Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GitHub Actions workflow hardening #69126

Draft
wants to merge 15 commits into
base: trunk
Choose a base branch
from
Draft

GitHub Actions workflow hardening #69126

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
32951b8
Add an Actionlint workflow.
johnbillion Feb 10, 2025
908465e
Add Octoscan, Zizmor, and Poutine.
johnbillion Feb 10, 2025
a93c6c9
Replace inline expressions with environment variables.
johnbillion Feb 10, 2025
8480d4e
Be explicit about credential use when checking out a repo.
johnbillion Feb 10, 2025
26e53c3
Be strict about quoting environment variables.
johnbillion Feb 10, 2025
45a258f
Update Zizmor.
johnbillion Feb 11, 2025
571dc91
Update upload-sarif.
johnbillion Feb 11, 2025
4d489d2
Disable the dangerous-write rule in Octoscan for now, to reduce the n…
johnbillion Feb 11, 2025
5ddbdd3
Add some more quoting to prevent word splitting.
johnbillion Feb 11, 2025
5ed7adf
These are false positives.
johnbillion Feb 11, 2025
d1426f7
o_O
johnbillion Feb 11, 2025
5f09ce6
Disable permissions for all available scopes by default.
johnbillion Feb 11, 2025
8450599
Add explicit permissions for all jobs.
johnbillion Feb 11, 2025
354cd3d
Remove use of the npm cache during the build.
johnbillion Feb 11, 2025
e32c9b0
Not much we can do about local actions.
johnbillion Feb 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/setup-node/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ runs:
- name: Get Node.js and npm version
id: node-version
run: |
echo "NODE_VERSION=$(node -v)" >> $GITHUB_OUTPUT
echo "NODE_VERSION=$(node -v)" >> "$GITHUB_OUTPUT"
shell: bash

- name: Cache node_modules
Expand Down
95 changes: 60 additions & 35 deletions .github/workflows/build-plugin-zip.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,14 +36,14 @@
curl \
-H "Accept: application/vnd.github.v3+json" \
-o latest.json \
"https://api.github.com/repos/${{ github.repository }}/releases/latest"
LATEST_STABLE_TAG=$(jq --raw-output '.tag_name' latest.json)
"https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest"
LATEST_STABLE_TAG="$(jq --raw-output '.tag_name' latest.json)"
IFS='.' read LATEST_STABLE_MAJOR LATEST_STABLE_MINOR LATEST_STABLE_PATCH <<< "${LATEST_STABLE_TAG#v}"
echo "current_stable_branch=release/${LATEST_STABLE_MAJOR}.${LATEST_STABLE_MINOR}" >> $GITHUB_OUTPUT
if [[ ${LATEST_STABLE_MINOR} == "9" ]]; then
echo "next_stable_branch=release/$((LATEST_STABLE_MAJOR + 1)).0" >> $GITHUB_OUTPUT
echo "current_stable_branch=release/${LATEST_STABLE_MAJOR}.${LATEST_STABLE_MINOR}" >> "$GITHUB_OUTPUT"
Fixed Show fixed Hide fixed
if [[ "${LATEST_STABLE_MINOR}" == "9" ]]; then
echo "next_stable_branch=release/$((LATEST_STABLE_MAJOR + 1)).0" >> "$GITHUB_OUTPUT"
Fixed Show fixed Hide fixed
else
echo "next_stable_branch=release/${LATEST_STABLE_MAJOR}.$((LATEST_STABLE_MINOR + 1))" >> $GITHUB_OUTPUT
echo "next_stable_branch=release/${LATEST_STABLE_MAJOR}.$((LATEST_STABLE_MINOR + 1))" >> "$GITHUB_OUTPUT"
Fixed Show fixed Hide fixed
fi

bump-version:
Expand Down Expand Up @@ -76,31 +76,34 @@
with:
token: ${{ secrets.GUTENBERG_TOKEN }}
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
persist-credentials: true

