Tighten GITHUB_TOKEN permissions

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
pull/28502/head
Michael Telatynski 2024-11-20 15:44:02 +00:00
parent 5cdcf44b6f
commit 03a1d89785
No known key found for this signature in database
GPG Key ID: A2B008A5F49F5D0D
32 changed files with 69 additions and 10 deletions


@ -7,6 +7,8 @@ on:
branches: branches:
- develop - develop
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
backport: backport:
name: Backport name: Backport


@ -10,6 +10,7 @@ env:
# These must be set for fetchdep.sh to get the right branch # These must be set for fetchdep.sh to get the right branch
REPOSITORY: ${{ github.repository }} REPOSITORY: ${{ github.repository }}
PR_NUMBER: ${{ github.event.pull_request.number }} PR_NUMBER: ${{ github.event.pull_request.number }}
permissions: {} # No permissions required
jobs: jobs:
build: build:
name: "Build on ${{ matrix.image }}" name: "Build on ${{ matrix.image }}"


@ -3,6 +3,7 @@ on:
release: release:
types: [published] types: [published]
concurrency: ${{ github.workflow }} concurrency: ${{ github.workflow }}
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
build: build:
name: Build package name: Build package


@ -9,6 +9,7 @@ on:
concurrency: concurrency:
group: ${{ github.repository_owner }}-${{ github.workflow }}-${{ github.ref_name }} group: ${{ github.repository_owner }}-${{ github.workflow }}-${{ github.ref_name }}
cancel-in-progress: true cancel-in-progress: true
permissions: {}
jobs: jobs:
build: build:
name: "Build & Deploy develop.element.io" name: "Build & Deploy develop.element.io"
@ -16,6 +17,9 @@ jobs:
if: github.repository == 'element-hq/element-web' if: github.repository == 'element-hq/element-web'
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
environment: develop environment: develop
permissions:
checks: read
pages: write
env: env:
R2_BUCKET: "element-web-develop" R2_BUCKET: "element-web-develop"
R2_URL: ${{ vars.CF_R2_S3_API }} R2_URL: ${{ vars.CF_R2_S3_API }}
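Review bot: The new job-level block grants `pages: write` and `checks: read` without saying which step consumes them, and the job's visible configuration deploys to an R2 bucket (`R2_BUCKET`, `R2_URL`), so the Pages scope is not self-explanatory. Elsewhere in this commit non-obvious grants carry a trailing why-comment (the `id-token: write` one); I would do the same here, e.g. `pages: write # <name of the step that needs it>` and `checks: read # <step that polls checks>`. If no step in the job actually needs `pages: write`, drop it rather than carry a scope the job never uses.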


@ -7,14 +7,14 @@ on:
# This job can take a while, and we have usage limits, so just publish develop only twice a day # This job can take a while, and we have usage limits, so just publish develop only twice a day
- cron: "0 7/12 * * *" - cron: "0 7/12 * * *"
concurrency: ${{ github.workflow }}-${{ github.ref_name }} concurrency: ${{ github.workflow }}-${{ github.ref_name }}
permissions: {}
permissions:
id-token: write # needed for signing the images with GitHub OIDC Token
jobs: jobs:
buildx: buildx:
name: Docker Buildx name: Docker Buildx
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
environment: dockerhub environment: dockerhub
permissions:
id-token: write # needed for signing the images with GitHub OIDC Token
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:


@ -5,10 +5,7 @@ on:
branches: [develop] branches: [develop]
workflow_dispatch: {} workflow_dispatch: {}
permissions: permissions: {}
contents: read
pages: write
id-token: write
concurrency: concurrency:
group: "pages" group: "pages"
@ -100,6 +97,8 @@ jobs:
name: github-pages name: github-pages
url: ${{ steps.deployment.outputs.page_url }} url: ${{ steps.deployment.outputs.page_url }}
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
permissions:
pages: write
needs: build needs: build
steps: steps:
- name: Deploy to GitHub Pages - name: Deploy to GitHub Pages
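Review bot: The deploy job's new `permissions:` block grants only `pages: write`, but the top-level block it replaces also carried `id-token: write`, and a GitHub Pages deployment via actions/deploy-pages needs both because the action exchanges an OIDC token for the deployment. The `uses:` line of the "Deploy to GitHub Pages" step is outside the hunk, so this is inferred from the step name; if it is actions/deploy-pages the job block should read `pages: write` and `id-token: write # required by actions/deploy-pages`. The removed top-level `contents: read` also no longer applies to the build job; confirm its checkout still succeeds under the empty top-level block.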


@ -11,6 +11,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.run_id }} group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.run_id }}
cancel-in-progress: ${{ github.event.workflow_run.event == 'pull_request' }} cancel-in-progress: ${{ github.event.workflow_run.event == 'pull_request' }}
permissions: {}
jobs: jobs:
report: report:
if: github.event.workflow_run.conclusion != 'cancelled' if: github.event.workflow_run.conclusion != 'cancelled'
@ -20,11 +22,11 @@ jobs:
permissions: permissions:
statuses: write statuses: write
deployments: write deployments: write
actions: read
steps: steps:
- name: Download HTML report - name: Download HTML report
uses: actions/download-artifact@v4 uses: actions/download-artifact@v4
with: with:
github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
run-id: ${{ github.event.workflow_run.id }} run-id: ${{ github.event.workflow_run.id }}
name: html-report name: html-report
path: playwright-report path: playwright-report
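Review bot: The artifact download now runs under the job's `GITHUB_TOKEN` with `actions: read` instead of `ELEMENT_BOT_TOKEN` (the `github-token:` line appears only once, which I read as removed), which is a welcome narrowing, but the same job keeps `statuses: write` and `deployments: write` while unpacking an artifact produced by the triggering `workflow_run` — for the `pull_request` case that is code from a possibly-forked PR. Nothing in the hunk executes or evaluates the artifact, so this is a caveat rather than a defect, but it is worth recording above the download step: `# NOTE: artifact comes from the (possibly fork) PR run; treat its contents as untrusted data`. If the `github-token:` line was in fact kept, the new `actions: read` grant would be unused and should be dropped.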


@ -33,6 +33,8 @@ env:
# fetchdep.sh needs to know our PR number # fetchdep.sh needs to know our PR number
PR_NUMBER: ${{ github.event.pull_request.number }} PR_NUMBER: ${{ github.event.pull_request.number }}
permissions: {} # No permissions required
jobs: jobs:
build: build:
name: "Build Element-Web" name: "Build Element-Web"


@ -4,6 +4,7 @@
on: on:
issues: issues:
types: [closed] types: [closed]
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
tidy: tidy:
name: Tidy closed issues name: Tidy closed issues


@ -3,6 +3,7 @@ on:
workflow_dispatch: {} workflow_dispatch: {}
schedule: schedule:
- cron: "0 6 * * 1,3,5" # Every Monday, Wednesday and Friday at 6am UTC - cron: "0 6 * * 1,3,5" # Every Monday, Wednesday and Friday at 6am UTC
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
download: download:
uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_download.yaml@main uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_download.yaml@main


@ -4,6 +4,7 @@ on:
branches: [develop] branches: [develop]
paths: paths:
- "src/i18n/strings/en_EN.json" - "src/i18n/strings/en_EN.json"
permissions: {} # No permissions needed
jobs: jobs:
upload: upload:
uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_upload.yaml@main uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_upload.yaml@main


@ -11,6 +11,9 @@ jobs:
if: github.event.workflow_run.conclusion != 'cancelled' && github.event.workflow_run.event == 'pull_request' if: github.event.workflow_run.conclusion != 'cancelled' && github.event.workflow_run.event == 'pull_request'
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
environment: Netlify environment: Netlify
permissions:
actions: read
deployments: write
steps: steps:
- name: 📝 Create Deployment - name: 📝 Create Deployment
uses: bobheadxi/deployments@648679e8e4915b27893bd7dbc35cb504dc915bc8 # v1 uses: bobheadxi/deployments@648679e8e4915b27893bd7dbc35cb504dc915bc8 # v1
@ -27,7 +30,6 @@ jobs:
- name: 📥 Download artifact - name: 📥 Download artifact
uses: actions/download-artifact@v4 uses: actions/download-artifact@v4
with: with:
github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
run-id: ${{ github.event.workflow_run.id }} run-id: ${{ github.event.workflow_run.id }}
name: webapp name: webapp
path: webapp path: webapp


@ -6,6 +6,7 @@ on:
#schedule: #schedule:
# - cron: "*/10 * * * *" # - cron: "*/10 * * * *"
concurrency: ${{ github.workflow }} concurrency: ${{ github.workflow }}
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
bot: bot:
name: Pending reviews bot name: Pending reviews bot


@ -3,9 +3,12 @@ on:
workflow_dispatch: {} workflow_dispatch: {}
schedule: schedule:
- cron: "0 6 * * *" # Every day at 6am UTC - cron: "0 6 * * *" # Every day at 6am UTC
permissions: {}
jobs: jobs:
update: update:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
permissions:
pull-requests: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
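Review bot: The update job is granted `pull-requests: write` alone; if it opens a pull request by pushing a branch with `GITHUB_TOKEN` (the steps after checkout are outside the hunk, so this is inferred from the scope), it will also need `contents: write`, since creating the PR and pushing its branch are separate scopes. If instead it pushes with `ELEMENT_BOT_TOKEN`, the grant is fine but deserves the same style of annotation used elsewhere in this commit, e.g. `pull-requests: write # gh pr create; branch is pushed with ELEMENT_BOT_TOKEN`.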


@ -4,6 +4,7 @@ on:
types: [opened, edited, labeled, unlabeled, synchronize] types: [opened, edited, labeled, unlabeled, synchronize]
merge_group: merge_group:
types: [checks_requested] types: [checks_requested]
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
action: action:
uses: matrix-org/matrix-js-sdk/.github/workflows/pull_request.yaml@develop uses: matrix-org/matrix-js-sdk/.github/workflows/pull_request.yaml@develop


@ -2,6 +2,7 @@ name: Pull Request Base Branch
on: on:
pull_request: pull_request:
types: [opened, edited, synchronize] types: [opened, edited, synchronize]
permissions: {} # No permissions required
jobs: jobs:
check_base_branch: check_base_branch:
name: Check PR base branch name: Check PR base branch


@ -4,6 +4,9 @@ on:
branches: [staging] branches: [staging]
workflow_dispatch: {} workflow_dispatch: {}
concurrency: ${{ github.workflow }} concurrency: ${{ github.workflow }}
permissions: {}
jobs: jobs:
draft: draft:
permissions:
contents: write
uses: matrix-org/matrix-js-sdk/.github/workflows/release-drafter-workflow.yml@develop uses: matrix-org/matrix-js-sdk/.github/workflows/release-drafter-workflow.yml@develop


@ -4,6 +4,7 @@ on:
push: push:
branches: [master] branches: [master]
concurrency: ${{ github.repository }}-${{ github.workflow }} concurrency: ${{ github.repository }}-${{ github.workflow }}
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
merge: merge:
uses: matrix-org/matrix-js-sdk/.github/workflows/release-gitflow.yml@develop uses: matrix-org/matrix-js-sdk/.github/workflows/release-gitflow.yml@develop


@ -11,9 +11,13 @@ on:
- rc - rc
- final - final
concurrency: ${{ github.workflow }} concurrency: ${{ github.workflow }}
permissions: {}
jobs: jobs:
release: release:
uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop
permissions:
contents: write
issues: write
secrets: secrets:
ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }} ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
@ -42,6 +46,8 @@ jobs:
name: Post release checks name: Post release checks
needs: release needs: release
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
permissions:
checks: read
steps: steps:
- name: Wait for dockerhub - name: Wait for dockerhub
uses: t3chguy/wait-on-check-action@18541021811b56544d90e0f073401c2b99e249d6 # fork uses: t3chguy/wait-on-check-action@18541021811b56544d90e0f073401c2b99e249d6 # fork


@ -17,6 +17,7 @@ on:
required: true required: true
type: boolean type: boolean
default: true default: true
permissions: {} # Uses ELEMENT_BOT_TOKEN instead
jobs: jobs:
prepare: prepare:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04


@ -7,11 +7,16 @@ on:
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch }} group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch }}
cancel-in-progress: true cancel-in-progress: true
permissions: {}
jobs: jobs:
sonarqube: sonarqube:
name: 🩻 SonarQube name: 🩻 SonarQube
if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event != 'merge_group' if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event != 'merge_group'
uses: matrix-org/matrix-js-sdk/.github/workflows/sonarcloud.yml@develop uses: matrix-org/matrix-js-sdk/.github/workflows/sonarcloud.yml@develop
permissions:
actions: read
statuses: write
id-token: write # sonar
secrets: secrets:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }} ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
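Review bot: `id-token: write # sonar` is the broadest of the three grants on this job — it lets the called workflow mint OIDC tokens that any external trust policy bound to this repository would accept — and the comment does not say what the token is exchanged for, especially since `SONAR_TOKEN` is passed as a secret in the same block. I would expand it to name the consumer, e.g. `id-token: write # consumed by sonarcloud.yml (matrix-js-sdk); see that workflow for the OIDC exchange`. Note also that this grant is delegated to `matrix-org/matrix-js-sdk/.github/workflows/sonarcloud.yml@develop`, a moving branch rather than a commit SHA, on a `workflow_run`-triggered job; pinning the reusable workflow by SHA would bound what that OIDC scope can be used for.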


@ -16,6 +16,8 @@ env:
REPOSITORY: ${{ github.repository }} REPOSITORY: ${{ github.repository }}
PR_NUMBER: ${{ github.event.pull_request.number }} PR_NUMBER: ${{ github.event.pull_request.number }}
permissions: {} # No permissions required
jobs: jobs:
ts_lint: ts_lint:
name: "Typescript Syntax Check" name: "Typescript Syntax Check"


@ -8,6 +8,9 @@ on:
- develop - develop
paths: paths:
- .github/labels.yml - .github/labels.yml
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
sync-labels: sync-labels:
uses: element-hq/element-meta/.github/workflows/sync-labels.yml@develop uses: element-hq/element-meta/.github/workflows/sync-labels.yml@develop


@ -26,6 +26,8 @@ env:
# fetchdep.sh needs to know our PR number # fetchdep.sh needs to know our PR number
PR_NUMBER: ${{ github.event.pull_request.number }} PR_NUMBER: ${{ github.event.pull_request.number }}
permissions: {}
jobs: jobs:
jest: jest:
name: Jest name: Jest
@ -94,6 +96,8 @@ jobs:
needs: jest needs: jest
if: always() if: always()
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
permissions:
checks: write
steps: steps:
- if: needs.jest.result != 'skipped' && needs.jest.result != 'success' - if: needs.jest.result != 'skipped' && needs.jest.result != 'success'
run: exit 1 run: exit 1


@ -4,6 +4,8 @@ on:
issues: issues:
types: [assigned] types: [assigned]
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
web-app-team: web-app-team:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04


@ -4,6 +4,8 @@ on:
issues: issues:
types: [opened] types: [opened]
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
automate-project-columns: automate-project-columns:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04


@ -8,6 +8,8 @@ on:
ELEMENT_BOT_TOKEN: ELEMENT_BOT_TOKEN:
required: true required: true
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
apply_Z-Labs_label: apply_Z-Labs_label:
name: Add Z-Labs label for features behind labs flags name: Add Z-Labs label for features behind labs flags


@ -3,6 +3,7 @@ on:
pull_request_target: pull_request_target:
types: [review_requested] types: [review_requested]
permissions: {} # Uses ELEMENT_BOT_TOKEN instead
jobs: jobs:
add_design_pr_to_project: add_design_pr_to_project:
name: Move PRs asking for design review to the design board name: Move PRs asking for design review to the design board


@ -2,6 +2,7 @@ name: Close stale flaky issues
on: on:
schedule: schedule:
- cron: "30 1 * * *" - cron: "30 1 * * *"
permissions: {}
jobs: jobs:
close: close:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04


@ -3,11 +3,13 @@ name: Move unlabelled from needs info columns to triaged
on: on:
issues: issues:
types: [unlabeled] types: [unlabeled]
permissions: {}
jobs: jobs:
Move_Unabeled_Issue_On_Project_Board: Move_Unabeled_Issue_On_Project_Board:
name: Move no longer X-Needs-Info issues to Triaged name: Move no longer X-Needs-Info issues to Triaged
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
permissions:
repository-projects: read
if: > if: >
${{ ${{
!contains(github.event.issue.labels.*.name, 'X-Needs-Info') }} !contains(github.event.issue.labels.*.name, 'X-Needs-Info') }}


@ -4,6 +4,7 @@ on:
workflow_dispatch: {} workflow_dispatch: {}
schedule: schedule:
- cron: "0 3 * * 0" # 3am every Sunday - cron: "0 3 * * 0" # 3am every Sunday
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
update: update:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04


@ -15,6 +15,7 @@ on:
required: true required: true
type: string type: string
concurrency: ${{ github.workflow }} concurrency: ${{ github.workflow }}
permissions: {} # No permissions required
jobs: jobs:
bot: bot:
name: Release topic update name: Release topic update