diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 9ffb7fce64b..e220b25a1a7 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -14,6 +14,8 @@ updates:
- "element-hq/element-android-reviewers"
ignore:
- dependency-name: "*"
+ cooldown:
+ default-days: 7
# Updates for Gradle dependencies used in the app
- package-ecosystem: gradle
directory: "/"
@@ -25,3 +27,5 @@ updates:
allow:
- dependency-name: "io.element.android:wysiwyg"
- dependency-name: "org.matrix.rustcomponents:crypto-android"
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 88db81c5cf1..56c592630f2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,6 +5,8 @@ on:
push:
branches: [ main, develop ]
+permissions: {}
+
# Enrich gradle.properties for CI/CD
env:
GRADLE_OPTS: -Dorg.gradle.jvmargs="-Xmx3072m -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -XX:MaxMetaspaceSize=1g" -Dkotlin.daemon.jvm.options="-Xmx2560m" -Dkotlin.incremental=false
@@ -24,23 +26,24 @@ jobs:
group: ${{ github.ref == 'refs/heads/develop' && format('integration-tests-develop-{0}-{1}', matrix.target, github.sha) || format('build-debug-{0}-{1}', matrix.target, github.ref) }}
cancel-in-progress: true
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
# https://github.com/actions/checkout/issues/881
ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
+ persist-credentials: false
- name: Use JDK 21
- uses: actions/setup-java@v4
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
distribution: 'temurin' # See 'Supported distributions' for available options
java-version: '21'
- name: Configure gradle
- uses: gradle/actions/setup-gradle@v3
+ uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
with:
cache-read-only: ${{ github.ref != 'refs/heads/develop' }}
- name: Assemble ${{ matrix.target }} debug apk
run: ./gradlew assemble${{ matrix.target }}Debug $CI_GRADLE_ARG_PROPERTIES
- name: Upload ${{ matrix.target }} debug APKs
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: vector-${{ matrix.target }}-debug
path: |
@@ -53,23 +56,24 @@ jobs:
group: ${{ github.ref == 'refs/head/main' && format('build-release-apk-main-{0}', github.sha) || github.ref == 'refs/heads/develop' && format('build-release-apk-develop-{0}', github.sha) || format('build-debug-{0}', github.ref) }}
cancel-in-progress: ${{ github.ref != 'refs/head/main' }}
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
# https://github.com/actions/checkout/issues/881
ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.ref }}
+ persist-credentials: false
- name: Use JDK 21
- uses: actions/setup-java@v4
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
distribution: 'temurin' # See 'Supported distributions' for available options
java-version: '21'
- name: Configure gradle
- uses: gradle/actions/setup-gradle@v3
+ uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
with:
cache-read-only: ${{ github.ref != 'refs/heads/develop' }}
- name: Assemble GPlay unsigned apk
run: ./gradlew clean assembleGplayRelease $CI_GRADLE_ARG_PROPERTIES
- name: Upload Gplay unsigned APKs
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: vector-gplay-release-unsigned
path: |
@@ -81,18 +85,20 @@ jobs:
steps:
- name: Obtain apk from artifact
id: download
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
with:
name: vector-gplay-release-unsigned
- name: Show apks in artifact
- run: ls -R ${{steps.download.outputs.download-path}}
+ run: ls -R ${STEPS_DOWNLOAD_OUTPUTS_DOWNLOAD_PATH}
+ env:
+ STEPS_DOWNLOAD_OUTPUTS_DOWNLOAD_PATH: ${{steps.download.outputs.download-path}}
- name: Execute exodus-standalone
uses: docker://exodusprivacy/exodus-standalone:latest
with:
