#62221 GitHub Actions workflow hardening

[johnbillion]

What this does:

• Removes all usage of inline GitHub Actions expressions in scripts, either replacing them with environment variables or refactoring the affected code. Actions expressions are not safe to use inline inside scripts.
• Addresses all instances of missing quotes around variables in scripts to prevent word splitting.
• Adds some missing permissions: {} declarations to workflows and jobs.
• Introduces Actionlint for static analysis of workflow files. It detects syntax errors, semantic errors with expressions, inputs, outputs, and secrets, and includes several security checks.
• Fixes a few issues detected by Actionlint that don't relate to security, for example references to non-existent matrix values and inputs.
• Standardises on using maps for the environment properties in docker-compose.yml.
• Refactors and reformats a few areas of code for legibility and clarity.

Notes

This PR previously included additional static analysis of workflow files using Octoscan, Zizmor, and Poutine, but I've removed these and I'll be proposing them separately at a later date.

---

Trac ticket: https://core.trac.wordpress.org/ticket/62221

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props johnbillion, swissspidy, flixos90, desrosj.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[felixarntz]

@johnbillion Based on my limited GH Actions knowledge, this looks reasonable to me.

Since it covers all the different workflows, I think we need to do some extra post-commit verification though. Obviously all workflows should pass, but there are other aspects that we also need to test that wouldn't cause a workflow to fail - such as ensuring the performance data for each commit is still sent to the Code Vitals dashboard as expected.

[felixarntz]

This was just recently modified to fix a problem in https://core.trac.wordpress.org/changeset/59582. Your change looks right, but let's double-check that the commit data is still sent correctly after this has been committed to Core.

[felixarntz]

I'm not quite familiar with how this permissions element works in GH Actions. Makes sense that it's an empty default for security. But I'm curious, for what kind of steps or jobs would one need to override this?

[swissspidy]

Typically for any write action, like pushing changes to the repository or writing PR comments or changing labels.

By disabling that by default if not needed, this reduces risk of privilege escalation, where for example one can suddenly push changes to a repository through a workflow.

[desrosj]

There are some really fine-grained permissions available, so there's a good number of possibilities.

We also use contents: read permissions for the Slack notifications workflow so that the steps can read previous workflow runs and determine which message to send to Slack.

[desrosj]

Thanks for this, @johnbillion! Looks really great. I left mostly questions, some inline documentation additions, and a few suggestions. Feel free to commit after going through them!

[desrosj]

Do you know if this get picked up by Dependabot as currently configured? It's not clear in the docs.

[johnbillion]

Unclear. I'll add it to a list of a few things I've got to follow up on.

[johnbillion]

Committed in: https://core.trac.wordpress.org/changeset/59679

Follow-up commit: https://core.trac.wordpress.org/changeset/59681