Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
66255df
Fix broad permissions in the docs.yaml workflow
dkasak Jul 6, 2026
9f1dbd0
Fix broad permissions in the tests.yml workflow
dkasak Jul 6, 2026
9dd90be
Fix broad permissions in the twisted_trunk.yml workflow
dkasak Jul 6, 2026
87ec3ce
Fix broad permissions in the triage-incoming.yml workflow
dkasak Jul 6, 2026
c36cf13
Fix broad permissions in the latest_deps.yml workflow
dkasak Jul 6, 2026
c04dfaa
Fix broad permissions in the schema.yaml workflow
dkasak Jul 6, 2026
154b51a
Fix broad permissions in the poetry_lockfile.yaml workflow
dkasak Jul 6, 2026
bdac08f
Fix broad permissions in the fix_lint.yaml workflow
dkasak Jul 6, 2026
f38d498
Fix broad permissions in the docs-pr.yaml workflow
dkasak Jul 6, 2026
8dc9f8d
Make permissions block global in triage_labelled.yml
dkasak Jul 7, 2026
d33dc51
Globally restrict permissions in docker.yml and relax only at job level
dkasak Jul 7, 2026
62f1557
Add a global read-only permission block to push_complement_image.yml
dkasak Jul 7, 2026
643182d
Fix code injection in the release-artifacts.yml workflow
dkasak Jul 7, 2026
4ebbe54
Fix broad permissions in the release-artifacts.yml workflow
dkasak Jul 7, 2026
bb59b0e
Avoid interpolating expressions into scripts in the release-artifacts…
dkasak Jul 7, 2026
8ac0611
Don't persist git credentials after checkout in CI workflows
dkasak Jul 7, 2026
ecdbe20
Explicitly ignore the artipacked zizmor lint for fix_lint.yaml
dkasak Jul 7, 2026
8b3b4d8
Avoid interpolating expressions into scripts in CI workflows
dkasak Jul 7, 2026
8b7a318
Pin the postgres image version in tests.yml
dkasak Jul 7, 2026
ec7b7e1
Skip the docker layer cache when building debs from a tag
dkasak Jul 7, 2026
20cd995
Fix the mypy cache key in tests.yml
dkasak Jul 7, 2026
edcee32
Add a documented exception for zizmor's cache-poisoning for tests.yml
dkasak Jul 7, 2026
100401a
Fix broad permissions in the fix_lint.yaml workflow
dkasak Jul 7, 2026
5f03d47
Remove an unused issues permission from the triage-incoming.yml workflow
dkasak Jul 7, 2026
715270c
Document the permissions blocks in CI workflows
dkasak Jul 7, 2026
458fc2b
Avoid the remaining expression interpolations in CI workflow scripts
dkasak Jul 7, 2026
d685f64
Add a zizmor CI workflow to lint the GitHub Actions workflows
dkasak Jul 7, 2026
15e8acd
Add changelog entry
dkasak Jul 7, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/workflows/complement_tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@ jobs:
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
path: synapse
persist-credentials: false

# Log Docker system info for debugging (compare with your local environment) and
# tracking GitHub runner changes over time (can easily compare a run from last
Expand Down
23 changes: 16 additions & 7 deletions .github/workflows/docker.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,12 +10,15 @@ on:

permissions:
contents: read
packages: write
id-token: write # needed for signing the images with GitHub OIDC Token

jobs:
build:
name: Build and push image for ${{ matrix.platform }}
runs-on: ${{ matrix.runs_on }}
permissions:
contents: read
packages: write # needed to push the image to ghcr.io
id-token: write # needed for the vault and tailscale OIDC auth
strategy:
matrix:
include:
Expand All @@ -32,6 +35,8 @@ jobs:

- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false

- name: Extract version from pyproject.toml
# Note: explicitly requesting bash will mean bash is invoked with `-eo pipefail`, see
Expand Down Expand Up @@ -63,7 +68,7 @@ jobs:
- name: Compute vault jwt role name
id: vault-jwt-role
run: |
echo "role_name=github_service_management_$( echo "${{ github.repository }}" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT"
echo "role_name=github_service_management_$( echo "$GITHUB_REPOSITORY" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT"

- name: Get team registry token
id: import-secrets
Expand Down Expand Up @@ -102,10 +107,11 @@ jobs:
outputs: type=image,push-by-digest=true,name-canonical=true,push=true

- name: Export digest
env:
DIGEST: ${{ steps.build.outputs.digest }}
run: |
mkdir -p ${{ runner.temp }}/digests
digest="${{ steps.build.outputs.digest }}"
touch "${{ runner.temp }}/digests/${digest#sha256:}"
mkdir -p "$RUNNER_TEMP/digests"
touch "$RUNNER_TEMP/digests/${DIGEST#sha256:}"

- name: Upload digest
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
Expand All @@ -118,6 +124,9 @@ jobs:
merge:
name: Push merged images to ${{ matrix.repository }}
runs-on: ubuntu-latest
permissions:
packages: write # needed to push the image to ghcr.io
id-token: write # needed for signing the images with GitHub OIDC Token, and for the vault and tailscale OIDC auth
strategy:
matrix:
repository:
Expand Down Expand Up @@ -160,7 +169,7 @@ jobs:
- name: Compute vault jwt role name
id: vault-jwt-role
run: |
echo "role_name=github_service_management_$( echo "${{ github.repository }}" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT"
echo "role_name=github_service_management_$( echo "$GITHUB_REPOSITORY" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT"

- name: Get team registry token
id: import-secrets
Expand Down
6 changes: 6 additions & 0 deletions .github/workflows/docs-pr.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,17 @@ on:
- .github/workflows/docs-pr.yaml
- scripts-dev/schema_versions.py

permissions:
contents: read

jobs:
pages:
name: GitHub Pages
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
# Fetch all history so that the schema_versions script works.
fetch-depth: 0