- name: Compute old and new version
id: get_version
env:
VERSION: ${{ github.event.inputs.version }}
run: |
OLD_VERSION=$(jq --raw-output '.version' package.json)
echo "old_version=${OLD_VERSION}" >> $GITHUB_OUTPUT
if [[ ${{ github.event.inputs.version }} == 'stable' ]]; then
NEW_VERSION=$(npx semver $OLD_VERSION -i patch)
OLD_VERSION="$(jq --raw-output '.version' package.json)"
echo "old_version=${OLD_VERSION}" >> "$GITHUB_OUTPUT"
Fixed Show fixed Hide fixed
if [[ "$VERSION" == 'stable' ]]; then
NEW_VERSION="$(npx semver "$OLD_VERSION" -i patch)"
else
if [[ $OLD_VERSION == *"rc"* ]]; then
NEW_VERSION=$(npx semver $OLD_VERSION -i prerelease)
if [[ "$OLD_VERSION" == *"rc"* ]]; then
NEW_VERSION="$(npx semver "$OLD_VERSION" -i prerelease)"
else
# WordPress version guidelines: If minor is 9, bump major instead.
IFS='.' read -r -a OLD_VERSION_ARRAY <<< "$OLD_VERSION"
if [[ ${OLD_VERSION_ARRAY[1]} == "9" ]]; then
NEW_VERSION="$(npx semver $OLD_VERSION -i major)-rc.1"
NEW_VERSION="$(npx semver "$OLD_VERSION" -i major)-rc.1"
else
NEW_VERSION="$(npx semver $OLD_VERSION -i minor)-rc.1"
NEW_VERSION="$(npx semver "$OLD_VERSION" -i minor)-rc.1"
fi
fi
fi
echo "new_version=${NEW_VERSION}" >> $GITHUB_OUTPUT
echo "new_version=${NEW_VERSION}" >> "$GITHUB_OUTPUT"
Fixed Show fixed Hide fixed
IFS='.' read -r -a NEW_VERSION_ARRAY <<< "$NEW_VERSION"
RELEASE_BRANCH="release/${NEW_VERSION_ARRAY[0]}.${NEW_VERSION_ARRAY[1]}"
echo "release_branch=${RELEASE_BRANCH}" >> $GITHUB_OUTPUT
echo "release_branch=${RELEASE_BRANCH}" >> "$GITHUB_OUTPUT"
Fixed Show fixed Hide fixed

- name: Configure git user name and email
run: |
Expand All @@ -111,46 +114,57 @@
if: |
github.event.inputs.version == 'rc' &&
! contains( steps.get_version.outputs.old_version, 'rc' )
run: git checkout -b "${{ steps.get_version.outputs.release_branch }}"
env:
TARGET_BRANCH: ${{ steps.get_version.outputs.release_branch }}
run: git checkout -b "$TARGET_BRANCH"
Fixed Show fixed Hide fixed

- name: Switch to release branch
if: |
github.event.inputs.version == 'stable' ||
contains( steps.get_version.outputs.old_version, 'rc' )
env:
TARGET_BRANCH: ${{ steps.get_version.outputs.release_branch }}
run: |
git fetch --depth=1 origin "${{ steps.get_version.outputs.release_branch }}"
git checkout "${{ steps.get_version.outputs.release_branch }}"
git fetch --depth=1 origin "$TARGET_BRANCH"
git checkout "$TARGET_BRANCH"
Fixed Show fixed Hide fixed

- name: Update plugin version
env:
VERSION: ${{ steps.get_version.outputs.new_version }}
OLD_VERSION: ${{ steps.get_version.outputs.old_version }}
run: |
cat <<< $(jq --tab --arg version "${VERSION}" '.version = $version' package.json) > package.json
cat <<< $(jq --tab --arg version "${VERSION}" '.version = $version | .packages[""].version = $version' package-lock.json) > package-lock.json
sed -i "s/${{ steps.get_version.outputs.old_version }}/${VERSION}/g" gutenberg.php
cat <<< "$(jq --tab --arg version "${VERSION}" '.version = $version' package.json)" > package.json
cat <<< "$(jq --tab --arg version "${VERSION}" '.version = $version | .packages[""].version = $version' package-lock.json)" > package-lock.json
sed -i "s/${OLD_VERSION}/${VERSION}/g" gutenberg.php

- name: Commit the version bump to the release branch
id: commit_version_bump_to_release_branch
env:
TARGET_BRANCH: ${{ steps.get_version.outputs.release_branch }}
VERSION: ${{ steps.get_version.outputs.new_version }}
run: |
git add gutenberg.php package.json package-lock.json
git commit -m "Bump plugin version to ${{ steps.get_version.outputs.new_version }}"
git push --set-upstream origin "${{ steps.get_version.outputs.release_branch }}"
echo "version_bump_commit=$(git rev-parse --verify --short HEAD)" >> $GITHUB_OUTPUT
git commit -m "Bump plugin version to ${VERSION}"
git push --set-upstream origin "$TARGET_BRANCH"
echo "version_bump_commit=$(git rev-parse --verify --short HEAD)" >> "$GITHUB_OUTPUT"
Fixed Show fixed Hide fixed

- name: Fetch trunk
if: ${{ github.ref != 'refs/heads/trunk' }}
run: git fetch --depth=1 origin trunk

