From 55312b7c6e14cc32a85860a055fa9803fd961783 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Tue, 12 May 2026 18:45:04 +0100
Subject: [PATCH 1/5] No need for this job to have write access to contents.
---
 .github/workflows/commit-built-file-changes.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/commit-built-file-changes.yml b/.github/workflows/commit-built-file-changes.yml
index b6ba9935ba675..771be1f49772e 100644
--- a/.github/workflows/commit-built-file-changes.yml
+++ b/.github/workflows/commit-built-file-changes.yml
@@ -40,7 +40,9 @@ jobs:
 if: ${{ github.repository == 'wordpress/wordpress-develop' }}
 timeout-minutes: 10
 permissions:
- contents: write
+ # The actual `git push` is authenticated via a dedicated GitHub App installation token
+ # generated below, so `GITHUB_TOKEN` only needs read access to the triggering workflow's artifacts.
+ actions: read # Required to list and download the artifact uploaded by the triggering workflow run.
 steps:
 - name: Download artifact
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
From 9761ddc41a9ea060dc364e0fd95232ef5c828021 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Tue, 12 May 2026 18:47:33 +0100
Subject: [PATCH 2/5] No need to do a dance with this value, just read it directly from its environment variable.
---
 .github/workflows/commit-built-file-changes.yml | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/commit-built-file-changes.yml b/.github/workflows/commit-built-file-changes.yml
index 771be1f49772e..e61e54f1bae2b 100644
--- a/.github/workflows/commit-built-file-changes.yml
+++ b/.github/workflows/commit-built-file-changes.yml
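Review bot: The job-level `permissions:` block in this hunk now lists only `actions: read`, which sets every other `GITHUB_TOKEN` scope for the job, `contents: read` included, to none, and the new comment does not say so. A maintainer who later adds a step that reads the repository with the default token would likely see it fail without an obvious cause, so extend the comment: `# Listing only actions: read here turns every other GITHUB_TOKEN scope off; later steps must not rely on the default token for repository contents.` The checkout step appears to pass its own App token (see the `token:` change later in this series), so this is a documentation point rather than a breakage. The collapsed text also does not show whether the inline `# Required ...` comment on the `actions: read` line is preceded by the two spaces yamllint's `comments` rule expects.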
@@ -95,18 +95,15 @@ jobs:
 GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }}
 GH_APP_PRIVATE_KEY: ${{ secrets.GH_PR_BUILT_FILES_PRIVATE_KEY }}
 run: |
- echo "$GH_APP_PRIVATE_KEY" > private-key.pem
-
 # Generate JWT
 JWT=$(python3 - <> "$GITHUB_ENV"
- rm -f private-key.pem
-
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 if: ${{ steps.artifact-check.outputs.exists == 'true' }}
From ffb5abd79b0d38ba5af0f37f8059661b76a1e9b6 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Tue, 12 May 2026 18:48:32 +0100
Subject: [PATCH 3/5] Read this directly from its environment variable too.
---
 .github/workflows/commit-built-file-changes.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/commit-built-file-changes.yml b/.github/workflows/commit-built-file-changes.yml
index e61e54f1bae2b..5d5993dd0caaa 100644
--- a/.github/workflows/commit-built-file-changes.yml
+++ b/.github/workflows/commit-built-file-changes.yml
@@ -101,7 +101,7 @@ jobs:
 payload = {
 "iat": int(time.time()),
 "exp": int(time.time()) + 600, # 10-minute expiration
- "iss": $GH_APP_ID
+ "iss": int(os.environ["GH_APP_ID"]),
 }
 print(jwt.encode(payload, os.environ["GH_APP_PRIVATE_KEY"], algorithm="RS256"))
 EOF
From 0ea4e1e1b26cab330021913a60fbbda053276a30 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Tue, 12 May 2026 18:49:22 +0100
Subject: [PATCH 4/5] Pass the access token to the next step using output instead of setting it to an environment variable that's accessible by subsequent steps.
---
 .github/workflows/commit-built-file-changes.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/commit-built-file-changes.yml b/.github/workflows/commit-built-file-changes.yml
index 5d5993dd0caaa..39b08d865f8bf 100644
--- a/.github/workflows/commit-built-file-changes.yml
+++ b/.github/workflows/commit-built-file-changes.yml
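Review bot: The JWT payload in the `@@ -101,7` hunk builds `iat` from `int(time.time())` and `exp` from `+ 600`, which is exactly the 10-minute maximum GitHub accepts, so a runner clock only a few seconds ahead of GitHub's makes the token request fail as expiring too far in the future; the new `iss` line is fine, but the payload around it carries no drift margin. GitHub's guidance is to back-date `iat` by 60 seconds, so hoist one timestamp and shorten the window: `now = int(time.time())`, `"iat": now - 60,`, `"exp": now + 540,  # under the 10-minute maximum even with clock drift`. The heredoc and the enclosing `run:` block begin and end outside the hunk.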
@@ -117,7 +117,7 @@ jobs:
 -H "Accept: application/vnd.github.v3+json" \
 "https://api.github.com/app/installations/$INSTALLATION_ID/access_tokens" | jq -r '.token')
- echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"
+ echo "access-token=$ACCESS_TOKEN" >> "$GITHUB_OUTPUT"
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -127,7 +127,7 @@ jobs:
 ref: ${{ github.event.workflow_run.head_branch }}
 path: 'pr-repo'
 show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
- token: ${{ env.ACCESS_TOKEN }}
+ token: ${{ steps.generate_token.outputs.access-token }}
 persist-credentials: true
 - name: Apply patch
From 2c942d56bea5e5843a4b89375bf0c3f3f037cd7e Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Tue, 12 May 2026 18:52:54 +0100
Subject: [PATCH 5/5] The app ID is not a secret.
---
 .github/workflows/commit-built-file-changes.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/commit-built-file-changes.yml b/.github/workflows/commit-built-file-changes.yml
index 39b08d865f8bf..8648db58da602 100644
--- a/.github/workflows/commit-built-file-changes.yml
+++ b/.github/workflows/commit-built-file-changes.yml
@@ -92,7 +92,7 @@ jobs:
 id: generate_token
 if: ${{ steps.artifact-check.outputs.exists == 'true' }}
 env:
- GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }}
+ GH_APP_ID: ${{ vars.GH_PR_BUILT_FILES_APP_ID }}
 GH_APP_PRIVATE_KEY: ${{ secrets.GH_PR_BUILT_FILES_PRIVATE_KEY }}
 run: |
 # Generate JWT
@@ -144,7 +144,7 @@ jobs:
 if: ${{ steps.artifact-check.outputs.exists == 'true' }}
 working-directory: 'pr-repo'
 env:
- GH_APP_ID: ${{ secrets.GH_PR_BUILT_FILES_APP_ID }}
+ GH_APP_ID: ${{ vars.GH_PR_BUILT_FILES_APP_ID }}
 run: |
 git config user.name "wordpress-develop-pr-bot[bot]"
 git config user.email "${GH_APP_ID}+wordpress-develop-pr-bot[bot]@users.noreply.github.com"
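Review bot: The installation token written to `$GITHUB_OUTPUT` in the added line of the `@@ -117,7` hunk is not masked — values placed in `GITHUB_ENV` or `GITHUB_OUTPUT` are not redacted from logs automatically — and the `jq -r '.token'` just above it prints the literal string `null` when the API response carries no token, so a failed request flows into the checkout step as a bogus credential instead of failing here. Reject an empty or `null` value and register the real one as a secret before exporting it: `[ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ] || { echo "::error::No installation access token was returned"; exit 1; }` followed by `echo "::add-mask::$ACCESS_TOKEN"` and then the existing `echo "access-token=$ACCESS_TOKEN" >> "$GITHUB_OUTPUT"`. The `curl` invocation that feeds `jq` starts above the hunk, so whether the shell runs with `pipefail` is not visible from here.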
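Review bot: Moving the token into a step output (the `@@ -127,7` hunk) limits which steps can name it, but the same hunk keeps `persist-credentials: true`, which makes actions/checkout store that token in `pr-repo/.git/config`, where every later step running in that directory can read it anyway; the isolation the commit message describes is therefore only partial. If the later push step relies on the stored credential, a comment on that line should say so, e.g. `# The App token is kept in .git/config so the push step below can use it.`; if the push could take the token explicitly instead, `persist-credentials: false` would confine the token to the steps that reference the output. The rest of the step's `with:` block and the push step itself are outside the hunk.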
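Review bot: With `vars.GH_PR_BUILT_FILES_APP_ID` in the `@@ -92,7` hunk, an unset repository variable expands to an empty string rather than failing, so `GH_APP_ID` would silently be empty: the `iss` claim built from it with `int(os.environ["GH_APP_ID"])` presumably dies with a Python traceback, and in the `@@ -144,7` hunk the bot's `user.email` would become `+wordpress-develop-pr-bot[bot]@users.noreply.github.com` and be used for the commit. A one-line guard at the top of each `run:` block makes the failure explicit: `: "${GH_APP_ID:?GH_PR_BUILT_FILES_APP_ID repository variable is not set}"`. Both `run:` blocks continue past their hunks.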