Skip to content

GitHub Actions workflow hardening #69126

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
johnbillion merged 26 commits into from
Apr 22, 2025
Merged

GitHub Actions workflow hardening #69126

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
26 commits
Select commit Hold shift + click to select a range
32951b8
Add an Actionlint workflow.
johnbillion Feb 10, 2025
908465e
Add Octoscan, Zizmor, and Poutine.
johnbillion Feb 10, 2025
a93c6c9
Replace inline expressions with environment variables.
johnbillion Feb 10, 2025
8480d4e
Be explicit about credential use when checking out a repo.
johnbillion Feb 10, 2025
26e53c3
Be strict about quoting environment variables.
johnbillion Feb 10, 2025
45a258f
Update Zizmor.
johnbillion Feb 11, 2025
571dc91
Update upload-sarif.
johnbillion Feb 11, 2025
4d489d2
Disable the dangerous-write rule in Octoscan for now, to reduce the n…
johnbillion Feb 11, 2025
5ddbdd3
Add some more quoting to prevent word splitting.
johnbillion Feb 11, 2025
5ed7adf
These are false positives.
johnbillion Feb 11, 2025
d1426f7
o_O
johnbillion Feb 11, 2025
5f09ce6
Disable permissions for all available scopes by default.
johnbillion Feb 11, 2025
8450599
Add explicit permissions for all jobs.
johnbillion Feb 11, 2025
354cd3d
Remove use of the npm cache during the build.
johnbillion Feb 11, 2025
e32c9b0
Not much we can do about local actions.
johnbillion Feb 11, 2025
d6f5a6d
Replace some more inline expressions with environment variables.
johnbillion Feb 11, 2025
17c4dd3
Merge branch 'trunk' into harden-workflows
johnbillion Mar 2, 2025
8977e1f
Remove another inline expression.
johnbillion Mar 2, 2025
2ca9e32
Another round of updates to address shellcheck concerns.
johnbillion Mar 2, 2025
2678d27
Don't redirect to the same file that's being read.
johnbillion Mar 2, 2025
9b437c9
The `-ignore` flag is, ironically, being ignored. Let's see if the is…
johnbillion Mar 2, 2025
02a3fbf
More adjustments to the actionlint config.
johnbillion Mar 3, 2025
28655e8
Whoops.
johnbillion Mar 3, 2025
c1e6cbb
Update zizmor for one final check.
johnbillion Mar 3, 2025
471fa67
Everything is green, so we'll remove Octoscan, Zizmor, and Poutine. U…
johnbillion Mar 3, 2025
a781612
Merge branch 'trunk' into harden-workflows
johnbillion Apr 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions .github/actionlint.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
# This is the configuration file for actionlint, a static checker for GitHub Actions workflow files.
# See https://github.com/rhysd/actionlint.

# Path-specific configurations.
paths:
.github/workflows/**/*.{yml,yaml}:
ignore:
# [SC2129](https://www.shellcheck.net/wiki/SC2129) is ignored because it is a stylistic issue.
- 'shellcheck reported issue in this script: SC2129:.+'
.github/workflows/end2end-test.yml:
ignore:
# This file gets created in the step prior.
- 'file "build/index.js" does not exist.+'
2 changes: 1 addition & 1 deletion .github/setup-node/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ runs:
- name: Get Node.js and npm version
id: node-version
run: |
echo "NODE_VERSION=$(node -v)" >> $GITHUB_OUTPUT
echo "NODE_VERSION=$(node -v)" >> "$GITHUB_OUTPUT"
shell: bash

- name: Cache node_modules
Expand Down
117 changes: 80 additions & 37 deletions .github/workflows/build-plugin-zip.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,10 +20,16 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
cancel-in-progress: true

# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}

jobs:
compute-stable-branches:
name: Compute current and next stable release branches
runs-on: ubuntu-latest
permissions:
contents: read
if: ${{ github.event_name == 'workflow_dispatch' }}
outputs:
current_stable_branch: ${{ steps.get_branches.outputs.current_stable_branch }}
Expand All @@ -36,19 +42,22 @@ jobs:
curl \
-H "Accept: application/vnd.github.v3+json" \
-o latest.json \
"https://api.github.com/repos/${{ github.repository }}/releases/latest"
LATEST_STABLE_TAG=$(jq --raw-output '.tag_name' latest.json)
IFS='.' read LATEST_STABLE_MAJOR LATEST_STABLE_MINOR LATEST_STABLE_PATCH <<< "${LATEST_STABLE_TAG#v}"
echo "current_stable_branch=release/${LATEST_STABLE_MAJOR}.${LATEST_STABLE_MINOR}" >> $GITHUB_OUTPUT
if [[ ${LATEST_STABLE_MINOR} == "9" ]]; then
echo "next_stable_branch=release/$((LATEST_STABLE_MAJOR + 1)).0" >> $GITHUB_OUTPUT
"https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest"
LATEST_STABLE_TAG="$(jq --raw-output '.tag_name' latest.json)"
# shellcheck disable=SC2034
IFS='.' read -r LATEST_STABLE_MAJOR LATEST_STABLE_MINOR LATEST_STABLE_PATCH <<< "${LATEST_STABLE_TAG#v}"
echo "current_stable_branch=release/${LATEST_STABLE_MAJOR}.${LATEST_STABLE_MINOR}" >> "$GITHUB_OUTPUT"
if [[ "${LATEST_STABLE_MINOR}" == "9" ]]; then
echo "next_stable_branch=release/$((LATEST_STABLE_MAJOR + 1)).0" >> "$GITHUB_OUTPUT"
else
echo "next_stable_branch=release/${LATEST_STABLE_MAJOR}.$((LATEST_STABLE_MINOR + 1))" >> $GITHUB_OUTPUT
echo "next_stable_branch=release/${LATEST_STABLE_MAJOR}.$((LATEST_STABLE_MINOR + 1))" >> "$GITHUB_OUTPUT"
fi

bump-version:
name: Bump version
runs-on: ubuntu-latest
permissions:
contents: write
needs: compute-stable-branches
if: |
github.event_name == 'workflow_dispatch' && (
Expand Down Expand Up @@ -76,31 +85,34 @@ jobs:
with:
token: ${{ secrets.GUTENBERG_TOKEN }}
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
persist-credentials: true

- name: Compute old and new version
id: get_version
env:
VERSION: ${{ github.event.inputs.version }}
run: |
OLD_VERSION=$(jq --raw-output '.version' package.json)
echo "old_version=${OLD_VERSION}" >> $GITHUB_OUTPUT
if [[ ${{ github.event.inputs.version }} == 'stable' ]]; then
NEW_VERSION=$(npx semver $OLD_VERSION -i patch)
OLD_VERSION="$(jq --raw-output '.version' package.json)"
echo "old_version=${OLD_VERSION}" >> "$GITHUB_OUTPUT"
if [[ "$VERSION" == 'stable' ]]; then
NEW_VERSION="$(npx semver "$OLD_VERSION" -i patch)"
else
if [[ $OLD_VERSION == *"rc"* ]]; then
NEW_VERSION=$(npx semver $OLD_VERSION -i prerelease)
if [[ "$OLD_VERSION" == *"rc"* ]]; then
NEW_VERSION="$(npx semver "$OLD_VERSION" -i prerelease)"
else
# WordPress version guidelines: If minor is 9, bump major instead.
IFS='.' read -r -a OLD_VERSION_ARRAY <<< "$OLD_VERSION"
if [[ ${OLD_VERSION_ARRAY[1]} == "9" ]]; then
NEW_VERSION="$(npx semver $OLD_VERSION -i major)-rc.1"
NEW_VERSION="$(npx semver "$OLD_VERSION" -i major)-rc.1"
else
NEW_VERSION="$(npx semver $OLD_VERSION -i minor)-rc.1"
NEW_VERSION="$(npx semver "$OLD_VERSION" -i minor)-rc.1"
fi
fi
fi
echo "new_version=${NEW_VERSION}" >> $GITHUB_OUTPUT
echo "new_version=${NEW_VERSION}" >> "$GITHUB_OUTPUT"
IFS='.' read -r -a NEW_VERSION_ARRAY <<< "$NEW_VERSION"
RELEASE_BRANCH="release/${NEW_VERSION_ARRAY[0]}.${NEW_VERSION_ARRAY[1]}"
echo "release_branch=${RELEASE_BRANCH}" >> $GITHUB_OUTPUT
echo "release_branch=${RELEASE_BRANCH}" >> "$GITHUB_OUTPUT"

- name: Configure git user name and email
run: |
Expand All @@ -111,51 +123,66 @@ jobs:
if: |
github.event.inputs.version == 'rc' &&
! contains( steps.get_version.outputs.old_version, 'rc' )
run: git checkout -b "${{ steps.get_version.outputs.release_branch }}"
env:
TARGET_BRANCH: ${{ steps.get_version.outputs.release_branch }}
run: git checkout -b "$TARGET_BRANCH"

- name: Switch to release branch
if: |
github.event.inputs.version == 'stable' ||
contains( steps.get_version.outputs.old_version, 'rc' )
env:
TARGET_BRANCH: ${{ steps.get_version.outputs.release_branch }}
run: |
git fetch --depth=1 origin "${{ steps.get_version.outputs.release_branch }}"
git checkout "${{ steps.get_version.outputs.release_branch }}"
git fetch --depth=1 origin "$TARGET_BRANCH"
git checkout "$TARGET_BRANCH"

- name: Update plugin version
env:
VERSION: ${{ steps.get_version.outputs.new_version }}
OLD_VERSION: ${{ steps.get_version.outputs.old_version }}
run: |
cat <<< $(jq --tab --arg version "${VERSION}" '.version = $version' package.json) > package.json
cat <<< $(jq --tab --arg version "${VERSION}" '.version = $version | .packages[""].version = $version' package-lock.json) > package-lock.json
sed -i "s/${{ steps.get_version.outputs.old_version }}/${VERSION}/g" gutenberg.php
jq --tab --arg version "${VERSION}" '.version = $version' package.json > package.json.tmp
mv package.json.tmp package.json
jq --tab --arg version "${VERSION}" '.version = $version | .packages[""].version = $version' package-lock.json > package-lock.json.tmp
mv package-lock.json.tmp package-lock.json
sed -i "s/${OLD_VERSION}/${VERSION}/g" gutenberg.php

- name: Commit the version bump to the release branch
id: commit_version_bump_to_release_branch
env:
TARGET_BRANCH: ${{ steps.get_version.outputs.release_branch }}
VERSION: ${{ steps.get_version.outputs.new_version }}
run: |
git add gutenberg.php package.json package-lock.json
git commit -m "Bump plugin version to ${{ steps.get_version.outputs.new_version }}"
git push --set-upstream origin "${{ steps.get_version.outputs.release_branch }}"
echo "version_bump_commit=$(git rev-parse --verify --short HEAD)" >> $GITHUB_OUTPUT
git commit -m "Bump plugin version to ${VERSION}"
git push --set-upstream origin "$TARGET_BRANCH"
echo "version_bump_commit=$(git rev-parse --verify --short HEAD)" >> "$GITHUB_OUTPUT"

- name: Fetch trunk
if: ${{ github.ref != 'refs/heads/trunk' }}
run: git fetch --depth=1 origin trunk

- name: Cherry-pick the version bump commit to trunk
id: commit_version_bump_to_trunk
env:
TARGET_BRANCH: ${{ steps.get_version.outputs.release_branch }}
OLD_VERSION: ${{ steps.get_version.outputs.old_version }}
run: |
git checkout trunk
git pull
TRUNK_VERSION=$(jq --raw-output '.version' package.json)
if [[ ${{ steps.get_version.outputs.old_version }} == "$TRUNK_VERSION" ]]; then
git cherry-pick "${{ steps.get_version.outputs.release_branch }}"
TRUNK_VERSION="$(jq --raw-output '.version' package.json)"
if [[ "$OLD_VERSION" == "$TRUNK_VERSION" ]]; then
git cherry-pick "$TARGET_BRANCH"
git push
echo "version_bump_commit=$(git rev-parse --verify --short HEAD)" >> $GITHUB_OUTPUT
echo "version_bump_commit=$(git rev-parse --verify --short HEAD)" >> "$GITHUB_OUTPUT"
fi

build:
name: Build Release Artifact
runs-on: ubuntu-latest
permissions:
contents: read
needs: bump-version
if: |
always() && (
Expand All @@ -172,13 +199,13 @@ jobs:
with:
ref: ${{ needs.bump-version.outputs.release_branch || github.ref }}
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
persist-credentials: false

- name: Use desired version of Node.js
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
with:
node-version-file: '.nvmrc'
check-latest: true
cache: npm

- name: Build Gutenberg plugin ZIP file
run: ./bin/build-plugin-zip.sh
Expand All @@ -200,7 +227,7 @@ jobs:
MILESTONE="Gutenberg ${VERSION_ARRAY[0]}.${VERSION_ARRAY[1]}"
npm run other:changelog -- --milestone="$MILESTONE" --unreleased > release-notes.txt
sed -ie '1,6d' release-notes.txt
if [[ ${{ needs.bump-version.outputs.new_version }} != *"rc"* ]]; then
if [[ "${VERSION}" != *"rc"* ]]; then
# Include previous RCs' release notes, if any
CHANGELOG_REGEX="=\s[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?\s="
RC_REGEX="=\s${VERSION}(-rc\.[0-9]+)?\s="
Expand All @@ -218,6 +245,8 @@ jobs:
name: Revert version bump if build failed
needs: [bump-version, build]
runs-on: ubuntu-latest
permissions:
contents: write
if: |
always() &&
( needs.build.outputs.job_status == 'failure' ) &&
Expand All @@ -231,6 +260,7 @@ jobs:
ref: ${{ needs.bump-version.outputs.release_branch }}
token: ${{ secrets.GUTENBERG_TOKEN }}
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
persist-credentials: true

