From 66255df940ce1bd76254ea6d570bdeff3667ca8a Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Mon, 6 Jul 2026 17:20:14 +0200 Subject: [PATCH 01/28] Fix broad permissions in the docs.yaml workflow --- .github/workflows/docs.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 7236bf99d93..b2c18d46539 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -1,5 +1,8 @@ name: Deploy the documentation +permissions: + contents: read + on: push: branches: @@ -46,6 +49,8 @@ jobs: ################################################################################ pages-docs: name: GitHub Pages + permissions: + contents: write runs-on: ubuntu-latest needs: - pre From 9f1dbd079519a64cd4acede4939e331a41e06685 Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Mon, 6 Jul 2026 17:29:12 +0200 Subject: [PATCH 02/28] Fix broad permissions in the tests.yml workflow --- .github/workflows/tests.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 45fa2b8cad2..367731cca42 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -7,6 +7,9 @@ on: merge_group: workflow_dispatch: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true From 9dd90be6615321f71ff34c0aeeb0120f728b6e4f Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Mon, 6 Jul 2026 20:19:09 +0200 Subject: [PATCH 03/28] Fix broad permissions in the twisted_trunk.yml workflow --- .github/workflows/twisted_trunk.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/twisted_trunk.yml b/.github/workflows/twisted_trunk.yml index 1b906f7f440..f0c520583cd 100644 --- a/.github/workflows/twisted_trunk.yml +++ b/.github/workflows/twisted_trunk.yml @@ -1,5 +1,8 @@ name: Twisted Trunk +permissions: + contents: read + on: schedule: - cron: 0 8 * * * @@ -169,6 +172,10 @@ jobs: - sytest - complement + permissions: + contents: read + issues: write + runs-on: ubuntu-latest steps: From 87ec3ce80e39f0fb4b3c931fe90d173b4229f84c Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Mon, 6 Jul 2026 20:19:56 +0200 Subject: [PATCH 04/28] Fix broad permissions in the triage-incoming.yml workflow --- .github/workflows/triage-incoming.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/triage-incoming.yml b/.github/workflows/triage-incoming.yml index 1d291a319b8..51f70036638 100644 --- a/.github/workflows/triage-incoming.yml +++ b/.github/workflows/triage-incoming.yml @@ -4,6 +4,10 @@ on: issues: types: [ opened ] +permissions: + contents: read + issues: write + jobs: triage: uses: matrix-org/backend-meta/.github/workflows/triage-incoming.yml@18beaf3c8e536108bd04d18e6c3dc40ba3931e28 # v2.0.3 From c36cf13789d5c312f6707fe2b4862db4d8eea6e2 Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Mon, 6 Jul 2026 20:20:42 +0200 Subject: [PATCH 05/28] Fix broad permissions in the latest_deps.yml workflow --- .github/workflows/latest_deps.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/latest_deps.yml b/.github/workflows/latest_deps.yml index 815593ffcd0..855f5ff81a5 100644 --- a/.github/workflows/latest_deps.yml +++ b/.github/workflows/latest_deps.yml @@ -17,6 +17,9 @@ on: - cron: 0 7 * * * workflow_dispatch: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -198,6 +201,10 @@ jobs: - sytest - complement + permissions: + contents: read + issues: write + runs-on: ubuntu-latest steps: From c04dfaa0907225956fe58b271f853c488fe9feea Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Mon, 6 Jul 2026 20:24:39 +0200 Subject: [PATCH 06/28] Fix broad permissions in the schema.yaml workflow --- .github/workflows/schema.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/schema.yaml b/.github/workflows/schema.yaml index e36114d3542..c6f6c37faef 100644 --- a/.github/workflows/schema.yaml +++ b/.github/workflows/schema.yaml @@ -9,6 +9,9 @@ on: branches: ["develop", "release-*"] workflow_dispatch: +permissions: + contents: read + jobs: validate-schema: name: Ensure Synapse config schema is valid From 154b51a8dfccf84206cf3abf21ea978eea301a07 Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Mon, 6 Jul 2026 20:25:04 +0200 Subject: [PATCH 07/28] Fix broad permissions in the poetry_lockfile.yaml workflow --- .github/workflows/poetry_lockfile.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/poetry_lockfile.yaml b/.github/workflows/poetry_lockfile.yaml index 06545bd18a5..4d0fccf72f5 100644 --- a/.github/workflows/poetry_lockfile.yaml +++ b/.github/workflows/poetry_lockfile.yaml @@ -11,6 +11,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: check-sdists: name: "Check locked dependencies have sdists" From bdac08f5a5ca97cbc8bc819a8a00fcc2a37f5933 Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Mon, 6 Jul 2026 20:26:01 +0200 Subject: [PATCH 08/28] Fix broad permissions in the fix_lint.yaml workflow --- .github/workflows/fix_lint.