diff --git a/.github/workflows/complement_tests.yml b/.github/workflows/complement_tests.yml index a891802ac89..d01e2e95f94 100644 --- a/.github/workflows/complement_tests.yml +++ b/.github/workflows/complement_tests.yml @@ -42,6 +42,7 @@ jobs: uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: path: synapse + persist-credentials: false # Log Docker system info for debugging (compare with your local environment) and # tracking GitHub runner changes over time (can easily compare a run from last diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 39ddb619183..a507d31bead 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -10,12 +10,15 @@ on: permissions: contents: read - packages: write - id-token: write # needed for signing the images with GitHub OIDC Token + jobs: build: name: Build and push image for ${{ matrix.platform }} runs-on: ${{ matrix.runs_on }} + permissions: + contents: read + packages: write # needed to push the image to ghcr.io + id-token: write # needed for the vault and tailscale OIDC auth strategy: matrix: include: @@ -32,6 +35,8 @@ jobs: - name: Checkout repository uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Extract version from pyproject.toml # Note: explicitly requesting bash will mean bash is invoked with `-eo pipefail`, see @@ -63,7 +68,7 @@ jobs: - name: Compute vault jwt role name id: vault-jwt-role run: | - echo "role_name=github_service_management_$( echo "${{ github.repository }}" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT" + echo "role_name=github_service_management_$( echo "$GITHUB_REPOSITORY" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT" - name: Get team registry token id: import-secrets @@ -102,10 +107,11 @@ jobs: outputs: type=image,push-by-digest=true,name-canonical=true,push=true - name: Export digest + env: + DIGEST: ${{ steps.build.outputs.digest }} run: | - mkdir -p ${{ runner.temp }}/digests - digest="${{ steps.build.outputs.digest }}" - touch "${{ runner.temp }}/digests/${digest#sha256:}" + mkdir -p "$RUNNER_TEMP/digests" + touch "$RUNNER_TEMP/digests/${DIGEST#sha256:}" - name: Upload digest uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -118,6 +124,9 @@ jobs: merge: name: Push merged images to ${{ matrix.repository }} runs-on: ubuntu-latest + permissions: + packages: write # needed to push the image to ghcr.io + id-token: write # needed for signing the images with GitHub OIDC Token, and for the vault and tailscale OIDC auth strategy: matrix: repository: @@ -160,7 +169,7 @@ jobs: - name: Compute vault jwt role name id: vault-jwt-role run: | - echo "role_name=github_service_management_$( echo "${{ github.repository }}" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT" + echo "role_name=github_service_management_$( echo "$GITHUB_REPOSITORY" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT" - name: Get team registry token id: import-secrets diff --git a/.github/workflows/docs-pr.yaml b/.github/workflows/docs-pr.yaml index e1a5b7be894..88e838d322e 100644 --- a/.github/workflows/docs-pr.yaml +++ b/.github/workflows/docs-pr.yaml @@ -8,6 +8,9 @@ on: - .github/workflows/docs-pr.yaml - scripts-dev/schema_versions.py +permissions: + contents: read + jobs: pages: name: GitHub Pages @@ -15,6 +18,7 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: + persist-credentials: false # Fetch all history so that the schema_versions script works. fetch-depth: 0 @@ -51,6 +55,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup mdbook uses: peaceiris/actions-mdbook@ee69d230fe19748b7abf22df32acaa93833fad08 # v2.0.0 diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 7236bf99d93..37c103952c6 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -1,5 +1,8 @@ name: Deploy the documentation +permissions: + contents: read + on: push: branches: @@ -46,12 +49,15 @@ jobs: ################################################################################ pages-docs: name: GitHub Pages + permissions: + contents: write # needed to push the built docs to the gh-pages branch runs-on: ubuntu-latest needs: - pre steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: + persist-credentials: false # Fetch all history so