Tighten GITHUB_TOKEN permissions (#4538)

* Tighten GITHUB_TOKEN permissions

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

* Tighten GITHUB_TOKEN permissions

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

* Iterate

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

* Fix permission

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

---------

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

.github/workflows/backport.yml

@@ -7,6 +7,8 @@ on:
         branches:
             - develop
 
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+
 jobs:
     backport:
         name: Backport

.github/workflows/docs-pr-netlify.yaml

@@ -5,16 +5,17 @@ on:
         workflows: ["Static Analysis"]
         types:
             - completed
-
+permissions: {}
 jobs:
     netlify:
         if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request'
         runs-on: ubuntu-24.04
+        permissions:
+            actions: read
         steps:
             - name: 📥 Download artifact
               uses: actions/download-artifact@v4
               with:
-                  github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
                   run-id: ${{ github.event.workflow_run.id }}
                   name: docs
                   path: docs

.github/workflows/downstream-end-to-end-tests.yml

@@ -13,7 +13,7 @@ on:
     #
     #push:
     #    branches: [develop, master]
-
+permissions: {} # No permissions required
 concurrency:
     group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.run_id }}
     cancel-in-progress: ${{ github.event.workflow_run.event == 'pull_request' }}

.github/workflows/notify-downstream.yaml

@@ -3,6 +3,7 @@ on:
     push:
         branches: [develop]
 concurrency: ${{ github.workflow }}-${{ github.ref }}
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
     notify-downstream:
         # Only respect triggers from our develop branch, ignore that of forks

.github/workflows/pull_request.yaml

@@ -9,6 +9,7 @@ on:
             ELEMENT_BOT_TOKEN:
                 required: true
 concurrency: ${{ github.workflow }}-${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
     changelog:
         name: Preview Changelog

.github/workflows/release-drafter-workflow.yml

@@ -8,9 +8,12 @@ on:
                 type: string
                 required: false
 concurrency: release-drafter-action
+permissions: {}
 jobs:
     draft:
         runs-on: ubuntu-24.04
+        permissions:
+            contents: write
         steps:
             - name: 🧮 Checkout code
               uses: actions/checkout@v4

.github/workflows/release-drafter.yml

@@ -8,6 +8,9 @@ on:
         branches: [staging]
     workflow_dispatch: {}
 concurrency: ${{ github.workflow }}
+permissions: {}
 jobs:
     draft:
+        permissions:
+            contents: write
         uses: matrix-org/matrix-js-sdk/.github/workflows/release-drafter-workflow.yml@develop

.github/workflows/release-gitflow.yml

@@ -13,12 +13,14 @@ on:
                 type: string
                 required: false
 concurrency: ${{ github.workflow }}
+permissions: {} # Uses ELEMENT_BOT_TOKEN
 jobs:
     merge:
         runs-on: ubuntu-24.04
         steps:
             - uses: actions/checkout@v4
               with:
+                  # We will be pushing to this branch and want the CI to run after we do so we cannot use the GITHUB_TOKEN
                   token: ${{ secrets.ELEMENT_BOT_TOKEN }}
                   fetch-depth: 0
 

.github/workflows/release-make.yml

@@ -38,11 +38,14 @@ on:
                 description: The number of expected assets, including signatures, excluding generated zip & tarball.
                 type: number
                 required: false
+permissions: {}
 jobs:
     release:
         name: Release
         runs-on: ubuntu-24.04
         environment: Release
+        permissions:
+            contents: write
         steps:
             - name: Load GPG key
               id: gpg
@@ -65,6 +68,7 @@ jobs:
             - uses: actions/checkout@v4
               with:
                   ref: staging
+                  # We will be pushing to this branch and want the CI to run after we do so we cannot use the GITHUB_TOKEN
                   token: ${{ secrets.ELEMENT_BOT_TOKEN }}
                   fetch-depth: 0
 
@@ -274,6 +278,8 @@ jobs:
         name: Post release steps
         needs: release
         runs-on: ubuntu-24.04
+        permissions:
+            issues: write
         steps:
             - id: repository
               run: echo "REPO=${GITHUB_REPOSITORY#*/}" >> $GITHUB_OUTPUT

.github/workflows/release-npm.yml

@@ -8,6 +8,7 @@ on:
             id:
                 description: "The npm package@version string we published"
                 value: ${{ jobs.npm.outputs.id }}
+permissions: {} # No permissions required
 jobs:
     npm:
         name: Publish to npm