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/fix_lint.yaml b/.github/workflows/fix_lint.yaml index e0817698f40..6af1761fbb4 100644 --- a/.github/workflows/fix_lint.yaml +++ b/.github/workflows/fix_lint.yaml @@ -6,6 +6,9 @@ name: Attempt to automatically fix linting errors on: workflow_dispatch: +permissions: + contents: write + env: # We use nightly so that `fmt` correctly groups together imports, and # clippy correctly fixes up the benchmarks. From f38d4984929cb52cd96f36c2b297ae0ece799ecb Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Mon, 6 Jul 2026 20:26:27 +0200 Subject: [PATCH 09/28] Fix broad permissions in the docs-pr.yaml workflow --- .github/workflows/docs-pr.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/docs-pr.yaml b/.github/workflows/docs-pr.yaml index e1a5b7be894..6f1948ae29e 100644 --- a/.github/workflows/docs-pr.yaml +++ b/.github/workflows/docs-pr.yaml @@ -8,6 +8,9 @@ on: - .github/workflows/docs-pr.yaml - scripts-dev/schema_versions.py +permissions: + contents: read + jobs: pages: name: GitHub Pages From 8dc9f8d04a8bb14f63c74c0f58d3353beba774bf Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Tue, 7 Jul 2026 10:30:12 +0200 Subject: [PATCH 10/28] Make permissions block global in triage_labelled.yml --- .github/workflows/triage_labelled.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/triage_labelled.yml b/.github/workflows/triage_labelled.yml index 85d7be7b34a..780e77968a9 100644 --- a/.github/workflows/triage_labelled.yml +++ b/.github/workflows/triage_labelled.yml @@ -4,13 +4,14 @@ on: issues: types: [ labeled ] +permissions: + contents: read + jobs: move_needs_info: runs-on: ubuntu-latest if: > contains(github.event.issue.labels.*.name, 'X-Needs-Info') - permissions: - contents: read env: # This token must have the following scopes: ["repo:public_repo", "admin:org->read:org", "user->read:user", "project"] GITHUB_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }} From d33dc51dda580215bacc107b0676e18d1af3e827 Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Tue, 7 Jul 2026 11:09:30 +0200 Subject: [PATCH 11/28] Globally restrict permissions in docker.yml and relax only at job level --- .github/workflows/docker.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 39ddb619183..e19f67a71ca 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -10,12 +10,15 @@ on: permissions: contents: read - packages: write - id-token: write # needed for signing the images with GitHub OIDC Token + jobs: build: name: Build and push image for ${{ matrix.platform }} runs-on: ${{ matrix.runs_on }} + permissions: + contents: read + packages: write # needed to push the image to ghcr.io + id-token: write # needed for the vault and tailscale OIDC auth strategy: matrix: include: @@ -118,6 +121,9 @@ jobs: merge: name: Push merged images to ${{ matrix.repository }} runs-on: ubuntu-latest + permissions: + packages: write # needed to push the image to ghcr.io + id-token: write # needed for signing the images with GitHub OIDC Token, and for the vault and tailscale OIDC auth strategy: matrix: repository: From 62f1557348647594d2d8ad46f9feac4a5af06ff3 Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Tue, 7 Jul 2026 11:09:30 +0200 Subject: [PATCH 12/28] Add a global read-only permission block to push_complement_image.yml --- .github/workflows/push_complement_image.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/push_complement_image.yml b/.github/workflows/push_complement_image.yml index 6f4c966cdc4..3dff05b49f3 100644 --- a/.github/workflows/push_complement_image.yml +++ b/.github/workflows/push_complement_image.yml @@ -17,6 +17,9 @@ on: - develop - master +permissions: + contents: read + # Only run this action once per pull request/branch; restart if a new commit arrives. # C.f. https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#concurrency # and https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context From 643182d28d53bfbfe068d45673d9fc38f4a0bde8 Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Tue, 7 Jul 2026 11:09:30 +0200 Subject: [PATCH 13/28] Fix code injection in the release-artifacts.yml workflow --- .github/workflows/release-artifacts.