Tighten permissions. (#439)

kagg-design · hCaptcha GHA · web-flow · commit 0c7570591cc9 · 2025-12-03T06:46:31.000-05:00
* Tighten permissions.

* Update ci.yml.

* Update create-zip.yml.

* Ensure wp-cli integrity via checksum.

* Do not run CI on internal PRs.

* Fix tests for running with WP 6.9.

* Fix weird cron bug in tests with WP 6.9.

* Update changelog from readme.txt

* Revert test changes in readme.txt and changelog.txt.

* Check if the user is authorized in the deploy action.

---------

Co-authored-by: hCaptcha GHA &lt;gha@hcaptcha.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,7 +1,13 @@
 name: hCaptcha CI
 on: [ push, pull_request ]
+
+# 1. SECURITY: Default to read-only permissions for the workflow
+permissions:
+  actions: read
+  contents: read
+
 concurrency:
-  group: ${{ github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
 jobs:
@@ -25,6 +31,10 @@ jobs:
       WP_ADMIN_PASSWORD: admin
       WP_ADMIN_EMAIL: admin@test.test
 
+    if: |
+      github.event_name == 'push' ||
+      (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true)
+
     runs-on: ${{ matrix.os }}
 
     name: PHP ${{ matrix.php-version }} on ${{ matrix.os }}
@@ -35,10 +45,8 @@ jobs:
         with:
           path: ${{ env.wp-plugin-directory }}
 
-      - name: Update changelog
-        if: ${{ matrix.php-version == '8.4' }}
-        working-directory: ${{ env.wp-plugin-directory }}
-        run: .github/scripts/update-changelog.sh
+      # MOVED: The "Update changelog" step has been moved to the specific job below
+      # to prevent giving 'contents: write' permissions to this testing job.
 
       - name: Setup PHP
         uses: hCaptcha/setup-php@42a9487ddd45db247decea2acf7de871a8178226
@@ -67,8 +75,12 @@ jobs:
           yarn lint
 
       - name: Install WP CLI
+        # Security: 1. Ensure wp-cli integrity via checksum.
         run: |
-          curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
+          WPCLI_VERSION=2.12.0
+          curl -fsSL -o wp-cli.phar "https://github.com/wp-cli/wp-cli/releases/download/v${WPCLI_VERSION}/wp-cli-${WPCLI_VERSION}.phar"
+          curl -fsSL -o wp-cli.phar.sha256 "https://github.com/wp-cli/wp-cli/releases/download/v${WPCLI_VERSION}/wp-cli-${WPCLI_VERSION}.phar.sha256"
+          echo "$(cat wp-cli.phar.sha256)  wp-cli.phar" | sha256sum -c -
           chmod +x wp-cli.phar
           mkdir -p wp-cli
           sudo mv wp-cli.phar wp-cli/wp
@@ -115,3 +127,30 @@ jobs:
         if: ${{ matrix.php-version == '8.4' }}
         working-directory: ${{ env.wp-plugin-directory }}
         run: yarn jest
+
+  update_changelog:
+    name: Update Changelog
+    runs-on: ubuntu-latest
+
+    # 2. SECURITY: Only run on PUSH, never on Pull Requests
+    if: github.event_name == 'push'
+    needs: cs_and_tests
+
+    # 3. SECURITY: Grant write permission ONLY to this job
+    permissions:
+      contents: write
+
+    env:
+      wp-plugin-directory: wordpress/wp-content/plugins/hcaptcha-wordpress-plugin
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          path: ${{ env.wp-plugin-directory }}
+          # Check out the branch ref to ensure we can push back to it
+          ref: ${{ github.ref }}
+
+      - name: Update changelog
+        working-directory: ${{ env.wp-plugin-directory }}
+        run: .github/scripts/update-changelog.sh
diff --git a/.github/workflows/create-zip.yml b/.github/workflows/create-zip.yml
@@ -1,19 +1,22 @@
-name: Create zip file
+name: Create zip
 
 on:
   push:
   workflow_dispatch:
 
 permissions:
+  actions: read
   contents: write
 
 jobs:
   build-zip:
     name: New zip file
     runs-on: ubuntu-latest
 
-    if: >
-      (github.event_name == 'workflow_dispatch' || contains(github.event.head_commit.message, '[zip]'))
+    # Security: 1. Check for [zip] tag. 2. Check if user is authorized.
+    if: |
+      (github.event_name == 'workflow_dispatch' || contains(github.event.head_commit.message, '[zip]')) &&
+      contains(fromJson('["kagg-design", "e271828-"]'), github.actor)
 