# Don't fail when finding trackers so they can be reported later
args: /github/workspace/gplay/release/vector-gplay-universal-release-unsigned.apk -j -o /github/workspace/exodus.json -e 0
- name: Upload exodus json report
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: exodus.json
path: |
diff --git a/.github/workflows/danger.yml b/.github/workflows/danger.yml
index 5eb2f1af3c1..7c92bf7327e 100644
--- a/.github/workflows/danger.yml
+++ b/.github/workflows/danger.yml
@@ -2,16 +2,20 @@ name: Danger CI
on: [pull_request]
+permissions: {}
+
jobs:
build:
runs-on: ubuntu-latest
name: Danger
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- run: |
npm install --save-dev @babel/plugin-transform-flow-strip-types
- name: Danger
- uses: danger/danger-js@11.2.6
+ uses: danger/danger-js@67ed2c1f42fd2fc198cc3c14b43c8f83351f4fe9 # 13.0.5
with:
args: "--dangerfile ./tools/danger/dangerfile.js"
env:
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 1a27d491a03..ec4492623e0 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -4,19 +4,23 @@ on:
push:
branches: [ develop ]
+permissions: {}
+
jobs:
docs:
name: Generate and publish Android Matrix SDK documentation
runs-on: ubuntu-latest
steps:
- name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Build docs
run: ./gradlew dokkaHtml
- name: Deploy docs
- uses: peaceiris/actions-gh-pages@v3
+ uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./matrix-sdk-android/build/dokka/html
diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml
index 2c13615738b..3d49f8d7f59 100644
--- a/.github/workflows/gradle-wrapper-validation.yml
+++ b/.github/workflows/gradle-wrapper-validation.yml
@@ -4,11 +4,15 @@ on:
push:
branches: [ main, develop ]
+permissions: {}
+
jobs:
validation:
name: "Validation"
runs-on: ubuntu-latest
# No concurrency required, this is a prerequisite to other actions and should run every time.
steps:
- - uses: actions/checkout@v4
- - uses: gradle/wrapper-validation-action@v1
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: gradle/wrapper-validation-action@f9c9c575b8b21b6485636a91ffecd10e558c62f6 # v3.5.0
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index ef731144554..514e3546563 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -6,6 +6,8 @@ on:
# Every nights at 4
- cron: "0 4 * * *"
+permissions: {}
+
env:
GRADLE_OPTS: -Dorg.gradle.jvmargs="-Xmx6g -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -XX:MaxMetaspaceSize=1g" -Dkotlin.incremental=false -XX:+UseG1GC
CI_GRADLE_ARG_PROPERTIES: --stacktrace -PpreDexEnable=false --max-workers 2 --no-daemon
@@ -15,18 +17,20 @@ jobs:
name: Build and publish nightly Gplay APK to Firebase
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python 3.8
- uses: actions/setup-python@v4
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: 3.8
- name: Use JDK 21
- uses: actions/setup-java@v4
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
distribution: 'temurin' # See 'Supported distributions' for available options
java-version: '21'
- name: Configure gradle
- uses: gradle/actions/setup-gradle@v3
+ uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
with:
cache-read-only: ${{ github.ref != 'refs/heads/develop' }}
- name: Install towncrier
diff --git a/.github/workflows/post-pr.yml b/.github/workflows/post-pr.yml
index ab0d0da9bab..f7eaa2dcaab 100644
--- a/.github/workflows/post-pr.yml
+++ b/.github/workflows/post-pr.yml
@@ -8,6 +8,8 @@ on:
types: [closed]
branches: [develop]
+permissions: {}
+
# Enrich gradle.properties for CI/CD
env:
GRADLE_OPTS: -Dorg.gradle.jvmargs="-Xmx3072m -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError" -Dkotlin.daemon.jvm.options="-Xmx2560m" -Dkotlin.incremental=false
@@ -39,29 +41,31 @@ jobs:
api-level: [ 28 ]
# No concurrency required, runs every time on a schedule.
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python 3.8
- uses: actions/setup-python@v4
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: 3.8
- name: Use JDK 21
- uses: actions/setup-java@v4
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
distribution: 'temurin' # See 'Supported distributions' for available options
java-version: '21'
- name: Configure gradle
- uses: gradle/actions/setup-gradle@v3
+ uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
with:
cache-read-only: ${{ github.ref != 'refs/heads/develop' }}
- name: Start synapse server
- uses: michaelkaye/setup-matrix-synapse@v1.0.5
+ uses: michaelkaye/setup-matrix-synapse@e080023c56271cab986b83db75edba570fafb88b # v1.0.6
with:
uploadLogs: true
httpPort: 8080
disableRateLimiting: true
public_baseurl: "http://10.0.2.2:8080/"
- name: Run sanity tests on API ${{ matrix.api-level }}
- uses: reactivecircus/android-emulator-runner@v2
+ uses: reactivecircus/android-emulator-runner@b530d96654c385303d652368551fb075bc2f0b6b # v2.35.0
with:
api-level: ${{ matrix.api-level }}
arch: x86
@@ -77,27 +81,10 @@ jobs:
adb logcat >> emulator.log &
./gradlew $CI_GRADLE_ARG_PROPERTIES connectedGplayDebugAndroidTest -Pandroid.testInstrumentationRunnerArguments.class=im.vector.app.ui.UiAllScreensSanityTest || (adb pull storage/emulated/0/Pictures/failure_screenshots && exit 1 )
- name: Upload Test Report Log
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: always()
with:
name: uitest-error-results
path: |
emulator.log
failure_screenshots/
-
-# Notify the channel about delayed failures
- notify:
- name: Notify matrix
- runs-on: ubuntu-latest
- needs:
- - should-i-run
- - ui-tests
- if: always() && (needs.should-i-run.result == 'success' ) && (needs.ui-tests.result != 'success')
- # No concurrency required, runs every time on a schedule.
- steps:
- - uses: michaelkaye/matrix-hookshot-action@v1.0.0
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- hookshot_url: ${{ secrets.ELEMENT_ANDROID_HOOKSHOT_URL }}
- text_template: "Post-merge validation of ${{ github.head_ref }} into ${{ github.base_ref }} by ${{ github.event.pull_request.merged_by.login }} failed: {{#each job_statuses }}{{#with this }}{{#if completed }} {{name}} {{conclusion}} at {{completed_at}}, {{/if}}{{/with}}{{/each}}"
- html_template: "Post-merge validation of ${{ github.head_ref }} into ${{ github.base_ref }} by ${{ github.event.pull_request.merged_by.login }} failed: {{#each job_statuses }}{{#with this }}{{#if completed }}
{{icon conclusion}} {{name}} {{conclusion}} at {{completed_at}} [details]{{/if}}{{/with}}{{/each}}"
diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
index d821c369719..187d25fbca4 100644
--- a/.github/workflows/quality.yml
+++ b/.github/workflows/quality.yml
@@ -5,6 +5,8 @@ on:
push:
branches: [ main, develop ]
+permissions: {}
+
# Enrich gradle.properties for CI/CD
env:
GRADLE_OPTS: -Dorg.gradle.jvmargs="-Xmx3072m -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -XX:MaxMetaspaceSize=1g" -Dkotlin.daemon.jvm.options="-Xmx2560m" -Dkotlin.incremental=false
@@ -15,7 +17,9 @@ jobs:
name: Project Check Suite
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Run code quality check suite
run: ./tools/check/check_code_quality.sh
@@ -24,14 +28,16 @@ jobs:
name: Knit
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Use JDK 21
- uses: actions/setup-java@v4
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
distribution: 'temurin' # See 'Supported distributions' for available options
java-version: '21'
- name: Configure gradle
- uses: gradle/actions/setup-gradle@v3
+ uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
with:
cache-read-only: ${{ github.ref != 'refs/heads/develop' }}
- name: Run knit
@@ -47,14 +53,16 @@ jobs:
