Add zizmor CI & make it happy (#2877)

Michael Telatynski 2026-03-04 11:49:53 +00:00 committed by GitHub
parent 7b4209502c
commit 850553e468
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
19 changed files with 74 additions and 27 deletions


@ -1,6 +1,8 @@
name: Backport
on:
pull_request_target:
# Privilege escalation necessary to enable backporting PRs from forks
# 🚨 We must not execute any checked out code here.
pull_request_target: # zizmor: ignore[dangerous-triggers]
types:
- closed
- labeled


@ -79,7 +79,7 @@ jobs:
matrix:
arch: [x64, arm64]
uses: ./.github/workflows/build_windows.yaml
secrets: inherit
secrets: inherit # zizmor: ignore[secrets-inherit]
with:
sign: true
arch: ${{ matrix.arch }}
@ -90,7 +90,7 @@ jobs:
needs: prepare
name: macOS
uses: ./.github/workflows/build_macos.yaml
secrets: inherit
secrets: inherit # zizmor: ignore[secrets-inherit]
with:
sign: true
base-url: https://packages.element.io/${{ needs.prepare.outputs.packages-dir }}
@ -258,7 +258,7 @@ jobs:
${{ steps.deb.outputs.arm64 }}
- name: Publish amd64 deb to packages.element.io
uses: element-hq/packages.element.io@master
uses: element-hq/packages.element.io@master # zizmor: ignore[unpinned-uses]
if: needs.prepare.outputs.deploy == 'true' && needs.linux.result == 'success'
with:
file: ${{ steps.deb.outputs.amd64 }}
@ -268,7 +268,7 @@ jobs:
bucket-access-key: ${{ secrets.CF_R2_TOKEN }}
- name: Publish arm64 deb to packages.element.io
uses: element-hq/packages.element.io@master
uses: element-hq/packages.element.io@master # zizmor: ignore[unpinned-uses]
if: needs.prepare.outputs.deploy == 'true' && needs.linux.result == 'success'
with:
file: ${{ steps.deb.outputs.arm64 }}
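Review bot: The `# zizmor: ignore[secrets-inherit]` and `# zizmor: ignore[unpinned-uses]` markers added to the `secrets: inherit` and `uses: element-hq/packages.element.io@master` lines carry no justification, whereas the `dangerous-triggers` ignores elsewhere in this commit spell out the risk being accepted. Someone auditing the suppressions later cannot tell whether they were deliberate (in-repo reusable workflows, an org-owned action) or an unreviewed silencing of the finding. Suggest a one-line comment above each, e.g. `# Reusable workflow lives in this repo, so inherited secrets never leave it` for the `secrets: inherit` lines and `# element-hq-owned action; tracking master is deliberate, consider a SHA pin` for the `@master` lines. The same unexplained markers appear on the `@develop` reusable workflows in the pull-request, release-drafter, release-gitflow, release-make and triage-labelled sections of this commit. The enclosing jobs start outside this hunk.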


@ -54,6 +54,8 @@ jobs:
if: ${{ !cancelled() }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
- uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6


@ -109,6 +109,7 @@ jobs:
with:
repository: element-hq/element-desktop
ref: ${{ inputs.ref }}
persist-credentials: false
- uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
with:
@ -184,13 +185,15 @@ jobs:
fi
- name: Build App
run: pnpm build --publish never ${{ steps.config.outputs.build-args }} -l ${{ inputs.targets }}
run: pnpm build --publish never $BUILD_ARGS -l $TARGETS
env:
VARIANT_PATH: variant.json
# Only set for Nightly builds
VERSION: ${{ inputs.version }}
# Workaround for https://github.com/electron-userland/electron-builder/issues/5721
USE_HARD_LINKS: false
BUILD_ARGS: ${{ steps.config.outputs.build-args }}
TARGETS: ${{ inputs.targets }}
- name: Check native libraries
run: |
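Review bot: `$BUILD_ARGS` on the new `run:` line is left unquoted, presumably on purpose so that whatever `steps.config.outputs.build-args` holds is split into separate electron-builder arguments, but nothing records that intent and a later shellcheck-style cleanup would quote it and change the command. Suggest a comment directly above the step's `run:` line: `# BUILD_ARGS is deliberately unquoted: it may carry several whitespace-separated flags`. Moving the expressions into `env:` is the right fix for the template-injection finding; this is only about documenting the word-splitting that the fix now relies on. The same applies to the `-w $TARGETS` line in the Windows build section. The `Check native libraries` step's body continues outside this hunk.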


@ -83,6 +83,7 @@ jobs:
with:
repository: element-hq/element-desktop
ref: ${{ inputs.ref }}
persist-credentials: false
- uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
with:
@ -130,7 +131,7 @@ jobs:
- name: "[Signed] Build App"
if: inputs.sign != ''
run: |
pnpm build:universal --publish never -m ${{ inputs.targets }}
pnpm build:universal --publish never -m ${TARGETS}
env:
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
APPLE_ID: ${{ secrets.APPLE_ID }}
@ -140,6 +141,7 @@ jobs:
VARIANT_PATH: variant.json
# Only set for Nightly builds
VERSION: ${{ inputs.version }}
TARGETS: ${{ inputs.targets }}
- name: Check app was signed & notarised successfully
if: inputs.sign != ''
@ -152,10 +154,11 @@ jobs:
- name: "[Unsigned] Build App"
if: inputs.sign == ''
run: |
pnpm build:universal --publish never -m ${{ inputs.targets }}
pnpm build:universal --publish never -m ${TARGETS}
env:
CSC_IDENTITY_AUTO_DISCOVERY: false
VARIANT_PATH: variant.json
TARGETS: ${{ inputs.targets }}
- name: Generate releases.json
if: inputs.base-url
@ -163,7 +166,7 @@ jobs:
PKG_JSON_VERSION=$(cat package.json | jq -r .version)
LATEST=$(find dist -type f -iname "*-mac.zip" | xargs -0 -n1 -- basename)
# Encode spaces in the URL as Squirrel.Mac complains about bad JSON otherwise
URL="${{ inputs.base-url }}/update/macos/${LATEST// /%20}"
URL="${BASE_URL}/update/macos/${LATEST// /%20}"
jq -n --arg version "${VERSION:-$PKG_JSON_VERSION}" --arg url "$URL" '
{
@ -182,6 +185,7 @@ jobs:
' > dist/releases-legacy.json
env:
VERSION: ${{ inputs.version }}
BASE_URL: ${{ inputs.base-url }}
# We exclude mac-universal as the unpacked app takes forever to upload and zip and dmg already contains it
- name: Upload Artifacts


@ -55,6 +55,8 @@ jobs:
nightly-version: ${{ steps.versions.outputs.nightly }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
- uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
@ -84,7 +86,10 @@ jobs:
- name: Fetch Element Web (${{ inputs.version }})
if: steps.branch-matching.outcome == 'failure' || steps.branch-matching.outcome == 'skipped'
run: pnpm run fetch --noverify -d ${{ inputs.config }} ${{ inputs.version }}
run: pnpm run fetch --noverify -d ${CONFIG} ${VERSION}
env:
CONFIG: ${{ inputs.config }}
VERSION: ${{ inputs.version }}
- name: Copy variant config
run: cp "$CONFIG_DIR/build.json" variant.json
@ -159,13 +164,15 @@ jobs:
WEB_VERSION=${WEBAPP_VERSION:0:12}
JS_VERSION=${WEBAPP_VERSION:16:12}
echo "### Nightly build ${{ steps.versions.outputs.nightly }}" >> $GITHUB_STEP_SUMMARY
echo "### Nightly build ${NIGHTLY_VERSION}" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Component | Version |" >> $GITHUB_STEP_SUMMARY
echo "| ----------- | ------- |" >> $GITHUB_STEP_SUMMARY
echo "| Bundle Hash | $BUNDLE_HASH |" >> $GITHUB_STEP_SUMMARY
echo "| Element Web | [$WEB_VERSION](https://github.com/element-hq/element-web/commit/$WEB_VERSION) |" >> $GITHUB_STEP_SUMMARY
echo "| JS SDK | [$JS_VERSION](https://github.com/matrix-org/matrix-js-sdk/commit/$JS_VERSION) |" >> $GITHUB_STEP_SUMMARY
env:
NIGHTLY_VERSION: ${{ steps.versions.outputs.nightly }}
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
with:


@ -39,6 +39,7 @@ jobs:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
repository: ${{ github.repository == 'element-hq/element-web-pro' && 'element-hq/element-desktop' || github.repository }}
persist-credentials: false
- uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
- uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
@ -55,7 +56,9 @@ jobs:
path: dist
- name: Prepare for tests
run: ${{ inputs.prepare_cmd }}
# This is set by the caller of the reusable workflow, they have the ability to run the command they specify
# directly without our help so this is fine.
run: ${{ inputs.prepare_cmd }} # zizmor: ignore[template-injection]
if: inputs.prepare_cmd
- name: Expand executable path
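Review bot: The justification written above the `template-injection` ignore holds only while every caller passes a literal `prepare_cmd` from its own workflow file; a caller that ever derives the input from an event field (a PR title or branch name, say) would turn this `run:` line into command injection, and nothing inside this reusable workflow can detect that. That constraint belongs on the input's declaration, which is outside this hunk, e.g. `# Executed verbatim by a shell step: pass a literal only, never event-derived data`. The step itself is otherwise sound, since the expression is the whole command rather than a fragment interpolated into one, and `persist-credentials: false` on the checkout above limits what such a command could reach.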


@ -112,6 +112,7 @@ jobs:
with:
repository: element-hq/element-desktop
ref: ${{ inputs.ref }}
persist-credentials: false
- uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8
with:
@ -146,7 +147,9 @@ jobs:
run: |
rustup toolchain install stable --profile minimal --no-self-update
rustup default stable
rustup target add ${{ steps.config.outputs.target }}
rustup target add $env:TARGET
env:
TARGET: ${{ steps.config.outputs.target }}
- uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
- uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
@ -187,7 +190,9 @@ jobs:
if: steps.cache.outputs.cache-hit != 'true'
run: |
refreshenv
pnpm build:native --target ${{ steps.config.outputs.target }}
pnpm build:native --target $env:TARGET
env:
TARGET: ${{ steps.config.outputs.target }}
- name: Install and configure eSigner CKA
run: |
@ -209,7 +214,7 @@ jobs:
# Configure - default credentials from https://www.ssl.com/guide/esigner-demo-credentials-and-certificates/
${{ env.INSTALL_DIR }}/eSignerCKATool.exe config `
-mode ${{ vars.ESIGNER_MODE || 'sandbox' }} `
-mode "$env:ESIGNER_MODE" `
-user "${{ secrets.ESIGNER_USER_NAME || 'esigner_demo' }}" `
-pass "${{ secrets.ESIGNER_USER_PASSWORD || 'esignerDemo#1' }}" `
-totp "${{ secrets.ESIGNER_USER_TOTP || 'RDXYgV9qju+6/7GnMf1vCbKexXVJmUVr+86Wq/8aIGg=' }}" `
@ -228,12 +233,14 @@ jobs:
echo "ED_SIGNTOOL_THUMBPRINT=$Thumbprint" >> $env:GITHUB_ENV
echo "ED_SIGNTOOL_SUBJECT_NAME=$SubjectName" >> $env:GITHUB_ENV
env:
ESIGNER_MODE: ${{ vars.ESIGNER_MODE || 'sandbox' }}
ESIGNER_URL: https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.6/SSL.COM-eSigner-CKA_1.0.6.zip
INSTALL_DIR: C:\Users\runneradmin\eSignerCKA
MASTER_KEY_FILE: C:\Users\runneradmin\eSignerCKA\master.key
- name: Build App
run: pnpm build --publish never ${{ steps.config.outputs.build-args }} -w ${{ inputs.targets }}
run: pnpm build --publish never $BUILD_ARGS -w $TARGETS
shell: bash
env:
VARIANT_PATH: variant.json
# Only set for Nightly builds
@ -243,6 +250,8 @@ jobs:
# We just give the installer a static name, so you'll just see this in the 'about' dialog.
# Turns out if you use 0.0.0 here it makes Squirrel windows crash, so we use 0.0.1.
VERSION: ${{ inputs.version && format('0.0.1-nightly.{0}', inputs.version) || '' }}
BUILD_ARGS: ${{ steps.config.outputs.build-args }}
TARGETS: ${{ inputs.targets }}
- name: Trust eSigner sandbox cert
if: inputs.sign == ''
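Review bot: The `-user`, `-pass` and `-totp` arguments on the lines following the new `-mode "$env:ESIGNER_MODE"` are still expanded inline by the template engine, so the refactor that moved `-mode` out of the script text stops after one argument and the step now mixes both styles. Those values come from `secrets` and literal fallbacks rather than event data, so this is a consistency point rather than an injection fix, but carrying them in `env:` keeps the script body static and matches every other hunk in this commit. `${{ env.INSTALL_DIR }}` on the command line can stay as it is, because PowerShell would need a `&` call operator to invoke a path held in a variable. The step body starts and ends outside this hunk.
```yaml
          # … unchanged: eSigner download and install …
          ${{ env.INSTALL_DIR }}/eSignerCKATool.exe config `
            -mode "$env:ESIGNER_MODE" `
            -user "$env:ESIGNER_USER_NAME" `
            -pass "$env:ESIGNER_USER_PASSWORD" `
            -totp "$env:ESIGNER_USER_TOTP" `
          # … unchanged: remaining config flags and thumbprint export …
        env:
          ESIGNER_MODE: ${{ vars.ESIGNER_MODE || 'sandbox' }}
          ESIGNER_USER_NAME: ${{ secrets.ESIGNER_USER_NAME || 'esigner_demo' }}
          ESIGNER_USER_PASSWORD: ${{ secrets.ESIGNER_USER_PASSWORD || 'esignerDemo#1' }}
          ESIGNER_USER_TOTP: ${{ secrets.ESIGNER_USER_TOTP || 'RDXYgV9qju+6/7GnMf1vCbKexXVJmUVr+86Wq/8aIGg=' }}
          # … unchanged: ESIGNER_URL, INSTALL_DIR, MASTER_KEY_FILE …
```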


@ -20,6 +20,8 @@ jobs:
packages: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Set up QEMU
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3


@ -7,7 +7,7 @@ permissions:
pull-requests: write # needed to auto-approve PRs
jobs:
download:
uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_download.yaml@main
uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_download.yaml@6eda3835118f3bc3fb658a1a3c20b7da9d16ae42
with:
packageManager: pnpm
secrets:
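Review bot: The new SHA pin on the `uses:` line has no trailing comment recording which tag or branch of matrix-web-i18n it corresponds to, unlike the action pins elsewhere in this commit (`# v6`, `# v4`, `# v0.5.0`), so a reviewer cannot tell at a glance what `6eda3835…` is or notice when it drifts from upstream. Add the ref as a comment, e.g. `uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_download.yaml@6eda3835118f3bc3fb658a1a3c20b7da9d16ae42 # <tag-or-branch-at-pin-time>`, and confirm the repository's dependency-update tooling covers reusable-workflow references so the pin does not silently go stale. The same applies to the localazy_upload pin and the element-meta sync-labels pin in later sections. The job definition continues outside this hunk.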


@ -7,6 +7,6 @@ on:
permissions: {} # No permissions needed
jobs:
upload:
uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_upload.yaml@main
uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_upload.yaml@6eda3835118f3bc3fb658a1a3c20b7da9d16ae42
secrets:
LOCALAZY_WRITE_KEY: ${{ secrets.LOCALAZY_WRITE_KEY }}


@ -1,11 +1,13 @@
name: Pull Request
on:
pull_request_target:
# Privilege escalation necessary access members of the review teams
# 🚨 We must not execute any checked out code here, and be careful around use of user-controlled inputs.
pull_request_target: # zizmor: ignore[dangerous-triggers]
types: [opened, edited, labeled, unlabeled, synchronize]
permissions: {}
jobs:
action:
uses: matrix-org/matrix-js-sdk/.github/workflows/pull_request.yaml@develop
uses: matrix-org/matrix-js-sdk/.github/workflows/pull_request.yaml@develop # zizmor: ignore[unpinned-uses]
permissions:
pull-requests: write
secrets:
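Review bot: The `unpinned-uses` ignore on the `pull_request.yaml@develop` line suppresses a finding in a workflow that, per the comment above it, runs on `pull_request_target` with `pull-requests: write` and secrets, so whatever lands on matrix-js-sdk's `develop` branch runs here with those grants. Tracking the moving branch is presumably deliberate so cross-repo workflow fixes roll out without a PR each time, but that trade-off deserves stating next to the suppression, e.g. `# Tracks develop on purpose so shared workflow fixes roll out without a PR here; revisit if ownership of matrix-js-sdk changes`. If a moving ref is not actually required, a SHA pin with a version comment, as done for the localazy workflows in this commit, removes the suppression entirely. The `secrets:` block continues outside this hunk.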


@ -7,7 +7,7 @@ concurrency: ${{ github.workflow }}
permissions: {}
jobs:
draft:
uses: matrix-org/matrix-js-sdk/.github/workflows/release-drafter-workflow.yml@develop
uses: matrix-org/matrix-js-sdk/.github/workflows/release-drafter-workflow.yml@develop # zizmor: ignore[unpinned-uses]
permissions:
contents: write
with:


@ -7,6 +7,6 @@ concurrency: ${{ github.repository }}-${{ github.workflow }}
permissions: {} # Uses ELEMENT_BOT_TOKEN
jobs:
merge:
uses: matrix-org/matrix-js-sdk/.github/workflows/release-gitflow.yml@develop
uses: matrix-org/matrix-js-sdk/.github/workflows/release-gitflow.yml@develop # zizmor: ignore[unpinned-uses]
secrets:
ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}


@ -14,7 +14,7 @@ concurrency: ${{ github.workflow }}
permissions: {}
jobs:
release:
uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop
uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop # zizmor: ignore[unpinned-uses]
permissions:
contents: write
issues: write


@ -10,6 +10,8 @@ jobs:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
- uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
@ -38,6 +40,8 @@ jobs:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
- uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
@ -55,8 +59,12 @@ jobs:
workflow_lint:
name: "Workflow Lint"
runs-on: ubuntu-24.04
permissions:
security-events: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
- uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
@ -71,11 +79,16 @@ jobs:
- name: Run Linter
run: "pnpm lint:workflows"
- name: Run zizmor
uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
analyse_dead_code:
name: "Analyse Dead Code"
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
- uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
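Review bot: `security-events: write` is granted at job level to the whole `workflow_lint` job, so the checkout, the pnpm install and `pnpm lint:workflows` all run with a token that can write code-scanning alerts, although only the zizmor-action step needs that scope. Splitting zizmor into its own job keeps the scope away from steps that execute project-defined scripts and lets `workflow_lint` fall back to the default read-only token. A job-level `permissions:` block also resets every scope it does not list; the checkout evidently still succeeds on this public repository, but the new job should carry `contents: read` explicitly so it keeps working if the repository visibility ever changes. The remaining steps of `workflow_lint` and the `analyse_dead_code` job continue outside this hunk.
```yaml
  workflow_lint:
    name: "Workflow Lint"
    runs-on: ubuntu-24.04
    steps:
      # … unchanged: checkout with persist-credentials: false, pnpm/node setup, pnpm lint:workflows …

  zizmor:
    name: "zizmor"
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
```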


@ -11,7 +11,7 @@ on:
permissions: {} # Uses ELEMENT_BOT_TOKEN
jobs:
sync-labels:
uses: element-hq/element-meta/.github/workflows/sync-labels.yml@develop
uses: element-hq/element-meta/.github/workflows/sync-labels.yml@dac99c67f08f8f2a079e885ffb682a2f39cd3960
with:
LABELS: |
element-hq/element-web


@ -10,7 +10,7 @@ jobs:
automate-project-columns-next:
runs-on: ubuntu-24.04
steps:
- uses: actions/add-to-project@main
- uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
with:
project-url: https://github.com/orgs/element-hq/projects/120
github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}


@ -8,5 +8,5 @@ permissions: {} # Uses ELEMENT_BOT_TOKEN
jobs:
call-triage-labelled:
uses: element-hq/element-web/.github/workflows/triage-labelled.yml@develop
secrets: inherit
uses: element-hq/element-web/.github/workflows/triage-labelled.yml@develop # zizmor: ignore[unpinned-uses]
secrets: inherit # zizmor: ignore[secrets-inherit]