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-artifacts.yml b/.github/workflows/release-artifacts.yml index c6b9f60bafb..99bf72fef5d 100644 --- a/.github/workflows/release-artifacts.yml +++ b/.github/workflows/release-artifacts.yml @@ -204,8 +204,9 @@ jobs: - name: Attach to release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + REF_NAME: ${{ github.ref_name }} run: | - gh release upload "${{ github.ref_name }}" \ + gh release upload "$REF_NAME" \ Sdist/* \ Wheel*/* \ debs.tar.xz \ From 4ebbe54cd5908613082d6da919737f5c6f47636d Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Tue, 7 Jul 2026 09:26:29 +0000 Subject: [PATCH 14/28] Fix broad permissions in the release-artifacts.yml workflow --- .github/workflows/release-artifacts.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-artifacts.yml b/.github/workflows/release-artifacts.yml index 99bf72fef5d..aa05ec822a7 100644 --- a/.github/workflows/release-artifacts.yml +++ b/.github/workflows/release-artifacts.yml @@ -20,7 +20,7 @@ concurrency: cancel-in-progress: true permissions: - contents: write + contents: read jobs: get-distros: @@ -191,6 +191,8 @@ jobs: - build-wheels - build-sdist runs-on: ubuntu-latest + permissions: + contents: write # needed to upload the release artifacts steps: - name: Download all workflow run artifacts uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 From bb59b0e5c9b386de085b4ceb92a18b5a62a2a02d Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Tue, 7 Jul 2026 09:26:50 +0000 Subject: [PATCH 15/28] Avoid interpolating expressions into scripts in the release-artifacts.yml workflow --- .github/workflows/release-artifacts.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release-artifacts.yml b/.github/workflows/release-artifacts.yml index aa05ec822a7..b69f9120cb9 100644 --- a/.github/workflows/release-artifacts.yml +++ b/.github/workflows/release-artifacts.yml @@ -85,13 +85,15 @@ jobs: - name: Build the packages # see https://github.com/docker/build-push-action/issues/252 # for the cache magic here + env: + DISTRO: ${{ matrix.distro }} run: | ./src/scripts-dev/build_debian_packages.py \ --docker-build-arg=--cache-from=type=local,src=/tmp/.buildx-cache \ --docker-build-arg=--cache-to=type=local,mode=max,dest=/tmp/.buildx-cache-new \ --docker-build-arg=--progress=plain \ --docker-build-arg=--load \ - "${{ matrix.distro }}" + "$DISTRO" rm -rf /tmp/.buildx-cache mv /tmp/.buildx-cache-new /tmp/.buildx-cache @@ -212,4 +214,4 @@ jobs: Sdist/* \ Wheel*/* \ debs.tar.xz \ - --repo ${{ github.repository }} + --repo "$GITHUB_REPOSITORY" From 8ac0611f0ade177174f5409fe64d0efb50cd5fbb Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Tue, 7 Jul 2026 09:27:09 +0000 Subject: [PATCH 16/28] Don't persist git credentials after checkout in CI workflows --- .github/workflows/complement_tests.yml | 1 + .github/workflows/docker.yml | 2 + .github/workflows/docs-pr.yaml | 3 ++ .github/workflows/docs.yaml | 1 + .github/workflows/latest_deps.yml | 8 ++++ .github/workflows/poetry_lockfile.yaml | 2 + .github/workflows/push_complement_image.yml | 3 ++ .github/workflows/release-artifacts.yml | 7 ++++ .github/workflows/schema.yaml | 4 ++ .github/workflows/tests.yml | 43 +++++++++++++++++++++ .github/workflows/triage_labelled.yml | 1 + .github/workflows/twisted_trunk.yml | 8 ++++ 12 files changed, 83 insertions(+) diff --git a/.github/workflows/complement_tests.yml b/.github/workflows/complement_tests.yml index a891802ac89..d01e2e95f94 100644 --- a/.github/workflows/complement_tests.yml +++ b/.github/workflows/complement_tests.yml @@ -42,6 +42,7 @@ jobs: uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: path: synapse + persist-credentials: false # Log Docker system info for debugging (compare with your local environment) and # tracking GitHub runner changes over time (can easily compare a run from last diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index e19f67a71ca..4cef089b759 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -35,6 +35,8 @@ jobs: - name: Checkout repository uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Extract version from pyproject.toml # Note: explicitly requesting bash will mean bash is invoked with `-eo pipefail`, see diff --git a/.github/workflows/docs-pr.yaml b/.github/workflows/docs-pr.yaml index 6f1948ae29e..88e838d322e 100644 --- a/.github/workflows/docs-pr.yaml +++ b/.github/workflows/docs-pr.yaml @@ -18,6 +18,7 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: + persist-credentials: false # Fetch all history so that the schema_versions script works. fetch-depth: 0 @@ -54,6 +55,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup mdbook uses: peaceiris/actions-mdbook@ee69d230fe19748b7abf22df32acaa93833fad08 # v2.0.0 diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index b2c18d46539..418b87d90fa 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -57,6 +57,7 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: + persist-credentials: false # Fetch all history so that the schema_versions script works. fetch-depth: 0 diff --git a/.github/workflows/latest_deps.yml b/.github/workflows/latest_deps.yml index 855f5ff81a5..49b521894dd 100644 --- a/.github/workflows/latest_deps.yml +++ b/.github/workflows/latest_deps.yml @@ -46,6 +46,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master with: @@ -81,6 +83,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -155,6 +159,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -209,6 +215,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/poetry_lockfile.yaml b/.github/workflows/poetry_lockfile.yaml index 4d0fccf72f5..68659815c27 100644 --- a/.github/workflows/poetry_lockfile.yaml +++ b/.github/workflows/poetry_lockfile.yaml @@ -20,6 +20,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.x' diff --git a/.github/workflows/push_complement_image.yml b/.github/workflows/push_complement_image.yml index 3dff05b49f3..314c2e12500 100644 --- a/.github/workflows/push_complement_image.yml +++ b/.github/workflows/push_complement_image.yml @@ -39,16 +39,19 @@ jobs: uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 if: github.event_name == 'workflow_dispatch' with: + persist-credentials: false ref: ${{ inputs.branch }} - name: Checkout clean copy of develop (scheduled build) uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 if: github.event_name == 'schedule' with: + persist-credentials: false ref: develop - name: Checkout clean copy of master (on-push) uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 if: github.event_name == 'push' with: + persist-credentials: false ref: master # We use `poetry` in `complement.sh` - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0 diff --git a/.github/workflows/release-artifacts.yml b/.github/workflows/release-artifacts.yml index b69f9120cb9..5e75847438f 100644 --- a/.github/workflows/release-artifacts.yml +++ b/.github/workflows/release-artifacts.yml @@ -28,6 +28,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" @@ -63,6 +65,7 @@ jobs: - name: Checkout uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: + persist-credentials: false path: src - name: Set up Docker Buildx @@ -132,6 +135,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: @@ -170,6 +175,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.10" diff --git a/.github/workflows/schema.yaml b/.github/workflows/schema.yaml index c6f6c37faef..c69ac6be974 100644 --- a/.github/workflows/schema.yaml +++ b/.github/workflows/schema.yaml @@ -18,6 +18,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" @@ -44,6 +46,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 367731cca42..66497ae6322 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -110,6 +110,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master with: @@ -130,6 +132,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" @@ -140,6 +144,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" @@ -153,6 +159,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup Poetry uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0 @@ -175,6 +183,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -211,6 +221,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Check line endings run: scripts-dev/check_line_terminators.sh @@ -221,6 +233,7 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: + persist-credentials: false ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 @@ -238,6 +251,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -257,6 +272,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -275,6 +292,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -311,6 +330,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -330,6 +351,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: @@ -348,6 +371,8 @@ jobs: if: ${{ needs.changes.outputs.linting_readme == 'true' }} steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" @@ -397,6 +422,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" @@ -418,6 +445,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - run: sudo apt-get -qq install xmlsec1 - name: Set up PostgreSQL ${{ matrix.job.postgres-version }} if: ${{ matrix.job.postgres-version }} @@ -474,6 +503,8 @@ jobs: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -537,6 +568,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false # Install libs necessary for PyPy to build binary wheels for dependencies - run: sudo apt-get -qq install xmlsec1 libxml2-dev libxslt-dev - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0 @@ -587,6 +620,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Prepare test blacklist run: cat sytest-blacklist .ci/worker-blacklist > synapse-blacklist-with-workers @@ -634,6 +669,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - run: sudo apt-get -qq install xmlsec1 postgresql-client - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0 with: @@ -677,6 +714,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Add PostgreSQL apt repository # We need a version of pg_dump that can handle the version of # PostgreSQL being tested against. The Ubuntu package repository lags @@ -730,6 +769,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -751,6 +792,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master diff --git a/.github/workflows/triage_labelled.yml b/.github/workflows/triage_labelled.yml index 780e77968a9..f3c7d8efad2 100644 --- a/.github/workflows/triage_labelled.yml +++ b/.github/workflows/triage_labelled.yml @@ -25,6 +25,7 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: + persist-credentials: false # Only clone the script file we care about, instead of the whole repo. sparse-checkout: .ci/scripts/triage_labelled_issue.sh diff --git a/.github/workflows/twisted_trunk.yml b/.github/workflows/twisted_trunk.yml index f0c520583cd..18f4fb349c3 100644 --- a/.github/workflows/twisted_trunk.yml +++ b/.github/workflows/twisted_trunk.yml @@ -46,6 +46,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -73,6 +75,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - run: sudo apt-get -qq install xmlsec1 - name: Install Rust @@ -119,6 +123,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master @@ -180,6 +186,8 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From ecdbe20e6c8e5603fe9fa00fa9ef9ada3d4de669 Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Tue, 7 Jul 2026 12:13:36 +0200 Subject: [PATCH 17/28] Explicitly ignore the artipacked zizmor lint for fix_lint.yaml --- .github/workflows/fix_lint.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/fix_lint.yaml b/.github/workflows/fix_lint.yaml index 6af1761fbb4..909b045c3f0 100644 --- a/.github/workflows/fix_lint.yaml +++ b/.github/workflows/fix_lint.yaml @@ -24,6 +24,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + # zizmor: ignore[artipacked] + # The git-auto-commit-action step below reuses the GITHUB_TOKEN - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master From 8b3b4d84234eb77f62ea69963be74291621a1192 Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Tue, 7 Jul 2026 10:55:42 +0000 Subject: [PATCH 18/28] Avoid interpolating expressions into scripts in CI workflows --- .github/workflows/docker.yml | 7 ++++--- .github/workflows/docs.yaml | 4 +++- .github/workflows/push_complement_image.yml | 4 +++- .github/workflows/twisted_trunk.yml | 6 ++++-- 4 files changed, 14 insertions(+), 7 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 4cef089b759..b777045043b 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -107,10 +107,11 @@ jobs: outputs: type=image,push-by-digest=true,name-canonical=true,push=true - name: Export digest + env: + DIGEST: ${{ steps.build.outputs.digest }} run: | - mkdir -p ${{ runner.temp }}/digests - digest="${{ steps.build.outputs.digest }}" - touch "${{ runner.temp }}/digests/${digest#sha256:}" + mkdir -p "$RUNNER_TEMP/digests" + touch "$RUNNER_TEMP/digests/${DIGEST#sha256:}" - name: Upload digest uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 418b87d90fa..7aa664dc8e4 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -67,7 +67,9 @@ jobs: mdbook-version: '0.5.2' - name: Set version of docs - run: echo 'window.SYNAPSE_VERSION = "${{ needs.pre.outputs.branch-version }}";' > ./docs/website_files/version.js + env: + BRANCH_VERSION: ${{ needs.pre.outputs.branch-version }} + run: echo "window.SYNAPSE_VERSION = \"$BRANCH_VERSION\";" > ./docs/website_files/version.js - name: Setup python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 diff --git a/.github/workflows/push_complement_image.yml b/.github/workflows/push_complement_image.yml index 314c2e12500..b712a098cca 100644 --- a/.github/workflows/push_complement_image.yml +++ b/.github/workflows/push_complement_image.yml @@ -76,8 +76,10 @@ jobs: - name: Run scripts-dev/complement.sh to generate complement-synapse:latest image. run: scripts-dev/complement.sh --build-only - name: Tag