Add zizmor checks on CI. (#5161)

* Add zizmor checks on CI.

* Fix zizmor credentials warnings

* Add persist-credentials: false to action-cached-lfs-checkout too.

* Add empty permissions by default.

* Ignore pull_request_target failure and add a warning.
This commit is contained in:
Doug
2026-03-05 13:54:51 +00:00
committed by GitHub
parent 5e41016d5e
commit b1b0966cae
15 changed files with 100 additions and 24 deletions


@@ -5,7 +5,9 @@ on:
schedule: schedule:
- cron: '0 2 * * 1-5' - cron: '0 2 * * 1-5'
permissions: {}
jobs: jobs:
tests: tests:
name: Tests name: Tests
@@ -19,6 +21,8 @@ jobs:
steps: steps:
- uses: nschloe/action-cached-lfs-checkout@f46300cd8952454b9f0a21a3d133d4bd5684cfc2 #v1.2.3 - uses: nschloe/action-cached-lfs-checkout@f46300cd8952454b9f0a21a3d133d4bd5684cfc2 #v1.2.3
with:
persist-credentials: false
- name: Setup environment - name: Setup environment
run: source ci_scripts/ci_common.sh && setup_github_actions_environment run: source ci_scripts/ci_common.sh && setup_github_actions_environment
@@ -27,7 +31,7 @@ jobs:
run: swift run -q tools ci accessibility-tests run: swift run -q tools ci accessibility-tests
- name: Archive artifacts - name: Archive artifacts
uses: actions/upload-artifact@v7 uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: failure() if: failure()
with: with:
name: Results name: Results
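Review bot: `persist-credentials: false` only does anything here if `nschloe/action-cached-lfs-checkout` declares that input and forwards it to the inner `actions/checkout`; a composite action discards unknown inputs with nothing more than an "Unexpected input(s)" warning in the log, so the token could silently remain in `.git/config` for the later `swift run` steps. Worth checking the pinned f46300c `action.yml` once (the same applies to the other workflows in this commit that use this action), or switching to `actions/checkout` with `lfs: false` and handling the LFS cache in a separate step. The job-level `permissions:` for this job sits above the hunk, so whether it grants more than `contents: read` is not visible from here.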


@@ -7,6 +7,8 @@ on:
- cron: '0 3 * * 2' - cron: '0 3 * * 2'
workflow_dispatch: workflow_dispatch:
permissions: {}
# Bumps the year and month, resetting the patch. # Bumps the year and month, resetting the patch.
# Patch bumps are handled by the release script. # Patch bumps are handled by the release script.
jobs: jobs:
@@ -18,7 +20,9 @@ jobs:
if: github.repository == 'element-hq/element-x-ios' if: github.repository == 'element-hq/element-x-ios'
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v6 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Setup environment - name: Setup environment
run: run:
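Review bot: With `persist-credentials: false` the checkout no longer leaves a token in `.git/config`, so whichever later step commits and pushes the bumped version (outside this hunk) must receive its own credential, e.g. `token: ${{ secrets.ELEMENT_BOT_TOKEN }}` on a PR-creation action or `GITHUB_TOKEN: ${{ github.token }}` in the push step's `env:`; otherwise the scheduled run will fail at push time with a 403. Because the top level is now `permissions: {}`, also confirm the job itself declares `contents: write` (and `pull-requests: write` if it opens a PR) — the reset makes the default token read-only for every job that does not re-grant.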


@@ -1,7 +1,13 @@
name: Prevent blocked name: Prevent blocked
on: on:
pull_request_target: # Privilege escalation necessary to access PR context and set status checks
# 🚨 We must not execute any checked out code here, and be careful around use of user-controlled inputs.
pull_request_target: # zizmor: ignore[dangerous-triggers]
types: [opened, labeled, unlabeled, synchronize] types: [opened, labeled, unlabeled, synchronize]
permissions: {}
jobs: jobs:
prevent-blocked: prevent-blocked:
name: Prevent blocked name: Prevent blocked
@@ -10,7 +16,7 @@ jobs:
pull-requests: read pull-requests: read
steps: steps:
- name: Add notice - name: Add notice
uses: actions/github-script@v8 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
if: contains(github.event.pull_request.labels.*.name, 'X-Blocked') if: contains(github.event.pull_request.labels.*.name, 'X-Blocked')
with: with:
script: | script: |
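Review bot: The justification written on the `pull_request_target:` line is only partly accurate: a plain `pull_request` run also receives `github.event.pull_request.labels` and can fail the check via `core.setFailed` with a read-only token, so neither "PR context" nor "set status checks" by itself requires the privileged trigger. The reason it is presumably needed is that label changes on fork PRs must re-evaluate immediately without a maintainer approving the run; if that is the case, state it, e.g. `# pull_request_target so label changes on fork PRs are checked without approval; never check out or execute PR code here`. The suppression remains sound only while the job stays checkout-free, and the job-level `permissions:` block begins before this hunk, so confirm it grants nothing beyond the `pull-requests: read` visible here.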


@@ -16,6 +16,8 @@ on:
paths: paths:
- 'compound-ios/**' - 'compound-ios/**'
permissions: {}
jobs: jobs:
tests: tests:
@@ -30,6 +32,8 @@ jobs:
steps: steps:
- uses: nschloe/action-cached-lfs-checkout@f46300cd8952454b9f0a21a3d133d4bd5684cfc2 #v1.2.3 - uses: nschloe/action-cached-lfs-checkout@f46300cd8952454b9f0a21a3d133d4bd5684cfc2 #v1.2.3
with:
persist-credentials: false
- name: Configure Xcode 26 - name: Configure Xcode 26
run: sudo xcode-select -s /Applications/Xcode_26.1.1.app run: sudo xcode-select -s /Applications/Xcode_26.1.1.app
@@ -54,7 +58,7 @@ jobs:
run: zip -r Logs/CompoundTests.xcresult.zip Logs/CompoundTests.xcresult/ run: zip -r Logs/CompoundTests.xcresult.zip Logs/CompoundTests.xcresult/
- name: Archive artifacts - name: Archive artifacts
uses: actions/upload-artifact@v7 uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: failure() # We only care about artefacts if the tests fail if: failure() # We only care about artefacts if the tests fail
with: with:
name: test-results name: test-results


@@ -4,6 +4,8 @@ on:
pull_request: pull_request:
types: [ labeled, synchronize, opened, reopened ] types: [ labeled, synchronize, opened, reopened ]
permissions: {}
jobs: jobs:
build: build:
name: Danger name: Danger
@@ -16,7 +18,10 @@ jobs:
cancel-in-progress: true cancel-in-progress: true
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Danger - name: Danger
uses: danger/swift@434d7c25f3b02d490a340b23f5e78dd15a5670bc # 3.22.1 uses: danger/swift@434d7c25f3b02d490a340b23f5e78dd15a5670bc # 3.22.1
env: env:
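Review bot: Now that the top level is `permissions: {}`, the Danger job will only be able to post its review comment if its job-level `permissions:` (above this hunk) grants `pull-requests: write` (plus `checks: write` or `statuses: write` if it reports through checks); otherwise same-repo PRs get a 403 on the comment call. Fork PRs are unaffected by this commit since their token is read-only regardless. The `env:` block is cut off here — it is worth confirming it passes only `${{ github.token }}` and not a bot PAT, since `danger/swift` presumably executes the Dangerfile taken from the PR merge commit.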


@@ -6,6 +6,8 @@ on:
workflow_dispatch: workflow_dispatch:
permissions: {}
jobs: jobs:
integration_tests: integration_tests:
name: Integration Tests name: Integration Tests
@@ -18,7 +20,9 @@ jobs:
cancel-in-progress: false cancel-in-progress: false
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Setup environment - name: Setup environment
run: run:
@@ -32,7 +36,7 @@ jobs:
INTEGRATION_TESTS_PASSWORD: ${{ secrets.INTEGRATION_TESTS_PASSWORD }} INTEGRATION_TESTS_PASSWORD: ${{ secrets.INTEGRATION_TESTS_PASSWORD }}
- name: Archive artifacts - name: Archive artifacts
uses: actions/upload-artifact@v7 uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
# We only care about artefacts if the tests fail # We only care about artefacts if the tests fail
if: failure() if: failure()
with: with:


@@ -5,6 +5,8 @@ on:
tags: tags:
- 'release/**' - 'release/**'
permissions: {}
jobs: jobs:
post-release: post-release:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@@ -13,7 +15,7 @@ jobs:
steps: steps:
- name: Trigger pipeline - name: Trigger pipeline
uses: actions/github-script@v8 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with: with:
github-token: ${{ secrets.ENTERPRISE_ACTIONS_TOKEN }} github-token: ${{ secrets.ENTERPRISE_ACTIONS_TOKEN }}
script: | script: |
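Review bot: `ENTERPRISE_ACTIONS_TOKEN` is a PAT handed to `github-script` on every `release/**` tag push, so whoever can push such a tag can drive whatever that token reaches; if `release/**` tags are not already restricted by a tag ruleset, that is the missing control here rather than anything in the workflow YAML. The other jobs in this commit guard with `if: github.repository == 'element-hq/element-x-ios'`, and no such guard is visible on `post-release` (the lines between `runs-on` and `steps` are outside the hunk, so it may exist); in a fork the secret resolves to an empty string and the step would run with whatever `github-script` falls back to. Adding the same `if:` would make the intent explicit.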


@@ -4,13 +4,15 @@ on:
schedule: schedule:
- cron: "30 1 * * *" - cron: "30 1 * * *"
permissions: {}
jobs: jobs:
stale: stale:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
issues: write issues: write
steps: steps:
- uses: actions/stale@v10 - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
with: with:
only-labels: "X-Needs-Info" only-labels: "X-Needs-Info"
days-before-issue-stale: 30 days-before-issue-stale: 30


@@ -5,6 +5,8 @@ on:
- cron: '0 3 * * 1' - cron: '0 3 * * 1'
workflow_dispatch: workflow_dispatch:
permissions: {}
jobs: jobs:
open-translations-pr: open-translations-pr:
runs-on: macos-15 runs-on: macos-15
@@ -14,7 +16,9 @@ jobs:
if: github.repository == 'element-hq/element-x-ios' if: github.repository == 'element-hq/element-x-ios'
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v6 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Setup environment - name: Setup environment
run: run:
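Review bot: Same caveat as the version-bump workflow: after `persist-credentials: false` the working tree holds no credentials, so the step that pushes the translations branch and opens the PR (beyond this hunk) needs an explicit token, e.g. `token: ${{ secrets.ELEMENT_BOT_TOKEN }}` on the PR action or a `GITHUB_TOKEN` in the push step's `env:`, and the job must declare `contents: write` and `pull-requests: write` now that the top level is `permissions: {}`. If a bot PAT is used there it also means the resulting PR triggers the test workflows, which a PR created with `GITHUB_TOKEN` does not.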


@@ -4,13 +4,15 @@ on:
issues: issues:
types: [opened] types: [opened]
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
add_to_triage: add_to_triage:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: > if: >
github.repository == 'element-hq/element-x-ios' github.repository == 'element-hq/element-x-ios'
steps: steps:
- uses: actions/add-to-project@main - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
with: with:
project-url: https://github.com/orgs/element-hq/projects/81 project-url: https://github.com/orgs/element-hq/projects/81
github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
@@ -22,7 +24,7 @@ jobs:
if: > if: >
github.repository == 'element-hq/element-x-ios' github.repository == 'element-hq/element-x-ios'
steps: steps:
- uses: actions/add-to-project@main - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
with: with:
project-url: https://github.com/orgs/element-hq/projects/43 project-url: https://github.com/orgs/element-hq/projects/43
github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}


@@ -4,6 +4,8 @@ on:
issues: issues:
types: [labeled] types: [labeled]
permissions: {} # We use ELEMENT_BOT_TOKEN instead
jobs: jobs:
ex_plorers: ex_plorers:
name: Add labelled issues to X-Plorer project name: Add labelled issues to X-Plorer project
@@ -11,7 +13,7 @@ jobs:
if: > if: >
contains(github.event.issue.labels.*.name, 'Team: Element X Feature') contains(github.event.issue.labels.*.name, 'Team: Element X Feature')
steps: steps:
- uses: actions/add-to-project@main - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
with: with:
project-url: https://github.com/orgs/element-hq/projects/73 project-url: https://github.com/orgs/element-hq/projects/73
github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
@@ -22,7 +24,7 @@ jobs:
if: > if: >
contains(github.event.issue.labels.*.name, 'Team: Verticals Feature') contains(github.event.issue.labels.*.name, 'Team: Verticals Feature')
steps: steps:
- uses: actions/add-to-project@main - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
with: with:
project-url: https://github.com/orgs/element-hq/projects/57 project-url: https://github.com/orgs/element-hq/projects/57
github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
@@ -33,7 +35,7 @@ jobs:
if: > if: >
contains(github.event.issue.labels.*.name, 'Team: Element X Platform') contains(github.event.issue.labels.*.name, 'Team: Element X Platform')
steps: steps:
- uses: actions/add-to-project@main - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
with: with:
project-url: https://github.com/orgs/element-hq/projects/43 project-url: https://github.com/orgs/element-hq/projects/43
github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
@@ -45,7 +47,7 @@ jobs:
contains(github.event.issue.labels.*.name, 'Team: QA') || contains(github.event.issue.labels.*.name, 'Team: QA') ||
contains(github.event.issue.labels.*.name, 'X-Needs-Signoff') contains(github.event.issue.labels.*.name, 'X-Needs-Signoff')
steps: steps:
- uses: actions/add-to-project@main - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
with: with:
project-url: https://github.com/orgs/element-hq/projects/69 project-url: https://github.com/orgs/element-hq/projects/69
github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
@@ -56,7 +58,7 @@ jobs:
if: > if: >
contains(github.event.issue.labels.*.name, 'X-Needs-Signoff') contains(github.event.issue.labels.*.name, 'X-Needs-Signoff')
steps: steps:
- uses: actions/add-to-project@main - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
with: with:
project-url: https://github.com/orgs/element-hq/projects/89 project-url: https://github.com/orgs/element-hq/projects/89
github-token: ${{ secrets.ELEMENT_BOT_TOKEN }} github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}


@@ -10,6 +10,8 @@ on:
schedule: schedule:
- cron: '0 2 * * 1-5' - cron: '0 2 * * 1-5'
permissions: {}
jobs: jobs:
tests: tests:
name: Tests name: Tests
@@ -27,6 +29,8 @@ jobs:
steps: steps:
- uses: nschloe/action-cached-lfs-checkout@f46300cd8952454b9f0a21a3d133d4bd5684cfc2 #v1.2.3 - uses: nschloe/action-cached-lfs-checkout@f46300cd8952454b9f0a21a3d133d4bd5684cfc2 #v1.2.3
with:
persist-credentials: false
- name: Setup environment - name: Setup environment
run: source ci_scripts/ci_common.sh && setup_github_actions_environment run: source ci_scripts/ci_common.sh && setup_github_actions_environment
@@ -34,13 +38,15 @@ jobs:
- name: Run tests - name: Run tests
run: | run: |
args=(--device-type "${{ matrix.device }}") args=(--device-type "${{ matrix.device }}")
if [[ -n "${{ github.event.inputs.test_name }}" ]]; then if [[ -n "${GITHUB_EVENT_INPUTS_TEST_NAME}" ]]; then
args+=( --test-name "${{ github.event.inputs.test_name }}") args+=( --test-name "${GITHUB_EVENT_INPUTS_TEST_NAME}")
fi fi
swift run -q tools ci ui-tests "${args[@]}" swift run -q tools ci ui-tests "${args[@]}"
env:
GITHUB_EVENT_INPUTS_TEST_NAME: ${{ github.event.inputs.test_name }}
- name: Archive artifacts - name: Archive artifacts
uses: actions/upload-artifact@v7 uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
# We only care about artefacts if the tests fail # We only care about artefacts if the tests fail
if: failure() if: failure()
with: with:
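Review bot: Moving `github.event.inputs.test_name` into `env:` closes the template-injection path, but `${{ matrix.device }}` on the `args=(...)` line is still expanded directly into the script text; the matrix is defined in this workflow file so it is not attacker-controlled today, yet it is the same pattern and becomes a real injection the moment the matrix is ever computed from a prior job's output. For consistency treat it the same way: `DEVICE: ${{ matrix.device }}` under `env:` and `args=(--device-type "${DEVICE}")`. Note that `workflow_dispatch` inputs can only be supplied by users with write access, so the original finding was low-risk, which is worth recording in the commit message for future triage.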


@@ -8,6 +8,8 @@ on:
pull_request: pull_request:
permissions: {}
jobs: jobs:
tests: tests:
name: Tests name: Tests
@@ -21,6 +23,8 @@ jobs:
steps: steps:
- uses: nschloe/action-cached-lfs-checkout@f46300cd8952454b9f0a21a3d133d4bd5684cfc2 #v1.2.3 - uses: nschloe/action-cached-lfs-checkout@f46300cd8952454b9f0a21a3d133d4bd5684cfc2 #v1.2.3
with:
persist-credentials: false
- name: Setup environment - name: Setup environment
run: source ci_scripts/ci_common.sh && setup_github_actions_environment run: source ci_scripts/ci_common.sh && setup_github_actions_environment
@@ -29,7 +33,7 @@ jobs:
run: swift run -q tools ci unit-tests run: swift run -q tools ci unit-tests
- name: Archive artifacts - name: Archive artifacts
uses: actions/upload-artifact@v7 uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
# We only care about artefacts if the tests fail # We only care about artefacts if the tests fail
if: failure() if: failure()
with: with:


@@ -8,6 +8,8 @@ on:
pull_request: pull_request:
permissions: {}
jobs: jobs:
tests: tests:
name: Tests (Enterprise) name: Tests (Enterprise)
@@ -27,6 +29,7 @@ jobs:
with: with:
submodules: recursive submodules: recursive
token: ${{ secrets.ELEMENT_BOT_TOKEN }} token: ${{ secrets.ELEMENT_BOT_TOKEN }}
persist-credentials: false
- name: Setup environment - name: Setup environment
run: source ci_scripts/ci_common.sh && setup_github_actions_environment run: source ci_scripts/ci_common.sh && setup_github_actions_environment
@@ -38,7 +41,7 @@ jobs:
run: swift run -q tools ci unit-tests --skip-previews run: swift run -q tools ci unit-tests --skip-previews
- name: Archive artifacts - name: Archive artifacts
uses: actions/upload-artifact@v7 uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
# We only care about artefacts if the tests fail # We only care about artefacts if the tests fail
if: failure() if: failure()
with: with:
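Review bot: `persist-credentials: false` on a checkout that passes `token: ${{ secrets.ELEMENT_BOT_TOKEN }}` with `submodules: recursive` is the meaningful hardening in this file — the bot PAT is no longer left in `.git/config` or the submodule configs where the later `swift run` steps could read it — but any later step that re-runs `git submodule update` or fetches from the private submodules will now need the token passed explicitly. On fork PRs the secret is empty, so this job can only succeed for same-repo PRs; if that is intended, a guard such as `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` would make it explicit instead of failing inside the checkout step.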

24
.github/workflows/zizmor.yml vendored Normal file

@@ -0,0 +1,24 @@
name: GitHub Actions Security Analysis with zizmor 🌈
on:
push:
branches: ["main"]
pull_request:
branches: ["**"]
permissions: {}
jobs:
zizmor:
name: Run zizmor 🌈
runs-on: ubuntu-latest
permissions:
security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Run zizmor 🌈
uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
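Review bot: `security-events: write` is granted for `pull_request` runs as well, but on a PR from a fork the token is read-only, so the SARIF upload that `zizmor-action` performs by default will fail there even though the audit itself ran and its findings are in the log. If fork PRs are expected, either accept that or disable the upload for them via the action's `advanced-security` input (if the pinned version exposes it) gated on `github.event.pull_request.head.repo.full_name == github.repository`, with a job-level `if:` as the fallback. Checkout works without `contents: read` only because the repository is public; if a private mirror ever runs this workflow the job will need `contents: read` added, so a comment to that effect next to the `permissions:` block would save someone a debugging session.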