From b1b0966cae5bdc3233bf0c983bac32580d3a3eef Mon Sep 17 00:00:00 2001 From: Doug <6060466+pixlwave@users.noreply.github.com> Date: Thu, 5 Mar 2026 13:54:51 +0000 Subject: [PATCH] Add zizmor checks on CI. (#5161) * Add zizmor checks on CI. * Fix zizmor credentials warnings * Add persist-credentials: false to action-cached-lfs-checkout too. * Add empty permissions by default. * Ignore pull_request_target failure and add a warning. --- .github/workflows/accessibility_tests.yml | 8 +++++-- .../workflows/automatic-calendar-version.yml | 6 ++++- .github/workflows/blocked.yml | 10 ++++++-- .github/workflows/compound-ios.yml | 6 ++++- .github/workflows/danger.yml | 7 +++++- .github/workflows/integration-tests.yml | 8 +++++-- .github/workflows/post-release.yml | 4 +++- .github/workflows/stale-issues.yml | 4 +++- .github/workflows/translations-pr.yml | 6 ++++- .github/workflows/triage_incoming.yml | 6 +++-- .github/workflows/triage_labelled.yml | 12 ++++++---- .github/workflows/ui_tests.yml | 12 +++++++--- .github/workflows/unit_tests.yml | 6 ++++- .github/workflows/unit_tests_enterprise.yml | 5 +++- .github/workflows/zizmor.yml | 24 +++++++++++++++++++ 15 files changed, 100 insertions(+), 24 deletions(-) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/accessibility_tests.yml b/.github/workflows/accessibility_tests.yml index eeb68ed12..3bfcf8cb6 100644 --- a/.github/workflows/accessibility_tests.yml +++ b/.github/workflows/accessibility_tests.yml @@ -5,7 +5,9 @@ on: schedule: - cron: '0 2 * * 1-5' - + +permissions: {} + jobs: tests: name: Tests @@ -19,6 +21,8 @@ jobs: steps: - uses: nschloe/action-cached-lfs-checkout@f46300cd8952454b9f0a21a3d133d4bd5684cfc2 #v1.2.3 + with: + persist-credentials: false - name: Setup environment run: source ci_scripts/ci_common.sh && setup_github_actions_environment 
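Review bot: `persist-credentials: false` is passed to `nschloe/action-cached-lfs-checkout` in the second hunk, but that action is a wrapper around `actions/checkout`, and an input a composite action does not declare is dropped with only an "Unexpected input(s)" warning in the job log, which would leave the token in `.git/config` exactly as before. Please confirm that the pinned revision `f46300cd8952454b9f0a21a3d133d4bd5684cfc2` declares `persist-credentials` and forwards it to the inner checkout, and that its LFS fetch still authenticates once the credential is no longer persisted. The same addition is made in compound-ios.yml, ui_tests.yml and unit_tests.yml and needs the same confirmation. Once verified, a short comment on the step, `# forwarded to actions/checkout by the wrapper`, would save the next reader the same check.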
@@ -27,7 +31,7 @@ jobs: run: swift run -q tools ci accessibility-tests - name: Archive artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 if: failure() with: name: Results diff --git a/.github/workflows/automatic-calendar-version.yml b/.github/workflows/automatic-calendar-version.yml index b4d97723a..e1fdcd41a 100644 --- a/.github/workflows/automatic-calendar-version.yml +++ b/.github/workflows/automatic-calendar-version.yml @@ -7,6 +7,8 @@ on: - cron: '0 3 * * 2' workflow_dispatch: +permissions: {} + # Bumps the year and month, resetting the patch. # Patch bumps are handled by the release script. jobs: @@ -18,7 +20,9 @@ jobs: if: github.repository == 'element-hq/element-x-ios' steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup environment run: diff --git a/.github/workflows/blocked.yml b/.github/workflows/blocked.yml index 05eb83631..9edd23c75 100644 --- a/.github/workflows/blocked.yml +++ b/.github/workflows/blocked.yml @@ -1,7 +1,13 @@ name: Prevent blocked + on: - pull_request_target: + # Privilege escalation necessary to access PR context and set status checks + # 🚨 We must not execute any checked out code here, and be careful around use of user-controlled inputs. + pull_request_target: # zizmor: ignore[dangerous-triggers] types: [opened, labeled, unlabeled, synchronize] + +permissions: {} + jobs: prevent-blocked: name: Prevent blocked @@ -10,7 +16,7 @@ jobs: pull-requests: read steps: - name: Add notice - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 if: contains(github.event.pull_request.labels.*.name, 'X-Blocked') with: script: | diff --git a/.github/workflows/compound-ios.yml b/.github/workflows/compound-ios.yml index df130dc36..fcd23f0a2 100644 --- a/.github/workflows/compound-ios.yml 
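Review bot: With `persist-credentials: false` on this checkout the token is no longer left in the repository's git config, so any later step in this job that commits, pushes or opens a pull request has to supply its own credential explicitly. The steps that would do that (`Setup environment` onwards) are outside the hunk, so it is worth confirming they pass a token secret to git or the release tooling rather than relying on the previously persisted one. The same applies to the identical checkout change in translations-pr.yml, whose job is named `open-translations-pr`.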
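Review bot: The rationale comment added above the `pull_request_target` trigger says the elevated context is needed to "set status checks", but the job-level permissions visible at the start of the second hunk grant only `pull-requests: read`, and the only step is a `github-script` call; if the check is reported through this job's own success or failure rather than by writing a status, the comment should say that so the zizmor ignore can be audited against what the job actually does. It would also help to record the other property this trigger provides, namely that the workflow definition runs from the base branch and cannot be edited away by the pull request being checked, if that is part of the motivation. The job's `permissions:` block starts outside the hunk, so I cannot see whether it grants anything further.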
+++ b/.github/workflows/compound-ios.yml @@ -16,6 +16,8 @@ on: paths: - 'compound-ios/**' +permissions: {} + jobs: tests: @@ -30,6 +32,8 @@ jobs: steps: - uses: nschloe/action-cached-lfs-checkout@f46300cd8952454b9f0a21a3d133d4bd5684cfc2 #v1.2.3 + with: + persist-credentials: false - name: Configure Xcode 26 run: sudo xcode-select -s /Applications/Xcode_26.1.1.app @@ -54,7 +58,7 @@ jobs: run: zip -r Logs/CompoundTests.xcresult.zip Logs/CompoundTests.xcresult/ - name: Archive artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 if: failure() # We only care about artefacts if the tests fail with: name: test-results diff --git a/.github/workflows/danger.yml b/.github/workflows/danger.yml index 80204eca0..4c4349fcc 100644 --- a/.github/workflows/danger.yml +++ b/.github/workflows/danger.yml @@ -4,6 +4,8 @@ on: pull_request: types: [ labeled, synchronize, opened, reopened ] +permissions: {} + jobs: build: name: Danger @@ -16,7 +18,10 @@ jobs: cancel-in-progress: true steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Danger uses: danger/swift@434d7c25f3b02d490a340b23f5e78dd15a5670bc # 3.22.1 env: diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index 998e1f084..369816bd3 100644 --- a/.github/workflows/integration-tests.yml +++ b/.github/workflows/integration-tests.yml @@ -6,6 +6,8 @@ on: workflow_dispatch: +permissions: {} + jobs: integration_tests: name: Integration Tests @@ -18,7 +20,9 @@ jobs: cancel-in-progress: false steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup environment run: 
@@ -32,7 +36,7 @@ jobs: INTEGRATION_TESTS_PASSWORD: ${{ secrets.INTEGRATION_TESTS_PASSWORD }} - name: Archive artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 # We only care about artefacts if the tests fail if: failure() with: diff --git a/.github/workflows/post-release.yml b/.github/workflows/post-release.yml index 4c42f2485..d3638015f 100644 --- a/.github/workflows/post-release.yml +++ b/.github/workflows/post-release.yml @@ -5,6 +5,8 @@ on: tags: - 'release/**' +permissions: {} + jobs: post-release: runs-on: ubuntu-latest @@ -13,7 +15,7 @@ jobs: steps: - name: Trigger pipeline - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: github-token: ${{ secrets.ENTERPRISE_ACTIONS_TOKEN }} script: | diff --git a/.github/workflows/stale-issues.yml b/.github/workflows/stale-issues.yml index aeeebb3bf..1958e8008 100644 --- a/.github/workflows/stale-issues.yml +++ b/.github/workflows/stale-issues.yml @@ -4,13 +4,15 @@ on: schedule: - cron: "30 1 * * *" +permissions: {} + jobs: stale: runs-on: ubuntu-latest permissions: issues: write steps: - - uses: actions/stale@v10 + - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0 with: only-labels: "X-Needs-Info" days-before-issue-stale: 30 diff --git a/.github/workflows/translations-pr.yml b/.github/workflows/translations-pr.yml index 08793e961..74348dd8c 100644 --- a/.github/workflows/translations-pr.yml +++ b/.github/workflows/translations-pr.yml @@ -5,6 +5,8 @@ on: - cron: '0 3 * * 1' workflow_dispatch: +permissions: {} + jobs: open-translations-pr: runs-on: macos-15 @@ -14,7 +16,9 @@ jobs: if: github.repository == 'element-hq/element-x-ios' steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup environment run: 
diff --git a/.github/workflows/triage_incoming.yml b/.github/workflows/triage_incoming.yml index 7b38cb1a9..265e0f3fa 100644 --- a/.github/workflows/triage_incoming.yml +++ b/.github/workflows/triage_incoming.yml @@ -4,13 +4,15 @@ on: issues: types: [opened] +permissions: {} # We use ELEMENT_BOT_TOKEN instead + jobs: add_to_triage: runs-on: ubuntu-latest if: > github.repository == 'element-hq/element-x-ios' steps: - - uses: actions/add-to-project@main + - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2 with: project-url: https://github.com/orgs/element-hq/projects/81 github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} @@ -22,7 +24,7 @@ jobs: if: > github.repository == 'element-hq/element-x-ios' steps: - - uses: actions/add-to-project@main + - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2 with: project-url: https://github.com/orgs/element-hq/projects/43 github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} diff --git a/.github/workflows/triage_labelled.yml b/.github/workflows/triage_labelled.yml index df2a2a01d..d1816711c 100644 --- a/.github/workflows/triage_labelled.yml +++ b/.github/workflows/triage_labelled.yml @@ -4,6 +4,8 @@ on: issues: types: [labeled] +permissions: {} # We use ELEMENT_BOT_TOKEN instead + jobs: ex_plorers: name: Add labelled issues to X-Plorer project @@ -11,7 +13,7 @@ jobs: if: > contains(github.event.issue.labels.*.name, 'Team: Element X Feature') steps: - - uses: actions/add-to-project@main + - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2 with: project-url: https://github.com/orgs/element-hq/projects/73 github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} 
@@ -22,7 +24,7 @@ jobs: if: > contains(github.event.issue.labels.*.name, 'Team: Verticals Feature') steps: - - uses: actions/add-to-project@main + - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2 with: project-url: https://github.com/orgs/element-hq/projects/57 github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} @@ -33,7 +35,7 @@ jobs: if: > contains(github.event.issue.labels.*.name, 'Team: Element X Platform') steps: - - uses: actions/add-to-project@main + - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2 with: project-url: https://github.com/orgs/element-hq/projects/43 github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} @@ -45,7 +47,7 @@ jobs: contains(github.event.issue.labels.*.name, 'Team: QA') || contains(github.event.issue.labels.*.name, 'X-Needs-Signoff') steps: - - uses: actions/add-to-project@main + - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2 with: project-url: https://github.com/orgs/element-hq/projects/69 github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} @@ -56,7 +58,7 @@ jobs: if: > contains(github.event.issue.labels.*.name, 'X-Needs-Signoff') steps: - - uses: actions/add-to-project@main + - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2 with: project-url: https://github.com/orgs/element-hq/projects/89 github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} diff --git a/.github/workflows/ui_tests.yml b/.github/workflows/ui_tests.yml index 8678411e3..162b26a36 100644 --- a/.github/workflows/ui_tests.yml +++ b/.github/workflows/ui_tests.yml @@ -10,6 +10,8 @@ on: schedule: - cron: '0 2 * * 1-5' +permissions: {} + jobs: tests: name: Tests @@ -27,6 +29,8 @@ jobs: steps: - uses: nschloe/action-cached-lfs-checkout@f46300cd8952454b9f0a21a3d133d4bd5684cfc2 #v1.2.3 + with: + persist-credentials: false - name: Setup environment run: source ci_scripts/ci_common.sh && setup_github_actions_environment 
@@ -34,13 +38,15 @@ jobs: - name: Run tests run: | args=(--device-type "${{ matrix.device }}") - if [[ -n "${{ github.event.inputs.test_name }}" ]]; then - args+=( --test-name "${{ github.event.inputs.test_name }}") + if [[ -n "${GITHUB_EVENT_INPUTS_TEST_NAME}" ]]; then + args+=( --test-name "${GITHUB_EVENT_INPUTS_TEST_NAME}") fi swift run -q tools ci ui-tests "${args[@]}" + env: + GITHUB_EVENT_INPUTS_TEST_NAME: ${{ github.event.inputs.test_name }} - name: Archive artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 # We only care about artefacts if the tests fail if: failure() with: diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml index e7a29966c..6be64635d 100644 --- a/.github/workflows/unit_tests.yml +++ b/.github/workflows/unit_tests.yml @@ -8,6 +8,8 @@ on: pull_request: +permissions: {} + jobs: tests: name: Tests @@ -21,6 +23,8 @@ jobs: steps: - uses: nschloe/action-cached-lfs-checkout@f46300cd8952454b9f0a21a3d133d4bd5684cfc2 #v1.2.3 + with: + persist-credentials: false - name: Setup environment run: source ci_scripts/ci_common.sh && setup_github_actions_environment @@ -29,7 +33,7 @@ jobs: run: swift run -q tools ci unit-tests - name: Archive artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 # We only care about artefacts if the tests fail if: failure() with: diff --git a/.github/workflows/unit_tests_enterprise.yml b/.github/workflows/unit_tests_enterprise.yml index 40e9f35e4..efd71d001 100644 --- a/.github/workflows/unit_tests_enterprise.yml +++ b/.github/workflows/unit_tests_enterprise.yml @@ -8,6 +8,8 @@ on: pull_request: +permissions: {} + jobs: tests: name: Tests (Enterprise) 
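Review bot: The injection fix routes `github.event.inputs.test_name` through `env:`, but `args=(--device-type "${{ matrix.device }}")` two lines above is still expanded into the shell script by the expression engine. `matrix.device` is defined in the workflow rather than by a user, so it is not an injection vector today, but keeping a single pattern in the step prevents a later edit from reintroducing the problem: add `DEVICE: ${{ matrix.device }}` under the new `env:` block and write `args=(--device-type "${DEVICE}")`. The `tests` job and its matrix are defined outside the hunk.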
@@ -27,6 +29,7 @@ jobs: with: submodules: recursive token: ${{ secrets.ELEMENT_BOT_TOKEN }} + persist-credentials: false - name: Setup environment run: source ci_scripts/ci_common.sh && setup_github_actions_environment @@ -38,7 +41,7 @@ jobs: run: swift run -q tools ci unit-tests --skip-previews - name: Archive artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 # We only care about artefacts if the tests fail if: failure() with: diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 000000000..c782955fe --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,24 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + zizmor: + name: Run zizmor 🌈 + runs-on: ubuntu-latest + permissions: + security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files. + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
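Review bot: The `uses:` line of this checkout step lies just above the hunk, and the file's diffstat (4 insertions, 1 deletion) is fully accounted for by the `permissions: {}` block, the added `persist-credentials: false` and the upload-artifact pin, so that line was not touched; if it still references a floating tag such as `actions/checkout@v6` as the other checkouts did before this commit, pin it to the same revision used elsewhere, `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`. Note also that this step clones with `token: ${{ secrets.ELEMENT_BOT_TOKEN }}` and `submodules: recursive`; with `persist-credentials: false` that PAT is used for the clone only, so any later step that fetches or updates the submodules over the network will need its own credential.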
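Review bot: The `zizmor` job requests `security-events: write` so the action can upload SARIF, but the workflow also runs on `pull_request` for every branch, and on pull requests from forks the `GITHUB_TOKEN` is read-only regardless of the `permissions:` block, so the upload will fail there and the run will be reported as failed for a reason unrelated to any finding. Consider disabling the SARIF upload path for fork pull requests (zizmor-action has an input for this; check the pinned v0.5.0 README for its exact name) or gating it on `github.event.pull_request.head.repo.full_name == github.repository`, so the audit itself still blocks a PR while the upload only runs where it can succeed. Separately, with top-level `permissions: {}` the job's token carries no `contents: read`; I believe checkout still works on a public repository, but that assumption is worth recording next to `security-events: write`, e.g. `# contents: read would be needed here if the repository were private`.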