- name: Cherry-pick the version bump commit to trunk
id: commit_version_bump_to_trunk
env:
TARGET_BRANCH: ${{ steps.get_version.outputs.release_branch }}
OLD_VERSION: ${{ steps.get_version.outputs.old_version }}
run: |
git checkout trunk
git pull
TRUNK_VERSION=$(jq --raw-output '.version' package.json)
if [[ ${{ steps.get_version.outputs.old_version }} == "$TRUNK_VERSION" ]]; then
git cherry-pick "${{ steps.get_version.outputs.release_branch }}"
TRUNK_VERSION="$(jq --raw-output '.version' package.json)"
if [[ "$OLD_VERSION" == "$TRUNK_VERSION" ]]; then
git cherry-pick "$TARGET_BRANCH"
git push
echo "version_bump_commit=$(git rev-parse --verify --short HEAD)" >> $GITHUB_OUTPUT
echo "version_bump_commit=$(git rev-parse --verify --short HEAD)" >> "$GITHUB_OUTPUT"
Fixed Show fixed Hide fixed
fi

build:
Expand All @@ -172,6 +186,7 @@
with:
ref: ${{ needs.bump-version.outputs.release_branch || github.ref }}
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
persist-credentials: false

- name: Use desired version of Node.js
uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
Expand Down Expand Up @@ -200,7 +215,7 @@
MILESTONE="Gutenberg ${VERSION_ARRAY[0]}.${VERSION_ARRAY[1]}"
npm run other:changelog -- --milestone="$MILESTONE" --unreleased > release-notes.txt
sed -ie '1,6d' release-notes.txt
if [[ ${{ needs.bump-version.outputs.new_version }} != *"rc"* ]]; then
if [[ "${VERSION}" != *"rc"* ]]; then
# Include previous RCs' release notes, if any
CHANGELOG_REGEX="=\s[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?\s="
RC_REGEX="=\s${VERSION}(-rc\.[0-9]+)?\s="
Expand Down Expand Up @@ -231,6 +246,7 @@
ref: ${{ needs.bump-version.outputs.release_branch }}
token: ${{ secrets.GUTENBERG_TOKEN }}
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
persist-credentials: true

- name: Configure git user name and email
run: |
Expand All @@ -241,23 +257,30 @@
if: |
github.event.inputs.version == 'stable' ||
contains( needs.bump-version.outputs.old_version, 'rc' )
env:
RELEAD_BRANCH_COMMIT: ${{ needs.bump-version.outputs.release_branch_commit }}
RELEASE_BRANCH: ${{ needs.bump-version.outputs.release_branch }}
run: |
git revert --no-edit ${{ needs.bump-version.outputs.release_branch_commit }}
git push --set-upstream origin "${{ needs.bump-version.outputs.release_branch }}"
git revert --no-edit "$RELEAD_BRANCH_COMMIT"
git push --set-upstream origin "$RELEASE_BRANCH"

- name: Delete release branch if it was only just created for the RC
if: |
github.event.inputs.version == 'rc' &&
! contains( needs.bump-version.outputs.old_version, 'rc' )
env:
RELEASE_BRANCH: ${{ needs.bump-version.outputs.release_branch }}
run: |
git push origin :"${{ needs.bump-version.outputs.release_branch }}"
git push origin :"$RELEASE_BRANCH"

- name: Revert version bump on trunk
if: ${{ needs.bump-version.outputs.trunk_commit }}
env:
TRUNK_COMMIT: ${{ needs.bump-version.outputs.trunk_commit }}
run: |
git fetch --depth=2 origin trunk
git checkout trunk
git revert --no-edit ${{ needs.bump-version.outputs.trunk_commit }}
git revert --no-edit "$TRUNK_COMMIT"
git push --set-upstream origin trunk

create-release:
Expand All @@ -270,7 +293,7 @@
id: get_release_version
env:
VERSION: ${{ needs.bump-version.outputs.new_version }}
run: echo "version=$(echo $VERSION | cut -d / -f 3 | sed 's/-rc./ RC/' )" >> $GITHUB_OUTPUT
run: echo "version=$(echo "$VERSION" | cut -d / -f 3 | sed 's/-rc./ RC/' )" >> "$GITHUB_OUTPUT"

- name: Download Plugin Zip Artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
Expand Down Expand Up @@ -319,6 +342,7 @@
path: main
ref: trunk
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
persist-credentials: false

- name: Checkout (for publishing)
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
Expand All @@ -328,6 +352,7 @@
ref: trunk
token: ${{ secrets.GUTENBERG_TOKEN }}
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
persist-credentials: false

