From c36fff646e687d2798d4bbf606944462168f3f1c Mon Sep 17 00:00:00 2001 From: Benoit Marty Date: Thu, 5 Mar 2026 16:43:15 +0100 Subject: [PATCH] Setup zizmor and fix existing issue. --- .github/dependabot.yml | 4 + .github/workflows/build.yml | 28 ++-- .github/workflows/danger.yml | 8 +- .github/workflows/docs.yml | 8 +- .../workflows/gradle-wrapper-validation.yml | 8 +- .github/workflows/nightly.yml | 12 +- .github/workflows/post-pr.yml | 35 ++--- .github/workflows/quality.yml | 48 ++++-- .../workflows/sync-from-external-sources.yml | 18 ++- .github/workflows/tests.yml | 27 ++-- .github/workflows/triage-labelled.yml | 10 +- .../workflows/triage-move-review-requests.yml | 143 ------------------ .github/workflows/triage-priority-bugs.yml | 2 + .github/workflows/update-gradle-wrapper.yml | 8 +- .github/workflows/validate-lfs.yml | 5 +- 15 files changed, 138 insertions(+), 226 deletions(-) delete mode 100644 .github/workflows/triage-move-review-requests.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 9ffb7fce64b..e220b25a1a7 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -14,6 +14,8 @@ updates: - "element-hq/element-android-reviewers" ignore: - dependency-name: "*" + cooldown: + default-days: 7 # Updates for Gradle dependencies used in the app - package-ecosystem: gradle directory: "/" @@ -25,3 +27,5 @@ updates: allow: - dependency-name: "io.element.android:wysiwyg" - dependency-name: "org.matrix.rustcomponents:crypto-android" + cooldown: + default-days: 7 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 88db81c5cf1..56c592630f2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,6 +5,8 @@ on: push: branches: [ main, develop ] +permissions: {} + # Enrich gradle.properties for CI/CD env: GRADLE_OPTS: -Dorg.gradle.jvmargs="-Xmx3072m -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -XX:MaxMetaspaceSize=1g" -Dkotlin.daemon.jvm.options="-Xmx2560m" -Dkotlin.incremental=false @@ -24,23 +26,24 @@ jobs: group: ${{ github.ref == 'refs/heads/develop' && format('integration-tests-develop-{0}-{1}', matrix.target, github.sha) || format('build-debug-{0}-{1}', matrix.target, github.ref) }} cancel-in-progress: true steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: # https://github.com/actions/checkout/issues/881 ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} + persist-credentials: false - name: Use JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'temurin' # See 'Supported distributions' for available options java-version: '21' - name: Configure gradle - uses: gradle/actions/setup-gradle@v3 + uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 with: cache-read-only: ${{ github.ref != 'refs/heads/develop' }} - name: Assemble ${{ matrix.target }} debug apk run: ./gradlew assemble${{ matrix.target }}Debug $CI_GRADLE_ARG_PROPERTIES - name: Upload ${{ matrix.target }} debug APKs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: vector-${{ matrix.target }}-debug path: | @@ -53,23 +56,24 @@ jobs: group: ${{ github.ref == 'refs/head/main' && format('build-release-apk-main-{0}', github.sha) || github.ref == 'refs/heads/develop' && format('build-release-apk-develop-{0}', github.sha) || format('build-debug-{0}', github.ref) }} cancel-in-progress: ${{ github.ref != 'refs/head/main' }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: # https://github.com/actions/checkout/issues/881 ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.ref }} + persist-credentials: false - name: Use JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'temurin' # See 'Supported distributions' for available options java-version: '21' - name: Configure gradle - uses: gradle/actions/setup-gradle@v3 + uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 with: cache-read-only: ${{ github.ref != 'refs/heads/develop' }} - name: Assemble GPlay unsigned apk run: ./gradlew clean assembleGplayRelease $CI_GRADLE_ARG_PROPERTIES - name: Upload Gplay unsigned