diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index eac6f45f0b..ab7042d449 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,6 +16,8 @@ on: branches: - main +permissions: {} + env: RUSTFLAGS: -Dwarnings @@ -29,6 +31,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - name: Install rustfmt and clippy run: rustup toolchain install $RUSTUP_TOOLCHAIN --profile minimal --component rustfmt --component clippy - name: Cache rust cargo artifacts @@ -49,6 +52,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - name: Rebuild constants run: npm run build:core:constants - name: Check that constants are not changed @@ -61,6 +65,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - uses: EmbarkStudios/cargo-deny-action@v2 with: arguments: --all-features --workspace @@ -74,6 +79,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - name: Check provider database run: scripts/update-provider-database.sh @@ -86,6 +92,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - name: Cache rust cargo artifacts uses: swatinem/rust-cache@v2 - name: Rustdoc @@ -111,6 +118,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - name: Install Rust ${{ matrix.rust }} run: rustup toolchain install --profile minimal ${{ matrix.rust }} @@ -147,6 +155,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - name: Cache rust cargo artifacts uses: swatinem/rust-cache@v2 @@ -171,6 +180,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - name: Cache rust cargo artifacts uses: swatinem/rust-cache@v2 
@@ -192,6 +202,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - name: Install tox run: pip install tox @@ -234,6 +245,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - name: Download libdeltachat.a uses: actions/download-artifact@v4 @@ -286,6 +298,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - name: Install python uses: actions/setup-python@v5 diff --git a/.github/workflows/deltachat-rpc-server.yml b/.github/workflows/deltachat-rpc-server.yml index 4ed769b62a..db8f1d2265 100644 --- a/.github/workflows/deltachat-rpc-server.yml +++ b/.github/workflows/deltachat-rpc-server.yml @@ -17,6 +17,8 @@ on: release: types: [published] +permissions: {} + jobs: # Build a version statically linked against musl libc # to avoid problems with glibc version incompatibility. @@ -31,6 +33,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/magic-nix-cache-action@main @@ -55,6 +58,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/magic-nix-cache-action@main @@ -80,6 +84,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - name: Setup rust target run: rustup target add ${{ matrix.arch }}-apple-darwin @@ -105,6 +110,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/magic-nix-cache-action@main @@ -132,6 +138,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/magic-nix-cache-action@main 
@@ -258,8 +265,9 @@ jobs: if: github.event_name == 'release' env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + REF_NAME: ${{ github.ref_name }} run: | - gh release upload ${{ github.ref_name }} \ + gh release upload "$REF_NAME" \ --repo ${{ github.repository }} \ bin/* dist/* @@ -280,6 +288,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: "3.11" @@ -385,8 +394,9 @@ jobs: if: github.event_name == 'release' env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + REF_NAME: ${{ github.ref_name }} run: | - gh release upload ${{ github.ref_name }} \ + gh release upload "$REF_NAME" \ --repo ${{ github.repository }} \ deltachat-rpc-server/npm-package/*.tgz diff --git a/.github/workflows/jsonrpc-client-npm-package.yml b/.github/workflows/jsonrpc-client-npm-package.yml index 9d53ae90e4..573eb28ffa 100644 --- a/.github/workflows/jsonrpc-client-npm-package.yml +++ b/.github/workflows/jsonrpc-client-npm-package.yml @@ -4,6 +4,8 @@ on: release: types: [published] +permissions: {} + jobs: pack-module: name: "Publish @deltachat/jsonrpc-client" @@ -15,6 +17,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - uses: actions/setup-node@v4 with: diff --git a/.github/workflows/jsonrpc.yml b/.github/workflows/jsonrpc.yml index 0f5df0a2fa..cd4107cdae 100644 --- a/.github/workflows/jsonrpc.yml +++ b/.github/workflows/jsonrpc.yml @@ -6,6 +6,8 @@ on: pull_request: branches: [main] +permissions: {} + env: CARGO_TERM_COLOR: always RUST_MIN_STACK: "8388608" @@ -17,6 +19,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - name: Use Node.js 18.x uses: actions/setup-node@v4 with: diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml index 72a84833cc..2c59bab55d 100644 --- a/.github/workflows/nix.yml +++ b/.github/workflows/nix.yml 
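Review bot: The `gh release upload` step authenticates with `GITHUB_TOKEN`, and the new top-level `permissions: {}` in this workflow removes the default write grant, so the job must now declare `permissions:` / `contents: write` itself; the job header and any job-level `permissions:` block lie outside the hunk, so verify it is present (the second `gh release upload` hunk in this file has the same dependency, as does any publishing or docs-upload job in the other workflows that writes with the workflow token). Moving `github.ref_name` into `REF_NAME` is the right fix; for consistency the remaining inline `--repo ${{ github.repository }}` could go through the environment the same way, `REPO: ${{ github.repository }}` and `--repo "$REPO"`, even though `github.repository` is not attacker-controlled. The step's `run:` block ends at the `bin/* dist/*` line inside the hunk, but the enclosing job starts outside it.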
@@ -12,6 +12,8 @@ on: branches: - main +permissions: {} + jobs: format: name: check flake formatting @@ -20,6 +22,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/magic-nix-cache-action@main - run: nix fmt @@ -80,6 +83,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/magic-nix-cache-action@main - run: nix build .#${{ matrix.installable }} @@ -99,6 +103,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/magic-nix-cache-action@main - run: nix build .#${{ matrix.installable }} diff --git a/.github/workflows/node-docs.yml b/.github/workflows/node-docs.yml index 8dd777d988..9522f30952 100644 --- a/.github/workflows/node-docs.yml +++ b/.github/workflows/node-docs.yml @@ -10,6 +10,8 @@ on: branches: - main +permissions: {} + jobs: generate: runs-on: ubuntu-latest @@ -17,6 +19,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - name: Use Node.js 18.x uses: actions/setup-node@v4 diff --git a/.github/workflows/node-package.yml b/.github/workflows/node-package.yml index bd590296bb..95f14607b2 100644 --- a/.github/workflows/node-package.yml +++ b/.github/workflows/node-package.yml @@ -6,6 +6,8 @@ on: - "*" - "!py-*" +permissions: {} + jobs: prebuild: name: Prebuild @@ -17,6 +19,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: "18" @@ -78,6 +81,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: "18" 
@@ -142,6 +146,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: "18" diff --git a/.github/workflows/node-tests.yml b/.github/workflows/node-tests.yml index ae78784015..73b7fe7b9c 100644 --- a/.github/workflows/node-tests.yml +++ b/.github/workflows/node-tests.yml @@ -15,6 +15,8 @@ on: branches: - main +permissions: {} + jobs: tests: name: Tests @@ -26,6 +28,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: "18" diff --git a/.github/workflows/publish-deltachat-rpc-client-pypi.yml b/.github/workflows/publish-deltachat-rpc-client-pypi.yml index 986a949744..cdcbaced17 100644 --- a/.github/workflows/publish-deltachat-rpc-client-pypi.yml +++ b/.github/workflows/publish-deltachat-rpc-client-pypi.yml @@ -5,6 +5,8 @@ on: release: types: [published] +permissions: {} + jobs: build: name: Build distribution @@ -14,6 +16,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - name: Install pypa/build run: python3 -m pip install build - name: Build a binary wheel and a source tarball diff --git a/.github/workflows/repl.yml b/.github/workflows/repl.yml index 0b8f38985c..9d23ed66ab 100644 --- a/.github/workflows/repl.yml +++ b/.github/workflows/repl.yml @@ -7,6 +7,8 @@ name: Build Windows REPL .exe on: workflow_dispatch: +permissions: {} + jobs: build_repl: name: Build REPL example @@ -15,6 +17,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/magic-nix-cache-action@main - name: Build diff --git a/.github/workflows/upload-docs.yml b/.github/workflows/upload-docs.yml index df7a9ab843..096b0e72fc 100644 --- a/.github/workflows/upload-docs.yml +++ b/.github/workflows/upload-docs.yml 
@@ -6,6 +6,8 @@ on: - main - build_jsonrpc_docs_ci +permissions: {} + jobs: build-rs: runs-on: ubuntu-latest @@ -14,6 +16,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - name: Build the documentation with cargo run: | cargo doc --package deltachat --no-deps --document-private-items @@ -31,6 +34,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false fetch-depth: 0 # Fetch history to calculate VCS version number. - uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/magic-nix-cache-action@main @@ -50,6 +54,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false fetch-depth: 0 # Fetch history to calculate VCS version number. - uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/magic-nix-cache-action@main @@ -72,6 +77,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false fetch-depth: 0 # Fetch history to calculate VCS version number. - name: Use Node.js uses: actions/setup-node@v4 diff --git a/.github/workflows/upload-ffi-docs.yml b/.github/workflows/upload-ffi-docs.yml index c79d61ed3d..8c2aab4059 100644 --- a/.github/workflows/upload-ffi-docs.yml +++ b/.github/workflows/upload-ffi-docs.yml @@ -9,6 +9,8 @@ on: branches: - main +permissions: {} + jobs: build: runs-on: ubuntu-latest @@ -17,6 +19,7 @@ jobs: - uses: actions/checkout@v4 with: show-progress: false + persist-credentials: false - name: Build the documentation with cargo run: | cargo doc --package deltachat_ffi --no-deps diff --git a/.github/workflows/zizmor-scan.yml b/.github/workflows/zizmor-scan.yml new file mode 100644 index 0000000000..cf780402c5 --- /dev/null +++ b/.github/workflows/zizmor-scan.yml 
@@ -0,0 +1,31 @@
+name: GitHub Actions Security Analysis with zizmor
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+jobs:
+ zizmor:
+ name: zizmor latest via PyPI
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - name: Install the latest version of uv
+ uses: astral-sh/setup-uv@v5
+
+ - name: Run zizmor
+ run: uvx zizmor --format sarif . > results.sarif
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
+ category: zizmor
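Review bot: The `Run zizmor` step sets no `GH_TOKEN`, so the audits that need the GitHub API are skipped and the scan is weaker than it looks; add `env:` with `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to that step. If zizmor exits non-zero when it reports findings, the redirect still writes `results.sarif` but the step fails and `Upload SARIF file` never runs, so nothing reaches the Security tab — `run: uvx zizmor --no-exit-codes --format sarif . > results.sarif` keeps the upload path alive while the uploaded SARIF still surfaces the findings. The workflow that audits the others pins `actions/checkout`, `astral-sh/setup-uv` and `github/codeql-action/upload-sarif` by mutable tag; pinning by full commit SHA with a version comment is the stronger choice here, and the `@main` references on the Determinate Systems actions in the other workflows will presumably be among the first things this scan reports. On `pull_request` runs from forks the workflow token is read-only, so the SARIF upload is expected to fail there; confirm that is acceptable or gate the upload step on same-repository events.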