From 86f3ec0d305fa4b46319c65de5d056589f52f480 Mon Sep 17 00:00:00 2001 From: Skye Elliot Date: Mon, 9 Mar 2026 12:57:15 +0000 Subject: [PATCH 1/7] ci: Pin action versions to commit SHAs --- .github/workflows/single_sdk_tests.yml | 12 +++++++----- .github/workflows/tests.yaml | 16 +++++++++------- 2 files changed, 16 insertions(+), 12 deletions(-) diff --git a/.github/workflows/single_sdk_tests.yml b/.github/workflows/single_sdk_tests.yml index 14efe67..fc310ad 100644 --- a/.github/workflows/single_sdk_tests.yml +++ b/.github/workflows/single_sdk_tests.yml @@ -32,7 +32,9 @@ jobs: # At this stage we don't know which repo we have just checked out. We will reference this repo # if the workflow uses '.' - name: Checkout repo - uses: actions/checkout@v3 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Resolve branches shell: bash # these env vars will be modified and used in subsequent steps @@ -104,18 +106,18 @@ jobs: docker pull mitmproxy/mitmproxy:10.1.5 docker tag ghcr.io/matrix-org/synapse-service:v1.117.0 homeserver:latest - name: Setup | Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version: "1.25" - name: "Install Complement Dependencies" shell: bash run: | - go install -v github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest + go install -v github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@4c97682ab858d6bbd26fc020e255cb339c9c8119 # v2.5.0 # JS SDK only steps - name: Setup | Node.js LTS if: ${{ inputs.use_js_sdk != '' }} - uses: actions/setup-node@v3 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: "lts/*" - name: "Install JS SDK" 
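Review bot: The added `persist-credentials: false` under the "Checkout repo" step is the right default, but the comment directly above it says the workflow does not yet know which repository it has checked out, and the following "Resolve branches" step sets env vars that later steps consume; if any later step of this reusable workflow runs git network commands against that checkout (fetch, push, ls-remote), it will no longer have the token, so that is worth confirming before merging. A one-line comment on the new line would spare the next reader the same question, e.g. `persist-credentials: false  # later steps only read the checkout; no authenticated git operations`, adjusted to whatever the confirmation shows. Separately, this commit's other hunks (@@ -104,18 here, @@ -182,7 and @@ -29,17 further on) move several actions across major versions in the same change (`actions/setup-node@v3` → v6.3.0, `actions/checkout@v3` → v6.0.2, `actions/upload-artifact@v4` → v7.0.0), which is more than the "pin" in the subject suggests; a sentence in the commit description noting any runner requirements those majors bring would help whoever bisects a CI break later.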
@@ -182,7 +184,7 @@ jobs: RUST_SDK_LIB_RELATIVE: ${{ inputs.use_rust_sdk == '.' && '/target/debug' || '/complement-crypto/rust-sdk/target/debug'}} - name: Upload logs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 if: ${{ failure() }} with: name: Logs - ${{ inputs.use_js_sdk != '' && 'jssdk' || 'rust'}} diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 42230f3..b0ab9e3 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -9,7 +9,7 @@ on: jobs: check-signoff: if: "github.event_name == 'pull_request'" - uses: "matrix-org/backend-meta/.github/workflows/sign-off.yml@v2" + uses: matrix-org/backend-meta/.github/workflows/sign-off.yml@18beaf3c8e536108bd04d18e6c3dc40ba3931e28 # v2 js-latest-main: name: Tests (JS only, latest) @@ -29,17 +29,19 @@ jobs: name: Tests runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v3 # Checkout crypto tests + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false # Install Node, Go and Rust, along with gotestfmt - name: Setup | Node.js LTS - uses: actions/setup-node@v3 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: "lts/*" cache: 'yarn' cache-dependency-path: "internal/api/js/js-sdk/yarn.lock" - name: Setup | Go - uses: actions/setup-go@v4 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version: '1.21' - name: Setup | Rust 
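Review bot: The trailing comment on the pinned reusable workflow in the @@ -9,7 hunk, `# v2`, names a floating major tag rather than the exact release the SHA `18beaf3c…` corresponds to, unlike every other pin in this commit (`# v6.0.2`, `# v2.8.2`, …). Tools that audit SHA pins and automated bumpers use that comment to map the SHA back to a version, so a floating label makes the pin hard to verify and to update; I would change it to the exact tag, `uses: matrix-org/backend-meta/.github/workflows/sign-off.yml@18beaf3c8e536108bd04d18e6c3dc40ba3931e28 # <exact tag at this SHA>`, with the placeholder replaced by the tag that resolves to this commit. If `backend-meta` only publishes a moving `v2` tag, say so in the comment instead so nobody "corrects" it later.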
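Review bot: The replacement checkout line in the @@ -29,17 hunk drops the step's only description: the removed line was `- uses: actions/checkout@v3 # Checkout crypto tests`, and the new line carries only the version comment, so this step is now an unnamed checkout in a job where most other steps have `name:` entries and which also contains a "Checkout matrix-rust-sdk" step it should be distinguishable from in logs. I would restore it as a proper step name, `- name: Checkout crypto tests` followed by `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`, keeping the `with: persist-credentials: false` block as added. The enclosing `steps:` list continues beyond the hunk.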
@@ -53,12 +55,12 @@ jobs: wget -O archive.tar.gz "https://github.com/matrix-org/matrix-rust-sdk/archive/$BRANCH.tar.gz" zcat < archive.tar.gz | git get-tar-commit-id # useful for debugging tar -xz --strip-components=1 -C rust-sdk < archive.tar.gz - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2 with: workspaces: "rust-sdk" - name: "Install Complement Dependencies" run: | - go install -v github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest + go install -v github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@4c97682ab858d6bbd26fc020e255cb339c9c8119 # v2.5.0 # Install whatever version of the JS SDK is in package.json - name: Build JS SDK @@ -161,7 +163,7 @@ jobs: DOCKER_BUILDKIT: 1 - name: Upload logs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 if: ${{ always() }} # do this even if the tests fail with: name: Logs - ${{ job.status }} From c8ce078659ddca54b52ed8f0f73d69917a9fedcc Mon Sep 17 00:00:00 2001 From: Skye Elliot Date: Mon, 9 Mar 2026 12:58:16 +0000 Subject: [PATCH 2/7] ci: Use runner-provided `rustup` over external action --- .github/workflows/single_sdk_tests.yml | 6 +++--- .github/workflows/tests.yaml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/single_sdk_tests.yml b/.github/workflows/single_sdk_tests.yml index fc310ad..672053b 100644 --- a/.github/workflows/single_sdk_tests.yml +++ b/.github/workflows/single_sdk_tests.yml @@ -130,9 +130,9 @@ jobs: # which we then pass to rebuild_rust_sdk.sh - name: Setup | Rust if: ${{ inputs.use_rust_sdk != '' }} - uses: dtolnay/rust-toolchain@stable - with: - toolchain: stable + run: | + rustup toolchain install stable + rustup default stable - name: "Download Rust SDK" # no need to download rust SDK if we are using the local checkout. if: ${{ inputs.use_rust_sdk != '' && inputs.use_rust_sdk != '.'}} run: | 
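Review bot: The new `run:` step under "Setup | Rust" in the @@ -130,9 hunk of `single_sdk_tests.yml` has no `shell:` key, while the neighbouring steps in this file set `shell: bash` explicitly ("Resolve branches" and "Install Complement Dependencies" in the earlier hunks); since this is a `workflow_call` workflow that callers may run on different runner images, keeping the explicit shell is consistent and avoids a different default shell and error-handling mode being applied to the `rustup` lines. I would add `shell: bash` between the `if:` and `run:` lines. The matching @@ -45,9 hunk in `tests.yaml` in this commit makes the same replacement, though there the surrounding steps do not set `shell:` either, so it is a judgment call. One caveat to confirm rather than assume: the removed `dtolnay/rust-toolchain` action also exported some cargo/rust environment defaults for later steps (as I recall, things like `CARGO_INCREMENTAL` and a `RUSTFLAGS` default), which two bare `rustup` commands do not, so check that the rebuild script and the tests did not depend on them.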
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index b0ab9e3..6c1d0dd 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -45,9 +45,9 @@ jobs: with: go-version: '1.21' - name: Setup | Rust - uses: dtolnay/rust-toolchain@stable - with: - toolchain: stable + run: | + rustup toolchain install stable + rustup default stable - name: Checkout matrix-rust-sdk run: | BRANCH=$(./.github/workflows/resolve_branch.sh matrix-org/matrix-rust-sdk) From c375298cf5e1dbd5c4ea1447dd80394a6a397ba3 Mon Sep 17 00:00:00 2001 From: Skye Elliot Date: Mon, 9 Mar 2026 12:58:48 +0000 Subject: [PATCH 3/7] ci: Configure granular workflow permissions --- .github/workflows/single_sdk_tests.yml | 6 +++++- .github/workflows/tests.yaml | 4 ++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/single_sdk_tests.yml b/.github/workflows/single_sdk_tests.yml index 672053b..3ba6da2 100644 --- a/.github/workflows/single_sdk_tests.yml +++ b/.github/workflows/single_sdk_tests.yml @@ -4,7 +4,11 @@ # in the input. It runs single SDK only tests (e.g all JS clients _or_ all Rust clients, not a mixture). name: "Complement Crypto" run-name: "Running Complement-Crypto" -permissions: read-all + +permissions: + contents: read + actions: read + on: workflow_call: inputs: diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 6c1d0dd..67d227d 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -1,5 +1,9 @@ name: Tests +permissions: + contents: read + actions: read + on: push: branches: [ 'main' ] From 5c193f3fd6f59abeebdd586118a7ae9c918168ca Mon Sep 17 00:00:00 2001 From: Skye Elliot Date: Mon, 9 Mar 2026 12:59:06 +0000 Subject: [PATCH 4/7] ci: Add zizmor workflow --- .github/workflows/zizmor.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/workflows/zizmor.yml 
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..87d22ba --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,25 @@ +name: Analyse workflows with zizmor + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + zizmor: + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 From 8bb199ceed75c7ba1045642d96dfcf2c2bfcce17 Mon Sep 17 00:00:00 2001 From: Skye Elliot Date: Mon, 9 Mar 2026 12:59:46 +0000 Subject: [PATCH 5/7] ci: Format workflows --- .github/workflows/tests.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 67d227d..8331725 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -6,7 +6,7 @@ permissions: on: push: - branches: [ 'main' ] + branches: ["main"] pull_request: workflow_dispatch: @@ -19,15 +19,15 @@ jobs: name: Tests (JS only, latest) uses: ./.github/workflows/single_sdk_tests.yml with: - use_js_sdk: 'MATCHING_BRANCH' - use_complement_crypto: '.' + use_js_sdk: "MATCHING_BRANCH" + use_complement_crypto: "." rust-latest-main: name: Tests (Rust only, latest) uses: ./.github/workflows/single_sdk_tests.yml with: - use_rust_sdk: 'MATCHING_BRANCH' - use_complement_crypto: '.' + use_rust_sdk: "MATCHING_BRANCH" + use_complement_crypto: "." complement: name: Tests 
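Review bot: The `zizmor` job requests `security-events: write` and runs on `pull_request` for every branch, but pull requests from forks receive a read-only `GITHUB_TOKEN` by default regardless of the `permissions:` block, so if the action uploads its SARIF to code scanning (its default mode, as far as I know) those runs will fail at the upload step rather than on a finding. Either keep the upload for `push` only, or disable the code-scanning upload for fork PRs and rely on the action's own exit status; the action exposes an input for this (`advanced-security`, as I recall — verify against its README before relying on it). A smaller point: the job uses `runs-on: ubuntu-latest` while `tests.yaml` in the same repository pins `ubuntu-22.04`, and a short comment on the top-level `permissions: {}` (`# job-level permissions below grant only what the SARIF upload needs`) would make the two-level setup self-explanatory.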
@@ -42,12 +42,12 @@ jobs: uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: "lts/*" - cache: 'yarn' + cache: "yarn" cache-dependency-path: "internal/api/js/js-sdk/yarn.lock" - name: Setup | Go uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: - go-version: '1.21' + go-version: "1.21" - name: Setup | Rust run: | rustup toolchain install stable @@ -172,5 +172,5 @@ jobs: with: name: Logs - ${{ job.status }} path: | - ./**/logs/* - ./**/mitm.dump + ./**/logs/* + ./**/mitm.dump From 68e22ea197b3628c6aeba8a1d7401fbb6a505896 Mon Sep 17 00:00:00 2001 From: Skye Elliot Date: Mon, 9 Mar 2026 12:59:59 +0000 Subject: [PATCH 6/7] ci: Correct go version in `tests.yaml` --- .github/workflows/tests.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 8331725..d740954 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -47,7 +47,7 @@ jobs: - name: Setup | Go uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: - go-version: "1.21" + go-version: "1.25" - name: Setup | Rust run: | rustup toolchain install stable From 0695c105cfbda7f1057873888a5d39b58ac5887d Mon Sep 17 00:00:00 2001 From: Skye Elliot Date: Mon, 9 Mar 2026 16:39:58 +0000 Subject: [PATCH 7/7] ci: Remove explicit permissions since repo is public --- .github/workflows/single_sdk_tests.yml | 4 +- .github/workflows/tests.yaml | 68 +++++++++++++------------- 2 files changed, 34 insertions(+), 38 deletions(-) diff --git a/.github/workflows/single_sdk_tests.yml b/.github/workflows/single_sdk_tests.yml index 3ba6da2..6b2459b 100644 --- a/.github/workflows/single_sdk_tests.yml +++ b/.github/workflows/single_sdk_tests.yml @@ -5,9 +5,7 @@ name: "Complement Crypto" run-name: "Running Complement-Crypto" -permissions: - contents: read - actions: read +permissions: {} on: workflow_call: 
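Review bot: `permissions: {}` in the @@ -5,9 hunk of `single_sdk_tests.yml` now removes every token scope from this workflow, and the reason it still works ("since repo is public", per the subject) lives only in the commit message; a reader of the file cannot tell whether the empty block is a deliberate least-privilege choice or an oversight. I would put the justification next to the key, e.g. `permissions: {}  # no GITHUB_TOKEN scopes needed: the repo is public, checkouts use persist-credentials: false, and upstream sources are downloaded as archives`, and note in it that `contents: read` must come back if the repository is ever made private. The same applies to the @@ -1,8 hunk in `tests.yaml` in this commit. One thing to confirm rather than assume is that the "Upload logs" artifact step needs no scope in this configuration; it ran under the earlier `read-all`, so the first run after this change is worth watching.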
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index d740954..8d3dc4f 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -1,8 +1,6 @@ name: Tests -permissions: - contents: read - actions: read +permissions: {} on: push: 
@@ -87,38 +85,38 @@ jobs: docker tag ghcr.io/matrix-org/synapse-service:v1.117.0 homeserver:latest # Build homeserver image, honouring branch names - #- name: "Checkout corresponding Synapse branch" - #shell: bash - #run: | - #mkdir -p homeserver -# - ## Attempt to use the version of the homeserver which best matches the - ## current build. - ## - ## 1. If we are not on complement's default branch, check if there's a - ## similarly named branch (GITHUB_HEAD_REF for pull requests, - ## otherwise GITHUB_REF). - ## 2. otherwise, use the default homeserver branch ("HEAD") -# - #for BRANCH_NAME in "$GITHUB_HEAD_REF" "${GITHUB_REF#refs/heads/}" "HEAD"; do - ## Skip empty branch names, merge commits, and our default branch. - ## (If we are on complement's default branch, we want to fall through to the HS's default branch - ## rather than using the HS's 'master'/'main'). - #case "$BRANCH_NAME" in - #"" | refs/pull/* | main | master) - #continue - #;; - #esac - #(wget -O - "https://github.com/matrix-org/synapse/archive/$BRANCH_NAME.tar.gz" | tar -xz --strip-components=1 -C homeserver) && break - #done - ## Build the base Synapse dockerfile and then build a Complement-specific image from that base. - #- run: | - #docker build -t matrixdotorg/synapse:latest -f docker/Dockerfile . - #docker build -t matrixdotorg/synapse-workers:latest -f docker/Dockerfile-workers . - #docker build -t homeserver -f docker/complement/Dockerfile docker/complement - #working-directory: homeserver - #env: - #DOCKER_BUILDKIT: 1 + #- name: "Checkout corresponding Synapse branch" + #shell: bash + #run: | + #mkdir -p homeserver + # + ## Attempt to use the version of the homeserver which best matches the + ## current build. + ## + ## 1. If we are not on complement's default branch, check if there's a + ## similarly named branch (GITHUB_HEAD_REF for pull requests, + ## otherwise GITHUB_REF). + ## 2. 
otherwise, use the default homeserver branch ("HEAD") + # + #for BRANCH_NAME in "$GITHUB_HEAD_REF" "${GITHUB_REF#refs/heads/}" "HEAD"; do + ## Skip empty branch names, merge commits, and our default branch. + ## (If we are on complement's default branch, we want to fall through to the HS's default branch + ## rather than using the HS's 'master'/'main'). + #case "$BRANCH_NAME" in + #"" | refs/pull/* | main | master) + #continue + #;; + #esac + #(wget -O - "https://github.com/matrix-org/synapse/archive/$BRANCH_NAME.tar.gz" | tar -xz --strip-components=1 -C homeserver) && break + #done + ## Build the base Synapse dockerfile and then build a Complement-specific image from that base. + #- run: | + #docker build -t matrixdotorg/synapse:latest -f docker/Dockerfile . + #docker build -t matrixdotorg/synapse-workers:latest -f docker/Dockerfile-workers . + #docker build -t homeserver -f docker/complement/Dockerfile docker/complement + #working-directory: homeserver + #env: + #DOCKER_BUILDKIT: 1 - name: "Run Complement-Crypto unit tests" env: COMPLEMENT_BASE_IMAGE: homeserver