APKs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: vector-gplay-release-unsigned path: | @@ -81,18 +85,20 @@ jobs: steps: - name: Obtain apk from artifact id: download - uses: actions/download-artifact@v4 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: name: vector-gplay-release-unsigned - name: Show apks in artifact - run: ls -R ${{steps.download.outputs.download-path}} + run: ls -R ${STEPS_DOWNLOAD_OUTPUTS_DOWNLOAD_PATH} + env: + STEPS_DOWNLOAD_OUTPUTS_DOWNLOAD_PATH: ${{steps.download.outputs.download-path}} - name: Execute exodus-standalone uses: docker://exodusprivacy/exodus-standalone:latest with: # Don't fail when finding trackers so they can be reported later args: /github/workspace/gplay/release/vector-gplay-universal-release-unsigned.apk -j -o /github/workspace/exodus.json -e 0 - name: Upload exodus json report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: exodus.json path: | diff --git a/.github/workflows/danger.yml b/.github/workflows/danger.yml index 5eb2f1af3c1..7c92bf7327e 100644 --- a/.github/workflows/danger.yml +++ b/.github/workflows/danger.yml @@ -2,16 +2,20 @@ name: Danger CI on: [pull_request] +permissions: {} + jobs: build: runs-on: ubuntu-latest name: Danger steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - run: | npm install --save-dev @babel/plugin-transform-flow-strip-types - name: Danger - uses: danger/danger-js@11.2.6 + uses: danger/danger-js@67ed2c1f42fd2fc198cc3c14b43c8f83351f4fe9 # 13.0.5 with: args: "--dangerfile ./tools/danger/dangerfile.js" env: diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 1a27d491a03..ec4492623e0 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -4,19 +4,23 @@ on: push: branches: [ develop ] +permissions: {} + jobs: docs: name: Generate and publish Android Matrix SDK documentation runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Build docs run: ./gradlew dokkaHtml - name: Deploy docs - uses: peaceiris/actions-gh-pages@v3 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./matrix-sdk-android/build/dokka/html diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml index 2c13615738b..3d49f8d7f59 100644 --- a/.github/workflows/gradle-wrapper-validation.yml +++ b/.github/workflows/gradle-wrapper-validation.yml @@ -4,11 +4,15 @@ on: push: branches: [ main, develop ] +permissions: {} + jobs: validation: name: "Validation" runs-on: ubuntu-latest # No concurrency required, this is a prerequisite to other actions and should run every time. steps: - - uses: actions/checkout@v4 - - uses: gradle/wrapper-validation-action@v1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: gradle/wrapper-validation-action@f9c9c575b8b21b6485636a91ffecd10e558c62f6 # v3.5.0 diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index ef731144554..514e3546563 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -6,6 +6,8 @@ on: # Every nights at 4 - cron: "0 4 * * *" +permissions: {} + env: GRADLE_OPTS: -Dorg.gradle.jvmargs="-Xmx6g -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -XX:MaxMetaspaceSize=1g" -Dkotlin.incremental=false -XX:+UseG1GC CI_GRADLE_ARG_PROPERTIES: --stacktrace -PpreDexEnable=false --max-workers 2 --no-daemon @@ -15,18 +17,20 @@ jobs: name: Build and publish nightly Gplay APK to Firebase runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python 3.8 - uses: actions/setup-python@v4 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.8 - name: Use JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'temurin' # See 'Supported distributions' for available options java-version: '21' - name: Configure gradle - uses: gradle/actions/setup-gradle@v3 + uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 with: cache-read-only: ${{ github.ref != 'refs/heads/develop' }} - name: Install towncrier diff --git a/.github/workflows/post-pr.yml b/.github/workflows/post-pr.yml index ab0d0da9bab..f7eaa2dcaab 100644 --- a/.github/workflows/post-pr.yml +++ b/.github/workflows/post-pr.yml @@ -8,6 +8,8 @@ on: types: [closed] branches: [develop] +permissions: {} + # Enrich gradle.properties for CI/CD env: GRADLE_OPTS: -Dorg.gradle.jvmargs="-Xmx3072m -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError" -Dkotlin.daemon.jvm.options="-Xmx2560m" -Dkotlin.incremental=false @@ -39,29 +41,31 @@ jobs: api-level: [ 28 ] # No concurrency required, runs every time on a schedule. steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python 3.8 - uses: actions/setup-python@v4 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.8 - name: Use JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'temurin' # See 'Supported distributions' for available options java-version: '21' - name: Configure gradle - uses: gradle/actions/setup-gradle@v3 + uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 with: cache-read-only: ${{ github.ref != 'refs/heads/develop' }} - name: Start synapse server - uses: michaelkaye/setup-matrix-synapse@v1.0.5 + uses: michaelkaye/setup-matrix-synapse@e080023c56271cab986b83db75edba570fafb88b # v1.0.6 with: uploadLogs: true httpPort: 8080 disableRateLimiting: true public_baseurl: "http://10.0.2.2:8080/" - name: Run sanity tests on API ${{ matrix.api-level }} - uses: reactivecircus/android-emulator-runner@v2 + uses: reactivecircus/android-emulator-runner@b530d96654c385303d652368551fb075bc2f0b6b # v2.35.0 with: api-level: ${{ matrix.api-level }} arch: x86 @@ -77,27 +81,10 @@ jobs: adb logcat >> emulator.log & ./gradlew $CI_GRADLE_ARG_PROPERTIES connectedGplayDebugAndroidTest -Pandroid.testInstrumentationRunnerArguments.class=im.vector.app.ui.UiAllScreensSanityTest || (adb pull storage/emulated/0/Pictures/failure_screenshots && exit 1 ) - name: Upload Test Report Log - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 if: always() with: name: uitest-error-results path: | emulator.log failure_screenshots/ - -# Notify the channel about delayed failures - notify: - name: Notify matrix - runs-on: ubuntu-latest - needs: - - should-i-run - - ui-tests - if: always() && (needs.should-i-run.result == 'success' ) && (needs.ui-tests.result != 'success') - # No concurrency required, runs every time on a schedule. - steps: - - uses: michaelkaye/matrix-hookshot-action@v1.0.0 - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - hookshot_url: ${{ secrets.ELEMENT_ANDROID_HOOKSHOT_URL }} - text_template: "Post-merge validation of ${{ github.head_ref }} into ${{ github.base_ref }} by ${{ github.event.pull_request.merged_by.login }} failed: {{#each job_statuses }}{{#with this }}{{#if completed }} {{name}} {{conclusion}} at {{completed_at}}, {{/if}}{{/with}}{{/each}}" - html_template: "Post-merge validation of ${{ github.head_ref }} into ${{ github.base_ref }} by ${{ github.event.pull_request.merged_by.login }} failed: {{#each job_statuses }}{{#with this }}{{#if completed }}
{{icon conclusion}} {{name}} {{conclusion}} at {{completed_at}} [details]{{/if}}{{/with}}{{/each}}" diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index d821c369719..187d25fbca4 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -5,6 +5,8 @@ on: push: branches: [ main, develop ] +permissions: {} + # Enrich gradle.properties for CI/CD env: GRADLE_OPTS: -Dorg.gradle.jvmargs="-Xmx3072m -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -XX:MaxMetaspaceSize=1g" -Dkotlin.daemon.jvm.options="-Xmx2560m" -Dkotlin.incremental=false @@ -15,7 +17,9 @@ jobs: name: Project Check Suite runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Run code quality check suite run: ./tools/check/check_code_quality.sh @@ -24,14 +28,16 @@ jobs: name: Knit runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Use JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'temurin' # See 'Supported distributions' for available options java-version: '21' - name: Configure gradle - uses: gradle/actions/setup-gradle@v3 + uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 with: cache-read-only: ${{ github.ref != 'refs/heads/develop' }} - name: Run knit @@ -47,14 +53,16 @@ jobs: group: ${{ github.ref == 'refs/heads/main' && format('lint-main-{0}', github.sha) || github.ref == 'refs/heads/develop' && format('lint-develop-{0}', github.sha) || format('lint-{0}', github.ref) }} cancel-in-progress: true steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Use JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'temurin' # See 'Supported distributions' for available options java-version: '21' - name: Configure gradle - uses: gradle/actions/setup-gradle@v3 + uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 with: cache-read-only: ${{ github.ref != 'refs/heads/develop' }} - name: Run ktlint @@ -71,7 +79,7 @@ jobs: ./gradlew vector-app:lintFdroidRelease $CI_GRADLE_ARG_PROPERTIES - name: Upload reports if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: linting-report path: | @@ -84,7 +92,7 @@ jobs: yarn add danger-plugin-lint-report --dev - name: Danger lint if: always() - uses: danger/danger-js@11.2.6 + uses: danger/danger-js@67ed2c1f42fd2fc198cc3c14b43c8f83351f4fe9 # 13.0.5 with: args: "--dangerfile ./tools/danger/dangerfile-lint.js" env: @@ -101,21 +109,35 @@ jobs: group: ${{ github.ref == 'refs/heads/main' && format('dep-main-{0}', github.sha) || github.ref == 'refs/heads/develop' && format('dep-develop-{0}', github.sha) || format('dep-{0}', github.ref) }} cancel-in-progress: true steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Use JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'temurin' # See 'Supported distributions' for available options java-version: '21' - name: Configure gradle - uses: gradle/actions/setup-gradle@v3 + uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 with: cache-read-only: ${{ github.ref != 'refs/heads/develop' }} - name: Dependency analysis run: ./gradlew dependencyCheckAnalyze $CI_GRADLE_ARG_PROPERTIES - name: Upload dependency analysis if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: dependency-analysis path: build/reports/dependency-check-report.html + + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + permissions: + security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files. + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0 + diff --git a/.github/workflows/sync-from-external-sources.yml b/.github/workflows/sync-from-external-sources.yml index 40dd71c3b06..ed9bcfd303f 100644 --- a/.github/workflows/sync-from-external-sources.yml +++ b/.github/workflows/sync-from-external-sources.yml @@ -5,6 +5,8 @@ on: # At 00:00 on every Monday UTC - cron: '0 0 * * 1' +permissions: {} + jobs: sync-emojis: runs-on: ubuntu-latest @@ -12,9 +14,11 @@ jobs: if: github.repository == 'element-hq/element-android' # No concurrency required, runs every time on a schedule. steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python 3.8 - uses: actions/setup-python@v4 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.8 - name: Install Prerequisite dependencies @@ -24,7 +28,7 @@ jobs: - name: Run Emoji script run: ./tools/import_emojis.py - name: Create Pull Request for Emojis - uses: peter-evans/create-pull-request@v5 + uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 with: commit-message: Sync Emojis title: Sync Emojis @@ -39,9 +43,11 @@ jobs: if: github.repository == 'element-hq/element-android' # No concurrency required, runs every time on a schedule. steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python 3.8 - uses: actions/setup-python@v4 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.8 - name: Install Prerequisite dependencies @@ -50,7 +56,7 @@ jobs: - name: Run SAS String script run: ./tools/import_sas_strings.py - name: Create Pull Request for SAS Strings - uses: peter-evans/create-pull-request@v5 + uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 with: commit-message: Sync SAS Strings title: Sync SAS Strings diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index