#62221 GitHub Actions workflow hardening #8007

johnbillion · 2024-12-16T13:03:26Z

What this does:

Removes all usage of inline GitHub Actions expressions in scripts, either replacing them with environment variables or refactoring the affected code. Actions expressions are not safe to use inline inside scripts.
Addresses all instances of missing quotes around variables in scripts to prevent word splitting.
Adds some missing permissions: {} declarations to workflows and jobs.
Introduces Actionlint for static analysis of workflow files. It detects syntax errors, semantic errors with expressions, inputs, outputs, and secrets, and includes several security checks.
Fixes a few issues detected by Actionlint that don't relate to security, for example references to non-existent matrix values and inputs.
Standardises on using maps for the environment properties in docker-compose.yml.
Refactors and reformats a few areas of code for legibility and clarity.

Notes

This PR previously included additional static analysis of workflow files using Octoscan, Zizmor, and Poutine, but I've removed these and I'll be proposing them separately at a later date.

Trac ticket: https://core.trac.wordpress.org/ticket/62221

…ions in JavaScript steps.

…ub Actions expressions with environment variables.

# Conflicts: # .github/workflows/reusable-performance.yml

…e config.

…lue benefits from the double quote encapsulation, which is not true. Revert to the prior syntax.

# Conflicts: # docker-compose.yml

…environment or the output.

github-actions · 2025-01-21T12:32:27Z

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props johnbillion.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

felixarntz

@johnbillion Based on my limited GH Actions knowledge, this looks reasonable to me.

Since it covers all the different workflows, I think we need to do some extra post-commit verification though. Obviously all workflows should pass, but there are other aspects that we also need to test that wouldn't cause a workflow to fail - such as ensuring the performance data for each commit is still sent to the Code Vitals dashboard as expected.

felixarntz · 2025-01-21T17:53:24Z

.github/workflows/reusable-performance.yml

-      - name: Set commit details
-        # Only needed when publishing results.
-        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/trunk' && ! inputs.memcached && ! inputs.multisite }}
-        # Write to an environment variable to have the output available in later steps of the job.
-        run: echo "COMMITTED_AT=$(git show -s $GITHUB_SHA --format='%cI')" >> $GITHUB_ENV


This was just recently modified to fix a problem in https://core.trac.wordpress.org/changeset/59582. Your change looks right, but let's double-check that the commit data is still sent correctly after this has been committed to Core.

felixarntz · 2025-01-21T17:55:18Z

.github/workflows/reusable-performance.yml

@@ -64,6 +64,10 @@ env:
  LOCAL_PHP: ${{ inputs.php-version }}${{ 'latest' != inputs.php-version && '-fpm' || '' }}
  LOCAL_MULTISITE: ${{ inputs.multisite }}

+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}


I'm not quite familiar with how this permissions element works in GH Actions. Makes sense that it's an empty default for security. But I'm curious, for what kind of steps or jobs would one need to override this?

Typically for any write action, like pushing changes to the repository or writing PR comments or changing labels.

By disabling that by default if not needed, this reduces risk of privilege escalation, where for example one can suddenly push changes to a repository through a workflow.

There are some really fine-grained permissions available, so there's a good number of possibilities.

We also use contents: read permissions for the Slack notifications workflow so that the steps can read previous workflow runs and determine which message to send to Slack.

desrosj

Thanks for this, @johnbillion! Looks really great. I left mostly questions, some inline documentation additions, and a few suggestions. Feel free to commit after going through them!

desrosj · 2025-01-21T21:06:27Z

.github/workflows/workflow-lint.yml

+  push:
+    branches:
+      - trunk
+      - '[0-9].[0-9]'


In the past when introducing new workflows, I've tried to use only future facing patterns starting with when the workflow was introduced. I don't feel strongly about not doing that here, but may be nice for consistency.

Suggested change

- '[0-9].[0-9]'

- '6.[8-9]'

- '[7-9].[0-9]'

This would require an update once we get to version 10.0, but based on 3 releases per year, that's not for at least 7 years from now.

desrosj · 2025-01-21T21:12:55Z

.github/workflows/workflow-lint.yml

+    branches:
+      - trunk
+      - '[0-9].[0-9]'
+    tags:


Should this be run on tagging? Since this is only a build tool facing linter, I'm not sure we need to run it on a tag. We don't currently run the Docker environment or theme build test workflows on tag.

desrosj · 2025-01-21T21:21:07Z