group: ${{ github.ref == 'refs/heads/main' && format('lint-main-{0}', github.sha) || github.ref == 'refs/heads/develop' && format('lint-develop-{0}', github.sha) || format('lint-{0}', github.ref) }}
cancel-in-progress: true
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Use JDK 21
- uses: actions/setup-java@v4
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
distribution: 'temurin' # See 'Supported distributions' for available options
java-version: '21'
- name: Configure gradle
- uses: gradle/actions/setup-gradle@v3
+ uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
with:
cache-read-only: ${{ github.ref != 'refs/heads/develop' }}
- name: Run ktlint
@@ -71,7 +79,7 @@ jobs:
./gradlew vector-app:lintFdroidRelease $CI_GRADLE_ARG_PROPERTIES
- name: Upload reports
if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: linting-report
path: |
@@ -84,7 +92,7 @@ jobs:
yarn add danger-plugin-lint-report --dev
- name: Danger lint
if: always()
- uses: danger/danger-js@11.2.6
+ uses: danger/danger-js@67ed2c1f42fd2fc198cc3c14b43c8f83351f4fe9 # 13.0.5
with:
args: "--dangerfile ./tools/danger/dangerfile-lint.js"
env:
@@ -101,21 +109,35 @@ jobs:
group: ${{ github.ref == 'refs/heads/main' && format('dep-main-{0}', github.sha) || github.ref == 'refs/heads/develop' && format('dep-develop-{0}', github.sha) || format('dep-{0}', github.ref) }}
cancel-in-progress: true
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Use JDK 21
- uses: actions/setup-java@v4
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
distribution: 'temurin' # See 'Supported distributions' for available options
java-version: '21'
- name: Configure gradle
- uses: gradle/actions/setup-gradle@v3
+ uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
with:
cache-read-only: ${{ github.ref != 'refs/heads/develop' }}
- name: Dependency analysis
run: ./gradlew dependencyCheckAnalyze $CI_GRADLE_ARG_PROPERTIES
- name: Upload dependency analysis
if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: dependency-analysis
path: build/reports/dependency-check-report.html
+
+ zizmor:
+ name: Run zizmor
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
+
diff --git a/.github/workflows/sync-from-external-sources.yml b/.github/workflows/sync-from-external-sources.yml
index 40dd71c3b06..ed9bcfd303f 100644
--- a/.github/workflows/sync-from-external-sources.yml
+++ b/.github/workflows/sync-from-external-sources.yml
@@ -5,6 +5,8 @@ on:
# At 00:00 on every Monday UTC
- cron: '0 0 * * 1'
+permissions: {}
+
jobs:
sync-emojis:
runs-on: ubuntu-latest
@@ -12,9 +14,11 @@ jobs:
if: github.repository == 'element-hq/element-android'
# No concurrency required, runs every time on a schedule.
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python 3.8
- uses: actions/setup-python@v4
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: 3.8
- name: Install Prerequisite dependencies
@@ -24,7 +28,7 @@ jobs:
- name: Run Emoji script
run: ./tools/import_emojis.py
- name: Create Pull Request for Emojis
- uses: peter-evans/create-pull-request@v5
+ uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
with:
commit-message: Sync Emojis
title: Sync Emojis
@@ -39,9 +43,11 @@ jobs:
if: github.repository == 'element-hq/element-android'
# No concurrency required, runs every time on a schedule.
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Set up Python 3.8
- uses: actions/setup-python@v4
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: 3.8
- name: Install Prerequisite dependencies
@@ -50,7 +56,7 @@ jobs:
- name: Run SAS String script
run: ./tools/import_sas_strings.py
- name: Create Pull Request for SAS Strings
- uses: peter-evans/create-pull-request@v5
+ uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
with:
commit-message: Sync SAS Strings
title: Sync SAS Strings
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index d090d805139..8177dadf940 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -3,6 +3,8 @@ name: Test
on:
workflow_dispatch:
+permissions: {}
+
# Enrich gradle.properties for CI/CD
env:
GRADLE_OPTS: -Dorg.gradle.jvmargs="-Xmx3072m -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError" -Dkotlin.daemon.jvm.options="-Xmx2560m" -Dkotlin.incremental=false
@@ -21,17 +23,18 @@ jobs:
group: ${{ github.ref == 'refs/heads/main' && format('unit-tests-main-{0}', github.sha) || github.ref == 'refs/heads/develop' && format('unit-tests-develop-{0}', github.sha) || format('unit-tests-{0}', github.ref) }}
cancel-in-progress: true
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
lfs: true
fetch-depth: 0
+ persist-credentials: false
- name: Use JDK 21
- uses: actions/setup-java@v4
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
distribution: 'temurin' # See 'Supported distributions' for available options
java-version: '21'
- name: Configure gradle
- uses: gradle/actions/setup-gradle@v3
+ uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
with:
cache-read-only: ${{ github.ref != 'refs/heads/develop' }}
gradle-home-cache-cleanup: ${{ github.ref == 'refs/heads/develop' }}
@@ -41,17 +44,17 @@ jobs:
- name: Archive Screenshot Results on Error
if: failure()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: screenshot-results
path: |
**/out/failures/
**/build/reports/tests/*UnitTest/
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: 3.8
- - uses: michaelkaye/setup-matrix-synapse@v1.0.5
+ - uses: michaelkaye/setup-matrix-synapse@e080023c56271cab986b83db75edba570fafb88b # v1.0.6
with:
uploadLogs: true
httpPort: 8080
@@ -59,7 +62,7 @@ jobs:
public_baseurl: "http://10.0.2.2:8080/"
- name: Run all the codecoverage tests at once
- uses: reactivecircus/android-emulator-runner@v2
+ uses: reactivecircus/android-emulator-runner@b530d96654c385303d652368551fb075bc2f0b6b # v2.35.0
# continue-on-error: true
with:
api-level: ${{ matrix.api-level }}
@@ -77,7 +80,7 @@ jobs:
./gradlew generateCoverageReport $CI_GRADLE_ARG_PROPERTIES
# NB: continue-on-error marks steps.tests.conclusion = 'success' but leaves steps.tests.outcome = 'failure'
### - name: Run all the codecoverage tests at once (retry if emulator failed)
- ### uses: reactivecircus/android-emulator-runner@v2
+ ### uses: reactivecircus/android-emulator-runner@b530d96654c385303d652368551fb075bc2f0b6b # v2.35.0
### if: always() && steps.tests.outcome == 'failure' # don't run if previous step succeeded.
### with:
### api-level: 28
@@ -94,7 +97,7 @@ jobs:
### ./gradlew generateCoverageReport $CI_GRADLE_ARG_PROPERTIES
- name: Upload Integration Test Report Log
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: always()
with:
name: integration-test-error-results
@@ -134,14 +137,14 @@ jobs:
# group: ${{ github.ref == 'refs/heads/main' && format('unit-tests-main-{0}', github.sha) || github.ref == 'refs/heads/develop' && format('unit-tests-develop-{0}', github.sha) || format('build-android-tests-{0}', github.ref) }}
# cancel-in-progress: true
# steps:
-# - uses: actions/checkout@v4
+# - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
# - name: Use JDK 21
-# uses: actions/setup-java@v4
+# uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
# with:
# distribution: 'temurin' # See 'Supported distributions' for available options
# java-version: '21'
# - name: Configure gradle
-# uses: gradle/actions/setup-gradle@v3
+# uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
# with:
# cache-read-only: ${{ github.ref != 'refs/heads/develop' }}
# - name: Build Android Tests
diff --git a/.github/workflows/triage-labelled.yml b/.github/workflows/triage-labelled.yml
index c5a37d3eafc..3aee9d54674 100644
--- a/.github/workflows/triage-labelled.yml
+++ b/.github/workflows/triage-labelled.yml
@@ -4,6 +4,8 @@ on:
issues:
types: [labeled]
+permissions: {}
+
jobs:
apply_Z-Labs_label:
name: Add Z-Labs label for features behind labs flags
@@ -20,7 +22,7 @@ jobs:
contains(github.event.issue.labels.*.name, 'A-Tags') ||
