Skip to content

Harden CI workflows with Zizmor and SHA versions #230

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kaylendog merged 7 commits into from
Mar 9, 2026
Merged

Harden CI workflows with Zizmor and SHA versions #230

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
86f3ec0
ci: Pin action versions to commit SHAs
kaylendog Mar 9, 2026
c8ce078
ci: Use runner-provided `rustup` over external action
kaylendog Mar 9, 2026
c375298
ci: Configure granular workflow permissions
kaylendog Mar 9, 2026
5c193f3
ci: Add zizmor workflow
kaylendog Mar 9, 2026
8bb199c
ci: Format workflows
kaylendog Mar 9, 2026
68e22ea
ci: Correct go version in `tests.yaml`
kaylendog Mar 9, 2026
0695c10
ci: Remove explicit permissions since repo is public
kaylendog Mar 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 13 additions & 9 deletions .github/workflows/single_sdk_tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,9 @@
# in the input. It runs single SDK only tests (e.g all JS clients _or_ all Rust clients, not a mixture).
name: "Complement Crypto"
run-name: "Running Complement-Crypto"
permissions: read-all

permissions: {}

on:
workflow_call:
inputs:
Expand Down Expand Up @@ -32,7 +34,9 @@ jobs:
# At this stage we don't know which repo we have just checked out. We will reference this repo
# if the workflow uses '.'
- name: Checkout repo
uses: actions/checkout@v3
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Resolve branches
shell: bash
# these env vars will be modified and used in subsequent steps
Expand Down Expand Up @@ -104,18 +108,18 @@ jobs:
docker pull mitmproxy/mitmproxy:10.1.5
docker tag ghcr.io/matrix-org/synapse-service:v1.117.0 homeserver:latest
- name: Setup | Go
uses: actions/setup-go@v6
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version: "1.25"
- name: "Install Complement Dependencies"
shell: bash
run: |
go install -v github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest
go install -v github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@4c97682ab858d6bbd26fc020e255cb339c9c8119 # v2.5.0

# JS SDK only steps
- name: Setup | Node.js LTS
if: ${{ inputs.use_js_sdk != '' }}
uses: actions/setup-node@v3
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: "lts/*"
- name: "Install JS SDK"
Expand All @@ -128,9 +132,9 @@ jobs:
# which we then pass to rebuild_rust_sdk.sh
- name: Setup | Rust
if: ${{ inputs.use_rust_sdk != '' }}
uses: dtolnay/rust-toolchain@stable
with:
toolchain: stable
run: |
rustup toolchain install stable
rustup default stable
- name: "Download Rust SDK" # no need to download rust SDK if we are using the local checkout.
if: ${{ inputs.use_rust_sdk != '' && inputs.use_rust_sdk != '.'}}
run: |
Expand Down Expand Up @@ -182,7 +186,7 @@ jobs:
RUST_SDK_LIB_RELATIVE: ${{ inputs.use_rust_sdk == '.' && '/target/debug' || '/complement-crypto/rust-sdk/target/debug'}}

- name: Upload logs
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: ${{ failure() }}
with:
name: Logs - ${{ inputs.use_js_sdk != '' && 'jssdk' || 'rust'}}
Expand Down
106 changes: 55 additions & 51 deletions .github/workflows/tests.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,64 +1,68 @@
name: Tests

permissions: {}

on:
push:
branches: [ 'main' ]
branches: ["main"]
pull_request:
workflow_dispatch:

jobs:
check-signoff:
if: "github.event_name == 'pull_request'"
uses: "matrix-org/backend-meta/.github/workflows/sign-off.yml@v2"
uses: matrix-org/backend-meta/.github/workflows/sign-off.yml@18beaf3c8e536108bd04d18e6c3dc40ba3931e28 # v2

js-latest-main:
name: Tests (JS only, latest)
uses: ./.github/workflows/single_sdk_tests.yml
with:
use_js_sdk: 'MATCHING_BRANCH'
use_complement_crypto: '.'
use_js_sdk: "MATCHING_BRANCH"
use_complement_crypto: "."

rust-latest-main:
name: Tests (Rust only, latest)
uses: ./.github/workflows/single_sdk_tests.yml
with:
use_rust_sdk: 'MATCHING_BRANCH'
use_complement_crypto: '.'
use_rust_sdk: "MATCHING_BRANCH"
use_complement_crypto: "."

complement:
name: Tests
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3 # Checkout crypto tests
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

