Merge branch 'develop' into Allow-MSC4039-For-Element-Call

Author: BillCarsonFr

.github/workflows/build.yml

@@ -47,7 +47,7 @@ jobs:
               with:
                   persist-credentials: false
 
-            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
             - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
               with:
                   # Disable cache on Windows as it is slower than not caching

.github/workflows/build_desktop_and_test.yaml

@@ -57,7 +57,7 @@ jobs:
               with:
                   persist-credentials: false
 
-            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
             - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
               with:
                   cache: "pnpm"

.github/workflows/build_desktop_linux.yaml

@@ -73,7 +73,7 @@ jobs:
         # https://github.com/matrix-org/seshat/issues/135
         runs-on: ${{ inputs.runs-on || (inputs.arch == 'arm64' && 'ubuntu-22.04-arm' || 'ubuntu-22.04') }}
         env:
-            HAK_DOCKER_IMAGE: ghcr.io/element-hq/element-desktop-dockerbuild
+            HAK_DOCKER_IMAGE: ghcr.io/element-hq/element-web/desktop-build-env
         steps:
             - name: Resolve docker image tag for push
               if: github.event_name == 'push'
@@ -118,13 +118,13 @@ jobs:
 
             - name: Cache .hak
               id: cache
-              uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
+              uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
               with:
                   key: ${{ runner.os }}-${{ github.ref_name }}-${{ inputs.sqlcipher }}-${{ inputs.arch }}-${{ hashFiles('hakHash', 'electronVersion', 'dockerbuild/*') }}
                   path: |
                       apps/desktop/.hak
 
-            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
             - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
               with:
                   node-version-file: apps/desktop/.node-version

.github/workflows/build_desktop_macos.yaml

@@ -73,7 +73,7 @@ jobs:
         runs-on: macos-15 # M1
         environment: ${{ inputs.sign && 'Desktop Apple' || '' }}
         steps:
-            - uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1
+            - uses: maxim-lobanov/setup-xcode@ed7a3b1fda3918c0306d1b724322adc0b8cc0a90 # v1
               with:
                   xcode-version: latest-stable
 
@@ -90,7 +90,7 @@ jobs:
 
             - name: Cache .hak
               id: cache
-              uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
+              uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
               with:
                   key: ${{ runner.os }}-${{ hashFiles('hakHash', 'electronVersion') }}
                   path: |
@@ -113,7 +113,7 @@ jobs:
             # https://github.com/electron-userland/electron-builder/issues/9511#issuecomment-3774092888
             - run: sudo pip3 install pyobjc-framework-Quartz
 
-            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
             - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
               with:
                   node-version-file: apps/desktop/.node-version
@@ -128,22 +128,21 @@ jobs:
               working-directory: apps/desktop
               run: pnpm run build:native:universal
 
-            # We split these because electron-builder gets upset if we set CSC_LINK even to an empty string
-            - name: "[Signed] Build App"
-              if: inputs.sign != ''
+            - name: "Build App"
               working-directory: apps/desktop
-              run: |
-                  pnpm run build:universal --publish never -m ${TARGETS}
+              run: pnpm run build:universal --publish never -m ${TARGETS}
               env:
-                  APPLE_TEAM_ID: ${{ vars.APPLE_TEAM_ID }}
-                  APPLE_ID: ${{ secrets.APPLE_ID }}
-                  APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
-                  CSC_KEY_PASSWORD: ${{ secrets.APPLE_CSC_KEY_PASSWORD }}
-                  CSC_LINK: ${{ secrets.APPLE_CSC_LINK }}
+                  # Code signing parameters
+                  CSC_IDENTITY_AUTO_DISCOVERY: ${{ inputs.sign != '' }}
+                  APPLE_TEAM_ID: ${{ case(inputs.sign != '', vars.APPLE_TEAM_ID, '') }}
+                  APPLE_ID: ${{ case(inputs.sign != '', secrets.APPLE_ID, '') }}
+                  APPLE_APP_SPECIFIC_PASSWORD: ${{ case(inputs.sign != '', secrets.APPLE_ID_PASSWORD, '') }}
+                  CSC_KEY_PASSWORD: ${{ case(inputs.sign != '', secrets.APPLE_CSC_KEY_PASSWORD, '') }}
+                  CSC_LINK: ${{ case(inputs.sign != '', secrets.APPLE_CSC_LINK, '') }}
                   VARIANT_PATH: variant.json
+                  TARGETS: ${{ inputs.targets }}
                   # Only set for Nightly builds
                   VERSION: ${{ inputs.version }}
-                  TARGETS: ${{ inputs.targets }}
 
