GitHub Actions workflow updates #2471
Pull request overview
This PR updates the GitHub Actions workflows to use explicit, reduced permissions and adds job timeouts to prevent runaway workflow execution.
Changes:
- Adds a top-level `permissions: {}` default to several workflows.
- Adds or documents job-level permissions for checkout, artifacts, deployments, CodeQL, and cancellation actions.
- Adds `timeout-minutes` values to jobs that did not previously define them.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/spell-check.yml | Adds default-deny permissions, checkout read permission, and timeout. |
| .github/workflows/props-bot.yml | Clarifies existing job permission comments. |
| .github/workflows/pr-validation.yml | Adds default-deny permissions and job timeouts. |
| .github/workflows/plugin-check.yml | Adds timeouts and documents job-level permissions. |
| .github/workflows/php-test-plugins.yml | Adds default-deny permissions and explicit job scopes. |
| .github/workflows/php-lint.yml | Adds default-deny permissions and explicit job scopes. |
| .github/workflows/js-lint.yml | Adds default-deny permissions and explicit job scopes. |
| .github/workflows/e2e-test.yml | Adds default-deny permissions and checkout read scope. |
| .github/workflows/deploy-plugins.yml | Adds timeouts and adjusts deployment/release permission scopes. |
| .github/workflows/codeql-analysis.yml | Adds CodeQL job timeout and documents security-events permission. |
Codecov Report: All modified and coverable lines are covered by tests.
Coverage diff, trunk vs. #2471:
| | trunk | #2471 |
|---|---|---|
| Coverage | 69.33% | 69.33% |
| Files | 90 | 90 |
| Lines | 7749 | 7749 |
| Hits | 5373 | 5373 |
| Misses | 2376 | 2376 |
Flags with carried forward coverage won't be shown.
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
| runs-on: ubuntu-latest | ||
| timeout-minutes: 10 | ||
| permissions: | ||
| contents: read # Required to clone the repo. |
Safe to keep, but not required for public repos.
With permissions: {} being set at the workflow level, I think the idea here is to be explicit instead of relying on an implicit fallback.
It's also good to have just in case the workflow's overall permissions change for some reason, or someone creates a private fork or mirror (which does happen for some of the important repositories in the WordPress org).
Yeah, it also facilitates contributors running the workflows on a private fork. See:
| timeout-minutes: 20 | ||
| permissions: | ||
| contents: read # Required to clone the repo. | ||
| actions: write # Required by styfle/cancel-workflow-action to cancel prior runs. |
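Review bot: `actions: write` is the only write scope in this hunk and exists solely so styfle/cancel-workflow-action can cancel prior runs; a workflow-level `concurrency` block with `group: ${{ github.workflow }}-${{ github.ref }}` and `cancel-in-progress: true` cancels superseded runs with no token scope at all, so switching to it lets this job keep `contents: read` alone. Until then, the third-party action runs with a write-capable token, which is the reason the thread flags it for audit.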
Unrelated to this, but we need to audit third-party actions here.
styfle/cancel-workflow-action should be replaced with concurrency:
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true # or expression which evaluates to true/false
@thelovekesh Good call out. I will resolve my review comment stating the same.
| name: Check [Type] Label | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 10 | ||
| permissions: {} |
Maybe redundant given permissions are already disabled at the workflow level?
In my opinion, it's good to leave this and be explicit just in case the workflow-level permissions are changed unintentionally/unknowingly. @johnbillion what do you think?
Yeah the idea here is to be as explicit as possible. Defence in depth, etc.
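A complete workflow that applies the conventions discussed in this thread: a default-deny `permissions: {}` at the workflow level, explicit per-job scopes (including a job that restates `{}` because it never needs the token), a `timeout-minutes` cap on every job, and a `concurrency` block in place of styfle/cancel-workflow-action. This is an added illustration, not a file from this PR or the repository; the workflow and job names, the `npm` scripts, the `[Type]` label check logic and the action version tags are assumptions.

```yaml
name: Lint

on:
  push:
    branches: [ trunk ]
  pull_request:

# Default-deny at the workflow level: every job starts with no token scopes
# and must opt in to exactly the scopes it needs.
permissions: {}

# Cancel a superseded run of this workflow on the same ref. Unlike the
# cancel action, this needs no `actions: write` scope on the token.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  lint:
    name: Lint JavaScript
    runs-on: ubuntu-latest
    timeout-minutes: 10        # Cap runtime so a hung step cannot run for hours.
    permissions:
      contents: read           # Required to clone the repo (actions/checkout).
    steps:
      - uses: actions/checkout@v4     # assumed version tag
      - uses: actions/setup-node@v4   # assumed version tag
        with:
          node-version: 20
      - run: npm ci
      - run: npm run lint             # assumed script name

  check-label:
    name: Check [Type] Label
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    timeout-minutes: 5
    # Stated explicitly even though the workflow default is already {}: this
    # job only inspects the event payload and never needs the token, and the
    # job-level value still holds if the workflow-level default is changed.
    permissions: {}
    steps:
      - name: Require a [Type] label
        # Label names come from the PR, so they are passed through an
        # environment variable rather than interpolated into the script.
        env:
          LABELS: ${{ toJSON(github.event.pull_request.labels.*.name) }}
        run: |
          if ! printf '%s\n' "$LABELS" | grep -q '\[Type\]'; then
            echo "Missing [Type] label"
            exit 1
          fi
```

With this layout, a reviewer can read each job's `permissions` block in isolation to see the full token scope that job runs with; nothing is inherited implicitly, and a run from a private fork or mirror behaves the same as a run in the public repository.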
| name: Check Milestone | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 10 | ||
| permissions: {} |
This is not required for downloading artifacts from the same workflow run.
This looks good. The only thing I want to follow up on is confirming the props-bot.yml permissions. There was some Copilot feedback in another repository that I want to validate.
Looks like that comment was confirmed incorrect since I looked last. This is good to go.
This updates the GitHub Actions workflow files to:
Once this PR is merged, the Settings -> Actions -> Workflow permissions setting can be changed by a repo admin to "Read repository contents and packages permissions".
References
Use of AI
Claude Code was used to create the initial changes. All permissions and timeouts changes were reviewed and adjusted by me where necessary.