element-hq · benbz · Jul 1, 2025 · Jun 30, 2025 · Jun 30, 2025 · Jun 30, 2025
@@ -11,6 +11,9 @@ on:
     - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   action-validator:
     runs-on: ubuntu-latest
@@ -60,3 +63,21 @@ jobs:
           echo "$unpinned_actions"
           exit 1
         fi
+
+  explicit-permissions:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
+
+    - name: Find workflows that have jobs that rely on the default permissions
+      run: |
+        workflows_with_implicit_permissions=$(
+          find .github/workflows -type f \( -iname \*.yaml -o -iname \*.yml \) -print0 \
+            | xargs -0 -I {} yq '{filename: ([.jobs.* | has("permissions")] | all) or (. | has("permissions"))}' {} \
+            | grep -E 'false$' || true)
+        if [ "$workflows_with_implicit_permissions" != "" ]; then
+          echo "There are workflows that have not set permissions either globally or for all jobs:"
+          echo "$workflows_with_implicit_permissions"
+          exit 1
+        fi
@@ -5,7 +5,6 @@
 name: Artifact Hub Metadata
 
 on:
-  pull_request:
   push:
     branches:
     - main
@@ -18,8 +17,6 @@ jobs:
       packages: write
     runs-on: ubuntu-latest
     steps:
-    # This will push the OCI artifact only on merges
-    # As the checkout will push the PR Target commit hash
     - name: Checkout
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
 

