Tighten GITHUB_TOKEN permissions (#4538)

t3chguy · web-flow · commit c87692d0aa3b · 2024-11-21T14:01:45.000Z
* Tighten GITHUB_TOKEN permissions

Signed-off-by: Michael Telatynski &lt;7t3chguy@gmail.com&gt;

* Tighten GITHUB_TOKEN permissions

Signed-off-by: Michael Telatynski &lt;7t3chguy@gmail.com&gt;

* Iterate

Signed-off-by: Michael Telatynski &lt;7t3chguy@gmail.com&gt;

* Fix permission

Signed-off-by: Michael Telatynski &lt;7t3chguy@gmail.com&gt;

---------

Signed-off-by: Michael Telatynski &lt;7t3chguy@gmail.com&gt;
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
@@ -7,6 +7,8 @@ on:
         branches:
             - develop
 
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+
 jobs:
     backport:
         name: Backport
diff --git a/.github/workflows/docs-pr-netlify.yaml b/.github/workflows/docs-pr-netlify.yaml
@@ -5,16 +5,17 @@ on:
         workflows: ["Static Analysis"]
         types:
             - completed
-
+permissions: {}
 jobs:
     netlify:
         if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request'
         runs-on: ubuntu-24.04
+        permissions:
+            actions: read
         steps:
             - name: 📥 Download artifact
               uses: actions/download-artifact@v4
               with:
-                  github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
                   run-id: ${{ github.event.workflow_run.id }}
                   name: docs
                   path: docs
diff --git a/.github/workflows/downstream-end-to-end-tests.yml b/.github/workflows/downstream-end-to-end-tests.yml
@@ -13,7 +13,7 @@ on:
     #
     #push:
     #    branches: [develop, master]
-
+permissions: {} # No permissions required
 concurrency:
     group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.run_id }}
     cancel-in-progress: ${{ github.event.workflow_run.event == 'pull_request' }}
diff --git a/.github/workflows/notify-downstream.yaml b/.github/workflows/notify-downstream.yaml
@@ -3,6 +3,7 @@ on:
     push:
         branches: [develop]
 concurrency: ${{ github.workflow }}-${{ github.ref }}
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
     notify-downstream:
         # Only respect triggers from our develop branch, ignore that of forks
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
@@ -9,6 +9,7 @@ on:
             ELEMENT_BOT_TOKEN:
                 required: true
 concurrency: ${{ github.workflow }}-${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
     changelog:
         name: Preview Changelog
diff --git a/.github/workflows/release-drafter-workflow.yml b/.github/workflows/release-drafter-workflow.yml
@@ -8,9 +8,12 @@ on:
                 type: string
                 required: false
 concurrency: release-drafter-action
+permissions: {}
 jobs:
     draft:
         runs-on: ubuntu-24.04
+        permissions:
+            contents: write
         steps:
             - name: 🧮 Checkout code
               uses: actions/checkout@v4
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -8,6 +8,9 @@ on:
         branches: [staging]
     workflow_dispatch: {}
 concurrency: ${{ github.workflow }}
+permissions: {}
 jobs:
     draft:
+        permissions:
+            contents: write
         uses: matrix-org/matrix-js-sdk/.github/workflows/release-drafter-workflow.yml@develop
diff --git a/.github/workflows/release-gitflow.yml b/.github/workflows/release-gitflow.yml
@@ -13,12 +13,14 @@ on:
                 type: string
                 required: false
 concurrency: ${{ github.workflow }}
+permissions: {} # Uses ELEMENT_BOT_TOKEN
 jobs:
     merge:
         runs-on: ubuntu-24.04
         steps:
             - uses: actions/checkout@v4
               with:
+                  # We will be pushing to this branch and want the CI to run after we do so we cannot use the GITHUB_TOKEN
                   token: ${{ secrets.ELEMENT_BOT_TOKEN }}
                   fetch-depth: 0
 
diff --git a/.github/workflows/release-make.yml b/.github/workflows/release-make.yml
@@ -38,11 +38,14 @@ on:
                 description: The number of expected assets, including signatures, excluding generated zip & tarball.
                 type: number
                 required: false
+permissions: {}
 jobs:
     release:
         name: Release
         runs-on: ubuntu-24.04
         environment: Release
+        permissions:
+            contents: write
         steps:
             - name: Load GPG key
               id: gpg
@@ -65,6 +68,7 @@ jobs:
             - uses: actions/checkout@v4
               with:
                   ref: staging
+                  # We will be pushing to this branch and want the CI to run after we do so we cannot use the GITHUB_TOKEN
                   token: ${{ secrets.ELEMENT_BOT_TOKEN }}
                   fetch-depth: 0
 
