From 1c2fe7b63c2c1a8adbfff2723d013442749a67bb Mon Sep 17 00:00:00 2001
From: Jonathan Desrosiers <359867+desrosj@users.noreply.github.com>
Date: Thu, 14 May 2026 17:09:18 -0400
Subject: [PATCH 1/3] chore(workflows): scope GitHub Actions permissions
Co-authored-by: Cursor
---
 .github/workflows/auto-translate.yml | 8 +++++---
 .../workflows/brand-plugin-test-playwright.yml | 18 +++++++++---------
 .github/workflows/lint.yml | 6 ++++++
 .github/workflows/newfold-prep-release.yml | 6 +++---
 .github/workflows/satis-webhook.yml | 6 ++++++
 .../unit-tests-and-coverage-report.yml | 11 ++++++++---
 6 files changed, 37 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/auto-translate.yml b/.github/workflows/auto-translate.yml
index f3ee13b7..cd0b5ed4 100644
--- a/.github/workflows/auto-translate.yml
+++ b/.github/workflows/auto-translate.yml
@@ -12,15 +12,17 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref_name }}
 cancel-in-progress: true
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
 permissions: {}
 jobs:
 translate:
 name: 'Check and update translations'
- permissions:
- contents: write
- pull-requests: write
 uses: newfold-labs/workflows/.github/workflows/reusable-translations.yml@main
+ permissions:
+ contents: write # Required for the reusable translations workflow to push the auto-translate branch and commits.
+ pull-requests: write # Required for gh pr list/update/create flows inside the reusable workflow (GITHUB_TOKEN).
 with:
 text_domain: 'wp-module-data'
 secrets:
diff --git a/.github/workflows/brand-plugin-test-playwright.yml b/.github/workflows/brand-plugin-test-playwright.yml
index 7e8d439c..2acd15a7 100644
--- a/.github/workflows/brand-plugin-test-playwright.yml
+++ b/.github/workflows/brand-plugin-test-playwright.yml
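Review bot: The `contents: write` / `pull-requests: write` pair added under `translate` is delegated to `reusable-translations.yml@main`, a mutable branch ref, so the job-level scoping bounds what the token may do but not which revision of the called workflow receives it; anyone who can push to that branch of newfold-labs/workflows effectively obtains this repository's write-capable GITHUB_TOKEN. If that branch is not protected at least as strictly as this repository, pin the caller to a commit, e.g. `uses: newfold-labs/workflows/.github/workflows/reusable-translations.yml@<commit-sha> # <tag>`, and let a dependency bot keep the pin current. The same consideration applies to the `@main` callers that receive permissions in brand-plugin-test-playwright.yml (bluehost, bluehost-dev), newfold-prep-release.yml (prep-release) and unit-tests-and-coverage-report.yml (unit-tests). The job's `secrets:` block continues outside the hunk.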
@@ -6,19 +6,19 @@ on:
 - main
 workflow_dispatch:
-permissions:
- contents: read
-
 concurrency:
 group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
 cancel-in-progress: true
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 setup:
 name: Setup
 runs-on: ubuntu-latest
- permissions:
- contents: read
+ permissions: {} # No checkout or GitHub API usage; only derives the branch name from workflow ref env vars.
 outputs:
 branch: ${{ steps.extract_branch.outputs.branch }}
 steps:
@@ -31,9 +31,9 @@ jobs:
 bluehost:
 name: Bluehost Build and Test Playwright
 needs: setup
- permissions:
- contents: read
 uses: newfold-labs/workflows/.github/workflows/module-plugin-test-playwright.yml@main
+ permissions:
+ contents: read # Required for the reusable workflow to clone this module and the brand plugin (GITHUB_TOKEN).
 with:
 module-repo: ${{ github.repository }}
 module-branch: ${{ needs.setup.outputs.branch }}
@@ -43,9 +43,9 @@ jobs:
 bluehost-dev:
 name: Bluehost Dev Build and Test Playwright
 needs: setup
- permissions:
- contents: read
 uses: newfold-labs/workflows/.github/workflows/module-plugin-test-playwright.yml@main
+ permissions:
+ contents: read # Required for the reusable workflow to clone this module and the brand plugin (GITHUB_TOKEN).
 with:
 module-repo: ${{ github.repository }}
 module-branch: ${{ needs.setup.outputs.branch }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 22db78fb..2169ca71 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -15,10 +15,16 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
 cancel-in-progress: true
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 phpcs:
 name: Run PHP Code Sniffer
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # Required to checkout the repo and push PHPCBF fixes on main via git-auto-commit-action (github.token).
 steps:
 - name: Checkout
diff --git a/.github/workflows/newfold-prep-release.yml b/.github/workflows/newfold-prep-release.yml
index 352081a9..d5e3750c 100644
--- a/.github/workflows/newfold-prep-release.yml
+++ b/.github/workflows/newfold-prep-release.yml
@@ -21,10 +21,10 @@ jobs:
 # This job runs the newfold module-prep-release workflow for this module.
 prep-release:
 name: Prepare Release
- permissions:
- contents: write
- pull-requests: write
 uses: newfold-labs/workflows/.github/workflows/reusable-module-prep-release.yml@main
+ permissions:
+ contents: write # Required for the reusable prep-release workflow to push the release branch and file bumps.
+ pull-requests: write # Required for gh pr list and opening the release pull request (GITHUB_TOKEN in reusable job).
 with:
 module-repo: ${{ github.repository }}
 module-branch: 'main'
diff --git a/.github/workflows/satis-webhook.yml b/.github/workflows/satis-webhook.yml
index 61a22a50..c459ae42 100644
--- a/.github/workflows/satis-webhook.yml
+++ b/.github/workflows/satis-webhook.yml
@@ -8,10 +8,16 @@ on:
 env:
 VERSION: ${GITHUB_REF#refs/tags/*}
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 webhook:
 name: Send Webhook
 runs-on: ubuntu-latest
+ permissions:
+ contents: read # Required to checkout the repository (actions/checkout with GITHUB_TOKEN).
 steps:
 - name: Checkout
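Review bot: `contents: write` on `phpcs` applies to every event this workflow handles, including `pull_request` runs (the concurrency group keys on `github.head_ref`), while the trailing comment says the push is only needed on main; `permissions` cannot be made conditional on the event, so a PR-triggered lint of contributor changes holds a write-capable GITHUB_TOKEN it never uses (fork PRs are read-only regardless, same-repo branches are not). A common split keeps `phpcs` at `contents: read` and moves the git-auto-commit-action step into a separate job guarded by `if: github.event_name == 'push' && github.ref == 'refs/heads/main'` that alone declares `contents: write`. The `unit-tests` job in unit-tests-and-coverage-report.yml has the same shape: `contents: write` for the gh-pages push is granted on PR runs that only need `pull-requests: write` for the coverage comment, though that reusable workflow's internals are not in this diff. The `phpcs` steps continue outside the hunk, so I cannot confirm here which step performs the push.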
diff --git a/.github/workflows/unit-tests-and-coverage-report.yml b/.github/workflows/unit-tests-and-coverage-report.yml
index d5b81cc3..80eaf864 100644
--- a/.github/workflows/unit-tests-and-coverage-report.yml
+++ b/.github/workflows/unit-tests-and-coverage-report.yml
@@ -18,9 +18,14 @@ concurrency:
 group: ${{ github.workflow }}-${{ (github.event_name == 'pull_request' && github.head_ref) || github.sha }}
 cancel-in-progress: true
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 get-repo-name:
 runs-on: ubuntu-latest
+ permissions: {} # No checkout or GitHub API usage; only derives the repo name from github.repository.
 outputs:
 repository-name: ${{ steps.repo-name.outputs.name }}
 steps:
@@ -32,10 +37,10 @@ jobs:
 unit-tests:
 needs: get-repo-name
- permissions:
- contents: write
- pull-requests: write
 uses: newfold-labs/workflows/.github/workflows/reusable-codecoverage.yml@main
+ permissions:
+ contents: write # Required for the reusable codecoverage workflow to push coverage HTML to gh-pages.
+ pull-requests: write # Required for the reusable workflow to add PR comments (coverage via mshick/add-pr-comment).
 with:
 php-versions: '["7.4", "8.0", "8.1", "8.2", "8.3"]'
 coverage-php-version: '7.4'
From fa2474a27a08698662c9271eb91fb7f00e0d0991 Mon Sep 17 00:00:00 2001
From: Jonathan Desrosiers <359867+desrosj@users.noreply.github.com>
Date: Thu, 14 May 2026 17:10:58 -0400
Subject: [PATCH 2/3] chore(workflows): add timeout-minutes to jobs
Co-authored-by: Cursor
---
 .github/workflows/auto-translate.yml | 1 +
 .github/workflows/brand-plugin-test-playwright.yml | 3 +++
 .github/workflows/lint.yml | 1 +
 .github/workflows/newfold-prep-release.yml | 1 +
 .github/workflows/satis-webhook.yml | 1 +
 .github/workflows/unit-tests-and-coverage-report.yml | 2 ++
 6 files changed, 9 insertions(+)
diff --git a/.github/workflows/auto-translate.yml b/.github/workflows/auto-translate.yml
index cd0b5ed4..26c78ad2 100644
--- a/.github/workflows/auto-translate.yml
+++ b/.github/workflows/auto-translate.yml
@@ -19,6 +19,7 @@ permissions: {}
 jobs:
 translate:
 name: 'Check and update translations'
+ timeout-minutes: 120
 uses: newfold-labs/workflows/.github/workflows/reusable-translations.yml@main
 permissions:
 contents: write # Required for the reusable translations workflow to push the auto-translate branch and commits.
diff --git a/.github/workflows/brand-plugin-test-playwright.yml b/.github/workflows/brand-plugin-test-playwright.yml
index 2acd15a7..f94e654e 100644
--- a/.github/workflows/brand-plugin-test-playwright.yml
+++ b/.github/workflows/brand-plugin-test-playwright.yml
@@ -18,6 +18,7 @@ jobs:
 setup:
 name: Setup
 runs-on: ubuntu-latest
+ timeout-minutes: 10
 permissions: {} # No checkout or GitHub API usage; only derives the branch name from workflow ref env vars.
 outputs:
 branch: ${{ steps.extract_branch.outputs.branch }}
@@ -31,6 +32,7 @@ jobs:
 bluehost:
 name: Bluehost Build and Test Playwright
 needs: setup
+ timeout-minutes: 120
 uses: newfold-labs/workflows/.github/workflows/module-plugin-test-playwright.yml@main
 permissions:
 contents: read # Required for the reusable workflow to clone this module and the brand plugin (GITHUB_TOKEN).
@@ -43,6 +45,7 @@ jobs:
 bluehost-dev:
 name: Bluehost Dev Build and Test Playwright
 needs: setup
+ timeout-minutes: 120
 uses: newfold-labs/workflows/.github/workflows/module-plugin-test-playwright.yml@main
 permissions:
 contents: read # Required for the reusable workflow to clone this module and the brand plugin (GITHUB_TOKEN).
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 2169ca71..6657863f 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
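Review bot: `timeout-minutes: 120` is added to `translate`, a job that calls a reusable workflow via `uses:`, and `timeout-minutes` is not among the keys GitHub accepts on a reusable-workflow caller job (name, uses, with, secrets, needs, if, permissions, concurrency, strategy), so as far as I can tell the file will be rejected at workflow validation with an "Unexpected value 'timeout-minutes'" error instead of gaining a time limit. The same key is added to the `bluehost` and `bluehost-dev` callers in brand-plugin-test-playwright.yml, to `prep-release` in newfold-prep-release.yml and to `unit-tests` in unit-tests-and-coverage-report.yml; the `runs-on` jobs (setup, phpcs, webhook, get-repo-name) are fine. A caller cannot bound the called jobs, so drop the key from these five jobs and set `timeout-minutes` on each job inside the corresponding reusable workflow in newfold-labs/workflows instead. The job's `with:`/`secrets:` block continues outside the hunk.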
@@ -23,6 +23,7 @@ jobs:
 phpcs:
 name: Run PHP Code Sniffer
 runs-on: ubuntu-latest
+ timeout-minutes: 30
 permissions:
 contents: write # Required to checkout the repo and push PHPCBF fixes on main via git-auto-commit-action (github.token).
 steps:
diff --git a/.github/workflows/newfold-prep-release.yml b/.github/workflows/newfold-prep-release.yml
index d5e3750c..45d4a0e5 100644
--- a/.github/workflows/newfold-prep-release.yml
+++ b/.github/workflows/newfold-prep-release.yml
@@ -21,6 +21,7 @@ jobs:
 # This job runs the newfold module-prep-release workflow for this module.
 prep-release:
 name: Prepare Release
+ timeout-minutes: 60
 uses: newfold-labs/workflows/.github/workflows/reusable-module-prep-release.yml@main
 permissions:
 contents: write # Required for the reusable prep-release workflow to push the release branch and file bumps.
diff --git a/.github/workflows/satis-webhook.yml b/.github/workflows/satis-webhook.yml
index c459ae42..59839035 100644
--- a/.github/workflows/satis-webhook.yml
+++ b/.github/workflows/satis-webhook.yml
@@ -16,6 +16,7 @@ jobs:
 webhook:
 name: Send Webhook
 runs-on: ubuntu-latest
+ timeout-minutes: 30
 permissions:
 contents: read # Required to checkout the repository (actions/checkout with GITHUB_TOKEN).
 steps:
diff --git a/.github/workflows/unit-tests-and-coverage-report.yml b/.github/workflows/unit-tests-and-coverage-report.yml
index 80eaf864..1dcbbfa2 100644
--- a/.github/workflows/unit-tests-and-coverage-report.yml
+++ b/.github/workflows/unit-tests-and-coverage-report.yml
@@ -25,6 +25,7 @@ permissions: {}
 jobs:
 get-repo-name:
 runs-on: ubuntu-latest
+ timeout-minutes: 10
 permissions: {} # No checkout or GitHub API usage; only derives the repo name from github.repository.
 outputs:
 repository-name: ${{ steps.repo-name.outputs.name }}
@@ -37,6 +38,7 @@ jobs:
 unit-tests:
 needs: get-repo-name
+ timeout-minutes: 120
 uses: newfold-labs/workflows/.github/workflows/reusable-codecoverage.yml@main
 permissions:
 contents: write # Required for the reusable codecoverage workflow to push coverage HTML to gh-pages.
From ff4c2678122369f4388f05a0bf46a54541070087 Mon Sep 17 00:00:00 2001
From: Jonathan Desrosiers <359867+desrosj@users.noreply.github.com>
Date: Thu, 14 May 2026 17:56:11 -0400
Subject: [PATCH 3/3] chore(workflows): scope GitHub Actions permissions
Co-authored-by: Cursor
---
 .github/workflows/auto-translate.yml | 2 +-
 .github/workflows/brand-plugin-test-playwright.yml | 4 ++--
 .github/workflows/newfold-prep-release.yml | 2 +-
 .github/workflows/unit-tests-and-coverage-report.yml | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/auto-translate.yml b/.github/workflows/auto-translate.yml
index 26c78ad2..4f6181e9 100644
--- a/.github/workflows/auto-translate.yml
+++ b/.github/workflows/auto-translate.yml
@@ -20,10 +20,10 @@ jobs:
 translate:
 name: 'Check and update translations'
 timeout-minutes: 120
- uses: newfold-labs/workflows/.github/workflows/reusable-translations.yml@main
 permissions:
 contents: write # Required for the reusable translations workflow to push the auto-translate branch and commits.
 pull-requests: write # Required for gh pr list/update/create flows inside the reusable workflow (GITHUB_TOKEN).
+ uses: newfold-labs/workflows/.github/workflows/reusable-translations.yml@main
 with:
 text_domain: 'wp-module-data'
 secrets:
diff --git a/.github/workflows/brand-plugin-test-playwright.yml b/.github/workflows/brand-plugin-test-playwright.yml
index f94e654e..4cb5a018 100644
--- a/.github/workflows/brand-plugin-test-playwright.yml
+++ b/.github/workflows/brand-plugin-test-playwright.yml
@@ -33,9 +33,9 @@ jobs:
 name: Bluehost Build and Test Playwright
 needs: setup
 timeout-minutes: 120
- uses: newfold-labs/workflows/.github/workflows/module-plugin-test-playwright.yml@main
 permissions:
 contents: read # Required for the reusable workflow to clone this module and the brand plugin (GITHUB_TOKEN).
+ uses: newfold-labs/workflows/.github/workflows/module-plugin-test-playwright.yml@main
 with:
 module-repo: ${{ github.repository }}
 module-branch: ${{ needs.setup.outputs.branch }}
@@ -46,9 +46,9 @@ jobs:
 name: Bluehost Dev Build and Test Playwright
 needs: setup
 timeout-minutes: 120
- uses: newfold-labs/workflows/.github/workflows/module-plugin-test-playwright.yml@main
 permissions:
 contents: read # Required for the reusable workflow to clone this module and the brand plugin (GITHUB_TOKEN).
+ uses: newfold-labs/workflows/.github/workflows/module-plugin-test-playwright.yml@main
 with:
 module-repo: ${{ github.repository }}
 module-branch: ${{ needs.setup.outputs.branch }}
diff --git a/.github/workflows/newfold-prep-release.yml b/.github/workflows/newfold-prep-release.yml
index 45d4a0e5..0ffbbf94 100644
--- a/.github/workflows/newfold-prep-release.yml
+++ b/.github/workflows/newfold-prep-release.yml
@@ -22,10 +22,10 @@ jobs:
 prep-release:
 name: Prepare Release
 timeout-minutes: 60
- uses: newfold-labs/workflows/.github/workflows/reusable-module-prep-release.yml@main
 permissions:
 contents: write # Required for the reusable prep-release workflow to push the release branch and file bumps.
 pull-requests: write # Required for gh pr list and opening the release pull request (GITHUB_TOKEN in reusable job).
+ uses: newfold-labs/workflows/.github/workflows/reusable-module-prep-release.yml@main
 with:
 module-repo: ${{ github.repository }}
 module-branch: 'main'
diff --git a/.github/workflows/unit-tests-and-coverage-report.yml b/.github/workflows/unit-tests-and-coverage-report.yml
index 1dcbbfa2..8eeba109 100644
--- a/.github/workflows/unit-tests-and-coverage-report.yml
+++ b/.github/workflows/unit-tests-and-coverage-report.yml
@@ -39,10 +39,10 @@ jobs:
 unit-tests:
 needs: get-repo-name
 timeout-minutes: 120
- uses: newfold-labs/workflows/.github/workflows/reusable-codecoverage.yml@main
 permissions:
 contents: write # Required for the reusable codecoverage workflow to push coverage HTML to gh-pages.
 pull-requests: write # Required for the reusable workflow to add PR comments (coverage via mshick/add-pr-comment).
+ uses: newfold-labs/workflows/.github/workflows/reusable-codecoverage.yml@main
 with:
 php-versions: '["7.4", "8.0", "8.1", "8.2", "8.3"]'
 coverage-php-version: '7.4'