From a27f60a20e1fce5bcc2d9eb8803a8ce4536c0212 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Wed, 13 May 2026 14:17:50 +0100
Subject: [PATCH 1/3] Grant minimally-scoped permissions.
---
 .github/workflows/build.yml | 6 ++++++
 .github/workflows/comment-with-checklist.yml | 6 +++++-
 .../workflows/content-checklist-from-comment.yml | 14 ++++++++++++++
 .github/workflows/content-checklist-from-issue.yml | 14 ++++++++++++++
 .github/workflows/i18n.yml | 6 ++++++
 .../add-to-project-when-labeled.yml | 13 +++++++++++++
 .../automate-review-documentation.yml | 7 ++++++-
 .github/workflows/label-feedback-from-comment.yml | 6 +++++-
 .github/workflows/label-feedback-from-issue.yml | 6 +++++-
 .github/workflows/linters.yml | 6 ++++++
 .github/workflows/published-content.yml | 6 ++++++
 .github/workflows/review-instructions.yml | 6 +++++-
 .github/workflows/self-assign-issue.yml | 6 ++++++
 13 files changed, 97 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b6b5c4e25..a8ca96492 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,10 +5,16 @@ on:
 branches: [trunk]
 workflow_dispatch:
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 build:
 name: Build
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # Required to push the build branch
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
diff --git a/.github/workflows/comment-with-checklist.yml b/.github/workflows/comment-with-checklist.yml
index 21c11099d..c92422483 100644
--- a/.github/workflows/comment-with-checklist.yml
+++ b/.github/workflows/comment-with-checklist.yml
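Review bot: The build job now carries a `contents: write` token but still consumes `actions/checkout@v4` by a mutable major tag, so a retargeted or compromised tag would execute with push rights to the repository. Pin the action to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, and apply the same to any later steps of this job. The steps that actually push the build branch lie outside the hunk, so whether checkout's persisted credentials are what they rely on cannot be judged from here.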
@@ -8,11 +8,15 @@ on:
 content-type:
 type: string
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 add-comment:
 runs-on: ubuntu-latest
 permissions:
- issues: write
+ issues: write # Required to comment on issues and add labels
 steps:
 - uses: peter-evans/create-or-update-comment@v3
 if: contains(inputs.content-type, 'tutorial')
diff --git a/.github/workflows/content-checklist-from-comment.yml b/.github/workflows/content-checklist-from-comment.yml
index e6008989b..a03391e3b 100644
--- a/.github/workflows/content-checklist-from-comment.yml
+++ b/.github/workflows/content-checklist-from-comment.yml
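Review bot: `peter-evans/create-or-update-comment@v3` is referenced by a mutable major tag in a job that holds an `issues: write` token, while the same action is pinned to a full commit SHA in automate-review-documentation.yml later in this patch; pin it to a commit here too, e.g. `uses: peter-evans/create-or-update-comment@<full-commit-sha> # v3`, so the two files agree. Worth a comment for callers as well: since this file is invoked via `workflow_call`, the job-level `issues: write` can never exceed what the calling job grants, so the caller's `permissions:` block is the effective limit — `# Effective scope is capped by the calling job's permissions` above the block would make that explicit. The job's remaining steps are outside the hunk.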
@@ -6,33 +6,47 @@ on:
 types: created
 # types: [created, edited] <= Use this if we want the workflow to run when a comment is edited, too
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 tutorial-issue:
 if: ${{ contains(github.event.comment.body, '//tutorial') }}
+ permissions:
+ issues: write # Required to comment on issues and add labels
 uses: ./.github/workflows/comment-with-checklist.yml
 with:
 content-type: 'tutorial'
 online-workshop-issue:
 if: ${{ contains(github.event.comment.body, '//online-workshop') }}
+ permissions:
+ issues: write # Required to comment on issues and add labels
 uses: ./.github/workflows/comment-with-checklist.yml
 with:
 content-type: 'online-workshop'
 lesson-plan-issue:
 if: ${{ contains(github.event.comment.body, '//lesson-plan') }}
+ permissions:
+ issues: write # Required to comment on issues and add labels
 uses: ./.github/workflows/comment-with-checklist.yml
 with:
 content-type: 'lesson-plan'
 course-issue:
 if: ${{ contains(github.event.comment.body, '//course') }}
+ permissions:
+ issues: write # Required to comment on issues and add labels
 uses: ./.github/workflows/comment-with-checklist.yml
 with:
 content-type: 'course'
 lesson-issue:
 if: ${{ contains(github.event.comment.body, '//lesson') }}
+ permissions:
+ issues: write # Required to comment on issues and add labels
 uses: ./.github/workflows/comment-with-checklist.yml
 with:
 content-type: 'lesson'
diff --git a/.github/workflows/content-checklist-from-issue.yml b/.github/workflows/content-checklist-from-issue.yml
index 64844b48f..8476092d5 100644
--- a/.github/workflows/content-checklist-from-issue.yml
+++ b/.github/workflows/content-checklist-from-issue.yml
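Review bot: `contains(github.event.comment.body, '//lesson')` in `lesson-issue` is also true for every comment containing `//lesson-plan`, so a `//lesson-plan` comment fires both `lesson-plan-issue` and `lesson-issue` and posts two checklists with the `issues: write` token. Tighten the marker match, for example `if: ${{ contains(github.event.comment.body, '//lesson ') || endsWith(github.event.comment.body, '//lesson') }}`, or have a single step parse the marker and select exactly one content type. Separately, unlike label-feedback-from-comment.yml in the same patch, nothing here excludes `issue_comment` events raised on pull requests, so PR comments also reach these jobs.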
@@ -6,33 +6,47 @@ on:
 types: opened
 # types: [opened, edited] <= Use this if we want the workflow to run when an issue is edited, too
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 tutorial-issue:
 if: ${{ contains(github.event.issue.body, '//tutorial') }}
+ permissions:
+ issues: write # Required to comment on issues and add labels
 uses: ./.github/workflows/comment-with-checklist.yml
 with:
 content-type: 'tutorial'
 online-workshop-issue:
 if: ${{ contains(github.event.issue.body, '//online-workshop') }}
+ permissions:
+ issues: write # Required to comment on issues and add labels
 uses: ./.github/workflows/comment-with-checklist.yml
 with:
 content-type: 'online-workshop'
 lesson-plan-issue:
 if: ${{ contains(github.event.issue.body, '//teach') }}
+ permissions:
+ issues: write # Required to comment on issues and add labels
 uses: ./.github/workflows/comment-with-checklist.yml
 with:
 content-type: 'teach'
 course-issue:
 if: ${{ contains(github.event.issue.body, '//course') }}
+ permissions:
+ issues: write # Required to comment on issues and add labels
 uses: ./.github/workflows/comment-with-checklist.yml
 with:
 content-type: 'course'
 lesson-issue:
 if: ${{ contains(github.event.issue.body, '//lesson') }}
+ permissions:
+ issues: write # Required to comment on issues and add labels
 uses: ./.github/workflows/comment-with-checklist.yml
 with:
 content-type: 'lesson'
diff --git a/.github/workflows/i18n.yml b/.github/workflows/i18n.yml
index 880ce7992..969a32b4b 100644
--- a/.github/workflows/i18n.yml
+++ b/.github/workflows/i18n.yml
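Review bot: `lesson-plan-issue` here passes `content-type: 'teach'`, whereas the comment-triggered sibling (content-checklist-from-comment.yml, same patch) passes `'lesson-plan'` for the identically named job, and the reusable workflow dispatches on `contains(inputs.content-type, ...)`. Only the `'tutorial'` step of comment-with-checklist.yml is visible in this patch, so if it has no step matching `'teach'` this job runs with `issues: write` and posts nothing. Either align the value with the comment workflow, `content-type: 'lesson-plan'`, or confirm a `'teach'` branch exists in the reusable workflow and note that in a comment on this line.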
@@ -5,11 +5,17 @@ on:
 - cron: '0 6,18 * * *'
 workflow_dispatch:
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 translation-strings:
 name: Translation strings
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # Required to commit and push updated translation strings
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/incomplete-workflows/add-to-project-when-labeled.yml b/.github/workflows/incomplete-workflows/add-to-project-when-labeled.yml
index 562002313..fe23b3ef9 100644
--- a/.github/workflows/incomplete-workflows/add-to-project-when-labeled.yml
+++ b/.github/workflows/incomplete-workflows/add-to-project-when-labeled.yml
@@ -9,10 +9,17 @@ on:
 types:
 - labeled
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 add-to-web-development-project:
 name: Add issues labeled "[Type] Bug" to web development project
 runs-on: ubuntu-latest
+ permissions:
+ issues: read # Required to read issue data
+ projects: write # Required to add issues to the GitHub project
 steps:
 - uses: actions/add-to-project@v0.5.0
 if: contains(github.event.issue.labels.*.name, 'Awaiting Triage')
@@ -24,6 +31,9 @@ jobs:
 add-to-content-feedback-project:
 name: Add issues labeled "Content Feedback" to LearnWP Content - Feedback project
 runs-on: ubuntu-latest
+ permissions:
+ issues: read # Required to read issue data
+ projects: write # Required to add issues to the GitHub project
 steps:
 - uses: actions/add-to-project@v0.5.0
 if: contains(github.event.issue.labels.*.name, 'Awaiting Triage')
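Review bot: `projects: write` on the job token only applies to classic repository projects; the installation `GITHUB_TOKEN` cannot add items to organization or user Projects (v2), which is what `actions/add-to-project` targets, so that action is normally given a PAT or GitHub App token through `with: github-token` — the `with:` block is outside the hunk, so this is inferred. If that is the case here, the job-level `permissions:` does not constrain the credential actually used and `# Required to add issues to the GitHub project` overstates what the scope does; reword it to something like `projects: write # Classic projects only; the action authenticates with the token passed via with.github-token` or drop the scope once confirmed unused. `actions/add-to-project@v0.5.0` is also a mutable tag and should be pinned to a commit SHA. Note too that this file sits under `incomplete-workflows/`, a subdirectory GitHub does not load workflows from, so none of this runs until it is moved.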
@@ -35,6 +45,9 @@ jobs:
 add-to-admin-project:
 name: Add handbook issues to Training Team Administration project
 runs-on: ubuntu-latest
+ permissions:
+ issues: read # Required to read issue data
+ projects: write # Required to add issues to the GitHub project
 steps:
 - uses: actions/add-to-project@v0.5.0
 if: contains(github.event.issue.labels.*.name, 'Awaiting Triage') || contains(github.event.issue.labels.*.name, '[Admin] Meeting Agenda')
diff --git a/.github/workflows/incomplete-workflows/automate-review-documentation.yml b/.github/workflows/incomplete-workflows/automate-review-documentation.yml
index a69290a61..f5dd56524 100644
--- a/.github/workflows/incomplete-workflows/automate-review-documentation.yml
+++ b/.github/workflows/incomplete-workflows/automate-review-documentation.yml
@@ -14,12 +14,17 @@ on:
 issues:
 types:
 - labeled
+
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 add-comment:
 if: github.event.label.name == 'Ready for Review'
 runs-on: ubuntu-latest
 permissions:
- issues: write
+ issues: write # Required to post comments on issues
 steps:
 - name: Add comment
 uses: peter-evans/create-or-update-comment@5f728c3dae25f329afbe34ee4d08eef25569d79f
diff --git a/.github/workflows/label-feedback-from-comment.yml b/.github/workflows/label-feedback-from-comment.yml
index 2f65acc37..ddcc826fb 100644
--- a/.github/workflows/label-feedback-from-comment.yml
+++ b/.github/workflows/label-feedback-from-comment.yml
@@ -5,13 +5,17 @@ on:
 issue_comment:
 types: [created, edited]
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 label_issues:
 if: ${{ !github.event.issue.pull_request }}
 runs-on: ubuntu-latest
 permissions:
- issues: write
+ issues: write # Required to add labels to issues
 steps:
 - uses: actions/github-script@v7.0.1
 with:
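Review bot: `peter-evans/create-or-update-comment@5f728c3dae25f329afbe34ee4d08eef25569d79f` in automate-review-documentation.yml is the right way to pin, but the bare hash carries no version hint while every other workflow in this patch references the same action as `@v3`, so a reader cannot tell whether the two are the same release. Append the tag the commit resolves to as a trailing comment, `uses: peter-evans/create-or-update-comment@5f728c3dae25f329afbe34ee4d08eef25569d79f # <resolved tag>`, which also lets Dependabot and reviewers reconcile the two forms. The step's `with:` inputs are outside the hunk.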
diff --git a/.github/workflows/label-feedback-from-issue.yml b/.github/workflows/label-feedback-from-issue.yml
index 1800e704d..f2b1fc694 100644
--- a/.github/workflows/label-feedback-from-issue.yml
+++ b/.github/workflows/label-feedback-from-issue.yml
@@ -5,13 +5,17 @@ on:
 issues:
 types: [opened, edited]
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 label_issues:
 if: ${{ !github.event.issue.pull_request }}
 runs-on: ubuntu-latest
 permissions:
- issues: write
+ issues: write # Required to add labels to issues
 steps:
 - uses: actions/github-script@v7.0.1
 with:
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index f53bd1a39..dc9565650 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -7,10 +7,16 @@ on:
 pull_request:
 workflow_dispatch:
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 check:
 name: Lint
 runs-on: ubuntu-latest
+ permissions:
+ contents: read # Required to clone the repo
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/published-content.yml b/.github/workflows/published-content.yml
index d64d99dd6..7fcc99cb5 100644
--- a/.github/workflows/published-content.yml
+++ b/.github/workflows/published-content.yml
@@ -7,10 +7,16 @@ on:
 issue_comment:
 types: [created, edited]
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 publish-commment:
 runs-on: ubuntu-latest
 if: contains(github.event.comment.body, '//publish')
+ permissions:
+ issues: write # Required to add/remove labels and close issues
 steps:
 - name: Remove co-host label
 if: contains(github.event.issue.labels.*.name, '[Content] Needs Co-host')
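Review bot: In published-content.yml, `if: contains(github.event.comment.body, '//publish')` is the only gate on a job that now holds `issues: write` to remove labels and close issues, and nothing in the hunk checks who posted the comment, so any account able to comment on an issue can trigger it; the sibling label-feedback workflows at least exclude pull-request comments with `!github.event.issue.pull_request`, which this job lacks. Add an author check to the job condition, e.g. `if: contains(github.event.comment.body, '//publish') && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`. The remaining steps of `publish-commment` are outside the hunk, so whether one of them already enforces this cannot be confirmed from here.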
diff --git a/.github/workflows/review-instructions.yml b/.github/workflows/review-instructions.yml
index c00ecdf6c..4ec1ad3be 100644
--- a/.github/workflows/review-instructions.yml
+++ b/.github/workflows/review-instructions.yml
@@ -3,11 +3,15 @@ on:
 issue_comment:
 types: [created, edited]
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 add-comment:
 runs-on: ubuntu-latest
 permissions:
- issues: write
+ issues: write # Required to post comments on issues
 steps:
 - uses: peter-evans/create-or-update-comment@v3
 if: ${{ contains(github.event.comment.body, '//review') }}
diff --git a/.github/workflows/self-assign-issue.yml b/.github/workflows/self-assign-issue.yml
index a24c8c111..87a97ae2c 100644
--- a/.github/workflows/self-assign-issue.yml
+++ b/.github/workflows/self-assign-issue.yml
@@ -5,10 +5,16 @@ on:
 issue_comment:
 types: [created, edited]
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 assign-issue:
 if: contains(github.event.comment.body, '//assign')
 runs-on: ubuntu-latest
+ permissions:
+ issues: write # Required to assign issues, add labels, and post comments
 steps:
 - name: Assign the comment author
 uses: takanome-dev/assign-issue-action@v2.0.0
From 1385ffe785b497524f65664baf73c52a2e006603 Mon Sep 17 00:00:00 2001
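Review bot: In self-assign-issue.yml, `takanome-dev/assign-issue-action@v2.0.0` is a third-party action referenced by a mutable tag, and it now runs with an `issues: write` token on an `issue_comment` trigger that any commenter can fire with `//assign`; a retargeted tag would swap in different code under that token. Pin it to a full commit SHA and keep the version as a trailing comment, `uses: takanome-dev/assign-issue-action@<full-commit-sha> # v2.0.0`, matching the SHA pinning already used in automate-review-documentation.yml in this patch. The action's `with:` inputs and the rest of the job are outside the hunk.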
From: John Blackbourn
Date: Wed, 13 May 2026 14:18:06 +0100
Subject: [PATCH 2/3] Set timeouts on all jobs.
---
 .github/workflows/build.yml | 1 +
 .github/workflows/comment-with-checklist.yml | 1 +
 .github/workflows/i18n.yml | 1 +
 .../incomplete-workflows/add-to-project-when-labeled.yml | 3 +++
 .../incomplete-workflows/automate-review-documentation.yml | 1 +
 .github/workflows/label-feedback-from-comment.yml | 1 +
 .github/workflows/label-feedback-from-issue.yml | 1 +
 .github/workflows/linters.yml | 1 +
 .github/workflows/published-content.yml | 1 +
 .github/workflows/review-instructions.yml | 1 +
 .github/workflows/self-assign-issue.yml | 1 +
 11 files changed, 13 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a8ca96492..e02a6e6e2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,6 +13,7 @@ jobs:
 build:
 name: Build
 runs-on: ubuntu-latest
+ timeout-minutes: 30
 permissions:
 contents: write # Required to push the build branch
 steps:
diff --git a/.github/workflows/comment-with-checklist.yml b/.github/workflows/comment-with-checklist.yml
index c92422483..706a7afbb 100644
--- a/.github/workflows/comment-with-checklist.yml
+++ b/.github/workflows/comment-with-checklist.yml
@@ -15,6 +15,7 @@ permissions: {}
 jobs:
 add-comment:
 runs-on: ubuntu-latest
+ timeout-minutes: 10
 permissions:
 issues: write # Required to comment on issues and add labels
 steps:
diff --git a/.github/workflows/i18n.yml b/.github/workflows/i18n.yml
index 969a32b4b..9db096e26 100644
--- a/.github/workflows/i18n.yml
+++ b/.github/workflows/i18n.yml
@@ -14,6 +14,7 @@ jobs:
 name: Translation strings
 runs-on: ubuntu-latest
+ timeout-minutes: 30
 permissions:
 contents: write # Required to commit and push updated translation strings
diff --git a/.github/workflows/incomplete-workflows/add-to-project-when-labeled.yml b/.github/workflows/incomplete-workflows/add-to-project-when-labeled.yml
index fe23b3ef9..124bd2e8b 100644
--- a/.github/workflows/incomplete-workflows/add-to-project-when-labeled.yml
+++ b/.github/workflows/incomplete-workflows/add-to-project-when-labeled.yml
@@ -17,6 +17,7 @@ jobs:
 add-to-web-development-project:
 name: Add issues labeled "[Type] Bug" to web development project
 runs-on: ubuntu-latest
+ timeout-minutes: 10
 permissions:
 issues: read # Required to read issue data
 projects: write # Required to add issues to the GitHub project
@@ -31,6 +32,7 @@ jobs:
 add-to-content-feedback-project:
 name: Add issues labeled "Content Feedback" to LearnWP Content - Feedback project
 runs-on: ubuntu-latest
+ timeout-minutes: 10
 permissions:
 issues: read # Required to read issue data
 projects: write # Required to add issues to the GitHub project
@@ -45,6 +47,7 @@ jobs:
 add-to-admin-project:
 name: Add handbook issues to Training Team Administration project
 runs-on: ubuntu-latest
+ timeout-minutes: 10
 permissions:
 issues: read # Required to read issue data
 projects: write # Required to add issues to the GitHub project
diff --git a/.github/workflows/incomplete-workflows/automate-review-documentation.yml b/.github/workflows/incomplete-workflows/automate-review-documentation.yml
index f5dd56524..2626b0962 100644
--- a/.github/workflows/incomplete-workflows/automate-review-documentation.yml
+++ b/.github/workflows/incomplete-workflows/automate-review-documentation.yml
@@ -23,6 +23,7 @@ jobs:
 add-comment:
 if: github.event.label.name == 'Ready for Review'
 runs-on: ubuntu-latest
+ timeout-minutes: 10
 permissions:
 issues: write # Required to post comments on issues
 steps:
diff --git a/.github/workflows/label-feedback-from-comment.yml b/.github/workflows/label-feedback-from-comment.yml
index ddcc826fb..aefb706b8 100644
--- a/.github/workflows/label-feedback-from-comment.yml
+++ b/.github/workflows/label-feedback-from-comment.yml
@@ -14,6 +14,7 @@ jobs:
 label_issues:
 if: ${{ !github.event.issue.pull_request }}
 runs-on: ubuntu-latest
+ timeout-minutes: 10
 permissions:
 issues: write # Required to add labels to issues
 steps:
diff --git a/.github/workflows/label-feedback-from-issue.yml b/.github/workflows/label-feedback-from-issue.yml
index f2b1fc694..3ca5d226c 100644
--- a/.github/workflows/label-feedback-from-issue.yml
+++ b/.github/workflows/label-feedback-from-issue.yml
@@ -14,6 +14,7 @@ jobs:
 label_issues:
 if: ${{ !github.event.issue.pull_request }}
 runs-on: ubuntu-latest
+ timeout-minutes: 10
 permissions:
 issues: write # Required to add labels to issues
 steps:
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index dc9565650..224cebf86 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -15,6 +15,7 @@ jobs:
 check:
 name: Lint
 runs-on: ubuntu-latest
+ timeout-minutes: 30
 permissions:
 contents: read # Required to clone the repo
 steps:
diff --git a/.github/workflows/published-content.yml b/.github/workflows/published-content.yml
index 7fcc99cb5..b19ce0482 100644
--- a/.github/workflows/published-content.yml
+++ b/.github/workflows/published-content.yml
@@ -14,6 +14,7 @@ permissions: {}
 jobs:
 publish-commment:
 runs-on: ubuntu-latest
+ timeout-minutes: 10
 if: contains(github.event.comment.body, '//publish')
 permissions:
 issues: write # Required to add/remove labels and close issues
diff --git a/.github/workflows/review-instructions.yml b/.github/workflows/review-instructions.yml
index 4ec1ad3be..75c048eab 100644
--- a/.github/workflows/review-instructions.yml
+++ b/.github/workflows/review-instructions.yml
@@ -10,6 +10,7 @@ permissions: {}
 jobs:
 add-comment:
 runs-on: ubuntu-latest
+ timeout-minutes: 10
 permissions:
 issues: write # Required to post comments on issues
 steps:
diff --git a/.github/workflows/self-assign-issue.yml b/.github/workflows/self-assign-issue.yml
index 87a97ae2c..12857e5d1 100644
--- a/.github/workflows/self-assign-issue.yml
+++ b/.github/workflows/self-assign-issue.yml
@@ -13,6 +13,7 @@ jobs:
 assign-issue:
 if: contains(github.event.comment.body, '//assign')
 runs-on: ubuntu-latest
+ timeout-minutes: 10
 permissions:
 issues: write # Required to assign issues, add labels, and post comments
 steps:
From f5857ed70cdc46962828b1d2e1ea30a1ef3d6dd3 Mon Sep 17 00:00:00 2001
From: Jonathan Desrosiers <359867+desrosj@users.noreply.github.com>
Date: Wed, 13 May 2026 09:41:17 -0400
Subject: [PATCH 3/3] Address minor feedback on surrounding lines.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/published-content.yml | 2 +-
 .github/workflows/review-instructions.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/published-content.yml b/.github/workflows/published-content.yml
index b19ce0482..7dc0a3af7 100644
--- a/.github/workflows/published-content.yml
+++ b/.github/workflows/published-content.yml
@@ -12,7 +12,7 @@ on:
 permissions: {}
 jobs:
- publish-commment:
+ publish-comment:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 if: contains(github.event.comment.body, '//publish')
diff --git a/.github/workflows/review-instructions.yml b/.github/workflows/review-instructions.yml
index 75c048eab..a34a78ddd 100644
--- a/.github/workflows/review-instructions.yml
+++ b/.github/workflows/review-instructions.yml
@@ -15,7 +15,7 @@ jobs:
 issues: write # Required to post comments on issues
 steps:
 - uses: peter-evans/create-or-update-comment@v3
- if: ${{ contains(github.event.comment.body, '//review') }}
+ if: ${{ contains(github.event.comment.body, '//review') }}
 with:
 issue-number: ${{ github.event.issue.number }}
 body: |