diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 7252c27..5a11ad5 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -7,6 +7,8 @@ on:
 branches:
 - develop
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+
 jobs:
 backport:
 name: Backport
diff --git a/.github/workflows/build_and_deploy.yaml b/.github/workflows/build_and_deploy.yaml
index 8aed0bc..b81f05f 100644
--- a/.github/workflows/build_and_deploy.yaml
+++ b/.github/workflows/build_and_deploy.yaml
@@ -41,9 +41,12 @@ run-name: Element ${{ inputs.mode != 'release' && github.event_name != 'release'
 concurrency: ${{ github.workflow }}
 env:
 R2_BUCKET: ${{ vars.R2_BUCKET }}
+permissions: {} # Uses ELEMENT_BOT_TOKEN
 jobs:
 prepare:
 uses: ./.github/workflows/build_prepare.yaml
+ permissions:
+ contents: read
 with:
 config: element.io/${{ inputs.mode || (github.event_name == 'release' && 'release') || 'nightly' }}
 version: ${{ (inputs.mode != 'release' && github.event_name != 'release') && 'develop' || '' }}
diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
index 4667fca..6527f91 100644
--- a/.github/workflows/build_and_test.yaml
+++ b/.github/workflows/build_and_test.yaml
@@ -6,9 +6,12 @@ on:
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions: {} # No permissions required
 jobs:
 fetch:
 uses: ./.github/workflows/build_prepare.yaml
+ permissions:
+ contents: read
 with:
 config: ${{ github.event.pull_request.base.ref == 'develop' && 'element.io/nightly' || 'element.io/release' }}
 version: ${{ github.event.pull_request.base.ref == 'develop' && 'develop' || '' }}
diff --git a/.github/workflows/build_linux.yaml b/.github/workflows/build_linux.yaml
index d937c5b..c5d05cc 100644
--- a/.github/workflows/build_linux.yaml
+++ b/.github/workflows/build_linux.yaml
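Review bot: The `permissions: {}` added to backport.yml only empties the automatic GITHUB_TOKEN; the ELEMENT_BOT_TOKEN the comment points to is presumably the same `secrets.ELEMENT_BOT_TOKEN` that pull_request.yaml forwards later in this diff, and its scopes are set on that token, not by this key. As written the comment reads as if the job runs without privileges, which a later reader may take as licence to add steps; the job's real authority is whatever the bot token carries. I would make the distinction explicit: `permissions: {} # GITHUB_TOKEN unused; the job authenticates with the ELEMENT_BOT_TOKEN secret, whose scopes live on that token, not here`. Whether the token is a classic PAT or a fine-grained one limited to this repository is not visible from the diff, and is the thing that actually decides the blast radius of this workflow.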
@@ -22,6 +22,7 @@ on:
 description: "How to link sqlcipher, one of 'system' | 'static'"
 env:
 SQLCIPHER_BUNDLED: ${{ inputs.sqlcipher == 'static' && '1' || '' }}
+permissions: {} # No permissions required
 jobs:
 # We build the hak files on native infrastructure as matrix-seshat fails to cross-compile properly
 # https://github.com/matrix-org/seshat/issues/135
diff --git a/.github/workflows/build_macos.yaml b/.github/workflows/build_macos.yaml
index c92d853..b1b423e 100644
--- a/.github/workflows/build_macos.yaml
+++ b/.github/workflows/build_macos.yaml
@@ -27,6 +27,7 @@ on:
 type: string
 required: false
 description: "The URL to which the output will be deployed."
+permissions: {} # No permissions required
 jobs:
 build:
 runs-on: macos-14 # M1
diff --git a/.github/workflows/build_prepare.yaml b/.github/workflows/build_prepare.yaml
index fe84da2..8d54c85 100644
--- a/.github/workflows/build_prepare.yaml
+++ b/.github/workflows/build_prepare.yaml
@@ -41,11 +41,14 @@ on:
 deploy:
 description: "The relative path to the config file for this run"
 value: ${{ inputs.deploy }}
+permissions: {}
 jobs:
 prepare:
 name: Prepare
 environment: ${{ inputs.nightly && 'packages.element.io' || '' }}
 runs-on: ubuntu-24.04
+ permissions:
+ contents: read
 outputs:
 nightly-version: ${{ steps.versions.outputs.nightly }}
 steps:
diff --git a/.github/workflows/build_windows.yaml b/.github/workflows/build_windows.yaml
index 36d569f..1224ee6 100644
--- a/.github/workflows/build_windows.yaml
+++ b/.github/workflows/build_windows.yaml
@@ -28,6 +28,7 @@ on:
 type: string
 required: false
 description: "Whether to sign & notarise the build, requires 'packages.element.io' environment"
+permissions: {} # No permissions required
 jobs:
 build:
 runs-on: windows-2022
diff --git a/.github/workflows/dockerbuild.yaml b/.github/workflows/dockerbuild.yaml
index b439b13..cd2d251 100644
--- a/.github/workflows/dockerbuild.yaml
+++ b/.github/workflows/dockerbuild.yaml
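Review bot: The top-level `permissions: {}` in build_prepare.yaml is the only one in this commit without a comment, and it means something different here: build_prepare.yaml is evidently a `workflow_call` target (its outputs read `inputs.deploy`, and build_and_deploy.yaml and build_and_test.yaml invoke it via `uses: ./.github/workflows/build_prepare.yaml`), so its `permissions` can only downgrade what the calling job grants, never extend it. The job-level `contents: read` on `prepare` therefore only takes effect because both callers now pass `contents: read` on their `uses:` jobs; a future caller that omits it will get a checkout failure rather than a permission, and nothing in this file says so. I would record the coupling inline: `permissions: {} # reusable workflow: effective token is capped by the caller, which must grant at least contents: read`.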
@@ -9,6 +9,7 @@ concurrency: ${{ github.workflow }}-${{ github.ref_name }}
 env:
 REGISTRY: ghcr.io
 IMAGE_NAME: ${{ github.repository }}-dockerbuild
+permissions: {}
 jobs:
 build:
 name: Docker Build
diff --git a/.github/workflows/localazy_download.yaml b/.github/workflows/localazy_download.yaml
index a880c3b..435b815 100644
--- a/.github/workflows/localazy_download.yaml
+++ b/.github/workflows/localazy_download.yaml
@@ -3,6 +3,7 @@ on:
 workflow_dispatch: {}
 schedule:
 - cron: "0 6 * * 1,3,5" # Every Monday, Wednesday and Friday at 6am UTC
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
 download:
 uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_download.yaml@main
diff --git a/.github/workflows/localazy_upload.yaml b/.github/workflows/localazy_upload.yaml
index 9ba7980..8cb7743 100644
--- a/.github/workflows/localazy_upload.yaml
+++ b/.github/workflows/localazy_upload.yaml
@@ -4,6 +4,7 @@ on:
 branches: [develop]
 paths:
 - "src/i18n/strings/en_EN.json"
+permissions: {} # No permissions needed
 jobs:
 upload:
 uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_upload.yaml@main
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
index 1c25477..e07173e 100644
--- a/.github/workflows/pull_request.yaml
+++ b/.github/workflows/pull_request.yaml
@@ -2,8 +2,11 @@ name: Pull Request
 on:
 pull_request_target:
 types: [opened, edited, labeled, unlabeled, synchronize]
+permissions: {}
 jobs:
 action:
 uses: matrix-org/matrix-js-sdk/.github/workflows/pull_request.yaml@develop
+ permissions:
+ pull-requests: read
 secrets:
 ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 5801402..6d3bf51 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
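Review bot: In pull_request.yaml the new job-level `pull-requests: read` narrows GITHUB_TOKEN for the called workflow, but the same job still forwards `secrets.ELEMENT_BOT_TOKEN`, and the trigger is `pull_request_target` firing on `edited` and `synchronize`, i.e. on PR title, body and head commits that any external contributor controls. The bot token's write access is untouched by this lock-down, so the real exposure depends on whether `matrix-org/matrix-js-sdk/.github/workflows/pull_request.yaml@develop` avoids checking out or executing PR head content; that workflow is outside this diff, so treat this as an assumption to confirm rather than a finding. Two things worth pairing with the change: pin the cross-org `uses:` to a commit SHA rather than the mutable `develop` branch, so a change there cannot silently widen what runs with the token, and state the contract next to the trigger, `# pull_request_target + bot token: the called workflow must never check out or run PR head code`.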
@@ -4,8 +4,11 @@ on:
 branches: [staging]
 workflow_dispatch: {}
 concurrency: ${{ github.workflow }}
+permissions: {}
 jobs:
 draft:
 uses: matrix-org/matrix-js-sdk/.github/workflows/release-drafter-workflow.yml@develop
+ permissions:
+ contents: write
 with:
 include-changes: element-hq/element-web~$VERSION
diff --git a/.github/workflows/release-gitflow.yml b/.github/workflows/release-gitflow.yml
index a4d6f75..8192a0f 100644
--- a/.github/workflows/release-gitflow.yml
+++ b/.github/workflows/release-gitflow.yml
@@ -4,6 +4,7 @@ on:
 push:
 branches: [master]
 concurrency: ${{ github.repository }}-${{ github.workflow }}
+permissions: {} # Uses ELEMENT_BOT_TOKEN
 jobs:
 merge:
 uses: matrix-org/matrix-js-sdk/.github/workflows/release-gitflow.yml@develop
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ba43fa3..fb6db27 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,9 +11,13 @@ on:
 - rc
 - final
 concurrency: ${{ github.workflow }}
+permissions: {}
 jobs:
 release:
 uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop
+ permissions:
+ contents: write
+ issues: write
 secrets:
 ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
 GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
@@ -27,6 +31,8 @@ jobs:
 name: Post release checks
 needs: release
 runs-on: ubuntu-24.04
+ permissions:
+ checks: read
 steps:
 - name: Wait for desktop packaging
 uses: t3chguy/wait-on-check-action@18541021811b56544d90e0f073401c2b99e249d6 # fork
diff --git a/.github/workflows/static_analysis.yaml b/.github/workflows/static_analysis.yaml
index ef3dc52..5812b9b 100644
--- a/.github/workflows/static_analysis.yaml
+++ b/.github/workflows/static_analysis.yaml
@@ -3,6 +3,7 @@ on:
 pull_request: {}
 push:
 branches: [develop, master]
+permissions: {} # No permissions needed
 jobs:
 ts_lint:
 name: "Typescript Syntax Check"
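Review bot: The `contents: write` and `issues: write` added for the `release` job in release.yml are granted to `matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop`, a workflow in another organisation's repository referenced by a mutable branch, and the same job hands it `GPG_PRIVATE_KEY` and `ELEMENT_BOT_TOKEN`. Whoever can change that branch can push to this repository with the granted token and sign artifacts with the release key, so the explicit least-privilege grant is only as strong as the review gate on the called branch. The `uses:` line predates this commit, but now that the write scopes are spelled out I would pin it to a commit SHA with a version comment, exactly as the next hunk already does for `t3chguy/wait-on-check-action@18541021811b56544d90e0f073401c2b99e249d6 # fork`. The same reasoning applies to the `contents: write` grant to `release-drafter-workflow.yml@develop` in the release-drafter.yml hunk above.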
@@ -25,6 +26,8 @@ jobs:
 i18n_lint:
 name: "i18n Check"
 uses: matrix-org/matrix-web-i18n/.github/workflows/i18n_check.yml@main
+ permissions:
+ pull-requests: read
 with:
 hardcoded-words: "Element"
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 29c955c..54090ef 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -8,6 +8,7 @@ on:
 - develop
 paths:
 - .github/labels.yml
+permissions: {} # Uses ELEMENT_BOT_TOKEN
 jobs:
 sync-labels:
 uses: element-hq/element-meta/.github/workflows/sync-labels.yml@develop
diff --git a/.github/workflows/triage-incoming.yml b/.github/workflows/triage-incoming.yml
index c8c677a..5b5c74a 100644
--- a/.github/workflows/triage-incoming.yml
+++ b/.github/workflows/triage-incoming.yml
@@ -4,6 +4,8 @@ on:
 issues:
 types: [opened]
+permissions: {} # Uses ELEMENT_BOT_TOKEN
+
 jobs:
 automate-project-columns-next:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/triage-labelled.yml b/.github/workflows/triage-labelled.yml
index db8671d..e4f03fa 100644
--- a/.github/workflows/triage-labelled.yml
+++ b/.github/workflows/triage-labelled.yml
@@ -4,6 +4,8 @@ on:
 issues:
 types: [labeled]
+permissions: {} # Uses ELEMENT_BOT_TOKEN
+
 jobs:
 call-triage-labelled:
 uses: element-hq/element-web/.github/workflows/triage-labelled.yml@develop
diff --git a/playwright/snapshots/launch/launch.spec.ts/App-launch-should-launch-and-render-the-welcome-view-successfully-and-support-seshat-1-linux.png b/playwright/snapshots/launch/launch.spec.ts/App-launch-should-launch-and-render-the-welcome-view-successfully-and-support-seshat-1-linux.png
index 022b00b..48ac90b 100644
Binary files a/playwright/snapshots/launch/launch.spec.ts/App-launch-should-launch-and-render-the-welcome-view-successfully-and-support-seshat-1-linux.png and b/playwright/snapshots/launch/launch.spec.ts/App-launch-should-launch-and-render-the-welcome-view-successfully-and-support-seshat-1-linux.png differ