Build/Test Tools: Restrict the permissions granted to jobs on GitHub Actions

The `permissions` key in a job declares the GitHub permissions that are granted to the token that's used by the job. Restricting the permissions reduces the impact that a vulnerability in the CI system can have.

Props desrosj, johnbillion

See #57865


git-svn-id: https://develop.svn.wordpress.org/trunk@55715 602fd350-edb4-49c9-b593-d223f7449a82
John Blackbourn
2023-05-03 22:15:27 +00:00
parent eb409e4cac
commit 3bfc6611ad
13 changed files with 103 additions and 0 deletions


@@ -38,6 +38,10 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
cancel-in-progress: true
# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}
jobs:
# Runs the QUnit tests for WordPress.
#
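Review bot: a workflow-level `permissions: {}` sets every scope of the job token to none, so any job in this file that does not declare its own `permissions:` block will run with a token that can do nothing; the two jobs shown below declare theirs, and the remaining jobs in the workflow should be checked so that each one that uses the token (for example, to check out the repository) declares the minimal scope it needs rather than silently losing access.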
@@ -51,6 +55,8 @@ jobs:
test-js:
name: QUnit Tests
runs-on: ubuntu-latest
permissions:
contents: read
timeout-minutes: 20
if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
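Review bot: `contents: read` is the right minimum for a test job that only needs to check out the repository, and since it is the only scope declared, the token this job receives is read-only; one style point is to place the `permissions:` block in the same position relative to `runs-on:` in every job so a reader scanning the file can find the granted scopes quickly.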
@@ -96,6 +102,8 @@ jobs:
failed-workflow:
name: Failed workflow tasks
runs-on: ubuntu-latest
permissions:
actions: write
needs: [ test-js, slack-notifications ]
if: |
always() &&
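Review bot: `actions: write` on the `failed-workflow` job is the only write scope in this change and is broader than `contents: read`, so a short comment above the `permissions:` block explaining why this job needs it (the job name suggests it acts on the failed workflow run) would help reviewers confirm the grant is intentional and keep it from being copied into other jobs; the scope is at least confined to this job because the workflow-level default is `permissions: {}`.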