From 3038c38155bd655ba190f9ba7273eb6a11771dee Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Sun, 3 May 2026 13:06:07 +0100
Subject: [PATCH 1/2] Tighten up the GitHub Actions workflow permissions.
---
.github/workflows/cs.yml | 6 ++++++
.github/workflows/label-merge-conflicts.yml | 4 ++++
.github/workflows/lint.yml | 4 ++++
.github/workflows/quicktest.yml | 4 ++++
.github/workflows/reusable-update-cacert.yml | 6 ++++++
.github/workflows/test.yml | 4 ++++
.github/workflows/update-cacert-cron.yml | 5 +++++
.github/workflows/update-cacert.yml | 6 ++++++
.github/workflows/update-website.yml | 11 ++++++++---
9 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/cs.yml b/.github/workflows/cs.yml
index f0f632d50..131e548f6 100644
--- a/.github/workflows/cs.yml
+++ b/.github/workflows/cs.yml
@@ -13,10 +13,14 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions: {}
+
 jobs:
 actionlint: #----------------------------------------------------------------------
 name: 'Check GHA workflows'
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout code
@@ -41,6 +45,8 @@ jobs:
 phpcs: #----------------------------------------------------------------------
 name: 'PHPCS'
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout code
diff --git a/.github/workflows/label-merge-conflicts.yml b/.github/workflows/label-merge-conflicts.yml
index e3518a36f..bc9d9649c 100644
--- a/.github/workflows/label-merge-conflicts.yml
+++ b/.github/workflows/label-merge-conflicts.yml
@@ -13,10 +13,14 @@ on:
 - synchronize
 - reopened
+permissions: {}
+
 jobs:
 check-prs:
 runs-on: ubuntu-latest
 if: github.repository_owner == 'WordPress'
+ permissions:
+ pull-requests: write
 name: Check PRs for merge conflicts
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 8db30b3c8..7f7272b3b 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
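Review bot: The job-level `pull-requests: write` in label-merge-conflicts.yml becomes the token's only scope once `permissions: {}` is set at the top, but the event that owns the `synchronize`/`reopened` types list sits above the hunk, and the reach of that grant depends on it. If the event is `pull_request_target`, the write-scoped token is live for pull requests opened from forks, so the job must keep to labelling through the API and never check out or run the PR head; if it is plain `pull_request`, fork-originated runs receive a read-only token regardless and the grant only matters for same-repository branches. A one-line comment on the grant naming the trigger, adjusted to whichever applies, e.g. `# Write-scoped on fork PRs under pull_request_target: label only, never check out PR code.`, would keep the next editor from adding a checkout step to this job.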
@@ -13,9 +13,13 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions: {}
+
 jobs:
 lint: #----------------------------------------------------------------------
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 strategy:
 matrix:
diff --git a/.github/workflows/quicktest.yml b/.github/workflows/quicktest.yml
index 97e275cc3..58f4e486c 100644
--- a/.github/workflows/quicktest.yml
+++ b/.github/workflows/quicktest.yml
@@ -13,11 +13,15 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions: {}
+
 jobs:
 #### QUICK TEST STAGE ####
 # Runs the tests against select PHP versions for pushes to arbitrary branches.
 quicktest:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 strategy:
 matrix:
diff --git a/.github/workflows/reusable-update-cacert.yml b/.github/workflows/reusable-update-cacert.yml
index 9ea93edfe..98c6fd0e7 100644
--- a/.github/workflows/reusable-update-cacert.yml
+++ b/.github/workflows/reusable-update-cacert.yml
@@ -3,11 +3,17 @@ name: Certificates
 on:
 workflow_call:
+permissions: {}
+
 jobs:
 certificate-check:
 name: "Check for updated certificate bundle"
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+
 steps:
 - name: Determine branches to use
 id: branches
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d534d57f6..b99e70f14 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,10 +14,14 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions: {}
+
 jobs:
 #### TEST STAGE ####
 test:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 strategy:
 # Keys:
diff --git a/.github/workflows/update-cacert-cron.yml b/.github/workflows/update-cacert-cron.yml
index b37d842e0..d13948b1d 100644
--- a/.github/workflows/update-cacert-cron.yml
+++ b/.github/workflows/update-cacert-cron.yml
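Review bot: The job-level `permissions:` block added to reusable-update-cacert.yml is followed by an extra added blank line before `steps:`, whereas the same block in cs.yml, lint.yml, quicktest.yml, test.yml and update-cacert-cron.yml runs straight into the next key; update-cacert.yml and update-website.yml use the blank-line form again. The permission stanza is the thing a reader will grep for across all nine workflows, so it is worth laying it out identically everywhere — dropping the trailing `+` blank line here and in the other two files is the smaller change. Style only; the steps that consume these scopes are outside the hunk.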
@@ -11,9 +11,14 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions: {}
+
 jobs:
 certificate-check:
 # Don't run the cron job on forks.
 if: ${{ github.event.repository.fork == false }}
+ permissions:
+ contents: write
+ pull-requests: write
 uses: ./.github/workflows/reusable-update-cacert.yml
diff --git a/.github/workflows/update-cacert.yml b/.github/workflows/update-cacert.yml
index b3e600923..b6262c188 100644
--- a/.github/workflows/update-cacert.yml
+++ b/.github/workflows/update-cacert.yml
@@ -24,6 +24,12 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions: {}
+
 jobs:
 certificate-check:
+ permissions:
+ contents: write
+ pull-requests: write
+
 uses: ./.github/workflows/reusable-update-cacert.yml
diff --git a/.github/workflows/update-website.yml b/.github/workflows/update-website.yml
index 5bcca3e97..26e490e77 100644
--- a/.github/workflows/update-website.yml
+++ b/.github/workflows/update-website.yml
@@ -21,9 +21,7 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
-permissions:
- pull-requests: write
- contents: write
+permissions: {}
 jobs:
 prepare:
@@ -32,6 +30,9 @@ jobs:
 if: github.repository == 'WordPress/Requests'
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+
 steps:
 # By default use the `stable` branch as the published docs should always
 # reflect the latest release.
@@ -91,6 +92,10 @@ jobs:
 if: github.repository == 'WordPress/Requests'
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+
 steps:
 # PRs based on the "pull request" event trigger will contain changes from the
 # current `develop` branch, so should not be published as the website should
From f4e1d45fea4275b020837b6bfe3248ce3aa8ca41 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Tue, 5 May 2026 11:19:11 +0100
Subject: [PATCH 2/2] Add inline docs to the permissions directives.
---
.github/workflows/cs.yml | 6 ++++--
.github/workflows/label-merge-conflicts.yml | 4 +++-
.github/workflows/lint.yml | 4 +++-
.github/workflows/quicktest.yml | 4 +++-
.github/workflows/reusable-update-cacert.yml | 6 ++++--
.github/workflows/test.yml | 4 +++-
.github/workflows/update-cacert-cron.yml | 6 ++++--
.github/workflows/update-cacert.yml | 6 ++++--
.github/workflows/update-website.yml | 8 +++++---
9 files changed, 33 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/cs.yml b/.github/workflows/cs.yml
index 131e548f6..7e5f8a5c8 100644
--- a/.github/workflows/cs.yml
+++ b/.github/workflows/cs.yml
@@ -13,6 +13,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
 permissions: {}
 jobs:
@@ -20,7 +22,7 @@ jobs:
 name: 'Check GHA workflows'
 runs-on: ubuntu-latest
 permissions:
- contents: read
+ contents: read # Needed to clone the repo.
 steps:
 - name: Checkout code
@@ -46,7 +48,7 @@ jobs:
 name: 'PHPCS'
 runs-on: ubuntu-latest
 permissions:
- contents: read
+ contents: read # Needed to clone the repo.
 steps:
 - name: Checkout code
diff --git a/.github/workflows/label-merge-conflicts.yml b/.github/workflows/label-merge-conflicts.yml
index bc9d9649c..f2dbe3c53 100644
--- a/.github/workflows/label-merge-conflicts.yml
+++ b/.github/workflows/label-merge-conflicts.yml
@@ -13,6 +13,8 @@ on:
 - synchronize
 - reopened
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
 permissions: {}
 jobs:
@@ -20,7 +22,7 @@ jobs:
 runs-on: ubuntu-latest
 if: github.repository_owner == 'WordPress'
 permissions:
- pull-requests: write
+ pull-requests: write # Needed to add and remove labels on the PR.
 name: Check PRs for merge conflicts
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 7f7272b3b..3f7bbfafc 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -13,13 +13,15 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
 permissions: {}
 jobs:
 lint: #----------------------------------------------------------------------
 runs-on: ubuntu-latest
 permissions:
- contents: read
+ contents: read # Needed to clone the repo.
 strategy:
 matrix:
diff --git a/.github/workflows/quicktest.yml b/.github/workflows/quicktest.yml
index 58f4e486c..92f055a07 100644
--- a/.github/workflows/quicktest.yml
+++ b/.github/workflows/quicktest.yml
@@ -13,6 +13,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
 permissions: {}
 jobs:
@@ -21,7 +23,7 @@ jobs:
 quicktest:
 runs-on: ubuntu-latest
 permissions:
- contents: read
+ contents: read # Needed to clone the repo.
 strategy:
 matrix:
diff --git a/.github/workflows/reusable-update-cacert.yml b/.github/workflows/reusable-update-cacert.yml
index 98c6fd0e7..ad04bf4c8 100644
--- a/.github/workflows/reusable-update-cacert.yml
+++ b/.github/workflows/reusable-update-cacert.yml
@@ -3,6 +3,8 @@ name: Certificates
 on:
 workflow_call:
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
 permissions: {}
 jobs:
@@ -11,8 +13,8 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
- contents: write
- pull-requests: write
+ contents: write # Needed to push commits to a branch in the repo.
+ pull-requests: write # Needed to create a PR.
 steps:
 - name: Determine branches to use
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index b99e70f14..0999b9199 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,6 +14,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
 permissions: {}
 jobs:
@@ -21,7 +23,7 @@ jobs:
 test:
 runs-on: ubuntu-latest
 permissions:
- contents: read
+ contents: read # Needed to clone the repo.
 strategy:
 # Keys:
diff --git a/.github/workflows/update-cacert-cron.yml b/.github/workflows/update-cacert-cron.yml
index d13948b1d..b263b73a2 100644
--- a/.github/workflows/update-cacert-cron.yml
+++ b/.github/workflows/update-cacert-cron.yml
@@ -11,6 +11,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
 permissions: {}
 jobs:
@@ -18,7 +20,7 @@ jobs:
 # Don't run the cron job on forks.
 if: ${{ github.event.repository.fork == false }}
 permissions:
- contents: write
- pull-requests: write
+ contents: write # Needed to push commits to a branch in the repo.
+ pull-requests: write # Needed to create a PR.
 uses: ./.github/workflows/reusable-update-cacert.yml
diff --git a/.github/workflows/update-cacert.yml b/.github/workflows/update-cacert.yml
index b6262c188..6439c4fab 100644
--- a/.github/workflows/update-cacert.yml
+++ b/.github/workflows/update-cacert.yml
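Review bot: The two inline comments added to the caller job in update-cacert-cron.yml say the scopes are needed to push commits and create a PR, but this job does neither itself — its only action is the `uses: ./.github/workflows/reusable-update-cacert.yml` line beneath, and the caller's job-level grant is the ceiling the called workflow's GITHUB_TOKEN inherits. Saying so would spare a reader the hunt for a push step in this file: `contents: write # Ceiling passed to reusable-update-cacert.yml, which pushes the commit.` and `pull-requests: write # Ceiling passed to reusable-update-cacert.yml, which opens the PR.`. The same wording is used on the caller job in update-cacert.yml and could be adjusted there as well.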
@@ -24,12 +24,14 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
 permissions: {}
 jobs:
 certificate-check:
 permissions:
- contents: write
- pull-requests: write
+ contents: write # Needed to push commits to a branch in the repo.
+ pull-requests: write # Needed to create a PR.
 uses: ./.github/workflows/reusable-update-cacert.yml
diff --git a/.github/workflows/update-website.yml b/.github/workflows/update-website.yml
index 26e490e77..b9ff2e21e 100644
--- a/.github/workflows/update-website.yml
+++ b/.github/workflows/update-website.yml
@@ -21,6 +21,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
 permissions: {}
 jobs:
@@ -31,7 +33,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
- contents: read
+ contents: read # Needed to clone the repo.
 steps:
 # By default use the `stable` branch as the published docs should always
@@ -93,8 +95,8 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
- contents: write
- pull-requests: write
+ contents: write # Needed to push commits to a branch in the repo.
+ pull-requests: write # Needed to create a PR.
 steps:
 # PRs based on the "pull request" event trigger will contain changes from the