Add minimum required permissions for workflow token (#36200)

* Add minimum required permissions to e2e-tests

* Add minimum token permission to more workflows
Roy Ho 2023-01-02 09:28:11 -08:00 committed by GitHub
parent d4ce6faf1e
commit 16386238cc
GPG Key ID: 4AEE18F83AFDEB23
35 changed files with 193 additions and 0 deletions


@ -1,5 +1,6 @@
name: Setup WooCommerce Monorepo
description: Handles the installation, building, and caching of the projects within the monorepo.
permissions: {}
inputs:
install-filters:
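Review bot: `permissions: {}` on the new line 3 has no effect if this file is a composite action's action.yml, which the top-level `description:` and `inputs:` keys suggest: action metadata syntax defines no `permissions` key, and the token scopes available to a composite action are whatever the calling job was granted. Consider removing it, or, if the intent is to document the expectation, turning it into a comment such as `# Token scopes are inherited from the calling job; set permissions: on that job.`. The hunk header claims six new-side lines but only five are shown, so the tail of the hunk is truncated.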


@ -6,10 +6,15 @@ on:
description: 'By default the zip file is generated from the branch the workflow runs from, but you can specify an explicit reference to use instead here (e.g. refs/tags/tag_name or refs/heads/release/x.x). The resulting file will be available as an artifact on the workflow run.'
required: false
default: ''
permissions: {}
jobs:
build:
name: Build release zip file
runs-on: ubuntu-20.04
permissions:
contents: read
steps:
- uses: actions/checkout@v3


@ -2,10 +2,15 @@ name: Build release asset
on:
release:
types: [published]
permissions: {}
jobs:
build:
name: Build release asset
runs-on: ubuntu-20.04
permissions:
contents: write
steps:
- uses: actions/checkout@v3


@ -30,6 +30,8 @@ env:
GIT_AUTHOR_NAME: 'WooCommerce Bot'
GIT_AUTHOR_EMAIL: 'no-reply@woocommerce.com'
permissions: {}
jobs:
verify:
name: Verify
@ -122,6 +124,10 @@ jobs:
cherry-pick-run:
name: Run cherry pick tool
runs-on: ubuntu-20.04
permissions:
actions: write
contents: write
pull-requests: write
needs: [prep, check-release-branch-exists]
if: success()
steps:
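Review bot: The cherry-pick-run job is granted `actions: write`, `contents: write` and `pull-requests: write` with nothing recording which step needs which scope; `actions: write` in particular lets the token dispatch or cancel other workflows, so a one-line justification per scope would help later reviewers keep the set minimal, e.g. `actions: write  # dispatches the follow-up workflow` (adjusted to what the steps actually do). The same undocumented `actions: write` appears on trigger-changelog-action in the release-code-freeze section. The job's steps are outside the hunk, so I cannot confirm each scope is exercised.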


@ -12,11 +12,16 @@ defaults:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
test:
name: PHP ${{ matrix.php }} WP ${{ matrix.wp }}
timeout-minutes: 30
runs-on: ubuntu-20.04
permissions:
contents: read
continue-on-error: ${{ matrix.wp == 'nightly' }}
strategy:
fail-fast: false


@ -10,10 +10,14 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
verify:
name: Verify
runs-on: ubuntu-20.04
permissions:
contents: read
steps:
- uses: actions/checkout@v3


@ -8,10 +8,14 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
cot-e2e-tests-run:
name: Runs E2E tests with COT enabled.
runs-on: ubuntu-20.04
permissions:
contents: read
env:
ALLURE_RESULTS_DIR: ${{ github.workspace }}/plugins/woocommerce/tests/e2e-pw/allure-results
ALLURE_REPORT_DIR: ${{ github.workspace }}/plugins/woocommerce/tests/e2e-pw/allure-report
@ -66,6 +70,8 @@ jobs:
cot-api-tests-run:
name: Runs API tests with COT enabled.
runs-on: ubuntu-20.04
permissions:
contents: read
env:
ALLURE_RESULTS_DIR: ${{ github.workspace }}/plugins/woocommerce/tests/api-core-tests/api-test-report/allure-results
ALLURE_REPORT_DIR: ${{ github.workspace }}/plugins/woocommerce/tests/api-core-tests/api-test-report/allure-report
@ -124,6 +130,8 @@ jobs:
contains( needs.*.result, 'failure' )
)
runs-on: ubuntu-20.04
permissions:
contents: read
needs: [cot-api-tests-run, cot-e2e-tests-run]
steps:
- name: Create dirs


@ -8,11 +8,15 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
cot-e2e-tests-run:
name: Runs E2E tests with COT enabled.
if: "${{ github.event_name == 'workflow_dispatch' || github.event.label.name == 'focus: custom order tables' }}"
runs-on: ubuntu-20.04
permissions:
contents: read
env:
ALLURE_RESULTS_DIR: ${{ github.workspace }}/plugins/woocommerce/tests/e2e-pw/allure-results
ALLURE_REPORT_DIR: ${{ github.workspace }}/plugins/woocommerce/tests/e2e-pw/allure-report
@ -68,6 +72,8 @@ jobs:
name: Runs API tests with COT enabled.
if: "${{ github.event_name == 'workflow_dispatch' || github.event.label.name == 'focus: custom order tables' }}"
runs-on: ubuntu-20.04
permissions:
contents: read
env:
ALLURE_RESULTS_DIR: ${{ github.workspace }}/plugins/woocommerce/tests/api-core-tests/api-test-report/allure-results
ALLURE_REPORT_DIR: ${{ github.workspace }}/plugins/woocommerce/tests/api-core-tests/api-test-report/allure-report
@ -126,6 +132,8 @@ jobs:
contains( needs.*.result, 'failure' )
)
runs-on: ubuntu-20.04
permissions:
contents: read
needs: [cot-api-tests-run, cot-e2e-tests-run]
steps:
- name: Create dirs


@ -4,11 +4,15 @@ on:
branches: ["trunk", "release/**"]
workflow_dispatch:
permissions: {}
jobs:
build:
if: github.repository == 'woocommerce/woocommerce'
name: Build WooCommerce zip
runs-on: ubuntu-20.04
permissions:
contents: read
steps:
- uses: actions/checkout@v3
@ -35,6 +39,8 @@ jobs:
name: Push to Mirror
needs: [build]
runs-on: ubuntu-20.04
permissions:
contents: read
steps:
- name: Create directories
run: |


@ -3,6 +3,9 @@ on:
schedule:
- cron: '0 0 * * *' # Run at 12 AM UTC.
workflow_dispatch:
permissions: {}
jobs:
build:
if: github.repository_owner == 'woocommerce'
@ -12,6 +15,8 @@ jobs:
matrix:
build: [trunk]
runs-on: ubuntu-20.04
permissions:
contents: write
steps:
- uses: actions/checkout@v3
with:
@ -40,6 +45,8 @@ jobs:
update:
name: Update nightly tag commit ref
runs-on: ubuntu-20.04
permissions:
contents: write
steps:
- name: Update nightly tag
uses: richardsimko/github-tag-action@v1.0.5
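Review bot: The `update` job now holds `contents: write` and hands that token to `richardsimko/github-tag-action@v1.0.5`, a third-party action pinned only by a mutable tag; once a job carries a write scope, pinning the action to its full commit SHA (keeping the version in a trailing comment) is the usual way to bound the supply-chain exposure of that token. The `build` job in the preceding hunk also receives `contents: write`; if it only builds and uploads artifacts, `contents: read` would suffice, but its steps are outside the hunk. Both job bodies continue beyond the shown lines.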


@ -6,10 +6,15 @@ on:
description: 'Enter a specific package to release, or releases separated by commas, ie @woocommerce/components,@woocommerce/number. Leaving this input blank will release all eligible packages.'
required: false
default: '-a'
permissions: {}
jobs:
release:
name: Run packages release script
runs-on: ubuntu-20.04
permissions:
contents: read
steps:
- uses: actions/checkout@v3


@ -9,10 +9,15 @@ env:
GIT_AUTHOR_NAME: 'WooCommerce Bot'
GIT_AUTHOR_EMAIL: 'no-reply@woocommerce.com'
permissions: {}
jobs:
changelog-version-update:
name: Update changelog and version
runs-on: ubuntu-20.04
permissions:
contents: write
pull-requests: write
steps:
- uses: actions/checkout@v3


@ -7,10 +7,14 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
e2e-tests-run:
name: Runs E2E tests.
runs-on: ubuntu-20.04
permissions:
contents: read
env:
ALLURE_RESULTS_DIR: ${{ github.workspace }}/plugins/woocommerce/tests/e2e-pw/test-results/allure-results
ALLURE_REPORT_DIR: ${{ github.workspace }}/plugins/woocommerce/tests/e2e-pw/test-results/allure-report
@ -79,6 +83,8 @@ jobs:
api-tests-run:
name: Runs API tests.
runs-on: ubuntu-20.04
permissions:
contents: read
env:
ALLURE_RESULTS_DIR: ${{ github.workspace }}/plugins/woocommerce/tests/api-core-tests/test-results/allure-results
ALLURE_REPORT_DIR: ${{ github.workspace }}/plugins/woocommerce/tests/api-core-tests/test-results/allure-report
@ -129,6 +135,8 @@ jobs:
k6-tests-run:
name: Runs k6 Performance tests
runs-on: ubuntu-20.04
permissions:
contents: read
steps:
- uses: actions/checkout@v3
@ -162,6 +170,10 @@ jobs:
)
runs-on: ubuntu-20.04
needs: [api-tests-run, e2e-tests-run]
permissions:
contents: read
issues: write
pull-requests: write
env:
E2E_GRAND_TOTAL: ${{needs.e2e-tests-run.outputs.E2E_GRAND_TOTAL}}
steps:
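Review bot: Style: in the last hunk the job-level `permissions:` block is placed after `needs:`, whereas every other job in this commit, including the three other jobs in this file, lists `permissions:` directly after `runs-on:`; the syncpack section similarly wedges it between `runs-on:` and `name:`. Keeping the grant in one consistent position makes the scope easy to find when reviewing a job. The job bodies continue outside the hunks.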


@ -7,10 +7,14 @@ concurrency:
group: build-${{ github.event_name == 'push' && github.run_id || 'pr' }}-${{ github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
build:
if: github.repository_owner == 'woocommerce'
runs-on: ubuntu-20.04
permissions:
contents: read
steps:
- uses: actions/checkout@v3


@ -8,11 +8,16 @@ defaults:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
test:
name: Code coverage (PHP 7.4, WP Latest)
timeout-minutes: 30
runs-on: ubuntu-20.04
permissions:
contents: read
services:
database:
image: mysql:5.6


@ -8,11 +8,16 @@ concurrency:
cancel-in-progress: true
env:
PHPCS: ./plugins/woocommerce/vendor/bin/phpcs # Run WooCommerce phpcs setup in phpcs-changed instead of default
permissions: {}
jobs:
test:
name: Code sniff (PHP 7.4, WP Latest)
timeout-minutes: 15
runs-on: ubuntu-20.04
permissions:
contents: read
steps:
- uses: actions/checkout@v3
with:


@ -1,9 +1,14 @@
name: Highlight templates changes
on: pull_request
permissions: {}
jobs:
analyze:
name: Check pull request changes to highlight
runs-on: ubuntu-20.04
permissions:
contents: read
outputs:
results: ${{ steps.results.outputs.results }}
steps:


@ -6,10 +6,15 @@ on:
concurrency:
group: changelogger-${{ github.event_name }}-${{ github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
changelogger_used:
name: Changelogger use
runs-on: ubuntu-20.04
permissions:
contents: read
timeout-minutes: 15
steps:
- uses: actions/checkout@v3


@ -5,10 +5,14 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
lint-test-js:
name: Lint and Test JS
runs-on: ubuntu-20.04
permissions:
contents: read
steps:
- uses: actions/checkout@v3


@ -8,9 +8,14 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
label_project:
runs-on: ubuntu-20.04
permissions:
contents: read
pull-requests: write
steps:
- uses: actions/labeler@v3
with:


@ -9,11 +9,16 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
prcheck:
name: Smoke test a pull request.
if: "${{ contains(github.event.label.name, 'run: smoke tests') }}"
runs-on: ubuntu-20.04
permissions:
contents: read
pull-requests: write
steps:
- uses: actions/checkout@v3


@ -8,11 +8,15 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
test:
name: PHP ${{ matrix.php }} WP ${{ matrix.wp }}
timeout-minutes: 30
runs-on: ubuntu-20.04
permissions:
contents: read
continue-on-error: ${{ matrix.wp == 'nightly' }}
strategy:
fail-fast: false


@ -6,10 +6,16 @@ on:
description: 'Enter a specific package to release, or packages separated by commas, ie @woocommerce/components,@woocommerce/number. Leaving this input to the default "-a" will prepare to release all eligible packages.'
required: false
default: '-a'
permissions: {}
jobs:
prepare:
name: Run prepare script
runs-on: ubuntu-20.04
permissions:
contents: read
pull-requests: write
steps:
- uses: actions/checkout@v3


@ -9,10 +9,14 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
prime:
name: Prime cache
runs-on: ubuntu-20.04
permissions:
contents: read
steps:
- uses: actions/checkout@v3


@ -3,11 +3,15 @@ on:
pull_request_target:
types: [closed]
permissions: {}
jobs:
process-pull-request-after-merge:
name: "Process a pull request after it's merged"
if: github.event.pull_request.merged == true
runs-on: ubuntu-20.04
permissions:
pull-requests: write
steps:
- name: "Get the action scripts"
run: |
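Review bot: This workflow runs on `pull_request_target`, so the job executes in the base-repository context with secrets and a token that can now write pull requests; the explicit job-level grant is the right shape, but the step "Get the action scripts" should fetch those scripts from the base ref rather than from the PR head, and the hunk does not show where they come from. A comment beside the grant such as `# pull_request_target: runs with the base-repo token; scripts must come from the base ref` would record that constraint for the next editor. The `run:` block continues outside the hunk.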


@ -15,9 +15,14 @@ env:
GIT_AUTHOR_NAME: 'WooCommerce Bot'
GIT_AUTHOR_EMAIL: 'no-reply@woocommerce.com'
permissions: {}
jobs:
create-changelog-prs:
runs-on: ubuntu-20.04
permissions:
contents: read
pull-requests: write
steps:
- name: Checkout code
uses: actions/checkout@v3


@ -20,6 +20,8 @@ env:
GIT_AUTHOR_NAME: 'WooCommerce Bot'
GIT_AUTHOR_EMAIL: 'no-reply@woocommerce.com'
permissions: {}
jobs:
verify-code-freeze:
name: 'Verify that today is the day of the code freeze'
@ -57,6 +59,8 @@ jobs:
maybe-create-next-milestone-and-release-branch:
name: 'Maybe create next milestone and release branch'
runs-on: ubuntu-20.04
permissions:
contents: read
needs: verify-code-freeze
if: needs.verify-code-freeze.outputs.freeze == 0
outputs:
@ -84,6 +88,9 @@ jobs:
prep-trunk:
name: Preps trunk for next development cycle
runs-on: ubuntu-20.04
permissions:
contents: read
pull-requests: write
needs: maybe-create-next-milestone-and-release-branch
steps:
- name: Checkout code
@ -151,6 +158,8 @@ jobs:
trigger-changelog-action:
name: 'Trigger changelog action'
runs-on: ubuntu-20.04
permissions:
actions: write
needs: maybe-create-next-milestone-and-release-branch
steps:
- name: 'Trigger changelog action'


@ -3,6 +3,8 @@ on:
schedule:
- cron: '25 7 * * *'
permissions: {}
jobs:
ping_site:
runs-on: ubuntu-20.04
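Review bot: With `permissions: {}` at the workflow level and no job-level block, the ping_site job now runs with a GITHUB_TOKEN that has no scopes at all; that is correct if the job only makes outbound requests, but any step that uses the token would now fail, and the job's steps are outside the hunk. Every other job in this commit was given an explicit block, so either add `permissions: {}` on the job with a comment like `# no token needed: outbound ping only` to make the intent visible, or confirm no step relies on the token. The add-dev-comment job in the "labeled" section is in the same state as far as its hunk shows.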


@ -14,10 +14,14 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
e2e-tests:
name: E2E tests on nightly build
runs-on: ubuntu-20.04
permissions:
contents: read
env:
ADMIN_PASSWORD: ${{ secrets.SMOKE_TEST_ADMIN_PASSWORD }}
ADMIN_USER: ${{ secrets.SMOKE_TEST_ADMIN_USER }}
@ -77,6 +81,8 @@ jobs:
api-tests:
name: API tests on nightly build
runs-on: ubuntu-20.04
permissions:
contents: read
needs: [e2e-tests]
if: success() || failure()
env:
@ -121,6 +127,8 @@ jobs:
k6-tests:
name: k6 tests on nightly build
runs-on: ubuntu-20.04
permissions:
contents: read
needs: [api-tests]
if: success() || failure()
steps:
@ -171,6 +179,8 @@ jobs:
test-plugins:
name: Smoke tests on trunk with ${{ matrix.plugin }} plugin installed
runs-on: ubuntu-20.04
permissions:
contents: read
env:
USE_WP_ENV: 1
ALLURE_RESULTS_DIR: ${{ github.workspace }}/plugins/woocommerce/tests/e2e-pw/allure-results
@ -244,6 +254,8 @@ jobs:
( success() || failure() ) &&
! github.event.pull_request.head.repo.fork
runs-on: ubuntu-20.04
permissions:
contents: read
needs: [test-plugins, k6-tests]
steps:
- name: Create dirs


@ -5,10 +5,15 @@ on:
release_id:
description: 'WooCommerce Release Id'
required: true
permissions: {}
jobs:
login-run:
name: Daily smoke test on release.
runs-on: ubuntu-20.04
permissions:
contents: read
steps:
- uses: actions/checkout@v3
with:
@ -49,6 +54,8 @@ jobs:
test-wp-version:
name: Smoke test on L-${{ matrix.wp }} WordPress version
runs-on: ubuntu-20.04
permissions:
contents: read
strategy:
matrix:
wp: ['1', '2']
@ -104,6 +111,8 @@ jobs:
test-plugins:
name: Smoke tests with ${{ matrix.plugin }} plugin installed
runs-on: ubuntu-20.04
permissions:
contents: read
strategy:
fail-fast: false
matrix:


@ -3,11 +3,17 @@ on:
schedule:
- cron: '21 0 * * *'
permissions: {}
jobs:
stale:
if: |
! contains(github.event.issue.labels.*.name, 'type: enhancement')
runs-on: ubuntu-20.04
permissions:
contents: read
issues: write
pull-requests: write
steps:
- uses: actions/stale@v3
with:
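Review bot: The stale job is granted `contents: read` alongside the issues and pull-requests write scopes, but `actions/stale` works through the API and does not read repository contents unless another step checks out code, which the hunk does not show; dropping it would match the minimum-permissions intent of this commit. Separately, the pre-existing `if:` reads `github.event.issue.labels` under a `schedule` trigger, where the event payload carries no issue, so the condition presumably evaluates to true on every run and is worth a follow-up. The step list continues outside the hunk.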


@ -6,9 +6,14 @@ on:
- trunk
paths:
- '**/package.json'
permissions: {}
jobs:
syncpack:
runs-on: ubuntu-latest
permissions:
contents: read
name: syncpack
steps:
- name: 'Checkout'


@ -4,9 +4,14 @@ on:
issues:
types: opened
permissions: {}
jobs:
add_label:
runs-on: ubuntu-20.04
permissions:
contents: read
issues: write
steps:
- uses: actions/checkout@v3
- uses: actions-ecosystem/action-add-labels@v1


@ -3,6 +3,9 @@ on:
issues:
types:
- labeled
permissions: {}
jobs:
add-dev-comment:
if: "github.event.label.name == 'needs: developer feedback'"


@ -1,6 +1,8 @@
name: 'Update contributor feedback labels on comment'
on: 'issue_comment'
permissions: {}
jobs:
feedback:
if: |
@ -10,6 +12,8 @@ jobs:
github.event.issue.state == 'open' &&
contains(github.event.issue.labels.*.name, 'needs: author feedback')
runs-on: ubuntu-20.04
permissions:
issues: write
steps:
- name: Add has feedback
uses: actions-ecosystem/action-add-labels@v1