contains(github.event.issue.labels.*.name, 'A-Rich-Text-Editor')
steps:
- - uses: actions/github-script@v5
+ - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
github.rest.issues.addLabels({
@@ -37,7 +39,7 @@ jobs:
contains(github.event.issue.labels.*.name, 'good first issue') ||
contains(github.event.issue.labels.*.name, 'Hacktoberfest')
steps:
- - uses: actions/github-script@v5
+ - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
github.rest.issues.addLabels({
@@ -61,7 +63,7 @@ jobs:
contains(github.event.issue.labels.*.name, 'O-Frequent')) ||
contains(github.event.issue.labels.*.name, 'A11y'))
steps:
- - uses: actions/add-to-project@main
+ - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
with:
project-url: https://github.com/orgs/element-hq/projects/18
github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
@@ -72,7 +74,7 @@ jobs:
if: >
contains(github.event.issue.labels.*.name, 'X-Needs-Product')
steps:
- - uses: actions/add-to-project@main
+ - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
with:
project-url: https://github.com/orgs/element-hq/projects/28
github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
diff --git a/.github/workflows/triage-move-review-requests.yml b/.github/workflows/triage-move-review-requests.yml
deleted file mode 100644
index 7299f74f002..00000000000
--- a/.github/workflows/triage-move-review-requests.yml
+++ /dev/null
@@ -1,143 +0,0 @@
-name: Move pull requests asking for review to the relevant project
-on:
- pull_request_target:
- types: [review_requested]
-
-jobs:
- add_design_pr_to_project:
- name: Move PRs asking for design review to the design board
- runs-on: ubuntu-latest
- # Skip in forks
- if: github.repository == 'element-hq/element-android'
- steps:
- - uses: octokit/graphql-action@v2.x
- id: find_team_members
- with:
- headers: '{"GraphQL-Features": "projects_next_graphql"}'
- query: |
- query find_team_members($team: String!) {
- organization(login: "element-hq") {
- team(slug: $team) {
- members {
- nodes {
- login
- }
- }
- }
- }
- }
- team: ${{ env.TEAM }}
- env:
- TEAM: "design"
- GITHUB_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
- - id: any_matching_reviewers
- run: |
- # Fetch requested reviewers, and people who are on the team
- echo '${{ tojson(fromjson(steps.find_team_members.outputs.data).organization.team.members.nodes[*].login) }}' | tee /tmp/team_members.json
- echo '${{ tojson(github.event.pull_request.requested_reviewers[*].login) }}' | tee /tmp/reviewers.json
- jq --raw-output .[] < /tmp/team_members.json | sort | tee /tmp/team_members.txt
- jq --raw-output .[] < /tmp/reviewers.json | sort | tee /tmp/reviewers.txt
-
- # Fetch requested team reviewers, and the name of the team
- echo '${{ tojson(github.event.pull_request.requested_teams[*].slug) }}' | tee /tmp/team_reviewers.json
- jq --raw-output .[] < /tmp/team_reviewers.json | sort | tee /tmp/team_reviewers.txt
- echo '${{ env.TEAM }}' | tee /tmp/team.txt
-
- # If either a reviewer matches a team member, or a team matches our team, say "true"
- if [ $(join /tmp/team_members.txt /tmp/reviewers.txt | wc -l) != 0 ]; then
- echo "::set-output name=match::true"
- elif [ $(join /tmp/team.txt /tmp/team_reviewers.txt | wc -l) != 0 ]; then
- echo "::set-output name=match::true"
- else
- echo "::set-output name=match::false"
- fi
- env:
- TEAM: "design"
- - uses: octokit/graphql-action@v2.x
- id: add_to_project
- if: steps.any_matching_reviewers.outputs.match == 'true'
- with:
- headers: '{"GraphQL-Features": "projects_next_graphql"}'
- query: |
- mutation add_to_project($projectid:ID!, $contentid:ID!) {
- addProjectV2ItemById(input: {projectId: $projectid contentId: $contentid}) {
- item {
- id
- }
- }
- }
- projectid: ${{ env.PROJECT_ID }}
- contentid: ${{ github.event.pull_request.node_id }}
- env:
- PROJECT_ID: "PVT_kwDOAM0swc0sUA"
- TEAM: "design"
- GITHUB_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
-
- add_product_pr_to_project:
- name: Move PRs asking for product review to the product board
- runs-on: ubuntu-latest
- # Skip in forks
- if: github.repository == 'element-hq/element-android'
- steps:
- - uses: octokit/graphql-action@v2.x
- id: find_team_members
- with:
- headers: '{"GraphQL-Features": "projects_next_graphql"}'
- query: |
- query find_team_members($team: String!) {
- organization(login: "element-hq") {
- team(slug: $team) {
- members {
- nodes {
- login
- }
- }
- }
- }
- }
- team: ${{ env.TEAM }}
- env:
- TEAM: "product"
- GITHUB_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
- - id: any_matching_reviewers
- run: |
- # Fetch requested reviewers, and people who are on the team
- echo '${{ tojson(fromjson(steps.find_team_members.outputs.data).organization.team.members.nodes[*].login) }}' | tee /tmp/team_members.json
- echo '${{ tojson(github.event.pull_request.requested_reviewers[*].login) }}' | tee /tmp/reviewers.json
- jq --raw-output .[] < /tmp/team_members.json | sort | tee /tmp/team_members.txt
- jq --raw-output .[] < /tmp/reviewers.json | sort | tee /tmp/reviewers.txt
-
- # Fetch requested team reviewers, and the name of the team
- echo '${{ tojson(github.event.pull_request.requested_teams[*].slug) }}' | tee /tmp/team_reviewers.json
- jq --raw-output .[] < /tmp/team_reviewers.json | sort | tee /tmp/team_reviewers.txt
- echo '${{ env.TEAM }}' | tee /tmp/team.txt
-
- # If either a reviewer matches a team member, or a team matches our team, say "true"
- if [ $(join /tmp/team_members.txt /tmp/reviewers.txt | wc -l) != 0 ]; then
- echo "::set-output name=match::true"
- elif [ $(join /tmp/team.txt /tmp/team_reviewers.txt | wc -l) != 0 ]; then
- echo "::set-output name=match::true"
- else
- echo "::set-output name=match::false"
- fi
- env:
- TEAM: "product"
- - uses: octokit/graphql-action@v2.x
- id: add_to_project
- if: steps.any_matching_reviewers.outputs.match == 'true'
- with:
- headers: '{"GraphQL-Features": "projects_next_graphql"}'
- query: |
- mutation add_to_project($projectid:ID!, $contentid:ID!) {
- addProjectV2ItemById(input: {projectId: $projectid contentId: $contentid}) {
- item {
- id
- }
- }
- }
- projectid: ${{ env.PROJECT_ID }}
- contentid: ${{ github.event.pull_request.node_id }}
- env:
- PROJECT_ID: "PVT_kwDOAM0swc4AAg6N"
- TEAM: "product"
- GITHUB_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
diff --git a/.github/workflows/triage-priority-bugs.yml b/.github/workflows/triage-priority-bugs.yml
index 3e1093b5780..ed32a0d9a38 100644
--- a/.github/workflows/triage-priority-bugs.yml
+++ b/.github/workflows/triage-priority-bugs.yml
@@ -4,6 +4,8 @@ on:
issues:
types: [labeled, unlabeled]
+permissions: {}
+
jobs:
p1_issues_to_team_workboard:
runs-on: ubuntu-latest
diff --git a/.github/workflows/update-gradle-wrapper.yml b/.github/workflows/update-gradle-wrapper.yml
index cb6f9e1c2c1..3cf01aa3333 100644
--- a/.github/workflows/update-gradle-wrapper.yml
+++ b/.github/workflows/update-gradle-wrapper.yml
@@ -4,15 +4,19 @@ on:
schedule:
- cron: "0 0 * * *"
+permissions: {}
+
jobs:
update-gradle-wrapper:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- name: Update Gradle Wrapper
- uses: gradle-update/update-gradle-wrapper-action@v1
+ uses: gradle-update/update-gradle-wrapper-action@512b1875f3b6270828abfe77b247d5895a2da1e5 # v2.1.0
# Skip in forks
if: github.repository == 'element-hq/element-android'
with:
diff --git a/.github/workflows/validate-lfs.yml b/.github/workflows/validate-lfs.yml
index c52e3e4f6a9..78e6440de34 100644
--- a/.github/workflows/validate-lfs.yml
+++ b/.github/workflows/validate-lfs.yml
@@ -2,14 +2,17 @@ name: Validate Git LFS
on: [pull_request]
+permissions: {}
+
jobs:
build:
runs-on: ubuntu-latest
name: Validate
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
lfs: 'true'
+ persist-credentials: false
- run: |
./tools/validate_lfs.sh