Tighten GITHUB_TOKEN permissions (#2001)

Michael Telatynski 2024-11-22 10:18:33 +00:00 committed by GitHub
parent bba1fa6d46
commit 1b8ee30693
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
19 changed files with 38 additions and 0 deletions


@ -7,6 +7,8 @@ on:
branches: branches:
- develop - develop
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
backport: backport:
name: Backport name: Backport
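Review bot: The comment on the new `permissions: {}` line says ELEMENT_BOT_TOKEN is used instead, but a PAT is not bounded by the `permissions:` key, so this change only strips the ambient GITHUB_TOKEN from the backport job; the bot token keeps whatever scopes it was minted with. It would make the least-privilege claim auditable to state the scopes the backport actually relies on next to the line, e.g. `permissions: {} # GITHUB_TOKEN unused; ELEMENT_BOT_TOKEN opens the backport PR (presumably contents + pull-requests write)`. The trigger and the job steps are outside the hunk, so I cannot see which event this runs on; if it is `pull_request_target`, the fork head must not be checked out or executed while the bot token is in scope.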


@ -41,9 +41,12 @@ run-name: Element ${{ inputs.mode != 'release' && github.event_name != 'release'
concurrency: ${{ github.workflow }} concurrency: ${{ github.workflow }}
env: env:
R2_BUCKET: ${{ vars.R2_BUCKET }} R2_BUCKET: ${{ vars.R2_BUCKET }}
permissions: {} # Uses ELEMENT_BOT_TOKEN
jobs: jobs:
prepare: prepare:
uses: ./.github/workflows/build_prepare.yaml uses: ./.github/workflows/build_prepare.yaml
permissions:
contents: read
with: with:
config: element.io/${{ inputs.mode || (github.event_name == 'release' && 'release') || 'nightly' }} config: element.io/${{ inputs.mode || (github.event_name == 'release' && 'release') || 'nightly' }}
version: ${{ (inputs.mode != 'release' && github.event_name != 'release') && 'develop' || '' }} version: ${{ (inputs.mode != 'release' && github.event_name != 'release') && 'develop' || '' }}


@ -6,9 +6,12 @@ on:
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions: {} # No permissions required
jobs: jobs:
fetch: fetch:
uses: ./.github/workflows/build_prepare.yaml uses: ./.github/workflows/build_prepare.yaml
permissions:
contents: read
with: with:
config: ${{ github.event.pull_request.base.ref == 'develop' && 'element.io/nightly' || 'element.io/release' }} config: ${{ github.event.pull_request.base.ref == 'develop' && 'element.io/nightly' || 'element.io/release' }}
version: ${{ github.event.pull_request.base.ref == 'develop' && 'develop' || '' }} version: ${{ github.event.pull_request.base.ref == 'develop' && 'develop' || '' }}


@ -22,6 +22,7 @@ on:
description: "How to link sqlcipher, one of 'system' | 'static'" description: "How to link sqlcipher, one of 'system' | 'static'"
env: env:
SQLCIPHER_BUNDLED: ${{ inputs.sqlcipher == 'static' && '1' || '' }} SQLCIPHER_BUNDLED: ${{ inputs.sqlcipher == 'static' && '1' || '' }}
permissions: {} # No permissions required
jobs: jobs:
# We build the hak files on native infrastructure as matrix-seshat fails to cross-compile properly # We build the hak files on native infrastructure as matrix-seshat fails to cross-compile properly
# https://github.com/matrix-org/seshat/issues/135 # https://github.com/matrix-org/seshat/issues/135


@ -27,6 +27,7 @@ on:
type: string type: string
required: false required: false
description: "The URL to which the output will be deployed." description: "The URL to which the output will be deployed."
permissions: {} # No permissions required
jobs: jobs:
build: build:
runs-on: macos-14 # M1 runs-on: macos-14 # M1
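Review bot: The `build` job gets no job-level grant here, whereas the sibling reusable workflow build_prepare.yaml in this same commit gives its job `contents: read`; if this job runs `actions/checkout` (its steps are outside the hunk), it is relying on the repository being public, because a GITHUB_TOKEN with `permissions: {}` cannot read a private repository and the failure would only surface at run time. Either grant `permissions: { contents: read }` on the job, matching build_prepare, or make the comment say why it is unnecessary: `permissions: {} # checkout of a public repo needs no token scopes`. The same applies to the windows and native build workflows in this commit, which carry the identical "No permissions required" comment.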


@ -41,11 +41,14 @@ on:
deploy: deploy:
description: "The relative path to the config file for this run" description: "The relative path to the config file for this run"
value: ${{ inputs.deploy }} value: ${{ inputs.deploy }}
permissions: {}
jobs: jobs:
prepare: prepare:
name: Prepare name: Prepare
environment: ${{ inputs.nightly && 'packages.element.io' || '' }} environment: ${{ inputs.nightly && 'packages.element.io' || '' }}
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
permissions:
contents: read
outputs: outputs:
nightly-version: ${{ steps.versions.outputs.nightly }} nightly-version: ${{ steps.versions.outputs.nightly }}
steps: steps:


@ -28,6 +28,7 @@ on:
type: string type: string
required: false required: false
description: "Whether to sign & notarise the build, requires 'packages.element.io' environment" description: "Whether to sign & notarise the build, requires 'packages.element.io' environment"
permissions: {} # No permissions required
jobs: jobs:
build: build:
runs-on: windows-2022 runs-on: windows-2022


@ -9,6 +9,7 @@ concurrency: ${{ github.workflow }}-${{ github.ref_name }}
env: env:
REGISTRY: ghcr.io REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}-dockerbuild IMAGE_NAME: ${{ github.repository }}-dockerbuild
permissions: {}
jobs: jobs:
build: build:
name: Docker Build name: Docker Build
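Review bot: A workflow-level `permissions: {}` removes `packages: write` from the `Docker Build` job, which it needs if it pushes `IMAGE_NAME` to `ghcr.io` with GITHUB_TOKEN; the job's steps are outside the hunk, so either the job re-grants it further down or the push authenticates with a PAT. If it is the former, prefer a job-level grant next to the login step, `permissions: { contents: read, packages: write }`, adding `id-token: write` and `attestations: write` only if the job signs or attests the image. Because a missing scope fails at push time rather than at parse time, a dry run on a branch before this lands on master would confirm the job still publishes.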


@ -3,6 +3,7 @@ on:
workflow_dispatch: {} workflow_dispatch: {}
schedule: schedule:
- cron: "0 6 * * 1,3,5" # Every Monday, Wednesday and Friday at 6am UTC - cron: "0 6 * * 1,3,5" # Every Monday, Wednesday and Friday at 6am UTC
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
download: download:
uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_download.yaml@main uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_download.yaml@main
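Review bot: The job's GITHUB_TOKEN is now empty, but the real privilege on this schedule is ELEMENT_BOT_TOKEN, which the comment on the `permissions` line says is used and which (I infer from the `with:`/`secrets:` lines being outside the hunk) is handed to a reusable workflow in another organisation referenced by the mutable branch `@main`; `permissions: {}` does nothing to bound a PAT, so whoever can push to that branch controls what runs with the bot token three times a week. Pin the call to a commit SHA with the branch as a comment, `uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_download.yaml@<sha> # main`, the way `wait-on-check-action` is pinned in the release workflow of this same commit. The same mutable-ref pattern appears in the localazy upload, static-analysis and sync-labels workflows touched here.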


@ -4,6 +4,7 @@ on:
branches: [develop] branches: [develop]
paths: paths:
- "src/i18n/strings/en_EN.json" - "src/i18n/strings/en_EN.json"
permissions: {} # No permissions needed
jobs: jobs:
upload: upload:
uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_upload.yaml@main uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_upload.yaml@main


@ -2,8 +2,11 @@ name: Pull Request
on: on:
pull_request_target: pull_request_target:
types: [opened, edited, labeled, unlabeled, synchronize] types: [opened, edited, labeled, unlabeled, synchronize]
permissions: {}
jobs: jobs:
action: action:
uses: matrix-org/matrix-js-sdk/.github/workflows/pull_request.yaml@develop uses: matrix-org/matrix-js-sdk/.github/workflows/pull_request.yaml@develop
permissions:
pull-requests: read
secrets: secrets:
ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }} ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
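Review bot: This workflow runs on `pull_request_target`, so it executes with repository secrets for pull requests opened from forks; the `pull-requests: read` grant on the `action` job is appropriately minimal, but the sensitive credential is `ELEMENT_BOT_TOKEN`, passed to a reusable workflow from another organisation at a mutable ref, `matrix-org/matrix-js-sdk/.github/workflows/pull_request.yaml@develop`. Pinning that reference to a SHA (`@<sha> # develop`) keeps this tightening meaningful, and the called workflow should be checked to never check out or run `github.event.pull_request.head.sha` — an attacker-controlled fork head — while the bot token is in scope. Nothing in the hunk shows that either way, so this is a request to confirm rather than a defect I can point to.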


@ -4,8 +4,11 @@ on:
branches: [staging] branches: [staging]
workflow_dispatch: {} workflow_dispatch: {}
concurrency: ${{ github.workflow }} concurrency: ${{ github.workflow }}
permissions: {}
jobs: jobs:
draft: draft:
uses: matrix-org/matrix-js-sdk/.github/workflows/release-drafter-workflow.yml@develop uses: matrix-org/matrix-js-sdk/.github/workflows/release-drafter-workflow.yml@develop
permissions:
contents: write
with: with:
include-changes: element-hq/element-web~$VERSION include-changes: element-hq/element-web~$VERSION


@ -4,6 +4,7 @@ on:
push: push:
branches: [master] branches: [master]
concurrency: ${{ github.repository }}-${{ github.workflow }} concurrency: ${{ github.repository }}-${{ github.workflow }}
permissions: {} # Uses ELEMENT_BOT_TOKEN
jobs: jobs:
merge: merge:
uses: matrix-org/matrix-js-sdk/.github/workflows/release-gitflow.yml@develop uses: matrix-org/matrix-js-sdk/.github/workflows/release-gitflow.yml@develop


@ -11,9 +11,13 @@ on:
- rc - rc
- final - final
concurrency: ${{ github.workflow }} concurrency: ${{ github.workflow }}
permissions: {}
jobs: jobs:
release: release:
uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop
permissions:
contents: write
issues: write
secrets: secrets:
ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }} ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
@ -27,6 +31,8 @@ jobs:
name: Post release checks name: Post release checks
needs: release needs: release
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
permissions:
checks: read
steps: steps:
- name: Wait for desktop packaging - name: Wait for desktop packaging
uses: t3chguy/wait-on-check-action@18541021811b56544d90e0f073401c2b99e249d6 # fork uses: t3chguy/wait-on-check-action@18541021811b56544d90e0f073401c2b99e249d6 # fork
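Review bot: The `release` job now receives `contents: write` and `issues: write` alongside `GPG_PRIVATE_KEY` and `ELEMENT_BOT_TOKEN`, and all of it flows into `matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop`, a mutable branch in another organisation; the job-level grant is the right shape, but that reference should be pinned to a commit (`@<sha> # develop`) as the post-release job already does for `t3chguy/wait-on-check-action`. It is also worth checking whether `issues: write` is needed on every `rc` run or only for `final` releases, since the hunk grants it unconditionally. The `checks: read` grant for the wait step looks minimal; the post-release job's remaining steps are outside the hunk.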


@ -3,6 +3,7 @@ on:
pull_request: {} pull_request: {}
push: push:
branches: [develop, master] branches: [develop, master]
permissions: {} # No permissions needed
jobs: jobs:
ts_lint: ts_lint:
name: "Typescript Syntax Check" name: "Typescript Syntax Check"
@ -25,6 +26,8 @@ jobs:
i18n_lint: i18n_lint:
name: "i18n Check" name: "i18n Check"
uses: matrix-org/matrix-web-i18n/.github/workflows/i18n_check.yml@main uses: matrix-org/matrix-web-i18n/.github/workflows/i18n_check.yml@main
permissions:
pull-requests: read
with: with:
hardcoded-words: "Element" hardcoded-words: "Element"


@ -8,6 +8,7 @@ on:
- develop - develop
paths: paths:
- .github/labels.yml - .github/labels.yml
permissions: {} # Uses ELEMENT_BOT_TOKEN
jobs: jobs:
sync-labels: sync-labels:
uses: element-hq/element-meta/.github/workflows/sync-labels.yml@develop uses: element-hq/element-meta/.github/workflows/sync-labels.yml@develop


@ -4,6 +4,8 @@ on:
issues: issues:
types: [opened] types: [opened]
permissions: {} # Uses ELEMENT_BOT_TOKEN
jobs: jobs:
automate-project-columns-next: automate-project-columns-next:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04


@ -4,6 +4,8 @@ on:
issues: issues:
types: [labeled] types: [labeled]
permissions: {} # Uses ELEMENT_BOT_TOKEN
jobs: jobs:
call-triage-labelled: call-triage-labelled:
uses: element-hq/element-web/.github/workflows/triage-labelled.yml@develop uses: element-hq/element-web/.github/workflows/triage-labelled.yml@develop

Binary file not shown.
