Fix cypress checkout and use github actions environments (#8790)

* Fix cypress checkout and use github actions environments

* Harden github token for cypress.yaml

* Allow writing status checks

.github/workflows/cypress.yaml

@@ -10,6 +10,12 @@ jobs:
   cypress:
     if: github.event.workflow_run.conclusion == 'success'
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      checks: write
+      issues: read
+      pull-requests: read
+    environment: Cypress
     steps:
       # Wire up the status check for this workflow_run action
       - uses: haya14busa/action-workflow_run-status@967ed83efa565c257675ed70cfe5231f062ddd94 # v1.0.0
@@ -22,6 +28,13 @@ jobs:
           branch: ${{ github.event.workflow_run.head_branch }}
 
       - uses: actions/checkout@v2
+        with:
+          # XXX: We're checking out untrusted code in a secure context
+          # We need to be careful to not trust anything this code outputs/may do
+          # We need to check this out to access the cypress tests which are on the head branch
+          repository: ${{ github.event.workflow_run.head_repository.full_name }}
+          ref: ${{ github.event.workflow_run.head_sha }}
+          persist-credentials: false
 
       # There's a 'download artifact' action, but it hasn't been updated for the workflow_run action
       # (https://github.com/actions/download-artifact/issues/60) so instead we get this mess:
@@ -86,16 +99,34 @@ jobs:
             cypress/videos
             cypress/synapselogs
 
+      - name: Upload Benchmark
+        uses: actions/upload-artifact@v2
+        with:
+          name: cypress-benchmark
+          path: cypress/performance/measurements.json
+          retention-days: 1
+
+  store-benchmark:
+    needs: cypress
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.event != 'pull_request'
+    permissions:
+      contents: write
+    steps:
+      - name: Download benchmark result
+        uses: actions/download-artifact@v3
+        with:
+          name: cypress-benchmark
+
       - name: Store benchmark result
-        if: github.event.workflow_run.event != 'pull_request'
         uses: matrix-org/github-action-benchmark@jsperfentry-5
         with:
           name: Cypress measurements
           tool: 'jsperformanceentry'
-          output-file-path: cypress/performance/measurements.json
+          output-file-path: measurements.json
           # The dashboard is available at https://matrix-org.github.io/matrix-react-sdk/cypress/bench/
           benchmark-data-dir-path: cypress/bench
           fail-on-alert: false
           comment-on-alert: false
-          github-token: ${{ secrets.DEPLOY_GH_PAGES }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
           auto-push: ${{ github.event.workflow_run.event != 'pull_request' }}

.github/workflows/end-to-end-tests.yaml

@@ -53,5 +53,5 @@ jobs:
           benchmark-data-dir-path: dev/bench
           fail-on-alert: false
           comment-on-alert: false
-          github-token: ${{ secrets.DEPLOY_GH_PAGES }}
+          github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
           auto-push: ${{ github.ref == 'refs/heads/develop' }}

.github/workflows/netlify.yaml

@@ -10,6 +10,7 @@ jobs:
   deploy:
     if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request'
     runs-on: ubuntu-latest
+    environment: Netlify
     steps:
       - name: 📝 Create Deployment
         uses: bobheadxi/deployments@v1