Add more workflow file linting with Zizmor

.github/workflows/commit-built-file-changes.yml

@@ -131,11 +131,12 @@ jobs:
           path: 'pr-repo'
           show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
           token: ${{ env.ACCESS_TOKEN }}
+          persist-credentials: true
 
       - name: Apply patch
         if: ${{ steps.artifact-check.outputs.exists == 'true' }}
         working-directory: 'pr-repo'
-        run: git apply ${{ github.workspace }}/changes.diff
+        run: git apply "$GITHUB_WORKSPACE/changes.diff"
 
       - name: Display changes to versioned files
         if: ${{ steps.artifact-check.outputs.exists == 'true' }}
@@ -149,7 +150,7 @@ jobs:
           GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }}
         run: |
           git config user.name "wordpress-develop-pr-bot[bot]"
-          git config user.email ${{ env.GH_APP_ID }}+wordpress-develop-pr-bot[bot]@users.noreply.github.com
+          git config user.email "${GH_APP_ID}+wordpress-develop-pr-bot[bot]@users.noreply.github.com"
 
       - name: Stage changes
         if: ${{ steps.artifact-check.outputs.exists == 'true' }}

.github/workflows/install-testing.yml

@@ -49,7 +49,6 @@ jobs:
     uses: ./.github/workflows/reusable-support-json-reader-v1.yml
     permissions:
       contents: read
-    secrets: inherit
     if: ${{ github.repository == 'WordPress/wordpress-develop' }}
     with:
       wp-version: ${{ inputs.wp-version }}

.github/workflows/local-docker-environment.yml

@@ -77,7 +77,6 @@ jobs:
     uses: ./.github/workflows/reusable-support-json-reader-v1.yml
     permissions:
       contents: read
-    secrets: inherit
     if: ${{ github.repository == 'WordPress/wordpress-develop' }}
     with:
       wp-version: ${{ github.event_name == 'pull_request' && github.base_ref || github.ref_name }}

.github/workflows/phpunit-tests.yml

@@ -66,7 +66,9 @@ jobs:
     uses: ./.github/workflows/reusable-phpunit-tests-v3.yml
     permissions:
       contents: read
-    secrets: inherit
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+      WPT_REPORT_API_KEY: ${{ secrets.WPT_REPORT_API_KEY }}
     if: ${{ startsWith( github.repository, 'WordPress/' ) && ( github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' ) }}
     strategy:
       fail-fast: false
@@ -143,7 +145,9 @@ jobs:
     uses: ./.github/workflows/reusable-phpunit-tests-v3.yml
     permissions:
       contents: read
-    secrets: inherit
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+      WPT_REPORT_API_KEY: ${{ secrets.WPT_REPORT_API_KEY }}
     if: ${{ startsWith( github.repository, 'WordPress/' ) && ( github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' ) }}
     strategy:
       fail-fast: false
@@ -195,7 +199,9 @@ jobs:
     uses: ./.github/workflows/reusable-phpunit-tests-v3.yml
     permissions:
       contents: read
-    secrets: inherit
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+      WPT_REPORT_API_KEY: ${{ secrets.WPT_REPORT_API_KEY }}
     if: ${{ startsWith( github.repository, 'WordPress/' ) && ( github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' ) }}
     strategy:
       fail-fast: false
@@ -238,7 +244,9 @@ jobs:
     uses: ./.github/workflows/reusable-phpunit-tests-v3.yml
     permissions:
       contents: read
-    secrets: inherit
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+      WPT_REPORT_API_KEY: ${{ secrets.WPT_REPORT_API_KEY }}
     if: ${{ startsWith( github.repository, 'WordPress/' ) && ( github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' ) }}
     strategy:
       fail-fast: false
@@ -267,7 +275,9 @@ jobs:
     uses: ./.github/workflows/reusable-phpunit-tests-v3.yml
     permissions:
       contents: read
-    secrets: inherit
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+      WPT_REPORT_API_KEY: ${{ secrets.WPT_REPORT_API_KEY }}
     if: ${{ ! startsWith( github.repository, 'WordPress/' ) && github.event_name == 'pull_request' }}
     strategy:
       fail-fast: false

.github/workflows/reusable-check-built-files.yml

@@ -40,6 +40,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
+          persist-credentials: false
 
       - name: Set up Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0

.github/workflows/reusable-cleanup-pull-requests.yml

@@ -43,13 +43,17 @@ jobs:
           COMMIT_MESSAGE="$(echo "$COMMIT_MSG_RAW" | sed -n '$p')"
           echo "svn_revision_number=$(echo "$COMMIT_MESSAGE" | sed -n 's/.*git-svn-id: https:\/\/develop.svn.wordpress.org\/[^@]*@\([0-9]*\) .*/\1/p')" >> "$GITHUB_OUTPUT"
 
-      - name: Find pull requests
-        id: linked-prs
+      - name: Find and close pull requests
         if: ${{ steps.trac-tickets.outputs.fixed_list != '' && steps.git-svn-id.outputs.svn_revision_number != '' }}
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          FIXED_LIST: ${{ steps.trac-tickets.outputs.fixed_list }}
+          SVN_REVISION_NUMBER: ${{ steps.git-svn-id.outputs.svn_revision_number }}
         with:
           script: |
-            const fixedList = "${{ steps.trac-tickets.outputs.fixed_list }}".split(' ').filter(Boolean);
+            const fixedList = process.env.FIXED_LIST.split(' ').filter(Boolean);
+            const svnRevisionNumber = process.env.SVN_REVISION_NUMBER;
+            const githubSha = process.env.GITHUB_SHA;
             let prNumbers = [];
 
             for (const ticket of fixedList) {
@@ -86,19 +90,10 @@ jobs:
               prNumbers.push(...matchingPRs);
             }
 
-            return prNumbers;
-
-      - name: Comment and close pull requests
-        if: ${{ steps.trac-tickets.outputs.fixed_list != '' && steps.git-svn-id.outputs.svn_revision_number != '' }}
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
-        with:
-          script: |
-            const prNumbers = ${{ steps.linked-prs.outputs.result }};
-
             const commentBody = `A commit was made that fixes the Trac ticket referenced in the description of this pull request.
 
