From 825d1341eef5cfb6c66d420a1f57fd312b99be1b Mon Sep 17 00:00:00 2001
From: Chuck Adams
Date: Mon, 18 May 2026 08:24:55 -0600
Subject: [PATCH 1/6] don't use interpolations in if-statements
Signed-off-by: Chuck Adams
---
 .github/workflows/generate-missing-i18n-files-pr.yml | 2 +-
 .github/workflows/generate-pot-pr.yml | 2 +-
 .github/workflows/publish-fair.yml | 2 +-
 .github/workflows/update-browserslist.yaml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/generate-missing-i18n-files-pr.yml b/.github/workflows/generate-missing-i18n-files-pr.yml
index 3ea20138..a0c32138 100644
--- a/.github/workflows/generate-missing-i18n-files-pr.yml
+++ b/.github/workflows/generate-missing-i18n-files-pr.yml
@@ -11,7 +11,7 @@ on:
 jobs:
 generate-missing-i18n-files:
 name: Generate missing i18n files PR
- if: github.repository == ${{ github.event.repository.full_name }}
+ if: github.repository == github.event.repository.full_name
 permissions:
 contents: write
 pull-requests: write
diff --git a/.github/workflows/generate-pot-pr.yml b/.github/workflows/generate-pot-pr.yml
index f04f3a54..35c0c8a0 100644
--- a/.github/workflows/generate-pot-pr.yml
+++ b/.github/workflows/generate-pot-pr.yml
@@ -9,7 +9,7 @@ on:
 jobs:
 generate-pot:
 name: Generate POT PR
- if: github.repository == ${{ github.event.repository.full_name }}
+ if: github.repository == github.event.repository.full_name
 permissions:
 contents: write
 pull-requests: write
diff --git a/.github/workflows/publish-fair.yml b/.github/workflows/publish-fair.yml
index f5dc0475..3c7d3d06 100644
--- a/.github/workflows/publish-fair.yml
+++ b/.github/workflows/publish-fair.yml
@@ -17,7 +17,7 @@ permissions:
 jobs:
 publish:
 runs-on: ubuntu-latest
- if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
+ if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
 steps:
 - name: Checkout
 uses: actions/checkout@v4
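Review bot: The rewritten condition `if: github.repository == github.event.repository.full_name` compares two values that, for any event delivered to this repository, appear to carry the same owner/name, so the guard looks like it is always true and would not stop the job on a fork that enables the workflow. If the intent is to keep the job from running outside the canonical repository, compare against a literal, e.g. `if: github.repository == 'OWNER/REPO'` (placeholder for the canonical slug). The same operand is introduced in the generate-pot-pr.yml hunk on this line and in the update-browserslist.yaml hunk that follows. Dropping the `${{ }}` wrapper is correct regardless; the open point is only what the right-hand side should be.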
diff --git a/.github/workflows/update-browserslist.yaml b/.github/workflows/update-browserslist.yaml
index 1cae411b..4c49d21a 100644
--- a/.github/workflows/update-browserslist.yaml
+++ b/.github/workflows/update-browserslist.yaml
@@ -6,7 +6,7 @@ on:
 jobs:
 update-browserslist-regex:
 name: Update browserslist regex
- if: github.repository == ${{ github.event.repository.full_name }}
+ if: github.repository == github.event.repository.full_name
 permissions:
 contents: write
 pull-requests: write
From d00c6fd9ca2458ae6edbc90c87ee49398efa415b Mon Sep 17 00:00:00 2001
From: Chuck Adams
Date: Mon, 18 May 2026 08:41:36 -0600
Subject: [PATCH 2/6] pin most workflow actions to sha hashes
Signed-off-by: Chuck Adams
---
 .github/workflows/bump-version.yml | 4 ++--
 .github/workflows/coding-standards.yml | 4 ++--
 .github/workflows/generate-missing-i18n-files-pr.yml | 7 ++++---
 .github/workflows/generate-pot-pr.yml | 7 ++++---
 .github/workflows/phpunit-tests.yml | 6 +++---
 .github/workflows/playground-to-pr.yml | 3 ++-
 .github/workflows/publish-fair.yml | 4 ++--
 .github/workflows/releases.yml | 8 ++++----
 .github/workflows/update-browserslist.yaml | 4 ++--
 9 files changed, 25 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
index 4ebf9ab1..b3a2f932 100644
--- a/.github/workflows/bump-version.yml
+++ b/.github/workflows/bump-version.yml
@@ -13,7 +13,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out source code
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
 - name: Bump version
 run: |
@@ -28,7 +28,7 @@ jobs:
 VERSION: ${{ inputs.version }}
 - name: Create pull request
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
 with:
 branch: bump-version
 commit-message: "Bump version to ${{ inputs.version }}"
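Review bot: The pin on the `uses:` line replaces `actions/checkout@v4` with a SHA commented `# 6.0.2`, so this hunk bundles a two-major-version upgrade with the move to a hash; the next hunk does the same (create-pull-request v7 to v8.1.1), as do the releases.yml hunks (action-gh-release v2 to v3.0.0, attest-build-provenance v2 to v4.1.0). Pinning at the SHA the current tag resolves to and bumping majors in a separate commit keeps a behavioural regression separable from the supply-chain hardening. The runner never checks the trailing comment against the hash, so a reviewer should confirm out of band that each SHA is the commit the named release tag points to. The comments also mix `# 6.0.2` and `# v5.0.5`; some dependency-update tooling reads that comment to refresh pins, so one format (`# vX.Y.Z`) throughout is preferable.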
diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml
index db1a255a..3dbe891e 100644
--- a/.github/workflows/coding-standards.yml
+++ b/.github/workflows/coding-standards.yml
@@ -27,10 +27,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
 - name: Setup cache
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
 with:
 key: ${{ runner.os }}-${{ hashFiles('composer.json') }} # Note that lock file will change between runs.
 path: .cache
diff --git a/.github/workflows/generate-missing-i18n-files-pr.yml b/.github/workflows/generate-missing-i18n-files-pr.yml
index a0c32138..fae9dd8f 100644
--- a/.github/workflows/generate-missing-i18n-files-pr.yml
+++ b/.github/workflows/generate-missing-i18n-files-pr.yml
@@ -20,15 +20,16 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out source code
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
 - name: Set up PHP environment
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
 with:
 php-version: "7.4"
 - name: Setup WP-CLI
- uses: godaddy-wordpress/setup-wp-cli@1
+ uses: godaddy-wordpress/setup-wp-cli@1 # using tag, sha hash will not resolve
+ # uses: godaddy-wordpress/setup-wp-cli@7dee90ee27eb3510c0997111eb5c01de856c7a98 # 1.0.0
 - name: Configure git user
 run: |
diff --git a/.github/workflows/generate-pot-pr.yml b/.github/workflows/generate-pot-pr.yml
index 35c0c8a0..a2a1933e 100644
--- a/.github/workflows/generate-pot-pr.yml
+++ b/.github/workflows/generate-pot-pr.yml
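Review bot: The line `uses: godaddy-wordpress/setup-wp-cli@1 # using tag, sha hash will not resolve` leaves a mutable tag in place with a comment that does not say what actually failed, and the commented-out pin below it is labelled `# 1.0.0`, which may simply not be the commit tag `1` points at today. A full commit SHA that exists in the action's repository does resolve when used as a ref, so the failure is more likely a mismatched commit than hashes not working; resolving the tag to its current SHA and pinning that would close the gap. If the tag has to stay, make the comment actionable, e.g. `# TODO(pin): mutable tag; pin to the SHA that tag 1 currently resolves to`. The same pattern is in the generate-pot-pr.yml hunk that follows and, with `actions/github-script@v7` paired with a `# v9.0.0` SHA, in playground-to-pr.yml, where the unpinned action runs under `pull_request_target` and so deserves the pin most.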
@@ -18,15 +18,16 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out source code
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
 - name: Set up PHP environment
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
 with:
 php-version: "7.4"
 - name: Setup WP-CLI
- uses: godaddy-wordpress/setup-wp-cli@1
+ uses: godaddy-wordpress/setup-wp-cli@1 # using tag, sha hash will not resolve
+ # uses: godaddy-wordpress/setup-wp-cli@7dee90ee27eb3510c0997111eb5c01de856c7a98 # 1.0.0
 - name: Configure git user
 run: |
diff --git a/.github/workflows/phpunit-tests.yml b/.github/workflows/phpunit-tests.yml
index 0da409c3..5e3efc8f 100644
--- a/.github/workflows/phpunit-tests.yml
+++ b/.github/workflows/phpunit-tests.yml
@@ -74,10 +74,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@master
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
 - name: Setup MySQL with mysql_native_password
- uses: shogo82148/actions-setup-mysql@v1
+ uses: shogo82148/actions-setup-mysql@9c42ca180d5f1dd4dceb54c23c5eda0384f4d265 # v1.50.0
 with:
 mysql-version: ${{ matrix.wp-version >= '5.0' && '8.0' || '5.6' }}
 my-cnf: |
@@ -86,7 +86,7 @@ jobs:
 root-password: root
 - name: Set up PHP
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
 with:
 php-version: ${{ matrix.php-version }}
 coverage: none
diff --git a/.github/workflows/playground-to-pr.yml b/.github/workflows/playground-to-pr.yml
index fb07062d..e422ddee 100644
--- a/.github/workflows/playground-to-pr.yml
+++ b/.github/workflows/playground-to-pr.yml
@@ -9,7 +9,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: add-comment
- uses: actions/github-script@v7
+ uses: actions/github-script@v7 # using tag, sha hash will not resolve
+ # uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0
 with:
 github-token: ${{ github.token }}
 script: |
diff --git a/.github/workflows/publish-fair.yml b/.github/workflows/publish-fair.yml
index 3c7d3d06..bbbfc797 100644
--- a/.github/workflows/publish-fair.yml
+++ b/.github/workflows/publish-fair.yml
@@ -20,7 +20,7 @@ jobs:
 if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
 with:
 fetch-depth: 0
@@ -34,7 +34,7 @@ jobs:
 fi
 - name: Publish to FAIR
- uses: fairpm/fair-pulse@v1
+ uses: fairpm/fair-pulse@v1 # not using sha hash for now, it's our own action anyway
 with:
 version: ${{ steps.tag.outputs.tag }}
 artifact-name: ${{ github.event.repository.name }}-${{ steps.tag.outputs.tag }}.zip
diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml
index ef2b9a82..cb00eb4e 100644
--- a/.github/workflows/releases.yml
+++ b/.github/workflows/releases.yml
@@ -15,10 +15,10 @@ jobs:
 contents: write
 steps:
 - name: Checkout code
- uses: actions/checkout@master
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
 - name: Set up PHP
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
 with:
 php-version: '8.2'
 tools: composer
@@ -43,7 +43,7 @@ jobs:
 - name: Create Release
 id: create_release
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
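Review bot: `uses: fairpm/fair-pulse@v1 # not using sha hash for now, it's our own action anyway` keeps a mutable ref in the job that publishes the release artifact, and ownership of the action does not change what a moved `v1` tag would do here: anyone who can push to that repository, or any token with write access to it, changes what this job executes. A SHA pin for an in-house action is the same one-line change as the others in this commit. If it is deliberately deferred, the comment should say what it is waiting on rather than why it seems safe, e.g. `# TODO(pin): pin to a release SHA once fair-pulse tags a stable release`.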
@@ -64,6 +64,6 @@ jobs:
 AWS_REQUEST_CHECKSUM_CALCULATION: 'WHEN_REQUIRED'
 - name: Build provenance attestation
- uses: actions/attest-build-provenance@v2
+ uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
 with:
 subject-path: /tmp/${{ github.event.repository.name }}-${{ steps.tag.outputs.tag }}.zip
diff --git a/.github/workflows/update-browserslist.yaml b/.github/workflows/update-browserslist.yaml
index 4c49d21a..3cb7341b 100644
--- a/.github/workflows/update-browserslist.yaml
+++ b/.github/workflows/update-browserslist.yaml
@@ -13,13 +13,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out source code
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
 - name: Update browserslist
 run: ./bin/update-browsers.sh
 - name: Create pull request
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
 with:
 branch: update-browserslist
 commit-message: "Update browser regex from browserslist"
From be3c062685518df7e0e3af79bb5a60a0f8bd3dc2 Mon Sep 17 00:00:00 2001
From: Chuck Adams
Date: Mon, 18 May 2026 08:48:28 -0600
Subject: [PATCH 3/6] add permissions where previously missing
Signed-off-by: Chuck Adams
---
 .github/workflows/bump-version.yml | 4 ++++
 .github/workflows/playground-to-pr.yml | 3 +++
 2 files changed, 7 insertions(+)
diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
index b3a2f932..413854f3 100644
--- a/.github/workflows/bump-version.yml
+++ b/.github/workflows/bump-version.yml
@@ -11,6 +11,10 @@ on:
 jobs:
 log-the-inputs:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+
 steps:
 - name: Check out source code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
diff --git a/.github/workflows/playground-to-pr.yml b/.github/workflows/playground-to-pr.yml
index e422ddee..1d03337b 100644
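Review bot: The added `permissions:` block scopes only the `log-the-inputs` job; whether any other job in this workflow, or the workflow as a whole, still inherits the repository's default token permissions cannot be seen from the hunk. Adding a top-level `permissions: contents: read` (or `permissions: {}`) and keeping the job-level `contents: write` / `pull-requests: write` makes the least-privilege floor explicit regardless of the repository setting. The visible grant itself matches what a checkout, commit and open-PR job needs.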
--- a/.github/workflows/playground-to-pr.yml
+++ b/.github/workflows/playground-to-pr.yml
@@ -4,6 +4,9 @@ on:
 pull_request_target:
 types: [opened]
+permissions:
+ contents: read
+
 jobs:
 add-comment-with-link:
 runs-on: ubuntu-latest
From 030eb609de7df9a9eda9f2936040438281b49fc1 Mon Sep 17 00:00:00 2001
From: Chuck Adams
Date: Mon, 18 May 2026 08:54:10 -0600
Subject: [PATCH 4/6] add persist-credentials to all checkout steps
Signed-off-by: Chuck Adams
---
 .github/workflows/bump-version.yml | 2 ++
 .github/workflows/coding-standards.yml | 2 ++
 .github/workflows/generate-missing-i18n-files-pr.yml | 2 ++
 .github/workflows/generate-pot-pr.yml | 2 ++
 .github/workflows/phpunit-tests.yml | 2 ++
 .github/workflows/publish-fair.yml | 1 +
 .github/workflows/releases.yml | 2 ++
 .github/workflows/update-browserslist.yaml | 2 ++
 8 files changed, 15 insertions(+)
diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
index 413854f3..ddc02099 100644
--- a/.github/workflows/bump-version.yml
+++ b/.github/workflows/bump-version.yml
@@ -18,6 +18,8 @@ jobs:
 steps:
 - name: Check out source code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+ with:
+ persist-credentials: true # needed to create PR
 - name: Bump version
 run: |
diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml
index 3dbe891e..f1ca52f2 100644
--- a/.github/workflows/coding-standards.yml
+++ b/.github/workflows/coding-standards.yml
@@ -28,6 +28,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+ with:
+ persist-credentials: false
 - name: Setup cache
 uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
diff --git a/.github/workflows/generate-missing-i18n-files-pr.yml b/.github/workflows/generate-missing-i18n-files-pr.yml
index fae9dd8f..18986185 100644
--- a/.github/workflows/generate-missing-i18n-files-pr.yml
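Review bot: The top-level `permissions: contents: read` is the right floor for a `pull_request_target: types: [opened]` workflow, since that event runs in the base repository's context, with its token and secrets, for pull requests from forks. What keeps that safe is also that nothing in the job checks out or executes code from the PR head; the job's steps lie outside this hunk, so that should be confirmed for the whole file. A comment above the block would record the constraint for later edits, e.g. `# pull_request_target runs with the base-repo token: keep this read-only and do not check out the PR head`.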
+++ b/.github/workflows/generate-missing-i18n-files-pr.yml
@@ -21,6 +21,8 @@ jobs:
 steps:
 - name: Check out source code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+ with:
+ persist-credentials: true # needed to create PR
 - name: Set up PHP environment
 uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
diff --git a/.github/workflows/generate-pot-pr.yml b/.github/workflows/generate-pot-pr.yml
index a2a1933e..7b467275 100644
--- a/.github/workflows/generate-pot-pr.yml
+++ b/.github/workflows/generate-pot-pr.yml
@@ -19,6 +19,8 @@ jobs:
 steps:
 - name: Check out source code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+ with:
+ persist-credentials: true # needed to create PR
 - name: Set up PHP environment
 uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
diff --git a/.github/workflows/phpunit-tests.yml b/.github/workflows/phpunit-tests.yml
index 5e3efc8f..18b1b0a3 100644
--- a/.github/workflows/phpunit-tests.yml
+++ b/.github/workflows/phpunit-tests.yml
@@ -75,6 +75,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+ with:
+ persist-credentials: false
 - name: Setup MySQL with mysql_native_password
 uses: shogo82148/actions-setup-mysql@9c42ca180d5f1dd4dceb54c23c5eda0384f4d265 # v1.50.0
diff --git a/.github/workflows/publish-fair.yml b/.github/workflows/publish-fair.yml
index bbbfc797..06de3a89 100644
--- a/.github/workflows/publish-fair.yml
+++ b/.github/workflows/publish-fair.yml
@@ -23,6 +23,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Get tag
 id: tag
diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml
index cb00eb4e..4153223d 100644
--- a/.github/workflows/releases.yml
+++ b/.github/workflows/releases.yml
@@ -16,6 +16,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+ with:
+ persist-credentials: false
 - name: Set up PHP
 uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
diff --git a/.github/workflows/update-browserslist.yaml b/.github/workflows/update-browserslist.yaml
index 3cb7341b..d0375de0 100644
--- a/.github/workflows/update-browserslist.yaml
+++ b/.github/workflows/update-browserslist.yaml
@@ -14,6 +14,8 @@ jobs:
 steps:
 - name: Check out source code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+ with:
+ persist-credentials: true # needed to create PR
 - name: Update browserslist
 run: ./bin/update-browsers.sh
From 68be6572dcb8c3a33b34b08f8c6eba544e785855 Mon Sep 17 00:00:00 2001
From: Chuck Adams
Date: Mon, 18 May 2026 08:56:30 -0600
Subject: [PATCH 5/6] give playground action write access to issues
Signed-off-by: Chuck Adams
---
 .github/workflows/playground-to-pr.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/playground-to-pr.yml b/.github/workflows/playground-to-pr.yml
index 1d03337b..b04b530d 100644
--- a/.github/workflows/playground-to-pr.yml
+++ b/.github/workflows/playground-to-pr.yml
@@ -6,6 +6,7 @@ on:
 permissions:
 contents: read
+ issues: write
 jobs:
 add-comment-with-link:
From 21e97414d6a49b2af7e584afe8731f4c47575f30 Mon Sep 17 00:00:00 2001
From: Chuck Adams
Date: Mon, 18 May 2026 10:15:28 -0600
Subject: [PATCH 6/6] use persist-credentials: true only where needed
Signed-off-by: Chuck Adams
---
 .github/workflows/bump-version.yml | 3 ++-
 .github/workflows/generate-missing-i18n-files-pr.yml | 2 +-
 .github/workflows/generate-pot-pr.yml | 2 +-
 .github/workflows/update-browserslist.yaml | 3 ++-
 4 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
index ddc02099..b91ffa2f 100644
--- a/.github/workflows/bump-version.yml
+++ b/.github/workflows/bump-version.yml
@@ -19,7 +19,7 @@ jobs:
 - name: Check out source code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
 with:
- persist-credentials: true # needed to create PR
+ persist-credentials: false
 - name: Bump version
 run: |
@@ -33,6 +33,7 @@ jobs:
 env:
 VERSION: ${{ inputs.version }}
+ # TODO: use `gh pr new` instead
 - name: Create pull request
 uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
 with:
diff --git a/.github/workflows/generate-missing-i18n-files-pr.yml b/.github/workflows/generate-missing-i18n-files-pr.yml
index 18986185..c34ab726 100644
--- a/.github/workflows/generate-missing-i18n-files-pr.yml
+++ b/.github/workflows/generate-missing-i18n-files-pr.yml
@@ -22,7 +22,7 @@ jobs:
 - name: Check out source code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
 with:
- persist-credentials: true # needed to create PR
+ persist-credentials: true # git cli needs this
 - name: Set up PHP environment
 uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
diff --git a/.github/workflows/generate-pot-pr.yml b/.github/workflows/generate-pot-pr.yml
index 7b467275..86fa62de 100644
--- a/.github/workflows/generate-pot-pr.yml
+++ b/.github/workflows/generate-pot-pr.yml
@@ -20,7 +20,7 @@ jobs:
 - name: Check out source code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
 with:
- persist-credentials: true # needed to create PR
+ persist-credentials: true # git cli needs this
 - name: Set up PHP environment
 uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
diff --git a/.github/workflows/update-browserslist.yaml b/.github/workflows/update-browserslist.yaml
index d0375de0..4340ac44 100644
--- a/.github/workflows/update-browserslist.yaml
+++ b/.github/workflows/update-browserslist.yaml
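Review bot: `persist-credentials: false` on this checkout is only safe for the job because the later `peter-evans/create-pull-request` step authenticates with its own `token` input rather than with the credentials the checkout would have stored; that dependency is written down nowhere in the hunk, and the bare `false` replaces a comment that at least explained the earlier choice. A comment such as `persist-credentials: false # create-pull-request pushes with its own token input` keeps the next editor from flipping it back when a push fails for an unrelated reason. The same applies to the update-browserslist.yaml hunk at the end of this series. The `# TODO` about moving to the gh CLI would, if acted on, need a `GH_TOKEN` in that step's `env:`, not persisted git credentials, so the `false` would still hold.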
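Review bot: `persist-credentials: true # git cli needs this` explains less than the comment it replaces: what needs the persisted token is presumably a later `git push` (outside this hunk), and the cost is that the token sits in `.git/config` for every intermediate step of the job, so setup-php, setup-wp-cli and anything else that runs between checkout and the push can read it. A comment that states both sides records the trade-off, e.g. `persist-credentials: true # token stays in .git/config for the later git push; readable by every following step`. The alternative with a smaller window is to keep this `false` and hand the job's `GITHUB_TOKEN` only to the step that pushes, which is the direction the TODO in the other two files already points. The generate-pot-pr.yml hunk below is identical.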
@@ -15,11 +15,12 @@ jobs:
 - name: Check out source code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
 with:
- persist-credentials: true # needed to create PR
+ persist-credentials: false
 - name: Update browserslist
 run: ./bin/update-browsers.sh
+ # TODO: use `gh pr new` instead
 - name: Create pull request
 uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
 with: