diff --git a/.github/workflows/auto-label-prs.yml b/.github/workflows/auto-label-prs.yml
index d9f2136e1f..db7a3d3ddb 100644
--- a/.github/workflows/auto-label-prs.yml
+++ b/.github/workflows/auto-label-prs.yml
@@ -30,14 +30,18 @@ on: pull_request_target: types: [opened, synchronize, reopened, ready_for_review]
-permissions:
- contents: read
- pull-requests: write
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {} jobs: paths: if: github.repository == 'WordPress/wordpress-playground' runs-on: ubuntu-latest
+ timeout-minutes: 10
+ permissions:
+ contents: read # Required for actions/labeler to read the configuration file.
+ pull-requests: write # Required to apply labels to pull requests. steps: # Pinned to a commit SHA, not a tag: this job runs with # pull-requests:write, so a moved tag would be a supply-chain
@@ -50,6 +54,9 @@ jobs: package-and-type: if: github.repository == 'WordPress/wordpress-playground' runs-on: ubuntu-latest
+ timeout-minutes: 10
+ permissions:
+ pull-requests: write # Required to apply labels to pull requests. steps: - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fb54a1b3dd..97d6d2e329 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,6 +5,10 @@ on: - trunk pull_request:
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
jobs: # This step: # * Warms up the node_modules cache
@@ -18,6 +22,9 @@ jobs: name: 'Lint and typecheck' if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request' runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. steps: - uses: actions/checkout@v4 with:
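Review bot: The `package-and-type` job is granted only `pull-requests: write`, while the `paths` job in the previous hunk also keeps `contents: read`; the body of the github-script step is outside the hunk, so I cannot tell whether it reads repository files. If it fetches file contents through the repos API rather than the pull-request endpoints, the empty workflow default now makes that call fail, and the job would also need `contents: read # Required to read files from the base branch.` under `permissions:`. Since this workflow runs on `pull_request_target`, the job-level block is the whole write surface the script gets, so keeping it to a single scope is the right direction if the script does not need more.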
@@ -30,6 +37,9 @@ jobs: test-unit-asyncify: if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request' runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. strategy: fail-fast: false matrix:
@@ -79,6 +89,9 @@ jobs: test-unit-jspi: if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request' runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. strategy: fail-fast: false matrix:
@@ -130,6 +143,9 @@ jobs: os: [ubuntu-latest, windows-latest, macos-latest] continue-on-error: true runs-on: ${{ matrix.os }}
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. name: 'test-playground-cli (${{ matrix.os }})' steps: - uses: actions/checkout@v4
@@ -148,6 +164,9 @@ jobs: async-strategy: [asyncify, jspi] continue-on-error: true runs-on: ${{ matrix.os }}
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. name: 'test-file-locking-${{ matrix.async-strategy }} (${{ matrix.os }})' steps: - uses: actions/checkout@v4
@@ -161,6 +180,9 @@ jobs: test-e2e-php-wasm-web-jspi: if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request' runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. steps: - uses: actions/checkout@v4 with:
@@ -171,6 +193,9 @@ jobs: test-e2e-php-wasm-web-asyncify: if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request' runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. steps: - uses: actions/checkout@v4 with:
@@ -181,6 +206,9 @@ jobs: test-e2e: if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request' runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. # Run as root to allow node to bind to port 80 steps: - uses: actions/checkout@v4
@@ -201,6 +229,9 @@ jobs: test-e2e-playwright: if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request' runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. strategy: fail-fast: false matrix:
@@ -282,6 +313,9 @@ jobs: test-e2e-personal-wp: runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. steps: - uses: actions/checkout@v4 with:
@@ -301,6 +335,9 @@ jobs: test-e2e-components: if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request' runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. steps: - uses: actions/checkout@v4 with:
@@ -320,6 +357,9 @@ jobs: # Run MCP e2e tests independently from other tests because running a local version of the MCP server from TypeScript files requires Node 22+ test-e2e-mcp: runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. steps: - uses: actions/checkout@v4 with:
@@ -341,6 +381,9 @@ jobs: test-docs-api-reference: if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request' runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. steps: - uses: actions/checkout@v4 with:
@@ -360,6 +403,9 @@ jobs: test-built-npm-packages: if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request' runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. steps: - uses: actions/checkout@v4 with:
@@ -373,6 +419,9 @@ jobs: test-playground-client-types-rollup: if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request' runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. steps: - uses: actions/checkout@v4 with:
@@ -388,6 +437,9 @@ jobs: test-running-unbuilt-playground-cli: if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request' runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. steps: - uses: actions/checkout@v4 with:
@@ -400,6 +452,9 @@ jobs: test-php-wasm-cli-smoke: if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request' runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. steps: - uses: actions/checkout@v4 with:
@@ -412,6 +467,9 @@ jobs: detect-compile-extension-helper-changes: if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request' runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo and fetch commit history. outputs: changed: ${{ steps.changed.outputs.changed }} steps:
@@ -447,6 +505,9 @@ jobs: needs: detect-compile-extension-helper-changes if: (github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request') && needs.detect-compile-extension-helper-changes.outputs.changed == 'true' runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. steps: - name: Free up runner disk space shell: bash
@@ -481,6 +542,8 @@ jobs: if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request' runs-on: ubuntu-latest timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. steps: - uses: actions/checkout@v4 with:
@@ -511,6 +574,9 @@ jobs: test-redis-extension: if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request' runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. services: redis: image: redis:7-alpine
@@ -539,6 +605,9 @@ jobs: test-memcached-extension: if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request' runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. services: memcached: image: memcached:1.6-alpine
@@ -562,6 +631,9 @@ jobs: build: if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request' runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read # Required to clone the repo. steps: - uses: actions/checkout@v4 with:
@@ -592,8 +664,9 @@ jobs: # Grant GITHUB_TOKEN the permissions required to make a Pages deployment permissions:
- pages: write # to deploy to Pages
- id-token: write # to verify the deployment originates from an appropriate source
+ contents: read # Required to clone the repo.
+ pages: write # Required to deploy to GitHub Pages.
+ id-token: write # Required to verify the deployment originates from an appropriate source. # Deploy to the github-pages environment environment:
@@ -602,6 +675,7 @@ jobs: # Specify runner + deployment step runs-on: ubuntu-latest
+ timeout-minutes: 30 steps: - uses: actions/checkout@v4 with:
diff --git a/.github/workflows/dependabot-lockfile.yml b/.github/workflows/dependabot-lockfile.yml
index f7f2b4a358..1eae113635 100644
--- a/.github/workflows/dependabot-lockfile.yml
+++ b/.github/workflows/dependabot-lockfile.yml
@@ -4,14 +4,17 @@ on: pull_request: types: [opened, synchronize]
-permissions:
- contents: write
- pull-requests: write
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {} jobs: fix-lock: if: github.actor == 'dependabot[bot]' runs-on: ubuntu-latest
+ timeout-minutes: 10
+ permissions:
+ contents: write # Required to push the updated lockfile commit back to the branch. steps: - uses: actions/checkout@v4 with:
diff --git a/.github/workflows/deploy-cors-proxy.yml b/.github/workflows/deploy-cors-proxy.yml
index 297d51beed..4a6384db96 100644
--- a/.github/workflows/deploy-cors-proxy.yml
+++ b/.github/workflows/deploy-cors-proxy.yml
@@ -6,6 +6,10 @@ on: concurrency: group: cors-proxy-deployment
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
jobs: # Check preconditions in a separate job because secrets aren't # available in job-level `if` conditions.
@@ -27,6 +31,8 @@ jobs: github.actor == 'ashfame' ) runs-on: ubuntu-latest
+ timeout-minutes: 20
+ permissions: {} environment: name: cors-proxy-wp-cloud outputs:
@@ -56,6 +62,9 @@ jobs: # Specify runner + deployment step runs-on: ubuntu-latest
+ timeout-minutes: 20
+ permissions:
+ contents: read # Required to clone the repo. environment: name: cors-proxy-wp-cloud steps:
diff --git a/.github/workflows/deploy-my-wordpress-net.yml b/.github/workflows/deploy-my-wordpress-net.yml
index 7905fb9d8f..73f841f899 100644
--- a/.github/workflows/deploy-my-wordpress-net.yml
+++ b/.github/workflows/deploy-my-wordpress-net.yml
@@ -9,6 +9,10 @@ on: concurrency: group: my-wordpress-net-deployment
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
jobs: # Check preconditions in a separate job because secrets aren't # available in job-level `if` conditions.
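Review bot: `fix-lock` keeps `contents: write`, but the workflow-level `pull-requests: write` removed above is not re-granted at the job level; the steps after `actions/checkout@v4` are outside the hunk, so I cannot confirm whether any of them comments on or labels the pull request. If one does, that API call would now be rejected and the job needs `pull-requests: write # Required to comment on the pull request.` beside `contents: write`; if none does, a one-line comment noting that the PR scope was dropped on purpose would make the narrowing read as deliberate rather than as an oversight. The `if: github.actor == 'dependabot[bot]'` gate is the only thing limiting who receives this write-capable token, so the smaller scope set is the right call.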
@@ -29,6 +33,8 @@ jobs: github.actor == 'ashfame' ) runs-on: ubuntu-latest
+ timeout-minutes: 20
+ permissions: {} environment: name: my-wordpress-net-wp-cloud outputs:
@@ -57,6 +63,9 @@ jobs: if: needs.check_preconditions.outputs.meets_deploy_preconditions == 'true' runs-on: ubuntu-latest
+ timeout-minutes: 20
+ permissions:
+ contents: read # Required to clone the repo. environment: name: my-wordpress-net-wp-cloud steps:
diff --git a/.github/workflows/deploy-website.yml b/.github/workflows/deploy-website.yml
index ffdab8245c..070b788385 100644
--- a/.github/workflows/deploy-website.yml
+++ b/.github/workflows/deploy-website.yml
@@ -9,6 +9,10 @@ on: concurrency: group: website-deployment
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
jobs: # Check preconditions in a separate job because secrets aren't # available in job-level `if` conditions.
@@ -29,6 +33,8 @@ jobs: github.actor == 'ashfame' ) runs-on: ubuntu-latest
+ timeout-minutes: 20
+ permissions: {} environment: name: playground-wordpress-net-wp-cloud outputs:
@@ -58,6 +64,9 @@ jobs: # Specify runner + deployment step runs-on: ubuntu-latest
+ timeout-minutes: 20
+ permissions:
+ contents: read # Required to clone the repo. environment: name: playground-wordpress-net-wp-cloud steps:
diff --git a/.github/workflows/publish-devtools-extension.yml b/.github/workflows/publish-devtools-extension.yml
index 7cf7f1274e..53c8c7e3af 100644
--- a/.github/workflows/publish-devtools-extension.yml
+++ b/.github/workflows/publish-devtools-extension.yml
@@ -13,6 +13,10 @@ on: - minor - major
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
jobs: publish: # Only run this workflow on the playground repo, from the trunk branch, and when triggered by a Playground maintainer
@@ -31,8 +35,9 @@ jobs: ) runs-on: ubuntu-latest
+ timeout-minutes: 20 permissions:
- contents: write
+ contents: write # Required to push the new tag and create the GitHub release. steps: - uses: actions/checkout@v4
diff --git a/.github/workflows/publish-github-release.yml b/.github/workflows/publish-github-release.yml
index 8baee00712..1e89e3be22 100644
--- a/.github/workflows/publish-github-release.yml
+++ b/.github/workflows/publish-github-release.yml
@@ -7,8 +7,9 @@ on: types: - completed
-permissions:
- contents: write
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {} jobs: create-release:
@@ -25,6 +26,9 @@ jobs: ) runs-on: ubuntu-latest
+ timeout-minutes: 20
+ permissions:
+ contents: write # Required to clone the repo, create the GitHub release, and push the tag. steps: - uses: actions/checkout@v4
diff --git a/.github/workflows/publish-npm-packages.yml b/.github/workflows/publish-npm-packages.yml
index f881c99d9d..4408883d05 100644
--- a/.github/workflows/publish-npm-packages.yml
+++ b/.github/workflows/publish-npm-packages.yml
@@ -15,9 +15,9 @@ on: # Auto-publish every Monday - cron: '0 9 * * 1'
-permissions:
- id-token: write
- contents: write
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {} concurrency: group: npm-release
@@ -40,6 +40,12 @@ jobs: ) runs-on: ubuntu-latest
+ # Timeout is set to an hour as Lerna sequentially publishes a large number of packages
+ # and the workflow regularly takes more than 30 minutes to complete.
+ timeout-minutes: 60
+ permissions:
+ id-token: write # Required for OIDC-based npm trusted publishing.
+ contents: write # Required to push the version bump commit and tags. environment: name: npm
diff --git a/.github/workflows/publish-self-hosted-package-release.yml b/.github/workflows/publish-self-hosted-package-release.yml
index 9782275043..c94ca06333 100644
--- a/.github/workflows/publish-self-hosted-package-release.yml
+++ b/.github/workflows/publish-self-hosted-package-release.yml
@@ -14,6 +14,10 @@ on: required: true default: 'patch'
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
jobs: publish: # Only run this workflow on the playground repo, from the trunk branch, and when triggered by a Playground maintainer
@@ -33,6 +37,11 @@ jobs: # Specify runner + deployment step runs-on: ubuntu-latest
+ # This workflow is currently disabled. This timeout is set to a high value in anticipation of the workflow
+ # being re-enabled and needing to run through the full deployment process.
+ timeout-minutes: 60
+ permissions:
+ contents: write # Required to clone the repo, push version bump commits, and create tags. environment: name: self-hosted-packages steps:
diff --git a/.github/workflows/refresh-sqlite-integration.yml b/.github/workflows/refresh-sqlite-integration.yml
index ec6c37eb7a..4969fb520f 100644
--- a/.github/workflows/refresh-sqlite-integration.yml
+++ b/.github/workflows/refresh-sqlite-integration.yml
@@ -5,6 +5,10 @@ on: schedule: - cron: '0 10 * * *'
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
jobs: build_and_deploy: # Only run this workflow on the playground repo, from the trunk branch, and when triggered by a Playground maintainer
@@ -22,6 +26,10 @@ jobs: ) runs-on: ubuntu-latest
+ timeout-minutes: 60
+ permissions:
+ contents: write # Required to clone the repo and push the updated SQLite bundle commit.
+ actions: write # Required to trigger the deploy-website workflow via workflow_dispatch. environment: name: wordpress-assets concurrency:
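Review bot: The new comment above `timeout-minutes: 60` in publish-self-hosted-package-release.yml states that the workflow is currently disabled, but nothing in this hunk shows the mechanism — the `workflow_dispatch` inputs in the first hunk are still declared, and whatever condition disables the job sits before the hunk. A comment asserting state it does not show goes stale silently the moment someone re-enables the job, so point it at the actual switch (the job-level condition or a dispatch input) so a reader can check it, or keep only the rationale for the 60-minute value: `# The timeout is set high in anticipation of this workflow being re-enabled and running the full deployment process.`. The publish job's definition starts before this hunk.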
diff --git a/.github/workflows/refresh-wordpress-major-and-beta.yml b/.github/workflows/refresh-wordpress-major-and-beta.yml
index f8afdda788..7caceb7c81 100644
--- a/.github/workflows/refresh-wordpress-major-and-beta.yml
+++ b/.github/workflows/refresh-wordpress-major-and-beta.yml
@@ -14,6 +14,10 @@ on: concurrency: group: refresh-wordpress-major-and-beta
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
jobs: build_wordpress_major_and_beta_push_to_github_and_deploy_website: # Only run this workflow on the playground repo, from the trunk branch, and when triggered by a Playground maintainer
@@ -36,6 +40,9 @@ jobs: # Be conservative and set _some_ timeout to prevent a hanging # job from blocking the queue of scheduled runs. timeout-minutes: 120
+ permissions:
+ contents: write # Required to clone the repo and push the rebuilt WordPress commit.
+ actions: write # Required to trigger the deploy-website workflow via workflow_dispatch. steps: - uses: actions/checkout@v4 with:
diff --git a/.github/workflows/refresh-wordpress-nightly.yml b/.github/workflows/refresh-wordpress-nightly.yml
index fc07ba6bd0..f0142eda31 100644
--- a/.github/workflows/refresh-wordpress-nightly.yml
+++ b/.github/workflows/refresh-wordpress-nightly.yml
@@ -6,6 +6,10 @@ on: schedule: - cron: '0 8 * * *'
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
jobs: build_and_deploy: # Only run this workflow on the playground repo, from the trunk branch, and when triggered by a Playground maintainer
@@ -23,6 +27,9 @@ jobs: ) runs-on: ubuntu-latest
+ timeout-minutes: 60
+ permissions:
+ contents: write # Required to clone the repo and push the refreshed WordPress nightly commit. environment: name: wordpress-assets steps:
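Review bot: `build_and_deploy` in refresh-wordpress-nightly.yml receives only `contents: write`, whereas the corresponding jobs in refresh-sqlite-integration.yml and refresh-wordpress-major-and-beta.yml also receive `actions: write` for dispatching deploy-website. The job's steps are outside the hunk, so I cannot see whether this job likewise triggers a `workflow_dispatch` with `GITHUB_TOKEN`; if it does, the now-empty workflow default means that call is rejected once this lands, and the job also needs `actions: write # Required to trigger the deploy-website workflow via workflow_dispatch.`. If it dispatches nothing, the narrower grant is correct, and a short comment saying so would stop the asymmetry from reading as an omission.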
diff --git a/.github/workflows/update-changelog.yml b/.github/workflows/update-changelog.yml
index 31c49a3c32..2e9a4f3cca 100644
--- a/.github/workflows/update-changelog.yml
+++ b/.github/workflows/update-changelog.yml
@@ -12,6 +12,10 @@ on: types: - completed
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
jobs: release: # Only run this workflow on the playground repo, from the trunk branch, and when triggered by a Playground maintainer
@@ -31,6 +35,9 @@ jobs: # Specify runner + deployment step runs-on: ubuntu-latest
+ timeout-minutes: 20
+ permissions:
+ contents: write # Required to clone the repo, commit, and push the updated changelog. environment: name: wordpress-assets env: