diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 7252c27b5f..5a11ad5bbd 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -7,6 +7,8 @@ on: branches: - develop +permissions: {} # We use ELEMENT_BOT_TOKEN instead + jobs: backport: name: Backport
diff --git a/.github/workflows/docs-pr-netlify.yaml b/.github/workflows/docs-pr-netlify.yaml
index 94d2f7a83c..7365010fb8 100644
--- a/.github/workflows/docs-pr-netlify.yaml
+++ b/.github/workflows/docs-pr-netlify.yaml
@@ -5,16 +5,17 @@ on: workflows: ["Static Analysis"] types: - completed - +permissions: {} jobs: netlify: if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request' runs-on: ubuntu-24.04 + permissions: + actions: read steps: - name: 📥 Download artifact uses: actions/download-artifact@v4 with: - github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} run-id: ${{ github.event.workflow_run.id }} name: docs path: docs
diff --git a/.github/workflows/downstream-end-to-end-tests.yml b/.github/workflows/downstream-end-to-end-tests.yml
index 6bbf336322..449491ef80 100644
--- a/.github/workflows/downstream-end-to-end-tests.yml
+++ b/.github/workflows/downstream-end-to-end-tests.yml
@@ -13,7 +13,7 @@ on: # #push: # branches: [develop, master] - +permissions: {} # No permissions required concurrency: group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.run_id }} cancel-in-progress: ${{ github.event.workflow_run.event == 'pull_request' }}
diff --git a/.github/workflows/notify-downstream.yaml b/.github/workflows/notify-downstream.yaml
index 8f5dc944b7..7139b90e60 100644
--- a/.github/workflows/notify-downstream.yaml
+++ b/.github/workflows/notify-downstream.yaml
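Review bot: The new `actions: read` grant on the netlify job carries no comment saying why it exists, while the job's real exposure is that the `docs` artifact it now downloads with the default token was produced by a `workflow_run` of a pull_request, which includes fork PRs, so its contents are attacker-controlled and must only ever be handled as inert files. Annotate the grant so it is not widened later: `actions: read # only to download the artifact from the triggering run`. The Netlify deploy step follows outside the hunk, so whether it publishes the artifact as-is or executes anything from it cannot be confirmed here.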
@@ -3,6 +3,7 @@ on: push: branches: [develop] concurrency: ${{ github.workflow }}-${{ github.ref }} +permissions: {} # We use ELEMENT_BOT_TOKEN instead jobs: notify-downstream: # Only respect triggers from our develop branch, ignore that of forks
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
index 7976109aed..47b83b440b 100644
--- a/.github/workflows/pull_request.yaml
+++ b/.github/workflows/pull_request.yaml
@@ -9,6 +9,7 @@ on: ELEMENT_BOT_TOKEN: required: true concurrency: ${{ github.workflow }}-${{ github.event.pull_request.head.ref || github.head_ref || github.ref }} +permissions: {} # We use ELEMENT_BOT_TOKEN instead jobs: changelog: name: Preview Changelog
diff --git a/.github/workflows/release-drafter-workflow.yml b/.github/workflows/release-drafter-workflow.yml
index af4a431c7c..239ad8144f 100644
--- a/.github/workflows/release-drafter-workflow.yml
+++ b/.github/workflows/release-drafter-workflow.yml
@@ -8,9 +8,12 @@ on: type: string required: false concurrency: release-drafter-action +permissions: {} jobs: draft: runs-on: ubuntu-24.04 + permissions: + contents: write steps: - name: 🧮 Checkout code uses: actions/checkout@v4
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index e8fc784191..d54453df83 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -8,6 +8,9 @@ on: branches: [staging] workflow_dispatch: {} concurrency: ${{ github.workflow }} +permissions: {} jobs: draft: + permissions: + contents: write uses: matrix-org/matrix-js-sdk/.github/workflows/release-drafter-workflow.yml@develop
diff --git a/.github/workflows/release-gitflow.yml b/.github/workflows/release-gitflow.yml
index 569542b8cf..ff6a2ec33b 100644
--- a/.github/workflows/release-gitflow.yml
+++ b/.github/workflows/release-gitflow.yml
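Review bot: `contents: write` on the draft job in release-drafter-workflow.yml has no comment naming the step that needs it, unlike the `# sonar` and `# We use ELEMENT_BOT_TOKEN instead` annotations elsewhere in this change, and the only step visible in the hunk is a checkout, which does not need write. Presumably it is for the release-drafter step that creates or updates the draft release; confirm and annotate it, e.g. `contents: write # release-drafter creates/updates the draft release`, so the grant is tied to a step and can be dropped if that step changes. The remaining steps of the job are outside the hunk.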
@@ -13,12 +13,14 @@ on: type: string required: false concurrency: ${{ github.workflow }} +permissions: {} # Uses ELEMENT_BOT_TOKEN jobs: merge: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 with: + # We will be pushing to this branch and want the CI to run after we do so we cannot use the GITHUB_TOKEN token: ${{ secrets.ELEMENT_BOT_TOKEN }} fetch-depth: 0
diff --git a/.github/workflows/release-make.yml b/.github/workflows/release-make.yml
index 79bd1a9b5a..00075f415a 100644
--- a/.github/workflows/release-make.yml
+++ b/.github/workflows/release-make.yml
@@ -38,11 +38,14 @@ on: description: The number of expected assets, including signatures, excluding generated zip & tarball. type: number required: false +permissions: {} jobs: release: name: Release runs-on: ubuntu-24.04 environment: Release + permissions: + contents: write steps: - name: Load GPG key id: gpg
@@ -65,6 +68,7 @@ jobs: - uses: actions/checkout@v4 with: ref: staging + # We will be pushing to this branch and want the CI to run after we do so we cannot use the GITHUB_TOKEN token: ${{ secrets.ELEMENT_BOT_TOKEN }} fetch-depth: 0
@@ -274,6 +278,8 @@ jobs: name: Post release steps needs: release runs-on: ubuntu-24.04 + permissions: + issues: write steps: - id: repository run: echo "REPO=${GITHUB_REPOSITORY#*/}" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/release-npm.yml b/.github/workflows/release-npm.yml
index b313e7536b..4d7b892832 100644
--- a/.github/workflows/release-npm.yml
+++ b/.github/workflows/release-npm.yml
@@ -8,6 +8,7 @@ on: id: description: "The npm package@version string we published" value: ${{ jobs.npm.outputs.id }} +permissions: {} # No permissions required jobs: npm: name: Publish to npm
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index de3e4810cf..1f20a989c6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
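Review bot: `permissions: {} # No permissions required` in release-npm.yml may be wrong for a job named "Publish to npm": if the publish step, which is outside the hunk, runs `npm publish --provenance` or uses npm trusted publishing, it needs `id-token: write` on the job to mint the OIDC token, and an empty permissions map will make it fail at publish time. If it authenticates with an npm token secret only, the comment is correct but should say so, e.g. `permissions: {} # publish authenticates with the npm token secret; no GITHUB_TOKEN use`, so a later switch to provenance is not blocked silently. The job body cannot be checked from this hunk.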
@@ -21,6 +21,7 @@ on: type: boolean default: true concurrency: ${{ github.workflow }} +permissions: {} # No permissions required jobs: release: uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index b5630a6283..a97495e83b 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -5,19 +5,25 @@ on: secrets: SONAR_TOKEN: required: true + # No longer used ELEMENT_BOT_TOKEN: - required: true + required: false inputs: sharded: type: boolean required: false description: "Whether to combine multiple LCOV and jest-sonar-report files in coverage artifact" +permissions: {} jobs: sonarqube: runs-on: ubuntu-24.04 if: | github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event != 'merge_group' + permissions: + actions: read + statuses: write + id-token: write # sonar steps: # We create the status here and then update it to success/failure in the `report` stage # This provides an easy link to this workflow_run from the PR before Sonarcloud is done.
@@ -40,7 +46,6 @@ jobs: uses: actions/download-artifact@v4 if: ${{ !inputs.sharded }} with: - github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} run-id: ${{ github.event.workflow_run.id }} name: coverage path: coverage
@@ -48,7 +53,6 @@ jobs: uses: actions/download-artifact@v4 if: inputs.sharded with: - github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} run-id: ${{ github.event.workflow_run.id }} pattern: coverage-* path: coverage
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
index d9b26c78e8..0b11be815e 100644
--- a/.github/workflows/sonarqube.yml
+++ b/.github/workflows/sonarqube.yml
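Review bot: `permissions: {} # No permissions required` in release.yml looks wrong: its `release` job only calls the reusable `release-make.yml`, whose jobs in this same change declare `contents: write` and `issues: write`, and a called workflow can only downgrade the GITHUB_TOKEN permissions handed to it by the caller, never raise them, so those grants become empty and the release and issue steps will fail with 403. The sibling callers in this change (`release-drafter.yml`, `sonarqube.yml`, `tests.yml`) put the needed grants on their `uses:` jobs for exactly this reason. Unless a job-level `permissions:` block follows outside the hunk, add `permissions:` with `contents: write` and `issues: write` under the `release` job and change the comment to say the grants live on the job.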
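Review bot: `id-token: write # sonar` in sonarcloud.yml is the one grant here not tied to a visible step, and the comment does not say what consumes the OIDC token; this job also ingests coverage artifacts from fork PR runs, so an unexplained write scope is exactly the kind that outlives its use. If the SonarQube scan step outside the hunk authenticates with `SONAR_TOKEN` alone, drop the grant; otherwise name the consumer, e.g. `id-token: write # OIDC token exchanged by the SonarQube scan step`. The `# No longer used` / `required: false` change keeps ELEMENT_BOT_TOKEN accepted for caller compatibility, which is fine, but a note on when callers can stop passing it would help retire the secret.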
@@ -7,10 +7,15 @@ on: concurrency: group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch }} cancel-in-progress: true +permissions: {} jobs: sonarqube: name: 🩻 SonarQube if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event != 'merge_group' + permissions: + actions: read + statuses: write + id-token: write # sonar uses: matrix-org/matrix-js-sdk/.github/workflows/sonarcloud.yml@develop secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/static_analysis.yml b/.github/workflows/static_analysis.yml
index ec6ba4bbc7..c81583f05a 100644
--- a/.github/workflows/static_analysis.yml
+++ b/.github/workflows/static_analysis.yml
@@ -8,6 +8,7 @@ on: concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} # No permissions needed jobs: ts_lint: name: "Typescript Syntax Check"
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index bb22292a64..97f250f435 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -8,6 +8,7 @@ on: - develop paths: - .github/labels.yml +permissions: {} # We use ELEMENT_BOT_TOKEN instead jobs: sync-labels: uses: element-hq/element-meta/.github/workflows/sync-labels.yml@develop
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 9dc700ef01..0146bb6873 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -10,6 +10,7 @@ concurrency: cancel-in-progress: true env: ENABLE_COVERAGE: ${{ github.event_name != 'merge_group' }} +permissions: {} # No permissions required jobs: jest: name: "Jest [${{ matrix.specs }}] (Node ${{ matrix.node == '*' && 'latest' || matrix.node }})"
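Review bot: sonarcloud.yml now marks ELEMENT_BOT_TOKEN as `# No longer used`, but this caller in sonarqube.yml still has a `secrets:` block whose remaining entries continue outside the hunk; if it still forwards `ELEMENT_BOT_TOKEN`, remove that line in the same change, since a secret passed to a reusable workflow is readable by every step in it whether or not a step uses it. The job-level grants here mirror the called workflow's exactly, which is right, but the same `id-token: write # sonar` comment should name its consumer. The `secrets:` block's end is not visible in this hunk.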
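Review bot: The comment `# No permissions required` on the workflow-level `permissions: {}` in tests.yml is inaccurate for this file: the later hunks in the same change grant `statuses: write` to the element-web and sonar jobs and `read-all` to complement-crypto, so permissions are required, they are just scoped per job. Reword it so the next reader does not treat the job-level blocks as redundant, e.g. `permissions: {} # None by default; jobs that need a token declare their own grants below`. The `jest` job that follows is the only one in this file left without a grant.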
@@ -77,6 +78,8 @@ jobs: name: Downstream test element-web if: github.event_name == 'merge_group' uses: element-hq/element-web/.github/workflows/tests.yml@develop + permissions: + statuses: write with: disable_coverage: true matrix-js-sdk-sha: ${{ github.sha }}
@@ -84,6 +87,7 @@ jobs: complement-crypto: name: "Run Complement Crypto tests" if: github.event_name == 'merge_group' + permissions: read-all uses: matrix-org/complement-crypto/.github/workflows/single_sdk_tests.yml@main with: use_js_sdk: "."
@@ -107,6 +111,8 @@ jobs: if: always() needs: - element-web + permissions: + statuses: write steps: - name: Skip SonarCloud on merge queues if: env.ENABLE_COVERAGE == 'false'
diff --git a/.github/workflows/triage-incoming.yml b/.github/workflows/triage-incoming.yml
index c8c677a85f..887f37defe 100644
--- a/.github/workflows/triage-incoming.yml
+++ b/.github/workflows/triage-incoming.yml
@@ -3,7 +3,7 @@ name: Move new issues into Issue triage board on: issues: types: [opened] - +permissions: {} # We use ELEMENT_BOT_TOKEN instead jobs: automate-project-columns-next: runs-on: ubuntu-24.04
diff --git a/.github/workflows/triage-labelled.yml b/.github/workflows/triage-labelled.yml
index e464e5b726..3809d30e2d 100644
--- a/.github/workflows/triage-labelled.yml
+++ b/.github/workflows/triage-labelled.yml
@@ -3,7 +3,7 @@ name: Move labelled issues to correct projects on: issues: types: [labeled] - +permissions: {} # We use ELEMENT_BOT_TOKEN instead jobs: call-triage-labelled: uses: element-hq/element-web/.github/workflows/triage-labelled.yml@develop
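Review bot: `permissions: read-all` on the complement-crypto job hands every read scope of the GITHUB_TOKEN (contents, actions, packages, security-events, and the rest) to a third-party reusable workflow referenced by a moving `@main` ref, while every other job in this change enumerates exact grants. Unless `single_sdk_tests.yml` is known to need more, `contents: read` is the likely minimum; replace the line with `permissions:` and `contents: read` beneath it and add a comment naming why, then confirm against the called workflow. The job's `with:` block continues outside the hunk.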