@GaryJones
Contributor

This pull request enhances the plugin's development infrastructure with security hardening and standardisation.

Summary

  • Harden all GitHub Actions with pinned SHAs and security best practices
  • Add Dependabot for automated dependency management
  • Rename integrations.yml to integration.yml for consistency
  • Standardise .gitignore and .distignore
  • Update Composer scripts with consistent naming

Test plan

  • Verify all CI workflows run correctly
  • Check Dependabot configuration is valid
  • Verify integration tests still work

🤖 Generated with Claude Code

GaryJones and others added 3 commits December 13, 2025 01:25
Comprehensive standardisation to align with other Automattic plugins:

- Renames integrations.yml to integration.yml for consistent naming
- Adds Dependabot configuration for automated dependency updates
- Updates composer.json to use yoast/wp-test-utils instead of phpunit-polyfills
- Renames test-integration to test:integration for script naming consistency
- Pins all GitHub Actions to specific commit SHAs to prevent supply chain attacks
- Adds explicit permissions blocks (least privilege)
- Adds persist-credentials: false to checkout actions
- Fixes template injection vulnerabilities using environment variables

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Updates .gitignore with section headers and adds .wp-env.override.json
exclusion. Updates .distignore with consistent patterns matching other
plugins in the organisation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Composer scripts use colons (test:integration) not hyphens.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@GaryJones GaryJones self-assigned this Dec 14, 2025
@GaryJones GaryJones added the type: maintenance Routine maintenance and code quality improvements label Dec 14, 2025
@GaryJones GaryJones merged commit c8144bc into develop Dec 14, 2025
8 checks passed
@GaryJones GaryJones deleted the standardize/configs-and-ci branch December 14, 2025 02:49
@GaryJones GaryJones added this to the Next milestone Dec 14, 2025
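
The four workflow-hardening items in the first commit message above (SHA pinning, an explicit permissions block, persist-credentials: false on checkout, and passing expressions to scripts through environment variables) can be checked mechanically. This is an added example, not code from this pull request or the plugin: a heuristic line scanner rather than a YAML parser, in which `audit_workflow`, the rule names and both sample workflows are constructed for illustration and the 40-hex ref is a placeholder.

```python
import re
from itertools import takewhile
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*(?!\./|docker://)(\S+)")  # skips local/docker refs
# Assumption: a short, non-exhaustive list of attacker-influenced contexts.
UNTRUSTED = re.compile(r"\$\{\{\s*github\.(event\.|head_ref)")

def audit_workflow(text):
    """Return sorted (line_no, rule) findings; line 0 means file-level."""
    lines, run_col = text.splitlines(), -1  # run_col: column of active `run:` key
    found = [] if re.search(r"(?m)^\s*permissions:", text) else [(0, "no-permissions-block")]
    for i, line in enumerate(lines, 1):
        if line.strip() and len(line) - len(line.lstrip()) <= run_col:
            run_col = -1  # dedent: the script body has ended
        m, u = re.match(r"(\s*(?:-\s+)?)run:", line), USES.match(line)
        run_col = len(m.group(1)) if m else run_col
        if run_col >= 0 and UNTRUSTED.search(line):
            found.append((i, "expression-in-run"))  # expanded into the script text
        ref = u.group(1) if u else ""
        if ref and not re.search(r"@[0-9a-f]{40}$", ref):
            found.append((i, "unpinned-action"))  # tag or branch, not a commit SHA
        step = takewhile(lambda s: not re.match(r"\s*-\s", s), lines[i:])
        if ref.startswith("actions/checkout@") and not any(
                re.match(r"\s*persist-credentials:\s*false\b", s) for s in step):
            found.append((i, "checkout-persists-credentials"))
    return sorted(found)

# Constructed samples; the 40-hex ref is a placeholder, not a real commit.
WEAK = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "${{ github.event.pull_request.title }}"
"""
HARDENED = """\
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
        with:
          persist-credentials: false
      - run: echo "$PR_TITLE"
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
"""
```

In the hardened sample the same expression appears only under `env:`, so the shell receives it as a variable value rather than as part of the script, and the scanner reports nothing.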