Merge branch 'develop' into florianduros/rip-out-legacy-crypto/migrate-EventTile-isRoomEncrypted

2024-11-21 17:47:52 +01:00 · 2024-11-21 17:47:52 +01:00 · ce1f66813c
parent 45596d71a2 affa4e5211
commit ce1f66813c
32 changed files with 77 additions and 11 deletions
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@ -7,6 +7,8 @@ on:
        branches:
            - develop

+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+
 jobs:
    backport:
        name: Backport
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -10,6 +10,7 @@ env:
    # These must be set for fetchdep.sh to get the right branch
    REPOSITORY: ${{ github.repository }}
    PR_NUMBER: ${{ github.event.pull_request.number }}
+permissions: {} # No permissions required
 jobs:
    build:
        name: "Build on ${{ matrix.image }}"
--- a/.github/workflows/build_debian.yaml
+++ b/.github/workflows/build_debian.yaml
@ -3,6 +3,7 @@ on:
    release:
        types: [published]
 concurrency: ${{ github.workflow }}
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
    build:
        name: Build package
--- a/.github/workflows/build_develop.yml
+++ b/.github/workflows/build_develop.yml
@ -9,6 +9,7 @@ on:
 concurrency:
    group: ${{ github.repository_owner }}-${{ github.workflow }}-${{ github.ref_name }}
    cancel-in-progress: true
+permissions: {}
 jobs:
    build:
        name: "Build & Deploy develop.element.io"
@ -16,6 +17,9 @@ jobs:
        if: github.repository == 'element-hq/element-web'
        runs-on: ubuntu-24.04
        environment: develop
+        permissions:
+            checks: read
+            pages: write
        env:
            R2_BUCKET: "element-web-develop"
            R2_URL: ${{ vars.CF_R2_S3_API }}
--- a/.github/workflows/dockerhub.yaml
+++ b/.github/workflows/dockerhub.yaml
@ -7,14 +7,14 @@ on:
        # This job can take a while, and we have usage limits, so just publish develop only twice a day
        - cron: "0 7/12 * * *"
 concurrency: ${{ github.workflow }}-${{ github.ref_name }}
-
-permissions:
-    id-token: write # needed for signing the images with GitHub OIDC Token
+permissions: {}
 jobs:
    buildx:
        name: Docker Buildx
        runs-on: ubuntu-24.04
        environment: dockerhub
+        permissions:
+            id-token: write # needed for signing the images with GitHub OIDC Token
        steps:
            - uses: actions/checkout@v4
              with:
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@ -5,10 +5,7 @@ on:
        branches: [develop]
    workflow_dispatch: {}

-permissions:
-    contents: read
-    pages: write
-    id-token: write
+permissions: {}

 concurrency:
    group: "pages"
@ -100,6 +97,9 @@ jobs:
            name: github-pages
            url: ${{ steps.deployment.outputs.page_url }}
        runs-on: ubuntu-24.04
+        permissions:
+            pages: write
+            id-token: write
        needs: build
        steps:
            - name: Deploy to GitHub Pages
--- a/.github/workflows/end-to-end-tests-netlify.yaml
+++ b/.github/workflows/end-to-end-tests-netlify.yaml
@ -11,6 +11,8 @@ concurrency:
    group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.run_id }}
    cancel-in-progress: ${{ github.event.workflow_run.event == 'pull_request' }}

+permissions: {}
+
 jobs:
    report:
        if: github.event.workflow_run.conclusion != 'cancelled'
@ -20,11 +22,12 @@ jobs:
        permissions:
            statuses: write
            deployments: write
+            actions: read
        steps:
            - name: Download HTML report
              uses: actions/download-artifact@v4
              with:
-                  github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
+                  github-token: ${{ secrets.GITHUB_TOKEN }}
                  run-id: ${{ github.event.workflow_run.id }}
                  name: html-report
                  path: playwright-report
--- a/.github/workflows/end-to-end-tests.yaml
+++ b/.github/workflows/end-to-end-tests.yaml
@ -33,6 +33,8 @@ env:
    # fetchdep.sh needs to know our PR number
    PR_NUMBER: ${{ github.event.pull_request.number }}

