diff --git a/.github/workflows/commit-built-file-changes.yml b/.github/workflows/commit-built-file-changes.yml index f93cd4bd662ec..b6ba9935ba675 100644 --- a/.github/workflows/commit-built-file-changes.yml +++ b/.github/workflows/commit-built-file-changes.yml @@ -131,11 +131,12 @@ jobs: path: 'pr-repo' show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} token: ${{ env.ACCESS_TOKEN }} + persist-credentials: true - name: Apply patch if: ${{ steps.artifact-check.outputs.exists == 'true' }} working-directory: 'pr-repo' - run: git apply ${{ github.workspace }}/changes.diff + run: git apply "$GITHUB_WORKSPACE/changes.diff" - name: Display changes to versioned files if: ${{ steps.artifact-check.outputs.exists == 'true' }} @@ -149,7 +150,7 @@ jobs: GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }} run: | git config user.name "wordpress-develop-pr-bot[bot]" - git config user.email ${{ env.GH_APP_ID }}+wordpress-develop-pr-bot[bot]@users.noreply.github.com + git config user.email "${GH_APP_ID}+wordpress-develop-pr-bot[bot]@users.noreply.github.com" - name: Stage changes if: ${{ steps.artifact-check.outputs.exists == 'true' }} diff --git a/.github/workflows/install-testing.yml b/.github/workflows/install-testing.yml index f15d6e4830268..f042853ca1bc5 100644 --- a/.github/workflows/install-testing.yml +++ b/.github/workflows/install-testing.yml @@ -49,7 +49,6 @@ jobs: uses: ./.github/workflows/reusable-support-json-reader-v1.yml permissions: contents: read - secrets: inherit if: ${{ github.repository == 'WordPress/wordpress-develop' }} with: wp-version: ${{ inputs.wp-version }} diff --git a/.github/workflows/local-docker-environment.yml b/.github/workflows/local-docker-environment.yml index 5ddb5f5d6fe57..31c42aaf7f90b 100644 --- a/.github/workflows/local-docker-environment.yml +++ b/.github/workflows/local-docker-environment.yml @@ -77,7 +77,6 @@ jobs: uses: ./.github/workflows/reusable-support-json-reader-v1.yml permissions: contents: read - secrets: inherit if: ${{ github.repository == 'WordPress/wordpress-develop' }} with: wp-version: ${{ github.event_name == 'pull_request' && github.base_ref || github.ref_name }} diff --git a/.github/workflows/phpunit-tests.yml b/.github/workflows/phpunit-tests.yml index de36d5a505187..85604b1182db7 100644 --- a/.github/workflows/phpunit-tests.yml +++ b/.github/workflows/phpunit-tests.yml @@ -66,7 +66,9 @@ jobs: uses: ./.github/workflows/reusable-phpunit-tests-v3.yml permissions: contents: read - secrets: inherit + secrets: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + WPT_REPORT_API_KEY: ${{ secrets.WPT_REPORT_API_KEY }} if: ${{ startsWith( github.repository, 'WordPress/' ) && ( github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' ) }} strategy: fail-fast: false @@ -143,7 +145,9 @@ jobs: uses: ./.github/workflows/reusable-phpunit-tests-v3.yml permissions: contents: read - secrets: inherit + secrets: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + WPT_REPORT_API_KEY: ${{ secrets.WPT_REPORT_API_KEY }} if: ${{ startsWith( github.repository, 'WordPress/' ) && ( github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' ) }} strategy: fail-fast: false @@ -195,7 +199,9 @@ jobs: uses: ./.github/workflows/reusable-phpunit-tests-v3.yml permissions: contents: read - secrets: inherit + secrets: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + WPT_REPORT_API_KEY: ${{ secrets.WPT_REPORT_API_KEY }} if: ${{ startsWith( github.repository, 'WordPress/' ) && ( github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' ) }} strategy: fail-fast: false @@ -238,7 +244,9 @@ jobs: uses: ./.github/workflows/reusable-phpunit-tests-v3.yml permissions: contents: read - secrets: inherit + secrets: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + WPT_REPORT_API_KEY: ${{ secrets.WPT_REPORT_API_KEY }} if: ${{ startsWith( github.repository, 'WordPress/' ) && ( github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' ) }} strategy: fail-fast: false @@ -267,7 +275,9 @@ jobs: uses: ./.github/workflows/reusable-phpunit-tests-v3.yml permissions: contents: read - secrets: inherit + secrets: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + WPT_REPORT_API_KEY: ${{ secrets.WPT_REPORT_API_KEY }} if: ${{ ! startsWith( github.repository, 'WordPress/' ) && github.event_name == 'pull_request' }} strategy: fail-fast: false diff --git a/.github/workflows/reusable-check-built-files.yml b/.github/workflows/reusable-check-built-files.yml index 11d97639a30fc..8951f26547733 100644 --- a/.github/workflows/reusable-check-built-files.yml +++ b/.github/workflows/reusable-check-built-files.yml @@ -40,6 +40,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 diff --git a/.github/workflows/reusable-cleanup-pull-requests.yml b/.github/workflows/reusable-cleanup-pull-requests.yml index 9dae63cb213d3..e42d741be1b4e 100644 --- a/.github/workflows/reusable-cleanup-pull-requests.yml +++ b/.github/workflows/reusable-cleanup-pull-requests.yml @@ -43,13 +43,17 @@ jobs: COMMIT_MESSAGE="$(echo "$COMMIT_MSG_RAW" | sed -n '$p')" echo "svn_revision_number=$(echo "$COMMIT_MESSAGE" | sed -n 's/.*git-svn-id: https:\/\/develop.svn.wordpress.org\/[^@]*@\([0-9]*\) .*/\1/p')" >> "$GITHUB_OUTPUT" - - name: Find pull requests - id: linked-prs + - name: Find and close pull requests if: ${{ steps.trac-tickets.outputs.fixed_list != '' && steps.git-svn-id.outputs.svn_revision_number != '' }} uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + FIXED_LIST: ${{ steps.trac-tickets.outputs.fixed_list }} + SVN_REVISION_NUMBER: ${{ steps.git-svn-id.outputs.svn_revision_number }} with: script: | - const fixedList = "${{ steps.trac-tickets.outputs.fixed_list }}".split(' ').filter(Boolean); + const fixedList = process.env.FIXED_LIST.split(' ').filter(Boolean); + const svnRevisionNumber = process.env.SVN_REVISION_NUMBER; + const githubSha = process.env.GITHUB_SHA; let prNumbers = []; for (const ticket of fixedList) { @@ -86,19 +90,10 @@ jobs: prNumbers.push(...matchingPRs); } - return prNumbers; - - - name: Comment and close pull requests - if: ${{ steps.trac-tickets.outputs.fixed_list != '' && steps.git-svn-id.outputs.svn_revision_number != '' }} - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 - with: - script: | - const prNumbers = ${{ steps.linked-prs.outputs.result }}; - const commentBody = `A commit was made that fixes the Trac ticket referenced in the description of this pull request. - SVN changeset: [${{ steps.git-svn-id.outputs.svn_revision_number }}](https://core.trac.wordpress.org/changeset/${{ steps.git-svn-id.outputs.svn_revision_number }}) - GitHub commit: https://github.com/WordPress/wordpress-develop/commit/${{ github.sha }} + SVN changeset: [${svnRevisionNumber}](https://core.trac.wordpress.org/changeset/${svnRevisionNumber}) + GitHub commit: https://github.com/WordPress/wordpress-develop/commit/${githubSha} This PR will be closed, but please confirm the accuracy of this and reopen if there is more work to be done.`; diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index 3a538a8a99690..b3b9d5a289d2f 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml @@ -7,12 +7,10 @@ permissions: {} jobs: # Runs the actionlint GitHub Action workflow file linter. # + # See https://github.com/rhysd/actionlint. + # # This helps guard against common mistakes including strong type checking for expressions (${{ }}), security checks, # `run:` script checking, glob syntax validation, and more. - # - # Performs the following steps: - # - Checks out the repository. - # - Runs actionlint. actionlint: name: Run actionlint runs-on: ubuntu-24.04 @@ -26,9 +24,41 @@ jobs: persist-credentials: false show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} - # actionlint is static checker for GitHub Actions workflow files. - # See https://github.com/rhysd/actionlint. - name: Run actionlint - uses: docker://rhysd/actionlint@sha256:887a259a5a534f3c4f36cb02dca341673c6089431057242cdc931e9f133147e9 # v1.7.7 + uses: docker://rhysd/actionlint@sha256:5457037ba91acd225478edac3d4b32e45cf6c10291e0dabbfd2491c63129afe1 # v1.7.11 with: args: "-color -verbose" + + # Runs the Zizmor GitHub Action workflow file linter. + # + # See https://github.com/zizmorcore/zizmor + # + # This helps guard against supply chain attacks, unpinned dependencies, excessive permissions, + # dangerous triggers, credential leaks, and sophisticated security vulnerabilities. + zizmor: + name: Zizmor + runs-on: ubuntu-24.04 + permissions: + security-events: write + actions: read + contents: read + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Install the latest version of uv + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 + + - name: Run zizmor + run: uvx zizmor@1.23.1 --persona=regular --format=sarif --strict-collection . > results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 + with: + sarif_file: results.sarif + category: zizmor + wait-for-processing: false diff --git a/.github/workflows/test-coverage.yml b/.github/workflows/test-coverage.yml index deb190eba9e9b..cf430db4f15e6 100644 --- a/.github/workflows/test-coverage.yml +++ b/.github/workflows/test-coverage.yml @@ -11,15 +11,15 @@ on: - 'docker-compose.yml' - 'phpunit.xml.dist' - 'tests/phpunit/multisite.xml' - pull_request: - branches: - - trunk - paths: - - '.github/workflows/test-coverage.yml' - - '.github/workflows/reusable-phpunit-tests-v3.yml' - - 'docker-compose.yml' - - 'phpunit.xml.dist' - - 'tests/phpunit/multisite.xml' + # pull_request: + # branches: + # - trunk + # paths: + # - '.github/workflows/test-coverage.yml' + # - '.github/workflows/reusable-phpunit-tests-v3.yml' + # - 'docker-compose.yml' + # - 'phpunit.xml.dist' + # - 'tests/phpunit/multisite.xml' # Once daily at 00:00 UTC. schedule: - cron: '0 0 * * *' diff --git a/README.md b/README.md index 4c27999495f55..949c085e3aacb 100644 --- a/README.md +++ b/README.md @@ -97,6 +97,29 @@ npm run test:php -- --filter npm run test:php -- --group ``` +#### To lint the workflow files + +GitHub Actions workflows operate in a privileged software supply chain environment, therefore the workflow files must be adhere to a high degree of quality and security standards. + +The YAML workflow files in the `.github/workflows` directory are statically scanned during GitHub Actions workflow runs using [Actionlint](https://github.com/rhysd/actionlint) and [Zizmor](https://github.com/zizmorcore/zizmor). If you're making changes to those files then you can install both these tools locally using a package manager for your operating system and then run them to lint the files. + +- [Actionlint installations instructions](https://github.com/rhysd/actionlint/blob/main/docs/install.md) +- [Zizmor installation instructions](https://docs.zizmor.sh/installation/) + +To run Actionlint: + +``` +actionlint +``` + +To run Zizmor (note the trailing period): + +``` +zizmor . +``` + +The linting that happens during GitHub Actions workflow runs is connected to GitHub Code Scanning, so linting errors won't cause workflow runs to fail directly. Some linting issues that are reported locally may be ignored in the Code Scanning settings. + #### Generating a code coverage report PHP code coverage reports are [generated daily](https://github.com/WordPress/wordpress-develop/actions/workflows/test-coverage.yml) and [submitted to Codecov.io](https://app.codecov.io/gh/WordPress/wordpress-develop).