From 59d116eead07e3885396d1623eb1dfda3c9917bd Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Fri, 5 Sep 2025 19:11:00 +0100 Subject: [PATCH 01/21] Add more workflow file linting with Octoscan, Zizmor, and Poutine --- .github/workflows/reusable-workflow-lint.yml | 90 +++++++++++++++++++- 1 file changed, 86 insertions(+), 4 deletions(-) diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index 8a83830beb8fd..253843d3603dd 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml @@ -9,10 +9,6 @@ jobs: # # This helps guard against common mistakes including strong type checking for expressions (${{ }}), security checks, # `run:` script checking, glob syntax validation, and more. - # - # Performs the following steps: - # - Checks out the repository. - # - Runs actionlint. actionlint: name: Run actionlint runs-on: ubuntu-24.04 @@ -32,3 +28,89 @@ jobs: uses: docker://rhysd/actionlint@sha256:887a259a5a534f3c4f36cb02dca341673c6089431057242cdc931e9f133147e9 # v1.7.7 with: args: "-color -verbose" + + # Runs the Octoscan GitHub Action workflow file linter. + # + # This helps guard against injection attacks, credential exposure, vulnerable actions, repository jacking, + # dangerous checkouts, and artifact security issues. + octoscan: + name: Octoscan + runs-on: ubuntu-24.04 + permissions: + security-events: write + actions: read + contents: read + timeout-minutes: 10 + steps: + - name: Checkout code + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + + - name: Run octoscan + id: octoscan + uses: synacktiv/action-octoscan@6b1cf2343893dfb9e5f75652388bd2dc83f456b0 # v1.0.0 + with: + filter_triggers: '' + + - name: Upload SARIF file to GitHub + uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11 + with: + sarif_file: "${{steps.octoscan.outputs.sarif_output}}" + category: octoscan + + # Runs the Zizmor GitHub Action workflow file linter. + # + # This helps guard against supply chain attacks, unpinned dependencies, excessive permissions, + # dangerous triggers, credential leaks, and sophisticated security vulnerabilities. + zizmor: + name: Zizmor + runs-on: ubuntu-24.04 + permissions: + security-events: write + actions: read + contents: read + steps: + - name: Checkout repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + + - name: Install the latest version of uv + uses: astral-sh/setup-uv@4959332f0f014c5280e7eac8b70c90cb574c9f9b # v6.6.0 + + - name: Run zizmor + run: uvx zizmor@1.12.0 --persona=auditor --format=sarif . > results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11 + with: + sarif_file: results.sarif + category: zizmor + + # Runs the Poutine GitHub Action workflow file linter. + # + # This helps guard against CI/CD pipeline risks, supply chain vulnerabilities, excessive permissions, + # and dangerous build platform configurations. + poutine: + name: Poutine + runs-on: ubuntu-24.04 + permissions: + security-events: write + contents: read + steps: + - name: Checkout repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + + - name: Run Poutine + uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2 + + - name: Upload poutine SARIF file + uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11 + with: + sarif_file: results.sarif + category: poutine From b1191b9cf2262a14aa37c312ce10d347a6f8e9a8 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Fri, 5 Sep 2025 19:15:22 +0100 Subject: [PATCH 02/21] Docs. --- .github/workflows/reusable-workflow-lint.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index 253843d3603dd..e9699dcc5d18d 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml @@ -7,6 +7,8 @@ permissions: {} jobs: # Runs the actionlint GitHub Action workflow file linter. # + # See https://github.com/rhysd/actionlint. + # # This helps guard against common mistakes including strong type checking for expressions (${{ }}), security checks, # `run:` script checking, glob syntax validation, and more. actionlint: @@ -22,8 +24,6 @@ jobs: persist-credentials: false show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} - # actionlint is static checker for GitHub Actions workflow files. - # See https://github.com/rhysd/actionlint. - name: Run actionlint uses: docker://rhysd/actionlint@sha256:887a259a5a534f3c4f36cb02dca341673c6089431057242cdc931e9f133147e9 # v1.7.7 with: @@ -31,6 +31,8 @@ jobs: # Runs the Octoscan GitHub Action workflow file linter. # + # See https://github.com/synacktiv/octoscan + # # This helps guard against injection attacks, credential exposure, vulnerable actions, repository jacking, # dangerous