that the schema_versions script works. fetch-depth: 0 @@ -61,7 +67,9 @@ jobs: mdbook-version: '0.5.2' - name: Set version of docs - run: echo 'window.SYNAPSE_VERSION = "${{ needs.pre.outputs.branch-version }}";' > ./docs/website_files/version.js + env: + BRANCH_VERSION: ${{ needs.pre.outputs.branch-version }} + run: echo "window.SYNAPSE_VERSION = \"$BRANCH_VERSION\";" > ./docs/website_files/version.js - name: Setup python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 diff --git a/.github/workflows/fix_lint.yaml b/.github/workflows/fix_lint.yaml index e0817698f40..86f7c629816 100644 --- a/.github/workflows/fix_lint.yaml +++ b/.github/workflows/fix_lint.yaml @@ -6,6 +6,9 @@ name: Attempt to automatically fix linting errors on: workflow_dispatch: +permissions: + contents: read + env: # We use nightly so that `fmt` correctly groups together imports, and # clippy correctly fixes up the benchmarks. @@ -17,10 +20,14 @@ jobs: fixup: name: Fix up runs-on: ubuntu-latest + permissions: + contents: write # needed to push the lint fixes back to the branch steps: - name: Checkout repository uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + # zizmor: ignore[artipacked] + # The git-auto-commit-action step below reuses the GITHUB_TOKEN - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master diff --git a/.github/workflows/latest_deps.yml b/.github/workflows/latest_deps.yml index 815593ffcd0..52e46b46e0f 100644 --- a/.github/workflows/latest_deps.yml +++ b/.github/workflows/latest_deps.yml @@ -17,6 +17,9 @@ on: - cron: 0 7 * * * workflow_dispatch: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -35,7 +38,9 @@ jobs: should_run_workflow: ${{ steps.check_condition.outputs.should_run_workflow }} steps: - id: check_condition - run: echo "should_run_workflow=${{ github.repository == 'element-hq/synapse' }}" >> "$GITHUB_OUTPUT" + env: + SHOULD_RUN_WORKFLOW: ${{ github.repository == 'element-hq/synapse' }} + run: echo "should_run_workflow=$SHOULD_RUN_WORKFLOW" >> "$GITHUB_OUTPUT" mypy: needs: check_repo @@ -43,6 +48,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master with: @@ -78,6 +85,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -88,11 +97,13 @@ jobs: - run: sudo apt-get -qq install xmlsec1 - name: Set up PostgreSQL ${{ matrix.postgres-version }} if: ${{ matrix.postgres-version }} + env: + POSTGRES_VERSION: ${{ matrix.postgres-version }} run: | docker run -d -p 5432:5432 \ -e POSTGRES_PASSWORD=postgres \ -e POSTGRES_INITDB_ARGS="--lc-collate C --lc-ctype C --encoding UTF8" \ - postgres:${{ matrix.postgres-version }} + "postgres:$POSTGRES_VERSION" - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" @@ -152,6 +163,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -198,10 +211,16 @@ jobs: - sytest - complement + permissions: + contents: read # needed to check out the issue template + issues: write # needed for opening/editing an issue upon build failure + runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/poetry_lockfile.yaml b/.github/workflows/poetry_lockfile.yaml index 06545bd18a5..68659815c27 100644 --- a/.github/workflows/poetry_lockfile.yaml +++ b/.github/workflows/poetry_lockfile.yaml @@ -11,12 +11,17 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: check-sdists: name: "Check locked dependencies have sdists" runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.x' diff --git a/.github/workflows/push_complement_image.yml b/.github/workflows/push_complement_image.yml index 6f4c966cdc4..a39653cc35b 100644 --- a/.github/workflows/push_complement_image.yml +++ b/.github/workflows/push_complement_image.yml @@ -17,6 +17,9 @@ on: - develop - master +permissions: + contents: read + # Only run this action once per pull request/branch; restart if a new commit arrives. # C.f. https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#concurrency # and https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context @@ -30,22 +33,25 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - packages: write + packages: write # needed to push the image to ghcr.io steps: - name: Checkout specific branch (debug build) uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 