matrix/matrix-js-sdk
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-js-sdk.git synced 2025-08-09 10:22:46 +03:00
Code Activity

Tighten GITHUB_TOKEN permissions (#4538)

Browse Source 
* Tighten GITHUB_TOKEN permissions

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

* Tighten GITHUB_TOKEN permissions

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

* Iterate

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

* Fix permission

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

---------

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
This commit is contained in:
Michael Telatynski
2024-11-21 14:01:45 +00:00
committed by GitHub
parent 2dd4334e20
commit c87692d0aa
18 changed files with 46 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/backport.yml vendored
View File

@@ -7,6 +7,8 @@ on:
branches: branches:
- develop - develop
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
backport: backport:
name: Backport name: Backport

5
.github/workflows/docs-pr-netlify.yaml vendored
View File

@@ -5,16 +5,17 @@ on:
workflows: ["Static Analysis"] workflows: ["Static Analysis"]
types: types:
- completed - completed
permissions: {}
jobs: jobs:
netlify: netlify:
if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request' if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request'
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
permissions:
actions: read
steps: steps:
- name: 📥 Download artifact - name: 📥 Download artifact
uses: actions/download-artifact@v4 uses: actions/download-artifact@v4
with: with:
github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
run-id: ${{ github.event.workflow_run.id }} run-id: ${{ github.event.workflow_run.id }}
name: docs name: docs
path: docs path: docs

2
.github/workflows/downstream-end-to-end-tests.yml vendored
View File

@@ -13,7 +13,7 @@ on:
# #
#push: #push:
# branches: [develop, master] # branches: [develop, master]
permissions: {} # No permissions required
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.run_id }} group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.run_id }}
cancel-in-progress: ${{ github.event.workflow_run.event == 'pull_request' }} cancel-in-progress: ${{ github.event.workflow_run.event == 'pull_request' }}

1
.github/workflows/notify-downstream.yaml vendored
View File

@@ -3,6 +3,7 @@ on:
push: push:
branches: [develop] branches: [develop]
concurrency: ${{ github.workflow }}-${{ github.ref }} concurrency: ${{ github.workflow }}-${{ github.ref }}
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
notify-downstream: notify-downstream:
# Only respect triggers from our develop branch, ignore that of forks # Only respect triggers from our develop branch, ignore that of forks

1
.github/workflows/pull_request.yaml vendored
View File

@@ -9,6 +9,7 @@ on:
ELEMENT_BOT_TOKEN: ELEMENT_BOT_TOKEN:
required: true required: true
concurrency: ${{ github.workflow }}-${{ github.event.pull_request.head.ref || github.head_ref || github.ref }} concurrency: ${{ github.workflow }}-${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
changelog: changelog:
name: Preview Changelog name: Preview Changelog

3
.github/workflows/release-drafter-workflow.yml vendored
View File

@@ -8,9 +8,12 @@ on:
type: string type: string
required: false required: false
concurrency: release-drafter-action concurrency: release-drafter-action
permissions: {}
jobs: jobs:
draft: draft:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
permissions:
contents: write
steps: steps:
- name: 🧮 Checkout code - name: 🧮 Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4

3
.github/workflows/release-drafter.yml vendored
View File

@@ -8,6 +8,9 @@ on:
branches: [staging] branches: [staging]
workflow_dispatch: {} workflow_dispatch: {}
concurrency: ${{ github.workflow }} concurrency: ${{ github.workflow }}
permissions: {}
jobs: jobs:
draft: draft:
permissions:
contents: write
uses: matrix-org/matrix-js-sdk/.github/workflows/release-drafter-workflow.yml@develop uses: matrix-org/matrix-js-sdk/.github/workflows/release-drafter-workflow.yml@develop

2
.github/workflows/release-gitflow.yml vendored
View File

@@ -13,12 +13,14 @@ on:
type: string type: string
required: false required: false
concurrency: ${{ github.workflow }} concurrency: ${{ github.workflow }}
permissions: {} # Uses ELEMENT_BOT_TOKEN
jobs: jobs:
merge: merge:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
# We will be pushing to this branch and want the CI to run after we do so we cannot use the GITHUB_TOKEN
token: ${{ secrets.ELEMENT_BOT_TOKEN }} token: ${{ secrets.ELEMENT_BOT_TOKEN }}
fetch-depth: 0 fetch-depth: 0