and push generated image + env: + TAGS: ${{ join(fromJson(steps.meta.outputs.json).tags, ' ') }} run: | - for TAG in ${{ join(fromJson(steps.meta.outputs.json).tags, ' ') }}; do + for TAG in $TAGS; do echo "tag and push $TAG" # `localhost/complement-synapse` should match the image created by `scripts-dev/complement.sh` docker tag localhost/complement-synapse $TAG diff --git a/.github/workflows/twisted_trunk.yml b/.github/workflows/twisted_trunk.yml index 18f4fb349c3..2a6564ad8f7 100644 --- a/.github/workflows/twisted_trunk.yml +++ b/.github/workflows/twisted_trunk.yml @@ -60,9 +60,11 @@ jobs: python-version: "3.x" extras: "all" poetry-version: "2.4.1" - - run: | + - env: + TWISTED_REF: ${{ inputs.twisted_ref || 'trunk' }} + run: | poetry remove twisted - poetry add --extras tls git+https://github.com/twisted/twisted.git#${{ inputs.twisted_ref || 'trunk' }} + poetry add --extras tls "git+https://github.com/twisted/twisted.git#$TWISTED_REF" poetry install --no-interaction --extras "all test" - name: Remove unhelpful options from mypy config run: sed -e '/warn_unused_ignores = True/d' -e '/warn_redundant_casts = True/d' -i mypy.ini From 8b7a318a18d18b006d495cda2b7438ce7a028ee4 Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Tue, 7 Jul 2026 11:44:25 +0000 Subject: [PATCH 19/28] Pin the postgres image version in tests.yml --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 66497ae6322..61821994ef1 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -655,7 +655,7 @@ jobs: services: postgres: - image: postgres + image: postgres:17 ports: - 5432:5432 env: From ec7b7e131fc717b311f0be6df77587864bf36999 Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Tue, 7 Jul 2026 11:44:26 +0000 Subject: [PATCH 20/28] Skip the docker layer cache when building debs from a tag --- .github/workflows/release-artifacts.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/release-artifacts.yml b/.github/workflows/release-artifacts.yml index 5e75847438f..83004b3747c 100644 --- a/.github/workflows/release-artifacts.yml +++ b/.github/workflows/release-artifacts.yml @@ -73,6 +73,11 @@ jobs: uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Set up docker layer caching + # Skip the cache when building from a tag so that the released debs + # cannot be influenced by a poisoned cache. The lint cannot see the + # `if` condition, hence the ignore. + # zizmor: ignore[cache-poisoning] + if: ${{ !startsWith(github.ref, 'refs/tags/') }} uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: /tmp/.buildx-cache From 20cd995f3b1205a68efbf4c1cf5321204aab491d Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Tue, 7 Jul 2026 12:21:40 +0000 Subject: [PATCH 21/28] Fix the mypy cache key in tests.yml `github.context` isn't defined in this context, so the entire `github.context.sha` expression evaluates to an empty string. As the comment above it says, the recipe was cribbed from a TypeScript script where `github.context` *is* defined, unlike within a GHA workflow file. The correct replacement in a workflow file is `github.sha`. --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 61821994ef1..d4233e62dd2 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -211,7 +211,7 @@ jobs: with: path: | .mypy_cache - key: mypy-cache-${{ github.context.sha }} + key: mypy-cache-${{ github.sha }} restore-keys: mypy-cache- - name: Run mypy From edcee320318f7ed50a4dd89d8dab2cd997a3151f Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Tue, 7 Jul 2026 14:28:02 +0200 Subject: [PATCH 22/28] Add a documented exception for zizmor's cache-poisoning for tests.yml --- .github/workflows/tests.yml | 4 ++++ .github/zizmor.yml | 11 +++++++++++ 2 files changed, 15 insertions(+) create mode 100644 .github/zizmor.yml diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index d4233e62dd2..56060dfcbcd 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -1,5 +1,9 @@ name: Tests +# NOTE: .github/zizmor.yml carries a cache-poisoning exception for this entire +# file because this step doesn't publish anything at the moment. If this +# changes, the exception should be removed. + on: push: branches: ["develop", "release-*"] diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 00000000000..894ff442a23 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,11 @@ +# Configuration for the zizmor GitHub Actions security scanner. +# See https://docs.zizmor.sh/configuration/ + +rules: + cache-poisoning: + # The cache-poisoning findings in tests.yml are all false positives. The + # findings are produced because its `push` trigger *could* belong to a + # publishing workflow, but it publishes nothing. Its only artifacts are + # test logs. + ignore: + - tests.yml From 100401a27e3dead2c988f9c0b786123549acb412 Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Tue, 7 Jul 2026 13:38:26 +0000 Subject: [PATCH 23/28] Fix broad permissions in the fix_lint.yaml workflow --- .github/workflows/fix_lint.