if: github.event_name == 'workflow_dispatch' with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Checkout clean copy of develop (scheduled build) uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 if: github.event_name == 'schedule' with: + persist-credentials: false ref: develop - name: Checkout clean copy of master (on-push) uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 if: github.event_name == 'push' with: + persist-credentials: false ref: master # We use `poetry` in `complement.sh` - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0 @@ -70,8 +76,10 @@ jobs: - name: Run scripts-dev/complement.sh to generate complement-synapse:latest image. run: scripts-dev/complement.sh --build-only - name: Tag and push generated image + env: + TAGS: ${{ join(fromJson(steps.meta.outputs.json).tags, ' ') }} run: | - for TAG in ${{ join(fromJson(steps.meta.outputs.json).tags, ' ') }}; do + for TAG in $TAGS; do echo "tag and push $TAG" # `localhost/complement-synapse` should match the image created by `scripts-dev/complement.sh` docker tag localhost/complement-synapse $TAG diff --git a/.github/workflows/release-artifacts.yml b/.github/workflows/release-artifacts.yml index c6b9f60bafb..83004b3747c 100644 --- a/.github/workflows/release-artifacts.yml +++ b/.github/workflows/release-artifacts.yml @@ -20,7 +20,7 @@ concurrency: cancel-in-progress: true permissions: - contents: write + contents: read jobs: get-distros: @@ -28,6 +28,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" @@ -63,6 +65,7 @@ jobs: - name: Checkout uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: + persist-credentials: false path: src - name: Set up Docker Buildx @@ -70,6 +73,11 @@ jobs: uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Set up docker layer caching + # Skip the cache when building from a tag so that the released debs + # cannot be influenced by a poisoned cache. The lint cannot see the + # `if` condition, hence the ignore. + # zizmor: ignore[cache-poisoning] + if: ${{ !startsWith(github.ref, 'refs/tags/') }} uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: /tmp/.buildx-cache @@ -85,13 +93,15 @@ jobs: - name: Build the packages # see https://github.com/docker/build-push-action/issues/252 # for the cache magic here + env: + DISTRO: ${{ matrix.distro }} run: | ./src/scripts-dev/build_debian_packages.py \ --docker-build-arg=--cache-from=type=local,src=/tmp/.buildx-cache \ --docker-build-arg=--cache-to=type=local,mode=max,dest=/tmp/.buildx-cache-new \ --docker-build-arg=--progress=plain \ --docker-build-arg=--load \ - "${{ matrix.distro }}" + "$DISTRO" rm -rf /tmp/.buildx-cache mv /tmp/.buildx-cache-new /tmp/.buildx-cache @@ -130,6 +140,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: @@ -168,6 +180,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.10" @@ -191,6 +205,8 @@ jobs: - build-wheels - build-sdist runs-on: ubuntu-latest + permissions: + contents: write # needed to upload the release artifacts steps: - name: Download all workflow run artifacts uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -204,9 +220,10 @@ jobs: - name: Attach to release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + REF_NAME: ${{ github.ref_name }} run: | - gh release upload "${{ github.ref_name }}" \ + gh release upload "$REF_NAME" \ Sdist/* \ Wheel*/* \ debs.tar.xz \ - --repo ${{ github.repository }} + --repo "$GITHUB_REPOSITORY" diff --git a/.github/workflows/schema.yaml b/.github/workflows/schema.yaml index e36114d3542..c69ac6be974 100644 --- a/.github/workflows/schema.yaml +++ b/.github/workflows/schema.yaml @@ -9,12 +9,17 @@ on: branches: ["develop", "release-*"] workflow_dispatch: +permissions: + contents: read + jobs: validate-schema: name: Ensure Synapse config schema is valid runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" @@ -41,6 +46,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 45fa2b8cad2..ee5b1a6b61f 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -1,5 +1,9 @@ name: Tests +# NOTE: .github/zizmor.yml carries a cache-poisoning exception for this entire +# file because this step doesn't publish anything at the moment. If this +# changes, the exception should be removed. + on: push: branches: ["develop", "release-*"] @@ -7,6 +11,9 @@ on: merge_group: workflow_dispatch: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -107,6 +114,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master with: @@ -127,6 +136,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" @@ -137,6 +148,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" @@ -150,6 +163,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup Poetry uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0 @@ -172,6 +187,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -198,7 +215,7 @@ jobs: with: path: | .mypy_cache - key: mypy-cache-${{ github.context.sha }} + key: mypy-cache-${{ github.sha }} restore-keys: mypy-cache- - name: Run mypy @@ -208,6 +225,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Check line endings run: scripts-dev/check_line_terminators.sh @@ -218,6 +237,7 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: + persist-credentials: false ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 @@ -235,6 +255,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -254,6 +276,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -272,6 +296,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -308,6 +334,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -327,6 +355,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: @@ -345,6 +375,8 @@ jobs: if: ${{ needs.changes.outputs.linting_readme == 'true' }} steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" @@ -394,6 +426,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" @@ -415,18 +449,22 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - run: sudo apt-get -qq install xmlsec1 - name: Set up PostgreSQL ${{ matrix.job.postgres-version }} if: ${{ matrix.job.postgres-version }} # 1. Mount postgres data files onto a tmpfs in-memory filesystem to reduce overhead of docker's overlayfs layer. # 2. Expose the unix socket for postgres. This removes latency of using docker-proxy for connections. + env: + POSTGRES_VERSION: ${{ matrix.job.postgres-version }} run: | docker run -d -p 5432:5432 \ --tmpfs /var/lib/postgres:rw,size=6144m \ --mount 'type=bind,src=/var/run/postgresql,dst=/var/run/postgresql' \ -e POSTGRES_PASSWORD=postgres \ -e POSTGRES_INITDB_ARGS="--lc-collate C --lc-ctype C --encoding UTF8" \ - postgres:${{ matrix.job.postgres-version }} + "postgres:$POSTGRES_VERSION" - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -471,6 +509,8 @@ jobs: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -534,6 +574,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false # Install libs necessary for PyPy to build binary wheels for dependencies - run: sudo apt-get -qq install xmlsec1 libxml2-dev libxslt-dev - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0 @@ -584,6 +626,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Prepare test blacklist run: cat sytest-blacklist .ci/worker-blacklist > synapse-blacklist-with-workers @@ -617,7 +661,7 @@ jobs: services: postgres: - image: postgres + image: postgres:17 ports: - 5432:5432 env: @@ -631,6 +675,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - run: sudo apt-get -qq install xmlsec1 postgresql-client - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0 with: @@ -674,6 +720,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Add PostgreSQL apt repository # We need a version of pg_dump that can handle the version of # PostgreSQL being tested against. The Ubuntu package repository lags @@ -727,6 +775,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -748,6 +798,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master diff --git a/.github/workflows/triage-incoming.yml b/.github/workflows/triage-incoming.yml index 1d291a319b8..93cc4181538 100644 --- a/.github/workflows/triage-incoming.yml +++ b/.github/workflows/triage-incoming.yml @@ -4,6 +4,9 @@ on: issues: types: [ opened ] +permissions: + contents: read + jobs: triage: uses: matrix-org/backend-meta/.github/workflows/triage-incoming.yml@18beaf3c8e536108bd04d18e6c3dc40ba3931e28 # v2.0.3 diff --git a/.github/workflows/triage_labelled.yml b/.github/workflows/triage_labelled.yml index 85d7be7b34a..f3c7d8efad2 100644 --- a/.github/workflows/triage_labelled.yml +++ b/.github/workflows/triage_labelled.yml @@ -4,13 +4,14 @@ on: issues: types: [ labeled ] +permissions: + contents: read + jobs: move_needs_info: runs-on: ubuntu-latest if: > contains(github.event.issue.labels.