6
.github/workflows/release-make.yml vendored
View File

@@ -38,11 +38,14 @@ on:
description: The number of expected assets, including signatures, excluding generated zip & tarball. description: The number of expected assets, including signatures, excluding generated zip & tarball.
type: number type: number
required: false required: false
permissions: {}
jobs: jobs:
release: release:
name: Release name: Release
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
environment: Release environment: Release
permissions:
contents: write
steps: steps:
- name: Load GPG key - name: Load GPG key
id: gpg id: gpg
@@ -65,6 +68,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
ref: staging ref: staging
# We will be pushing to this branch and want the CI to run after we do so we cannot use the GITHUB_TOKEN
token: ${{ secrets.ELEMENT_BOT_TOKEN }} token: ${{ secrets.ELEMENT_BOT_TOKEN }}
fetch-depth: 0 fetch-depth: 0
@@ -274,6 +278,8 @@ jobs:
name: Post release steps name: Post release steps
needs: release needs: release
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
permissions:
issues: write
steps: steps:
- id: repository - id: repository
run: echo "REPO=${GITHUB_REPOSITORY#*/}" >> $GITHUB_OUTPUT run: echo "REPO=${GITHUB_REPOSITORY#*/}" >> $GITHUB_OUTPUT

1
.github/workflows/release-npm.yml vendored
View File

@@ -8,6 +8,7 @@ on:
id: id:
description: "The npm package@version string we published" description: "The npm package@version string we published"
value: ${{ jobs.npm.outputs.id }} value: ${{ jobs.npm.outputs.id }}
permissions: {} # No permissions required
jobs: jobs:
npm: npm:
name: Publish to npm name: Publish to npm

1
.github/workflows/release.yml vendored
View File

@@ -21,6 +21,7 @@ on:
type: boolean type: boolean
default: true default: true
concurrency: ${{ github.workflow }} concurrency: ${{ github.workflow }}
permissions: {} # No permissions required
jobs: jobs:
release: release:
uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop

10
.github/workflows/sonarcloud.yml vendored
View File

@@ -5,19 +5,25 @@ on:
secrets: secrets:
SONAR_TOKEN: SONAR_TOKEN:
required: true required: true
# No longer used
ELEMENT_BOT_TOKEN: ELEMENT_BOT_TOKEN:
required: true required: false
inputs: inputs:
sharded: sharded:
type: boolean type: boolean
required: false required: false
description: "Whether to combine multiple LCOV and jest-sonar-report files in coverage artifact" description: "Whether to combine multiple LCOV and jest-sonar-report files in coverage artifact"
permissions: {}
jobs: jobs:
sonarqube: sonarqube:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
if: | if: |
github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.conclusion == 'success' &&
github.event.workflow_run.event != 'merge_group' github.event.workflow_run.event != 'merge_group'
permissions:
actions: read
statuses: write
id-token: write # sonar
steps: steps:
# We create the status here and then update it to success/failure in the `report` stage # We create the status here and then update it to success/failure in the `report` stage
# This provides an easy link to this workflow_run from the PR before Sonarcloud is done. # This provides an easy link to this workflow_run from the PR before Sonarcloud is done.
@@ -40,7 +46,6 @@ jobs:
uses: actions/download-artifact@v4 uses: actions/download-artifact@v4
if: ${{ !inputs.sharded }} if: ${{ !inputs.sharded }}
with: with:
github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
run-id: ${{ github.event.workflow_run.id }} run-id: ${{ github.event.workflow_run.id }}
name: coverage name: coverage
path: coverage path: coverage
@@ -48,7 +53,6 @@ jobs:
uses: actions/download-artifact@v4 uses: actions/download-artifact@v4
if: inputs.sharded if: inputs.sharded
with: with:
github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
run-id: ${{ github.event.workflow_run.id }} run-id: ${{ github.event.workflow_run.id }}
pattern: coverage-* pattern: coverage-*
path: coverage path: coverage

