Merge pull request #867 from Automattic/security/harden-github-workflows

Author: GaryJones

.distignore

@@ -1,22 +1,47 @@
 # Directories
 /.git/
 /.github/
+/.claude/
+/.phpunit.cache/
+/artifacts/
 /bin/
+/dist/
+/documentation/
 /node_modules/
 /tests/
 /vendor/
 
-# Files
+# Development configuration
 .distignore
 .editorconfig
 .gitattributes
 .gitignore
+.nvmrc
 .phpcs.xml.dist
+.prettierignore
+.prettierrc
+.svnignore
 .wp-env.json
 .wp-env.override.json
-CHANGELOG.md
+
+# Build tooling
+babel.config.js
+eslint.config.js
+jest.config.js
+playwright.config.js
+webpack.config.js
+
+# Package management
 composer.json
 composer.lock
 package.json
 package-lock.json
+
+# Documentation (not needed in plugin distribution)
+CHANGELOG.md
+CONTRIBUTING.md
+PUBLISHING.md
+SECURITY.md
+
+# Test configuration
 phpunit.xml.dist

.github/workflows/deploy.yml

@@ -0,0 +1,57 @@
+name: Deploy to WordPress.org
+
+on:
+  release:
+    types: [released]
+  workflow_dispatch:
+
+# Workflow-level permissions set to none; jobs declare their own minimal permissions
+permissions: {}
+
+jobs:
+  release:
+    name: Deploy to WordPress.org
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write # Required to upload release assets to the GitHub release
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Set up Node.js
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        with:
+          node-version: '20'
+          # Disabled to prevent cache poisoning in release workflows
+          package-manager-cache: false
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build assets
+        run: npm run build
+
+      - name: Install SVN
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y subversion
+
+      - name: Deploy to WordPress.org
+        uses: 10up/action-wordpress-plugin-deploy@54bd289b8525fd23a5c365ec369185f2966529c2 # v2.3.0
+        with:
+          generate-zip: true
+        env:
+          SLUG: edit-flow
+          SVN_USERNAME: ${{ secrets.SVN_USERNAME }}
+          SVN_PASSWORD: ${{ secrets.SVN_PASSWORD }}
+
+      - name: Upload release asset
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        with:
+          files: ${{ github.workspace }}/${{ github.event.repository.name }}.zip
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/php-lint.yml

@@ -23,12 +23,12 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # 2.32.0
+        uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
         with:
           php-version: '8.2'
           tools: composer, cs2pr

.gitignore

@@ -4,6 +4,8 @@ wordpress
 vendor
 composer.lock
 build/
+dist/
+**/lib/dist/
 
 # Test files
 .phpunit.cache/