-            SVN changeset: [${{ steps.git-svn-id.outputs.svn_revision_number }}](https://core.trac.wordpress.org/changeset/${{ steps.git-svn-id.outputs.svn_revision_number }})
-            GitHub commit: https://github.com/WordPress/wordpress-develop/commit/${{ github.sha }}
+            SVN changeset: [${svnRevisionNumber}](https://core.trac.wordpress.org/changeset/${svnRevisionNumber})
+            GitHub commit: https://github.com/WordPress/wordpress-develop/commit/${githubSha}
 
             This PR will be closed, but please confirm the accuracy of this and reopen if there is more work to be done.`;
 

.github/workflows/reusable-workflow-lint.yml

@@ -7,12 +7,10 @@ permissions: {}
 jobs:
   # Runs the actionlint GitHub Action workflow file linter.
   #
+  # See https://github.com/rhysd/actionlint.
+  #
   # This helps guard against common mistakes including strong type checking for expressions (${{ }}), security checks,
   # `run:` script checking, glob syntax validation, and more.
-  #
-  # Performs the following steps:
-  # - Checks out the repository.
-  # - Runs actionlint.
   actionlint:
     name: Run actionlint
     runs-on: ubuntu-24.04
@@ -26,9 +24,41 @@ jobs:
           persist-credentials: false
           show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
 
-      # actionlint is static checker for GitHub Actions workflow files.
-      # See https://github.com/rhysd/actionlint.
       - name: Run actionlint
-        uses: docker://rhysd/actionlint@sha256:887a259a5a534f3c4f36cb02dca341673c6089431057242cdc931e9f133147e9 # v1.7.7
+        uses: docker://rhysd/actionlint@sha256:5457037ba91acd225478edac3d4b32e45cf6c10291e0dabbfd2491c63129afe1 # v1.7.11
         with:
           args: "-color -verbose"
+
+  # Runs the Zizmor GitHub Action workflow file linter.
+  #
+  # See https://github.com/zizmorcore/zizmor
+  #
+  # This helps guard against supply chain attacks, unpinned dependencies, excessive permissions,
+  # dangerous triggers, credential leaks, and sophisticated security vulnerabilities.
+  zizmor:
+    name: Zizmor
+    runs-on: ubuntu-24.04
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+
+      - name: Run zizmor
+        run: uvx zizmor@1.23.1 --persona=regular --format=sarif --strict-collection . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
+        with:
+          sarif_file: results.sarif
+          category: zizmor
+          wait-for-processing: false

.github/workflows/test-coverage.yml

@@ -11,15 +11,15 @@ on:
       - 'docker-compose.yml'
       - 'phpunit.xml.dist'
       - 'tests/phpunit/multisite.xml'
-  pull_request:
-    branches:
-      - trunk
-    paths:
-      - '.github/workflows/test-coverage.yml'
-      - '.github/workflows/reusable-phpunit-tests-v3.yml'
-      - 'docker-compose.yml'
-      - 'phpunit.xml.dist'
-      - 'tests/phpunit/multisite.xml'
+  # pull_request:
+  #   branches:
+  #     - trunk
+  #   paths:
+  #     - '.github/workflows/test-coverage.yml'
+  #     - '.github/workflows/reusable-phpunit-tests-v3.yml'
+  #     - 'docker-compose.yml'
+  #     - 'phpunit.xml.dist'
+  #     - 'tests/phpunit/multisite.xml'
   # Once daily at 00:00 UTC.
   schedule:
     - cron: '0 0 * * *'

README.md

@@ -97,6 +97,29 @@ npm run test:php -- --filter <test name>
 npm run test:php -- --group <group name or ticket number>
 ```
 
+#### To lint the workflow files
+
+GitHub Actions workflows operate in a privileged software supply chain environment, therefore the workflow files must be adhere to a high degree of quality and security standards.
+
+The YAML workflow files in the `.github/workflows` directory are statically scanned during GitHub Actions workflow runs using [Actionlint](https://github.com/rhysd/actionlint) and [Zizmor](https://github.com/zizmorcore/zizmor). If you're making changes to those files then you can install both these tools locally using a package manager for your operating system and then run them to lint the files.
+
+- [Actionlint installations instructions](https://github.com/rhysd/actionlint/blob/main/docs/install.md)
+- [Zizmor installation instructions](https://docs.zizmor.sh/installation/)
+
+To run Actionlint:
+
+```
+actionlint
+```
+
+To run Zizmor (note the trailing period):
+
+```
+zizmor .
+```
+
+The linting that happens during GitHub Actions workflow runs is connected to GitHub Code Scanning, so linting errors won't cause workflow runs to fail directly. Some linting issues that are reported locally may be ignored in the Code Scanning settings.
+
 #### Generating a code coverage report
 PHP code coverage reports are [generated daily](https://github.com/WordPress/wordpress-develop/actions/workflows/test-coverage.yml) and [submitted to Codecov.io](https://app.codecov.io/gh/WordPress/wordpress-develop).