             - name: Check app was signed & notarised successfully
               if: inputs.sign != ''
@@ -154,16 +153,6 @@ jobs:
                   spctl -a -vvv -t install /Volumes/Element/*.app
                   hdiutil detach /Volumes/Element
 
-            - name: "[Unsigned] Build App"
-              if: inputs.sign == ''
-              working-directory: apps/desktop
-              run: |
-                  pnpm run build:universal --publish never -m ${TARGETS}
-              env:
-                  CSC_IDENTITY_AUTO_DISCOVERY: false
-                  VARIANT_PATH: variant.json
-                  TARGETS: ${{ inputs.targets }}
-
             - name: Generate releases.json
               if: inputs.base-url
               working-directory: apps/desktop

.github/workflows/build_desktop_prepare.yaml

@@ -58,7 +58,7 @@ jobs:
               with:
                   persist-credentials: false
 
-            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
             - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
               with:
                   node-version-file: apps/desktop/.node-version

.github/workflows/build_desktop_test.yaml

@@ -41,7 +41,7 @@ jobs:
                   repository: ${{ github.repository == 'element-hq/element-web-pro' && 'element-hq/element-web' || github.repository }}
                   persist-credentials: false
 
-            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
             - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
               with:
                   node-version-file: apps/desktop/.node-version

.github/workflows/build_desktop_windows.yaml

@@ -121,7 +121,7 @@ jobs:
 
             - name: Cache .hak
               id: cache
-              uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
+              uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
               with:
                   key: ${{ runner.os }}-${{ inputs.arch }}-${{ hashFiles('hakHash', 'electronVersion') }}
                   path: |
@@ -152,7 +152,7 @@ jobs:
               env:
                   TARGET: ${{ steps.config.outputs.target }}
 
-            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
             - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
               with:
                   node-version-file: apps/desktop/.node-version

.github/workflows/build_develop.yml

@@ -32,7 +32,7 @@ jobs:
               with:
                   persist-credentials: false
 
-            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
             - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
               with:
                   cache: "pnpm"

.github/workflows/cd.yaml

@@ -1,12 +1,12 @@
 name: CD # Continuous Delivery
 on:
     push:
-        branches: [develop]
+        branches: [master, staging, develop]
 concurrency: ${{ github.workflow }}-${{ github.ref_name }}
 
 permissions: {}
 env:
-    NX_DEFAULT_OUTPUT_STYLE: static
+    NX_DEFAULT_OUTPUT_STYLE: stream-without-prefixes
 
 jobs:
     docker:
@@ -21,18 +21,8 @@ jobs:
         steps:
             - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
               with:
-                  # We need to fetch all branches and commits so that Nx affected has a base to compare against.
-                  fetch-depth: 0
-                  # reduce the size of the checkout with tree filtering,
-                  # see https://github.blog/open-source/git/get-up-to-speed-with-partial-clone-and-shallow-clone/
-                  filter: tree:0
                   persist-credentials: false
 
-            - name: Prepare nx
-              uses: nrwl/nx-set-shas@3e9ad7370203c1e93d109be57f3b72eb0eb511b1 # v4
-              with:
-                  main-branch-name: develop
-
             - name: Install Cosign
               uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3
 
@@ -43,7 +33,7 @@ jobs:
               id: builder
               uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
-            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
             - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
               with:
                   node-version-file: package.json
@@ -59,21 +49,20 @@ jobs:
                   username: ${{ github.repository_owner }}
                   password: ${{ secrets.GITHUB_TOKEN }}
 
-            - run: pnpm nx affected -t docker:build
+            - run: pnpm nx run-many --nxBail -t docker:build
+              id: build
               env:
                   INPUT_PUSH: true
                   INPUT_LOAD: false
                   INPUT_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
                   INPUT_BUILDER: ${{ steps.builder.outputs.name }}
 
             - name: Sign the images with GitHub OIDC token
-              env:
-                  PATTERN: "^ghcr.io/element-hq/element-web*"
               run: |
-                  docker image ls --digests --format '{{.Repository}}@{{.Digest}}' | grep "$PATTERN" | while read -r TARGET; do
-                    # Check if digest is valid (not <none>)
-                    if [[ "$TARGET" != *"@<none>"* ]]; then
+                  shopt -s globstar
+
+                  for FILE in ./node_modules/.cache/nx-container/**/metadata; do
+                      TARGET=$(jq -r '(.["image.name"] | split(",") | last) + "@" + .["containerimage.digest"]' "$FILE")
                       echo "Signing $TARGET..."
                       cosign sign --yes "$TARGET"
-                    fi
                   done