From 03a1d89785db8a6ee952c7a6e801c0eb99c71ab8 Mon Sep 17 00:00:00 2001
From: Michael Telatynski <7t3chguy@gmail.com>
Date: Wed, 20 Nov 2024 15:44:02 +0000
Subject: [PATCH] Tighten GITHUB_TOKEN permissions
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
---
 .github/workflows/backport.yml | 2 ++
 .github/workflows/build.yml | 1 +
 .github/workflows/build_debian.yaml | 1 +
 .github/workflows/build_develop.yml | 4 ++++
 .github/workflows/dockerhub.yaml | 6 +++---
 .github/workflows/docs.yml | 7 +++----
 .github/workflows/end-to-end-tests-netlify.yaml | 4 +++-
 .github/workflows/end-to-end-tests.yaml | 2 ++
 .github/workflows/issue_closed.yml | 1 +
 .github/workflows/localazy_download.yaml | 1 +
 .github/workflows/localazy_upload.yaml | 1 +
 .github/workflows/netlify.yaml | 4 +++-
 .github/workflows/pending-reviews.yaml | 1 +
 .github/workflows/playwright-image-updates.yaml | 3 +++
 .github/workflows/pull_request.yaml | 1 +
 .github/workflows/pull_request_base_branch.yaml | 1 +
 .github/workflows/release-drafter.yml | 3 +++
 .github/workflows/release-gitflow.yml | 1 +
 .github/workflows/release.yml | 6 ++++++
 .github/workflows/release_prepare.yml | 1 +
 .github/workflows/sonarqube.yml | 5 +++++
 .github/workflows/static_analysis.yaml | 2 ++
 .github/workflows/sync-labels.yml | 3 +++
 .github/workflows/tests.yml | 4 ++++
 .github/workflows/triage-assigned.yml | 2 ++
 .github/workflows/triage-incoming.yml | 2 ++
 .github/workflows/triage-labelled.yml | 2 ++
 .github/workflows/triage-move-review-requests.yml | 1 +
 .github/workflows/triage-stale-flaky-tests.yml | 1 +
 .github/workflows/triage-unlabelled.yml | 4 +++-
 .github/workflows/update-jitsi.yml | 1 +
 .github/workflows/update-topics.yaml | 1 +
 32 files changed, 69 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 7252c27b5f..5a11ad5bbd 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -7,6 +7,8 @@ on: branches: - develop +permissions: {} # We use ELEMENT_BOT_TOKEN instead + jobs: backport: name: Backport diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 55f5c1f4a3..381755b606 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -10,6 +10,7 @@ env: # These must be set for fetchdep.sh to get the right branch REPOSITORY: ${{ github.repository }} PR_NUMBER: ${{ github.event.pull_request.number }} +permissions: {} # No permissions required jobs: build: name: "Build on ${{ matrix.image }}" diff --git a/.github/workflows/build_debian.yaml b/.github/workflows/build_debian.yaml index 319dccd9f2..f46678512a 100644 --- a/.github/workflows/build_debian.yaml +++ b/.github/workflows/build_debian.yaml @@ -3,6 +3,7 @@ on: release: types: [published] concurrency: ${{ github.workflow }} +permissions: {} # We use ELEMENT_BOT_TOKEN instead jobs: build: name: Build package diff --git a/.github/workflows/build_develop.yml b/.github/workflows/build_develop.yml index b4c96c4eef..c21ab831e6 100644 --- a/.github/workflows/build_develop.yml +++ b/.github/workflows/build_develop.yml @@ -9,6 +9,7 @@ on: concurrency: group: ${{ github.repository_owner }}-${{ github.workflow }}-${{ github.ref_name }} cancel-in-progress: true +permissions: {} jobs: build: name: "Build & Deploy develop.element.io" @@ -16,6 +17,9 @@ jobs: if: github.repository == 'element-hq/element-web' runs-on: ubuntu-24.04 environment: develop + permissions: + checks: read + pages: write env: R2_BUCKET: "element-web-develop" R2_URL: ${{ vars.CF_R2_S3_API }} diff --git a/.github/workflows/dockerhub.yaml b/.github/workflows/dockerhub.yaml index 65457ab8f9..7911cf794a 100644 --- a/.github/workflows/dockerhub.yaml +++ b/.github/workflows/dockerhub.yaml 
@@ -7,14 +7,14 @@ on: # This job can take a while, and we have usage limits, so just publish develop only twice a day - cron: "0 7/12 * * *" concurrency: ${{ github.workflow }}-${{ github.ref_name }} - -permissions: - id-token: write # needed for signing the images with GitHub OIDC Token +permissions: {} jobs: buildx: name: Docker Buildx runs-on: ubuntu-24.04 environment: dockerhub + permissions: + id-token: write # needed for signing the images with GitHub OIDC Token steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index c3f08deb1d..6abcb925b2 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -5,10 +5,7 @@ on: branches: [develop] workflow_dispatch: {} -permissions: - contents: read - pages: write - id-token: write +permissions: {} concurrency: group: "pages" @@ -100,6 +97,8 @@ jobs: name: github-pages url: ${{ steps.deployment.outputs.page_url }} runs-on: ubuntu-24.04 + permissions: + pages: write needs: build steps: - name: Deploy to GitHub Pages diff --git a/.github/workflows/end-to-end-tests-netlify.yaml b/.github/workflows/end-to-end-tests-netlify.yaml index a15e02c9ee..f59513ca12 100644 --- a/.github/workflows/end-to-end-tests-netlify.yaml +++ b/.github/workflows/end-to-end-tests-netlify.yaml @@ -11,6 +11,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.run_id }} cancel-in-progress: ${{ github.event.workflow_run.event == 'pull_request' }} +permissions: {} + jobs: report: if: github.event.workflow_run.conclusion != 'cancelled' @@ -20,11 +22,11 @@ jobs: permissions: statuses: write deployments: write + actions: read steps: - name: Download HTML report uses: actions/download-artifact@v4 with: - github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} run-id: ${{ github.event.workflow_run.id }} name: html-report path: playwright-report 
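Review bot: The buildx job's new explicit `permissions:` block in dockerhub.yaml leaves `contents` unset, so combined with the top-level `permissions: {}` the job's GITHUB_TOKEN has no contents scope while the `actions/checkout@v4` step two lines below still runs; this appears to work only because the repository is public and the clone succeeds without an authorised token. Make the dependency explicit so the job survives a visibility change or a private fork: `permissions:` / `contents: read` / `id-token: write # needed for signing the images with GitHub OIDC Token`. The build, push and signing steps that actually consume the OIDC token are outside the hunk.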
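Review bot: In docs.yml the deploy job keeps only `pages: write`, whereas the removed top-level block also granted `id-token: write`; if the `Deploy to GitHub Pages` step is `actions/deploy-pages` (its `uses:` line is outside the hunk), that action requires both `pages: write` and `id-token: write` because it proves the deployment's origin with an OIDC token, and the deployment would fail with the reduced set. Restore the scope at job level: `permissions:` / `pages: write` / `id-token: write # required by actions/deploy-pages`. The build job, which previously relied on the top-level `contents: read`, is also outside the hunk and worth checking for the same reason.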
diff --git a/.github/workflows/end-to-end-tests.yaml b/.github/workflows/end-to-end-tests.yaml index 1784dafe0e..1a31f75065 100644 --- a/.github/workflows/end-to-end-tests.yaml +++ b/.github/workflows/end-to-end-tests.yaml @@ -33,6 +33,8 @@ env: # fetchdep.sh needs to know our PR number PR_NUMBER: ${{ github.event.pull_request.number }} +permissions: {} # No permissions required + jobs: build: name: "Build Element-Web" diff --git a/.github/workflows/issue_closed.yml b/.github/workflows/issue_closed.yml index 191f345cc9..2cffae0011 100644 --- a/.github/workflows/issue_closed.yml +++ b/.github/workflows/issue_closed.yml @@ -4,6 +4,7 @@ on: issues: types: [closed] +permissions: {} # We use ELEMENT_BOT_TOKEN instead jobs: tidy: name: Tidy closed issues diff --git a/.github/workflows/localazy_download.yaml b/.github/workflows/localazy_download.yaml index a880c3b2e4..435b8154ba 100644 --- a/.github/workflows/localazy_download.yaml +++ b/.github/workflows/localazy_download.yaml @@ -3,6 +3,7 @@ on: workflow_dispatch: {} schedule: - cron: "0 6 * * 1,3,5" # Every Monday, Wednesday and Friday at 6am UTC +permissions: {} # We use ELEMENT_BOT_TOKEN instead jobs: download: uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_download.yaml@main diff --git a/.github/workflows/localazy_upload.yaml b/.github/workflows/localazy_upload.yaml index 9ba79800db..8cb7743968 100644 --- a/.github/workflows/localazy_upload.yaml +++ b/.github/workflows/localazy_upload.yaml @@ -4,6 +4,7 @@ on: branches: [develop] paths: - "src/i18n/strings/en_EN.json" +permissions: {} # No permissions needed jobs: upload: uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_upload.yaml@main diff --git a/.github/workflows/netlify.yaml b/.github/workflows/netlify.yaml index 174c6579c3..bcaa9ce810 100644 --- a/.github/workflows/netlify.yaml +++ b/.github/workflows/netlify.yaml 
@@ -11,6 +11,9 @@ jobs: if: github.event.workflow_run.conclusion != 'cancelled' && github.event.workflow_run.event == 'pull_request' runs-on: ubuntu-24.04 environment: Netlify + permissions: + actions: read + deployments: write steps: - name: 📝 Create Deployment uses: bobheadxi/deployments@648679e8e4915b27893bd7dbc35cb504dc915bc8 # v1 @@ -27,7 +30,6 @@ jobs: - name: 📥 Download artifact uses: actions/download-artifact@v4 with: - github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} run-id: ${{ github.event.workflow_run.id }} name: webapp path: webapp diff --git a/.github/workflows/pending-reviews.yaml b/.github/workflows/pending-reviews.yaml index 499da6a9b3..c96ed3f17e 100644 --- a/.github/workflows/pending-reviews.yaml +++ b/.github/workflows/pending-reviews.yaml @@ -6,6 +6,7 @@ on: #schedule: # - cron: "*/10 * * * *" concurrency: ${{ github.workflow }} +permissions: {} # We use ELEMENT_BOT_TOKEN instead jobs: bot: name: Pending reviews bot diff --git a/.github/workflows/playwright-image-updates.yaml b/.github/workflows/playwright-image-updates.yaml index 1492adc736..1613b42dfb 100644 --- a/.github/workflows/playwright-image-updates.yaml +++ b/.github/workflows/playwright-image-updates.yaml @@ -3,9 +3,12 @@ on: workflow_dispatch: {} schedule: - cron: "0 6 * * *" # Every day at 6am UTC +permissions: {} jobs: update: runs-on: ubuntu-24.04 + permissions: + pull-requests: write steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml index 1f49adfcc4..9d440dcec7 100644 --- a/.github/workflows/pull_request.yaml +++ b/.github/workflows/pull_request.yaml @@ -4,6 +4,7 @@ on: types: [opened, edited, labeled, unlabeled, synchronize] merge_group: types: [checks_requested] +permissions: {} # We use ELEMENT_BOT_TOKEN instead jobs: action: uses: matrix-org/matrix-js-sdk/.github/workflows/pull_request.yaml@develop 
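Review bot: netlify.yaml is the one file in this patch that receives job-level scopes (`actions: read`, `deployments: write`) without a top-level `permissions: {}`; the diffstat (3 insertions, 1 deletion) confirms none was added, so unless one already exists above the hunk, any job added to this workflow later inherits the repository's default token scopes. That matters more here than elsewhere because the job is `workflow_run`-triggered by `pull_request` runs (potentially from forks), holds the `Netlify` environment secrets, and downloads the artifact of that run. Add `permissions: {}` at file level as the sibling end-to-end-tests-netlify.yaml does. The deploy steps after the download continue outside the hunk.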
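Review bot: In playwright-image-updates.yaml, `pull-requests: write` on its own lets GITHUB_TOKEN open or edit a pull request but not push the branch it is opened from; if the step after the checkout creates the PR with GITHUB_TOKEN it will also need `contents: write`, and if it uses `ELEMENT_BOT_TOKEN` like the sibling workflows then this scope is unnecessary and the `# We use ELEMENT_BOT_TOKEN instead` comment would be the accurate one. The steps that decide this are outside the hunk. Whichever applies, name the consumer in a trailing comment, e.g. `pull-requests: write # consumed by <step> to open the image-bump PR`, so the next tightening pass does not have to re-derive it.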
diff --git a/.github/workflows/pull_request_base_branch.yaml b/.github/workflows/pull_request_base_branch.yaml index 04ad3f3106..6610ee4879 100644 --- a/.github/workflows/pull_request_base_branch.yaml +++ b/.github/workflows/pull_request_base_branch.yaml @@ -2,6 +2,7 @@ name: Pull Request Base Branch on: pull_request: types: [opened, edited, synchronize] +permissions: {} # No permissions required jobs: check_base_branch: name: Check PR base branch diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index d8afa80a9f..c4bf8e6ab3 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -4,6 +4,9 @@ on: branches: [staging] workflow_dispatch: {} concurrency: ${{ github.workflow }} +permissions: {} jobs: draft: + permissions: + contents: write uses: matrix-org/matrix-js-sdk/.github/workflows/release-drafter-workflow.yml@develop diff --git a/.github/workflows/release-gitflow.yml b/.github/workflows/release-gitflow.yml index 34232d420d..128c6a1e05 100644 --- a/.github/workflows/release-gitflow.yml +++ b/.github/workflows/release-gitflow.yml @@ -4,6 +4,7 @@ on: push: branches: [master] concurrency: ${{ github.repository }}-${{ github.workflow }} +permissions: {} # We use ELEMENT_BOT_TOKEN instead jobs: merge: uses: matrix-org/matrix-js-sdk/.github/workflows/release-gitflow.yml@develop diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3a9c29e197..2ecc4a4662 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,9 +11,13 @@ on: - rc - final concurrency: ${{ github.workflow }} +permissions: {} jobs: release: uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop + permissions: + contents: write + issues: write secrets: ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }} GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} 
@@ -42,6 +46,8 @@ jobs: name: Post release checks needs: release runs-on: ubuntu-24.04 + permissions: + checks: read steps: - name: Wait for dockerhub uses: t3chguy/wait-on-check-action@18541021811b56544d90e0f073401c2b99e249d6 # fork diff --git a/.github/workflows/release_prepare.yml b/.github/workflows/release_prepare.yml index 5fb969a1c6..b655bb4206 100644 --- a/.github/workflows/release_prepare.yml +++ b/.github/workflows/release_prepare.yml @@ -17,6 +17,7 @@ on: required: true type: boolean default: true +permissions: {} # Uses ELEMENT_BOT_TOKEN instead jobs: prepare: runs-on: ubuntu-24.04 diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index d9b26c78e8..0ee457bac2 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml @@ -7,11 +7,16 @@ on: concurrency: group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch }} cancel-in-progress: true +permissions: {} jobs: sonarqube: name: 🩻 SonarQube if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event != 'merge_group' uses: matrix-org/matrix-js-sdk/.github/workflows/sonarcloud.yml@develop + permissions: + actions: read + statuses: write + id-token: write # sonar secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }} diff --git a/.github/workflows/static_analysis.yaml b/.github/workflows/static_analysis.yaml index 87e5a70730..cdc34d9474 100644 --- a/.github/workflows/static_analysis.yaml +++ b/.github/workflows/static_analysis.yaml @@ -16,6 +16,8 @@ env: REPOSITORY: ${{ github.repository }} PR_NUMBER: ${{ github.event.pull_request.number }} +permissions: {} # No permissions required + jobs: ts_lint: name: "Typescript Syntax Check" diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index bb22292a64..fa1be485bb 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml 
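Review bot: In sonarqube.yml, `id-token: write # sonar` does not say what the OIDC token is for, and it is the one scope in this patch handed to a `workflow_run` job that consumes the output of pull-request runs, where any step in the called `sonarcloud.yml` reusable workflow can mint an identity token for this repository. SonarCloud itself authenticates with the `SONAR_TOKEN` secret passed just below, so if the reusable workflow (outside this patch) does not actually exchange an OIDC token, drop the scope. Otherwise replace the comment with the actual consumer, e.g. `id-token: write # OIDC token exchanged by <step> in matrix-js-sdk sonarcloud.yml`.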
@@ -8,6 +8,9 @@ on: - develop paths: - .github/labels.yml + +permissions: {} # We use ELEMENT_BOT_TOKEN instead + jobs: sync-labels: uses: element-hq/element-meta/.github/workflows/sync-labels.yml@develop diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 59fefb2f80..4316966c7d 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -26,6 +26,8 @@ env: # fetchdep.sh needs to know our PR number PR_NUMBER: ${{ github.event.pull_request.number }} +permissions: {} + jobs: jest: name: Jest @@ -94,6 +96,8 @@ jobs: needs: jest if: always() runs-on: ubuntu-24.04 + permissions: + checks: write steps: - if: needs.jest.result != 'skipped' && needs.jest.result != 'success' run: exit 1 diff --git a/.github/workflows/triage-assigned.yml b/.github/workflows/triage-assigned.yml index 81d1dff80f..e43eb94618 100644 --- a/.github/workflows/triage-assigned.yml +++ b/.github/workflows/triage-assigned.yml @@ -4,6 +4,8 @@ on: issues: types: [assigned] +permissions: {} # We use ELEMENT_BOT_TOKEN instead + jobs: web-app-team: runs-on: ubuntu-24.04 diff --git a/.github/workflows/triage-incoming.yml b/.github/workflows/triage-incoming.yml index e63017dc3b..b084b4d55e 100644 --- a/.github/workflows/triage-incoming.yml +++ b/.github/workflows/triage-incoming.yml @@ -4,6 +4,8 @@ on: issues: types: [opened] +permissions: {} # We use ELEMENT_BOT_TOKEN instead + jobs: automate-project-columns: runs-on: ubuntu-24.04 diff --git a/.github/workflows/triage-labelled.yml b/.github/workflows/triage-labelled.yml index 0112f180c1..2cb05a8bcf 100644 --- a/.github/workflows/triage-labelled.yml +++ b/.github/workflows/triage-labelled.yml @@ -8,6 +8,8 @@ on: ELEMENT_BOT_TOKEN: required: true +permissions: {} # We use ELEMENT_BOT_TOKEN instead + jobs: apply_Z-Labs_label: name: Add Z-Labs label for features behind labs flags 
diff --git a/.github/workflows/triage-move-review-requests.yml b/.github/workflows/triage-move-review-requests.yml index 72d9786a4a..d3bcda270b 100644 --- a/.github/workflows/triage-move-review-requests.yml +++ b/.github/workflows/triage-move-review-requests.yml @@ -3,6 +3,7 @@ on: pull_request_target: types: [review_requested] +permissions: {} # Uses ELEMENT_BOT_TOKEN instead jobs: add_design_pr_to_project: name: Move PRs asking for design review to the design board diff --git a/.github/workflows/triage-stale-flaky-tests.yml b/.github/workflows/triage-stale-flaky-tests.yml index d339a136cd..90ba7c40f7 100644 --- a/.github/workflows/triage-stale-flaky-tests.yml +++ b/.github/workflows/triage-stale-flaky-tests.yml @@ -2,6 +2,7 @@ name: Close stale flaky issues on: schedule: - cron: "30 1 * * *" +permissions: {} jobs: close: runs-on: ubuntu-24.04 diff --git a/.github/workflows/triage-unlabelled.yml b/.github/workflows/triage-unlabelled.yml index 1cd1c80afc..efbf80eea9 100644 --- a/.github/workflows/triage-unlabelled.yml +++ b/.github/workflows/triage-unlabelled.yml @@ -3,11 +3,13 @@ name: Move unlabelled from needs info columns to triaged on: issues: types: [unlabeled] - +permissions: {} jobs: Move_Unabeled_Issue_On_Project_Board: name: Move no longer X-Needs-Info issues to Triaged runs-on: ubuntu-24.04 + permissions: + repository-projects: read if: > ${{ !contains(github.event.issue.labels.*.name, 'X-Needs-Info') }} diff --git a/.github/workflows/update-jitsi.yml b/.github/workflows/update-jitsi.yml index 68dbf22e63..bf0414e73a 100644 --- a/.github/workflows/update-jitsi.yml +++ b/.github/workflows/update-jitsi.yml @@ -4,6 +4,7 @@ on: workflow_dispatch: {} schedule: - cron: "0 3 * * 0" # 3am every Sunday +permissions: {} # We use ELEMENT_BOT_TOKEN instead jobs: update: runs-on: ubuntu-24.04 diff --git a/.github/workflows/update-topics.yaml b/.github/workflows/update-topics.yaml index a984fc4f03..cd6c2fc553 100644 --- a/.github/workflows/update-topics.yaml 
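Review bot: triage-move-review-requests.yml runs on `pull_request_target`, so the comment `# Uses ELEMENT_BOT_TOKEN instead` undersells the situation: `permissions: {}` restricts GITHUB_TOKEN, but the job still executes in the base repository's context with `ELEMENT_BOT_TOKEN` available, and that PAT's scope is unaffected by this patch. Make the constraint visible where the next editor will see it: `permissions: {} # Uses ELEMENT_BOT_TOKEN instead. pull_request_target: never check out or execute code from the PR head in this workflow`. The job body is outside the hunk, so whether it currently checks anything out cannot be confirmed from this patch.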
+++ b/.github/workflows/update-topics.yaml @@ -15,6 +15,7 @@ on: required: true type: string concurrency: ${{ github.workflow }} +permissions: {} # No permissions required jobs: bot: name: Release topic update