d090d805139..8177dadf940 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -3,6 +3,8 @@ name: Test on: workflow_dispatch: +permissions: {} + # Enrich gradle.properties for CI/CD env: GRADLE_OPTS: -Dorg.gradle.jvmargs="-Xmx3072m -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError" -Dkotlin.daemon.jvm.options="-Xmx2560m" -Dkotlin.incremental=false @@ -21,17 +23,18 @@ jobs: group: ${{ github.ref == 'refs/heads/main' && format('unit-tests-main-{0}', github.sha) || github.ref == 'refs/heads/develop' && format('unit-tests-develop-{0}', github.sha) || format('unit-tests-{0}', github.ref) }} cancel-in-progress: true steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: lfs: true fetch-depth: 0 + persist-credentials: false - name: Use JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'temurin' # See 'Supported distributions' for available options java-version: '21' - name: Configure gradle - uses: gradle/actions/setup-gradle@v3 + uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 with: cache-read-only: ${{ github.ref != 'refs/heads/develop' }} gradle-home-cache-cleanup: ${{ github.ref == 'refs/heads/develop' }} @@ -41,17 +44,17 @@ jobs: - name: Archive Screenshot Results on Error if: failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: screenshot-results path: | **/out/failures/ **/build/reports/tests/*UnitTest/ - - uses: actions/setup-python@v4 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.8 - - uses: michaelkaye/setup-matrix-synapse@v1.0.5 + - uses: michaelkaye/setup-matrix-synapse@e080023c56271cab986b83db75edba570fafb88b # v1.0.6 with: uploadLogs: true httpPort: 8080 @@ -59,7 +62,7 @@ jobs: public_baseurl: "http://10.0.2.2:8080/" - name: Run all the codecoverage tests at once - uses: reactivecircus/android-emulator-runner@v2 + uses: reactivecircus/android-emulator-runner@b530d96654c385303d652368551fb075bc2f0b6b # v2.35.0 # continue-on-error: true with: api-level: ${{ matrix.api-level }} @@ -77,7 +80,7 @@ jobs: ./gradlew generateCoverageReport $CI_GRADLE_ARG_PROPERTIES # NB: continue-on-error marks steps.tests.conclusion = 'success' but leaves steps.tests.outcome = 'failure' ### - name: Run all the codecoverage tests at once (retry if emulator failed) - ### uses: reactivecircus/android-emulator-runner@v2 + ### uses: reactivecircus/android-emulator-runner@b530d96654c385303d652368551fb075bc2f0b6b # v2.35.0 ### if: always() && steps.tests.outcome == 'failure' # don't run if previous step succeeded. ### with: ### api-level: 28 @@ -94,7 +97,7 @@ jobs: ### ./gradlew generateCoverageReport $CI_GRADLE_ARG_PROPERTIES - name: Upload Integration Test Report Log - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 if: always() with: name: integration-test-error-results @@ -134,14 +137,14 @@ jobs: # group: ${{ github.ref == 'refs/heads/main' && format('unit-tests-main-{0}', github.sha) || github.ref == 'refs/heads/develop' && format('unit-tests-develop-{0}', github.sha) || format('build-android-tests-{0}', github.ref) }} # cancel-in-progress: true # steps: -# - uses: actions/checkout@v4 +# - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # - name: Use JDK 21 -# uses: actions/setup-java@v4 +# uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 # with: # distribution: 'temurin' # See 'Supported distributions' for available options # java-version: '21' # - name: Configure gradle -# uses: gradle/actions/setup-gradle@v3 +# uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 # with: # cache-read-only: ${{ github.ref != 'refs/heads/develop' }} # - name: Build Android Tests diff --git a/.github/workflows/triage-labelled.yml b/.github/workflows/triage-labelled.yml index c5a37d3eafc..3aee9d54674 100644 --- a/.github/workflows/triage-labelled.yml +++ b/.github/workflows/triage-labelled.yml @@ -4,6 +4,8 @@ on: issues: types: [labeled] +permissions: {} + jobs: apply_Z-Labs_label: name: Add Z-Labs label for features behind labs flags @@ -20,7 +22,7 @@ jobs: contains(github.event.issue.labels.*.name, 'A-Tags') || contains(github.event.issue.labels.*.name, 'A-Rich-Text-Editor') steps: - - uses: actions/github-script@v5 + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | github.rest.issues.addLabels({ @@ -37,7 +39,7 @@ jobs: contains(github.event.issue.labels.*.name, 'good first issue') || contains(github.event.issue.labels.*.name, 'Hacktoberfest') steps: - - uses: actions/github-script@v5 + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | github.rest.issues.addLabels({ @@ -61,7 +63,7 @@ jobs: contains(github.event.issue.labels.*.name, 'O-Frequent')) || contains(github.event.issue.labels.*.name, 'A11y')) steps: - - uses: actions/add-to-project@main + - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2 with: project-url: https://github.com/orgs/element-hq/projects/18 github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} @@ -72,7 +74,7 @@ jobs: if: > contains(github.event.issue.labels.*.name, 'X-Needs-Product') steps: - - uses: actions/add-to-project@main + - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2 with: project-url: https://github.com/orgs/element-hq/projects/28 github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} diff --git a/.github/workflows/triage-move-review-requests.yml b/.github/workflows/triage-move-review-requests.yml deleted file mode 100644 index 7299f74f002..00000000000 --- a/.github/workflows/triage-move-review-requests.yml +++ /dev/null @@ -1,143 +0,0 @@ -name: Move pull requests asking for review to the relevant project -on: - pull_request_target: - types: [review_requested] - -jobs: - add_design_pr_to_project: - name: Move PRs asking for design review to the design board - runs-on: ubuntu-latest - # Skip in forks - if: github.repository == 'element-hq/element-android' - steps: - - uses: octokit/graphql-action@v2.x - id: find_team_members - with: - headers: '{"GraphQL-Features": "projects_next_graphql"}' - query: | - query find_team_members($team: String!) { - organization(login: "element-hq") { - team(slug: $team) { - members { - nodes { - login - } - } - } - } - } - team: ${{ env.TEAM }} - env: - TEAM: "design" - GITHUB_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }} - - id: any_matching_reviewers - run: | - # Fetch requested reviewers, and people who are on the team - echo '${{ tojson(fromjson(steps.find_team_members.outputs.data).organization.team.members.nodes[*].login) }}' | tee /tmp/team_members.json - echo '${{ tojson(github.event.pull_request.requested_reviewers[*].login) }}' | tee /tmp/reviewers.json - jq --raw-output .[] < /tmp/team_members.json | sort | tee /tmp/team_members.txt - jq --raw-output .[] < /tmp/reviewers.json | sort | tee /tmp/reviewers.txt - - # Fetch requested team reviewers, and the name of the team - echo '${{ tojson(github.event.pull_request.requested_teams[*].slug) }}' | tee /tmp/team_reviewers.json - jq --raw-output .[] < /tmp/team_reviewers.json | sort | tee /tmp/team_reviewers.txt - echo '${{ env.TEAM }}' | tee /tmp/team.txt - - # If either a reviewer matches a team member, or a team matches our team, say "true" - if [ $(join /tmp/team_members.txt /tmp/reviewers.txt | wc -l) != 0 ]; then - echo "::set-output name=match::true" - elif [ $(join /tmp/team.txt /tmp/team_reviewers.txt | wc -l) != 0 ]; then - echo "::set-output name=match::true" - else - echo "::set-output name=match::false" - fi - env: - TEAM: "design" - - uses: octokit/graphql-action@v2.x - id: add_to_project - if: steps.any_matching_reviewers.outputs.match == 'true' - with: - headers: '{"GraphQL-Features": "projects_next_graphql"}' - query: | - mutation add_to_project($projectid:ID!, $contentid:ID!) { - addProjectV2ItemById(input: {projectId: $projectid contentId: $contentid}) { - item { - id - } - } - } - projectid: ${{ env.PROJECT_ID }} - contentid: ${{ github.event.pull_request.node_id }} - env: - PROJECT_ID: "PVT_kwDOAM0swc0sUA" - TEAM: "design" - GITHUB_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }} - - add_product_pr_to_project: - name: Move PRs asking for product review to the product board - runs-on: ubuntu-latest - # Skip in forks - if: github.repository == 'element-hq/element-android' - steps: - - uses: octokit/graphql-action@v2.x - id: find_team_members - with: - headers: '{"GraphQL-Features": "projects_next_graphql"}' - query: | - query find_team_members($team: String!) { - organization(login: "element-hq") { - team(slug: $team) { - members { - nodes { - login - } - } - } - } - } - team: ${{ env.TEAM }} - env: - TEAM: "product" - GITHUB_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }} - - id: any_matching_reviewers - run: | - # Fetch requested reviewers, and people who are on the team - echo '${{ tojson(fromjson(steps.find_team_members.outputs.data).organization.team.members.nodes[*].login) }}' | tee /tmp/team_members.json - echo '${{ tojson(github.event.pull_request.requested_reviewers[*].login) }}' | tee /tmp/reviewers.json - jq --raw-output .[] < /tmp/team_members.json | sort | tee /tmp/team_members.txt - jq --raw-output .[] < /tmp/reviewers.json | sort | tee /tmp/reviewers.txt - - # Fetch requested team reviewers, and the name of the team - echo '${{ tojson(github.event.pull_request.requested_teams[*].slug) }}' | tee /tmp/team_reviewers.json - jq --raw-output .[] < /tmp/team_reviewers.json | sort | tee /tmp/team_reviewers.txt - echo '${{ env.TEAM }}' | tee /tmp/team.txt - - # If either a reviewer matches a team member, or a team matches our team, say "true" - if [ $(join /tmp/team_members.txt /tmp/reviewers.txt | wc -l) != 0 ]; then - echo "::set-output name=match::true" - elif [ $(join /tmp/team.txt /tmp/team_reviewers.txt | wc -l) != 0 ]; then - echo "::set-output name=match::true" - else - echo "::set-output name=match::false" - fi - env: - TEAM: "product" - - uses: octokit/graphql-action@v2.x - id: add_to_project - if: steps.any_matching_reviewers.outputs.match == 'true' - with: - headers: '{"GraphQL-Features": "projects_next_graphql"}' - query: | - mutation add_to_project($projectid:ID!, $contentid:ID!) { - addProjectV2ItemById(input: {projectId: $projectid contentId: $contentid}) { - item { - id - } - } - } - projectid: ${{ env.PROJECT_ID }} - contentid: ${{ github.event.pull_request.node_id }} - env: - PROJECT_ID: "PVT_kwDOAM0swc4AAg6N" - TEAM: "product" - GITHUB_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }} diff --git a/.github/workflows/triage-priority-bugs.yml b/.github/workflows/triage-priority-bugs.yml index 3e1093b5780..ed32a0d9a38 100644 --- a/.github/workflows/triage-priority-bugs.yml +++ b/.github/workflows/triage-priority-bugs.yml @@ -4,6 +4,8 @@ on: issues: types: [labeled, unlabeled] +permissions: {} + jobs: p1_issues_to_team_workboard: runs-on: ubuntu-latest diff --git a/.github/workflows/update-gradle-wrapper.yml b/.github/workflows/update-gradle-wrapper.yml index cb6f9e1c2c1..3cf01aa3333 100644 --- a/.github/workflows/update-gradle-wrapper.yml +++ b/.github/workflows/update-gradle-wrapper.yml @@ -4,15 +4,19 @@ on: schedule: - cron: "0 0 * * *" +permissions: {} + jobs: update-gradle-wrapper: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Update Gradle Wrapper - uses: gradle-update/update-gradle-wrapper-action@v1 + uses: gradle-update/update-gradle-wrapper-action@512b1875f3b6270828abfe77b247d5895a2da1e5 # v2.1.0 # Skip in forks if: github.repository == 'element-hq/element-android' with: diff --git a/.github/workflows/validate-lfs.yml b/.github/workflows/validate-lfs.yml index c52e3e4f6a9..78e6440de34 100644 --- a/.github/workflows/validate-lfs.yml +++ b/.github/workflows/validate-lfs.yml @@ -2,14 +2,17 @@ name: Validate Git LFS on: [pull_request] +permissions: {} + jobs: build: runs-on: ubuntu-latest name: Validate steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: lfs: 'true' + persist-credentials: false - run: | ./tools/validate_lfs.sh