@@ -274,6 +278,8 @@ jobs:
         name: Post release steps
         needs: release
         runs-on: ubuntu-24.04
+        permissions:
+            issues: write
         steps:
             - id: repository
               run: echo "REPO=${GITHUB_REPOSITORY#*/}" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/release-npm.yml b/.github/workflows/release-npm.yml
@@ -8,6 +8,7 @@ on:
             id:
                 description: "The npm package@version string we published"
                 value: ${{ jobs.npm.outputs.id }}
+permissions: {} # No permissions required
 jobs:
     npm:
         name: Publish to npm
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -21,6 +21,7 @@ on:
                 type: boolean
                 default: true
 concurrency: ${{ github.workflow }}
+permissions: {} # No permissions required
 jobs:
     release:
         uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
@@ -5,19 +5,25 @@ on:
         secrets:
             SONAR_TOKEN:
                 required: true
+            # No longer used
             ELEMENT_BOT_TOKEN:
-                required: true
+                required: false
         inputs:
             sharded:
                 type: boolean
                 required: false
                 description: "Whether to combine multiple LCOV and jest-sonar-report files in coverage artifact"
+permissions: {}
 jobs:
     sonarqube:
         runs-on: ubuntu-24.04
         if: |
             github.event.workflow_run.conclusion == 'success' &&
             github.event.workflow_run.event != 'merge_group'
+        permissions:
+            actions: read
+            statuses: write
+            id-token: write # sonar
         steps:
             # We create the status here and then update it to success/failure in the `report` stage
             # This provides an easy link to this workflow_run from the PR before Sonarcloud is done.
@@ -40,15 +46,13 @@ jobs:
               uses: actions/download-artifact@v4
               if: ${{ !inputs.sharded }}
               with:
-                  github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
                   run-id: ${{ github.event.workflow_run.id }}
                   name: coverage
                   path: coverage
             - name: 📥 Download sharded artifacts
               uses: actions/download-artifact@v4
               if: inputs.sharded
               with:
-                  github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
                   run-id: ${{ github.event.workflow_run.id }}
                   pattern: coverage-*
                   path: coverage
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
@@ -7,10 +7,15 @@ on:
 concurrency:
     group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch }}
     cancel-in-progress: true
+permissions: {}
 jobs:
     sonarqube:
         name: 🩻 SonarQube
         if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event != 'merge_group'
+        permissions:
+            actions: read
+            statuses: write
+            id-token: write # sonar
         uses: matrix-org/matrix-js-sdk/.github/workflows/sonarcloud.yml@develop
         secrets:
             SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/static_analysis.yml b/.github/workflows/static_analysis.yml
@@ -8,6 +8,7 @@ on:
 concurrency:
     group: ${{ github.workflow }}-${{ github.ref }}
     cancel-in-progress: true
+permissions: {} # No permissions needed
 jobs:
     ts_lint:
         name: "Typescript Syntax Check"
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
@@ -8,6 +8,7 @@ on:
             - develop
         paths:
             - .github/labels.yml
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
     sync-labels:
         uses: element-hq/element-meta/.github/workflows/sync-labels.yml@develop
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -10,6 +10,7 @@ concurrency:
     cancel-in-progress: true
 env:
     ENABLE_COVERAGE: ${{ github.event_name != 'merge_group' }}
+permissions: {} # No permissions required
 jobs:
     jest:
         name: "Jest [${{ matrix.specs }}] (Node ${{ matrix.node == '*' && 'latest' || matrix.node }})"
@@ -77,13 +78,16 @@ jobs:
         name: Downstream test element-web
         if: github.event_name == 'merge_group'
         uses: element-hq/element-web/.github/workflows/tests.yml@develop
+        permissions:
+            statuses: write
         with:
             disable_coverage: true
             matrix-js-sdk-sha: ${{ github.sha }}
 
     complement-crypto:
         name: "Run Complement Crypto tests"
         if: github.event_name == 'merge_group'
+        permissions: read-all
         uses: matrix-org/complement-crypto/.github/workflows/single_sdk_tests.yml@main
         with:
             use_js_sdk: "."
@@ -107,6 +111,8 @@ jobs:
         if: always()
         needs:
             - element-web
+        permissions:
+            statuses: write
         steps:
             - name: Skip SonarCloud on merge queues
               if: env.ENABLE_COVERAGE == 'false'
diff --git a/.github/workflows/triage-incoming.yml b/.github/workflows/triage-incoming.yml
@@ -3,7 +3,7 @@ name: Move new issues into Issue triage board
 on:
     issues:
         types: [opened]
-
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
     automate-project-columns-next:
         runs-on: ubuntu-24.04
diff --git a/.github/workflows/triage-labelled.yml b/.github/workflows/triage-labelled.yml
@@ -3,7 +3,7 @@ name: Move labelled issues to correct projects
 on:
     issues:
         types: [labeled]
-
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
     call-triage-labelled:
         uses: element-hq/element-web/.github/workflows/triage-labelled.yml@develop

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ on:`
`13`	`13`	`#`
`14`	`14`	`#push:`
`15`	`15`	`# branches: [develop, master]`
`16`		`-`
	`16`	`+permissions: {} # No permissions required`
`17`	`17`	`concurrency:`
`18`	`18`	`group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch \|\| github.run_id }}`
`19`	`19`	`cancel-in-progress: ${{ github.event.workflow_run.event == 'pull_request' }}`