diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c2f9f2d0..e8990146 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -6,16 +6,24 @@ on: pull_request: workflow_dispatch: +permissions: {} + jobs: check-signoff: if: "github.event_name == 'pull_request'" - uses: "matrix-org/backend-meta/.github/workflows/sign-off.yml@v2" + permissions: + pull-requests: read + uses: matrix-org/backend-meta/.github/workflows/sign-off.yml@18beaf3c8e536108bd04d18e6c3dc40ba3931e28 # v2 complement-internal: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v6.0.3 # Checkout complement - - uses: actions/setup-go@v6.5.0 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version-file: go.mod - name: "Run internal Complement tests" @@ -35,6 +43,8 @@ jobs: complement: name: Complement (${{ matrix.homeserver }}) runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false # ensure if synapse fails we keep running dendrite and vice-versa matrix: @@ -54,9 +64,11 @@ jobs: timeout: 10m steps: - - uses: actions/checkout@v6.0.3 # Checkout complement + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - - uses: actions/setup-go@v6.5.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version-file: go.mod @@ -66,7 +78,7 @@ jobs: # servers which listen on random high numbered ports. - name: "Install Complement Dependencies" run: | - go install -v github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest + go install -v github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@v2.5.0 mkdir .gotestfmt/github -p cp .ci/complement_package.gotpl .gotestfmt/github/package.gotpl gotestfmt -help diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml new file mode 100644 index 00000000..c28b744f --- /dev/null +++ b/.github/workflows/zizmor.yaml @@ -0,0 +1,24 @@ +# Taken from https://github.com/zizmorcore/zizmor-action/blob/f72bf176f67e8007f87b16d80f9880ece648aa65/README.md +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + zizmor: + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7