Build/Test Tools: Improve the security and correctness of the GitHub …

…Actions workflows files. This includes removing use of dangerous inline GitHub Actions expressions, preventing word splitting, further tightening permissions, and generally improving many aspects of the workflows. This also introduces a new workflow that runs Actionlint to detect incorrect and insecure code and configuration in workflow files. Props johnbillion, swissspidy, flixos90, desrosj. See #62221 git-svn-id: https://develop.svn.wordpress.org/trunk@59679 602fd350-edb4-49c9-b593-d223f7449a82
WordPress · Jan 22, 2025 · 8209135 · 8209135
1 parent c7cd04c
commit 8209135
Show file tree

Hide file tree

Showing 32 changed files with 407 additions and 175 deletions.
diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml
@@ -107,6 +107,6 @@ jobs:
               workflow_id: 'failed-workflow.yml',
               ref: 'trunk',
               inputs: {
-                run_id: '${{ github.run_id }}'
+                run_id: context.runId,
               }
             });
diff --git a/.github/workflows/end-to-end-tests.yml b/.github/workflows/end-to-end-tests.yml
@@ -93,6 +93,6 @@ jobs:
               workflow_id: 'failed-workflow.yml',
               ref: 'trunk',
               inputs: {
-                run_id: '${{ github.run_id }}'
+                run_id: context.runId,
               }
             });
diff --git a/.github/workflows/failed-workflow.yml b/.github/workflows/failed-workflow.yml
@@ -38,7 +38,7 @@ jobs:
             const workflow_run = await github.rest.actions.getWorkflowRun({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              run_id: ${{ inputs.run_id }},
+              run_id: process.env.RUN_ID,
             });
 
             // Only rerun after the first run attempt.
@@ -49,6 +49,8 @@ jobs:
             const rerun = await github.rest.actions.reRunWorkflowFailedJobs({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              run_id: ${{ inputs.run_id }},
+              run_id: process.env.RUN_ID,
               enable_debug_logging: true
             });
+        env:
+          RUN_ID: ${{ inputs.run_id }}
diff --git a/.github/workflows/install-testing.yml b/.github/workflows/install-testing.yml
@@ -119,16 +119,20 @@ jobs:
         with:
           php-version: '${{ matrix.php }}'
           coverage: none
-          tools: wp-cli${{ contains( fromJSON('["5.4", "5.5"]'), matrix.php ) && ':2.4.0' || '' }}
+          tools: ${{ contains( fromJSON('["5.4", "5.5"]'), matrix.php ) && 'wp-cli:2.4.0' || 'wp-cli' }}
 
       - name: Download WordPress
-        run: wp core download ${{ inputs.wp-version && format( '--version={0}', inputs.wp-version ) || '--version=nightly' }}
+        run: wp core download --version="${WP_VERSION}"
+        env:
+          WP_VERSION: ${{ inputs.wp-version || 'nightly' }}
 
       - name: Create wp-config.php file
-        run: wp config create --dbname=test_db --dbuser=root --dbpass=root --dbhost=127.0.0.1:${{ job.services.database.ports['3306'] }}
+        run: wp config create --dbname=test_db --dbuser=root --dbpass=root --dbhost="127.0.0.1:${DB_PORT}"
+        env:
+          DB_PORT: ${{ job.services.database.ports['3306'] }}
 
       - name: Install WordPress
-        run: wp core ${{ matrix.multisite && 'multisite-' || '' }}install --url=http://localhost/ --title="Upgrade Test" --admin_user=admin --admin_password=password [email protected] --skip-email
+        run: wp core ${{ matrix.multisite && 'multisite-install' || 'install' }} --url=http://localhost/ --title="Upgrade Test" --admin_user=admin --admin_password=password [email protected] --skip-email
 
   slack-notifications:
     name: Slack Notifications
@@ -175,6 +179,6 @@ jobs:
               workflow_id: 'failed-workflow.yml',
               ref: 'trunk',
               inputs: {
-                run_id: '${{ github.run_id }}'
+                run_id: context.runId,
               }
             });
diff --git a/.github/workflows/javascript-tests.yml b/.github/workflows/javascript-tests.yml
@@ -97,6 +97,6 @@ jobs:
               workflow_id: 'failed-workflow.yml',
               ref: 'trunk',
               inputs: {
-                run_id: '${{ github.run_id }}'
+                run_id: context.runId,
               }
             });
diff --git a/.github/workflows/local-docker-environment.yml b/.github/workflows/local-docker-environment.yml
@@ -104,7 +104,6 @@ jobs:
       db-type: 'mysql'
       db-version: ${{ matrix.db-version }}
       memcached: ${{ matrix.memcached }}
-      tests-domain: ${{ matrix.tests-domain }}
 