*.name, 'X-Needs-Info') - permissions: - contents: read env: # This token must have the following scopes: ["repo:public_repo", "admin:org->read:org", "user->read:user", "project"] GITHUB_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }} @@ -24,6 +25,7 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: + persist-credentials: false # Only clone the script file we care about, instead of the whole repo. sparse-checkout: .ci/scripts/triage_labelled_issue.sh diff --git a/.github/workflows/twisted_trunk.yml b/.github/workflows/twisted_trunk.yml index 1b906f7f440..b88dacd840c 100644 --- a/.github/workflows/twisted_trunk.yml +++ b/.github/workflows/twisted_trunk.yml @@ -1,5 +1,8 @@ name: Twisted Trunk +permissions: + contents: read + on: schedule: - cron: 0 8 * * * @@ -34,7 +37,9 @@ jobs: should_run_workflow: ${{ steps.check_condition.outputs.should_run_workflow }} steps: - id: check_condition - run: echo "should_run_workflow=${{ github.repository == 'element-hq/synapse' }}" >> "$GITHUB_OUTPUT" + env: + SHOULD_RUN_WORKFLOW: ${{ github.repository == 'element-hq/synapse' }} + run: echo "should_run_workflow=$SHOULD_RUN_WORKFLOW" >> "$GITHUB_OUTPUT" mypy: needs: check_repo @@ -43,6 +48,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -55,9 +62,11 @@ jobs: python-version: "3.x" extras: "all" poetry-version: "2.4.1" - - run: | + - env: + TWISTED_REF: ${{ inputs.twisted_ref || 'trunk' }} + run: | poetry remove twisted - poetry add --extras tls git+https://github.com/twisted/twisted.git#${{ inputs.twisted_ref || 'trunk' }} + poetry add --extras tls "git+https://github.com/twisted/twisted.git#$TWISTED_REF" poetry install --no-interaction --extras "all test" - name: Remove unhelpful options from mypy config run: sed -e '/warn_unused_ignores = True/d' -e '/warn_redundant_casts = True/d' -i mypy.ini @@ -70,6 +79,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - run: sudo apt-get -qq install xmlsec1 - name: Install Rust @@ -116,6 +127,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -169,10 +182,16 @@ jobs: - sytest - complement + permissions: + contents: read # needed to check out the issue template + issues: write # needed for opening/editing an issue upon build failure + runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000000..eb32fecb11c --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,32 @@ +# Lint GitHub Actions workflows using zizmor (https://docs.zizmor.sh/). +# +# The job fails on any finding; false positives can be ignored via +# `.github/zizmor.yml` or inline `# zizmor: ignore[rule]` comments. + +name: Lint GitHub Actions workflows + +on: + push: + branches: ["develop", "release-*"] + pull_request: + workflow_dispatch: + +permissions: + contents: read + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7 + with: + # Fail the job on findings instead of uploading them to GitHub + # code scanning, so that this works without GitHub Advanced Security. + advanced-security: false diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 00000000000..894ff442a23 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,11 @@ +# Configuration for the zizmor GitHub Actions security scanner. +# See https://docs.zizmor.sh/configuration/ + +rules: + cache-poisoning: + # The cache-poisoning findings in tests.yml are all false positives. The + # findings are produced because its `push` trigger *could* belong to a + # publishing workflow, but it publishes nothing. Its only artifacts are + # test logs. + ignore: + - tests.yml diff --git a/changelog.d/19914.misc b/changelog.d/19914.misc new file mode 100644 index 00000000000..029c3dd5016 --- /dev/null +++ b/changelog.d/19914.misc @@ -0,0 +1 @@ +Harden the CI workflows and enforce this with a new zizmor lint workflow. Also fix a cache key calculation in one of the steps along the way. Contributed by Denis Kasak (@dkasak).