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/fix_lint.yaml b/.github/workflows/fix_lint.yaml index 909b045c3f0..86f7c629816 100644 --- a/.github/workflows/fix_lint.yaml +++ b/.github/workflows/fix_lint.yaml @@ -7,7 +7,7 @@ on: workflow_dispatch: permissions: - contents: write + contents: read env: # We use nightly so that `fmt` correctly groups together imports, and @@ -20,6 +20,8 @@ jobs: fixup: name: Fix up runs-on: ubuntu-latest + permissions: + contents: write # needed to push the lint fixes back to the branch steps: - name: Checkout repository From 5f03d47c7d9063e2d1e2f6f4ee2041affa69e73c Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Tue, 7 Jul 2026 13:38:27 +0000 Subject: [PATCH 24/28] Remove an unused issues permission from the triage-incoming.yml workflow --- .github/workflows/triage-incoming.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/triage-incoming.yml b/.github/workflows/triage-incoming.yml index 51f70036638..93cc4181538 100644 --- a/.github/workflows/triage-incoming.yml +++ b/.github/workflows/triage-incoming.yml @@ -6,7 +6,6 @@ on: permissions: contents: read - issues: write jobs: triage: From 715270c4955967c37b697afb8b11080772961a77 Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Tue, 7 Jul 2026 13:41:57 +0000 Subject: [PATCH 25/28] Document the permissions blocks in CI workflows --- .github/workflows/docs.yaml | 2 +- .github/workflows/latest_deps.yml | 4 ++-- .github/workflows/push_complement_image.yml | 2 +- .github/workflows/twisted_trunk.yml | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 7aa664dc8e4..37c103952c6 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -50,7 +50,7 @@ jobs: pages-docs: name: GitHub Pages permissions: - contents: write + contents: write # needed to push the built docs to the gh-pages branch runs-on: ubuntu-latest needs: - pre diff --git a/.github/workflows/latest_deps.yml b/.github/workflows/latest_deps.yml index 49b521894dd..fa4eb8a9418 100644 --- a/.github/workflows/latest_deps.yml +++ b/.github/workflows/latest_deps.yml @@ -208,8 +208,8 @@ jobs: - complement permissions: - contents: read - issues: write + contents: read # needed to check out the issue template + issues: write # needed for opening/editing an issue upon build failure runs-on: ubuntu-latest diff --git a/.github/workflows/push_complement_image.yml b/.github/workflows/push_complement_image.yml index b712a098cca..a39653cc35b 100644 --- a/.github/workflows/push_complement_image.yml +++ b/.github/workflows/push_complement_image.yml @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - packages: write + packages: write # needed to push the image to ghcr.io steps: - name: Checkout specific branch (debug build) uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 diff --git a/.github/workflows/twisted_trunk.yml b/.github/workflows/twisted_trunk.yml index 2a6564ad8f7..0d1d741d81b 100644 --- a/.github/workflows/twisted_trunk.yml +++ b/.github/workflows/twisted_trunk.yml @@ -181,8 +181,8 @@ jobs: - complement permissions: - contents: read - issues: write + contents: read # needed to check out the issue template + issues: write # needed for opening/editing an issue upon build failure runs-on: ubuntu-latest From 458fc2bf380c97ad5bb10f38239f93d2dc2234f0 Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Tue, 7 Jul 2026 13:42:58 +0000 Subject: [PATCH 26/28] Avoid the remaining expression interpolations in CI workflow scripts --- .github/workflows/docker.yml | 4 ++-- .github/workflows/latest_deps.yml | 8 ++++++-- .github/workflows/tests.yml | 4 +++- .github/workflows/twisted_trunk.yml | 4 +++- 4 files changed, 14 insertions(+), 6 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index b777045043b..a507d31bead 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -68,7 +68,7 @@ jobs: - name: Compute vault jwt role name id: vault-jwt-role run: | - echo "role_name=github_service_management_$( echo "${{ github.repository }}" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT" + echo "role_name=github_service_management_$( echo "$GITHUB_REPOSITORY" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT" - name: Get team registry token id: import-secrets @@ -169,7 +169,7 @@ jobs: - name: Compute vault jwt role name id: vault-jwt-role run: | - echo "role_name=github_service_management_$( echo "${{ github.repository }}" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT" + echo "role_name=github_service_management_$( echo "$GITHUB_REPOSITORY" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT" - name: Get team registry token id: import-secrets diff --git a/.github/workflows/latest_deps.yml b/.github/workflows/latest_deps.yml index fa4eb8a9418..52e46b46e0f 100644 --- a/.github/workflows/latest_deps.yml +++ b/.github/workflows/latest_deps.yml @@ -38,7 +38,9 @@ jobs: should_run_workflow: ${{ steps.check_condition.outputs.should_run_workflow }} steps: - id: check_condition - run: echo "should_run_workflow=${{ github.repository == 'element-hq/synapse' }}" >> "$GITHUB_OUTPUT" + env: + SHOULD_RUN_WORKFLOW: ${{ github.repository == 'element-hq/synapse' }} + run: echo "should_run_workflow=$SHOULD_RUN_WORKFLOW" >> "$GITHUB_OUTPUT" mypy: needs: check_repo @@ -95,11 +97,13 @@ jobs: - run: sudo apt-get -qq install xmlsec1 - name: Set up PostgreSQL ${{ matrix.postgres-version }} if: ${{ matrix.postgres-version }} + env: + POSTGRES_VERSION: ${{ matrix.postgres-version }} run: | docker run -d -p 5432:5432 \ -e POSTGRES_PASSWORD=postgres \ -e POSTGRES_INITDB_ARGS="--lc-collate C --lc-ctype C --encoding UTF8" \ - postgres:${{ matrix.postgres-version }} + "postgres:$POSTGRES_VERSION" - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 56060dfcbcd..ee5b1a6b61f 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -456,13 +456,15 @@ jobs: if: ${{ matrix.job.postgres-version }} # 1. Mount postgres data files onto a tmpfs in-memory filesystem to reduce overhead of docker's overlayfs layer. # 2. Expose the unix socket for postgres. This removes latency of using docker-proxy for connections. + env: + POSTGRES_VERSION: ${{ matrix.job.postgres-version }} run: | docker run -d -p 5432:5432 \ --tmpfs /var/lib/postgres:rw,size=6144m \ --mount 'type=bind,src=/var/run/postgresql,dst=/var/run/postgresql' \ -e POSTGRES_PASSWORD=postgres \ -e POSTGRES_INITDB_ARGS="--lc-collate C --lc-ctype C --encoding UTF8" \ - postgres:${{ matrix.job.postgres-version }} + "postgres:$POSTGRES_VERSION" - name: Install Rust uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master diff --git a/.github/workflows/twisted_trunk.yml b/.github/workflows/twisted_trunk.yml index 0d1d741d81b..b88dacd840c 100644 --- a/.github/workflows/twisted_trunk.yml +++ b/.github/workflows/twisted_trunk.yml @@ -37,7 +37,9 @@ jobs: should_run_workflow: ${{ steps.check_condition.outputs.should_run_workflow }} steps: - id: check_condition - run: echo "should_run_workflow=${{ github.repository == 'element-hq/synapse' }}" >> "$GITHUB_OUTPUT" + env: + SHOULD_RUN_WORKFLOW: ${{ github.repository == 'element-hq/synapse' }} + run: echo "should_run_workflow=$SHOULD_RUN_WORKFLOW" >> "$GITHUB_OUTPUT" mypy: needs: check_repo From d685f64fe5ba7d52f86754272feb1212c45897cc Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Tue, 7 Jul 2026 14:40:47 +0000 Subject: [PATCH 27/28] Add a zizmor CI workflow to lint the GitHub Actions workflows --- .github/workflows/zizmor.yml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000000..eb32fecb11c --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,32 @@ +# Lint GitHub Actions workflows using zizmor (https://docs.zizmor.sh/). +# +# The job fails on any finding; false positives can be ignored via +# `.github/zizmor.yml` or inline `# zizmor: ignore[rule]` comments. + +name: Lint GitHub Actions workflows + +on: + push: + branches: ["develop", "release-*"] + pull_request: + workflow_dispatch: + +permissions: + contents: read + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7 + with: + # Fail the job on findings instead of uploading them to GitHub + # code scanning, so that this works without GitHub Advanced Security. + advanced-security: false From 15e8acd055778e0f7f52da9398473f2b9924de19 Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Tue, 7 Jul 2026 10:25:18 +0200 Subject: [PATCH 28/28] Add changelog entry --- changelog.d/19914.misc | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/19914.misc diff --git a/changelog.d/19914.misc b/changelog.d/19914.misc new file mode 100644 index 00000000000..029c3dd5016 --- /dev/null +++ b/changelog.d/19914.misc @@ -0,0 +1 @@ +Harden the CI workflows and enforce this with a new zizmor lint workflow. Also fix a cache key calculation in one of the steps along the way. Contributed by Denis Kasak (@dkasak).