element-hq · t3chguy · Nov 22, 2024 · Nov 20, 2024 · Nov 20, 2024 · Nov 21, 2024
@@ -7,6 +7,8 @@ on:
         branches:
             - develop
 
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+
 jobs:
     backport:
         name: Backport

@@ -41,9 +41,12 @@ run-name: Element ${{ inputs.mode != 'release' && github.event_name != 'release'
 concurrency: ${{ github.workflow }}
 env:
     R2_BUCKET: ${{ vars.R2_BUCKET }}
+permissions: {} # Uses ELEMENT_BOT_TOKEN
 jobs:
     prepare:
         uses: ./.github/workflows/build_prepare.yaml
+        permissions:
+            contents: read
         with:
             config: element.io/${{ inputs.mode || (github.event_name == 'release' && 'release') || 'nightly' }}
             version: ${{ (inputs.mode != 'release' && github.event_name != 'release') && 'develop' || '' }}

@@ -6,9 +6,12 @@ on:
 concurrency:
     group: ${{ github.workflow }}-${{ github.ref }}
     cancel-in-progress: true
+permissions: {} # No permissions required
 jobs:
     fetch:
         uses: ./.github/workflows/build_prepare.yaml
+        permissions:
+            contents: read
         with:
             config: ${{ github.event.pull_request.base.ref == 'develop' && 'element.io/nightly' || 'element.io/release' }}
             version: ${{ github.event.pull_request.base.ref == 'develop' && 'develop' || '' }}

@@ -22,6 +22,7 @@ on:
                 description: "How to link sqlcipher, one of 'system' | 'static'"
 env:
     SQLCIPHER_BUNDLED: ${{ inputs.sqlcipher == 'static' && '1' || '' }}
+permissions: {} # No permissions required
 jobs:
     # We build the hak files on native infrastructure as matrix-seshat fails to cross-compile properly
     # https://github.com/matrix-org/seshat/issues/135

@@ -27,6 +27,7 @@ on:
                 type: string
                 required: false
                 description: "The URL to which the output will be deployed."
+permissions: {} # No permissions required
 jobs:
     build:
         runs-on: macos-14 # M1

@@ -41,11 +41,14 @@ on:
             deploy:
                 description: "The relative path to the config file for this run"
                 value: ${{ inputs.deploy }}
+permissions: {}
 jobs:
     prepare:
         name: Prepare
         environment: ${{ inputs.nightly && 'packages.element.io' || '' }}
         runs-on: ubuntu-24.04
+        permissions:
+            contents: read
         outputs:
             nightly-version: ${{ steps.versions.outputs.nightly }}
         steps:

@@ -28,6 +28,7 @@ on:
                 type: string
                 required: false
                 description: "Whether to sign & notarise the build, requires 'packages.element.io' environment"
+permissions: {} # No permissions required
 jobs:
     build:
         runs-on: windows-2022

@@ -9,6 +9,7 @@ concurrency: ${{ github.workflow }}-${{ github.ref_name }}
 env:
     REGISTRY: ghcr.io
     IMAGE_NAME: ${{ github.repository }}-dockerbuild
+permissions: {}
 jobs:
     build:
         name: Docker Build

@@ -3,6 +3,7 @@ on:
     workflow_dispatch: {}
     schedule:
         - cron: "0 6 * * 1,3,5" # Every Monday, Wednesday and Friday at 6am UTC
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
     download:
         uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_download.yaml@main

@@ -4,6 +4,7 @@ on:
         branches: [develop]
         paths:
             - "src/i18n/strings/en_EN.json"
+permissions: {} # No permissions needed
 jobs:
     upload:
         uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_upload.yaml@main

@@ -2,6 +2,7 @@ name: Pull Request
 on:
     pull_request_target:
         types: [opened, edited, labeled, unlabeled, synchronize]
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
     action:
         uses: matrix-org/matrix-js-sdk/.github/workflows/pull_request.yaml@develop

@@ -4,8 +4,11 @@ on:
         branches: [staging]
     workflow_dispatch: {}
 concurrency: ${{ github.workflow }}
+permissions: {}
 jobs:
     draft:
         uses: matrix-org/matrix-js-sdk/.github/workflows/release-drafter-workflow.yml@develop
+        permissions:
+            contents: write
         with:
             include-changes: element-hq/element-web~$VERSION
@@ -4,6 +4,7 @@ on:
     push:
         branches: [master]
 concurrency: ${{ github.repository }}-${{ github.workflow }}
+permissions: {} # Uses ELEMENT_BOT_TOKEN
 jobs:
     merge:
         uses: matrix-org/matrix-js-sdk/.github/workflows/release-gitflow.yml@develop

@@ -11,9 +11,13 @@ on:
                     - rc
                     - final
 concurrency: ${{ github.workflow }}
+permissions: {}
 jobs:
     release:
         uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop
+        permissions:
+            contents: write
+            issues: write
         secrets:
             ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
             GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
@@ -27,6 +31,8 @@ jobs:
         name: Post release checks
         needs: release
         runs-on: ubuntu-24.04
+        permissions:
+            checks: read
         steps:
             - name: Wait for desktop packaging
               uses: t3chguy/wait-on-check-action@18541021811b56544d90e0f073401c2b99e249d6 # fork

@@ -3,6 +3,7 @@ on:
     pull_request: {}
     push:
         branches: [develop, master]
+permissions: {} # No permissions needed
 jobs:
     ts_lint:
         name: "Typescript Syntax Check"
@@ -25,6 +26,8 @@ jobs:
     i18n_lint:
         name: "i18n Check"
         uses: matrix-org/matrix-web-i18n/.github/workflows/i18n_check.yml@main
+        permissions:
+            pull-requests: read
         with:
             hardcoded-words: "Element"
 

@@ -8,6 +8,7 @@ on:
             - develop
         paths:
             - .github/labels.yml
+permissions: {} # Uses ELEMENT_BOT_TOKEN
 jobs:
     sync-labels:
         uses: element-hq/element-meta/.github/workflows/sync-labels.yml@develop

@@ -4,6 +4,8 @@ on:
     issues:
         types: [opened]
 
+permissions: {} # Uses ELEMENT_BOT_TOKEN
+
 jobs:
     automate-project-columns-next:
         runs-on: ubuntu-24.04

@@ -4,6 +4,8 @@ on:
     issues:
         types: [labeled]
 
+permissions: {} # Uses ELEMENT_BOT_TOKEN
+
 jobs:
     call-triage-labelled:
         uses: element-hq/element-web/.github/workflows/triage-labelled.yml@develop