checkouts, and artifact security issues. octoscan: @@ -61,6 +63,8 @@ jobs: # Runs the Zizmor GitHub Action workflow file linter. # + # See https://github.com/zizmorcore/zizmor + # # This helps guard against supply chain attacks, unpinned dependencies, excessive permissions, # dangerous triggers, credential leaks, and sophisticated security vulnerabilities. zizmor: @@ -92,6 +96,8 @@ jobs: # Runs the Poutine GitHub Action workflow file linter. # + # See https://github.com/boostsecurityio/poutine + # # This helps guard against CI/CD pipeline risks, supply chain vulnerabilities, excessive permissions, # and dangerous build platform configurations. poutine: From 7140777de42464f3cf909dd22f298e4632d9d8ee Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Fri, 5 Sep 2025 22:15:16 +0100 Subject: [PATCH 03/21] Disable some Octoscan rules. --- .github/workflows/reusable-workflow-lint.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index e9699dcc5d18d..c06d3bac71547 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml @@ -54,6 +54,7 @@ jobs: uses: synacktiv/action-octoscan@6b1cf2343893dfb9e5f75652388bd2dc83f456b0 # v1.0.0 with: filter_triggers: '' + disable_rules: 'local-action,runner-label' - name: Upload SARIF file to GitHub uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11 From 73cbaeefeafbf3bd345d6324ed3488070ce441b3 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Sat, 6 Sep 2025 00:54:01 +0100 Subject: [PATCH 04/21] Let's calm this down a bit. --- .github/workflows/reusable-workflow-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index c06d3bac71547..0b219c185bd2b 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml @@ -85,7 +85,7 @@ jobs: uses: astral-sh/setup-uv@4959332f0f014c5280e7eac8b70c90cb574c9f9b # v6.6.0 - name: Run zizmor - run: uvx zizmor@1.12.0 --persona=auditor --format=sarif . > results.sarif + run: uvx zizmor@1.12.0 --persona=regular --format=sarif . > results.sarif env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 3e3a0bb3bd773c5f46a2dfaf63d688b70a4864e4 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Sat, 6 Sep 2025 01:32:59 +0100 Subject: [PATCH 05/21] The git credentials need to be retained, so make it explicit. --- .github/workflows/commit-built-file-changes.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/commit-built-file-changes.yml b/.github/workflows/commit-built-file-changes.yml index 32f3e9ea29ebd..4d74598d78807 100644 --- a/.github/workflows/commit-built-file-changes.yml +++ b/.github/workflows/commit-built-file-changes.yml @@ -131,6 +131,7 @@ jobs: path: 'pr-repo' show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} token: ${{ env.ACCESS_TOKEN }} + persist-credentials: true - name: Apply patch if: ${{ steps.artifact-check.outputs.exists == 'true' }} From 9cedc48547e24ffaff9bbbe1b640e3fcff623a9d Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Sat, 6 Sep 2025 01:33:28 +0100 Subject: [PATCH 06/21] Make more use of environment variables. --- .github/workflows/commit-built-file-changes.yml | 4 ++-- .../workflows/reusable-cleanup-pull-requests.yml | 15 +++++++++++---- .github/workflows/reusable-phpunit-tests-v3.yml | 2 +- 3 files changed, 14 insertions(+), 7 deletions(-) diff --git a/.github/workflows/commit-built-file-changes.yml b/.github/workflows/commit-built-file-changes.yml index 4d74598d78807..25ce10ea0db36 100644 --- a/.github/workflows/commit-built-file-changes.yml +++ b/.github/workflows/commit-built-file-changes.yml @@ -136,7 +136,7 @@ jobs: - name: Apply patch if: ${{ steps.artifact-check.outputs.exists == 'true' }} working-directory: 'pr-repo' - run: git apply ${{ github.workspace }}/changes.diff + run: git apply "$GITHUB_WORKSPACE/changes.diff" - name: Display changes to versioned files if: ${{ steps.artifact-check.outputs.exists == 'true' }} @@ -150,7 +150,7 @@ jobs: GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }} run: | git config user.name "wordpress-develop-pr-bot[bot]" - git config user.email ${{ env.GH_APP_ID }}+wordpress-develop-pr-bot[bot]@users.noreply.github.com + git config user.email "${GH_APP_ID}+wordpress-develop-pr-bot[bot]@users.noreply.github.com" - name: Stage changes if: ${{ steps.artifact-check.outputs.exists == 'true' }} diff --git a/.github/workflows/reusable-cleanup-pull-requests.yml b/.github/workflows/reusable-cleanup-pull-requests.yml index e65c1e211fce3..1f7e21f9f5600 100644 --- a/.github/workflows/reusable-cleanup-pull-requests.yml +++ b/.github/workflows/reusable-cleanup-pull-requests.yml @@ -47,9 +47,11 @@ jobs: id: linked-prs if: ${{ steps.trac-tickets.outputs.fixed_list != '' && steps.git-svn-id.outputs.svn_revision_number != '' }} uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + env: + FIXED_LIST: ${{ steps.trac-tickets.outputs.fixed_list }} with: script: | - const fixedList = "${{ steps.trac-tickets.outputs.fixed_list }}".split(' ').filter(Boolean); + const fixedList = process.env.FIXED_LIST.split(' ').filter(Boolean); let prNumbers = []; for (const ticket of fixedList) { @@ -83,14 +85,19 @@ jobs: - name: Comment and close pull requests if: ${{ steps.trac-tickets.outputs.fixed_list != '' && steps.git-svn-id.outputs.svn_revision_number != '' }} uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + env: + PR_NUMBERS: ${{ steps.linked-prs.outputs.result }} + SVN_REVISION_NUMBER: ${{ steps.git-svn-id.outputs.svn_revision_number }} with: script: | - const prNumbers = ${{ steps.linked-prs.outputs.result }}; + const prNumbers = process.env.PR_NUMBERS; + const svnRevisionNumber = process.env.SVN_REVISION_NUMBER; + const githubSha = process.env.GITHUB_SHA; const commentBody = `A commit was made that fixes the Trac ticket referenced in the description of this pull request. - SVN changeset: [${{ steps.git-svn-id.outputs.svn_revision_number }}](https://core.trac.wordpress.org/changeset/${{ steps.git-svn-id.outputs.svn_revision_number }}) - GitHub commit: https://github.com/WordPress/wordpress-develop/commit/${{ github.sha }} + SVN changeset: [${svnRevisionNumber}](https://core.trac.wordpress.org/changeset/${svnRevisionNumber}) + GitHub commit: https://github.com/WordPress/wordpress-develop/commit/${githubSha} This PR will be closed, but please confirm the accuracy of this and reopen if there is more work to be done.`; diff --git a/.github/workflows/reusable-phpunit-tests-v3.yml b/.github/workflows/reusable-phpunit-tests-v3.yml index bae7dd436f5a3..88d3bdd5d80d3 100644 --- a/.github/workflows/reusable-phpunit-tests-v3.yml +++ b/.github/workflows/reusable-phpunit-tests-v3.yml @@ -140,7 +140,7 @@ jobs: if: ${{ contains( fromJSON('["8.3", "8.4"]'), inputs.php ) }} env: PHP_VERSION: ${{ inputs.php }} - run: cp "tools/local-env/php-${{ env.PHP_VERSION }}-docker-compose.override.yml" docker-compose.override.yml + run: cp "tools/local-env/php-$PHP_VERSION-docker-compose.override.yml" docker-compose.override.yml - name: Set up Node.js uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0 From 446a55b71b7535f4347e2194f3011395e5793026 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Sat, 6 Sep 2025 01:33:53 +0100 Subject: [PATCH 07/21] Be more explicit about secrets. --- .github/workflows/install-testing.yml | 1 - .../workflows/local-docker-environment.yml | 1 - .github/workflows/phpunit-tests.yml | 20 ++++++++++++++----- 3 files changed, 15 insertions(+), 7 deletions(-) diff --git a/.github/workflows/install-testing.yml b/.github/workflows/install-testing.yml index ead2621da2ae5..0c79aac88811a 100644 --- a/.github/workflows/install-testing.yml +++ b/.github/workflows/install-testing.yml @@ -46,7 +46,6 @@ jobs: uses: ./.github/workflows/reusable-support-json-reader-v1.yml permissions: contents: read - secrets: inherit if: ${{ github.repository == 'WordPress/wordpress-develop' }} with: wp-version: ${{ inputs.wp-version }} diff --git a/.github/workflows/local-docker-environment.yml b/.github/workflows/local-docker-environment.yml index 9e9b1259ea60d..b4bae7b491b60 100644 --- a/.github/workflows/local-docker-environment.yml +++ b/.github/workflows/local-docker-environment.yml @@ -76,7 +76,6 @@ jobs: uses: ./.github/workflows/reusable-support-json-reader-v1.yml permissions: contents: read - secrets: inherit if: ${{ github.repository == 'WordPress/wordpress-develop' }} with: wp-version: ${{ github.event_name == 'pull_request' && github.base_ref || github.ref_name }} diff --git a/.github/workflows/phpunit-tests.yml b/.github/workflows/phpunit-tests.yml index 420506d42265c..9da621e9d7d63 100644 --- a/.github/workflows/phpunit-tests.yml +++ b/.github/workflows/phpunit-tests.yml @@ -64,7 +64,9 @@ jobs: uses: ./.github/workflows/reusable-phpunit-tests-v3.yml permissions: contents: read - secrets: inherit + secrets: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + WPT_REPORT_API_KEY: ${{ secrets.WPT_REPORT_API_KEY }} if: ${{ startsWith( github.repository, 'WordPress/' ) && ( github.repository == 'WordPress/wordpress-develop' || ( github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' ) ) }} strategy: fail-fast: false @@ -141,7 +143,9 @@ jobs: uses: ./.github/workflows/reusable-phpunit-tests-v3.yml permissions: contents: read - secrets: inherit + secrets: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + WPT_REPORT_API_KEY: ${{ secrets.WPT_REPORT_API_KEY }} if: ${{ startsWith( github.repository, 'WordPress/' ) && ( github.repository == 'WordPress/wordpress-develop' || ( github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' ) ) }} strategy: fail-fast: false @@ -193,7 +197,9 @@ jobs: uses: ./.github/workflows/reusable-phpunit-tests-v3.yml permissions: contents: read - secrets: inherit + secrets: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + WPT_REPORT_API_KEY: ${{ secrets.WPT_REPORT_API_KEY }} if: ${{ startsWith( github.repository, 'WordPress/' ) && ( github.repository == 'WordPress/wordpress-develop' || ( github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' ) ) }} strategy: fail-fast: false @@ -236,7 +242,9 @@ jobs: uses: ./.github/workflows/reusable-phpunit-tests-v3.yml permissions: contents: read - secrets: inherit + secrets: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + WPT_REPORT_API_KEY: ${{ secrets.WPT_REPORT_API_KEY }} if: ${{ startsWith( github.repository, 'WordPress/' ) && ( github.repository == 'WordPress/wordpress-develop' || ( github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' ) ) }} strategy: fail-fast: false @@ -265,7 +273,9 @@ jobs: uses: ./.github/workflows/reusable-phpunit-tests-v3.yml permissions: contents: read - secrets: inherit + secrets: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + WPT_REPORT_API_KEY: ${{ secrets.WPT_REPORT_API_KEY }} if: ${{ ! startsWith( github.repository, 'WordPress/' ) && github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' }} strategy: fail-fast: false From eac6a9099d431a0c302bcc1e0b7d24d421194d1e Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Sat, 6 Sep 2025 01:34:01 +0100 Subject: [PATCH 08/21] Don't persist git credentials here. --- .github/workflows/reusable-check-built-files.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/reusable-check-built-files.yml b/.github/workflows/reusable-check-built-files.yml index 34d201398a376..1aa81ca9182fb 100644 --- a/.github/workflows/reusable-check-built-files.yml +++ b/.github/workflows/reusable-check-built-files.yml @@ -40,6 +40,7 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 From 76a3b2ea93bf2a8d20309ca51290f140b7b52ec5 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Sat, 6 Sep 2025 01:49:42 +0100 Subject: [PATCH 09/21] Combine these two steps into one. --- .../reusable-cleanup-pull-requests.yml | 20 ++++--------------- 1 file changed, 4 insertions(+), 16 deletions(-) diff --git a/.github/workflows/reusable-cleanup-pull-requests.yml b/.github/workflows/reusable-cleanup-pull-requests.yml index 1f7e21f9f5600..687a9714e81ce 100644 --- a/.github/workflows/reusable-cleanup-pull-requests.yml +++ b/.github/workflows/reusable-cleanup-pull-requests.yml @@ -43,15 +43,17 @@ jobs: COMMIT_MESSAGE="$(echo "$COMMIT_MSG_RAW" | sed -n '$p')" echo "svn_revision_number=$(echo "$COMMIT_MESSAGE" | sed -n 's/.*git-svn-id: https:\/\/develop.svn.wordpress.org\/[^@]*@\([0-9]*\) .*/\1/p')" >> "$GITHUB_OUTPUT" - - name: Find pull requests - id: linked-prs + - name: Find and close pull requests if: ${{ steps.trac-tickets.outputs.fixed_list != '' && steps.git-svn-id.outputs.svn_revision_number != '' }} uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 env: FIXED_LIST: ${{ steps.trac-tickets.outputs.fixed_list }} + SVN_REVISION_NUMBER: ${{ steps.git-svn-id.outputs.svn_revision_number }} with: script: | const fixedList = process.env.FIXED_LIST.split(' ').filter(Boolean); + const svnRevisionNumber = process.env.SVN_REVISION_NUMBER; + const githubSha = process.env.GITHUB_SHA; let prNumbers = []; for (const ticket of fixedList) { @@ -80,20 +82,6 @@ jobs: prNumbers.push(...result.search.nodes.map(pr => pr.number)); } - return prNumbers; - - - name: Comment and close pull requests - if: ${{ steps.trac-tickets.outputs.fixed_list != '' && steps.git-svn-id.outputs.svn_revision_number != '' }} - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - env: - PR_NUMBERS: ${{ steps.linked-prs.outputs.result }} - SVN_REVISION_NUMBER: ${{ steps.git-svn-id.outputs.svn_revision_number }} - with: - script: | - const prNumbers = process.env.PR_NUMBERS; - const svnRevisionNumber = process.env.SVN_REVISION_NUMBER; - const githubSha = process.env.GITHUB_SHA; - const commentBody = `A commit was made that fixes the Trac ticket referenced in the description of this pull request. SVN changeset: [${svnRevisionNumber}](https://core.trac.wordpress.org/changeset/${svnRevisionNumber}) From 16f38dc825ffc9acf3ce24f1055cf1ab9293cd35 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Sat, 6 Sep 2025 01:51:26 +0100 Subject: [PATCH 10/21] Temporarily disable this slow workflow. --- .github/workflows/test-coverage.