+permissions: {} # No permissions required
+
 jobs:
    build:
        name: "Build Element-Web"
--- a/.github/workflows/issue_closed.yml
+++ b/.github/workflows/issue_closed.yml
@ -4,6 +4,7 @@
 on:
    issues:
        types: [closed]
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
    tidy:
        name: Tidy closed issues
--- a/.github/workflows/localazy_download.yaml
+++ b/.github/workflows/localazy_download.yaml
@ -3,6 +3,7 @@ on:
    workflow_dispatch: {}
    schedule:
        - cron: "0 6 * * 1,3,5" # Every Monday, Wednesday and Friday at 6am UTC
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
    download:
        uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_download.yaml@main
--- a/.github/workflows/localazy_upload.yaml
+++ b/.github/workflows/localazy_upload.yaml
@ -4,6 +4,7 @@ on:
        branches: [develop]
        paths:
            - "src/i18n/strings/en_EN.json"
+permissions: {} # No permissions needed
 jobs:
    upload:
        uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_upload.yaml@main
--- a/.github/workflows/netlify.yaml
+++ b/.github/workflows/netlify.yaml
@ -11,6 +11,9 @@ jobs:
        if: github.event.workflow_run.conclusion != 'cancelled' && github.event.workflow_run.event == 'pull_request'
        runs-on: ubuntu-24.04
        environment: Netlify
+        permissions:
+            actions: read
+            deployments: write
        steps:
            - name: 📝 Create Deployment
              uses: bobheadxi/deployments@648679e8e4915b27893bd7dbc35cb504dc915bc8 # v1
@ -27,7 +30,7 @@ jobs:
            - name: 📥 Download artifact
              uses: actions/download-artifact@v4
              with:
-                  github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
+                  github-token: ${{ secrets.GITHUB_TOKEN }}
                  run-id: ${{ github.event.workflow_run.id }}
                  name: webapp
                  path: webapp
--- a/.github/workflows/pending-reviews.yaml
+++ b/.github/workflows/pending-reviews.yaml
@ -6,6 +6,7 @@ on:
    #schedule:
    #    - cron: "*/10 * * * *"
 concurrency: ${{ github.workflow }}
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
    bot:
        name: Pending reviews bot
--- a/.github/workflows/playwright-image-updates.yaml
+++ b/.github/workflows/playwright-image-updates.yaml
@ -3,9 +3,12 @@ on:
    workflow_dispatch: {}
    schedule:
        - cron: "0 6 * * *" # Every day at 6am UTC
+permissions: {}
 jobs:
    update:
        runs-on: ubuntu-24.04
+        permissions:
+            pull-requests: write
        steps:
            - uses: actions/checkout@v4

--- a/.github/workflows/pull_request.yaml
+++ b/.github/workflows/pull_request.yaml
@ -4,8 +4,11 @@ on:
        types: [opened, edited, labeled, unlabeled, synchronize]
    merge_group:
        types: [checks_requested]
+permissions: {}
 jobs:
    action:
        uses: matrix-org/matrix-js-sdk/.github/workflows/pull_request.yaml@develop
+        permissions:
+            pull-requests: read
        secrets:
            ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
--- a/.github/workflows/pull_request_base_branch.yaml
+++ b/.github/workflows/pull_request_base_branch.yaml
@ -2,6 +2,7 @@ name: Pull Request Base Branch
 on:
    pull_request:
        types: [opened, edited, synchronize]
+permissions: {} # No permissions required
 jobs:
    check_base_branch:
        name: Check PR base branch
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@ -4,6 +4,9 @@ on:
        branches: [staging]
    workflow_dispatch: {}
 concurrency: ${{ github.workflow }}
+permissions: {}
 jobs:
    draft:
+        permissions:
+            contents: write
        uses: matrix-org/matrix-js-sdk/.github/workflows/release-drafter-workflow.yml@develop
--- a/.github/workflows/release-gitflow.yml
+++ b/.github/workflows/release-gitflow.yml
@ -4,6 +4,7 @@ on:
    push:
        branches: [master]
 concurrency: ${{ github.repository }}-${{ github.workflow }}
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
    merge:
        uses: matrix-org/matrix-js-sdk/.github/workflows/release-gitflow.yml@develop
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -11,9 +11,13 @@ on:
                    - rc
                    - final
 concurrency: ${{ github.workflow }}
+permissions: {}
 jobs:
    release:
        uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop
+        permissions:
+            contents: write
+            issues: write
        secrets:
            ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
            GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
@ -42,6 +46,8 @@ jobs:
        name: Post release checks
        needs: release
        runs-on: ubuntu-24.04
+        permissions:
+            checks: read
        steps:
            - name: Wait for dockerhub
              uses: t3chguy/wait-on-check-action@18541021811b56544d90e0f073401c2b99e249d6 # fork
--- a/.github/workflows/release_prepare.yml
+++ b/.github/workflows/release_prepare.yml
@ -17,6 +17,7 @@ on:
                required: true
                type: boolean
                default: true
+permissions: {} # Uses ELEMENT_BOT_TOKEN instead
 jobs:
    prepare:
        runs-on: ubuntu-24.04
--- a/.github/workflows/sonarqube.yml
+++ b/.github/workflows/sonarqube.yml
@ -7,11 +7,16 @@ on:
 concurrency:
    group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch }}
    cancel-in-progress: true
+permissions: {}
 jobs:
    sonarqube:
        name: 🩻 SonarQube
        if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event != 'merge_group'
        uses: matrix-org/matrix-js-sdk/.github/workflows/sonarcloud.yml@develop
+        permissions:
+            actions: read
+            statuses: write
+            id-token: write # sonar
        secrets:
            SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
            ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
--- a/.github/workflows/static_analysis.yaml
+++ b/.github/workflows/static_analysis.yaml
@ -16,6 +16,8 @@ env:
    REPOSITORY: ${{ github.repository }}
    PR_NUMBER: ${{ github.event.pull_request.number }}

