GitHub Actions workflow updates #404
Pull request overview
This PR hardens the repository’s GitHub Actions workflows by applying the principle of least privilege (defaulting permissions to none and granting only what each job needs) and by adding explicit timeout-minutes values to prevent runaway jobs.
Changes:
- Set workflow-level `permissions: {}` across workflows and add job-level `permissions` (primarily `contents: read`, with `contents: write` where publishing is needed).
- Add/standardize `timeout-minutes` across jobs (including release workflows).
- Update/clarify inline permission rationale comments (e.g., why `contents: read`/`write` is required).
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/wp-tests-phpunit.yml | Disables default token permissions and grants contents: read per job; keeps job timeouts. |
| .github/workflows/wp-tests-end-to-end.yml | Disables default token permissions and grants contents: read for checkout; keeps job timeout. |
| .github/workflows/wasm-spike.yml | Disables default token permissions and grants contents: read per job; keeps job timeouts. |
| .github/workflows/verify-version.yml | Disables default token permissions, adds contents: read, and adds a job timeout. |
| .github/workflows/release-wporg.yml | Disables default token permissions; adds job timeout and keeps contents: read for checkout/release download. |
| .github/workflows/release-publish.yml | Disables default token permissions; adds job timeout; scopes contents: write for release creation and contents: read for called deploy workflow. |
| .github/workflows/publish-wasm-extension-artifact.yml | Disables default token permissions; adds job-level permissions (contents: read / contents: write) aligned to build vs publish steps. |
| .github/workflows/phpunit-tests.yml | Disables default token permissions and adds inline rationale for contents: read on the reusable-workflow job. |
| .github/workflows/phpunit-tests-run.yml | Disables default token permissions and grants contents: read for checkout within the called workflow job. |
| .github/workflows/mysql-proxy-tests.yml | Disables default token permissions and grants contents: read for checkout; keeps job timeout. |
| .github/workflows/mysql-parser-extension-tests.yml | Disables default token permissions and grants contents: read for checkout; keeps job timeout. |
| .github/workflows/end-to-end-tests.yml | Disables default token permissions and grants contents: read for checkout; keeps job timeout. |
| .github/workflows/cs.yml | Disables default token permissions; adds job timeout and contents: read for checkout. |
Comments suppressed due to low confidence (1)
.github/workflows/cs.yml:44
`actions/checkout@main` is a mutable reference and weakens the security posture (supply-chain risk), especially now that workflows are being tightened for least privilege. Pin `actions/checkout` to a stable tag (e.g., `@v4`) or a full commit SHA.

```yaml
      contents: read # Required to clone the repo.
    steps:
      - name: Checkout code
        uses: actions/checkout@main
```
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
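As an added illustration of the pattern described in the overview above (workflow-level `permissions: {}`, job-level grants, `timeout-minutes`) and of the pinning point raised in the suppressed comment, here is a hypothetical workflow; it is not one of the files changed in this PR, and the job names, branch name and release command are assumptions.

```yaml
# Hypothetical workflow illustrating the least-privilege layout this PR applies.
name: Tests and release

on:
  pull_request:
  push:
    branches: [trunk] # Assumed default branch.

# Workflow level: the GITHUB_TOKEN starts with no permissions at all.
# Every job below has to ask for exactly what it needs.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 20 # Bounds a hung test run instead of holding the runner.
    permissions:
      contents: read # Required to clone the repo.
    steps:
      - name: Checkout code
        # Pinned to a release tag rather than the mutable @main branch ref;
        # a full commit SHA is the stricter option.
        uses: actions/checkout@v4
      - name: Run tests
        run: vendor/bin/phpunit

  phpunit-reusable:
    # Calling a reusable workflow from this PR's file list: the called job
    # can never receive more than the caller grants here. timeout-minutes
    # is set on the jobs inside the called workflow, not on this caller job.
    uses: ./.github/workflows/phpunit-tests-run.yml
    permissions:
      contents: read # Required for the checkout inside the called workflow.

  publish:
    needs: test
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: write # Required to create the GitHub release; read-only jobs above never get this.
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Create release
        run: gh release create "v${{ github.run_number }}" --generate-notes # Assumed versioning scheme.
        env:
          GH_TOKEN: ${{ github.token }}
```

With the workflow-level `permissions: {}` in place, the repository setting mentioned in the PR description can be switched to read-only because no job relies on the default write token.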
desrosj left a comment:
I merged one suggestion from Copilot on this one. Looked valid and reasonable to me. @johnbillion would appreciate a double check when you can.
I'm honestly not sure on that one, the workflow has been running without it. But it's safe to add so yes let's keep it.

This setting has been changed.
This updates the GitHub Actions workflow files to:
Once this PR is merged, the Settings -> Actions -> Workflow permissions setting can be changed by a repo admin to "Read repository contents and packages permissions".
References
Use of AI
Claude Code was used to create the initial changes. All permissions and timeouts changes were reviewed and adjusted by me where necessary.