5
.github/workflows/sonarqube.yml vendored
View File

@@ -7,10 +7,15 @@ on:
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch }} group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch }}
cancel-in-progress: true cancel-in-progress: true
permissions: {}
jobs: jobs:
sonarqube: sonarqube:
name: 🩻 SonarQube name: 🩻 SonarQube
if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event != 'merge_group' if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event != 'merge_group'
permissions:
actions: read
statuses: write
id-token: write # sonar
uses: matrix-org/matrix-js-sdk/.github/workflows/sonarcloud.yml@develop uses: matrix-org/matrix-js-sdk/.github/workflows/sonarcloud.yml@develop
secrets: secrets:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

1
.github/workflows/static_analysis.yml vendored
View File

@@ -8,6 +8,7 @@ on:
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions: {} # No permissions needed
jobs: jobs:
ts_lint: ts_lint:
name: "Typescript Syntax Check" name: "Typescript Syntax Check"

1
.github/workflows/sync-labels.yml vendored
View File

@@ -8,6 +8,7 @@ on:
- develop - develop
paths: paths:
- .github/labels.yml - .github/labels.yml
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
sync-labels: sync-labels:
uses: element-hq/element-meta/.github/workflows/sync-labels.yml@develop uses: element-hq/element-meta/.github/workflows/sync-labels.yml@develop

6
.github/workflows/tests.yml vendored
View File

@@ -10,6 +10,7 @@ concurrency:
cancel-in-progress: true cancel-in-progress: true
env: env:
ENABLE_COVERAGE: ${{ github.event_name != 'merge_group' }} ENABLE_COVERAGE: ${{ github.event_name != 'merge_group' }}
permissions: {} # No permissions required
jobs: jobs:
jest: jest:
name: "Jest [${{ matrix.specs }}] (Node ${{ matrix.node == '*' && 'latest' || matrix.node }})" name: "Jest [${{ matrix.specs }}] (Node ${{ matrix.node == '*' && 'latest' || matrix.node }})"
@@ -77,6 +78,8 @@ jobs:
name: Downstream test element-web name: Downstream test element-web
if: github.event_name == 'merge_group' if: github.event_name == 'merge_group'
uses: element-hq/element-web/.github/workflows/tests.yml@develop uses: element-hq/element-web/.github/workflows/tests.yml@develop
permissions:
statuses: write
with: with:
disable_coverage: true disable_coverage: true
matrix-js-sdk-sha: ${{ github.sha }} matrix-js-sdk-sha: ${{ github.sha }}
@@ -84,6 +87,7 @@ jobs:
complement-crypto: complement-crypto:
name: "Run Complement Crypto tests" name: "Run Complement Crypto tests"
if: github.event_name == 'merge_group' if: github.event_name == 'merge_group'
permissions: read-all
uses: matrix-org/complement-crypto/.github/workflows/single_sdk_tests.yml@main uses: matrix-org/complement-crypto/.github/workflows/single_sdk_tests.yml@main
with: with:
use_js_sdk: "." use_js_sdk: "."
@@ -107,6 +111,8 @@ jobs:
if: always() if: always()
needs: needs:
- element-web - element-web
permissions:
statuses: write
steps: steps:
- name: Skip SonarCloud on merge queues - name: Skip SonarCloud on merge queues
if: env.ENABLE_COVERAGE == 'false' if: env.ENABLE_COVERAGE == 'false'

2
.github/workflows/triage-incoming.yml vendored
View File

@@ -3,7 +3,7 @@ name: Move new issues into Issue triage board
on: on:
issues: issues:
types: [opened] types: [opened]
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
automate-project-columns-next: automate-project-columns-next:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04

2
.github/workflows/triage-labelled.yml vendored
View File

@@ -3,7 +3,7 @@ name: Move labelled issues to correct projects
on: on:
issues: issues:
types: [labeled] types: [labeled]
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
call-triage-labelled: call-triage-labelled:
uses: element-hq/element-web/.github/workflows/triage-labelled.yml@develop uses: element-hq/element-web/.github/workflows/triage-labelled.yml@develop