true }}
   LOCAL_PHP: '7.4-fpm'
@@ -56,6 +60,8 @@ jobs:
   test-coverage-report:
     name: ${{ matrix.multisite && 'Multisite' || 'Single site' }} report
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 120
     if: ${{ github.repository == 'WordPress/wordpress-develop' }}
     strategy:
@@ -182,6 +188,8 @@ jobs:
   failed-workflow:
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ test-coverage-report, slack-notifications ]
     if: |
       always() &&

diff --git a/.github/workflows/test-npm.yml b/.github/workflows/test-npm.yml
@@ -33,6 +33,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 env:
   PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: ${{ true }}
 
@@ -53,6 +57,8 @@ jobs:
   test-npm:
     name: Test npm on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
     strategy:
@@ -122,6 +128,8 @@ jobs:
   test-npm-macos:
     name: Test npm on MacOS
     runs-on: macos-latest
+    permissions:
+      contents: read
     timeout-minutes: 30
     if: ${{ github.repository == 'WordPress/wordpress-develop' }}
     steps:
@@ -179,6 +187,8 @@ jobs:
   failed-workflow:
     name: Failed workflow tasks
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     needs: [ test-npm, test-npm-macos, slack-notifications ]
     if: |
       always() &&

diff --git a/.github/workflows/test-old-branches.yml b/.github/workflows/test-old-branches.yml
@@ -12,10 +12,16 @@ on:
     - cron: '0 0 1 * *'
     - cron: '0 0 15 * *'
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   dispatch-workflows-for-old-branches:
     name: ${{ matrix.workflow }} for ${{ matrix.branch }}
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     timeout-minutes: 20
     if: ${{ github.repository == 'WordPress/wordpress-develop' }}
     strategy:

diff --git a/.github/workflows/welcome-new-contributors.yml b/.github/workflows/welcome-new-contributors.yml
@@ -4,10 +4,16 @@ on:
   pull_request_target:
     types: [ opened ]
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Comments on a pull request when the author is a new contributor.
   post-welcome-message:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     timeout-minutes: 5
     if: ${{ github.repository == 'WordPress/wordpress-develop' }}