10 changes: 10 additions & 0 deletions .github/workflows/bump-wordpress-tested-up-to.yml
@@ -8,10 +8,17 @@ on:
description: 'Plugin slug (leave empty for all plugins)'
required: false

# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}

jobs:
prepare-matrix:
name: Prepare plugins matrix
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
contents: read # Required to clone the repo.
Member
Safe to keep but not required for public repos.

Member
@desrosj desrosj May 13, 2026
With permissions: {} being set at the workflow level, I think the idea here is to be explicit instead of relying on an implicit fallback.

It's also good to have just in case the workflow's overall permissions change for some reason, or someone creates a private fork or mirror (which does happen for some of the important repositories in the WordPress org).

Member Author
@johnbillion johnbillion May 13, 2026
Yeah, it also facilitates contributors running the workflows on a private fork. See:

outputs:
matrix: ${{ steps.set-matrix.outputs.plugins }}
steps:
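Review bot: The job-level `permissions:` block on `prepare-matrix` is doing real work once `permissions: {}` is set at the workflow level, because the workflow-level block empties the token for every job rather than just lowering the default; the comment `# Any needed permissions should be configured at the job level.` could say that explicitly so a future job added without its own `permissions:` block is not surprised by a failing checkout. The `timeout-minutes: 10` addition is unrelated to the permission hardening and would be easier to audit in its own commit.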
@@ -39,6 +46,9 @@ jobs:
name: Update "Tested up to" value for ${{ matrix.plugin }}
needs: prepare-matrix
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
contents: read # Required to clone the repo.
env:
PLUGIN_SLUG: ${{ matrix.plugin }}
strategy:
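Review bot: `contents: read` may be insufficient for a job named `Update "Tested up to" value for ${{ matrix.plugin }}` if any of its steps (outside this hunk) commit the updated value or open a pull request with `GITHUB_TOKEN`; those need `contents: write` and `pull-requests: write`. If the job instead performs the write with a separate app or PAT token, extend the comment to say so, since `# Required to clone the repo.` alone reads as if cloning is all the job does.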
4 changes: 3 additions & 1 deletion .github/workflows/codeql-analysis.yml
@@ -29,8 +29,10 @@ jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
johnbillion marked this conversation as resolved.
security-events: write
contents: read # Required for actions/checkout to read the repository.
security-events: write # Required to upload CodeQL results.
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
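Review bot: Adding `contents: read` next to `security-events: write` matches the scopes `github/codeql-action` documents for a public repository; if this repository or a mirror is ever private (see the private-fork discussion above), CodeQL also wants `actions: read` so `upload-sarif` can read the run status, and `packages: read` if CodeQL packs are fetched. A comment noting that those two scopes are deliberately omitted for a public repo would stop the next reviewer from re-adding them blindly.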
15 changes: 11 additions & 4 deletions .github/workflows/deploy-plugins.yml
@@ -16,12 +16,17 @@ on:
description: 'Debug mode (run without publishing).'
default: false

# Disable permissions for all available scopes.
# Enable permissions for specific scopes as needed on job level.
permissions: {}

jobs:
pre-run:
name: Pre-run
runs-on: ubuntu-latest
timeout-minutes: 10
desrosj marked this conversation as resolved.
permissions:
contents: read # Required to clone the repo.
outputs:
matrix: ${{ steps.set-matrix.outputs.plugins }}
steps:
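Review bot: The header comment here, `# Disable permissions for all available scopes.` / `# Enable permissions for specific scopes as needed on job level.`, differs in wording from the block used in the other workflows in this PR (`# Disable permissions for all available scopes by default.` / `# Any needed permissions should be configured at the job level.`); align it so a grep for the standard comment finds every workflow.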
@@ -50,9 +55,10 @@ jobs:
name: 'Deploy Plugin: ${{ matrix.plugin }}'
needs: pre-run
runs-on: ubuntu-latest
timeout-minutes: 20
permissions:
desrosj marked this conversation as resolved.
actions: write
deployments: write
contents: read # Required to clone the repo.
deployments: write # Required by bobheadxi/deployments to create and update deployments.
strategy:
matrix:
plugin: ${{ fromJSON(needs.pre-run.outputs.matrix) }}
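Review bot: Dropping `actions: write` from the `deploy` job is the right direction, but confirm nothing in the job's steps (outside this hunk) relied on it: uploading artifacts with `actions/upload-artifact` needs no extra scope, whereas cancelling or dispatching workflow runs does. The remaining `deployments: write` for `bobheadxi/deployments` is explained in the comment; since that third-party action receives the `GITHUB_TOKEN`, pinning it to a full commit SHA, as this PR already does for `actions/checkout`, matters here too.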
@@ -162,9 +168,10 @@ jobs:
name: Add release assets
needs: [pre-run, deploy]
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
actions: read
contents: write
actions: read # Required to look up workflow run artifacts via the GitHub API.
contents: write # Required by softprops/action-gh-release to upload release assets.
if: github.event_name == 'release'
strategy:
matrix:
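Review bot: `contents: write` is the broadest scope granted in this PR; it lets the token push to any branch, not only upload release assets. The `if: github.event_name == 'release'` guard limits when the job runs, which is good, but consider extending the comment to state that `softprops/action-gh-release` needs the write scope only to attach assets and that the job runs no checkout-and-push steps. `actions: read` is only needed when artifacts are fetched from another run via the API; if the assets come from `actions/download-artifact` within the same run, it can be dropped.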
6 changes: 6 additions & 0 deletions .github/workflows/e2e-test.yml
@@ -26,11 +26,17 @@ on:
- reopened
- synchronize

# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}

jobs:
e2e-test:
name: E2E Tests
runs-on: ubuntu-latest
timeout-minutes: 20
permissions:
contents: read # Required to clone the repo.
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
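Review bot: Nit: `timeout-minutes: 20` here versus `10` in the other workflows of this PR is presumably based on observed run times; a short comment would save the next editor from guessing. The scopes are right: `contents: read` is all `actions/checkout` needs, and the action is pinned to a full commit SHA with the version in a trailing comment, which is the pattern to keep.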
7 changes: 7 additions & 0 deletions .github/workflows/js-lint.yml
@@ -31,11 +31,18 @@ on:
- reopened
- synchronize

# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}

jobs:
js-lint:
name: JS Lint
runs-on: ubuntu-latest
timeout-minutes: 20
permissions:
contents: read # Required to clone the repo.
actions: write # Required by styfle/cancel-workflow-action to cancel prior runs.
steps:
- uses: styfle/cancel-workflow-action@d07a454dad7609a92316b57b23c9ccfd4f59af66 # 0.13.1
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
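Review bot: `actions: write` on a lint job is a large grant for the purpose of cancelling superseded runs: it lets the `GITHUB_TOKEN` cancel, re-run or dispatch any workflow in the repository, and the token is handed to a third-party action (`styfle/cancel-workflow-action`). The built-in `concurrency:` key with `cancel-in-progress: true` achieves the same cancellation with no token permission and no external action, after which this job needs only `contents: read`.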
7 changes: 7 additions & 0 deletions .github/workflows/php-lint.yml
@@ -27,11 +27,18 @@ on:
- reopened
- synchronize

# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}

jobs:
php-lint:
name: PHP
runs-on: ubuntu-latest
timeout-minutes: 20
permissions:
contents: read # Required to clone the repo.
actions: write # Required by styfle/cancel-workflow-action to cancel prior runs.
steps:
- uses: styfle/cancel-workflow-action@d07a454dad7609a92316b57b23c9ccfd4f59af66 # 0.13.1
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
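Review bot: Same concern as in js-lint: `actions: write` exists here solely for `styfle/cancel-workflow-action`; replacing that step with a `concurrency:` group keyed on `${{ github.workflow }}-${{ github.ref }}` with `cancel-in-progress: true` removes both the write scope and the third-party dependency, leaving `contents: read` as the only permission this job needs.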
7 changes: 7 additions & 0 deletions .github/workflows/php-test-plugins.yml
@@ -31,11 +31,18 @@ on:
- reopened
- synchronize

# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}

jobs:
php-test-plugins:
name: 'PHP ${{ matrix.php }} / WP ${{ matrix.wp }}'
runs-on: ubuntu-latest
timeout-minutes: 20
permissions:
contents: read # Required to clone the repo.
actions: write # Required by styfle/cancel-workflow-action to cancel prior runs.
desrosj marked this conversation as resolved.
Member

Unrelated to this, but we need to audit third-party actions here.

styfle/cancel-workflow-action should be replaced with concurrency.

```yaml
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true  # or expression which evaluates to true/false
```

Member
@thelovekesh Good call out. I will resolve my review comment stating the same.

Member
I've opened #2472 to address this.

strategy:
fail-fast: false
matrix:
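Review bot: The `actions: write` scope is granted to every cell of the `${{ matrix.php }} / ${{ matrix.wp }}` matrix, so the number of tokens with workflow-cancel rights grows with the matrix size. Since the thread above already agrees to move to `concurrency:` (#2472), consider leaving a `# TODO` referencing that issue next to `actions: write` so the scope is removed together with the cancel step.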
11 changes: 6 additions & 5 deletions .github/workflows/plugin-check.yml
@@ -27,9 +27,10 @@ jobs:
detect-changes:
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
timeout-minutes: 20
permissions:
contents: read
pull-requests: read
contents: read # Required to clone the repo.
pull-requests: read # Required by dorny/paths-filter to read PR file changes.
outputs:
changed-plugins: ${{ steps.filter-plugins.outputs.changed-plugins }}
steps:
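Review bot: `pull-requests: read` for `dorny/paths-filter` is correct and the comment says why. Because this job is gated with `if: github.event_name == 'pull_request'`, on pull requests from forks the `GITHUB_TOKEN` is read-only regardless, so these two read scopes are the effective ceiling either way; worth a one-line comment so nobody tries to raise them for fork PRs later.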
@@ -74,8 +75,9 @@ jobs:
runs-on: ubuntu-latest
# Always run this job, even if detect-changes was skipped
if: always() && (needs.detect-changes.result == 'success' || needs.detect-changes.result == 'skipped')
timeout-minutes: 20
permissions:
contents: read
contents: read # Required to clone the repo.
outputs:
plugins: ${{ steps.set-matrix.outputs.plugins }}
steps:
@@ -141,8 +143,7 @@ jobs:
if: needs.prepare-matrix.result == 'success' && needs.prepare-matrix.outputs.plugins != '[]'
name: Check ${{ matrix.plugin }}
runs-on: ubuntu-24.04
permissions:
contents: read
permissions: {}
timeout-minutes: 20
strategy:
fail-fast: false
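Review bot: Changing this job from `contents: read` to `permissions: {}` assumes the `Check ${{ matrix.plugin }}` job never runs `actions/checkout` and gets the plugin source from elsewhere (for example an artifact produced by `prepare-matrix`); that is not visible in this hunk, so please confirm, and add a comment on `permissions: {}` stating where the job's input comes from. Note also that this job runs on `ubuntu-24.04` while the other jobs in the PR use `ubuntu-latest`; if that is intentional, a comment helps.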
8 changes: 8 additions & 0 deletions .github/workflows/pr-validation.yml
@@ -19,16 +19,24 @@ on:
env:
LABELS: ${{ join( github.event.pull_request.labels.*.name, ' ' ) }}

# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}

jobs:
check-type-label:
name: Check [Type] Label
runs-on: ubuntu-latest
timeout-minutes: 10
permissions: {}
Member
Maybe redundant given permissions are already disabled at the workflow level?

Member
In my opinion, it's good to leave this and be explicit just in case the workflow-level permissions are changed unintentionally/unknowingly. @johnbillion what do you think?

Member Author
Yeah the idea here is to be as explicit as possible. Defence in depth, etc.

Member
Sounds good.

steps:
- if: contains( env.LABELS, '[Type]' ) == false
run: exit 1
check-milestone:
name: Check Milestone
runs-on: ubuntu-latest
timeout-minutes: 10
permissions: {}
Member
Same as above.

steps:
- if: github.event.pull_request.milestone == null && contains( env.LABELS, 'no milestone' ) == false
run: exit 1
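Review bot: Both jobs fail with a bare `run: exit 1`, which leaves the PR author with a red check and no message; consider `run: echo "::error::Missing [Type] label" && exit 1` (and the equivalent wording for the milestone check) so the reason shows up in the job summary. The explicit `permissions: {}` on each job is fine to keep alongside the workflow-level block, as the thread above concludes.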
5 changes: 2 additions & 3 deletions .github/workflows/props-bot.yml
@@ -50,9 +50,8 @@ jobs:
name: Generate a list of props
runs-on: ubuntu-latest
permissions:
# The action needs permission `write` permission for PRs in order to add a comment.
pull-requests: write
contents: read
pull-requests: write # Required by WordPress/props-bot-action to post the props comment on the PR.
contents: read # Required to clone the repo.
timeout-minutes: 20
# The job will run when pull requests are open, ready for review and:
#
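Review bot: `pull-requests: write` on a job that runs for pull requests only takes effect when the token is writable, which is not the case for `pull_request` events from forks; the trigger is outside this hunk, so if the workflow relies on `pull_request_target` to obtain a writable token, make sure the job never checks out the PR head with that token (the base checkout that `contents: read` covers is all a props comment needs). A note in the comment about which event the write scope relies on would help the next reviewer.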
7 changes: 7 additions & 0 deletions .github/workflows/spell-check.yml
@@ -2,10 +2,17 @@ name: Spell Check

on: [pull_request]

# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}

jobs:
spell-checker:
name: Spell Check with Typos
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
contents: read # Required to clone the repo.
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Search for misspellings
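Review bot: With `on: [pull_request]` the `GITHUB_TOKEN` is already read-only for fork PRs, so `contents: read` is the full effective scope and the change is fine. The `Search for misspellings` step is cut off in this hunk; since it runs a third-party spell checker, it should follow the same full-SHA pinning convention used for `actions/checkout` on the line above.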