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/test-coverage.yml b/.github/workflows/test-coverage.yml index dbf9b79b9393e..5bfcd1b9c0db4 100644 --- a/.github/workflows/test-coverage.yml +++ b/.github/workflows/test-coverage.yml @@ -11,15 +11,15 @@ on: - 'docker-compose.yml' - 'phpunit.xml.dist' - 'tests/phpunit/multisite.xml' - pull_request: - branches: - - trunk - paths: - - '.github/workflows/test-coverage.yml' - - '.github/workflows/reusable-phpunit-tests-v3.yml' - - 'docker-compose.yml' - - 'phpunit.xml.dist' - - 'tests/phpunit/multisite.xml' + # pull_request: + # branches: + # - trunk + # paths: + # - '.github/workflows/test-coverage.yml' + # - '.github/workflows/reusable-phpunit-tests-v3.yml' + # - 'docker-compose.yml' + # - 'phpunit.xml.dist' + # - 'tests/phpunit/multisite.xml' # Once daily at 00:00 UTC. schedule: - cron: '0 0 * * *' From 86976594f22c32cff868482bef19e8e15cb91505 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Sat, 6 Sep 2025 18:42:23 +0100 Subject: [PATCH 11/21] No need to wait for SARIF processing. --- .github/workflows/reusable-workflow-lint.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index 0b219c185bd2b..0565e5ef84a67 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml @@ -61,6 +61,7 @@ jobs: with: sarif_file: "${{steps.octoscan.outputs.sarif_output}}" category: octoscan + wait-for-processing: false # Runs the Zizmor GitHub Action workflow file linter. # @@ -94,6 +95,7 @@ jobs: with: sarif_file: results.sarif category: zizmor + wait-for-processing: false # Runs the Poutine GitHub Action workflow file linter. # @@ -121,3 +123,4 @@ jobs: with: sarif_file: results.sarif category: poutine + wait-for-processing: false From aa4b18d4740ba9e8ecc106203742074c75f4b2ee Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Sat, 6 Sep 2025 18:42:46 +0100 Subject: [PATCH 12/21] Indentation. --- .github/workflows/reusable-workflow-lint.yml | 24 ++++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index 0565e5ef84a67..c7a5e06999043 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml @@ -110,17 +110,17 @@ jobs: security-events: write contents: read steps: - - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - persist-credentials: false + - name: Checkout repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - - name: Run Poutine - uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2 + - name: Run Poutine + uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2 - - name: Upload poutine SARIF file - uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11 - with: - sarif_file: results.sarif - category: poutine - wait-for-processing: false + - name: Upload poutine SARIF file + uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11 + with: + sarif_file: results.sarif + category: poutine + wait-for-processing: false From 817f11847331eff6af8448ced1ce7a5af3af9ade Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Sat, 6 Sep 2025 18:48:12 +0100 Subject: [PATCH 13/21] Instruct Zizmor to fail when it can't process collected actions or workflows. --- .github/workflows/reusable-workflow-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index c7a5e06999043..6c3442717cdb3 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml @@ -86,7 +86,7 @@ jobs: uses: astral-sh/setup-uv@4959332f0f014c5280e7eac8b70c90cb574c9f9b # v6.6.0 - name: Run zizmor - run: uvx zizmor@1.12.0 --persona=regular --format=sarif . > results.sarif + run: uvx zizmor@1.12.0 --persona=regular --format=sarif --strict-collection . > results.sarif env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 64b09bf86c96f76efe920c796795ce97652eaac7 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 7 Oct 2025 14:05:05 +0100 Subject: [PATCH 14/21] Update everything. --- .github/workflows/reusable-workflow-lint.