@@ -10,6 +10,9 @@ on:
     - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   # We build from source and commit all generated file changes so that we can see the impact in PRs
   # We want to ensure that the commit of built changes does happen, so fail if building creates changes
@@ -91,193 +94,3 @@ jobs:
         for checkov_values in charts/matrix-stack/ci/*checkov*values.yaml; do
           scripts/checkov.sh "$checkov_values"
         done
-
-  template-dyff:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: write # required to post a comment to a pull request
-    steps:
-    - name: Checkout PR
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
-      with:
-        fetch-depth: 0
-
-    # helm template doesn't reliably order manifests within the same kind, so use yq to do it for us
-    - name: Generate manifests for PR
-      id: generate-manifests
-      run: |
-        mkdir -p "$RUNNER_TEMP/new"
-        for values in charts/matrix-stack/ci/*values.yaml; do
-          echo "Generating new templates with $values";
-          mkdir -p "$RUNNER_TEMP/new/$(basename "$values" ".yaml")"
-          helm template \
-              -n ess-ci \
-              -a monitoring.coreos.com/v1/ServiceMonitor \
-              -f "$values" charts/matrix-stack | \
-          yq ea '[.] | .[] | splitDoc' | \
-          yq -s "\"$RUNNER_TEMP/new/$(basename "$values" ".yaml")/\""' + ([.kind, .metadata.name] | join("-") | downcase) + ".yaml"'
-        done
-        echo "output_dir=$RUNNER_TEMP/new" | tee -a "$GITHUB_OUTPUT"
-
-    # We want the most recent common ancestor between the target & PR branches rather than the target branch itself
-    # There could have been more commits to the target branch since the PR branch was created and we don't want to see
-    # those changes in the dyff, only what this branch is doing.
-    - name: Determine most recent common ancestor of target and PR branches
-      id: merge-base
-      run: |
-        echo "merge-base=$(git merge-base ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }})" | tee -a "$GITHUB_OUTPUT"
-
-    - name: Checkout target
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
-      with:
-        ref: ${{ steps.merge-base.outputs.merge-base }}
-
-    - name: Generate manifests for base
-      run: |
-        mkdir -p "$RUNNER_TEMP/old"
-        for values in charts/matrix-stack/ci/*values.yaml; do
-          echo "Generating old templates with $values";
-          mkdir -p "$RUNNER_TEMP/old/$(basename "$values" ".yaml")"
-          helm template \
-              -n ess-ci \
-              -a monitoring.coreos.com/v1/ServiceMonitor \
-              -f "$values" charts/matrix-stack | \
-          yq ea '[.] | .[] | splitDoc' | \
-          yq -s "\"$RUNNER_TEMP/old/$(basename "$values" ".yaml")/\""' + ([.kind, .metadata.name] | join("-") | downcase) + ".yaml"'
-        done
-
-    - name: Install dyff with asdf
-      uses: asdf-vm/actions/install@1902764435ca0dd2f3388eea723a4f92a4eb8302  # v4
-      with:
-        tool_versions: |
-          dyff 1.10.1
-
-    - name: Upload new manifests
-      id: upload-new
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
-      with:
-        name: new-manifests
-        path: ${{ steps.generate-manifests.outputs.output_dir }}
-        retention-days: 1
-
-    - name: dyff old and new manifests
-      id: dyff
-      shell: bash
-      env:
-        ARTIFACT_URL: ${{ steps.upload-new.outputs.artifact-url }}
-      run: |
-        echo "output_dir=$RUNNER_TEMP" | tee -a "$GITHUB_OUTPUT"
-        values_directories=$(find "$RUNNER_TEMP/old" "$RUNNER_TEMP/new" -maxdepth 1 -type d | sed -E 's|'"$RUNNER_TEMP"'/(old\|new)||' | sed -E 's|^/||' | sort | uniq)
-        header="# dyff of changes in rendered templates of CI manifests\n\n"
-        comment_body=""
-        while read -r values_dir; do
-          if [ -z "$values_dir" ]; then
-            continue
-          fi
-
-          templates_files=$(find "$RUNNER_TEMP/old" "$RUNNER_TEMP/new" -maxdepth 2 -name '*.yaml' | grep "$values_dir" | sed -E 's|'"$RUNNER_TEMP"'/(old\|new)/||' | sort | uniq)
-          comment_templates_body=""
-
-          while read -r templates_file; do
-            current_file="$(basename "$templates_file")"
-            if [[ "$current_file" == ".yaml" ]] && [ ! -s "$template_file" ]; then
-              continue
-            fi
-
-            if [ ! -f "$RUNNER_TEMP/old/$templates_file" ]; then
-              api_version=$(yq '.apiVersion' "$RUNNER_TEMP/new/$templates_file")
-              kind=$(yq '.kind' "$RUNNER_TEMP/new/$templates_file")
-              name=$(yq '.metadata.name' "$RUNNER_TEMP/new/$templates_file")
-              namespace=$(yq '.metadata.namespace' "$RUNNER_TEMP/new/$templates_file")
-              metadata=$(yq '.metadata' "$RUNNER_TEMP/new/$templates_file")
-              comment_templates_body+="@@ $current_file @@\n"
-              comment_templates_body+="# $api_version/$kind/$namespace/$name\n"
-              comment_templates_body+="! + one file added - the full content of the file is available in ${ARTIFACT_URL}\n"
-              comment_templates_body+="+ apiVersion: $api_version\n"
-              comment_templates_body+="+ kind: $kind\n"
-              comment_templates_body+="+ metadata:\n"
-              while IFS= read -r line; do
-                comment_templates_body+="+   $line\n"
-              done <<< "$metadata"
-              comment_templates_body+="\n\n"
-              continue
-            fi
-
-            if [ ! -f "$RUNNER_TEMP/new/$templates_file" ]; then
-              api_version=$(yq '.apiVersion' "$RUNNER_TEMP/old/$templates_file" )
-              kind=$(yq '.kind' "$RUNNER_TEMP/old/$templates_file")
-              name=$(yq '.metadata.name' "$RUNNER_TEMP/old/$templates_file")
-              namespace=$(yq '.metadata.namespace' "$RUNNER_TEMP/old/$templates_file")
-              metadata=$(yq '.metadata' "$RUNNER_TEMP/old/$templates_file")
-              comment_templates_body+="@@ $current_file @@\n"
-              comment_templates_body+="# $api_version/$kind/$namespace/$name\n"
-              comment_templates_body+="! - one file removed\n"
-              comment_templates_body+="- apiVersion: $api_version\n"
-              comment_templates_body+="- kind: $kind\n"
-              comment_templates_body+="- metadata:\n"
-              while IFS= read -r line; do
-                comment_templates_body+="-   $line\n"
-              done <<< "$metadata"
-              comment_templates_body+="\n\n"
-              continue
-            fi
-
-            exit_code=0
-            dyff_detail=$(dyff between --set-exit-code --omit-header --output=github "$RUNNER_TEMP/old/$templates_file" "$RUNNER_TEMP/new/$templates_file" 2>&1) || exit_code=$?
-            if [ $exit_code -ne 0 ]; then
-              if [[ "$dyff_detail" == *"failed to compare input files"* ]]; then
-                echo "failed with file $templates_file"
-                exit 1
-              fi
-
-              api_version=$(yq '.apiVersion' "$RUNNER_TEMP/new/$templates_file")
-              kind=$(yq '.kind' "$RUNNER_TEMP/new/$templates_file")
-              name=$(yq '.metadata.name' "$RUNNER_TEMP/new/$templates_file")
-              namespace=$(yq '.metadata.namespace' "$RUNNER_TEMP/new/$templates_file")
-              resource_metadata="# $api_version/$kind/$namespace/$name"
-              comment_templates_body+=$(sed -e "1d" -e "/^@@/a$resource_metadata" <<< "$dyff_detail")
-              comment_templates_body+="\n\n\n"
-            fi
-          done <<< "$templates_files"
-
-          if [[ -n "$comment_templates_body" ]]; then
-              comment_body+="<details><summary><b>$values_dir.yaml</b></summary>\n"
-              comment_body+='\n```diff\n'
-              comment_body+="$comment_templates_body"
-              comment_body+='```\n'
-              comment_body+="\n</details>\n"
-          fi
-
-        done <<< "$values_directories"
-
-        if [ -z "$comment_body" ]; then
-          comment_body="No changes in rendered templates"
-        fi
-
-        echo -e "$header$comment_body" | tee "$RUNNER_TEMP/dyff-output.md"
-
-    - name: Upload generated manifests
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
-      with:
-        name: dyff-templates
-        path: ${{ steps.dyff.outputs.output_dir }}
-        retention-days: 1
-
-    - name: Find dyff comment
-      if: github.event.pull_request.number != ''
-      uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e  # v3
-      id: find-dyff-comment
-      with:
-        issue-number: ${{ github.event.pull_request.number }}
-        comment-author: 'github-actions[bot]'
-        body-includes: 'dyff of changes in rendered templates'
-
-    - name: Create or update comment
-      if: github.event.pull_request.number != ''
-      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043  # v4
-      with:
-        comment-id: ${{ steps.find-dyff-comment.outputs.comment-id }}
-        issue-number: ${{ github.event.pull_request.number }}
-        body-path: ${{ runner.temp }}/dyff-output.md
-        edit-mode: replace
@@ -6,6 +6,9 @@ name: Changelog
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   check-newsfile:
     if: ${{ (github.base_ref == 'main'  || contains(github.base_ref, 'release-')) && github.actor != 'dependabot[bot]' && github.actor != 'github-actions[bot]' }}

