From 850553e468a30cdcdcea1e53eba397de10c5d0d1 Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Wed, 4 Mar 2026 11:49:53 +0000 Subject: [PATCH] Add zizmor CI & make it happy (#2877) --- .github/workflows/backport.yml | 4 +++- .github/workflows/build_and_deploy.yaml | 8 ++++---- .github/workflows/build_and_test.yaml | 2 ++ .github/workflows/build_linux.yaml | 5 ++++- .github/workflows/build_macos.yaml | 10 +++++++--- .github/workflows/build_prepare.yaml | 11 +++++++++-- .github/workflows/build_test.yaml | 5 ++++- .github/workflows/build_windows.yaml | 17 +++++++++++++---- .github/workflows/dockerbuild.yaml | 2 ++ .github/workflows/localazy_download.yaml | 2 +- .github/workflows/localazy_upload.yaml | 2 +- .github/workflows/pull_request.yaml | 6 ++++-- .github/workflows/release-drafter.yml | 2 +- .github/workflows/release-gitflow.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/static_analysis.yaml | 13 +++++++++++++ .github/workflows/sync-labels.yml | 2 +- .github/workflows/triage-incoming.yml | 2 +- .github/workflows/triage-labelled.yml | 4 ++-- 19 files changed, 74 insertions(+), 27 deletions(-) diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 5a11ad5bbd..c770fb248a 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -1,6 +1,8 @@ name: Backport on: - pull_request_target: + # Privilege escalation necessary to enable backporting PRs from forks + # 🚨 We must not execute any checked out code here. + pull_request_target: # zizmor: ignore[dangerous-triggers] types: - closed - labeled diff --git a/.github/workflows/build_and_deploy.yaml b/.github/workflows/build_and_deploy.yaml index 5568f0e617..9829094bfb 100644 --- a/.github/workflows/build_and_deploy.yaml +++ b/.github/workflows/build_and_deploy.yaml 
@@ -79,7 +79,7 @@ jobs: matrix: arch: [x64, arm64] uses: ./.github/workflows/build_windows.yaml - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] with: sign: true arch: ${{ matrix.arch }} @@ -90,7 +90,7 @@ jobs: needs: prepare name: macOS uses: ./.github/workflows/build_macos.yaml - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] with: sign: true base-url: https://packages.element.io/${{ needs.prepare.outputs.packages-dir }} @@ -258,7 +258,7 @@ jobs: ${{ steps.deb.outputs.arm64 }} - name: Publish amd64 deb to packages.element.io - uses: element-hq/packages.element.io@master + uses: element-hq/packages.element.io@master # zizmor: ignore[unpinned-uses] if: needs.prepare.outputs.deploy == 'true' && needs.linux.result == 'success' with: file: ${{ steps.deb.outputs.amd64 }} @@ -268,7 +268,7 @@ jobs: bucket-access-key: ${{ secrets.CF_R2_TOKEN }} - name: Publish arm64 deb to packages.element.io - uses: element-hq/packages.element.io@master + uses: element-hq/packages.element.io@master # zizmor: ignore[unpinned-uses] if: needs.prepare.outputs.deploy == 'true' && needs.linux.result == 'success' with: file: ${{ steps.deb.outputs.arm64 }} diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 740832518a..402382fbc0 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -54,6 +54,8 @@ jobs: if: ${{ !cancelled() }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4 - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 diff --git a/.github/workflows/build_linux.yaml b/.github/workflows/build_linux.yaml index ae8a0ac5f8..da3becfd98 100644 --- a/.github/workflows/build_linux.yaml +++ b/.github/workflows/build_linux.yaml 
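Review bot: The two `secrets: inherit # zizmor: ignore[secrets-inherit]` lines (hunks at -79 and -90) suppress the finding without recording why every repository secret has to be forwarded, whereas the other ignores in this patch (backport.yml, pull_request.yaml, build_test.yaml) each carry a justification comment. Both callers pass `sign: true`, so the called workflows presumably need the signing and notarisation secrets; say so above each line, e.g. `# Signed builds need the code-signing secrets; the called workflow lives in this repository, so inherit is acceptable.` If the set of secrets is small and stable, listing them under `secrets:` explicitly would let the ignore be dropped altogether.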
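Review bot: `uses: element-hq/packages.element.io@master # zizmor: ignore[unpinned-uses]` (hunks at -258 and -268) keeps a mutable ref for an action that is handed `bucket-access-key: ${{ secrets.CF_R2_TOKEN }}`, so whatever `master` points to at run time receives that credential. The action appears to be first-party, which is presumably the reason for the suppression, but the ignore comment does not say so; record it, e.g. `# first-party action, intentionally tracks master`, or pin to a commit SHA with a version comment as this patch does for the third-party actions.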
@@ -109,6 +109,7 @@ jobs: with: repository: element-hq/element-desktop ref: ${{ inputs.ref }} + persist-credentials: false - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 with: @@ -184,13 +185,15 @@ jobs: fi - name: Build App - run: pnpm build --publish never ${{ steps.config.outputs.build-args }} -l ${{ inputs.targets }} + run: pnpm build --publish never $BUILD_ARGS -l $TARGETS env: VARIANT_PATH: variant.json # Only set for Nightly builds VERSION: ${{ inputs.version }} # Workaround for https://github.com/electron-userland/electron-builder/issues/5721 USE_HARD_LINKS: false + BUILD_ARGS: ${{ steps.config.outputs.build-args }} + TARGETS: ${{ inputs.targets }} - name: Check native libraries run: | diff --git a/.github/workflows/build_macos.yaml b/.github/workflows/build_macos.yaml index d8e4e33c5a..e032003a5d 100644 --- a/.github/workflows/build_macos.yaml +++ b/.github/workflows/build_macos.yaml @@ -83,6 +83,7 @@ jobs: with: repository: element-hq/element-desktop ref: ${{ inputs.ref }} + persist-credentials: false - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 with: @@ -130,7 +131,7 @@ jobs: - name: "[Signed] Build App" if: inputs.sign != '' run: | - pnpm build:universal --publish never -m ${{ inputs.targets }} + pnpm build:universal --publish never -m ${TARGETS} env: APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} APPLE_ID: ${{ secrets.APPLE_ID }} @@ -140,6 +141,7 @@ jobs: VARIANT_PATH: variant.json # Only set for Nightly builds VERSION: ${{ inputs.version }} + TARGETS: ${{ inputs.targets }} - name: Check app was signed & notarised successfully if: inputs.sign != '' 
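Review bot: `run: pnpm build --publish never $BUILD_ARGS -l $TARGETS` (build_linux hunk at -184) leaves both variables unquoted, which is what lets a multi-flag `build-args` value be split into separate arguments, but nothing says this is deliberate and a later cleanup could add quotes and silently break the build. Add a comment on the step, e.g. `# $BUILD_ARGS and $TARGETS are space-separated argument lists and are intentionally left unquoted`. The same applies to `-m ${TARGETS}` in build_macos.yaml (hunks at -130 and -152) and to the bash Build App step in build_windows.yaml. Moving the values into `env:` is the actual injection fix, since the expressions no longer land in the script text; word-splitting of workflow-computed outputs is the remaining, accepted, behaviour and deserves to be written down.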
@@ -152,10 +154,11 @@ jobs: - name: "[Unsigned] Build App" if: inputs.sign == '' run: | - pnpm build:universal --publish never -m ${{ inputs.targets }} + pnpm build:universal --publish never -m ${TARGETS} env: CSC_IDENTITY_AUTO_DISCOVERY: false VARIANT_PATH: variant.json + TARGETS: ${{ inputs.targets }} - name: Generate releases.json if: inputs.base-url @@ -163,7 +166,7 @@ jobs: PKG_JSON_VERSION=$(cat package.json | jq -r .version) LATEST=$(find dist -type f -iname "*-mac.zip" | xargs -0 -n1 -- basename) # Encode spaces in the URL as Squirrel.Mac complains about bad JSON otherwise - URL="${{ inputs.base-url }}/update/macos/${LATEST// /%20}" + URL="${BASE_URL}/update/macos/${LATEST// /%20}" jq -n --arg version "${VERSION:-$PKG_JSON_VERSION}" --arg url "$URL" ' { @@ -182,6 +185,7 @@ jobs: ' > dist/releases-legacy.json env: VERSION: ${{ inputs.version }} + BASE_URL: ${{ inputs.base-url }} # We exclude mac-universal as the unpacked app takes forever to upload and zip and dmg already contains it - name: Upload Artifacts diff --git a/.github/workflows/build_prepare.yaml b/.github/workflows/build_prepare.yaml index cf7b85aff1..c156f1e679 100644 --- a/.github/workflows/build_prepare.yaml +++ b/.github/workflows/build_prepare.yaml @@ -55,6 +55,8 @@ jobs: nightly-version: ${{ steps.versions.outputs.nightly }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4 - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 
@@ -84,7 +86,10 @@ jobs: - name: Fetch Element Web (${{ inputs.version }}) if: steps.branch-matching.outcome == 'failure' || steps.branch-matching.outcome == 'skipped' - run: pnpm run fetch --noverify -d ${{ inputs.config }} ${{ inputs.version }} + run: pnpm run fetch --noverify -d ${CONFIG} ${VERSION} + env: + CONFIG: ${{ inputs.config }} + VERSION: ${{ inputs.version }} - name: Copy variant config run: cp "$CONFIG_DIR/build.json" variant.json @@ -159,13 +164,15 @@ jobs: WEB_VERSION=${WEBAPP_VERSION:0:12} JS_VERSION=${WEBAPP_VERSION:16:12} - echo "### Nightly build ${{ steps.versions.outputs.nightly }}" >> $GITHUB_STEP_SUMMARY + echo "### Nightly build ${NIGHTLY_VERSION}" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "| Component | Version |" >> $GITHUB_STEP_SUMMARY echo "| ----------- | ------- |" >> $GITHUB_STEP_SUMMARY echo "| Bundle Hash | $BUNDLE_HASH |" >> $GITHUB_STEP_SUMMARY echo "| Element Web | [$WEB_VERSION](https://github.com/element-hq/element-web/commit/$WEB_VERSION) |" >> $GITHUB_STEP_SUMMARY echo "| JS SDK | [$JS_VERSION](https://github.com/matrix-org/matrix-js-sdk/commit/$JS_VERSION) |" >> $GITHUB_STEP_SUMMARY + env: + NIGHTLY_VERSION: ${{ steps.versions.outputs.nightly }} - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: diff --git a/.github/workflows/build_test.yaml b/.github/workflows/build_test.yaml index 2cf1970095..7f8811405b 100644 --- a/.github/workflows/build_test.yaml +++ b/.github/workflows/build_test.yaml @@ -39,6 +39,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: repository: ${{ github.repository == 'element-hq/element-web-pro' && 'element-hq/element-desktop' || github.repository }} + persist-credentials: false - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4 - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 
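Review bot: `run: pnpm run fetch --noverify -d ${CONFIG} ${VERSION}` relies on the unquoted `${VERSION}` vanishing when it is empty; other steps in this patch describe `inputs.version` as `# Only set for Nightly builds`, so if that holds for this workflow too, quoting it as `"${VERSION}"` would pass an empty argument and change the command. A comment on the line would protect it from a well-meaning quoting pass, e.g. `# ${VERSION} is intentionally unquoted: it is empty outside nightly builds and must be dropped, not passed as ""`. The `--noverify` flag is pre-existing and presumably skips verification of the fetched bundle in this branch-matching fallback; a one-line comment stating why that is acceptable here would help the next reader of the step.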
@@ -55,7 +56,9 @@ jobs: path: dist - name: Prepare for tests - run: ${{ inputs.prepare_cmd }} + # This is set by the caller of the reusable workflow, they have the ability to run the command they specify + # directly without our help so this is fine. + run: ${{ inputs.prepare_cmd }} # zizmor: ignore[template-injection] if: inputs.prepare_cmd - name: Expand executable path diff --git a/.github/workflows/build_windows.yaml b/.github/workflows/build_windows.yaml index 04cdd7dfb5..71a8c6faa0 100644 --- a/.github/workflows/build_windows.yaml +++ b/.github/workflows/build_windows.yaml @@ -112,6 +112,7 @@ jobs: with: repository: element-hq/element-desktop ref: ${{ inputs.ref }} + persist-credentials: false - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 with: @@ -146,7 +147,9 @@ jobs: run: | rustup toolchain install stable --profile minimal --no-self-update rustup default stable - rustup target add ${{ steps.config.outputs.target }} + rustup target add $env:TARGET + env: + TARGET: ${{ steps.config.outputs.target }} - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4 - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 @@ -187,7 +190,9 @@ jobs: if: steps.cache.outputs.cache-hit != 'true' run: | refreshenv - pnpm build:native --target ${{ steps.config.outputs.target }} + pnpm build:native --target $env:TARGET + env: + TARGET: ${{ steps.config.outputs.target }} - name: Install and configure eSigner CKA run: | @@ -209,7 +214,7 @@ jobs: # Configure - default credentials from https://www.ssl.com/guide/esigner-demo-credentials-and-certificates/ ${{ env.INSTALL_DIR }}/eSignerCKATool.exe config ` - -mode ${{ vars.ESIGNER_MODE || 'sandbox' }} ` + -mode "$env:ESIGNER_MODE" ` -user "${{ secrets.ESIGNER_USER_NAME || 'esigner_demo' }}" ` -pass "${{ secrets.ESIGNER_USER_PASSWORD || 'esignerDemo#1' }}" ` -totp "${{ secrets.ESIGNER_USER_TOTP || 'RDXYgV9qju+6/7GnMf1vCbKexXVJmUVr+86Wq/8aIGg=' }}" ` 
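Review bot: The justification above `run: ${{ inputs.prepare_cmd }} # zizmor: ignore[template-injection]` holds only while every caller passes a literal; a caller that ever derives `prepare_cmd` from PR, issue or branch data (for example under a `pull_request_target` trigger) would turn this step into command injection, and the ignore would hide it. Extend the comment with that contract, e.g. `# Callers must pass a literal command here, never anything derived from user-controlled event data.` The `inputs.prepare_cmd` definition is outside this hunk; its `description:` would be the natural second place to state the same rule.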
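Review bot: `-mode "$env:ESIGNER_MODE"` (build_windows hunk at -209) moves one value out of the script text, but the neighbouring context lines still interpolate `${{ secrets.ESIGNER_USER_NAME || 'esigner_demo' }}`, `${{ secrets.ESIGNER_USER_PASSWORD || ... }}` and `${{ secrets.ESIGNER_USER_TOTP || ... }}` straight into the PowerShell source, so a secret containing a double quote or backtick would break or alter the command and the values sit in the rendered script. zizmor does not treat `secrets.*` contexts as injectable, which is presumably why only `vars.ESIGNER_MODE` was moved, but the same `env:` treatment makes the step consistent and removes the quoting hazard. The step's `env:` block is in the following hunk (-228), where the three extra entries would go.
```yaml
              run: |
                  # … unchanged: download and install of the eSigner CKA tool …
                  ${{ env.INSTALL_DIR }}/eSignerCKATool.exe config `
                      -mode "$env:ESIGNER_MODE" `
                      -user "$env:ESIGNER_USER_NAME" `
                      -pass "$env:ESIGNER_USER_PASSWORD" `
                      -totp "$env:ESIGNER_USER_TOTP" `
                  # … unchanged: remaining flags and GITHUB_ENV exports …
              env:
                  # … unchanged: ESIGNER_MODE, ESIGNER_URL, INSTALL_DIR, MASTER_KEY_FILE …
                  ESIGNER_USER_NAME: ${{ secrets.ESIGNER_USER_NAME || 'esigner_demo' }}
                  ESIGNER_USER_PASSWORD: ${{ secrets.ESIGNER_USER_PASSWORD || 'esignerDemo#1' }}
                  ESIGNER_USER_TOTP: ${{ secrets.ESIGNER_USER_TOTP || 'RDXYgV9qju+6/7GnMf1vCbKexXVJmUVr+86Wq/8aIGg=' }}
```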
@@ -228,12 +233,14 @@ jobs: echo "ED_SIGNTOOL_THUMBPRINT=$Thumbprint" >> $env:GITHUB_ENV echo "ED_SIGNTOOL_SUBJECT_NAME=$SubjectName" >> $env:GITHUB_ENV env: + ESIGNER_MODE: ${{ vars.ESIGNER_MODE || 'sandbox' }} ESIGNER_URL: https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.6/SSL.COM-eSigner-CKA_1.0.6.zip INSTALL_DIR: C:\Users\runneradmin\eSignerCKA MASTER_KEY_FILE: C:\Users\runneradmin\eSignerCKA\master.key - name: Build App - run: pnpm build --publish never ${{ steps.config.outputs.build-args }} -w ${{ inputs.targets }} + run: pnpm build --publish never $BUILD_ARGS -w $TARGETS + shell: bash env: VARIANT_PATH: variant.json # Only set for Nightly builds @@ -243,6 +250,8 @@ jobs: # We just give the installer a static name, so you'll just see this in the 'about' dialog. # Turns out if you use 0.0.0 here it makes Squirrel windows crash, so we use 0.0.1. VERSION: ${{ inputs.version && format('0.0.1-nightly.{0}', inputs.version) || '' }} + BUILD_ARGS: ${{ steps.config.outputs.build-args }} + TARGETS: ${{ inputs.targets }} - name: Trust eSigner sandbox cert if: inputs.sign == '' diff --git a/.github/workflows/dockerbuild.yaml b/.github/workflows/dockerbuild.yaml index a3475ba16f..8aa62412f1 100644 --- a/.github/workflows/dockerbuild.yaml +++ b/.github/workflows/dockerbuild.yaml @@ -20,6 +20,8 @@ jobs: packages: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Set up QEMU uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 diff --git a/.github/workflows/localazy_download.yaml b/.github/workflows/localazy_download.yaml index 0a135451ce..730c680c73 100644 --- a/.github/workflows/localazy_download.yaml +++ b/.github/workflows/localazy_download.yaml 
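Review bot: `shell: bash` is added to the Build App step without saying why; the likely reason is that `$BUILD_ARGS` has to be word-split into several arguments, which bash does and PowerShell (`$env:BUILD_ARGS`, the form the `rustup` and `build:native` steps in this file use) does not. Record that on the step, e.g. `shell: bash # $BUILD_ARGS is a space-separated flag list; bash word-splits it, PowerShell would pass it as one argument`. Mixing shells within one job is otherwise fine, but a reader comparing this step with the `$env:TARGET` steps above will wonder whether the difference is intentional.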
@@ -7,7 +7,7 @@ permissions:
 pull-requests: write # needed to auto-approve PRs
 jobs:
 download:
- uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_download.yaml@main
+ uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_download.yaml@6eda3835118f3bc3fb658a1a3c20b7da9d16ae42
 with:
 packageManager: pnpm
 secrets:
diff --git a/.github/workflows/localazy_upload.yaml b/.github/workflows/localazy_upload.yaml
index 8cb7743968..2185f36eac 100644
--- a/.github/workflows/localazy_upload.yaml
+++ b/.github/workflows/localazy_upload.yaml
@@ -7,6 +7,6 @@ on:
 permissions: {} # No permissions needed
 jobs:
 upload:
- uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_upload.yaml@main
+ uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_upload.yaml@6eda3835118f3bc3fb658a1a3c20b7da9d16ae42
 secrets:
 LOCALAZY_WRITE_KEY: ${{ secrets.LOCALAZY_WRITE_KEY }}
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
index 3d9633f3fa..685874e1a1 100644
--- a/.github/workflows/pull_request.yaml
+++ b/.github/workflows/pull_request.yaml
@@ -1,11 +1,13 @@
 name: Pull Request
 on:
- pull_request_target:
+ # Privilege escalation necessary access members of the review teams
+ # 🚨 We must not execute any checked out code here, and be careful around use of user-controlled inputs.
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
 types: [opened, edited, labeled, unlabeled, synchronize]
 permissions: {}
 jobs:
 action:
- uses: matrix-org/matrix-js-sdk/.github/workflows/pull_request.yaml@develop
+ uses: matrix-org/matrix-js-sdk/.github/workflows/pull_request.yaml@develop # zizmor: ignore[unpinned-uses]
 permissions:
 pull-requests: write
 secrets:
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 6d3bf514f0..84c7666ce1 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
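Review bot: `uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_download.yaml@6eda3835118f3bc3fb658a1a3c20b7da9d16ae42` is pinned to a SHA but, unlike the `actions/*` pins in this patch (`# v6`, `# v1.0.2`), carries no trailing comment naming the tag or branch the SHA was taken from, so nobody can tell at a glance what version this is or whether an update tool will keep it current. Add the ref as a comment, e.g. `...@6eda3835118f3bc3fb658a1a3c20b7da9d16ae42 # main` (substituting whatever ref the SHA actually came from). The same applies to localazy_upload.yaml in the next hunk and to `element-hq/element-meta/.github/workflows/sync-labels.yml@dac99c67f08f8f2a079e885ffb682a2f39cd3960` in sync-labels.yml.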
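Review bot: The new comment `# Privilege escalation necessary access members of the review teams` in pull_request.yaml is missing a word; `# Privilege escalation necessary to access members of the review teams` reads correctly. The `# zizmor: ignore[unpinned-uses]` on `matrix-org/matrix-js-sdk/.github/workflows/pull_request.yaml@develop` also sits oddly next to this same commit pinning matrix-web-i18n to a SHA: a reusable workflow invoked from a `pull_request_target` run with `pull-requests: write` and secrets is exactly where a mutable ref matters most. If `@develop` is intentional because the js-sdk workflows are meant to move in lockstep with this repository, say so in the ignore comment; the same ignore appears in release-drafter.yml, release-gitflow.yml, release.yml and triage-labelled.yml.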
@@ -7,7 +7,7 @@ concurrency: ${{ github.workflow }} permissions: {} jobs: draft: - uses: matrix-org/matrix-js-sdk/.github/workflows/release-drafter-workflow.yml@develop + uses: matrix-org/matrix-js-sdk/.github/workflows/release-drafter-workflow.yml@develop # zizmor: ignore[unpinned-uses] permissions: contents: write with: diff --git a/.github/workflows/release-gitflow.yml b/.github/workflows/release-gitflow.yml index 8192a0fce4..ac6fc8d80c 100644 --- a/.github/workflows/release-gitflow.yml +++ b/.github/workflows/release-gitflow.yml @@ -7,6 +7,6 @@ concurrency: ${{ github.repository }}-${{ github.workflow }} permissions: {} # Uses ELEMENT_BOT_TOKEN jobs: merge: - uses: matrix-org/matrix-js-sdk/.github/workflows/release-gitflow.yml@develop + uses: matrix-org/matrix-js-sdk/.github/workflows/release-gitflow.yml@develop # zizmor: ignore[unpinned-uses] secrets: ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8bb438f946..387a9335e7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,7 +14,7 @@ concurrency: ${{ github.workflow }} permissions: {} jobs: release: - uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop + uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop # zizmor: ignore[unpinned-uses] permissions: contents: write issues: write diff --git a/.github/workflows/static_analysis.yaml b/.github/workflows/static_analysis.yaml index 0a422fc743..36d40023bf 100644 --- a/.github/workflows/static_analysis.yaml +++ b/.github/workflows/static_analysis.yaml @@ -10,6 +10,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4 - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 
@@ -38,6 +40,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4 - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 @@ -55,8 +59,12 @@ jobs: workflow_lint: name: "Workflow Lint" runs-on: ubuntu-24.04 + permissions: + security-events: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4 - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 @@ -71,11 +79,16 @@ jobs: - name: Run Linter run: "pnpm lint:workflows" + - name: Run zizmor + uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0 + analyse_dead_code: name: "Analyse Dead Code" runs-on: ubuntu-24.04 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4 - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 54090effb1..f162ae41e0 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -11,7 +11,7 @@ on: permissions: {} # Uses ELEMENT_BOT_TOKEN jobs: sync-labels: - uses: element-hq/element-meta/.github/workflows/sync-labels.yml@develop + uses: element-hq/element-meta/.github/workflows/sync-labels.yml@dac99c67f08f8f2a079e885ffb682a2f39cd3960 with: LABELS: | element-hq/element-web diff --git a/.github/workflows/triage-incoming.yml b/.github/workflows/triage-incoming.yml index 5b5c74a539..9571b78f06 100644 --- a/.github/workflows/triage-incoming.yml +++ b/.github/workflows/triage-incoming.yml 
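Review bot: The job-level `permissions:` block added to `workflow_lint` (hunk at -55) lists only `security-events: write`; a job-level block replaces the default token permissions entirely, so the token for this job no longer carries `contents: read`. As far as I recall, zizmor-action's README asks for `contents: read` and `actions: read` alongside `security-events: write` when it uploads SARIF, and checkout in a private mirror would need `contents: read` as well; confirm against the action's documentation and add the missing entries if so. Public-repository checkout may still succeed without the permission, which would mask the gap until the job runs somewhere private.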
@@ -10,7 +10,7 @@ jobs: automate-project-columns-next: runs-on: ubuntu-24.04 steps: - - uses: actions/add-to-project@main + - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2 with: project-url: https://github.com/orgs/element-hq/projects/120 github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} diff --git a/.github/workflows/triage-labelled.yml b/.github/workflows/triage-labelled.yml index e4f03fa831..69d3977807 100644 --- a/.github/workflows/triage-labelled.yml +++ b/.github/workflows/triage-labelled.yml @@ -8,5 +8,5 @@ permissions: {} # Uses ELEMENT_BOT_TOKEN jobs: call-triage-labelled: - uses: element-hq/element-web/.github/workflows/triage-labelled.yml@develop - secrets: inherit + uses: element-hq/element-web/.github/workflows/triage-labelled.yml@develop # zizmor: ignore[unpinned-uses] + secrets: inherit # zizmor: ignore[secrets-inherit]
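Review bot: `secrets: inherit # zizmor: ignore[secrets-inherit]` in triage-labelled.yml hands every repository secret to `element-hq/element-web/.github/workflows/triage-labelled.yml@develop`, a workflow in another repository at a mutable ref, while the `permissions: {} # Uses ELEMENT_BOT_TOKEN` context line suggests only one secret is needed. release-gitflow.yml in this same patch passes that secret explicitly; doing the same here — `secrets:` followed by `ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}` — would narrow what a change on element-web's `develop` branch could reach and would let the `secrets-inherit` ignore be dropped. If the called workflow genuinely needs more than that token, a comment listing why inherit is required is the alternative.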