.github/workflows/release.yml

@@ -21,6 +21,7 @@ on:
                 type: boolean
                 default: true
 concurrency: ${{ github.workflow }}
+permissions: {} # No permissions required
 jobs:
     release:
         uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop

.github/workflows/sonarcloud.yml

@@ -5,19 +5,25 @@ on:
         secrets:
             SONAR_TOKEN:
                 required: true
+            # No longer used
             ELEMENT_BOT_TOKEN:
-                required: true
+                required: false
         inputs:
             sharded:
                 type: boolean
                 required: false
                 description: "Whether to combine multiple LCOV and jest-sonar-report files in coverage artifact"
+permissions: {}
 jobs:
     sonarqube:
         runs-on: ubuntu-24.04
         if: |
             github.event.workflow_run.conclusion == 'success' &&
             github.event.workflow_run.event != 'merge_group'
+        permissions:
+            actions: read
+            statuses: write
+            id-token: write # sonar
         steps:
             # We create the status here and then update it to success/failure in the `report` stage
             # This provides an easy link to this workflow_run from the PR before Sonarcloud is done.
@@ -40,7 +46,6 @@ jobs:
               uses: actions/download-artifact@v4
               if: ${{ !inputs.sharded }}
               with:
-                  github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
                   run-id: ${{ github.event.workflow_run.id }}
                   name: coverage
                   path: coverage
@@ -48,7 +53,6 @@ jobs:
               uses: actions/download-artifact@v4
               if: inputs.sharded
               with:
-                  github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
                   run-id: ${{ github.event.workflow_run.id }}
                   pattern: coverage-*
                   path: coverage

.github/workflows/sonarqube.yml

@@ -7,10 +7,15 @@ on:
 concurrency:
     group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch }}
     cancel-in-progress: true
+permissions: {}
 jobs:
     sonarqube:
         name: 🩻 SonarQube
         if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event != 'merge_group'
+        permissions:
+            actions: read
+            statuses: write
+            id-token: write # sonar
         uses: matrix-org/matrix-js-sdk/.github/workflows/sonarcloud.yml@develop
         secrets:
             SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/static_analysis.yml

@@ -8,6 +8,7 @@ on:
 concurrency:
     group: ${{ github.workflow }}-${{ github.ref }}
     cancel-in-progress: true
+permissions: {} # No permissions needed
 jobs:
     ts_lint:
         name: "Typescript Syntax Check"

.github/workflows/sync-labels.yml

@@ -8,6 +8,7 @@ on:
             - develop
         paths:
             - .github/labels.yml
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
     sync-labels:
         uses: element-hq/element-meta/.github/workflows/sync-labels.yml@develop

.github/workflows/tests.yml

@@ -10,6 +10,7 @@ concurrency:
     cancel-in-progress: true
 env:
     ENABLE_COVERAGE: ${{ github.event_name != 'merge_group' }}
+permissions: {} # No permissions required
 jobs:
     jest:
         name: "Jest [${{ matrix.specs }}] (Node ${{ matrix.node == '*' && 'latest' || matrix.node }})"
@@ -77,6 +78,8 @@ jobs:
         name: Downstream test element-web
         if: github.event_name == 'merge_group'
         uses: element-hq/element-web/.github/workflows/tests.yml@develop
+        permissions:
+            statuses: write
         with:
             disable_coverage: true
             matrix-js-sdk-sha: ${{ github.sha }}
@@ -84,6 +87,7 @@ jobs:
     complement-crypto:
         name: "Run Complement Crypto tests"
         if: github.event_name == 'merge_group'
+        permissions: read-all
         uses: matrix-org/complement-crypto/.github/workflows/single_sdk_tests.yml@main
         with:
             use_js_sdk: "."
@@ -107,6 +111,8 @@ jobs:
         if: always()
         needs:
             - element-web
+        permissions:
+            statuses: write
         steps:
             - name: Skip SonarCloud on merge queues
               if: env.ENABLE_COVERAGE == 'false'

.github/workflows/triage-incoming.yml

@@ -3,7 +3,7 @@ name: Move new issues into Issue triage board
 on:
     issues:
         types: [opened]
-
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
     automate-project-columns-next:
         runs-on: ubuntu-24.04

.github/workflows/triage-labelled.yml

@@ -3,7 +3,7 @@ name: Move labelled issues to correct projects
 on:
     issues:
         types: [labeled]
-
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
     call-triage-labelled:
         uses: element-hq/element-web/.github/workflows/triage-labelled.yml@develop