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index 6c3442717cdb3..101e114fd19bf 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml @@ -57,7 +57,7 @@ jobs: disable_rules: 'local-action,runner-label' - name: Upload SARIF file to GitHub - uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11 + uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6 with: sarif_file: "${{steps.octoscan.outputs.sarif_output}}" category: octoscan @@ -83,15 +83,15 @@ jobs: persist-credentials: false - name: Install the latest version of uv - uses: astral-sh/setup-uv@4959332f0f014c5280e7eac8b70c90cb574c9f9b # v6.6.0 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 - name: Run zizmor - run: uvx zizmor@1.12.0 --persona=regular --format=sarif --strict-collection . > results.sarif + run: uvx zizmor@1.14.2 --persona=regular --format=sarif --strict-collection . > results.sarif env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11 + uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6 with: sarif_file: results.sarif category: zizmor @@ -119,7 +119,7 @@ jobs: uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2 - name: Upload poutine SARIF file - uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11 + uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6 with: sarif_file: results.sarif category: poutine From e3062e97bc028c62692834b860a58af244f4333c Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 17 Mar 2026 16:46:16 +0000 Subject: [PATCH 15/21] Remove Poutine and Octoscan in favour of Actionlint and Zizmor. --- .github/workflows/reusable-workflow-lint.yml | 62 -------------------- 1 file changed, 62 deletions(-) diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index 2b54e064b0f33..123a7a67e772b 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml @@ -29,40 +29,6 @@ jobs: with: args: "-color -verbose" - # Runs the Octoscan GitHub Action workflow file linter. - # - # See https://github.com/synacktiv/octoscan - # - # This helps guard against injection attacks, credential exposure, vulnerable actions, repository jacking, - # dangerous checkouts, and artifact security issues. - octoscan: - name: Octoscan - runs-on: ubuntu-24.04 - permissions: - security-events: write - actions: read - contents: read - timeout-minutes: 10 - steps: - - name: Checkout code - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - persist-credentials: false - - - name: Run octoscan - id: octoscan - uses: synacktiv/action-octoscan@6b1cf2343893dfb9e5f75652388bd2dc83f456b0 # v1.0.0 - with: - filter_triggers: '' - disable_rules: 'local-action,runner-label' - - - name: Upload SARIF file to GitHub - uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6 - with: - sarif_file: "${{steps.octoscan.outputs.sarif_output}}" - category: octoscan - wait-for-processing: false - # Runs the Zizmor GitHub Action workflow file linter. # # See https://github.com/zizmorcore/zizmor @@ -96,31 +62,3 @@ jobs: sarif_file: results.sarif category: zizmor wait-for-processing: false - - # Runs the Poutine GitHub Action workflow file linter. - # - # See https://github.com/boostsecurityio/poutine - # - # This helps guard against CI/CD pipeline risks, supply chain vulnerabilities, excessive permissions, - # and dangerous build platform configurations. - poutine: - name: Poutine - runs-on: ubuntu-24.04 - permissions: - security-events: write - contents: read - steps: - - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - persist-credentials: false - - - name: Run Poutine - uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2 - - - name: Upload poutine SARIF file - uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6 - with: - sarif_file: results.sarif - category: poutine - wait-for-processing: false From 501e970724321fc969ff84904acaca2502545573 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 17 Mar 2026 16:46:27 +0000 Subject: [PATCH 16/21] Add some docs about running locally. --- README.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/README.md b/README.md index 4c27999495f55..949c085e3aacb 100644 --- a/README.md +++ b/README.md @@ -97,6 +97,29 @@ npm run test:php -- --filter npm run test:php -- --group ``` +#### To lint the workflow files + +GitHub Actions workflows operate in a privileged software supply chain environment, therefore the workflow files must be adhere to a high degree of quality and security standards. + +The YAML workflow files in the `.github/workflows` directory are statically scanned during GitHub Actions workflow runs using [Actionlint](https://github.com/rhysd/actionlint) and [Zizmor](https://github.com/zizmorcore/zizmor). If you're making changes to those files then you can install both these tools locally using a package manager for your operating system and then run them to lint the files. + +- [Actionlint installations instructions](https://github.com/rhysd/actionlint/blob/main/docs/install.md) +- [Zizmor