Merge branch 'master' into v4.21.0

Author: kagg-design

.github/workflows/ci.yml

@@ -7,7 +7,7 @@ permissions:
   contents: read
 
 concurrency:
-  group: ${{ github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
 jobs:
@@ -31,6 +31,10 @@ jobs:
       WP_ADMIN_PASSWORD: admin
       WP_ADMIN_EMAIL: admin@test.test
 
+    if: |
+      github.event_name == 'push' ||
+      (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true)
+
     runs-on: ${{ matrix.os }}
 
     name: PHP ${{ matrix.php-version }} on ${{ matrix.os }}
@@ -71,8 +75,12 @@ jobs:
           yarn lint
 
       - name: Install WP CLI
+        # Security: 1. Ensure wp-cli integrity via checksum.
         run: |
-          curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
+          WPCLI_VERSION=2.12.0
+          curl -fsSL -o wp-cli.phar "https://github.com/wp-cli/wp-cli/releases/download/v${WPCLI_VERSION}/wp-cli-${WPCLI_VERSION}.phar"
+          curl -fsSL -o wp-cli.phar.sha256 "https://github.com/wp-cli/wp-cli/releases/download/v${WPCLI_VERSION}/wp-cli-${WPCLI_VERSION}.phar.sha256"
+          echo "$(cat wp-cli.phar.sha256)  wp-cli.phar" | sha256sum -c -
           chmod +x wp-cli.phar
           mkdir -p wp-cli
           sudo mv wp-cli.phar wp-cli/wp

.github/workflows/deploy-readme-assets-to-wp-org.yml

@@ -3,6 +3,9 @@ on:
   push:
     branches:
       - trunk
+permissions:
+  actions: read
+  contents: read
 jobs:
   trunk:
     name: Push to trunk

.github/workflows/deploy-to-wp-org.yml

@@ -2,12 +2,18 @@ name: Deploy to WordPress.org
 on:
   release:
     types: [published]
+permissions:
+  actions: read
+  contents: write
 jobs:
   tag:
     name: New release
 
     runs-on: ubuntu-latest
 
+    # Security: 1. Check if user is authorized.
+    if: contains(fromJson('["kagg-design", "e271828-"]'), github.actor)
+
     env:
       SLUG: "hcaptcha-for-forms-and-more"