Tighten GITHUB_TOKEN permissions
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>pull/28502/head
							parent
							
								
									5cdcf44b6f
								
							
						
					
					
						commit
						03a1d89785
					
				|  | @ -7,6 +7,8 @@ on: | |||
|         branches: | ||||
|             - develop | ||||
| 
 | ||||
| permissions: {} # We use ELEMENT_BOT_TOKEN instead | ||||
| 
 | ||||
| jobs: | ||||
|     backport: | ||||
|         name: Backport | ||||
|  |  | |||
|  | @ -10,6 +10,7 @@ env: | |||
|     # These must be set for fetchdep.sh to get the right branch | ||||
|     REPOSITORY: ${{ github.repository }} | ||||
|     PR_NUMBER: ${{ github.event.pull_request.number }} | ||||
| permissions: {} # No permissions required | ||||
| jobs: | ||||
|     build: | ||||
|         name: "Build on ${{ matrix.image }}" | ||||
|  |  | |||
|  | @ -3,6 +3,7 @@ on: | |||
|     release: | ||||
|         types: [published] | ||||
| concurrency: ${{ github.workflow }} | ||||
| permissions: {} # We use ELEMENT_BOT_TOKEN instead | ||||
| jobs: | ||||
|     build: | ||||
|         name: Build package | ||||
|  |  | |||
|  | @ -9,6 +9,7 @@ on: | |||
| concurrency: | ||||
|     group: ${{ github.repository_owner }}-${{ github.workflow }}-${{ github.ref_name }} | ||||
|     cancel-in-progress: true | ||||
| permissions: {} | ||||
| jobs: | ||||
|     build: | ||||
|         name: "Build & Deploy develop.element.io" | ||||
|  | @ -16,6 +17,9 @@ jobs: | |||
|         if: github.repository == 'element-hq/element-web' | ||||
|         runs-on: ubuntu-24.04 | ||||
|         environment: develop | ||||
|         permissions: | ||||
|             checks: read | ||||
|             pages: write | ||||
|         env: | ||||
|             R2_BUCKET: "element-web-develop" | ||||
|             R2_URL: ${{ vars.CF_R2_S3_API }} | ||||
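Review bot: The new job-level `pages: write` on the develop deploy job looks unused if the job publishes to R2 through the S3 API (the `R2_BUCKET`/`R2_URL` env and the develop.element.io target point that way) rather than to GitHub Pages; in that case the block should carry only `checks: read`. If a step really does call a Pages API, a trailing comment such as `pages: write # needed for <step name>` would spare the next reader the same question. The job body continues outside the hunk, so this is inferred from the visible env block only.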
|  |  | |||
|  | @ -7,14 +7,14 @@ on: | |||
|         # This job can take a while, and we have usage limits, so just publish develop only twice a day | ||||
|         - cron: "0 7/12 * * *" | ||||
| concurrency: ${{ github.workflow }}-${{ github.ref_name }} | ||||
| 
 | ||||
| permissions: | ||||
|     id-token: write # needed for signing the images with GitHub OIDC Token | ||||
| permissions: {} | ||||
| jobs: | ||||
|     buildx: | ||||
|         name: Docker Buildx | ||||
|         runs-on: ubuntu-24.04 | ||||
|         environment: dockerhub | ||||
|         permissions: | ||||
|             id-token: write # needed for signing the images with GitHub OIDC Token | ||||
|         steps: | ||||
|             - uses: actions/checkout@v4 | ||||
|               with: | ||||
|  |  | |||
|  | @ -5,10 +5,7 @@ on: | |||
|         branches: [develop] | ||||
|     workflow_dispatch: {} | ||||
| 
 | ||||
| permissions: | ||||
|     contents: read | ||||
|     pages: write | ||||
|     id-token: write | ||||
| permissions: {} | ||||
| 
 | ||||
| concurrency: | ||||
|     group: "pages" | ||||
|  | @ -100,6 +97,8 @@ jobs: | |||
|             name: github-pages | ||||
|             url: ${{ steps.deployment.outputs.page_url }} | ||||
|         runs-on: ubuntu-24.04 | ||||
|         permissions: | ||||
|             pages: write | ||||
|         needs: build | ||||
|         steps: | ||||
|             - name: Deploy to GitHub Pages | ||||
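Review bot: The deploy job's new `permissions:` block grants only `pages: write`, while the top-level block removed in the first hunk also carried `id-token: write`; if the `Deploy to GitHub Pages` step is actions/deploy-pages (the `github-pages` environment and `steps.deployment.outputs.page_url` suggest so), that action needs both `pages: write` and `id-token: write` and fails without the OIDC token. Add `id-token: write # required by actions/deploy-pages` next to `pages: write`. The `uses:` of that step and the build job's steps are outside the hunk, so confirm against the full file.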
|  |  | |||
|  | @ -11,6 +11,8 @@ concurrency: | |||
|     group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.run_id }} | ||||
|     cancel-in-progress: ${{ github.event.workflow_run.event == 'pull_request' }} | ||||
| 
 | ||||
| permissions: {} | ||||
| 
 | ||||
| jobs: | ||||
|     report: | ||||
|         if: github.event.workflow_run.conclusion != 'cancelled' | ||||
|  | @ -20,11 +22,11 @@ jobs: | |||
|         permissions: | ||||
|             statuses: write | ||||
|             deployments: write | ||||
|             actions: read | ||||
|         steps: | ||||
|             - name: Download HTML report | ||||
|               uses: actions/download-artifact@v4 | ||||
|               with: | ||||
|                   github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} | ||||
|                   run-id: ${{ github.event.workflow_run.id }} | ||||
|                   name: html-report | ||||
|                   path: playwright-report | ||||
|  |  | |||
|  | @ -33,6 +33,8 @@ env: | |||
|     # fetchdep.sh needs to know our PR number | ||||
|     PR_NUMBER: ${{ github.event.pull_request.number }} | ||||
| 
 | ||||
| permissions: {} # No permissions required | ||||
| 
 | ||||
| jobs: | ||||
|     build: | ||||
|         name: "Build Element-Web" | ||||
|  |  | |||
|  | @ -4,6 +4,7 @@ | |||
| on: | ||||
|     issues: | ||||
|         types: [closed] | ||||
| permissions: {} # We use ELEMENT_BOT_TOKEN instead | ||||
| jobs: | ||||
|     tidy: | ||||
|         name: Tidy closed issues | ||||
|  |  | |||
|  | @ -3,6 +3,7 @@ on: | |||
|     workflow_dispatch: {} | ||||
|     schedule: | ||||
|         - cron: "0 6 * * 1,3,5" # Every Monday, Wednesday and Friday at 6am UTC | ||||
| permissions: {} # We use ELEMENT_BOT_TOKEN instead | ||||
| jobs: | ||||
|     download: | ||||
|         uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_download.yaml@main | ||||
|  |  | |||
|  | @ -4,6 +4,7 @@ on: | |||
|         branches: [develop] | ||||
|         paths: | ||||
|             - "src/i18n/strings/en_EN.json" | ||||
| permissions: {} # No permissions needed | ||||
| jobs: | ||||
|     upload: | ||||
|         uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_upload.yaml@main | ||||
|  |  | |||
|  | @ -11,6 +11,9 @@ jobs: | |||
|         if: github.event.workflow_run.conclusion != 'cancelled' && github.event.workflow_run.event == 'pull_request' | ||||
|         runs-on: ubuntu-24.04 | ||||
|         environment: Netlify | ||||
|         permissions: | ||||
|             actions: read | ||||
|             deployments: write | ||||
|         steps: | ||||
|             - name: 📝 Create Deployment | ||||
|               uses: bobheadxi/deployments@648679e8e4915b27893bd7dbc35cb504dc915bc8 # v1 | ||||
|  | @ -27,7 +30,6 @@ jobs: | |||
|             - name: 📥 Download artifact | ||||
|               uses: actions/download-artifact@v4 | ||||
|               with: | ||||
|                   github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} | ||||
|                   run-id: ${{ github.event.workflow_run.id }} | ||||
|                   name: webapp | ||||
|                   path: webapp | ||||
|  |  | |||
|  | @ -6,6 +6,7 @@ on: | |||
|     #schedule: | ||||
|     #    - cron: "*/10 * * * *" | ||||
| concurrency: ${{ github.workflow }} | ||||
| permissions: {} # We use ELEMENT_BOT_TOKEN instead | ||||
| jobs: | ||||
|     bot: | ||||
|         name: Pending reviews bot | ||||
|  |  | |||
|  | @ -3,9 +3,12 @@ on: | |||
|     workflow_dispatch: {} | ||||
|     schedule: | ||||
|         - cron: "0 6 * * *" # Every day at 6am UTC | ||||
| permissions: {} | ||||
| jobs: | ||||
|     update: | ||||
|         runs-on: ubuntu-24.04 | ||||
|         permissions: | ||||
|             pull-requests: write | ||||
|         steps: | ||||
|             - uses: actions/checkout@v4 | ||||
| 
 | ||||
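Review bot: The `update` job receives only `pull-requests: write`; if it pushes a branch with GITHUB_TOKEN before opening the pull request, it also needs `contents: write`, since opening a PR does not grant the branch push. If it uses a PAT for that instead, the same `# We use ELEMENT_BOT_TOKEN instead` comment the other files in this change carry would document why the job-level grant is enough. The job's steps are outside the hunk, so this is a question rather than a confirmed defect.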
|  |  | |||
|  | @ -4,6 +4,7 @@ on: | |||
|         types: [opened, edited, labeled, unlabeled, synchronize] | ||||
|     merge_group: | ||||
|         types: [checks_requested] | ||||
| permissions: {} # We use ELEMENT_BOT_TOKEN instead | ||||
| jobs: | ||||
|     action: | ||||
|         uses: matrix-org/matrix-js-sdk/.github/workflows/pull_request.yaml@develop | ||||
|  |  | |||
|  | @ -2,6 +2,7 @@ name: Pull Request Base Branch | |||
| on: | ||||
|     pull_request: | ||||
|         types: [opened, edited, synchronize] | ||||
| permissions: {} # No permissions required | ||||
| jobs: | ||||
|     check_base_branch: | ||||
|         name: Check PR base branch | ||||
|  |  | |||
|  | @ -4,6 +4,9 @@ on: | |||
|         branches: [staging] | ||||
|     workflow_dispatch: {} | ||||
| concurrency: ${{ github.workflow }} | ||||
| permissions: {} | ||||
| jobs: | ||||
|     draft: | ||||
|         permissions: | ||||
|             contents: write | ||||
|         uses: matrix-org/matrix-js-sdk/.github/workflows/release-drafter-workflow.yml@develop | ||||
|  |  | |||
|  | @ -4,6 +4,7 @@ on: | |||
|     push: | ||||
|         branches: [master] | ||||
| concurrency: ${{ github.repository }}-${{ github.workflow }} | ||||
| permissions: {} # We use ELEMENT_BOT_TOKEN instead | ||||
| jobs: | ||||
|     merge: | ||||
|         uses: matrix-org/matrix-js-sdk/.github/workflows/release-gitflow.yml@develop | ||||
|  |  | |||
|  | @ -11,9 +11,13 @@ on: | |||
|                     - rc | ||||
|                     - final | ||||
| concurrency: ${{ github.workflow }} | ||||
| permissions: {} | ||||
| jobs: | ||||
|     release: | ||||
|         uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop | ||||
|         permissions: | ||||
|             contents: write | ||||
|             issues: write | ||||
|         secrets: | ||||
|             ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }} | ||||
|             GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} | ||||
|  | @ -42,6 +46,8 @@ jobs: | |||
|         name: Post release checks | ||||
|         needs: release | ||||
|         runs-on: ubuntu-24.04 | ||||
|         permissions: | ||||
|             checks: read | ||||
|         steps: | ||||
|             - name: Wait for dockerhub | ||||
|               uses: t3chguy/wait-on-check-action@18541021811b56544d90e0f073401c2b99e249d6 # fork | ||||
|  |  | |||
|  | @ -17,6 +17,7 @@ on: | |||
|                 required: true | ||||
|                 type: boolean | ||||
|                 default: true | ||||
| permissions: {} # Uses ELEMENT_BOT_TOKEN instead | ||||
| jobs: | ||||
|     prepare: | ||||
|         runs-on: ubuntu-24.04 | ||||
|  |  | |||
|  | @ -7,11 +7,16 @@ on: | |||
| concurrency: | ||||
|     group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch }} | ||||
|     cancel-in-progress: true | ||||
| permissions: {} | ||||
| jobs: | ||||
|     sonarqube: | ||||
|         name: 🩻 SonarQube | ||||
|         if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event != 'merge_group' | ||||
|         uses: matrix-org/matrix-js-sdk/.github/workflows/sonarcloud.yml@develop | ||||
|         permissions: | ||||
|             actions: read | ||||
|             statuses: write | ||||
|             id-token: write # sonar | ||||
|         secrets: | ||||
|             SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | ||||
|             ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }} | ||||
|  |  | |||
|  | @ -16,6 +16,8 @@ env: | |||
|     REPOSITORY: ${{ github.repository }} | ||||
|     PR_NUMBER: ${{ github.event.pull_request.number }} | ||||
| 
 | ||||
| permissions: {} # No permissions required | ||||
| 
 | ||||
| jobs: | ||||
|     ts_lint: | ||||
|         name: "Typescript Syntax Check" | ||||
|  |  | |||
|  | @ -8,6 +8,9 @@ on: | |||
|             - develop | ||||
|         paths: | ||||
|             - .github/labels.yml | ||||
| 
 | ||||
| permissions: {} # We use ELEMENT_BOT_TOKEN instead | ||||
| 
 | ||||
| jobs: | ||||
|     sync-labels: | ||||
|         uses: element-hq/element-meta/.github/workflows/sync-labels.yml@develop | ||||
|  |  | |||
|  | @ -26,6 +26,8 @@ env: | |||
|     # fetchdep.sh needs to know our PR number | ||||
|     PR_NUMBER: ${{ github.event.pull_request.number }} | ||||
| 
 | ||||
| permissions: {} | ||||
| 
 | ||||
| jobs: | ||||
|     jest: | ||||
|         name: Jest | ||||
|  | @ -94,6 +96,8 @@ jobs: | |||
|         needs: jest | ||||
|         if: always() | ||||
|         runs-on: ubuntu-24.04 | ||||
|         permissions: | ||||
|             checks: write | ||||
|         steps: | ||||
|             - if: needs.jest.result != 'skipped' && needs.jest.result != 'success' | ||||
|               run: exit 1 | ||||
|  |  | |||
|  | @ -4,6 +4,8 @@ on: | |||
|     issues: | ||||
|         types: [assigned] | ||||
| 
 | ||||
| permissions: {} # We use ELEMENT_BOT_TOKEN instead | ||||
| 
 | ||||
| jobs: | ||||
|     web-app-team: | ||||
|         runs-on: ubuntu-24.04 | ||||
|  |  | |||
|  | @ -4,6 +4,8 @@ on: | |||
|     issues: | ||||
|         types: [opened] | ||||
| 
 | ||||
| permissions: {} # We use ELEMENT_BOT_TOKEN instead | ||||
| 
 | ||||
| jobs: | ||||
|     automate-project-columns: | ||||
|         runs-on: ubuntu-24.04 | ||||
|  |  | |||
|  | @ -8,6 +8,8 @@ on: | |||
|             ELEMENT_BOT_TOKEN: | ||||
|                 required: true | ||||
| 
 | ||||
| permissions: {} # We use ELEMENT_BOT_TOKEN instead | ||||
| 
 | ||||
| jobs: | ||||
|     apply_Z-Labs_label: | ||||
|         name: Add Z-Labs label for features behind labs flags | ||||
|  |  | |||
|  | @ -3,6 +3,7 @@ on: | |||
|     pull_request_target: | ||||
|         types: [review_requested] | ||||
| 
 | ||||
| permissions: {} # Uses ELEMENT_BOT_TOKEN instead | ||||
| jobs: | ||||
|     add_design_pr_to_project: | ||||
|         name: Move PRs asking for design review to the design board | ||||
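Review bot: This workflow runs on `pull_request_target`, so `permissions: {}` on GITHUB_TOKEN does not reduce what `ELEMENT_BOT_TOKEN` can do: the job still runs in the base repository's context with that secret available. Worth recording the invariant next to the trigger, e.g. `# pull_request_target: this job must only read event metadata, never check out or run PR-head code`, and checking the steps (outside the hunk) against it. Minor style point: the blank line kept before `permissions:` is not mirrored after it, unlike the other files in this change.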
|  |  | |||
|  | @ -2,6 +2,7 @@ name: Close stale flaky issues | |||
| on: | ||||
|     schedule: | ||||
|         - cron: "30 1 * * *" | ||||
| permissions: {} | ||||
| jobs: | ||||
|     close: | ||||
|         runs-on: ubuntu-24.04 | ||||
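Review bot: This `permissions: {}` has no comment and the visible part of the `close` job grants nothing at job level; if the job closes issues with GITHUB_TOKEN it needs `issues: write` on the job, and if it uses the PAT the `# We use ELEMENT_BOT_TOKEN instead` comment used elsewhere in this change would make that explicit. The job body continues outside the hunk.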
|  |  | |||
|  | @ -3,11 +3,13 @@ name: Move unlabelled from needs info columns to triaged | |||
| on: | ||||
|     issues: | ||||
|         types: [unlabeled] | ||||
| 
 | ||||
| permissions: {} | ||||
| jobs: | ||||
|     Move_Unabeled_Issue_On_Project_Board: | ||||
|         name: Move no longer X-Needs-Info issues to Triaged | ||||
|         runs-on: ubuntu-24.04 | ||||
|         permissions: | ||||
|             repository-projects: read | ||||
|         if: > | ||||
|             ${{ | ||||
|             !contains(github.event.issue.labels.*.name, 'X-Needs-Info') }} | ||||
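Review bot: `repository-projects: read` on the job is not enough to move an issue between columns: the classic Projects REST API needs `repository-projects: write` for that, and Projects (v2) GraphQL mutations are generally not reachable with GITHUB_TOKEN at all and need a PAT. Either raise it to `repository-projects: write`, or, if the steps use ELEMENT_BOT_TOKEN, drop the grant and add the `# We use ELEMENT_BOT_TOKEN instead` comment the other files carry. The steps are outside the hunk.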
|  |  | |||
|  | @ -4,6 +4,7 @@ on: | |||
|     workflow_dispatch: {} | ||||
|     schedule: | ||||
|         - cron: "0 3 * * 0" # 3am every Sunday | ||||
| permissions: {} # We use ELEMENT_BOT_TOKEN instead | ||||
| jobs: | ||||
|     update: | ||||
|         runs-on: ubuntu-24.04 | ||||
|  |  | |||
|  | @ -15,6 +15,7 @@ on: | |||
|                 required: true | ||||
|                 type: string | ||||
| concurrency: ${{ github.workflow }} | ||||
| permissions: {} # No permissions required | ||||
| jobs: | ||||
|     bot: | ||||
|         name: Release topic update | ||||
|  |  | |||
	 Michael Telatynski
						Michael Telatynski