Expand Down Expand Up @@ -51,6 +55,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false

- name: Setup mdbook
uses: peaceiris/actions-mdbook@ee69d230fe19748b7abf22df32acaa93833fad08 # v2.0.0
Expand Down
10 changes: 9 additions & 1 deletion .github/workflows/docs.yaml
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
name: Deploy the documentation

permissions:
contents: read

on:
push:
branches:
Expand Down Expand Up @@ -46,12 +49,15 @@ jobs:
################################################################################
pages-docs:
name: GitHub Pages
permissions:
contents: write # needed to push the built docs to the gh-pages branch
runs-on: ubuntu-latest
needs:
- pre
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
# Fetch all history so that the schema_versions script works.
fetch-depth: 0

Expand All @@ -61,7 +67,9 @@ jobs:
mdbook-version: '0.5.2'

- name: Set version of docs
run: echo 'window.SYNAPSE_VERSION = "${{ needs.pre.outputs.branch-version }}";' > ./docs/website_files/version.js
env:
BRANCH_VERSION: ${{ needs.pre.outputs.branch-version }}
run: echo "window.SYNAPSE_VERSION = \"$BRANCH_VERSION\";" > ./docs/website_files/version.js

- name: Setup python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
Expand Down
7 changes: 7 additions & 0 deletions .github/workflows/fix_lint.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@ name: Attempt to automatically fix linting errors
on:
workflow_dispatch:

permissions:
contents: read

env:
# We use nightly so that `fmt` correctly groups together imports, and
# clippy correctly fixes up the benchmarks.
Expand All @@ -17,10 +20,14 @@ jobs:
fixup:
name: Fix up
runs-on: ubuntu-latest
permissions:
contents: write # needed to push the lint fixes back to the branch

steps:
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
# zizmor: ignore[artipacked]
# The git-auto-commit-action step below reuses the GITHUB_TOKEN

- name: Install Rust
uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
Expand Down
23 changes: 21 additions & 2 deletions .github/workflows/latest_deps.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,9 @@ on:
- cron: 0 7 * * *
workflow_dispatch:

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
Expand All @@ -35,14 +38,18 @@ jobs:
should_run_workflow: ${{ steps.check_condition.outputs.should_run_workflow }}
steps:
- id: check_condition
run: echo "should_run_workflow=${{ github.repository == 'element-hq/synapse' }}" >> "$GITHUB_OUTPUT"
env:
SHOULD_RUN_WORKFLOW: ${{ github.repository == 'element-hq/synapse' }}
run: echo "should_run_workflow=$SHOULD_RUN_WORKFLOW" >> "$GITHUB_OUTPUT"

mypy:
needs: check_repo
if: needs.check_repo.outputs.should_run_workflow == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- name: Install Rust
uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
with:
Expand Down Expand Up @@ -78,6 +85,8 @@ jobs:

steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false

- name: Install Rust
uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
Expand All @@ -88,11 +97,13 @@ jobs:
- run: sudo apt-get -qq install xmlsec1
- name: Set up PostgreSQL ${{ matrix.postgres-version }}
if: ${{ matrix.postgres-version }}
env:
POSTGRES_VERSION: ${{ matrix.postgres-version }}
run: |
docker run -d -p 5432:5432 \
-e POSTGRES_PASSWORD=postgres \
-e POSTGRES_INITDB_ARGS="--lc-collate C --lc-ctype C --encoding UTF8" \
postgres:${{ matrix.postgres-version }}
"postgres:$POSTGRES_VERSION"
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.x"
Expand Down Expand Up @@ -152,6 +163,8 @@ jobs:

steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false

- name: Install Rust
uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
Expand Down Expand Up @@ -198,10 +211,16 @@ jobs:
- sytest
- complement

permissions:
contents: read # needed to check out the issue template
issues: write # needed for opening/editing an issue upon build failure

runs-on: ubuntu-latest

steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/poetry_lockfile.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,12 +11,17 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

jobs:
check-sdists:
name: "Check locked dependencies have sdists"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: '3.x'
Expand Down
12 changes: 10 additions & 2 deletions .github/workflows/push_complement_image.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,9 @@ on:
- develop
- master

permissions:
contents: read

# Only run this action once per pull request/branch; restart if a new commit arrives.
# C.f. https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#concurrency
# and https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context
Expand All @@ -30,22 +33,25 @@ jobs:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
packages: write # needed to push the image to ghcr.io
steps:
- name: Checkout specific branch (debug build)
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
if: github.event_name == 'workflow_dispatch'
with:
persist-credentials: false
ref: ${{ inputs.branch }}
- name: Checkout clean copy of develop (scheduled build)
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
if: github.event_name == 'schedule'
with:
persist-credentials: false
ref: develop
- name: Checkout clean copy of master (on-push)
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
if: github.event_name == 'push'
with:
persist-credentials: false
ref: master
# We use `poetry` in `complement.sh`
- uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
Expand All @@ -70,8 +76,10 @@ jobs:
- name: Run scripts-dev/complement.sh to generate complement-synapse:latest image.
run: scripts-dev/complement.sh --build-only
- name: Tag and push generated image
env:
TAGS: ${{ join(fromJson(steps.meta.outputs.json).tags, ' ') }}
run: |
for TAG in ${{ join(fromJson(steps.meta.outputs.json).tags, ' ') }}; do
for TAG in $TAGS; do
echo "tag and push $TAG"
# `localhost/complement-synapse` should match the image created by `scripts-dev/complement.sh`
docker tag localhost/complement-synapse $TAG
Expand Down
Loading
Loading