#62221 GitHub Actions workflow hardening #8007
base: trunk
Conversation
…ions in JavaScript steps.
…ub Actions expressions with environment variables.
# Conflicts: # .github/workflows/reusable-performance.yml
…lue benefits from the double quote encapsulation, which is not true. Revert to the prior syntax.
# Conflicts: # docker-compose.yml
…environment or the output.
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN:
To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.
@johnbillion Based on my limited GH Actions knowledge, this looks reasonable to me.
Since it covers all the different workflows, I think we need to do some extra post-commit verification though. Obviously all workflows should pass, but there are other aspects that we also need to test that wouldn't cause a workflow to fail - such as ensuring the performance data for each commit is still sent to the Code Vitals dashboard as expected.
- name: Set commit details | ||
# Only needed when publishing results. | ||
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' && ! inputs.memcached && ! inputs.multisite }} | ||
# Write to an environment variable to have the output available in later steps of the job. | ||
run: echo "COMMITTED_AT=$(git show -s $GITHUB_SHA --format='%cI')" >> $GITHUB_ENV |
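Review bot: `$GITHUB_SHA` and `$GITHUB_ENV` are unquoted in the `run:` line of the Set commit details step; quoting them (`run: echo "COMMITTED_AT=$(git show -s "$GITHUB_SHA" --format='%cI')" >> "$GITHUB_ENV"`) is what shellcheck expects for variable expansions and keeps the step clean under the actionlint check this PR introduces, which reports shellcheck findings for `run:` scripts when shellcheck is installed.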
This was just recently modified to fix a problem in https://core.trac.wordpress.org/changeset/59582. Your change looks right, but let's double-check that the commit data is still sent correctly after this has been committed to Core.
@@ -64,6 +64,10 @@ env: | |||
LOCAL_PHP: ${{ inputs.php-version }}${{ 'latest' != inputs.php-version && '-fpm' || '' }} | |||
LOCAL_MULTISITE: ${{ inputs.multisite }} | |||
|
|||
# Disable permissions for all available scopes by default. | |||
# Any needed permissions should be configured at the job level. | |||
permissions: {} |
I'm not quite familiar with how this permissions element works in GH Actions. Makes sense that it's an empty default for security. But I'm curious, for what kind of steps or jobs would one need to override this?
Typically for any write action, like pushing changes to the repository or writing PR comments or changing labels.
By disabling that by default if not needed, this reduces risk of privilege escalation, where for example one can suddenly push changes to a repository through a workflow.
There are some really fine-grained permissions available, so there's a good number of possibilities.
We also use contents: read permissions for the Slack notifications workflow so that the steps can read previous workflow runs and determine which message to send to Slack.
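To make the permissions model discussed above concrete, here is an added illustration (not code from this PR or from WordPress) of a workflow with a default-deny block and per-job grants, combined with the PR's pattern of passing context values to run steps through environment variables; the job names, the step contents and the "ready" label are hypothetical, and the checkout pin is the one used in this PR.

```yaml
# Added illustration, not part of the PR: default-deny permissions with
# per-job grants, and context values passed to the shell via env vars.
# Job names, step names and the "ready" label are hypothetical.
name: Example hardened workflow

on:
  pull_request:

# Every scope of the GITHUB_TOKEN is denied unless a job opts in.
permissions: {}

jobs:
  lint:
    runs-on: ubuntu-latest
    # Checking out and reading the repository needs only contents: read.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Do not leave the token in .git/config for later steps.
          persist-credentials: false
      - name: Show commit details
        env:
          # Event data reaches the shell as a variable, not as ${{ }}
          # text spliced into the script, so it is never parsed as code.
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          git show -s "$GITHUB_SHA" --format='%cI'
          printf 'Linting PR: %s\n' "$PR_TITLE"

  label:
    runs-on: ubuntu-latest
    needs: lint
    # The only job allowed to write, and only to pull requests.
    permissions:
      pull-requests: write
    steps:
      - name: Add label
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: gh pr edit "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --add-label ready
```

If the lint job tried to push or comment, the empty default would make the API call fail with a permissions error, which is the behaviour the PR is relying on.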
Thanks for this, @johnbillion! Looks really great. I left mostly questions, some inline documentation additions, and a few suggestions. Feel free to commit after going through them!
push: | ||
branches: | ||
- trunk | ||
- '[0-9].[0-9]' |
In the past when introducing new workflows, I've tried to use only future facing patterns starting with when the workflow was introduced. I don't feel strongly about not doing that here, but may be nice for consistency.
- '[0-9].[0-9]' | |
- '6.[8-9]' | |
- '[7-9].[0-9]' |
This would require an update once we get to version 10.0, but based on 3 releases per year, that's not for at least 7 years from now.
branches: | ||
- trunk | ||
- '[0-9].[0-9]' | ||
tags: |
Should this be run on tagging? Since this is only a build tool facing linter, I'm not sure we need to run it on a tag. We don't currently run the Docker environment or theme build test workflows on tag.
|
||
# https://github.com/rhysd/actionlint | ||
- name: Run actionlint | ||
uses: docker://rhysd/actionlint:1.7.7 |
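Review bot: `docker://rhysd/actionlint:1.7.7` is pinned only by a mutable image tag, whereas the checkout action in this PR is pinned to a commit SHA (`actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`); pinning the image by digest (`docker://rhysd/actionlint@sha256:<digest of the 1.7.7 image>` with a `# 1.7.7` comment) would give the linter that runs on every push the same immutability guarantee as the actions.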
Do you know if this gets picked up by Dependabot as currently configured? It's not clear in the docs.
with: | ||
persist-credentials: false | ||
|
||
# https://github.com/rhysd/actionlint |
# https://github.com/rhysd/actionlint | |
# actionlint is static checker for GitHub Actions workflow files. | |
# See https://github.com/rhysd/actionlint. |
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
timeout-minutes: 1 |
Would we want to pad this to 5 to guard against poor network connectivity or service level issues that cause delays?
|
||
jobs: | ||
actionlint: | ||
name: Actionlint |
name: Actionlint | |
name: Run actionlint |
permissions: {} | ||
|
||
jobs: | ||
actionlint: |
actionlint: | |
# Runs the actionlint GitHub Action workflow file linter. | |
# | |
# This helps guard against common mistakes including strong type checking for expressions (${{ }}), security checks, | |
# `run:` script checking, glob syntax validation, and more. | |
# | |
# Performs the following steps: | |
# - Checks out the repository. | |
# - Runs actionlint. | |
actionlint: |
- name: Checkout repository | ||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
with: | ||
persist-credentials: false |
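Review bot: `persist-credentials: false` on the checkout step has no explanatory comment, unlike the annotated steps elsewhere in this PR; a one-line comment such as `# Do not keep the GITHUB_TOKEN in .git/config after checkout; this job only reads.` would record why any later step that tries to push with the checked-out credentials is expected to fail.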
persist-credentials: false | |
persist-credentials: false | |
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} |
We have this in other workflows calling checkout to limit the output when debug mode is disabled.
|
||
jobs: | ||
lint: | ||
name: Lint |
name: Lint | |
name: Lint GitHub Action files |
Makes the job name a bit less generic.
@@ -37,6 +37,10 @@ on: | |||
type: 'string' | |||
default: '5.7' | |||
|
|||
# Disable permissions for all available scopes by default. |
Looks like we're now disabling permissions for all jobs in this callable workflow, but the upgrade-testing.yml file is passing contents: read. Unless I'm missing something, that can be changed to {}.
What this does:
permissions: {} declarations to workflows and jobs.
environment properties in docker-compose.yml.
Notes
This PR previously included additional static analysis of workflow files using Octoscan, Zizmor, and Poutine, but I've removed these and I'll be proposing them separately at a later date.
Trac ticket: https://core.trac.wordpress.org/ticket/62221