diff --git a/.github/workflows/cs.yml b/.github/workflows/cs.yml index 3dc0cd15..64fa997d 100644 --- a/.github/workflows/cs.yml +++ b/.github/workflows/cs.yml @@ -21,6 +21,10 @@ on: # Allow manually triggering the workflow. workflow_dispatch: +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + # Cancels all previous workflow runs for the same branch that have not yet completed. concurrency: # The concurrency group contains the workflow name and the branch name. @@ -31,6 +35,9 @@ jobs: checkcs: name: 'Check code style' runs-on: ubuntu-latest + timeout-minutes: 10 + permissions: + contents: read # Required to clone the repo. steps: - name: Checkout code diff --git a/.github/workflows/end-to-end-tests.yml b/.github/workflows/end-to-end-tests.yml index 64cf4b12..7be965a7 100644 --- a/.github/workflows/end-to-end-tests.yml +++ b/.github/workflows/end-to-end-tests.yml @@ -6,11 +6,17 @@ on: - main pull_request: +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: test: name: End-to-end Tests runs-on: ubuntu-latest timeout-minutes: 20 + permissions: + contents: read # Required to clone the repo. steps: - name: Checkout repository diff --git a/.github/workflows/mysql-parser-extension-tests.yml b/.github/workflows/mysql-parser-extension-tests.yml index 3a2b77d7..45425bb8 100644 --- a/.github/workflows/mysql-parser-extension-tests.yml +++ b/.github/workflows/mysql-parser-extension-tests.yml 
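Review bot: The job-level line `contents: read # Required to clone the repo.` added under `checkcs` in cs.yml is rendered here with a single space before the inline `#`, which yamllint's default `comments` rule (`min-spaces-from-content: 2`) rejects; if the repository lints its workflows, the line should read `contents: read  # Required to clone the repo.`. The collapsed rendering of this diff may have squeezed whitespace, so this is only worth acting on if the committed file really has one space. The same inline-comment form is used on every job-level `permissions` block in the other workflows of this diff (end-to-end-tests, mysql-parser-extension-tests, mysql-proxy-tests, phpunit-tests-run, phpunit-tests, publish-wasm-extension-artifact, release-publish, release-wporg, verify-version, wasm-spike, wp-tests-end-to-end, wp-tests-phpunit), so one pass covers all of them.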
@@ -19,11 +19,17 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: extension-tests: name: PHP ${{ matrix.php }} / ${{ matrix.coverage }} / ubuntu-latest runs-on: ubuntu-latest timeout-minutes: 30 + permissions: + contents: read # Required to clone the repo. strategy: fail-fast: false matrix: diff --git a/.github/workflows/mysql-proxy-tests.yml b/.github/workflows/mysql-proxy-tests.yml index cb9b71e5..e24c36f3 100644 --- a/.github/workflows/mysql-proxy-tests.yml +++ b/.github/workflows/mysql-proxy-tests.yml @@ -6,11 +6,17 @@ on: - main pull_request: +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: test: name: MySQL Proxy Tests runs-on: ubuntu-latest timeout-minutes: 20 + permissions: + contents: read # Required to clone the repo. steps: - name: Checkout repository diff --git a/.github/workflows/phpunit-tests-run.yml b/.github/workflows/phpunit-tests-run.yml index f194feec..2eec8ee2 100644 --- a/.github/workflows/phpunit-tests-run.yml +++ b/.github/workflows/phpunit-tests-run.yml @@ -20,11 +20,17 @@ on: env: LOCAL_PHP: ${{ inputs.php }}-fpm +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: phpunit-tests: name: ${{ inputs.os }} runs-on: ${{ inputs.os }} timeout-minutes: 20 + permissions: + contents: read # Required to clone the repo. steps: - name: Checkout repository diff --git a/.github/workflows/phpunit-tests.yml b/.github/workflows/phpunit-tests.yml index b67233fb..23293087 100644 --- a/.github/workflows/phpunit-tests.yml +++ b/.github/workflows/phpunit-tests.yml 
@@ -6,12 +6,16 @@ on: - main pull_request: +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: test: name: PHP ${{ matrix.php }} / SQLite ${{ matrix.sqlite || 'latest' }} uses: ./.github/workflows/phpunit-tests-run.yml permissions: - contents: read + contents: read # Required to clone the repo. secrets: inherit strategy: fail-fast: false diff --git a/.github/workflows/publish-wasm-extension-artifact.yml b/.github/workflows/publish-wasm-extension-artifact.yml index 3b93b8e6..f120039a 100644 --- a/.github/workflows/publish-wasm-extension-artifact.yml +++ b/.github/workflows/publish-wasm-extension-artifact.yml @@ -18,8 +18,9 @@ on: required: false default: '30' -permissions: - contents: write +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -30,6 +31,8 @@ jobs: name: Build shared Playground base image runs-on: ubuntu-latest timeout-minutes: 20 + permissions: + contents: read # Required to clone the wordpress-playground repo. steps: - name: Check out wordpress-playground @@ -64,6 +67,8 @@ jobs: needs: base-image runs-on: ubuntu-latest timeout-minutes: 60 + permissions: + contents: read # Required to clone the repo. strategy: fail-fast: false max-parallel: 6 @@ -159,6 +164,8 @@ jobs: runs-on: ubuntu-latest needs: build timeout-minutes: 10 + permissions: + contents: write # Required to push the built extension to the gh-pages branch. steps: - name: Check out sqlite-database-integration diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml index 9e71734d..7df54551 100644 --- a/.github/workflows/release-publish.yml +++ b/.github/workflows/release-publish.yml 
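Review bot: The `test` job in phpunit-tests.yml now grants the called workflow only `contents: read`, but the `secrets: inherit` line two lines below still forwards every repository secret to phpunit-tests-run.yml, so the token was narrowed while the secret surface was not. If phpunit-tests-run.yml declares no `secrets:` under `workflow_call`, the line can be removed outright; otherwise name the specific secrets it consumes instead of `inherit`. The `uses:` call of release-wporg.yml in release-publish.yml has the same shape, although a deployment job plausibly does need its credentials forwarded, so that one may be justified as it stands.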
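Review bot: The comment `contents: read # Required to clone the wordpress-playground repo.` on the `base-image` job in publish-wasm-extension-artifact.yml attributes the scope to cloning a different repository, but `GITHUB_TOKEN` permissions only apply to the repository the workflow runs in, so this scope cannot be what authorises reading wordpress-playground. Whether actions/checkout of an external public repository succeeds with a token that has no scopes is not something this diff shows, so it is worth trying the job with `permissions: {}`; if it passes, drop the block, and if it fails, reword the comment so it does not claim that this repository's scope grants access to another repository. The identical comment appears on the `base-image` job in wasm-spike.yml and should get the same treatment.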
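Review bot: `contents: write # Required to push the built extension to the gh-pages branch.` on the `publish` job in publish-wasm-extension-artifact.yml is the minimum `GITHUB_TOKEN` scope for a branch push, but it also lets that job's token push to every other unprotected branch and create tags, which is more than the comment describes. If the gh-pages branch exists only to serve the artifact through GitHub Pages, the `actions/upload-pages-artifact` and `actions/deploy-pages` route needs `pages: write` plus `id-token: write` and leaves repository contents read-only; if a real branch push is required, branch protection on the other branches is what bounds a misbehaving job. It would also help the next reader to note in the comment that the write scope is held only by this job, which `needs: build`, so the build steps run under their own read-only tokens.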
@@ -9,6 +9,10 @@ concurrency: group: release-publish cancel-in-progress: false +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: publish-release: name: Build plugin and create GitHub release @@ -17,8 +21,10 @@ jobs: && github.event.pull_request.merged == true && startsWith(github.event.pull_request.head.ref, 'release/') runs-on: ubuntu-latest + timeout-minutes: 10 permissions: - contents: write + contents: write # Required to clone the repo, create the GitHub release, and delete the release branch. + pull-requests: read # Required for gh api graphql queries that read pull request author data. outputs: tag: ${{ steps.version.outputs.tag }} prerelease: ${{ steps.version.outputs.prerelease }} @@ -130,6 +136,8 @@ jobs: needs: publish-release if: needs.publish-release.outputs.prerelease == 'false' uses: ./.github/workflows/release-wporg.yml + permissions: + contents: read # Required to clone the repo and download the release asset. with: tag: ${{ needs.publish-release.outputs.tag }} secrets: inherit diff --git a/.github/workflows/release-wporg.yml b/.github/workflows/release-wporg.yml index 096e5b36..a44ee372 100644 --- a/.github/workflows/release-wporg.yml +++ b/.github/workflows/release-wporg.yml @@ -17,13 +17,18 @@ concurrency: group: release-wporg cancel-in-progress: false +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: deploy: name: Deploy plugin to WordPress.org if: github.repository == 'WordPress/sqlite-database-integration' runs-on: ubuntu-latest + timeout-minutes: 10 permissions: - contents: read + contents: read # Required to clone the repo and download the release asset via gh. steps: - name: Checkout repository diff --git a/.github/workflows/verify-version.yml b/.github/workflows/verify-version.yml index 533f78be..dbc504ce 100644 
--- a/.github/workflows/verify-version.yml +++ b/.github/workflows/verify-version.yml @@ -6,10 +6,17 @@ on: - trunk pull_request: +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: verify-version: name: Assert release metadata is internally consistent runs-on: ubuntu-latest + timeout-minutes: 10 + permissions: + contents: read # Required to clone the repo. steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/wasm-spike.yml b/.github/workflows/wasm-spike.yml index 7dc15d4b..9b390080 100644 --- a/.github/workflows/wasm-spike.yml +++ b/.github/workflows/wasm-spike.yml @@ -18,11 +18,17 @@ on: required: false default: 'trunk' +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: base-image: name: Build shared Playground base image runs-on: ubuntu-latest timeout-minutes: 20 + permissions: + contents: read # Required to clone the wordpress-playground repo. steps: - name: Check out wordpress-playground @@ -57,6 +63,8 @@ jobs: needs: base-image runs-on: ubuntu-latest timeout-minutes: 60 + permissions: + contents: read # Required to clone the repo. strategy: fail-fast: false max-parallel: 6 diff --git a/.github/workflows/wp-tests-end-to-end.yml b/.github/workflows/wp-tests-end-to-end.yml index 2b32a5a0..7b3637e4 100644 --- a/.github/workflows/wp-tests-end-to-end.yml +++ b/.github/workflows/wp-tests-end-to-end.yml @@ -6,11 +6,17 @@ on: - main pull_request: +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: test: name: WordPress End-to-end Tests runs-on: ubuntu-latest timeout-minutes: 20 + permissions: + contents: read # Required to clone the repo. steps: - name: Checkout repository 
diff --git a/.github/workflows/wp-tests-phpunit.yml b/.github/workflows/wp-tests-phpunit.yml index 08d9c53a..810b77b8 100644 --- a/.github/workflows/wp-tests-phpunit.yml +++ b/.github/workflows/wp-tests-phpunit.yml @@ -6,11 +6,17 @@ on: - main pull_request: +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: test: name: WordPress PHPUnit Tests runs-on: ubuntu-latest timeout-minutes: 20 + permissions: + contents: read # Required to clone the repo. steps: - name: Checkout repository @@ -35,6 +41,8 @@ jobs: name: WordPress PHPUnit Tests / Rust extension runs-on: ubuntu-latest timeout-minutes: 40 + permissions: + contents: read # Required to clone the repo. steps: - name: Checkout repository