# Install Node, Go and Rust, along with gotestfmt
- name: Setup | Node.js LTS
uses: actions/setup-node@v3
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: "lts/*"
cache: 'yarn'
cache: "yarn"
cache-dependency-path: "internal/api/js/js-sdk/yarn.lock"
- name: Setup | Go
uses: actions/setup-go@v4
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version: '1.21'
go-version: "1.25"
- name: Setup | Rust
uses: dtolnay/rust-toolchain@stable
with:
toolchain: stable
run: |
rustup toolchain install stable
rustup default stable
- name: Checkout matrix-rust-sdk
run: |
BRANCH=$(./.github/workflows/resolve_branch.sh matrix-org/matrix-rust-sdk)
mkdir rust-sdk
wget -O archive.tar.gz "https://github.com/matrix-org/matrix-rust-sdk/archive/$BRANCH.tar.gz"
zcat < archive.tar.gz | git get-tar-commit-id # useful for debugging
tar -xz --strip-components=1 -C rust-sdk < archive.tar.gz
- uses: Swatinem/rust-cache@v2
- uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
with:
workspaces: "rust-sdk"
- name: "Install Complement Dependencies"
run: |
go install -v github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest
go install -v github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@4c97682ab858d6bbd26fc020e255cb339c9c8119 # v2.5.0

# Install whatever version of the JS SDK is in package.json
- name: Build JS SDK
Expand All @@ -81,38 +85,38 @@ jobs:
docker tag ghcr.io/matrix-org/synapse-service:v1.117.0 homeserver:latest

# Build homeserver image, honouring branch names
#- name: "Checkout corresponding Synapse branch"
#shell: bash
#run: |
#mkdir -p homeserver
#
## Attempt to use the version of the homeserver which best matches the
## current build.
##
## 1. If we are not on complement's default branch, check if there's a
## similarly named branch (GITHUB_HEAD_REF for pull requests,
## otherwise GITHUB_REF).
## 2. otherwise, use the default homeserver branch ("HEAD")
#
#for BRANCH_NAME in "$GITHUB_HEAD_REF" "${GITHUB_REF#refs/heads/}" "HEAD"; do
## Skip empty branch names, merge commits, and our default branch.
## (If we are on complement's default branch, we want to fall through to the HS's default branch
## rather than using the HS's 'master'/'main').
#case "$BRANCH_NAME" in
#"" | refs/pull/* | main | master)
#continue
#;;
#esac
#(wget -O - "https://github.com/matrix-org/synapse/archive/$BRANCH_NAME.tar.gz" | tar -xz --strip-components=1 -C homeserver) && break
#done
## Build the base Synapse dockerfile and then build a Complement-specific image from that base.
#- run: |
#docker build -t matrixdotorg/synapse:latest -f docker/Dockerfile .
#docker build -t matrixdotorg/synapse-workers:latest -f docker/Dockerfile-workers .
#docker build -t homeserver -f docker/complement/Dockerfile docker/complement
#working-directory: homeserver
#env:
#DOCKER_BUILDKIT: 1
#- name: "Checkout corresponding Synapse branch"
#shell: bash
#run: |
#mkdir -p homeserver
#
## Attempt to use the version of the homeserver which best matches the
## current build.
##
## 1. If we are not on complement's default branch, check if there's a
## similarly named branch (GITHUB_HEAD_REF for pull requests,
## otherwise GITHUB_REF).
## 2. otherwise, use the default homeserver branch ("HEAD")
#
#for BRANCH_NAME in "$GITHUB_HEAD_REF" "${GITHUB_REF#refs/heads/}" "HEAD"; do
## Skip empty branch names, merge commits, and our default branch.
## (If we are on complement's default branch, we want to fall through to the HS's default branch
## rather than using the HS's 'master'/'main').
#case "$BRANCH_NAME" in
#"" | refs/pull/* | main | master)
#continue
#;;
#esac
#(wget -O - "https://github.com/matrix-org/synapse/archive/$BRANCH_NAME.tar.gz" | tar -xz --strip-components=1 -C homeserver) && break
#done
## Build the base Synapse dockerfile and then build a Complement-specific image from that base.
#- run: |
#docker build -t matrixdotorg/synapse:latest -f docker/Dockerfile .
#docker build -t matrixdotorg/synapse-workers:latest -f docker/Dockerfile-workers .
#docker build -t homeserver -f docker/complement/Dockerfile docker/complement
#working-directory: homeserver
#env:
#DOCKER_BUILDKIT: 1
- name: "Run Complement-Crypto unit tests"
env:
COMPLEMENT_BASE_IMAGE: homeserver
Expand Down Expand Up @@ -161,10 +165,10 @@ jobs:
DOCKER_BUILDKIT: 1

- name: Upload logs
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: ${{ always() }} # do this even if the tests fail
with:
name: Logs - ${{ job.status }}
path: |
./**/logs/*
./**/mitm.dump
./**/logs/*
./**/mitm.dump
25 changes: 25 additions & 0 deletions .github/workflows/zizmor.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
name: Analyse workflows with zizmor

on:
push:
branches: ["main"]
pull_request:
branches: ["**"]

permissions: {}

jobs:
zizmor:
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
actions: read
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Run zizmor
uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
Loading