From 32951b874173de03a8e4353e4e0fb0b755582e6e Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Mon, 10 Feb 2025 18:22:11 +0100
Subject: [PATCH 01/24] Add an Actionlint workflow.

---
 .github/workflows/reusable-workflow-lint.yml | 34 ++++++++++++++++++
 .github/workflows/workflow-lint.yml | 36 ++++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 .github/workflows/reusable-workflow-lint.yml
 create mode 100644 .github/workflows/workflow-lint.yml

diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml
new file mode 100644
index 00000000000000..8929cd27ed6709
--- /dev/null
+++ b/.github/workflows/reusable-workflow-lint.yml
@@ -0,0 +1,34 @@
+name: Lint GitHub Actions workflows
+on:
+  workflow_call:
+
+permissions: {}
+
+jobs:
+  # Runs the actionlint GitHub Action workflow file linter.
+  #
+  # This helps guard against common mistakes including strong type checking for expressions (${{ }}), security checks,
+  # `run:` script checking, glob syntax validation, and more.
+  #
+  # Performs the following steps:
+  # - Checks out the repository.
+  # - Runs actionlint.
+  actionlint:
+    name: Run actionlint
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    timeout-minutes: 5
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+          show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+
+      # actionlint is static checker for GitHub Actions workflow files.
+      # See https://github.com/rhysd/actionlint.
+      - name: Run actionlint
+        uses: docker://rhysd/actionlint:1.7.7
+        with:
+          args: "-color -verbose"
diff --git a/.github/workflows/workflow-lint.yml b/.github/workflows/workflow-lint.yml
new file mode 100644
index 00000000000000..6789acb03785f8
--- /dev/null
+++ b/.github/workflows/workflow-lint.yml
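Review bot: The actionlint step at the end of the hunk pins its container by a mutable registry tag, `uses: docker://rhysd/actionlint:1.7.7`, while every `actions/*` reference in the same file is pinned to a commit SHA; a tag can be re-pointed upstream, so this is the one input to the lint job whose content is not fixed. Pin the image by digest so the guarantee is uniform, e.g. `uses: docker://rhysd/actionlint@sha256:<digest> # 1.7.7`, resolving the digest from the registry rather than copying it from memory. The rest of the job — `permissions: {}` at the top, `contents: read` only, `persist-credentials: false` and a 5-minute timeout — is the shape the other jobs in this series should copy.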
@@ -0,0 +1,36 @@
+name: Lint GitHub Actions workflow files
+
+on:
+  push:
+    branches:
+      - trunk
+    paths:
+      # Only run when changes are made to workflow files.
+      - '.github/workflows/**'
+  pull_request:
+    branches:
+      - trunk
+    paths:
+      # Only run when changes are made to workflow files.
+      - '.github/workflows/**'
+  workflow_dispatch:
+
+# Cancels all previous workflow runs for pull requests that have not completed.
+concurrency:
+  # The concurrency group contains the workflow name and the branch name for pull requests
+  # or the commit hash for any other events.
+  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
+  cancel-in-progress: true
+
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
+jobs:
+  lint:
+    name: Lint GitHub Action files
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    uses: ./.github/workflows/reusable-workflow-lint.yml
From 908465e8072db2e3028a7f02aaf3c3d178ce948c Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Mon, 10 Feb 2025 18:29:34 +0100
Subject: [PATCH 02/24] Add Octoscan, Zizmor, and Poutine.

---
 .github/workflows/reusable-workflow-lint.yml | 75 ++++++++++++++++++++
 1 file changed, 75 insertions(+)

diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml
index 8929cd27ed6709..9a264650bc5d45 100644
--- a/.github/workflows/reusable-workflow-lint.yml
+++ b/.github/workflows/reusable-workflow-lint.yml
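Review bot: The `paths` filter on both the `push` and `pull_request` triggers is limited to `.github/workflows/**`, so an edit to a composite action such as `.github/setup-node/action.yml` — which patch 05 of this very series touches — never runs this lint, even though at least some of the scanners wired into the reusable workflow can audit `action.yml` metadata (worth confirming for the pinned versions). Widening the filter to cover the actions as well, `- '.github/workflows/**'` plus `- '.github/setup-node/**'` (or simply `- '.github/**'`), closes that gap at no cost; `workflow_dispatch` has no filter, so manual runs are unaffected either way. The concurrency group and the `permissions: {}` default with job-level grants read well.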
@@ -32,3 +32,78 @@ jobs:
         uses: docker://rhysd/actionlint:1.7.7
         with:
           args: "-color -verbose"
+
+  octoscan:
+    name: Octoscan
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    timeout-minutes: 10
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Run octoscan
+        id: octoscan
+        uses: synacktiv/action-octoscan@6b1cf2343893dfb9e5f75652388bd2dc83f456b0 # v1.0.0
+        with:
+          filter_triggers: ''
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
+        with:
+          sarif_file: ${{steps.octoscan.outputs.sarif_output}}
+          category: octoscan
+
+  zizmor:
+    name: Zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5.2.1
+
+      # https://github.com/woodruffw/zizmor
+      - name: Run zizmor
+        run: uvx zizmor@1.2.2 --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
+        with:
+          sarif_file: results.sarif
+          category: zizmor
+
+  poutine:
+    name: Poutine
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Run Poutine
+        uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
+        with:
+          sarif_file: results.sarif
+          category: poutine
From a93c6c9fe246b8e4071bcf2f46fc82d78eb75843 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Mon, 10 Feb 2025 20:05:40 +0100
Subject: [PATCH 03/24] Replace inline expressions with environment variables.

---
 .github/workflows/build-plugin-zip.yml | 58 +++++++++++++------
 .../workflows/check-components-changelog.yml | 5 +-
 .github/workflows/cherry-pick-wp-release.yml | 10 ++--
 .github/workflows/performance.yml | 14 ++---
 .github/workflows/publish-npm-packages.yml | 3 +-
 .github/workflows/unit-test.yml | 12 +++-
 .../upload-release-to-plugin-repo.yml | 8 ++-
 7 files changed, 70 insertions(+), 40 deletions(-)

diff --git a/.github/workflows/build-plugin-zip.yml b/.github/workflows/build-plugin-zip.yml
index 281146b63f2909..16676e99af8720 100644
--- a/.github/workflows/build-plugin-zip.yml
+++ b/.github/workflows/build-plugin-zip.yml
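Review bot: The `zizmor` and `poutine` jobs have no `timeout-minutes`, and all three new jobs run on `runs-on: ubuntu-latest`, whereas the existing `actionlint` job in this file caps at 5 minutes on `ubuntu-24.04`; a scanner that hangs on a floating runner image is exactly what the timeout exists for, so give all three `timeout-minutes: 10` and the pinned image. The `poutine` job also omits the `actions: read` grant the other two carry — either it is needed by `upload-sarif` for this repository and should be added here, or it is not and should be dropped from `octoscan` and `zizmor` too, so that the minimal set is the same everywhere. Separately, `security-events: write` is requested from a `pull_request` trigger in the caller; for pull requests opened from forks the `GITHUB_TOKEN` is generally read-only, so the three `Upload SARIF file` steps may fail on exactly those runs — worth verifying on a fork PR and, if so, gating the upload steps with `if: github.event.pull_request.head.repo.fork == false`.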
@@ -36,8 +36,8 @@ jobs: curl \ -H "Accept: application/vnd.github.v3+json" \ -o latest.json \ - "https://api.github.com/repos/${{ github.repository }}/releases/latest" - LATEST_STABLE_TAG=$(jq --raw-output '.tag_name' latest.json) + "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" + LATEST_STABLE_TAG="$(jq --raw-output '.tag_name' latest.json)" IFS='.' read LATEST_STABLE_MAJOR LATEST_STABLE_MINOR LATEST_STABLE_PATCH <<< "${LATEST_STABLE_TAG#v}" echo "current_stable_branch=release/${LATEST_STABLE_MAJOR}.${LATEST_STABLE_MINOR}" >> $GITHUB_OUTPUT if [[ ${LATEST_STABLE_MINOR} == "9" ]]; then @@ -79,10 +79,12 @@ jobs: - name: Compute old and new version id: get_version + env: + VERSION: ${{ github.event.inputs.version }} run: | OLD_VERSION=$(jq --raw-output '.version' package.json) - echo "old_version=${OLD_VERSION}" >> $GITHUB_OUTPUT - if [[ ${{ github.event.inputs.version }} == 'stable' ]]; then + echo "old_version=${OLD_VERSION}" >> "$GITHUB_OUTPUT" + if [[ "$VERSION" == 'stable' ]]; then NEW_VERSION=$(npx semver $OLD_VERSION -i patch) else if [[ $OLD_VERSION == *"rc"* ]]; then 
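Review bot: The `curl` at the top of the hunk still runs without `--fail` (or `-sS`), so a non-2xx answer from the releases API — rate limit, outage — is written to `latest.json` as an error document, `jq` then yields `null`, and the step happily emits `current_stable_branch=release/null.` instead of failing; the `${GITHUB_REPOSITORY}` change is right but does not cover that path. While the line is being touched: `curl --fail -sS -H "Accept: application/vnd.github.v3+json" -o latest.json "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest"` and `IFS='.' read -r LATEST_STABLE_MAJOR LATEST_STABLE_MINOR LATEST_STABLE_PATCH <<< "${LATEST_STABLE_TAG#v}"`. The `run:` block this belongs to starts before the hunk.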
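Review bot: `npx semver $OLD_VERSION -i patch` in the `Compute old and new version` step is an unpinned run-time download from the npm registry: the step follows the checkout directly (patch 04 in this series shows nothing between the checkout's `with:` block and this step), so there is no `node_modules` for `npx` to resolve from, and whatever `semver` the registry serves that day executes inside a job whose checkout carries the `GUTENBERG_TOKEN` PAT. Pin it — `NEW_VERSION=$(npx --yes semver@7 "$OLD_VERSION" -i patch)` — or run an `npm ci` first and use the locked copy; quoting `"$OLD_VERSION"` also matches the rest of this change. The step's `run:` block continues past the end of the hunk.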
@@ -111,31 +113,39 @@ jobs: if: | github.event.inputs.version == 'rc' && ! contains( steps.get_version.outputs.old_version, 'rc' ) - run: git checkout -b "${{ steps.get_version.outputs.release_branch }}" + env: + TARGET_BRANCH: ${{ steps.get_version.outputs.release_branch }} + run: git checkout -b "$TARGET_BRANCH" - name: Switch to release branch if: | github.event.inputs.version == 'stable' || contains( steps.get_version.outputs.old_version, 'rc' ) + env: + TARGET_BRANCH: ${{ steps.get_version.outputs.release_branch }} run: | - git fetch --depth=1 origin "${{ steps.get_version.outputs.release_branch }}" - git checkout "${{ steps.get_version.outputs.release_branch }}" + git fetch --depth=1 origin "$TARGET_BRANCH" + git checkout "$TARGET_BRANCH" - name: Update plugin version env: VERSION: ${{ steps.get_version.outputs.new_version }} + OLD_VERSION: ${{ steps.get_version.outputs.old_version }} run: | cat <<< $(jq --tab --arg version "${VERSION}" '.version = $version' package.json) > package.json cat <<< $(jq --tab --arg version "${VERSION}" '.version = $version | .packages[""].version = $version' package-lock.json) > package-lock.json - sed -i "s/${{ steps.get_version.outputs.old_version }}/${VERSION}/g" gutenberg.php + sed -i "s/${OLD_VERSION}/${VERSION}/g" gutenberg.php - name: Commit the version bump to the release branch id: commit_version_bump_to_release_branch + env: + TARGET_BRANCH: ${{ steps.get_version.outputs.release_branch }} + VERSION: ${{ steps.get_version.outputs.new_version }} run: | git add gutenberg.php package.json package-lock.json - git commit -m "Bump plugin version to ${{ steps.get_version.outputs.new_version }}" - git push --set-upstream origin "${{ steps.get_version.outputs.release_branch }}" - echo "version_bump_commit=$(git rev-parse --verify --short HEAD)" >> $GITHUB_OUTPUT + git commit -m "Bump plugin version to ${VERSION}" + git push --set-upstream origin "$TARGET_BRANCH" + echo "version_bump_commit=$(git rev-parse --verify --short HEAD)" 
>> "$GITHUB_OUTPUT" - name: Fetch trunk if: ${{ github.ref != 'refs/heads/trunk' }} @@ -143,12 +153,15 @@ jobs: - name: Cherry-pick the version bump commit to trunk id: commit_version_bump_to_trunk + env: + TARGET_BRANCH: ${{ steps.get_version.outputs.release_branch }} + OLD_VERSION: ${{ steps.get_version.outputs.old_version }} run: | git checkout trunk git pull - TRUNK_VERSION=$(jq --raw-output '.version' package.json) - if [[ ${{ steps.get_version.outputs.old_version }} == "$TRUNK_VERSION" ]]; then - git cherry-pick "${{ steps.get_version.outputs.release_branch }}" + TRUNK_VERSION="$(jq --raw-output '.version' package.json)" + if [[ "$OLD_VERSION" == "$TRUNK_VERSION" ]]; then + git cherry-pick "$TARGET_BRANCH" git push echo "version_bump_commit=$(git rev-parse --verify --short HEAD)" >> $GITHUB_OUTPUT fi @@ -200,7 +213,7 @@ jobs: MILESTONE="Gutenberg ${VERSION_ARRAY[0]}.${VERSION_ARRAY[1]}" npm run other:changelog -- --milestone="$MILESTONE" --unreleased > release-notes.txt sed -ie '1,6d' release-notes.txt - if [[ ${{ needs.bump-version.outputs.new_version }} != *"rc"* ]]; then + if [[ "${VERSION}" != *"rc"* ]]; then # Include previous RCs' release notes, if any CHANGELOG_REGEX="=\s[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?\s=" RC_REGEX="=\s${VERSION}(-rc\.[0-9]+)?\s=" 
@@ -241,23 +254,30 @@ jobs: if: | github.event.inputs.version == 'stable' || contains( needs.bump-version.outputs.old_version, 'rc' ) + env: + RELEAD_BRANCH_COMMIT: ${{ needs.bump-version.outputs.release_branch_commit }} + RELEASE_BRANCH: ${{ needs.bump-version.outputs.release_branch }} run: | - git revert --no-edit ${{ needs.bump-version.outputs.release_branch_commit }} - git push --set-upstream origin "${{ needs.bump-version.outputs.release_branch }}" + git revert --no-edit "$RELEAD_BRANCH_COMMIT" + git push --set-upstream origin "$RELEASE_BRANCH" - name: Delete release branch if it was only just created for the RC if: | github.event.inputs.version == 'rc' && ! contains( needs.bump-version.outputs.old_version, 'rc' ) + env: + RELEASE_BRANCH: ${{ needs.bump-version.outputs.release_branch }} run: | - git push origin :"${{ needs.bump-version.outputs.release_branch }}" + git push origin :"$RELEASE_BRANCH" - name: Revert version bump on trunk if: ${{ needs.bump-version.outputs.trunk_commit }} + env: + TRUNK_COMMIT: ${{ needs.bump-version.outputs.trunk_commit }} run: | git fetch --depth=2 origin trunk git checkout trunk - git revert --no-edit ${{ needs.bump-version.outputs.trunk_commit }} + git revert --no-edit "$TRUNK_COMMIT" git push --set-upstream origin trunk create-release: diff --git a/.github/workflows/check-components-changelog.yml b/.github/workflows/check-components-changelog.yml index 373a782d5d6ddf..553f070b300231 100644 --- a/.github/workflows/check-components-changelog.yml +++ b/.github/workflows/check-components-changelog.yml 
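Review bot: The new variable for the revert step is misspelled — `RELEAD_BRANCH_COMMIT: ${{ needs.bump-version.outputs.release_branch_commit }}` and `git revert --no-edit "$RELEAD_BRANCH_COMMIT"`; it works only because both spellings agree, and the next person who searches for `RELEASE_` to find every use of the release-branch commit will miss it. Rename both to `RELEASE_BRANCH_COMMIT`, matching the `RELEASE_BRANCH` variable declared on the line below. Moving all four steps' expressions into `env:` and quoting them is the right pattern; the job this belongs to starts before the hunk.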
@@ -29,16 +29,17 @@ jobs: fetch-depth: ${{ env.PR_COMMIT_COUNT }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} - name: 'Fetch relevant history from origin' - run: git fetch origin ${{ github.event.pull_request.base.ref }} + run: git fetch origin "$GITHUB_BASE_REF" - name: Check CHANGELOG status env: PR_NUMBER: ${{ github.event.number }} + HEAD_SHA: ${{ github.event.pull_request.head.sha }} run: | changelog_path="packages/components/CHANGELOG.md" optional_check_notice="This isn't a required check, so if you think your changes are small enough that they don't warrant a CHANGELOG entry, please go ahead and merge without one." # Fail if the PR doesn't touch the changelog - if git diff --quiet ${{ github.event.pull_request.base.sha }} HEAD -- "$changelog_path"; then + if git diff --quiet "$HEAD_SHA" HEAD -- "$changelog_path"; then echo "Please add a CHANGELOG entry to $changelog_path" echo echo "${optional_check_notice}" diff --git a/.github/workflows/cherry-pick-wp-release.yml b/.github/workflows/cherry-pick-wp-release.yml index 14bee71c90c909..8aecf722e1e3db 100644 --- a/.github/workflows/cherry-pick-wp-release.yml +++ b/.github/workflows/cherry-pick-wp-release.yml 
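Review bot: The changelog check now compares against the wrong commit: the removed line ran `git diff --quiet ${{ github.event.pull_request.base.sha }} HEAD`, but the variable introduced in its place is `HEAD_SHA: ${{ github.event.pull_request.head.sha }}`; with the checkout above taken from `head.repo.full_name` (the `ref:` line is outside the hunk, but a PR-head checkout is what that implies) `HEAD` and `$HEAD_SHA` are the same commit, the diff is always empty, and every PR will be told to add a CHANGELOG entry. Keep the base commit as the comparison point: `BASE_SHA: ${{ github.event.pull_request.base.sha }}` and `if git diff --quiet "$BASE_SHA" HEAD -- "$changelog_path"; then`. The `git fetch origin "$GITHUB_BASE_REF"` two lines earlier is what makes `base.sha` reachable and is otherwise unchanged in meaning.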
@@ -85,19 +85,19 @@ jobs: id: cherry-pick if: env.cherry_pick == 'true' run: | - TARGET_BRANCH="wp/${{ env.version }}" - COMMIT_SHA="${{ env.commit_sha }}" + TARGET_BRANCH="wp/${version}" + COMMIT_SHA="${commit_sha}" echo "Target branch: $TARGET_BRANCH" echo "Commit SHA: $COMMIT_SHA" git checkout $TARGET_BRANCH git cherry-pick $COMMIT_SHA || echo "cherry-pick-failed" > result if [ -f result ] && grep -q "cherry-pick-failed" result; then - echo "conflict=true" >> $GITHUB_ENV + echo "conflict=true" >> "$GITHUB_ENV" git cherry-pick --abort else CHERRY_PICK_SHA=$(git rev-parse HEAD) - echo "conflict=false" >> $GITHUB_ENV - echo "cherry_pick_sha=$CHERRY_PICK_SHA" >> $GITHUB_ENV + echo "conflict=false" >> "$GITHUB_ENV" + echo "cherry_pick_sha=$CHERRY_PICK_SHA" >> "$GITHUB_ENV" git push origin $TARGET_BRANCH fi diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml index 4a5b576b424b53..6183c3ef5261d6 100644 --- a/.github/workflows/performance.yml +++ b/.github/workflows/performance.yml @@ -49,7 +49,7 @@ jobs: - name: Compare performance with base branch if: github.event_name == 'pull_request' - run: ./bin/plugin/cli.js perf $GITHUB_SHA ${{ github.base_ref }} --tests-branch $GITHUB_SHA + run: ./bin/plugin/cli.js perf "$GITHUB_SHA" "$GITHUB_BASE_REF" --tests-branch "$GITHUB_SHA" - name: Compare performance with current WordPress Core and previous Gutenberg versions if: github.event_name == 'release' 
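Review bot: `version` and `commit_sha` are now read from the environment rather than interpolated, which removes the template-injection path, but the derived values are still used unquoted — `git checkout $TARGET_BRANCH`, `git cherry-pick $COMMIT_SHA`, `git push origin $TARGET_BRANCH` — so a value containing whitespace or glob characters still splits into extra arguments; quote them the way the `$GITHUB_ENV` redirections in the same step were quoted. Where `version` and `commit_sha` are populated is outside the hunk, so I cannot tell whether they come from user-controlled text; if they do, validate before use, e.g. `[[ "$COMMIT_SHA" =~ ^[0-9a-f]{7,40}$ ]] || exit 1` and `[[ "$version" =~ ^[0-9]+\.[0-9]+$ ]] || exit 1`, since this step pushes to `wp/*` release branches.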
@@ -64,7 +64,7 @@ jobs: WP_VERSION=$(awk -F ': ' '/^Tested up to/{print $2}' readme.txt) IFS=. read -ra WP_VERSION_ARRAY <<< "$WP_VERSION" WP_MAJOR="${WP_VERSION_ARRAY[0]}.${WP_VERSION_ARRAY[1]}" - ./bin/plugin/cli.js perf "wp/$WP_MAJOR" "$PREVIOUS_RELEASE_BRANCH" "$CURRENT_RELEASE_BRANCH" --tests-branch $GITHUB_SHA --wp-version "$WP_MAJOR" + ./bin/plugin/cli.js perf "wp/$WP_MAJOR" "$PREVIOUS_RELEASE_BRANCH" "$CURRENT_RELEASE_BRANCH" --tests-branch "$GITHUB_SHA" --wp-version "$WP_MAJOR" - name: Compare performance with base branch if: github.event_name == 'push' @@ -75,7 +75,7 @@ jobs: WP_VERSION=$(awk -F ': ' '/^Tested up to/{print $2}' readme.txt) IFS=. read -ra WP_VERSION_ARRAY <<< "$WP_VERSION" WP_MAJOR="${WP_VERSION_ARRAY[0]}.${WP_VERSION_ARRAY[1]}" - ./bin/plugin/cli.js perf $GITHUB_SHA c7722262e65a3f4d0f1a2d1ad29eccb2069509e4 --tests-branch $GITHUB_SHA --wp-version "$WP_MAJOR" + ./bin/plugin/cli.js perf "$GITHUB_SHA" c7722262e65a3f4d0f1a2d1ad29eccb2069509e4 --tests-branch "$GITHUB_SHA" --wp-version "$WP_MAJOR" - name: Compare performance with custom branches if: github.event_name == 'workflow_dispatch' @@ -83,10 +83,10 @@ jobs: BRANCHES: ${{ github.event.inputs.branches }} WP_VERSION: ${{ github.event.inputs.wpversion }} run: | - ./bin/plugin/cli.js perf $(echo $BRANCHES | tr ',' ' ') --tests-branch $GITHUB_SHA --wp-version "$WP_VERSION" + ./bin/plugin/cli.js perf $(echo $BRANCHES | tr ',' ' ') --tests-branch "$GITHUB_SHA" --wp-version "$WP_VERSION" - name: Add workflow summary - run: cat ${{ env.WP_ARTIFACTS_PATH }}/summary.md >> $GITHUB_STEP_SUMMARY + run: cat "${WP_ARTIFACTS_PATH}/summary.md" >> "$GITHUB_STEP_SUMMARY" - name: Archive performance results if: success() 
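Review bot: `./bin/plugin/cli.js perf $(echo $BRANCHES | tr ',' ' ')` still passes the `branches` dispatch input through an unquoted command substitution, so each comma-separated entry undergoes glob expansion and further whitespace splitting; moving the input into `env` removed the expression-injection risk, but the word splitting is what the rest of this commit is tightening. Split it explicitly instead: `IFS=',' read -r -a BRANCH_LIST <<< "$BRANCHES"` followed by `./bin/plugin/cli.js perf "${BRANCH_LIST[@]}" --tests-branch "$GITHUB_SHA" --wp-version "$WP_VERSION"`. The input is only settable via `workflow_dispatch`, so this is robustness for collaborators rather than an exploit path.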
@@ -100,8 +100,8 @@ jobs: env: CODEHEALTH_PROJECT_TOKEN: ${{ secrets.CODEHEALTH_PROJECT_TOKEN }} run: | - COMMITTED_AT=$(git show -s $GITHUB_SHA --format="%cI") - ./bin/log-performance-results.js $CODEHEALTH_PROJECT_TOKEN trunk $GITHUB_SHA c7722262e65a3f4d0f1a2d1ad29eccb2069509e4 $COMMITTED_AT + COMMITTED_AT=$(git show -s "$GITHUB_SHA" --format="%cI") + ./bin/log-performance-results.js $CODEHEALTH_PROJECT_TOKEN trunk "$GITHUB_SHA" c7722262e65a3f4d0f1a2d1ad29eccb2069509e4 $COMMITTED_AT - name: Archive debug artifacts (screenshots, HTML snapshots) uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 diff --git a/.github/workflows/publish-npm-packages.yml b/.github/workflows/publish-npm-packages.yml index 7a354ed819dfce..9b4e4904716fc0 100644 --- a/.github/workflows/publish-npm-packages.yml +++ b/.github/workflows/publish-npm-packages.yml @@ -104,6 +104,7 @@ jobs: run: | cd publish npm ci - npx lerna publish patch --dist-tag wp-${{ github.event.inputs.wp_version }} --no-private --yes --no-verify-access + npx lerna publish patch --dist-tag "wp-$WP_VERSION" --no-private --yes --no-verify-access env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + WP_VERSION: ${{ github.event.inputs.wp_version }} diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml index b5c5e2255da5e2..810c6a18876674 100644 --- a/.github/workflows/unit-test.yml +++ b/.github/workflows/unit-test.yml @@ -52,10 +52,12 @@ jobs: run: npx lerna run build - name: Running the tests + env: + MAXWORKERS: ${{ steps.cpu-cores.outputs.count }} run: | npm run test:unit -- \ --ci \ - --maxWorkers="${{ steps.cpu-cores.outputs.count }}" \ + --maxWorkers="$MAXWORKERS" \ --shard="${{ matrix.shard }}" \ --cacheDirectory="$HOME/.jest-cache" 
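Review bot: The same step quotes `$GITHUB_SHA` twice but leaves `$CODEHEALTH_PROJECT_TOKEN` and `$COMMITTED_AT` unquoted on the `./bin/log-performance-results.js` line; for consistency with the commit's intent quote all of them: `./bin/log-performance-results.js "$CODEHEALTH_PROJECT_TOKEN" trunk "$GITHUB_SHA" c7722262e65a3f4d0f1a2d1ad29eccb2069509e4 "$COMMITTED_AT"`. Note that the secret is passed as a command-line argument, where it is visible in the runner's process list to anything else running in the job; if `log-performance-results.js` can read it from the environment instead that would be the better contract, but that is pre-existing and out of scope for this change.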
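Review bot: `--maxWorkers` moved into `env`, but `--shard="${{ matrix.shard }}"` on the next line of the same `run:` is still an inline expression; matrix values are defined in the workflow file so this is not injectable, but it is inconsistent with the rule this commit establishes and the linters added earlier in the series may flag it. Add `SHARD: ${{ matrix.shard }}` next to `MAXWORKERS` in the step's `env` and use `--shard="$SHARD"`.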
@@ -90,7 +92,9 @@ jobs: run: npx lerna run build - name: Run the date tests - run: npm run test:unit:date -- --ci --maxWorkers=${{ steps.cpu-cores.outputs.count }} --cacheDirectory="$HOME/.jest-cache" + env: + MAXWORKERS: ${{ steps.cpu-cores.outputs.count }} + run: npm run test:unit:date -- --ci --maxWorkers="$MAXWORKERS" --cacheDirectory="$HOME/.jest-cache" compute-previous-wordpress-version: name: Compute previous WordPress version @@ -366,4 +370,6 @@ jobs: run: npx lerna run build - name: Running the tests - run: npm run test:native -- --ci --maxWorkers=${{ steps.cpu-cores.outputs.count }} --cacheDirectory="$HOME/.jest-cache" + env: + MAXWORKERS: ${{ steps.cpu-cores.outputs.count }} + run: npm run test:native -- --ci --maxWorkers="$MAXWORKERS" --cacheDirectory="$HOME/.jest-cache" diff --git a/.github/workflows/upload-release-to-plugin-repo.yml b/.github/workflows/upload-release-to-plugin-repo.yml index 7d2c780599cddf..edb7a83cc147b0 100644 --- a/.github/workflows/upload-release-to-plugin-repo.yml +++ b/.github/workflows/upload-release-to-plugin-repo.yml @@ -31,9 +31,9 @@ jobs: id: compute_should_update_trunk env: GITHUB_REF: ${{ github.ref }} + LATEST_VERSION: ${{ steps.compute_latest_version_in_core_repo.outputs.version }} run: | latestPublishedVersion=$(echo "$GITHUB_REF" | sed -E 's/refs\/tags\/(v?)([0-9.]+)/\2/') - latestVersionInCoreRepo="${{ steps.compute_latest_version_in_core_repo.outputs.version }}" # Determines if the first version string is greater than the second version string. # @@ -55,7 +55,7 @@ jobs: # than the version currently published in the WP plugins repo. If not, then it # will upload it as a new tag. shouldUpdateTrunk=false - if is_first_version_greater_than_second "$latestPublishedVersion" "$latestVersionInCoreRepo"; then + if is_first_version_greater_than_second "$latestPublishedVersion" "$LATEST_VERSION"; then shouldUpdateTrunk=true fi 
@@ -135,6 +135,8 @@ jobs: git config user.email gutenberg@wordpress.org - name: Commit the Changelog update + env: + TARGET_BRANCH: ${{ matrix.branch }} run: | git add changelog.txt # Remove files that are not meant to be committed @@ -143,7 +145,7 @@ jobs: # Only attempt to commit changelog if it has been modified. if ! git diff-index --quiet HEAD --; then git commit -m "Update Changelog for ${TAG#v}" - git push --set-upstream origin "${{ matrix.branch }}" + git push --set-upstream origin "$TARGET_BRANCH" fi - name: Upload Changelog artifact From 8480d4eb4baff2282c1bcd0206978e04f24834fa Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 10 Feb 2025 20:06:31 +0100 Subject: [PATCH 04/24] Be explicit about credential use when checking out a repo. --- .github/workflows/build-plugin-zip.yml | 5 +++++ .github/workflows/bundle-size.yml | 1 + .github/workflows/check-backport-changelog.yml | 2 ++ .github/workflows/check-components-changelog.yml | 1 + .github/workflows/cherry-pick-wp-release.yml | 1 + .github/workflows/create-block.yml | 1 + .github/workflows/end2end-test.yml | 2 ++ .github/workflows/gradle-wrapper-validation.yml | 2 ++ .github/workflows/performance.yml | 1 + .github/workflows/publish-npm-packages.yml | 3 +++ .github/workflows/pull-request-automation.yml | 1 + .github/workflows/rnmobile-android-runner.yml | 1 + .github/workflows/rnmobile-ios-runner.yml | 1 + .github/workflows/static-checks.yml | 1 + .github/workflows/storybook-check.yml | 1 + .github/workflows/storybook-pages.yml | 1 + .github/workflows/sync-assets-to-plugin-repo.yml | 1 + .github/workflows/sync-backport-changelog.yml | 1 + .github/workflows/unit-test.yml | 6 ++++++ .github/workflows/upload-release-to-plugin-repo.yml | 1 + 20 files changed, 34 insertions(+) diff --git a/.github/workflows/build-plugin-zip.yml b/.github/workflows/build-plugin-zip.yml index 16676e99af8720..245a7f7831f180 100644 --- a/.github/workflows/build-plugin-zip.yml +++ b/.github/workflows/build-plugin-zip.yml 
@@ -76,6 +76,7 @@ jobs: with: token: ${{ secrets.GUTENBERG_TOKEN }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: true - name: Compute old and new version id: get_version @@ -185,6 +186,7 @@ jobs: with: ref: ${{ needs.bump-version.outputs.release_branch || github.ref }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Use desired version of Node.js uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0 @@ -244,6 +246,7 @@ jobs: ref: ${{ needs.bump-version.outputs.release_branch }} token: ${{ secrets.GUTENBERG_TOKEN }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: true - name: Configure git user name and email run: | @@ -339,6 +342,7 @@ jobs: path: main ref: trunk show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Checkout (for publishing) uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -348,6 +352,7 @@ jobs: ref: trunk token: ${{ secrets.GUTENBERG_TOKEN }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Configure git user name and email (for publishing) run: | diff --git a/.github/workflows/bundle-size.yml b/.github/workflows/bundle-size.yml index b967157836a4de..94b78e457f94ef 100644 --- a/.github/workflows/bundle-size.yml +++ b/.github/workflows/bundle-size.yml @@ -41,6 +41,7 @@ jobs: with: fetch-depth: 1 show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Use desired version of Node.js uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0 diff --git a/.github/workflows/check-backport-changelog.yml b/.github/workflows/check-backport-changelog.yml index 48fb56b425be39..830cc53b2f6535 100644 --- a/.github/workflows/check-backport-changelog.yml +++ b/.github/workflows/check-backport-changelog.yml 
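Review bot: The `Checkout (for publishing)` step at the end of the hunk passes `token: ${{ secrets.GUTENBERG_TOKEN }}` and is immediately followed by `Configure git user name and email (for publishing)`, which implies the job commits and pushes, yet it is set to `persist-credentials: false`; with that setting the PAT is used for the clone only, so any later `git push` in this job has nothing to authenticate with. The two pushing checkouts earlier in this same patch (`bump-version` and the release-branch checkout) were deliberately set to `persist-credentials: true`, and this one should probably match — or the push step must be given the token explicitly. The steps that would push are outside the hunk, so please confirm with a dry run of the release workflow before merging.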
@@ -26,6 +26,8 @@ jobs: with: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} + persist-credentials: false + - name: Check the changelog folder env: PR_NUMBER: ${{ github.event.number }} diff --git a/.github/workflows/check-components-changelog.yml b/.github/workflows/check-components-changelog.yml index 553f070b300231..9b38d49a5bbb23 100644 --- a/.github/workflows/check-components-changelog.yml +++ b/.github/workflows/check-components-changelog.yml @@ -28,6 +28,7 @@ jobs: repository: ${{ github.event.pull_request.head.repo.full_name }} fetch-depth: ${{ env.PR_COMMIT_COUNT }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: 'Fetch relevant history from origin' run: git fetch origin "$GITHUB_BASE_REF" - name: Check CHANGELOG status diff --git a/.github/workflows/cherry-pick-wp-release.yml b/.github/workflows/cherry-pick-wp-release.yml index 8aecf722e1e3db..16928b9f5a1a21 100644 --- a/.github/workflows/cherry-pick-wp-release.yml +++ b/.github/workflows/cherry-pick-wp-release.yml @@ -74,6 +74,7 @@ jobs: with: token: ${{ secrets.GUTENBERG_TOKEN }} fetch-depth: 0 + persist-credentials: false - name: Set up Git if: env.cherry_pick == 'true' diff --git a/.github/workflows/create-block.yml b/.github/workflows/create-block.yml index 1cb40466abe1ef..9ff1c0dbe408a0 100644 --- a/.github/workflows/create-block.yml +++ b/.github/workflows/create-block.yml @@ -27,6 +27,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Setup Node.js and install dependencies uses: ./.github/setup-node diff --git a/.github/workflows/end2end-test.yml b/.github/workflows/end2end-test.yml index ea85a8949573f3..f97a9ad76e4914 100644 --- a/.github/workflows/end2end-test.yml +++ b/.github/workflows/end2end-test.yml 
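Review bot: This checkout in `cherry-pick-wp-release.yml` uses `token: ${{ secrets.GUTENBERG_TOKEN }}` with `fetch-depth: 0` and now `persist-credentials: false`, but the `cherry-pick` step of the same workflow (patch 03 in this series) ends with `git push origin $TARGET_BRANCH`; without persisted credentials that push has no token unless the `Set up Git` step, whose body is outside the hunk, configures one itself. Either keep `persist-credentials: true` here, as the pushing checkouts in `build-plugin-zip.yml` were set in this same patch, or make the push step use the token explicitly. Exercising the cherry-pick path once before merging would settle it.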
@@ -30,6 +30,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Setup Node.js and install dependencies uses: ./.github/setup-node @@ -106,6 +107,7 @@ jobs: with: ref: trunk show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - uses: actions/download-artifact@v4.1.8 # Don't fail the job if there isn't any flaky tests report. diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml index c4c5eeba9c51a7..4a5785d13fff0a 100644 --- a/.github/workflows/gradle-wrapper-validation.yml +++ b/.github/workflows/gradle-wrapper-validation.yml @@ -10,5 +10,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false + - name: Validate checksums uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2 diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml index 6183c3ef5261d6..1057129895e7f4 100644 --- a/.github/workflows/performance.yml +++ b/.github/workflows/performance.yml @@ -36,6 +36,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Setup Node.js and install dependencies uses: ./.github/setup-node diff --git a/.github/workflows/publish-npm-packages.yml b/.github/workflows/publish-npm-packages.yml index 9b4e4904716fc0..8eacdf72b69a31 100644 --- a/.github/workflows/publish-npm-packages.yml +++ b/.github/workflows/publish-npm-packages.yml 
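Review bot: Two lines below the added `persist-credentials: false`, `uses: actions/download-artifact@v4.1.8` is the only action in this patch series still referenced by a mutable tag rather than a commit SHA; a moved tag would silently change what runs in the job that reads the flaky-test report. Pin it to the commit for that release with the same `# v4.1.8` trailer the other `uses:` lines carry, resolving the SHA from the action's release page rather than from memory. It is not part of the credentials change, but it sits in the same hunk and the same job.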
@@ -36,6 +36,7 @@ jobs: path: cli ref: trunk show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Checkout (for publishing) if: ${{ github.event.inputs.release_type != 'wp' }} @@ -46,6 +47,7 @@ jobs: ref: trunk token: ${{ secrets.GUTENBERG_TOKEN }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Checkout (for publishing WP major version) if: ${{ github.event.inputs.release_type == 'wp' && github.event.inputs.wp_version }} @@ -58,6 +60,7 @@ jobs: fetch-depth: 999 token: ${{ secrets.GUTENBERG_TOKEN }} show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Configure git user name and email (for publishing) run: | diff --git a/.github/workflows/pull-request-automation.yml b/.github/workflows/pull-request-automation.yml index e1a3defc641aa3..d369700f2bd77a 100644 --- a/.github/workflows/pull-request-automation.yml +++ b/.github/workflows/pull-request-automation.yml @@ -16,6 +16,7 @@ jobs: with: ref: trunk show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Setup Node.js and install dependencies uses: ./.github/setup-node diff --git a/.github/workflows/rnmobile-android-runner.yml b/.github/workflows/rnmobile-android-runner.yml index 4989239286462f..bbed1a88335d15 100644 --- a/.github/workflows/rnmobile-android-runner.yml +++ b/.github/workflows/rnmobile-android-runner.yml @@ -27,6 +27,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Use desired version of Java uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0 diff --git a/.github/workflows/rnmobile-ios-runner.yml b/.github/workflows/rnmobile-ios-runner.yml index 4d6b310e60f977..9e73e17bfe99b0 100644 --- a/.github/workflows/rnmobile-ios-runner.yml 
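Review bot: Both publishing checkouts here — `Checkout (for publishing)` and `Checkout (for publishing WP major version)` — pass `token: ${{ secrets.GUTENBERG_TOKEN }}`, are followed by `Configure git user name and email (for publishing)`, and are now set to `persist-credentials: false`; the `npx lerna publish patch --dist-tag "wp-$WP_VERSION" --no-private --yes --no-verify-access` step shown in patch 03 has no `--no-push`, so lerna will try to push its version commit and tag, and that push will fail without the persisted PAT. Compare the `bump-version` checkout in `build-plugin-zip.yml` in this same patch, which keeps `persist-credentials: true` for exactly this reason. The read-only `cli` checkout at the top of the hunk is correctly set to `false`.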
+++ b/.github/workflows/rnmobile-ios-runner.yml @@ -27,6 +27,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - uses: ruby/setup-ruby@1287d2b408066abada82d5ad1c63652e758428d9 # v1.214.0 with: diff --git a/.github/workflows/static-checks.yml b/.github/workflows/static-checks.yml index 9281158aab8331..4a9390a5900a95 100644 --- a/.github/workflows/static-checks.yml +++ b/.github/workflows/static-checks.yml @@ -25,6 +25,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Use desired version of Node.js uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0 diff --git a/.github/workflows/storybook-check.yml b/.github/workflows/storybook-check.yml index dd710f96747128..ed686c4c3dc177 100644 --- a/.github/workflows/storybook-check.yml +++ b/.github/workflows/storybook-check.yml @@ -19,6 +19,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Setup Node.js and install dependencies uses: ./.github/setup-node diff --git a/.github/workflows/storybook-pages.yml b/.github/workflows/storybook-pages.yml index 4af4934cf0325b..2a7bf284e45882 100644 --- a/.github/workflows/storybook-pages.yml +++ b/.github/workflows/storybook-pages.yml @@ -16,6 +16,7 @@ jobs: with: ref: trunk show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Setup Node.js and install dependencies uses: ./.github/setup-node diff --git a/.github/workflows/sync-assets-to-plugin-repo.yml b/.github/workflows/sync-assets-to-plugin-repo.yml index c841b3ffc79579..8992d0da150c0f 100644 --- a/.github/workflows/sync-assets-to-plugin-repo.yml 
+++ b/.github/workflows/sync-assets-to-plugin-repo.yml @@ -33,6 +33,7 @@ jobs: assets show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} path: git + persist-credentials: false - name: Copy files from git checkout to svn working copy run: cp -R git/assets/* assets diff --git a/.github/workflows/sync-backport-changelog.yml b/.github/workflows/sync-backport-changelog.yml index e530ca667de3d7..f434a900b20fa0 100644 --- a/.github/workflows/sync-backport-changelog.yml +++ b/.github/workflows/sync-backport-changelog.yml @@ -23,6 +23,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 2 # Fetch the last two commits to compare changes + persist-credentials: false - name: Check for changes in backport-changelog if: github.event_name == 'push' run: | diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml index 810c6a18876674..c9686a958e70c7 100644 --- a/.github/workflows/unit-test.yml +++ b/.github/workflows/unit-test.yml @@ -35,6 +35,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Setup Node.js and install dependencies uses: ./.github/setup-node @@ -75,6 +76,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Setup Node.js and install dependencies uses: ./.github/setup-node @@ -128,6 +130,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Setup Node.js and install dependencies uses: ./.github/setup-node 
@@ -180,6 +183,7 @@ jobs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+ persist-credentials: false
 - name: Setup Node.js and install dependencies
 uses: ./.github/setup-node
@@ -285,6 +289,7 @@ jobs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+ persist-credentials: false
 - name: Set up PHP
 uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # v2.32.0
@@ -355,6 +360,7 @@ jobs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+ persist-credentials: false
 - name: Determine the number of CPU cores
 uses: SimenB/github-actions-cpu-cores@97ba232459a8e02ff6121db9362b09661c875ab8 # v2.0.0
diff --git a/.github/workflows/upload-release-to-plugin-repo.yml b/.github/workflows/upload-release-to-plugin-repo.yml
index edb7a83cc147b0..9fbf0c3125710d 100644
--- a/.github/workflows/upload-release-to-plugin-repo.yml
+++ b/.github/workflows/upload-release-to-plugin-repo.yml
@@ -101,6 +101,7 @@ jobs:
 ref: ${{ matrix.branch }}
 token: ${{ secrets.GUTENBERG_TOKEN }}
 show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+ persist-credentials: true
 - name: Update the Changelog to include the release notes
 run: |
From 26e53c33cb6f19ae80ca244ce8dc1f240eb399ff Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Mon, 10 Feb 2025 20:06:59 +0100
Subject: [PATCH 05/24] Be strict about quoting environment variables.
---
 .github/setup-node/action.yml | 2 +-
 .github/workflows/build-plugin-zip.yml | 14 +++++++-------
 .github/workflows/unit-test.yml | 6 +++---
 .../workflows/upload-release-to-plugin-repo.yml | 6 +++---
 4 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/.github/setup-node/action.yml b/.github/setup-node/action.yml
index a17adfe5f50071..5fc76a6bc2d122 100644
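Review bot: `persist-credentials: true` is the one checkout in this series that deliberately keeps a credential, and here the credential is a PAT (`token: ${{ secrets.GUTENBERG_TOKEN }}`), so it is written into `.git/config` of the checkout and stays readable by every later step of the job, not only by whichever step pushes; the following step's body and the rest of the job are outside the hunk. A comment on the line would stop a future sweep from flipping it back to `false` and would record the consumer, e.g. `# Kept on purpose: the changelog update below pushes to the release branch with GUTENBERG_TOKEN.` (I am inferring the push from the step name; confirm). If that push is the only consumer, the default `persist-credentials: false` can be kept and the token supplied on the push command alone via `env:`, which limits the time the PAT sits on disk to that single command.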
--- a/.github/setup-node/action.yml +++ b/.github/setup-node/action.yml @@ -20,7 +20,7 @@ runs: - name: Get Node.js and npm version id: node-version run: | - echo "NODE_VERSION=$(node -v)" >> $GITHUB_OUTPUT + echo "NODE_VERSION=$(node -v)" >> "$GITHUB_OUTPUT" shell: bash - name: Cache node_modules diff --git a/.github/workflows/build-plugin-zip.yml b/.github/workflows/build-plugin-zip.yml index 245a7f7831f180..e23f42b2c19985 100644 --- a/.github/workflows/build-plugin-zip.yml +++ b/.github/workflows/build-plugin-zip.yml @@ -39,11 +39,11 @@ jobs: "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" LATEST_STABLE_TAG="$(jq --raw-output '.tag_name' latest.json)" IFS='.' read LATEST_STABLE_MAJOR LATEST_STABLE_MINOR LATEST_STABLE_PATCH <<< "${LATEST_STABLE_TAG#v}" - echo "current_stable_branch=release/${LATEST_STABLE_MAJOR}.${LATEST_STABLE_MINOR}" >> $GITHUB_OUTPUT + echo "current_stable_branch=release/${LATEST_STABLE_MAJOR}.${LATEST_STABLE_MINOR}" >> "$GITHUB_OUTPUT" if [[ ${LATEST_STABLE_MINOR} == "9" ]]; then - echo "next_stable_branch=release/$((LATEST_STABLE_MAJOR + 1)).0" >> $GITHUB_OUTPUT + echo "next_stable_branch=release/$((LATEST_STABLE_MAJOR + 1)).0" >> "$GITHUB_OUTPUT" else - echo "next_stable_branch=release/${LATEST_STABLE_MAJOR}.$((LATEST_STABLE_MINOR + 1))" >> $GITHUB_OUTPUT + echo "next_stable_branch=release/${LATEST_STABLE_MAJOR}.$((LATEST_STABLE_MINOR + 1))" >> "$GITHUB_OUTPUT" fi bump-version: @@ -100,10 +100,10 @@ jobs: fi fi fi - echo "new_version=${NEW_VERSION}" >> $GITHUB_OUTPUT + echo "new_version=${NEW_VERSION}" >> "$GITHUB_OUTPUT" IFS='.' read -r -a NEW_VERSION_ARRAY <<< "$NEW_VERSION" RELEASE_BRANCH="release/${NEW_VERSION_ARRAY[0]}.${NEW_VERSION_ARRAY[1]}" - echo "release_branch=${RELEASE_BRANCH}" >> $GITHUB_OUTPUT + echo "release_branch=${RELEASE_BRANCH}" >> "$GITHUB_OUTPUT" - name: Configure git user name and email run: | 
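Review bot: In the `@@ -39` hunk the tag name returned by the releases API goes straight into bash arithmetic — `IFS='.' read LATEST_STABLE_MAJOR LATEST_STABLE_MINOR LATEST_STABLE_PATCH <<< "${LATEST_STABLE_TAG#v}"` and then `$((LATEST_STABLE_MAJOR + 1))` / `$((LATEST_STABLE_MINOR + 1))` — and bash evaluates whatever string it finds there, so a tag that is not exactly `vMAJOR.MINOR.PATCH` produces a bogus `current_stable_branch`/`next_stable_branch` output (or, for a hostile tag, evaluates an expression) rather than failing the step. The quoting this commit adds does not cover that; a shape check before the arithmetic is a one-liner: `[[ "$LATEST_STABLE_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "Unexpected tag: $LATEST_STABLE_TAG"; exit 1; }`. For consistency with the `read -r -a NEW_VERSION_ARRAY` in the `@@ -100` hunk, the `read` here should also take `-r`. The `run:` block that contains the `curl` begins before this hunk.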
@@ -164,7 +164,7 @@ jobs: if [[ "$OLD_VERSION" == "$TRUNK_VERSION" ]]; then git cherry-pick "$TARGET_BRANCH" git push - echo "version_bump_commit=$(git rev-parse --verify --short HEAD)" >> $GITHUB_OUTPUT + echo "version_bump_commit=$(git rev-parse --verify --short HEAD)" >> "$GITHUB_OUTPUT" fi build: @@ -293,7 +293,7 @@ jobs: id: get_release_version env: VERSION: ${{ needs.bump-version.outputs.new_version }} - run: echo "version=$(echo $VERSION | cut -d / -f 3 | sed 's/-rc./ RC/' )" >> $GITHUB_OUTPUT + run: echo "version=$(echo $VERSION | cut -d / -f 3 | sed 's/-rc./ RC/' )" >> "$GITHUB_OUTPUT" - name: Download Plugin Zip Artifact uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml index c9686a958e70c7..c32fd58589e9c0 100644 --- a/.github/workflows/unit-test.yml +++ b/.github/workflows/unit-test.yml @@ -120,7 +120,7 @@ jobs: PREVIOUS_WP_SERIES="${LATEST_WP_MAJOR}.$((LATEST_WP_MINOR - 1))" fi PREVIOUS_WP_VERSION=$(jq --raw-output --arg series "${PREVIOUS_WP_SERIES}" 'with_entries(select(.key|startswith($series)))|keys[-1]' versions.json) - echo "previous-wordpress-version=${PREVIOUS_WP_VERSION}" >> $GITHUB_OUTPUT + echo "previous-wordpress-version=${PREVIOUS_WP_VERSION}" >> "$GITHUB_OUTPUT" rm versions.json build-assets: @@ -302,7 +302,7 @@ jobs: # http://man7.org/linux/man-pages/man1/date.1.html - name: "Get last Monday's date" id: get-date - run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> $GITHUB_OUTPUT + run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT" - name: Cache PHPCS scan cache uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 
@@ -318,7 +318,7 @@ jobs: custom-cache-suffix: ${{ steps.get-date.outputs.date }} - name: Make Composer packages available globally - run: echo "${PWD}/vendor/bin" >> $GITHUB_PATH + run: echo "${PWD}/vendor/bin" >> "$GITHUB_PATH" - name: Run PHPCS on all Gutenberg files id: phpcs-gutenberg diff --git a/.github/workflows/upload-release-to-plugin-repo.yml b/.github/workflows/upload-release-to-plugin-repo.yml index 9fbf0c3125710d..c20b8ab96a24ea 100644 --- a/.github/workflows/upload-release-to-plugin-repo.yml +++ b/.github/workflows/upload-release-to-plugin-repo.yml @@ -25,7 +25,7 @@ jobs: run: | latest_version_in_core_repo=$(curl -s 'https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request\[slug\]=gutenberg' | jq -r '.version') echo "Latest Core Repo version: $latest_version_in_core_repo" - echo "version=$latest_version_in_core_repo" >> $GITHUB_OUTPUT + echo "version=$latest_version_in_core_repo" >> "$GITHUB_OUTPUT" - name: Decide if it is a trunk or tag update id: compute_should_update_trunk @@ -60,7 +60,7 @@ jobs: fi echo "Should update trunk: $shouldUpdateTrunk" - echo "should_update_trunk=$shouldUpdateTrunk" >> $GITHUB_OUTPUT + echo "should_update_trunk=$shouldUpdateTrunk" >> "$GITHUB_OUTPUT" get-release-branch: name: Get release branch name @@ -76,7 +76,7 @@ jobs: run: | IFS='.' read -r -a VERSION_ARRAY <<< "${TAG#v}" RELEASE_BRANCH="release/${VERSION_ARRAY[0]}.${VERSION_ARRAY[1]}" - echo "release_branch=${RELEASE_BRANCH}" >> $GITHUB_OUTPUT + echo "release_branch=${RELEASE_BRANCH}" >> "$GITHUB_OUTPUT" update-changelog: name: Update Changelog on ${{ matrix.branch }} branch From 45a258fcbd38b96b540769320f2c43d8f9f37484 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 11 Feb 2025 11:01:19 +0100 Subject: [PATCH 06/24] Update Zizmor. --- .github/workflows/reusable-workflow-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
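Review bot: In the `@@ -25` hunk `curl -s '...' | jq -r '.version'` has no `--fail`, so an error page or an empty body from api.wordpress.org makes jq emit `null` or nothing, the step still succeeds, and `version=null` is written to `$GITHUB_OUTPUT`; the `compute_should_update_trunk` step immediately after then bases the trunk-vs-tag decision on that value. Because `pipefail` is not guaranteed for a default `run:` shell, the reliable fix is to check the value rather than only the exit status: `curl -fsS ...` plus `[[ -n "$latest_version_in_core_repo" && "$latest_version_in_core_repo" != "null" ]] || exit 1` before the `echo "version=..."`. The `run:` block begins before the hunk, so any `set -e` / `set -o pipefail` above it is not visible here.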
diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml
index 9a264650bc5d45..c1aecd36b1f4fe 100644
--- a/.github/workflows/reusable-workflow-lint.yml
+++ b/.github/workflows/reusable-workflow-lint.yml
@@ -77,7 +77,7 @@ jobs:
 # https://github.com/woodruffw/zizmor
 - name: Run zizmor
- run: uvx zizmor@1.2.2 --format sarif . > results.sarif
+ run: uvx zizmor@1.3.1 --format sarif . > results.sarif
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 571dc918eb90415663f324e912d59a35c7c3b648 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Tue, 11 Feb 2025 11:01:38 +0100
Subject: [PATCH 07/24] Update upload-sarif.
---
 .github/workflows/reusable-workflow-lint.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml
index c1aecd36b1f4fe..6be8ef77f5964d 100644
--- a/.github/workflows/reusable-workflow-lint.yml
+++ b/.github/workflows/reusable-workflow-lint.yml
@@ -54,7 +54,7 @@ jobs:
 filter_triggers: ''
 - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
+ uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
 with:
 sarif_file: ${{steps.octoscan.outputs.sarif_output}}
 category: octoscan
@@ -82,7 +82,7 @@ jobs:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
+ uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
 with:
 sarif_file: results.sarif
 category: zizmor
@@ -103,7 +103,7 @@ jobs:
 uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2
 - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
+ uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
 with:
 sarif_file: results.sarif
 category: poutine
From 4d489d2986d759a802b8d26d9966f0d76d473743 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Tue, 11 Feb 2025 11:13:45 +0100
Subject: [PATCH 08/24] Disable the dangerous-write rule in Octoscan for now, to reduce the noise in the PR output.
---
 .github/workflows/reusable-workflow-lint.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml
index 6be8ef77f5964d..1cd53ad3afde77 100644
--- a/.github/workflows/reusable-workflow-lint.yml
+++ b/.github/workflows/reusable-workflow-lint.yml
@@ -52,6 +52,7 @@ jobs:
 uses: synacktiv/action-octoscan@6b1cf2343893dfb9e5f75652388bd2dc83f456b0 # v1.0.0
 with:
 filter_triggers: ''
+ disable_rules: dangerous-write
 - name: Upload SARIF file
 uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
From 5ddbdd38935b2fb29c51d654f4e7deaa050aeba1 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Tue, 11 Feb 2025 11:37:27 +0100
Subject: [PATCH 09/24] Add some more quoting to prevent word splitting.
---
 .github/workflows/build-plugin-zip.yml | 20 +++++++++----------
 .../workflows/check-backport-changelog.yml | 2 +-
 .github/workflows/cherry-pick-wp-release.yml | 8 ++++----
 .github/workflows/performance.yml | 10 +++++-----
 .github/workflows/unit-test.yml | 14 ++++++-------
 .../upload-release-to-plugin-repo.yml | 4 ++--
 6 files changed, 29 insertions(+), 29 deletions(-)
diff --git a/.github/workflows/build-plugin-zip.yml b/.github/workflows/build-plugin-zip.yml
index e23f42b2c19985..11f6e1c5860c41 100644
--- a/.github/workflows/build-plugin-zip.yml +++ b/.github/workflows/build-plugin-zip.yml @@ -40,7 +40,7 @@ jobs: LATEST_STABLE_TAG="$(jq --raw-output '.tag_name' latest.json)" IFS='.' read LATEST_STABLE_MAJOR LATEST_STABLE_MINOR LATEST_STABLE_PATCH <<< "${LATEST_STABLE_TAG#v}" echo "current_stable_branch=release/${LATEST_STABLE_MAJOR}.${LATEST_STABLE_MINOR}" >> "$GITHUB_OUTPUT" - if [[ ${LATEST_STABLE_MINOR} == "9" ]]; then + if [[ "${LATEST_STABLE_MINOR}" == "9" ]]; then echo "next_stable_branch=release/$((LATEST_STABLE_MAJOR + 1)).0" >> "$GITHUB_OUTPUT" else echo "next_stable_branch=release/${LATEST_STABLE_MAJOR}.$((LATEST_STABLE_MINOR + 1))" >> "$GITHUB_OUTPUT" @@ -83,20 +83,20 @@ jobs: env: VERSION: ${{ github.event.inputs.version }} run: | - OLD_VERSION=$(jq --raw-output '.version' package.json) + OLD_VERSION="$(jq --raw-output '.version' package.json)" echo "old_version=${OLD_VERSION}" >> "$GITHUB_OUTPUT" if [[ "$VERSION" == 'stable' ]]; then - NEW_VERSION=$(npx semver $OLD_VERSION -i patch) + NEW_VERSION="$(npx semver "$OLD_VERSION" -i patch)" else - if [[ $OLD_VERSION == *"rc"* ]]; then - NEW_VERSION=$(npx semver $OLD_VERSION -i prerelease) + if [[ "$OLD_VERSION" == *"rc"* ]]; then + NEW_VERSION="$(npx semver "$OLD_VERSION" -i prerelease)" else # WordPress version guidelines: If minor is 9, bump major instead. IFS='.' read -r -a OLD_VERSION_ARRAY <<< "$OLD_VERSION" if [[ ${OLD_VERSION_ARRAY[1]} == "9" ]]; then - NEW_VERSION="$(npx semver $OLD_VERSION -i major)-rc.1" + NEW_VERSION="$(npx semver "$OLD_VERSION" -i major)-rc.1" else - NEW_VERSION="$(npx semver $OLD_VERSION -i minor)-rc.1" + NEW_VERSION="$(npx semver "$OLD_VERSION" -i minor)-rc.1" fi fi fi 
@@ -133,8 +133,8 @@ jobs: VERSION: ${{ steps.get_version.outputs.new_version }} OLD_VERSION: ${{ steps.get_version.outputs.old_version }} run: | - cat <<< $(jq --tab --arg version "${VERSION}" '.version = $version' package.json) > package.json - cat <<< $(jq --tab --arg version "${VERSION}" '.version = $version | .packages[""].version = $version' package-lock.json) > package-lock.json + cat <<< "$(jq --tab --arg version "${VERSION}" '.version = $version' package.json)" > package.json + cat <<< "$(jq --tab --arg version "${VERSION}" '.version = $version | .packages[""].version = $version' package-lock.json)" > package-lock.json sed -i "s/${OLD_VERSION}/${VERSION}/g" gutenberg.php - name: Commit the version bump to the release branch @@ -293,7 +293,7 @@ jobs: id: get_release_version env: VERSION: ${{ needs.bump-version.outputs.new_version }} - run: echo "version=$(echo $VERSION | cut -d / -f 3 | sed 's/-rc./ RC/' )" >> "$GITHUB_OUTPUT" + run: echo "version=$(echo "$VERSION" | cut -d / -f 3 | sed 's/-rc./ RC/' )" >> "$GITHUB_OUTPUT" - name: Download Plugin Zip Artifact uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 diff --git a/.github/workflows/check-backport-changelog.yml b/.github/workflows/check-backport-changelog.yml index 830cc53b2f6535..128aea8acc678d 100644 --- a/.github/workflows/check-backport-changelog.yml +++ b/.github/workflows/check-backport-changelog.yml @@ -46,7 +46,7 @@ jobs: exit 1 fi - core_pr_number=$(basename "${changelog_file}" .md) + core_pr_number="$(basename "${changelog_file}" .md)" core_pr_url="https://github\.com/WordPress/wordpress-develop/pull/${core_pr_number}" # Confirm that the entry has the correct core backport PR URL. diff --git a/.github/workflows/cherry-pick-wp-release.yml b/.github/workflows/cherry-pick-wp-release.yml index 16928b9f5a1a21..4c5291fa26515d 100644 --- a/.github/workflows/cherry-pick-wp-release.yml +++ b/.github/workflows/cherry-pick-wp-release.yml 
@@ -90,16 +90,16 @@ jobs: COMMIT_SHA="${commit_sha}" echo "Target branch: $TARGET_BRANCH" echo "Commit SHA: $COMMIT_SHA" - git checkout $TARGET_BRANCH - git cherry-pick $COMMIT_SHA || echo "cherry-pick-failed" > result + git checkout "$TARGET_BRANCH" + git cherry-pick "$COMMIT_SHA" || echo "cherry-pick-failed" > result if [ -f result ] && grep -q "cherry-pick-failed" result; then echo "conflict=true" >> "$GITHUB_ENV" git cherry-pick --abort else - CHERRY_PICK_SHA=$(git rev-parse HEAD) + CHERRY_PICK_SHA="$(git rev-parse HEAD)" echo "conflict=false" >> "$GITHUB_ENV" echo "cherry_pick_sha=$CHERRY_PICK_SHA" >> "$GITHUB_ENV" - git push origin $TARGET_BRANCH + git push origin "$TARGET_BRANCH" fi - name: Remove cherry-pick label diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml index 1057129895e7f4..c08423bd7e2053 100644 --- a/.github/workflows/performance.yml +++ b/.github/workflows/performance.yml @@ -62,7 +62,7 @@ jobs: CURRENT_RELEASE_BRANCH="release/${PLUGIN_VERSION_ARRAY[0]}.${PLUGIN_VERSION_ARRAY[1]}" PREVIOUS_VERSION_BASE_10=$((PLUGIN_VERSION_ARRAY[0] * 10 + PLUGIN_VERSION_ARRAY[1] - 1)) PREVIOUS_RELEASE_BRANCH="release/$((PREVIOUS_VERSION_BASE_10 / 10)).$((PREVIOUS_VERSION_BASE_10 % 10))" - WP_VERSION=$(awk -F ': ' '/^Tested up to/{print $2}' readme.txt) + WP_VERSION="$(awk -F ': ' '/^Tested up to/{print $2}' readme.txt)" IFS=. read -ra WP_VERSION_ARRAY <<< "$WP_VERSION" WP_MAJOR="${WP_VERSION_ARRAY[0]}.${WP_VERSION_ARRAY[1]}" ./bin/plugin/cli.js perf "wp/$WP_MAJOR" "$PREVIOUS_RELEASE_BRANCH" "$CURRENT_RELEASE_BRANCH" --tests-branch "$GITHUB_SHA" --wp-version "$WP_MAJOR" 
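Review bot: `git cherry-pick "$COMMIT_SHA" || echo "cherry-pick-failed" > result` followed by `if [ -f result ] && grep -q "cherry-pick-failed" result` keeps the conflict marker in a file that is never deleted, so if this block executes more than once in the same workspace (the `COMMIT_SHA="${commit_sha}"` assignment reads like a loop body, but the loop header is outside the hunk) every run after the first failure reports a conflict and aborts. Branching on the exit status removes both the file and the stale-state problem: `if ! git cherry-pick "$COMMIT_SHA"; then` … `else` … `fi`. Separately, `$TARGET_BRANCH` and `$COMMIT_SHA` reach `git checkout`, `git cherry-pick` and `git push` with no shape check; their origin is not visible here, but if either is derived from the event payload (a label name, a PR body) a value starting with `-` is read by git as an option, so `[[ "$COMMIT_SHA" =~ ^[0-9a-f]{7,40}$ ]] || exit 1` and `git push origin -- "$TARGET_BRANCH"` are cheap insurance.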
@@ -73,7 +73,7 @@ jobs: # The current one is c7722262e65a3f4d0f1a2d1ad29eccb2069509e4 and it needs to be updated every WP major release. # It is used as a base comparison point to avoid fluctuation in the performance metrics. run: | - WP_VERSION=$(awk -F ': ' '/^Tested up to/{print $2}' readme.txt) + WP_VERSION="$(awk -F ': ' '/^Tested up to/{print $2}' readme.txt)" IFS=. read -ra WP_VERSION_ARRAY <<< "$WP_VERSION" WP_MAJOR="${WP_VERSION_ARRAY[0]}.${WP_VERSION_ARRAY[1]}" ./bin/plugin/cli.js perf "$GITHUB_SHA" c7722262e65a3f4d0f1a2d1ad29eccb2069509e4 --tests-branch "$GITHUB_SHA" --wp-version "$WP_MAJOR" @@ -84,7 +84,7 @@ jobs: BRANCHES: ${{ github.event.inputs.branches }} WP_VERSION: ${{ github.event.inputs.wpversion }} run: | - ./bin/plugin/cli.js perf $(echo $BRANCHES | tr ',' ' ') --tests-branch "$GITHUB_SHA" --wp-version "$WP_VERSION" + ./bin/plugin/cli.js perf "$(echo "$BRANCHES" | tr ',' ' ')" --tests-branch "$GITHUB_SHA" --wp-version "$WP_VERSION" - name: Add workflow summary run: cat "${WP_ARTIFACTS_PATH}/summary.md" >> "$GITHUB_STEP_SUMMARY" @@ -101,8 +101,8 @@ jobs: env: CODEHEALTH_PROJECT_TOKEN: ${{ secrets.CODEHEALTH_PROJECT_TOKEN }} run: | - COMMITTED_AT=$(git show -s "$GITHUB_SHA" --format="%cI") - ./bin/log-performance-results.js $CODEHEALTH_PROJECT_TOKEN trunk "$GITHUB_SHA" c7722262e65a3f4d0f1a2d1ad29eccb2069509e4 $COMMITTED_AT + COMMITTED_AT="$(git show -s "$GITHUB_SHA" --format="%cI")" + ./bin/log-performance-results.js "$CODEHEALTH_PROJECT_TOKEN" trunk "$GITHUB_SHA" c7722262e65a3f4d0f1a2d1ad29eccb2069509e4 "$COMMITTED_AT" - name: Archive debug artifacts (screenshots, HTML snapshots) uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml index c32fd58589e9c0..3b8d5dc3a4d642 100644 --- a/.github/workflows/unit-test.yml +++ b/.github/workflows/unit-test.yml 
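Review bot: In the `@@ -84` hunk, quoting `"$(echo "$BRANCHES" | tr ',' ' ')"` changes what `cli.js perf` receives: the old unquoted form relied on word splitting to pass one argument per branch, while the new form passes the whole comma-separated list as a single argument containing spaces, so a `workflow_dispatch` run with more than one branch now hands cli.js a single branch named `a b` unless cli.js splits on whitespace itself (not visible here). The commit's intent — no accidental splitting — is better served by splitting explicitly: `IFS=',' read -r -a BRANCH_LIST <<< "$BRANCHES"` and then `./bin/plugin/cli.js perf "${BRANCH_LIST[@]}" --tests-branch "$GITHUB_SHA" --wp-version "$WP_VERSION"`. In the `@@ -101` hunk `"$CODEHEALTH_PROJECT_TOKEN"` is passed as a command-line argument, which exposes the secret in the runner's process list; that predates this commit, but since the line is being touched, having `log-performance-results.js` read it from the environment is worth a follow-up.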
@@ -112,14 +112,14 @@ jobs: -H "Accept: application/json" \ -o versions.json \ "http://api.wordpress.org/core/stable-check/1.0/" - LATEST_WP_VERSION=$(jq --raw-output 'with_entries(select(.value=="latest"))|keys[]' versions.json) + LATEST_WP_VERSION="$(jq --raw-output 'with_entries(select(.value=="latest"))|keys[]' versions.json)" IFS='.' read LATEST_WP_MAJOR LATEST_WP_MINOR LATEST_WP_PATCH <<< "${LATEST_WP_VERSION}" - if [[ ${LATEST_WP_MINOR} == "0" ]]; then + if [[ "${LATEST_WP_MINOR}" == "0" ]]; then PREVIOUS_WP_SERIES="$((LATEST_WP_MAJOR - 1)).9" else PREVIOUS_WP_SERIES="${LATEST_WP_MAJOR}.$((LATEST_WP_MINOR - 1))" fi - PREVIOUS_WP_VERSION=$(jq --raw-output --arg series "${PREVIOUS_WP_SERIES}" 'with_entries(select(.key|startswith($series)))|keys[-1]' versions.json) + PREVIOUS_WP_VERSION="$(jq --raw-output --arg series "${PREVIOUS_WP_SERIES}" 'with_entries(select(.key|startswith($series)))|keys[-1]' versions.json)" echo "previous-wordpress-version=${PREVIOUS_WP_VERSION}" >> "$GITHUB_OUTPUT" rm versions.json @@ -266,14 +266,14 @@ jobs: run: | # Note: relies on PHPUnit execution to fail on test failure. # Extract the number of executed tests from the log file. - if ! num_tests=$(grep -Eo 'OK \([0-9]+ tests' phpunit.log) ; then - if ! num_tests=$(grep -Eo 'Tests: [0-9]+, Assertions:' phpunit.log) ; then + if ! num_tests="$(grep -Eo 'OK \([0-9]+ tests' phpunit.log)" ; then + if ! num_tests="$(grep -Eo 'Tests: [0-9]+, Assertions:' phpunit.log)" ; then echo "PHPUnit failed or did not run. Check the PHPUnit output in the previous step to debug." && exit 1 fi fi # Extract just the number of tests from the string. - num_tests=$(echo "$num_tests" | grep -Eo '[0-9]+') - if [ $num_tests -lt 500 ] ; then + num_tests="$(echo "$num_tests" | grep -Eo '[0-9]+')" + if [ "$num_tests" -lt 500 ] ; then echo "Only $num_tests tests passed, which is much fewer than expected." && exit 1 fi echo "$num_tests tests passed." 
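Review bot: In the `@@ -112` hunk the list that decides which WordPress release the tests run against is fetched over plain HTTP — `"http://api.wordpress.org/core/stable-check/1.0/"` — and the `jq` result is written unchecked to `$GITHUB_OUTPUT` as `previous-wordpress-version`, so anyone on the network path can steer a later job to a different WordPress build; the quoting this commit adds does not change that. The same host is already reached over TLS elsewhere in this series (`https://api.wordpress.org/plugins/info/...` in upload-release-to-plugin-repo.yml), so switching the scheme is presumably a one-word change: `"https://api.wordpress.org/core/stable-check/1.0/"`. Adding `--fail` to that `curl` would also keep an error page from reaching `jq` and yielding an empty version. The `curl` invocation starts before this hunk.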
diff --git a/.github/workflows/upload-release-to-plugin-repo.yml b/.github/workflows/upload-release-to-plugin-repo.yml
index c20b8ab96a24ea..5d48ab5e083821 100644
--- a/.github/workflows/upload-release-to-plugin-repo.yml
+++ b/.github/workflows/upload-release-to-plugin-repo.yml
@@ -187,7 +187,7 @@ jobs:
 env:
 PLUGIN_URL: ${{ github.event.release.assets[0].browser_download_url }}
 run: |
- curl -L -o gutenberg.zip $PLUGIN_URL
+ curl -L -o gutenberg.zip "$PLUGIN_URL"
 unzip gutenberg.zip -d trunk
 rm gutenberg.zip
@@ -238,7 +238,7 @@ jobs:
 PLUGIN_URL: ${{ github.event.release.assets[0].browser_download_url }}
 run: |
 # do the magic here
- curl -L -o gutenberg.zip $PLUGIN_URL
+ curl -L -o gutenberg.zip "$PLUGIN_URL"
 unzip gutenberg.zip -d "$VERSION"
 rm gutenberg.zip
From 5ed7adff97628b7d9da8590a550fe9bfaf650b62 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Tue, 11 Feb 2025 12:27:06 +0100
Subject: [PATCH 10/24] These are false positives.
---
 .github/workflows/reusable-workflow-lint.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml
index 1cd53ad3afde77..38af2ca86d7e39 100644
--- a/.github/workflows/reusable-workflow-lint.yml
+++ b/.github/workflows/reusable-workflow-lint.yml
@@ -52,7 +52,9 @@ jobs:
 uses: synacktiv/action-octoscan@6b1cf2343893dfb9e5f75652388bd2dc83f456b0 # v1.0.0
 with:
 filter_triggers: ''
- disable_rules: dangerous-write
+ # dangerous-write: Valid but ignored because we have to use these writes
+ # dangerous-checkout: Three false positives
+ disable_rules: dangerous-write, dangerous-checkout
 - name: Upload SARIF file
 uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
From d1426f7a9021f2cc699def47d293518d5a628e6f Mon Sep 17 00:00:00 2001
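Review bot: `disable_rules: dangerous-write, dangerous-checkout` turns the `dangerous-checkout` rule off for every workflow in the repository, while the comment justifies it with `Three false positives`; this repository has a `pull_request_target` workflow (`enforce-pr-labels.yml`, later in this series), which is exactly the trigger where a checkout of the PR head becomes a credential-exfiltration bug, and such a regression would now go unreported. If octoscan offers no per-finding suppression (I cannot tell from here), the comment should at least name the three workflows and steps so the exception can be re-checked, e.g. `# dangerous-checkout: three false positives in <workflow>:<step>; re-enable once octoscan supports inline ignores`. The `dangerous-write` comment reads as the opposite of what is meant — `Valid but ignored` — and would be clearer as `# dangerous-write: real findings, but these writes are required, so the rule is silenced rather than fixed`.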
From: John Blackbourn
Date: Tue, 11 Feb 2025 12:35:05 +0100
Subject: [PATCH 11/24] o_O
---
 .github/workflows/reusable-workflow-lint.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml
index 38af2ca86d7e39..bcff7d40e314bf 100644
--- a/.github/workflows/reusable-workflow-lint.yml
+++ b/.github/workflows/reusable-workflow-lint.yml
@@ -54,7 +54,7 @@ jobs:
 filter_triggers: ''
 # dangerous-write: Valid but ignored because we have to use these writes
 # dangerous-checkout: Three false positives
- disable_rules: dangerous-write, dangerous-checkout
+ disable_rules: dangerous-write,dangerous-checkout
 - name: Upload SARIF file
 uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
From 5f09ce60dac122a4ec9aaec1d406d587a1287928 Mon Sep 17 00:00:00 2001
From: John Blackbourn Date: Tue, 11 Feb 2025 13:31:54 +0100 Subject: [PATCH 12/24] Disable permissions for all available scopes by default. --- .github/workflows/build-plugin-zip.yml | 4 ++++ .github/workflows/bundle-size.yml | 4 ++++ .github/workflows/check-backport-changelog.yml | 5 +++++ .github/workflows/check-components-changelog.yml | 5 +++++ .github/workflows/cherry-pick-wp-release.yml | 4 ++++ .github/workflows/create-block.yml | 4 ++++ .github/workflows/end2end-test.yml | 4 ++++ .github/workflows/enforce-pr-labels.yml | 5 +++++ .github/workflows/gradle-wrapper-validation.yml | 4 ++++ .github/workflows/performance.yml | 4 ++++ .github/workflows/publish-npm-packages.yml | 4 ++++ .github/workflows/pull-request-automation.yml | 4 ++++ .github/workflows/reusable-workflow-lint.yml | 2 ++ .github/workflows/rnmobile-android-runner.yml | 4 ++++ .github/workflows/rnmobile-ios-runner.yml | 4 ++++ .github/workflows/stale-issue-gardening.yml | 4 ++++ .github/workflows/static-checks.yml | 4 ++++ .github/workflows/storybook-check.yml | 4 ++++ .github/workflows/storybook-pages.yml | 4 ++++ .github/workflows/sync-assets-to-plugin-repo.yml | 4 ++++ .github/workflows/sync-backport-changelog.yml | 4 ++++ .github/workflows/unit-test.yml | 4 ++++ .github/workflows/upload-release-to-plugin-repo.yml | 4 ++++ 23 files changed, 93 insertions(+) diff --git a/.github/workflows/build-plugin-zip.yml b/.github/workflows/build-plugin-zip.yml index 11f6e1c5860c41..2b7e5efd85278a 100644 --- a/.github/workflows/build-plugin-zip.yml +++ b/.github/workflows/build-plugin-zip.yml @@ -20,6 +20,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }} cancel-in-progress: true +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: compute-stable-branches: name: Compute current and next stable release branches 
diff --git a/.github/workflows/bundle-size.yml b/.github/workflows/bundle-size.yml index 94b78e457f94ef..d8f6f4e664b067 100644 --- a/.github/workflows/bundle-size.yml +++ b/.github/workflows/bundle-size.yml @@ -31,6 +31,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }} cancel-in-progress: true +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: build: name: Check diff --git a/.github/workflows/check-backport-changelog.yml b/.github/workflows/check-backport-changelog.yml index 128aea8acc678d..b6a0efa055679f 100644 --- a/.github/workflows/check-backport-changelog.yml +++ b/.github/workflows/check-backport-changelog.yml @@ -16,6 +16,11 @@ on: - 'packages/**/*.php' - '!packages/block-library/**' - '!packages/e2e-tests/**' + +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: check: name: Check for a Core backport changelog entry diff --git a/.github/workflows/check-components-changelog.yml b/.github/workflows/check-components-changelog.yml index 9b38d49a5bbb23..c2d00cb30bb01c 100644 --- a/.github/workflows/check-components-changelog.yml +++ b/.github/workflows/check-components-changelog.yml @@ -14,6 +14,11 @@ on: - '!packages/components/src/**/*.native.js' - '!packages/components/src/**/*.native.scss' - '!packages/components/src/**/react-native-*' + +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: check: name: Check CHANGELOG diff diff --git a/.github/workflows/cherry-pick-wp-release.yml b/.github/workflows/cherry-pick-wp-release.yml index 4c5291fa26515d..4376959e126512 100644 --- a/.github/workflows/cherry-pick-wp-release.yml +++ b/.github/workflows/cherry-pick-wp-release.yml 
@@ -16,6 +16,10 @@ concurrency:
 group: ${{ github.workflow }}
 cancel-in-progress: false
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 cherry-pick:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/create-block.yml b/.github/workflows/create-block.yml
index 9ff1c0dbe408a0..ebe4c26728cd2d 100644
--- a/.github/workflows/create-block.yml
+++ b/.github/workflows/create-block.yml
@@ -12,6 +12,10 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
 cancel-in-progress: true
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 checks:
 name: Checks w/Node.js ${{ matrix.node }} on ${{ matrix.os }}
diff --git a/.github/workflows/end2end-test.yml b/.github/workflows/end2end-test.yml
index f97a9ad76e4914..095989d93ab912 100644
--- a/.github/workflows/end2end-test.yml
+++ b/.github/workflows/end2end-test.yml
@@ -15,6 +15,10 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
 cancel-in-progress: true
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 e2e-playwright:
 name: Playwright - ${{ matrix.part }}
diff --git a/.github/workflows/enforce-pr-labels.yml b/.github/workflows/enforce-pr-labels.yml
index 7493459a6ff35c..b7f0c27a716331 100644
--- a/.github/workflows/enforce-pr-labels.yml
+++ b/.github/workflows/enforce-pr-labels.yml
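Review bot: Adding `permissions: {}` at workflow level strips the default `GITHUB_TOKEN` grants from every job, and this commit's diffstat (4 or 5 added lines per file, 93 in total, all of them this comment-plus-key) shows no job-level grants being added alongside; the `cherry-pick` job starts below the hunk and its body is outside it, but the `@@ -90` hunk of this same file earlier in the series runs `git push origin "$TARGET_BRANCH"`, which needs `contents: write` (or a PAT) to succeed. If that job does not already carry its own `permissions:` block, the push will fail with a 403 on the next run; the same audit applies to the other 22 workflows touched here, especially those that label, comment, or publish. Recording that the audit was done would make the intent checkable, e.g. `# Every job below declares the scopes it needs; a write without them fails with 403.`.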
@@ -2,6 +2,11 @@ name: Enforce labels on Pull Request
 on:
 pull_request_target:
 types: [labeled, unlabeled, ready_for_review, review_requested]
+
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 type-related-labels:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml
index 4a5785d13fff0a..6fdc5867ba10ec 100644
--- a/.github/workflows/gradle-wrapper-validation.yml
+++ b/.github/workflows/gradle-wrapper-validation.yml
@@ -1,6 +1,10 @@
 name: 'Validate Gradle Wrapper'
 on: [push, pull_request]
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 validation:
 name: 'Validation'
diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml
index 1057129895e7f4..9822cc8cc3ffc3 100644
--- a/.github/workflows/performance.yml
+++ b/.github/workflows/performance.yml
@@ -23,6 +23,10 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
 cancel-in-progress: true
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 performance:
 timeout-minutes: 60
diff --git a/.github/workflows/publish-npm-packages.yml b/.github/workflows/publish-npm-packages.yml
index 8eacdf72b69a31..18b179efe907e2 100644
--- a/.github/workflows/publish-npm-packages.yml
+++ b/.github/workflows/publish-npm-packages.yml
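Review bot: The enforce-pr-labels.yml hunk is the only one in this commit sitting under a `pull_request_target:` trigger, and that trigger runs with the base repository's secrets on events raised by any fork PR (`labeled`, `unlabeled`, `ready_for_review`, `review_requested`); `permissions: {}` is the right default there, but it does nothing against the classic mistake of checking out or executing the PR head in such a workflow, and the `type-related-labels` job body that would show whether that happens is outside the hunk. Since the new comment block is being placed right under the trigger anyway, extend it with the constraint that matters for this trigger: `# pull_request_target runs with base-repo secrets: never check out or run code from the PR head in this workflow.` The job-level grant this job still needs (presumably `pull-requests: read` or `write`, depending on the action it uses) is not visible here and should be confirmed before merging.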
@@ -23,6 +23,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }} cancel-in-progress: true +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: release: name: Release - ${{ github.event.inputs.release_type }} diff --git a/.github/workflows/pull-request-automation.yml b/.github/workflows/pull-request-automation.yml index d369700f2bd77a..a6a5436bcdf505 100644 --- a/.github/workflows/pull-request-automation.yml +++ b/.github/workflows/pull-request-automation.yml @@ -4,6 +4,10 @@ on: push: name: Pull request automation +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: pull-request-automation: runs-on: ubuntu-latest diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index bcff7d40e314bf..ff176d48eacd25 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml @@ -2,6 +2,8 @@ name: Lint GitHub Actions workflows on: workflow_call: +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. permissions: {} jobs: diff --git a/.github/workflows/rnmobile-android-runner.yml b/.github/workflows/rnmobile-android-runner.yml index bbed1a88335d15..f9981f4c7c3c6f 100644 --- a/.github/workflows/rnmobile-android-runner.yml +++ b/.github/workflows/rnmobile-android-runner.yml @@ -12,6 +12,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }} cancel-in-progress: true +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: test: runs-on: macos-13 
diff --git a/.github/workflows/rnmobile-ios-runner.yml b/.github/workflows/rnmobile-ios-runner.yml index 9e73e17bfe99b0..2d2ac3caee9c9d 100644 --- a/.github/workflows/rnmobile-ios-runner.yml +++ b/.github/workflows/rnmobile-ios-runner.yml @@ -12,6 +12,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }} cancel-in-progress: true +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: test: runs-on: macos-13 diff --git a/.github/workflows/stale-issue-gardening.yml b/.github/workflows/stale-issue-gardening.yml index 6b8c7e82d1ca7b..84d06473c19e93 100644 --- a/.github/workflows/stale-issue-gardening.yml +++ b/.github/workflows/stale-issue-gardening.yml @@ -4,6 +4,10 @@ on: schedule: - cron: '0 0 * * *' +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: issue-gardening: name: ${{ matrix.name }} diff --git a/.github/workflows/static-checks.yml b/.github/workflows/static-checks.yml index 4a9390a5900a95..e869a2fd2694b5 100644 --- a/.github/workflows/static-checks.yml +++ b/.github/workflows/static-checks.yml @@ -15,6 +15,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }} cancel-in-progress: true +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: check: name: All diff --git a/.github/workflows/storybook-check.yml b/.github/workflows/storybook-check.yml index ed686c4c3dc177..252edf3bf0dcd8 100644 --- a/.github/workflows/storybook-check.yml +++ b/.github/workflows/storybook-check.yml 
@@ -9,6 +9,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }} cancel-in-progress: true +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/storybook-pages.yml b/.github/workflows/storybook-pages.yml index 2a7bf284e45882..0521dd95470e93 100644 --- a/.github/workflows/storybook-pages.yml +++ b/.github/workflows/storybook-pages.yml @@ -5,6 +5,10 @@ on: branches: - trunk +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: deploy: runs-on: ubuntu-latest diff --git a/.github/workflows/sync-assets-to-plugin-repo.yml b/.github/workflows/sync-assets-to-plugin-repo.yml index 8992d0da150c0f..cc0fa34c9137ae 100644 --- a/.github/workflows/sync-assets-to-plugin-repo.yml +++ b/.github/workflows/sync-assets-to-plugin-repo.yml @@ -7,6 +7,10 @@ on: paths: - assets/** +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: sync-assets: name: Sync assets to WordPress.org plugin repo diff --git a/.github/workflows/sync-backport-changelog.yml b/.github/workflows/sync-backport-changelog.yml index f434a900b20fa0..77b34425784cdd 100644 --- a/.github/workflows/sync-backport-changelog.yml +++ b/.github/workflows/sync-backport-changelog.yml @@ -7,6 +7,10 @@ on: issues: types: [labeled] +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: sync-backport-changelog: name: Sync Core Backport Issue diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml index 3b8d5dc3a4d642..29a6342ad0e6ca 100644 --- a/.github/workflows/unit-test.yml 
+++ b/.github/workflows/unit-test.yml @@ -19,6 +19,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }} cancel-in-progress: true +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: unit-js: name: JavaScript (Node.js ${{ matrix.node }}) ${{ matrix.shard }} diff --git a/.github/workflows/upload-release-to-plugin-repo.yml b/.github/workflows/upload-release-to-plugin-repo.yml index 5d48ab5e083821..cf2273795e19a6 100644 --- a/.github/workflows/upload-release-to-plugin-repo.yml +++ b/.github/workflows/upload-release-to-plugin-repo.yml @@ -4,6 +4,10 @@ on: release: types: [published] +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: compute-should-update-trunk: name: Decide if trunk or tag From 845059952378344090b9b6dbc49d8ed1ecc5e2a3 Mon Sep 17 00:00:00 2001 
From: John Blackbourn Date: Tue, 11 Feb 2025 13:59:08 +0100 Subject: [PATCH 13/24] Add explicit permissions for all jobs. --- .github/workflows/build-plugin-zip.yml | 12 ++++++++++++ .github/workflows/bundle-size.yml | 3 +++ .github/workflows/check-backport-changelog.yml | 2 ++ .github/workflows/check-components-changelog.yml | 2 ++ .github/workflows/cherry-pick-wp-release.yml | 4 ++++ .github/workflows/create-block.yml | 2 ++ .github/workflows/end2end-test.yml | 7 +++++++ .github/workflows/gradle-wrapper-validation.yml | 2 ++ .github/workflows/performance.yml | 2 ++ .github/workflows/publish-npm-packages.yml | 2 ++ .github/workflows/pull-request-automation.yml | 4 ++++ .github/workflows/rnmobile-android-runner.yml | 2 ++ .github/workflows/rnmobile-ios-runner.yml | 2 ++ .github/workflows/stale-issue-gardening.yml | 3 +++ .github/workflows/static-checks.yml | 2 ++ .github/workflows/storybook-check.yml | 2 ++ .github/workflows/storybook-pages.yml | 2 ++ .github/workflows/sync-assets-to-plugin-repo.yml | 2 ++ .github/workflows/sync-backport-changelog.yml | 3 +++ .github/workflows/unit-test.yml | 14 ++++++++++++++ .../workflows/upload-release-to-plugin-repo.yml | 6 ++++++ 21 files changed, 80 insertions(+) diff --git a/.github/workflows/build-plugin-zip.yml b/.github/workflows/build-plugin-zip.yml index 2b7e5efd85278a..3a7d91aa4b7311 100644 --- a/.github/workflows/build-plugin-zip.yml +++ b/.github/workflows/build-plugin-zip.yml @@ -28,6 +28,8 @@ jobs: compute-stable-branches: name: Compute current and next stable release branches runs-on: ubuntu-latest + permissions: + contents: read if: ${{ github.event_name == 'workflow_dispatch' }} outputs: current_stable_branch: ${{ steps.get_branches.outputs.current_stable_branch }} @@ -53,6 +55,8 @@ jobs: bump-version: name: Bump version runs-on: ubuntu-latest + permissions: + contents: write needs: compute-stable-branches if: | github.event_name == 'workflow_dispatch' && ( 
@@ -174,6 +178,8 @@ jobs: build: name: Build Release Artifact runs-on: ubuntu-latest + permissions: + contents: read needs: bump-version if: | always() && ( @@ -237,6 +243,8 @@ jobs: name: Revert version bump if build failed needs: [bump-version, build] runs-on: ubuntu-latest + permissions: + contents: write if: | always() && ( needs.build.outputs.job_status == 'failure' ) && @@ -291,6 +299,8 @@ jobs: name: Create Release Draft and Attach Asset needs: [bump-version, build] runs-on: ubuntu-latest + permissions: + contents: write steps: - name: Set Release Version @@ -336,6 +346,8 @@ jobs: npm-publish: name: Publish WordPress packages to npm runs-on: ubuntu-latest + permissions: + contents: read environment: WordPress packages needs: [bump-version, build] if: ${{ endsWith( needs.bump-version.outputs.new_version, '-rc.1' ) }} diff --git a/.github/workflows/bundle-size.yml b/.github/workflows/bundle-size.yml index d8f6f4e664b067..77cc5284423a43 100644 --- a/.github/workflows/bundle-size.yml +++ b/.github/workflows/bundle-size.yml @@ -39,6 +39,9 @@ jobs: build: name: Check runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/check-backport-changelog.yml b/.github/workflows/check-backport-changelog.yml index b6a0efa055679f..b5fa8517293557 100644 --- a/.github/workflows/check-backport-changelog.yml +++ b/.github/workflows/check-backport-changelog.yml @@ -25,6 +25,8 @@ jobs: check: name: Check for a Core backport changelog entry runs-on: ubuntu-latest + permissions: + contents: read if: ${{ !contains(github.event.pull_request.labels.*.name, 'No Core Sync Required') && !contains(github.event.pull_request.labels.*.name, 'Backport from WordPress Core') }} steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 
diff --git a/.github/workflows/check-components-changelog.yml b/.github/workflows/check-components-changelog.yml index c2d00cb30bb01c..d39097a4a13c5c 100644 --- a/.github/workflows/check-components-changelog.yml +++ b/.github/workflows/check-components-changelog.yml @@ -23,6 +23,8 @@ jobs: check: name: Check CHANGELOG diff runs-on: ubuntu-latest + permissions: + contents: read steps: - name: 'Get PR commit count' run: echo "PR_COMMIT_COUNT=$(( ${{ github.event.pull_request.commits }} + 1 ))" >> "${GITHUB_ENV}" diff --git a/.github/workflows/cherry-pick-wp-release.yml b/.github/workflows/cherry-pick-wp-release.yml index 4376959e126512..b6393f8eff8b73 100644 --- a/.github/workflows/cherry-pick-wp-release.yml +++ b/.github/workflows/cherry-pick-wp-release.yml @@ -23,6 +23,10 @@ permissions: {} jobs: cherry-pick: runs-on: ubuntu-latest + permissions: + contents: write + issues: write + pull-requests: read # When in the context of a PR, ensure the PR is merged. if: github.event.pull_request == null || github.event.pull_request.merged == true steps: diff --git a/.github/workflows/create-block.yml b/.github/workflows/create-block.yml index ebe4c26728cd2d..2caed50f86c62a 100644 --- a/.github/workflows/create-block.yml +++ b/.github/workflows/create-block.yml @@ -20,6 +20,8 @@ jobs: checks: name: Checks w/Node.js ${{ matrix.node }} on ${{ matrix.os }} runs-on: ${{ matrix.os }} + permissions: + contents: read if: ${{ github.repository == 'WordPress/gutenberg' || github.event_name == 'pull_request' }} strategy: fail-fast: false diff --git a/.github/workflows/end2end-test.yml b/.github/workflows/end2end-test.yml index 095989d93ab912..07ed1a81f3de94 100644 --- a/.github/workflows/end2end-test.yml +++ b/.github/workflows/end2end-test.yml 
@@ -23,6 +23,8 @@ jobs: e2e-playwright: name: Playwright - ${{ matrix.part }} runs-on: ubuntu-latest + permissions: + contents: read if: ${{ github.repository == 'WordPress/gutenberg' || github.event_name == 'pull_request' }} strategy: fail-fast: false @@ -77,6 +79,7 @@ jobs: if: ${{ !cancelled() }} needs: [e2e-playwright] runs-on: ubuntu-latest + permissions: {} outputs: has-flaky-test-report: ${{ !!steps.merge-flaky-tests-reports.outputs.artifact-id }} steps: @@ -104,6 +107,10 @@ jobs: needs: [merge-artifacts] if: ${{ needs.merge-artifacts.outputs.has-flaky-test-report == 'true' }} runs-on: ubuntu-latest + permissions: + contents: read + issues: write + pull-requests: write steps: # Checkout defaults to using the branch which triggered the event, which # isn't necessarily `trunk` (e.g. in the case of a merge). diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml index 6fdc5867ba10ec..d674ee2626b29f 100644 --- a/.github/workflows/gradle-wrapper-validation.yml +++ b/.github/workflows/gradle-wrapper-validation.yml @@ -9,6 +9,8 @@ jobs: validation: name: 'Validation' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml index 9822cc8cc3ffc3..78352971755d67 100644 --- a/.github/workflows/performance.yml +++ b/.github/workflows/performance.yml @@ -32,6 +32,8 @@ jobs: timeout-minutes: 60 name: Run performance tests runs-on: ubuntu-latest + permissions: + contents: read if: ${{ github.repository == 'WordPress/gutenberg' }} env: WP_ARTIFACTS_PATH: ${{ github.workspace }}/artifacts diff --git a/.github/workflows/publish-npm-packages.yml b/.github/workflows/publish-npm-packages.yml index 18b179efe907e2..00dbd25dadfaa9 100644 --- a/.github/workflows/publish-npm-packages.yml +++ b/.github/workflows/publish-npm-packages.yml 
@@ -31,6 +31,8 @@ jobs: release: name: Release - ${{ github.event.inputs.release_type }} runs-on: ubuntu-latest + permissions: + contents: read environment: WordPress packages steps: - name: Checkout (for CLI) diff --git a/.github/workflows/pull-request-automation.yml b/.github/workflows/pull-request-automation.yml index a6a5436bcdf505..c77041ec78e4bd 100644 --- a/.github/workflows/pull-request-automation.yml +++ b/.github/workflows/pull-request-automation.yml @@ -11,6 +11,10 @@ permissions: {} jobs: pull-request-automation: runs-on: ubuntu-latest + permissions: + contents: read + issues: write + pull-requests: write if: ${{ github.repository == 'WordPress/gutenberg' }} steps: diff --git a/.github/workflows/rnmobile-android-runner.yml b/.github/workflows/rnmobile-android-runner.yml index f9981f4c7c3c6f..26fe9e675a203b 100644 --- a/.github/workflows/rnmobile-android-runner.yml +++ b/.github/workflows/rnmobile-android-runner.yml @@ -19,6 +19,8 @@ permissions: {} jobs: test: runs-on: macos-13 + permissions: + contents: read if: false #if: ${{ github.repository == 'WordPress/gutenberg' || github.event_name == 'pull_request' }} strategy: diff --git a/.github/workflows/rnmobile-ios-runner.yml b/.github/workflows/rnmobile-ios-runner.yml index 2d2ac3caee9c9d..10ff4b98ede4f6 100644 --- a/.github/workflows/rnmobile-ios-runner.yml +++ b/.github/workflows/rnmobile-ios-runner.yml @@ -19,6 +19,8 @@ permissions: {} jobs: test: runs-on: macos-13 + permissions: + contents: read if: false #if: ${{ github.repository == 'WordPress/gutenberg' || github.event_name == 'pull_request' }} strategy: diff --git a/.github/workflows/stale-issue-gardening.yml b/.github/workflows/stale-issue-gardening.yml index 84d06473c19e93..075dd43adc6ac6 100644 --- a/.github/workflows/stale-issue-gardening.yml +++ b/.github/workflows/stale-issue-gardening.yml 
@@ -12,6 +12,9 @@ jobs: issue-gardening: name: ${{ matrix.name }} runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write if: ${{ github.repository == 'WordPress/gutenberg' }} strategy: matrix: diff --git a/.github/workflows/static-checks.yml b/.github/workflows/static-checks.yml index e869a2fd2694b5..259225e523d8b9 100644 --- a/.github/workflows/static-checks.yml +++ b/.github/workflows/static-checks.yml @@ -23,6 +23,8 @@ jobs: check: name: All runs-on: ubuntu-latest + permissions: + contents: read if: ${{ github.repository == 'WordPress/gutenberg' || github.event_name == 'pull_request' }} steps: diff --git a/.github/workflows/storybook-check.yml b/.github/workflows/storybook-check.yml index 252edf3bf0dcd8..734b0e111153cb 100644 --- a/.github/workflows/storybook-check.yml +++ b/.github/workflows/storybook-check.yml @@ -16,6 +16,8 @@ permissions: {} jobs: check: runs-on: ubuntu-latest + permissions: + contents: read if: ${{ github.repository == 'WordPress/gutenberg' || github.event_name == 'pull_request' }} steps: diff --git a/.github/workflows/storybook-pages.yml b/.github/workflows/storybook-pages.yml index 0521dd95470e93..1dd951e05a1d29 100644 --- a/.github/workflows/storybook-pages.yml +++ b/.github/workflows/storybook-pages.yml @@ -12,6 +12,8 @@ permissions: {} jobs: deploy: runs-on: ubuntu-latest + permissions: + contents: write if: ${{ github.repository == 'WordPress/gutenberg' }} steps: diff --git a/.github/workflows/sync-assets-to-plugin-repo.yml b/.github/workflows/sync-assets-to-plugin-repo.yml index cc0fa34c9137ae..356b4f15c39109 100644 --- a/.github/workflows/sync-assets-to-plugin-repo.yml +++ b/.github/workflows/sync-assets-to-plugin-repo.yml @@ -15,6 +15,8 @@ jobs: sync-assets: name: Sync assets to WordPress.org plugin repo runs-on: ubuntu-latest + permissions: + contents: read environment: wp.org plugin env: PLUGIN_REPO_URL: 'https://plugins.svn.wordpress.org/gutenberg' 
diff --git a/.github/workflows/sync-backport-changelog.yml b/.github/workflows/sync-backport-changelog.yml index 77b34425784cdd..6d38d218a7cd1a 100644 --- a/.github/workflows/sync-backport-changelog.yml +++ b/.github/workflows/sync-backport-changelog.yml @@ -15,6 +15,9 @@ jobs: sync-backport-changelog: name: Sync Core Backport Issue runs-on: ubuntu-latest + permissions: + contents: read + issues: write if: > github.event_name == 'push' || ( diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml index 29a6342ad0e6ca..809a4369246d86 100644 --- a/.github/workflows/unit-test.yml +++ b/.github/workflows/unit-test.yml @@ -27,6 +27,8 @@ jobs: unit-js: name: JavaScript (Node.js ${{ matrix.node }}) ${{ matrix.shard }} runs-on: ubuntu-latest + permissions: + contents: read if: ${{ github.repository == 'WordPress/gutenberg' || github.event_name == 'pull_request' }} strategy: fail-fast: false @@ -69,6 +71,8 @@ jobs: unit-js-date: name: JavaScript Date Tests (Node.js ${{ matrix.node }}) runs-on: ubuntu-latest + permissions: + contents: read if: ${{ github.repository == 'WordPress/gutenberg' || github.event_name == 'pull_request' }} strategy: fail-fast: false @@ -105,6 +109,7 @@ jobs: compute-previous-wordpress-version: name: Compute previous WordPress version runs-on: ubuntu-latest + permissions: {} outputs: previous-wordpress-version: ${{ steps.get-previous-wordpress-version.outputs.previous-wordpress-version }} @@ -130,6 +135,8 @@ jobs: build-assets: name: Build JavaScript assets for PHP unit tests runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: 
@@ -154,6 +161,8 @@ jobs: name: PHP ${{ matrix.php }}${{ matrix.multisite && ' multisite' || '' }}${{ matrix.wordpress != '' && format( ' (WP {0}) ', matrix.wordpress ) || '' }} on ubuntu-latest needs: [compute-previous-wordpress-version, build-assets] runs-on: ubuntu-latest + permissions: + contents: read timeout-minutes: 20 if: ${{ github.repository == 'WordPress/gutenberg' || github.event_name == 'pull_request' }} strategy: @@ -285,6 +294,8 @@ jobs: phpcs: name: PHP coding standards runs-on: ubuntu-latest + permissions: + contents: read timeout-minutes: 20 if: ${{ github.repository == 'WordPress/gutenberg' || github.event_name == 'pull_request' }} @@ -339,6 +350,7 @@ jobs: unit-php: name: PHP runs-on: ubuntu-latest + permissions: {} needs: [test-php, phpcs] if: ${{ always() }} steps: @@ -357,6 +369,8 @@ jobs: mobile-unit-js: name: Mobile runs-on: ubuntu-latest + permissions: + contents: read if: ${{ github.repository == 'WordPress/gutenberg' || github.event_name == 'pull_request' }} steps: diff --git a/.github/workflows/upload-release-to-plugin-repo.yml b/.github/workflows/upload-release-to-plugin-repo.yml index cf2273795e19a6..36f5eb185c1238 100644 --- a/.github/workflows/upload-release-to-plugin-repo.yml +++ b/.github/workflows/upload-release-to-plugin-repo.yml @@ -12,6 +12,7 @@ jobs: compute-should-update-trunk: name: Decide if trunk or tag runs-on: ubuntu-latest + permissions: {} # Skip this job if the release is a release candidate. This will in turn skip # the upload jobs, which are only relevant for non-RC releases. # We first check if the release is a prerelease, and then if the ref contains @@ -69,6 +70,7 @@ jobs: get-release-branch: name: Get release branch name runs-on: ubuntu-latest + permissions: {} outputs: release_branch: ${{ steps.get_release_branch.outputs.release_branch }} 
@@ -85,6 +87,8 @@ jobs: update-changelog: name: Update Changelog on ${{ matrix.branch }} branch runs-on: ubuntu-latest + permissions: + contents: write if: | github.event.release.assets[0] needs: get-release-branch @@ -162,6 +166,7 @@ jobs: upload: name: Publish as trunk (and tag) runs-on: ubuntu-latest + permissions: {} environment: wp.org plugin needs: [compute-should-update-trunk, update-changelog] if: | @@ -221,6 +226,7 @@ jobs: upload-tag: name: Publish as tag runs-on: ubuntu-latest + permissions: {} environment: wp.org plugin needs: [compute-should-update-trunk, update-changelog] if: | From 354cd3d325587df5bf9a48c370ac523165fb848a Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 11 Feb 2025 14:07:28 +0100 Subject: [PATCH 14/24] Remove use of the npm cache during the build. --- .github/workflows/build-plugin-zip.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build-plugin-zip.yml b/.github/workflows/build-plugin-zip.yml index 3a7d91aa4b7311..6f0e36fb55feb6 100644 --- a/.github/workflows/build-plugin-zip.yml +++ b/.github/workflows/build-plugin-zip.yml @@ -203,7 +203,6 @@ jobs: with: node-version-file: '.nvmrc' check-latest: true - cache: npm - name: Build Gutenberg plugin ZIP file run: ./bin/build-plugin-zip.sh From e32c9b0b715102f8780777d47569b3ecde91cac9 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 11 Feb 2025 14:07:37 +0100 Subject: [PATCH 15/24] Not much we can do about local actions. --- .github/workflows/reusable-workflow-lint.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index ff176d48eacd25..2fa177b3f92abe 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml 
@@ -56,7 +56,8 @@ jobs: filter_triggers: '' # dangerous-write: Valid but ignored because we have to use these writes # dangerous-checkout: Three false positives - disable_rules: dangerous-write,dangerous-checkout + # local-action: Not much we can do about this + disable_rules: dangerous-write,dangerous-checkout,local-action - name: Upload SARIF file uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9 From d6f5a6dc7cac835cf1436ae5fe234391c7d23d37 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 11 Feb 2025 16:24:46 +0100 Subject: [PATCH 16/24] Replace some more inline expressions with environment variables. --- .github/workflows/check-components-changelog.yml | 4 +++- .github/workflows/end2end-test.yml | 4 +++- .github/workflows/props-bot.yml | 4 +++- .github/workflows/rnmobile-android-runner.yml | 4 +++- .github/workflows/rnmobile-ios-runner.yml | 12 +++++++++--- .github/workflows/unit-test.yml | 7 +++++-- 6 files changed, 26 insertions(+), 9 deletions(-) diff --git a/.github/workflows/check-components-changelog.yml b/.github/workflows/check-components-changelog.yml index d39097a4a13c5c..ee97f185613de1 100644 --- a/.github/workflows/check-components-changelog.yml +++ b/.github/workflows/check-components-changelog.yml @@ -27,7 +27,9 @@ jobs: contents: read steps: - name: 'Get PR commit count' - run: echo "PR_COMMIT_COUNT=$(( ${{ github.event.pull_request.commits }} + 1 ))" >> "${GITHUB_ENV}" + env: + PR_COUNT: ${{ github.event.pull_request.commits }} + run: echo "PR_COMMIT_COUNT=$(( $PR_COUNT + 1 ))" >> "${GITHUB_ENV}" - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: diff --git a/.github/workflows/end2end-test.yml b/.github/workflows/end2end-test.yml index 07ed1a81f3de94..718e5b5c8239c8 100644 --- a/.github/workflows/end2end-test.yml +++ b/.github/workflows/end2end-test.yml 
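Review bot: The new `local-action` entry in `disable_rules`, like the existing `dangerous-write` and `dangerous-checkout` entries, turns the rule off for every workflow the scanner sees, and the comments above it do not say which jobs justify the suppression, so a later maintainer cannot tell whether it is still needed or re-enable it once those jobs change. I would expand each comment to name the sites, e.g. `# local-action: triggered by the repository's own composite actions (uses: ./.github/...)` and, for `dangerous-checkout`, list the three workflows that produce the false positives rather than only counting them. The octoscan step and job start and end outside the hunk.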
@@ -55,8 +55,10 @@ jobs: - name: Run the tests env: PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1 + SHARD_PART: ${{ matrix.part }} + SHARD_TOTAL: ${{ matrix.totalParts }} run: | - xvfb-run --auto-servernum --server-args="-screen 0 1280x960x24" -- npm run test:e2e -- --shard=${{ matrix.part }}/${{ matrix.totalParts }} + xvfb-run --auto-servernum --server-args="-screen 0 1280x960x24" -- npm run test:e2e -- --shard="${SHARD_PART}/${SHARD_TOTAL}" - name: Archive debug artifacts (screenshots, traces) uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 diff --git a/.github/workflows/props-bot.yml b/.github/workflows/props-bot.yml index b2332aabb816c7..574aea9f9ae948 100644 --- a/.github/workflows/props-bot.yml +++ b/.github/workflows/props-bot.yml @@ -76,6 +76,8 @@ jobs: - name: Remove the props-bot label uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 if: ${{ github.event.action == 'labeled' && 'props-bot' == github.event.label.name }} + env: + ISSUE_NUMBER: ${{ github.event.number }} with: retries: 2 retry-exempt-status-codes: 418 @@ -83,6 +85,6 @@ jobs: github.rest.issues.removeLabel({ owner: context.repo.owner, repo: context.repo.repo, - issue_number: '${{ github.event.number }}', + issue_number: process.env.ISSUE_NUMBER, name: 'props-bot' }); diff --git a/.github/workflows/rnmobile-android-runner.yml b/.github/workflows/rnmobile-android-runner.yml index 26fe9e675a203b..b5364a7854e989 100644 --- a/.github/workflows/rnmobile-android-runner.yml +++ b/.github/workflows/rnmobile-android-runner.yml @@ -82,6 +82,8 @@ jobs: - name: Run tests uses: reactivecircus/android-emulator-runner@62dbb605bba737720e10b196cb4220d374026a6d # v2.33.0 + env: + NATIVE_TEST_NAME: ${{ matrix.native-test-name }} with: api-level: ${{ matrix.api-level }} force-avd-creation: false 
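Review bot: In the second props-bot hunk, `issue_number: process.env.ISSUE_NUMBER` passes a string, as the quoted expression it replaces did, so behaviour is unchanged, but github-script already exposes the same value as `context.issue.number`, which would make the `ISSUE_NUMBER` env plumbing added in the first hunk unnecessary and also works for `issues` events, where `github.event.number` does not appear to be set. I would write `issue_number: context.issue.number,` and drop the added `env:` block; if the env var is kept, `Number(process.env.ISSUE_NUMBER)` preserves the integer type the API documents. The enclosing step and job start outside the hunk.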
@@ -89,7 +91,7 @@ jobs: disable-animations: true arch: x86_64 profile: Nexus 6 - script: npm run native test:e2e:android:local ${{ matrix.native-test-name }} + script: npm run native test:e2e:android:local "$NATIVE_TEST_NAME" - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: always() diff --git a/.github/workflows/rnmobile-ios-runner.yml b/.github/workflows/rnmobile-ios-runner.yml index 10ff4b98ede4f6..551f7b3a07ac36 100644 --- a/.github/workflows/rnmobile-ios-runner.yml +++ b/.github/workflows/rnmobile-ios-runner.yml @@ -41,10 +41,14 @@ jobs: working-directory: packages/react-native-editor/ios - name: Switch Xcode version to ${{ matrix.xcode }} - run: sudo xcode-select --switch /Applications/Xcode_${{ matrix.xcode }}.app + env: + VERSION: ${{ matrix.xcode }} + run: sudo xcode-select --switch "/Applications/Xcode_${VERSION}.app" - name: Launch simulator - run: (open -a Simulator && xcrun simctl boot '${{ matrix.device }}') & + env: + DEVICE: ${{ matrix.device }} + run: (open -a Simulator && xcrun simctl boot "${DEVICE}") & - name: Setup Node.js and install dependencies uses: ./.github/setup-node @@ -90,7 +94,9 @@ jobs: run: test -d packages/react-native-editor/ios/build/WDA || npm run native test:e2e:build-wda - name: Run iOS Device Tests - run: TEST_RN_PLATFORM=ios npm run native device-tests:local ${{ matrix.native-test-name }} + env: + NATIVE_TEST_NAME: ${{ matrix.native-test-name }} + run: TEST_RN_PLATFORM=ios npm run native device-tests:local "$NATIVE_TEST_NAME" - name: Prepare build cache run: | diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml index 809a4369246d86..31f7c4f5706e24 100644 --- a/.github/workflows/unit-test.yml +++ b/.github/workflows/unit-test.yml 
@@ -61,11 +61,12 @@ jobs: - name: Running the tests env: MAXWORKERS: ${{ steps.cpu-cores.outputs.count }} + SHARD: ${{ matrix.shard }} run: | npm run test:unit -- \ --ci \ --maxWorkers="$MAXWORKERS" \ - --shard="${{ matrix.shard }}" \ + --shard="$SHARD" \ --cacheDirectory="$HOME/.jest-cache" unit-js-date: @@ -217,7 +218,9 @@ jobs: # Ensure that Composer installs the correct versions of packages. - name: Override PHP version in composer.json - run: composer config platform.php ${{ matrix.php }} + env: + VERSION: ${{ matrix.php }} + run: composer config platform.php "$VERSION" # Since Composer dependencies are installed using `composer update` and no lock file is in version control, # passing a custom cache suffix ensures that the cache is flushed at least once per week. From 8977e1f662a2c1c006436c911350ff24621a9a54 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Sun, 2 Mar 2025 18:49:16 +0000 Subject: [PATCH 17/24] Remove another inline expression. --- .github/workflows/upload-release-to-plugin-repo.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/upload-release-to-plugin-repo.yml b/.github/workflows/upload-release-to-plugin-repo.yml index 97e2c7e8d8770c..fc2555524132b2 100644 --- a/.github/workflows/upload-release-to-plugin-repo.yml +++ b/.github/workflows/upload-release-to-plugin-repo.yml @@ -112,6 +112,8 @@ jobs: persist-credentials: true - name: Update the Changelog to include the release notes + env: + RELEASE_BODY: ${{ github.event.release.body }} run: | # First, determine where to insert the new Changelog entry. SERIES="${RELEASE_BRANCH#release/}" 
@@ -128,9 +130,7 @@ jobs: head -n $(( "${BEFORE}" - 1 )) changelog.txt > new_changelog.txt printf '= %s =\n\n' "${TAG#v}" >> new_changelog.txt # Need to use a heredoc in order to preserve special characters. - cat <<- "EOF" > release_notes.txt - ${{ github.event.release.body }} - EOF + echo "$RELEASE_BODY" > release_notes.txt # Normalize empty lines: Trim them from beginning and end of file... awk 'NF {p=1} p' <<< "$(< release_notes.txt)" >> new_changelog.txt # ...then add two empty lines at the end. From 2ca9e32bd8239aeb344b96246a332ffb3864fd89 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Sun, 2 Mar 2025 19:26:10 +0000 Subject: [PATCH 18/24] Another round of updates to address shellcheck concerns. --- .github/workflows/build-plugin-zip.yml | 3 ++- .github/workflows/check-components-changelog.yml | 2 +- .github/workflows/reusable-workflow-lint.yml | 3 ++- .github/workflows/unit-test.yml | 3 ++- 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-plugin-zip.yml b/.github/workflows/build-plugin-zip.yml index ecc56fe547abc5..01dae2d888e75d 100644 --- a/.github/workflows/build-plugin-zip.yml +++ b/.github/workflows/build-plugin-zip.yml @@ -44,7 +44,8 @@ jobs: -o latest.json \ "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" LATEST_STABLE_TAG="$(jq --raw-output '.tag_name' latest.json)" - IFS='.' read LATEST_STABLE_MAJOR LATEST_STABLE_MINOR LATEST_STABLE_PATCH <<< "${LATEST_STABLE_TAG#v}" + # shellcheck disable=SC2034 + IFS='.' read -r LATEST_STABLE_MAJOR LATEST_STABLE_MINOR LATEST_STABLE_PATCH <<< "${LATEST_STABLE_TAG#v}" echo "current_stable_branch=release/${LATEST_STABLE_MAJOR}.${LATEST_STABLE_MINOR}" >> "$GITHUB_OUTPUT" if [[ "${LATEST_STABLE_MINOR}" == "9" ]]; then echo "next_stable_branch=release/$((LATEST_STABLE_MAJOR + 1)).0" >> "$GITHUB_OUTPUT" diff --git a/.github/workflows/check-components-changelog.yml b/.github/workflows/check-components-changelog.yml index ee97f185613de1..dc29606008accb 100644 
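Review bot: `echo "$RELEASE_BODY" > release_notes.txt` is not a verbatim write: bash's builtin `echo` treats a body that starts with `-n`, `-e` or `-E` as options, and with `xpg_echo` enabled it interprets backslash escapes, so the replacement loses the guarantee the old quoted heredoc gave. Use `printf '%s\n' "$RELEASE_BODY" > release_notes.txt` instead. The comment left above it, `# Need to use a heredoc in order to preserve special characters.`, is now stale and should become `# Write the release body verbatim (printf avoids echo's option and escape handling).`. Taking the release body out of the inline expression and into `env:` is the right fix for the template-injection risk; the rest of this `run:` block lies outside the hunk.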
--- a/.github/workflows/check-components-changelog.yml +++ b/.github/workflows/check-components-changelog.yml @@ -29,7 +29,7 @@ jobs: - name: 'Get PR commit count' env: PR_COUNT: ${{ github.event.pull_request.commits }} - run: echo "PR_COMMIT_COUNT=$(( $PR_COUNT + 1 ))" >> "${GITHUB_ENV}" + run: echo "PR_COMMIT_COUNT=$(( PR_COUNT + 1 ))" >> "${GITHUB_ENV}" - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index 2fa177b3f92abe..01e01cf5746b71 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml @@ -30,10 +30,11 @@ jobs: # actionlint is static checker for GitHub Actions workflow files. # See https://github.com/rhysd/actionlint. + # [SC2129](https://www.shellcheck.net/wiki/SC2129) is ignored because it is a stylistic issue. - name: Run actionlint uses: docker://rhysd/actionlint:1.7.7 with: - args: "-color -verbose" + args: "-color -verbose -ignore 'SC2129:'" octoscan: name: Octoscan diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml index 350f2f0dee4abb..b861b3ecdbe163 100644 --- a/.github/workflows/unit-test.yml +++ b/.github/workflows/unit-test.yml @@ -123,7 +123,8 @@ jobs: -o versions.json \ "http://api.wordpress.org/core/stable-check/1.0/" LATEST_WP_VERSION="$(jq --raw-output 'with_entries(select(.value=="latest"))|keys[]' versions.json)" - IFS='.' read LATEST_WP_MAJOR LATEST_WP_MINOR LATEST_WP_PATCH <<< "${LATEST_WP_VERSION}" + # shellcheck disable=SC2034 + IFS='.' read -r LATEST_WP_MAJOR LATEST_WP_MINOR LATEST_WP_PATCH <<< "${LATEST_WP_VERSION}" if [[ "${LATEST_WP_MINOR}" == "0" ]]; then PREVIOUS_WP_SERIES="$((LATEST_WP_MAJOR - 1)).9" else From 2678d2728867cb9cdb2585433415b0b293b13a93 Mon Sep 17 00:00:00 2001 
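Review bot: `LATEST_WP_VERSION` in the unit-test.yml hunk is derived from `http://api.wordpress.org/core/stable-check/1.0/`, fetched over plaintext HTTP (a context line, not touched by this commit), and then feeds the `PREVIOUS_WP_SERIES` arithmetic; switching to `https://api.wordpress.org/core/stable-check/1.0/` removes the on-path tampering window for a value that decides which WordPress versions get tested. The `# shellcheck disable=SC2034` directive only covers the `read` line that follows it, which is what is wanted here and in the matching build-plugin-zip.yml hunk on the previous line. The `run:` blocks continue outside the hunks.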
From: John Blackbourn Date: Sun, 2 Mar 2025 19:26:24 +0000 Subject: [PATCH 19/24] Don't redirect to the same file that's being read. --- .github/workflows/build-plugin-zip.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-plugin-zip.yml b/.github/workflows/build-plugin-zip.yml index 01dae2d888e75d..5a80f748e33692 100644 --- a/.github/workflows/build-plugin-zip.yml +++ b/.github/workflows/build-plugin-zip.yml @@ -142,8 +142,10 @@ jobs: VERSION: ${{ steps.get_version.outputs.new_version }} OLD_VERSION: ${{ steps.get_version.outputs.old_version }} run: | - cat <<< "$(jq --tab --arg version "${VERSION}" '.version = $version' package.json)" > package.json - cat <<< "$(jq --tab --arg version "${VERSION}" '.version = $version | .packages[""].version = $version' package-lock.json)" > package-lock.json + jq --tab --arg version "${VERSION}" '.version = $version' package.json > package.json.tmp + mv package.json.tmp package.json + jq --tab --arg version "${VERSION}" '.version = $version | .packages[""].version = $version' package-lock.json > package-lock.json.tmp + mv package-lock.json.tmp package-lock.json sed -i "s/${OLD_VERSION}/${VERSION}/g" gutenberg.php - name: Commit the version bump to the release branch From 9b437c94bcc4d70b31e401e32771ecc065d27f6b Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Sun, 2 Mar 2025 20:28:22 +0000 Subject: [PATCH 20/24] The `-ignore` flag is, ironically, being ignored. Let's see if the issue is due to the quotes. --- .github/workflows/reusable-workflow-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index 01e01cf5746b71..f4e1080f0437c8 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml 
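Review bot: The temp-file-then-`mv` rewrite fixes the self-redirect, but the `sed -i "s/${OLD_VERSION}/${VERSION}/g" gutenberg.php` context line below it still uses `OLD_VERSION` as an unescaped regex, so `1.2.3` also matches `1x2y3` and every other occurrence in the file; escaping the dots first, e.g. `OLD_VERSION_RE="${OLD_VERSION//./\\.}"` and `sed -i "s/${OLD_VERSION_RE}/${VERSION}/g" gutenberg.php`, keeps the substitution literal. Because `run:` steps use `bash -e` unless a `shell:` override says otherwise, a failing `jq` aborts before the `mv`, so a truncated package.json is no longer written; a one-line comment would make that intent visible, e.g. `# Write to a temp file first: redirecting jq back onto its own input truncates the file before it is read.`. The step and its `run:` block start outside the hunk.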
@@ -34,7 +34,7 @@ jobs: - name: Run actionlint uses: docker://rhysd/actionlint:1.7.7 with: - args: "-color -verbose -ignore 'SC2129:'" + args: '-color -verbose -ignore "SC2129:"' octoscan: name: Octoscan From 02a3fbf3204cab1e0eb2d43ad53053cc7e6a63cf Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 3 Mar 2025 10:09:49 +0000 Subject: [PATCH 21/24] More adjustments to the actionlint config. --- .github/actionlint.yml | 13 +++++++++++++ .github/workflows/reusable-workflow-lint.yml | 4 ++-- 2 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 .github/actionlint.yml diff --git a/.github/actionlint.yml b/.github/actionlint.yml new file mode 100644 index 00000000000000..fe1b21b7156f7c --- /dev/null +++ b/.github/actionlint.yml @@ -0,0 +1,13 @@ +# This is the configuration file for actionlint, a static checker for GitHub Actions workflow files. +# See https://github.com/rhysd/actionlint. + +# Path-specific configurations. +paths: + .github/workflows/**/*.{yml,yaml}: + ignore: + # [SC2129](https://www.shellcheck.net/wiki/SC2129) is ignored because it is a stylistic issue. + - 'shellcheck reported issue in this script: SC2129:.+' + .github/workflows/end2end-test.yml: + ignore: + # This file gets created in the step prior. + - 'file "build/index.js" does not exist.+' diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index f4e1080f0437c8..fa122c4845af00 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml 
@@ -30,11 +30,11 @@ jobs: # actionlint is static checker for GitHub Actions workflow files. # See https://github.com/rhysd/actionlint. - # [SC2129](https://www.shellcheck.net/wiki/SC2129) is ignored because it is a stylistic issue. + # Configuration file: .github/actionlint.yml - name: Run actionlint uses: docker://rhysd/actionlint:1.7.7 with: - args: '-color -verbose -ignore "SC2129:"' + args: '-color -verbose -ignore' octoscan: name: Octoscan From 28655e85f79e5b73255f26faa12a96c64d4498fa Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 3 Mar 2025 10:11:34 +0000 Subject: [PATCH 22/24] Whoops. --- .github/workflows/reusable-workflow-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index fa122c4845af00..03c03bd2560bc1 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml @@ -34,7 +34,7 @@ jobs: - name: Run actionlint uses: docker://rhysd/actionlint:1.7.7 with: - args: '-color -verbose -ignore' + args: '-color -verbose' octoscan: name: Octoscan From c1e6cbb569d7da1e8a4bcb5a8116daaf5ec39a64 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 3 Mar 2025 10:29:13 +0000 Subject: [PATCH 23/24] Update zizmor for one final check. --- .github/workflows/reusable-workflow-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index 03c03bd2560bc1..7d2127b172aa60 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml @@ -84,7 +84,7 @@ jobs: # https://github.com/woodruffw/zizmor - name: Run zizmor - run: uvx zizmor@1.3.1 --format sarif . > results.sarif + run: uvx zizmor@1.4.1 --format sarif . > results.sarif env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 471fa6790be9810436b6baa6a7cb11344f0de6ab Mon Sep 17 00:00:00 2001 
From: John Blackbourn
Date: Mon, 3 Mar 2025 10:39:28 +0000
Subject: [PATCH 24/24] Everything is green, so we'll remove Octoscan, Zizmor, and Poutine. Use of these will be proposed separately.
---
 .github/workflows/reusable-workflow-lint.yml | 79 --------------------
 1 file changed, 79 deletions(-)
diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml
index 7d2127b172aa60..fc2e7752211c19 100644
--- a/.github/workflows/reusable-workflow-lint.yml
+++ b/.github/workflows/reusable-workflow-lint.yml
@@ -35,82 +35,3 @@ jobs: uses: docker://rhysd/actionlint:1.7.7 with: args: '-color -verbose' - - octoscan: - name: Octoscan - runs-on: ubuntu-latest - permissions: - security-events: write - actions: read - contents: read - timeout-minutes: 10 - steps: - - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false - - - name: Run octoscan - id: octoscan - uses: synacktiv/action-octoscan@6b1cf2343893dfb9e5f75652388bd2dc83f456b0 # v1.0.0 - with: - filter_triggers: '' - # dangerous-write: Valid but ignored because we have to use these writes - # dangerous-checkout: Three false positives - # local-action: Not much we can do about this - disable_rules: dangerous-write,dangerous-checkout,local-action - - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9 - with: - sarif_file: ${{steps.octoscan.outputs.sarif_output}} - category: octoscan - - zizmor: - name: Zizmor - runs-on: ubuntu-latest - permissions: - security-events: write - actions: read - contents: read - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false - - - name: Install the latest version of uv - uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5.2.1 - - # https://github.com/woodruffw/zizmor - - name: Run zizmor - run: uvx zizmor@1.4.1 --format sarif . 
> results.sarif - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9 - with: - sarif_file: results.sarif - category: zizmor - - poutine: - name: Poutine - runs-on: ubuntu-latest - permissions: - security-events: write - contents: read - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false - - - name: Run Poutine - uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2 - - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9 - with: - sarif_file: results.sarif - category: poutine