Build/Test Tools: Improve the security and correctness of the GitHub Actions workflows files.

This includes removing use of dangerous inline GitHub Actions expressions, preventing word splitting, further tightening permissions, and generally improving many aspects of the workflows.

This also introduces a new workflow that runs Actionlint to detect incorrect and insecure code and configuration in workflow files.

Props johnbillion, swissspidy, flixos90, desrosj.

See #62221


git-svn-id: https://develop.svn.wordpress.org/trunk@59679 602fd350-edb4-49c9-b593-d223f7449a82

Author: johnbillion

.github/workflows/coding-standards.yml

@@ -107,6 +107,6 @@ jobs:
               workflow_id: 'failed-workflow.yml',
               ref: 'trunk',
               inputs: {
-                run_id: '${{ github.run_id }}'
+                run_id: context.runId,
               }
             });

.github/workflows/end-to-end-tests.yml

@@ -93,6 +93,6 @@ jobs:
               workflow_id: 'failed-workflow.yml',
               ref: 'trunk',
               inputs: {
-                run_id: '${{ github.run_id }}'
+                run_id: context.runId,
               }
             });

.github/workflows/failed-workflow.yml

@@ -38,7 +38,7 @@ jobs:
             const workflow_run = await github.rest.actions.getWorkflowRun({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              run_id: ${{ inputs.run_id }},
+              run_id: process.env.RUN_ID,
             });
 
             // Only rerun after the first run attempt.
@@ -49,6 +49,8 @@ jobs:
             const rerun = await github.rest.actions.reRunWorkflowFailedJobs({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              run_id: ${{ inputs.run_id }},
+              run_id: process.env.RUN_ID,
               enable_debug_logging: true
             });
+        env:
+          RUN_ID: ${{ inputs.run_id }}

.github/workflows/install-testing.yml

@@ -119,16 +119,20 @@ jobs:
         with:
           php-version: '${{ matrix.php }}'
           coverage: none
-          tools: wp-cli${{ contains( fromJSON('["5.4", "5.5"]'), matrix.php ) && ':2.4.0' || '' }}
+          tools: ${{ contains( fromJSON('["5.4", "5.5"]'), matrix.php ) && 'wp-cli:2.4.0' || 'wp-cli' }}
 
       - name: Download WordPress
-        run: wp core download ${{ inputs.wp-version && format( '--version={0}', inputs.wp-version ) || '--version=nightly' }}
+        run: wp core download --version="${WP_VERSION}"
+        env:
+          WP_VERSION: ${{ inputs.wp-version || 'nightly' }}
 
       - name: Create wp-config.php file
-        run: wp config create --dbname=test_db --dbuser=root --dbpass=root --dbhost=127.0.0.1:${{ job.services.database.ports['3306'] }}
+        run: wp config create --dbname=test_db --dbuser=root --dbpass=root --dbhost="127.0.0.1:${DB_PORT}"
+        env:
+          DB_PORT: ${{ job.services.database.ports['3306'] }}
 
       - name: Install WordPress
-        run: wp core ${{ matrix.multisite && 'multisite-' || '' }}install --url=http://localhost/ --title="Upgrade Test" --admin_user=admin --admin_password=password [email protected] --skip-email
+        run: wp core ${{ matrix.multisite && 'multisite-install' || 'install' }} --url=http://localhost/ --title="Upgrade Test" --admin_user=admin --admin_password=password [email protected] --skip-email
 
   slack-notifications:
     name: Slack Notifications
@@ -175,6 +179,6 @@ jobs:
               workflow_id: 'failed-workflow.yml',
               ref: 'trunk',
               inputs: {
-                run_id: '${{ github.run_id }}'
+                run_id: context.runId,
               }
             });

.github/workflows/javascript-tests.yml

@@ -97,6 +97,6 @@ jobs:
               workflow_id: 'failed-workflow.yml',
               ref: 'trunk',
               inputs: {
-                run_id: '${{ github.run_id }}'
+                run_id: context.runId,
               }
             });

.github/workflows/local-docker-environment.yml

@@ -104,7 +104,6 @@ jobs:
       db-type: 'mysql'
       db-version: ${{ matrix.db-version }}
       memcached: ${{ matrix.memcached }}
-      tests-domain: ${{ matrix.tests-domain }}
 
   slack-notifications:
     name: Slack Notifications
@@ -151,6 +150,6 @@ jobs:
               workflow_id: 'failed-workflow.yml',
               ref: 'trunk',
               inputs: {
-                run_id: '${{ github.run_id }}'
+                run_id: context.runId,
               }
             });

.github/workflows/performance.yml

@@ -93,6 +93,6 @@ jobs:
               workflow_id: 'failed-workflow.yml',
               ref: 'trunk',
               inputs: {
-                run_id: '${{ github.run_id }}'
+                run_id: context.runId,
               }
             });

.github/workflows/php-compatibility.yml

@@ -94,6 +94,6 @@ jobs:
               workflow_id: 'failed-workflow.yml',
               ref: 'trunk',
               inputs: {
-                run_id: '${{ github.run_id }}'
+                run_id: context.runId,
               }
             });

.github/workflows/phpunit-tests.yml

@@ -144,7 +144,7 @@ jobs:
       multisite: ${{ matrix.multisite }}
       memcached: ${{ matrix.memcached }}
       phpunit-config: ${{ matrix.multisite && 'tests/phpunit/multisite.xml' || 'phpunit.xml.dist' }}
-      report: ${{ matrix.report || false }}
+      report: ${{ false }}
 
   #
   # Creates PHPUnit test jobs to test MariaDB and MySQL innovation releases.
@@ -193,7 +193,7 @@ jobs:
       multisite: ${{ matrix.multisite }}
       memcached: ${{ matrix.memcached }}
       phpunit-config: ${{ matrix.multisite && 'tests/phpunit/multisite.xml' || 'phpunit.xml.dist' }}
-      report: ${{ matrix.report || false }}
+      report: ${{ false }}
 
   #
   # Runs specific individual test groups.
@@ -263,6 +263,6 @@ jobs:
               workflow_id: 'failed-workflow.yml',
               ref: 'trunk',
               inputs: {
-                run_id: '${{ github.run_id }}'
+                run_id: context.runId,
               }
             });

.github/workflows/props-bot.yml

@@ -85,6 +85,8 @@ jobs:
             github.rest.issues.removeLabel({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              issue_number: '${{ github.event.number }}',
+              issue_number: process.env.ISSUE_NUMBER,
               name: 'props-bot'
             });
+        env:
+          ISSUE_NUMBER: ${{ github.event.number }}