GitHub Actions workflow hardening #69126
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This comment was marked as outdated.
This comment was marked as outdated.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
Size Change: 0 B Total Size: 1.85 MB ℹ️ View Unchanged
|
This comment was marked as off-topic.
This comment was marked as off-topic.
t-hamano
added
[Type] Security
…se of these will be proposed separately.
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message. To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
swissspidy
approved these changes
Apr 8, 2025
desrosj
reviewed
Apr 8, 2025
| name: Lint GitHub Actions workflow files | ||
|
|
||
| on: | ||
| push: |
Member
There was a problem hiding this comment.
Should we also include this for the wp/X.Y branches? Going forward, this would lint suggested changes to the workflows in these branches, which are used to push out point releases for older versions of WP when necessary.
Member
Author
There was a problem hiding this comment.
Yes, but I think that means we can only start doing that with the next point release after this is merged, do you agree?
desrosj
approved these changes
Apr 8, 2025
Member
desrosj
left a comment
desrosj
left a comment
There was a problem hiding this comment.
Thanks for working on this, @johnbillion! Let's give it a go!
joehoyle
approved these changes
Apr 8, 2025
| jobs: | ||
| # Runs the actionlint GitHub Action workflow file linter. | ||
| # | ||
| # This helps guard against common mistakes including strong type checking for expressions (${{ }}), security checks, |
There was a problem hiding this comment.
I assume this also checks the permissions: {} top level permissions too?
Member
Author
There was a problem hiding this comment.
Actionlint only checks that the given permission scopes and access levels are valid -- both at the top level workflow level and the job level -- ie. it lints them but doesn't check for overly broad permissions. Zizmor does check for excessive permissions, but I will be writing a separate proposal for adopting that.
This was referenced May 1, 2025
This was referenced Sep 5, 2025
Open
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What?
These changes harden the security of the GitHub Actions workflows. GitHub Actions workflows operate in a highly privileged software supply chain environment, for example they have access to publish npm packages, deploy the plugin to the WordPress.org plugin directory, and push commits to the repo. Hardening these workflows reduces the attack surface available to vulnerabilities and malicious actors.
See WordPress/wordpress-develop#8007 for where the same thing was done for the
wordpress-developrepo.permissionsdeclarations to workflows and jobs.Not all workflows are testable in isolation, so we will need to check each subsequent run of affected workflows when they next run. We learnt a few things after making these changes in the
wordpress-developrepo, so hopefully everything has been accounted for. The actionlint workflow helps a great deal.Why?
GitHub Actions workflows are highly privileged. They can push to the repo, they can publish packages, and they work with inputs that shouldn't necessarily be trusted. Hardening the workflows reduces the attack surface for including malicious code in a package or exposing sensitive information.
Notes
wordpress-developandgutenbergrepos.References