     env:
       SLUG: "hcaptcha-for-forms-and-more"
diff --git a/.github/workflows/deploy-readme-assets-to-wp-org.yml b/.github/workflows/deploy-readme-assets-to-wp-org.yml
@@ -3,6 +3,9 @@ on:
   push:
     branches:
       - trunk
+permissions:
+  actions: read
+  contents: read
 jobs:
   trunk:
     name: Push to trunk
diff --git a/.github/workflows/deploy-to-wp-org.yml b/.github/workflows/deploy-to-wp-org.yml
@@ -2,12 +2,18 @@ name: Deploy to WordPress.org
 on:
   release:
     types: [published]
+permissions:
+  actions: read
+  contents: write
 jobs:
   tag:
     name: New release
 
     runs-on: ubuntu-latest
 
+    # Security: 1. Check if user is authorized.
+    if: contains(fromJson('["kagg-design", "e271828-"]'), github.actor)
+
     env:
       SLUG: "hcaptcha-for-forms-and-more"
 
diff --git a/tests/php/integration/Admin/NotificationsTest.php b/tests/php/integration/Admin/NotificationsTest.php
@@ -670,7 +670,7 @@ public function test_admin_enqueue_scripts(): void {
 		$expected_extra = [
 			'group' => 1,
 			// phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
-			'data'  => 'var HCaptchaNotificationsObject = ' . json_encode( $params ) . ';',
+			'data'  => 'var HCaptchaNotificationsObject = ' . json_encode( $params, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ';',
 		];
 
 		$subject = new Notifications();
diff --git a/tests/php/integration/Admin/WhatsNewTest.php b/tests/php/integration/Admin/WhatsNewTest.php
@@ -99,7 +99,7 @@ public function test_enqueue_assets(): void {
 		$expected_extra = [
 			'group' => 1,
 			// phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
-			'data'  => 'var HCaptchaWhatsNewObject = ' . json_encode( $params ) . ';',
+			'data'  => 'var HCaptchaWhatsNewObject = ' . json_encode( $params, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ';',
 		];
 
 		$subject = new WhatsNew();
diff --git a/tests/php/integration/FluentForm/FormTest.php b/tests/php/integration/FluentForm/FormTest.php
@@ -531,6 +531,7 @@ public function test_print_footer_scripts(): void {
 <script type="text/javascript" id="$fluent_forms_conversational_script-js-extra">
 /* <![CDATA[ */
 var $fluent_forms_conversational_object = $fluent_forms_conversational_json;
+//# sourceURL=fluent_forms_conversational_form-js-extra
 /* ]]> */
 </script>
 HTML;
@@ -550,7 +551,7 @@ public function test_print_footer_scripts(): void {
 		$expected_extra = [
 			'group' => 1,
 			// phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
-			'data'  => 'var HCaptchaFluentFormObject = ' . json_encode( $params ) . ';',
+			'data'  => 'var HCaptchaFluentFormObject = ' . json_encode( $params, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ';',
 		];
 		$args           = [
 			'action' => 'hcaptcha_fluentform',
@@ -593,7 +594,7 @@ public function test_admin_enqueue_scripts(): void {
 		$expected_extra = [
 			'group' => 1,
 			// phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
-			'data'  => 'var HCaptchaFluentFormObject = ' . json_encode( $params ) . ';',
+			'data'  => 'var HCaptchaFluentFormObject = ' . json_encode( $params, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ';',
 		];
 
 		$subject = Mockery::mock( Form::class )->makePartial();
diff --git a/tests/php/integration/Formidable/FormTest.php b/tests/php/integration/Formidable/FormTest.php
@@ -273,7 +273,7 @@ public function test_admin_enqueue_scripts(): void {
 		$expected_extra = [
 			'group' => 1,
 			// phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
-			'data'  => 'var HCaptchaFormidableFormsObject = ' . json_encode( $params ) . ';',
+			'data'  => 'var HCaptchaFormidableFormsObject = ' . json_encode( $params, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ';',
 		];
 