- name: Configure git user name and email
run: |
Expand All @@ -241,36 +271,45 @@ jobs:
if: |
github.event.inputs.version == 'stable' ||
contains( needs.bump-version.outputs.old_version, 'rc' )
env:
RELEAD_BRANCH_COMMIT: ${{ needs.bump-version.outputs.release_branch_commit }}
RELEASE_BRANCH: ${{ needs.bump-version.outputs.release_branch }}
run: |
git revert --no-edit ${{ needs.bump-version.outputs.release_branch_commit }}
git push --set-upstream origin "${{ needs.bump-version.outputs.release_branch }}"
git revert --no-edit "$RELEAD_BRANCH_COMMIT"
git push --set-upstream origin "$RELEASE_BRANCH"

- name: Delete release branch if it was only just created for the RC
if: |
github.event.inputs.version == 'rc' &&
! contains( needs.bump-version.outputs.old_version, 'rc' )
env:
RELEASE_BRANCH: ${{ needs.bump-version.outputs.release_branch }}
run: |
git push origin :"${{ needs.bump-version.outputs.release_branch }}"
git push origin :"$RELEASE_BRANCH"

- name: Revert version bump on trunk
if: ${{ needs.bump-version.outputs.trunk_commit }}
env:
TRUNK_COMMIT: ${{ needs.bump-version.outputs.trunk_commit }}
run: |
git fetch --depth=2 origin trunk
git checkout trunk
git revert --no-edit ${{ needs.bump-version.outputs.trunk_commit }}
git revert --no-edit "$TRUNK_COMMIT"
git push --set-upstream origin trunk

create-release:
name: Create Release Draft and Attach Asset
needs: [bump-version, build]
runs-on: ubuntu-latest
permissions:
contents: write

steps:
- name: Set Release Version
id: get_release_version
env:
VERSION: ${{ needs.bump-version.outputs.new_version }}
run: echo "version=$(echo $VERSION | cut -d / -f 3 | sed 's/-rc./ RC/' )" >> $GITHUB_OUTPUT
run: echo "version=$(echo "$VERSION" | cut -d / -f 3 | sed 's/-rc./ RC/' )" >> "$GITHUB_OUTPUT"

- name: Download Plugin Zip Artifact
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
Expand Down Expand Up @@ -309,6 +348,8 @@ jobs:
npm-publish:
name: Publish WordPress packages to npm
runs-on: ubuntu-latest
permissions:
contents: read
environment: WordPress packages
needs: [bump-version, build]
if: ${{ endsWith( needs.bump-version.outputs.new_version, '-rc.1' ) }}
Expand All @@ -319,6 +360,7 @@ jobs:
path: main
ref: trunk
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
persist-credentials: false

- name: Checkout (for publishing)
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
Expand All @@ -328,6 +370,7 @@ jobs:
ref: trunk
token: ${{ secrets.GUTENBERG_TOKEN }}
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
persist-credentials: false

- name: Configure git user name and email (for publishing)
run: |
Expand Down
8 changes: 8 additions & 0 deletions .github/workflows/bundle-size.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,16 +31,24 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
cancel-in-progress: true

# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}

jobs:
build:
name: Check
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write

steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 1
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
persist-credentials: false

- name: Use desired version of Node.js
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
Expand Down
11 changes: 10 additions & 1 deletion .github/workflows/check-backport-changelog.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,16 +18,25 @@ on:
- '!packages/block-serialization-default-parser/**'
- '!packages/widgets/**'
- '!packages/e2e-tests/**'

# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}

jobs:
check:
name: Check for a Core backport changelog entry
runs-on: ubuntu-latest
permissions:
contents: read
if: ${{ !contains(github.event.pull_request.labels.*.name, 'No Core Sync Required') && !contains(github.event.pull_request.labels.*.name, 'Backport from WordPress Core') }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
persist-credentials: false

- name: Check the changelog folder
env:
PR_NUMBER: ${{ github.event.number }}
Expand All @@ -46,7 +55,7 @@ jobs:
exit 1
fi

core_pr_number=$(basename "${changelog_file}" .md)
core_pr_number="$(basename "${changelog_file}" .md)"
core_pr_url="https://github\.com/WordPress/wordpress-develop/pull/${core_pr_number}"

# Confirm that the entry has the correct core backport PR URL.
Expand Down
Loading
Loading