- name: Configure git user name and email (for publishing)
run: |
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/bundle-size.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@ jobs:
with:
fetch-depth: 1
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
persist-credentials: false

- name: Use desired version of Node.js
uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/check-backport-changelog.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,8 @@ jobs:
with:
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
persist-credentials: false

- name: Check the changelog folder
env:
PR_NUMBER: ${{ github.event.number }}
Expand All @@ -44,7 +46,7 @@ jobs:
exit 1
fi

core_pr_number=$(basename "${changelog_file}" .md)
core_pr_number="$(basename "${changelog_file}" .md)"
core_pr_url="https://github\.com/WordPress/wordpress-develop/pull/${core_pr_number}"

# Confirm that the entry has the correct core backport PR URL.
Expand Down
6 changes: 4 additions & 2 deletions .github/workflows/check-components-changelog.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,17 +28,19 @@ jobs:
repository: ${{ github.event.pull_request.head.repo.full_name }}
fetch-depth: ${{ env.PR_COMMIT_COUNT }}
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
persist-credentials: false
- name: 'Fetch relevant history from origin'
run: git fetch origin ${{ github.event.pull_request.base.ref }}
run: git fetch origin "$GITHUB_BASE_REF"
- name: Check CHANGELOG status
env:
PR_NUMBER: ${{ github.event.number }}
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
run: |
changelog_path="packages/components/CHANGELOG.md"
optional_check_notice="This isn't a required check, so if you think your changes are small enough that they don't warrant a CHANGELOG entry, please go ahead and merge without one."

# Fail if the PR doesn't touch the changelog
if git diff --quiet ${{ github.event.pull_request.base.sha }} HEAD -- "$changelog_path"; then
if git diff --quiet "$HEAD_SHA" HEAD -- "$changelog_path"; then
echo "Please add a CHANGELOG entry to $changelog_path"
echo
echo "${optional_check_notice}"
Expand Down
19 changes: 10 additions & 9 deletions .github/workflows/cherry-pick-wp-release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,7 @@
with:
token: ${{ secrets.GUTENBERG_TOKEN }}
fetch-depth: 0
persist-credentials: false

- name: Set up Git
if: env.cherry_pick == 'true'
Expand All @@ -85,20 +86,20 @@
id: cherry-pick
if: env.cherry_pick == 'true'
run: |
TARGET_BRANCH="wp/${{ env.version }}"
COMMIT_SHA="${{ env.commit_sha }}"
TARGET_BRANCH="wp/${version}"
COMMIT_SHA="${commit_sha}"
echo "Target branch: $TARGET_BRANCH"
echo "Commit SHA: $COMMIT_SHA"
git checkout $TARGET_BRANCH
git cherry-pick $COMMIT_SHA || echo "cherry-pick-failed" > result
git checkout "$TARGET_BRANCH"
Fixed Show fixed Hide fixed
git cherry-pick "$COMMIT_SHA" || echo "cherry-pick-failed" > result
if [ -f result ] && grep -q "cherry-pick-failed" result; then
echo "conflict=true" >> $GITHUB_ENV
echo "conflict=true" >> "$GITHUB_ENV"
Fixed Show fixed Hide fixed
git cherry-pick --abort
else
CHERRY_PICK_SHA=$(git rev-parse HEAD)
echo "conflict=false" >> $GITHUB_ENV
echo "cherry_pick_sha=$CHERRY_PICK_SHA" >> $GITHUB_ENV
git push origin $TARGET_BRANCH
CHERRY_PICK_SHA="$(git rev-parse HEAD)"
echo "conflict=false" >> "$GITHUB_ENV"
Fixed Show fixed Hide fixed
echo "cherry_pick_sha=$CHERRY_PICK_SHA" >> "$GITHUB_ENV"
Fixed Show fixed Hide fixed
git push origin "$TARGET_BRANCH"
fi

- name: Remove cherry-pick label
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/create-block.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
persist-credentials: false

- name: Setup Node.js and install dependencies
uses: ./.github/setup-node
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/end2end-test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
persist-credentials: false

- name: Setup Node.js and install dependencies
uses: ./.github/setup-node
Expand Down Expand Up @@ -106,6 +107,7 @@ jobs:
with:
ref: trunk
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
persist-credentials: false

- uses: actions/download-artifact@v4.1.8
# Don't fail the job if there isn't any flaky tests report.
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/gradle-wrapper-validation.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,5 +10,7 @@ jobs:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
persist-credentials: false

- name: Validate checksums
uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
Loading
Loading