+permissions: {} # No permissions required
+
 jobs:
    ts_lint:
        name: "Typescript Syntax Check"
@ -37,6 +39,8 @@ jobs:
    i18n_lint:
        name: "i18n Check"
        uses: matrix-org/matrix-web-i18n/.github/workflows/i18n_check.yml@main
+        permissions:
+            pull-requests: read
        with:
            hardcoded-words: "Element"
            allowed-hardcoded-keys: |
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@ -8,6 +8,9 @@ on:
            - develop
        paths:
            - .github/labels.yml
+
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+
 jobs:
    sync-labels:
        uses: element-hq/element-meta/.github/workflows/sync-labels.yml@develop
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@ -26,6 +26,8 @@ env:
    # fetchdep.sh needs to know our PR number
    PR_NUMBER: ${{ github.event.pull_request.number }}

+permissions: {}
+
 jobs:
    jest:
        name: Jest
@ -94,13 +96,15 @@ jobs:
        needs: jest
        if: always()
        runs-on: ubuntu-24.04
+        permissions:
+            statuses: write
        steps:
            - if: needs.jest.result != 'skipped' && needs.jest.result != 'success'
              run: exit 1

            - name: Skip SonarCloud in merge queue
              if: github.event_name == 'merge_group' || inputs.disable_coverage == 'true'
-              uses: Sibz/github-status-action@faaa4d96fecf273bd762985e0e7f9f933c774918 # v1
+              uses: guibranco/github-status-action-v2@1f26a0237cd1a57626fbb5a0eb2494c9b8797d07
              with:
                  authToken: ${{ secrets.GITHUB_TOKEN }}
                  state: success
--- a/.github/workflows/triage-assigned.yml
+++ b/.github/workflows/triage-assigned.yml
@ -4,6 +4,8 @@ on:
    issues:
        types: [assigned]

+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+
 jobs:
    web-app-team:
        runs-on: ubuntu-24.04
--- a/.github/workflows/triage-incoming.yml
+++ b/.github/workflows/triage-incoming.yml
@ -4,6 +4,8 @@ on:
    issues:
        types: [opened]

+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+
 jobs:
    automate-project-columns:
        runs-on: ubuntu-24.04
--- a/.github/workflows/triage-labelled.yml
+++ b/.github/workflows/triage-labelled.yml
@ -8,6 +8,8 @@ on:
            ELEMENT_BOT_TOKEN:
                required: true

+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+
 jobs:
    apply_Z-Labs_label:
        name: Add Z-Labs label for features behind labs flags
--- a/.github/workflows/triage-move-review-requests.yml
+++ b/.github/workflows/triage-move-review-requests.yml
@ -3,6 +3,7 @@ on:
    pull_request_target:
        types: [review_requested]

+permissions: {} # Uses ELEMENT_BOT_TOKEN instead
 jobs:
    add_design_pr_to_project:
        name: Move PRs asking for design review to the design board
--- a/.github/workflows/triage-stale-flaky-tests.yml
+++ b/.github/workflows/triage-stale-flaky-tests.yml
@ -2,6 +2,7 @@ name: Close stale flaky issues
 on:
    schedule:
        - cron: "30 1 * * *"
+permissions: {}
 jobs:
    close:
        runs-on: ubuntu-24.04
--- a/.github/workflows/triage-unlabelled.yml
+++ b/.github/workflows/triage-unlabelled.yml
@ -3,11 +3,13 @@ name: Move unlabelled from needs info columns to triaged
 on:
    issues:
        types: [unlabeled]
-
+permissions: {}
 jobs:
    Move_Unabeled_Issue_On_Project_Board:
        name: Move no longer X-Needs-Info issues to Triaged
        runs-on: ubuntu-24.04
+        permissions:
+            repository-projects: read
        if: >
            ${{
            !contains(github.event.issue.labels.*.name, 'X-Needs-Info') }}
--- a/.github/workflows/update-jitsi.yml
+++ b/.github/workflows/update-jitsi.yml
@ -4,6 +4,7 @@ on:
    workflow_dispatch: {}
    schedule:
        - cron: "0 3 * * 0" # 3am every Sunday
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
    update:
        runs-on: ubuntu-24.04
--- a/.github/workflows/update-topics.yaml
+++ b/.github/workflows/update-topics.yaml
@ -15,6 +15,7 @@ on:
                required: true
                type: string
 concurrency: ${{ github.workflow }}
+permissions: {} # No permissions required
 jobs:
    bot:
        name: Release topic update