   slack-notifications:
     name: Slack Notifications
@@ -151,6 +150,6 @@ jobs:
               workflow_id: 'failed-workflow.yml',
               ref: 'trunk',
               inputs: {
-                run_id: '${{ github.run_id }}'
+                run_id: context.runId,
               }
             });
diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml
@@ -93,6 +93,6 @@ jobs:
               workflow_id: 'failed-workflow.yml',
               ref: 'trunk',
               inputs: {
-                run_id: '${{ github.run_id }}'
+                run_id: context.runId,
               }
             });
diff --git a/.github/workflows/php-compatibility.yml b/.github/workflows/php-compatibility.yml
@@ -94,6 +94,6 @@ jobs:
               workflow_id: 'failed-workflow.yml',
               ref: 'trunk',
               inputs: {
-                run_id: '${{ github.run_id }}'
+                run_id: context.runId,
               }
             });
diff --git a/.github/workflows/phpunit-tests.yml b/.github/workflows/phpunit-tests.yml
@@ -144,7 +144,7 @@ jobs:
       multisite: ${{ matrix.multisite }}
       memcached: ${{ matrix.memcached }}
       phpunit-config: ${{ matrix.multisite && 'tests/phpunit/multisite.xml' || 'phpunit.xml.dist' }}
-      report: ${{ matrix.report || false }}
+      report: ${{ false }}
 
   #
   # Creates PHPUnit test jobs to test MariaDB and MySQL innovation releases.
@@ -193,7 +193,7 @@ jobs:
       multisite: ${{ matrix.multisite }}
       memcached: ${{ matrix.memcached }}
       phpunit-config: ${{ matrix.multisite && 'tests/phpunit/multisite.xml' || 'phpunit.xml.dist' }}
-      report: ${{ matrix.report || false }}
+      report: ${{ false }}
 
   #
   # Runs specific individual test groups.
@@ -263,6 +263,6 @@ jobs:
               workflow_id: 'failed-workflow.yml',
               ref: 'trunk',
               inputs: {
-                run_id: '${{ github.run_id }}'
+                run_id: context.runId,
               }
             });
diff --git a/.github/workflows/props-bot.yml b/.github/workflows/props-bot.yml
@@ -85,6 +85,8 @@ jobs:
             github.rest.issues.removeLabel({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              issue_number: '${{ github.event.number }}',
+              issue_number: process.env.ISSUE_NUMBER,
               name: 'props-bot'
             });
+        env:
+          ISSUE_NUMBER: ${{ github.event.number }}
diff --git a/.github/workflows/pull-request-comments.yml b/.github/workflows/pull-request-comments.yml
@@ -96,7 +96,7 @@ jobs:
             const artifacts = await github.rest.actions.listWorkflowRunArtifacts( {
                owner: context.repo.owner,
                repo: context.repo.repo,
-               run_id: ${{ github.event.workflow_run.id }},
+               run_id: process.env.RUN_ID,
             } );
 
             const matchArtifact = artifacts.data.artifacts.filter( ( artifact ) => {
@@ -117,6 +117,8 @@ jobs:
 
             const fs = require( 'fs' );
             fs.writeFileSync( '${{github.workspace}}/pr-number.zip', Buffer.from( download.data ) )
+        env:
+          RUN_ID: ${{ github.event.workflow_run.id }}
 
       - name: Unzip the artifact containing the PR number
         run: unzip pr-number.zip

diff --git a/.github/workflows/reusable-cleanup-pull-requests.yml b/.github/workflows/reusable-cleanup-pull-requests.yml
@@ -29,21 +29,19 @@ jobs:
     steps:
       - name: Find fixed ticket numbers
         id: trac-tickets
+        env:
+          COMMIT_MSG_RAW: ${{ github.event.head_commit.message }}
         run: |
-          COMMIT_MESSAGE=$(cat <<'EOF' | sed -n '/^Fixes #/,/\./p'
-          ${{ github.event.head_commit.message }}
-          EOF
-          )
-          echo "fixed_list=$(echo \"$COMMIT_MESSAGE\" | sed -n 's/.*Fixes #\([0-9]\+\).*/\1/p' | tr '\n' ' ')" >> $GITHUB_OUTPUT
+          COMMIT_MESSAGE="$(echo "$COMMIT_MSG_RAW" | sed -n '/^Fixes #/,/\./p')"
+          echo "fixed_list=$(echo "$COMMIT_MESSAGE" | sed -n 's/.*Fixes #\([0-9]\+\).*/\1/p' | tr '\n' ' ')" >> "$GITHUB_OUTPUT"
 
