
Introduce the GitHub Actions Workflow Standards page#159

Draft
johnbillion wants to merge 5 commits into master from github-actions-standards


Conversation

@johnbillion
Member

@johnbillion johnbillion commented May 3, 2026

Work has been ongoing recently to improve the quality and security of GitHub Actions workflow files in the wordpress-develop and gutenberg repos. Examples:

While the Actionlint and Zizmor tools that we now use are great for surfacing problems in workflow files, we also need good user-facing documentation that provides guidance on addressing common issues and what automation is in place.

Members of the security team have been working on this page and it's already live at https://developer.wordpress.org/coding-standards/wordpress-coding-standards/github-actions/. It now needs to be moved into the docs repo alongside the other pages.

Member

@dingo-d dingo-d left a comment


I had just one comment, otherwise looks good 👍🏼

@jrfnl
Member

jrfnl commented May 5, 2026

@johnbillion You seem to be mixing two different tasks in this single PR:

  • Adding a new page
  • Improving the security of the GH Actions workflow(s) for this repo.

As those are different decision points, with different justifications, could you please move the workflow changes to their own PR?

@johnbillion
Member Author

could you please move the workflow changes to their own PR ?

Done: #161

@johnbillion johnbillion moved this from In progress to In review in WordPress Project Build Tooling May 6, 2026
Member

@desrosj desrosj left a comment


@johnbillion some small suggestions. Some may be a bit deeper than you're looking to go in this high-level guide, and some are stylistic preferences.

Contributor

@rodrigoprimo rodrigoprimo left a comment


Looks good to me overall. I left a couple of inline comments with questions about small things that caught my attention.

Member

@GaryJones GaryJones left a comment


Also, the PR body still says "This PR also fixes some issues in the qa.yml workflow file in this repo so it adheres to these standards.", even though that was moved out.


GitHub Actions workflows operate in a highly privileged software supply chain environment. Workflows can access repository secrets, push code, create releases, publish packages, and interact with external services. A security weakness in a workflow file can have severe consequences.

WordPress uses two complementary linting tools to help maintain the quality and security of workflow files in the `.github/workflows` directory: [Actionlint](https://github.com/rhysd/actionlint) and [Zizmor](https://github.com/zizmorcore/zizmor). This page documents the tools and how contributors should address errors or warnings that they report.
Member


The scope is undefined. The doc says “WordPress uses…” then only names wordpress-develop as an enforcement point. Does this apply to Gutenberg? Plugin/theme contributors? The wpcs-docs repo itself? The PR body hints at all of them, but the page should state its scope explicitly — otherwise it’s a guideline dressed as a standard.

Member


The end goal is to add enforcement of these practices org-wide to ensure all repositories remain secure. But that will take time.

That said, we could maybe add a section linking to the repositories enforcing this to date. Gutenberg runs a workflow, but I don't believe it is configured as a check that is required to pass currently. I could be wrong on that and would need to check.

@@ -0,0 +1,185 @@
# GitHub Actions Workflow Standards
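Review bot: The new file opens with the bare H1 "GitHub Actions Workflow Standards" and, in this hunk, nothing that states which repositories the standard applies to, even though the PR description names wordpress-develop and gutenberg and the reviewers below ask the same question. Consider a one-sentence scope statement directly under the heading, e.g. "These standards apply to workflow files in the `.github/workflows` directory of the wordpress-develop and gutenberg repositories", so the page reads as a standard with a defined audience rather than general guidance.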
Member


There's a title vs content imbalance here. It's called “GitHub Actions Workflow Standards”, but the substance is almost entirely Zizmor audit findings rephrased. Actionlint gets one paragraph and zero concrete examples. Either rename it to something like “Workflow Security Standards”, or beef up the Actionlint side (common findings, shellcheck guidance, expression typing pitfalls).

For a document presented as the standard, I’d expect at least a mention of:

  • timeout-minutes (DoS / runaway jobs)
  • Concurrency controls (concurrency: block)
  • GITHUB_TOKEN scoping vs PATs
  • etc.
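The controls the reviewer lists above (timeout-minutes, a concurrency block, GITHUB_TOKEN scoping) together with the template-interpolation and action-pinning concerns that Actionlint and Zizmor surface, shown as one constructed workflow written twice. This is an added illustration, not content from the wpcs-docs page or from the wordpress-develop repository; the job name, the echo step, and the all-zero commit SHA are placeholders.

```yaml
# Constructed example (not from the wpcs-docs page): the same job written
# twice. The first document carries the settings reviewers flagged; the
# second addresses each of them.
---
# BEFORE: GITHUB_TOKEN falls back to the repository's default scope, no
# timeout, no concurrency group, the action is pinned to a mutable tag, and
# event data is interpolated straight into the shell script.
name: qa-weak
on: pull_request
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "Checking ${{ github.event.pull_request.title }}"
---
# AFTER: hardened form of the same job.
name: qa
on:
  pull_request:          # not pull_request_target, so fork PRs get no secrets
    branches: [master]   # 'master' is the target branch named in this PR

# Scope GITHUB_TOKEN to read-only for every job; widen per job only if a
# step genuinely needs to write.
permissions:
  contents: read

# One run per workflow and ref; a newer push cancels the stale run.
concurrency:
  group: qa-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  lint:
    runs-on: ubuntu-latest
    timeout-minutes: 10    # bound hung or runaway jobs
    steps:
      # Pin to a full commit SHA (all-zero placeholder here); the trailing
      # comment records the tag so readers and Dependabot can track versions.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
        with:
          persist-credentials: false   # don't leave the token in .git/config
      # Untrusted event data reaches the script through an environment
      # variable, never through ${{ }} inside run:.
      - name: Report title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Checking $PR_TITLE"
```

Running `actionlint` and `zizmor` against a copy of each document is the quickest way to see which of these settings each tool reports on.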

Member Author


Yep all fair points.

This document currently focuses on the security aspect of workflows, but in the future I fully expect it to be extended to include timeout-minutes, concurrency, use of reusable workflows, and maybe even use of npx and other software installation and dependency management concerns, but they're all out of scope for this first version.

The current objective is to provide a point of reference for workflow security hardening that repo maintainers can be pointed to.

@johnbillion johnbillion marked this pull request as draft May 19, 2026 16:45
@johnbillion johnbillion moved this from In review to In progress in WordPress Project Build Tooling May 21, 2026