installation instructions](https://docs.zizmor.sh/installation/) + +To run Actionlint: + +``` +actionlint +``` + +To run Zizmor (note the trailing period): + +``` +zizmor . +``` + +The linting that happens during GitHub Actions workflow runs is connected to GitHub Code Scanning, so linting errors won't cause workflow runs to fail directly. Some linting issues that are reported locally may be ignored in the Code Scanning settings. + #### Generating a code coverage report PHP code coverage reports are [generated daily](https://github.com/WordPress/wordpress-develop/actions/workflows/test-coverage.yml) and [submitted to Codecov.io](https://app.codecov.io/gh/WordPress/wordpress-develop). From 8ced8e408546bf9cf883976c6294fc3d327406a4 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 17 Mar 2026 17:03:09 +0000 Subject: [PATCH 17/21] Update everything. --- .github/workflows/reusable-workflow-lint.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index 123a7a67e772b..b3b9d5a289d2f 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml @@ -25,7 +25,7 @@ jobs: show-progress: ${{ runner.debug == '1' && 'true' || 'false' }} - name: Run actionlint - uses: docker://rhysd/actionlint@sha256:887a259a5a534f3c4f36cb02dca341673c6089431057242cdc931e9f133147e9 # v1.7.7 + uses: docker://rhysd/actionlint@sha256:5457037ba91acd225478edac3d4b32e45cf6c10291e0dabbfd2491c63129afe1 # v1.7.11 with: args: "-color -verbose" @@ -44,20 +44,20 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Install the latest version of uv - uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 - name: Run zizmor - run: uvx zizmor@1.14.2 --persona=regular --format=sarif --strict-collection . > results.sarif + run: uvx zizmor@1.23.1 --persona=regular --format=sarif --strict-collection . > results.sarif env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6 + uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 with: sarif_file: results.sarif category: zizmor From fb82330f53ee828637242b865dfb12adffa5d619 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Wed, 15 Apr 2026 16:09:02 +0100 Subject: [PATCH 18/21] Update .github/workflows/reusable-workflow-lint.yml Co-authored-by: Jonathan Desrosiers <359867+desrosj@users.noreply.github.com> --- .github/workflows/reusable-workflow-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index b3b9d5a289d2f..1b8fae8b83c12 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml @@ -52,7 +52,7 @@ jobs: uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 - name: Run zizmor - run: uvx zizmor@1.23.1 --persona=regular --format=sarif --strict-collection . > results.sarif + run: uvx zizmor@1.24.1 --persona=regular --format=sarif --strict-collection . > results.sarif env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From d1962c2397f6087d417abc0dead00b5e44457607 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 20 Apr 2026 17:55:16 +0100 Subject: [PATCH 19/21] Apply suggestions from code review Co-authored-by: Jonathan Desrosiers <359867+desrosj@users.noreply.github.com> --- .github/workflows/reusable-cleanup-pull-requests.yml | 4 ++-- .github/workflows/reusable-workflow-lint.yml | 6 ++++++ README.md | 8 ++++---- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/.github/workflows/reusable-cleanup-pull-requests.yml b/.github/workflows/reusable-cleanup-pull-requests.yml index e42d741be1b4e..cdce56001d16b 100644 --- a/.github/workflows/reusable-cleanup-pull-requests.yml +++ b/.github/workflows/reusable-cleanup-pull-requests.yml @@ -19,7 +19,7 @@ jobs: # - Parse fixed ticket numbers from the commit message. # - Parse the SVN revision from the commit message. # - Searches for pull requests referencing any fixed tickets. - # - Leaves a comment on each PR before closing. +# - Comments on pull requests referencing any fixed tickets before closing. close-prs: name: Find and close PRs runs-on: ubuntu-24.04 @@ -43,7 +43,7 @@ jobs: COMMIT_MESSAGE="$(echo "$COMMIT_MSG_RAW" | sed -n '$p')" echo "svn_revision_number=$(echo "$COMMIT_MESSAGE" | sed -n 's/.*git-svn-id: https:\/\/develop.svn.wordpress.org\/[^@]*@\([0-9]*\) .*/\1/p')" >> "$GITHUB_OUTPUT" - - name: Find and close pull requests + - name: Find, comment on, and close pull requests if: ${{ steps.trac-tickets.outputs.fixed_list != '' && steps.git-svn-id.outputs.svn_revision_number != '' }} uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index 1b8fae8b83c12..8fc7661c7592b 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml @@ -35,6 +35,12 @@ jobs: # # This helps guard against supply chain attacks, unpinned dependencies, excessive permissions, # dangerous triggers, credential leaks, and sophisticated security vulnerabilities. + # + # Performs the following steps: + # - Checks out the repository. + # - Installs and configures uv. + # - Runs a zizmor scan. + # - Uploads the SARIF file to GitHub. zizmor: name: Zizmor runs-on: ubuntu-24.04 diff --git a/README.md b/README.md index 949c085e3aacb..5201a5180c1da 100644 --- a/README.md +++ b/README.md @@ -99,9 +99,9 @@ npm run test:php -- --group #### To lint the workflow files -GitHub Actions workflows operate in a privileged software supply chain environment, therefore the workflow files must be adhere to a high degree of quality and security standards. +GitHub Actions workflows operate in a privileged software supply chain environment, therefore all workflow files must adhere to a high degree of quality and security standards. -The YAML workflow files in the `.github/workflows` directory are statically scanned during GitHub Actions workflow runs using [Actionlint](https://github.com/rhysd/actionlint) and [Zizmor](https://github.com/zizmorcore/zizmor). If you're making changes to those files then you can install both these tools locally using a package manager for your operating system and then run them to lint the files. +All YAML workflow files within the `.github/workflows` directory are statically scanned when modified using [Actionlint](https://github.com/rhysd/actionlint) and [Zizmor](https://github.com/zizmorcore/zizmor). It's recommended that you install both of these tools locally using a package manager to run prior to submitting changes to workflow files. - [Actionlint installations instructions](https://github.com/rhysd/actionlint/blob/main/docs/install.md) - [Zizmor installation instructions](https://docs.zizmor.sh/installation/) @@ -112,13 +112,13 @@ To run Actionlint: actionlint ``` -To run Zizmor (note the trailing period): +To run Zizmor for all workflow files (note the trailing period): ``` zizmor . ``` -The linting that happens during GitHub Actions workflow runs is connected to GitHub Code Scanning, so linting errors won't cause workflow runs to fail directly. Some linting issues that are reported locally may be ignored in the Code Scanning settings. +**Note:** A workflow run failure will not occur when issues are detected by Zizmor. Instead, the generated report is submitted to GitHub Code Scanning and surfaced through a status check. Some locally reported issues may be ignored based on the repository's configured Code Scanning settings. #### Generating a code coverage report PHP code coverage reports are [generated daily](https://github.com/WordPress/wordpress-develop/actions/workflows/test-coverage.yml) and [submitted to Codecov.io](https://app.codecov.io/gh/WordPress/wordpress-develop). From 066e83c049c83dad9e6ef504a6920074951565bc Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 21 Apr 2026 13:55:37 +0200 Subject: [PATCH 20/21] Remove this processing optimisation. --- .github/workflows/reusable-workflow-lint.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-lint.yml b/.github/workflows/reusable-workflow-lint.yml index 8fc7661c7592b..13fcde47f5731 100644 --- a/.github/workflows/reusable-workflow-lint.yml +++ b/.github/workflows/reusable-workflow-lint.yml @@ -67,4 +67,3 @@ jobs: with: sarif_file: results.sarif category: zizmor - wait-for-processing: false From 450a72108f82effd69ea17f91024c1e61dd5d815 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 21 Apr 2026 13:59:39 +0200 Subject: [PATCH 21/21] Reinstate the test coverage workflow. --- .github/workflows/test-coverage.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/test-coverage.yml b/.github/workflows/test-coverage.yml index cf430db4f15e6..deb190eba9e9b 100644 --- a/.github/workflows/test-coverage.yml +++ b/.github/workflows/test-coverage.yml @@ -11,15 +11,15 @@ on: - 'docker-compose.yml' - 'phpunit.xml.dist' - 'tests/phpunit/multisite.xml' - # pull_request: - # branches: - # - trunk - # paths: - # - '.github/workflows/test-coverage.yml' - # - '.github/workflows/reusable-phpunit-tests-v3.yml' - # - 'docker-compose.yml' - # - 'phpunit.xml.dist' - # - 'tests/phpunit/multisite.xml' + pull_request: + branches: + - trunk + paths: + - '.github/workflows/test-coverage.yml' + - '.github/workflows/reusable-phpunit-tests-v3.yml' + - 'docker-compose.yml' + - 'phpunit.xml.dist' + - 'tests/phpunit/multisite.xml' # Once daily at 00:00 UTC. schedule: - cron: '0 0 * * *'