 		$subject = Mockery::mock( Form::class )->makePartial();
diff --git a/tests/php/integration/Forminator/FormTest.php b/tests/php/integration/Forminator/FormTest.php
@@ -261,7 +261,7 @@ public function test_admin_enqueue_scripts(): void {
 		$expected_extra = [
 			'group' => 1,
 			// phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
-			'data'  => 'var HCaptchaForminatorObject = ' . json_encode( $params ) . ';',
+			'data'  => 'var HCaptchaForminatorObject = ' . json_encode( $params, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ';',
 		];
 
 		$subject = Mockery::mock( Form::class )->makePartial();
diff --git a/tests/php/integration/GravityForms/FieldTest.php b/tests/php/integration/GravityForms/FieldTest.php
@@ -317,7 +317,7 @@ public function test_enqueue_admin_script(): void {
 		$expected_extra = [
 			'group' => 1,
 			// phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
-			'data'  => 'var HCaptchaGravityFormsObject = ' . json_encode( $params ) . ';',
+			'data'  => 'var HCaptchaGravityFormsObject = ' . json_encode( $params, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ';',
 		];
 
 		self::assertFalse( wp_script_is( Field::ADMIN_HANDLE ) );
diff --git a/tests/php/integration/HCaptchaWPTestCase.php b/tests/php/integration/HCaptchaWPTestCase.php
@@ -64,7 +64,7 @@ static function ( $form_fields, $instance ) {
 	 */
 	public function tearDown(): void {
 		// phpcs:ignore WordPress.Security.NonceVerification.Missing
-		unset( $_POST, $_SERVER['REQUEST_URI'], $_SERVER['HTTP_CLIENT_IP'] );
+		unset( $_POST, $_SERVER['HTTP_CLIENT_IP'] );
 
 		delete_option( 'hcaptcha_settings' );
 		hcaptcha()->init_hooks();
diff --git a/tests/php/integration/Jetpack/BaseTest.php b/tests/php/integration/Jetpack/BaseTest.php
@@ -245,7 +245,7 @@ public function test_editor_enqueue_scripts(): void {
 		$expected_extra = [
 			'group' => 1,
 			// phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
-			'data'  => 'var HCaptchaJetpackObject = ' . json_encode( $params ) . ';',
+			'data'  => 'var HCaptchaJetpackObject = ' . json_encode( $params, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ';',
 		];
 
 		$subject = new Form();
diff --git a/tests/php/integration/Mailchimp/FormTest.php b/tests/php/integration/Mailchimp/FormTest.php
@@ -244,7 +244,7 @@ public function test_preview_scripts(): void {
 		$expected_extra = [
 			'group' => 1,
 			// phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
-			'data'  => 'var HCaptchaMailchimpObject = ' . json_encode( $params ) . ';',
+			'data'  => 'var HCaptchaMailchimpObject = ' . json_encode( $params, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ';',
 		];
 
 		$subject = Mockery::mock( Form::class )->makePartial();
diff --git a/tests/php/integration/ProtectContent/ProtectContentTest.php b/tests/php/integration/ProtectContent/ProtectContentTest.php
@@ -349,10 +349,11 @@ function scrollHandler(){if(!scrolled){scrolled=!0;return}
 document.addEventListener('hCaptchaBeforeAPI',function(){const delay=-100;if(delay>=0){timerId=setTimeout(load,delay)}
 const options={passive:!0};window.addEventListener('touchstart',load,options);document.body.addEventListener('mouseenter',load);document.body.addEventListener('click',load);window.addEventListener('keydown',load);window.addEventListener('scroll',scrollHandler,options)})})()
 </script>
-<script type="text/javascript" src="http://test.test/wp-includes/js/dist/hooks.min.js?ver=4d63a3d491d11ffd8ac6" id="wp-hooks-js"></script>
+<script type="text/javascript" src="http://test.test/wp-includes/js/dist/hooks.min.js?ver=dd5603f07f9220ed27f1" id="wp-hooks-js"></script>
 <script type="text/javascript" id="hcaptcha-js-extra">
 /* <![CDATA[ */
 var HCaptchaMainObject = {"params":"{\"sitekey\":\"10000000-ffff-ffff-ffff-000000000001\",\"theme\":\"\",\"size\":\"\",\"hl\":\"en\"}"};
+//# sourceURL=hcaptcha-js-extra
 /* ]]> */
 </script>
 <script type="text/javascript" src="http://test.test/wp-content/plugins/hcaptcha-wordpress-plugin/assets/js/apps/hcaptcha.js?ver=$current_version" id="hcaptcha-js"></script>