       - name: Get the SVN revision
         id: git-svn-id
+        env:
+          COMMIT_MSG_RAW: ${{ github.event.head_commit.message }}
         run: |
-          COMMIT_MESSAGE=$(cat <<'EOF' | sed -n '$p'
-          ${{ github.event.head_commit.message }}
-          EOF
-          )
-          echo "svn_revision_number=$(echo \"$COMMIT_MESSAGE\" | sed -n 's/.*git-svn-id: https:\/\/develop.svn.wordpress.org\/[^@]*@\([0-9]*\) .*/\1/p')" >> $GITHUB_OUTPUT
+          COMMIT_MESSAGE="$(echo "$COMMIT_MSG_RAW" | sed -n '$p')"
+          echo "svn_revision_number=$(echo "$COMMIT_MESSAGE" | sed -n 's/.*git-svn-id: https:\/\/develop.svn.wordpress.org\/[^@]*@\([0-9]*\) .*/\1/p')" >> "$GITHUB_OUTPUT"
 
       - name: Find pull requests
         id: linked-prs

diff --git a/.github/workflows/reusable-coding-standards-javascript.yml b/.github/workflows/reusable-coding-standards-javascript.yml
@@ -9,6 +9,10 @@ on:
 env:
   PUPPETEER_SKIP_DOWNLOAD: ${{ true }}
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Runs the JavaScript coding standards checks.
   #
@@ -33,6 +37,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+          persist-credentials: false
 
       - name: Set up Node.js
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0

diff --git a/.github/workflows/reusable-coding-standards-php.yml b/.github/workflows/reusable-coding-standards-php.yml
@@ -17,6 +17,10 @@ on:
         type: 'boolean'
         default: false
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Runs the PHP coding standards checks.
   #
@@ -45,6 +49,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+          persist-credentials: false
 
       - name: Set up PHP
         uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1
@@ -57,7 +62,7 @@ jobs:
       # http://man7.org/linux/man-pages/man1/date.1.html
       - name: "Get last Monday's date"
         id: get-date
-        run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> $GITHUB_OUTPUT
+        run: echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT"
 
       - name: Cache PHPCS scan cache
         uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
@@ -75,7 +80,7 @@ jobs:
           custom-cache-suffix: ${{ steps.get-date.outputs.date }}
 
       - name: Make Composer packages available globally
-        run: echo "${PWD}/vendor/bin" >> $GITHUB_PATH
+        run: echo "${PWD}/vendor/bin" >> "$GITHUB_PATH"
 
       - name: Run PHPCS on all Core files
         id: phpcs-core

diff --git a/.github/workflows/reusable-end-to-end-tests.yml b/.github/workflows/reusable-end-to-end-tests.yml
@@ -33,6 +33,10 @@ env:
   LOCAL_DIR: build
   LOCAL_PHP: ${{ inputs.php-version }}${{ 'latest' != inputs.php-version && '-fpm' || '' }}
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Runs the end-to-end test suite.
   #
@@ -63,13 +67,14 @@ jobs:
     steps:
       - name: Configure environment variables
         run: |
-          echo "PHP_FPM_UID=$(id -u)" >> $GITHUB_ENV
-          echo "PHP_FPM_GID=$(id -g)" >> $GITHUB_ENV
+          echo "PHP_FPM_UID=$(id -u)" >> "$GITHUB_ENV"
+          echo "PHP_FPM_GID=$(id -g)" >> "$GITHUB_ENV"
 
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+          persist-credentials: false
 
       - name: Set up Node.js
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
@@ -117,13 +122,18 @@ jobs:
 
       - name: Install Gutenberg
         if: ${{ inputs.install-gutenberg }}
-        run: npm run env:cli -- plugin install gutenberg${{ inputs.gutenberg-version && format( ' --version={0}', inputs.gutenberg-version ) || '' }} --path=/var/www/${{ env.LOCAL_DIR }}
+        run: |
+          npm run env:cli -- plugin install gutenberg \
+          ${{ inputs.gutenberg-version && '--version="${GUTENBERG_VERSION}"' || '' }} \
+          --path="/var/www/${LOCAL_DIR}"
+        env:
+          GUTENBERG_VERSION: ${{ inputs.gutenberg-version }}
 
       - name: Install additional languages
         run: |
-          npm run env:cli -- language core install de_DE --path=/var/www/${{ env.LOCAL_DIR }}
-          npm run env:cli -- language plugin install de_DE --all --path=/var/www/${{ env.LOCAL_DIR }}
-          npm run env:cli -- language theme install de_DE --all --path=/var/www/${{ env.LOCAL_DIR }}
+          npm run env:cli -- language core install de_DE --path="/var/www/${LOCAL_DIR}"
+          npm run env:cli -- language plugin install de_DE --all --path="/var/www/${LOCAL_DIR}"
+          npm run env:cli -- language theme install de_DE --all --path="/var/www/${LOCAL_DIR}"
 
       - name: Run E2E tests
         run: npm run test:e2e

diff --git a/.github/workflows/reusable-javascript-tests.yml b/.github/workflows/reusable-javascript-tests.yml
@@ -12,6 +12,10 @@ on:
         type: 'boolean'
         default: false
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Runs the QUnit test suite.
   #
@@ -34,6 +38,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+          persist-credentials: false
 
       - name: Set up Node.js
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0