@@ -11,6 +11,9 @@ on:
     - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   reuse-compliance-check:
     runs-on: ubuntu-latest

@@ -17,12 +17,11 @@ env:
   REGISTRY_IMAGE: ghcr.io/${{ github.repository }}/matrix-tools
   GO_VERSION: "1.24"
 
-permissions:
-  contents: read
-  packages: read
-
 jobs:
   tests:
+    permissions:
+      contents: read
+      packages: read
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
@@ -60,6 +59,7 @@ jobs:
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
 
     - name: Login to GHCR
+      if: ${{ github.ref_type == 'tag' }}
       uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772  # v3
       with:
         registry: ghcr.io

@@ -13,7 +13,6 @@ on:
 
 permissions:
   contents: read
-  packages: read
 
 env:
   DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -68,15 +67,9 @@ jobs:
       run: |
         echo "$(poetry env info -p)/bin" >> "${GITHUB_PATH}"
 
-    - name: Login to GHCR
-      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772  # v3
-      with:
-        registry: ghcr.io
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
-
     - name: Login to Dockerhub
       uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772  # v3
+      if: ${{ github.repository == 'element-hq/ess-helm' }}
       with:
         registry: docker.io
         username: ${{ secrets.DOCKERHUB_USERNAME }}

@@ -50,6 +50,7 @@ jobs:
         fi
 
     - name: Login to GitHub Container Registry
+      if: ${{ github.event_name != 'pull_request' }}
       uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772  # v3
       with:
         registry: ghcr.io
@@ -75,7 +76,9 @@ jobs:
         cd charts/matrix-stack
         helm package .
 
-        helm push matrix-stack-*.tgz oci://ghcr.io/${{ github.repository }}
+    - name: Helm push
+      if: ${{ github.event_name != 'pull_request' }}
+      run: helm push matrix-stack-*.tgz oci://ghcr.io/${{ github.repository }}
 
     - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
       with:

@@ -11,6 +11,9 @@ on:
     - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   shellcheck:
     runs-on: ubuntu-latest

@@ -0,0 +1,47 @@
+# Copyright 2025 New Vector Ltd
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+
+name: dyff of rendered templates - comment
+on:
+  workflow_run:
+    workflows: ["dyff of rendered templates"]
+    types:
+    - completed
+
+jobs:
+  manage-comment:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    if: github.event.workflow_run.conclusion == 'success'
+    steps:
+    - name: Download dyff of templates
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        name: dyff-templates
+        run-id: ${{ github.event.workflow_run.id }}
+
+    - name: Unpack artifact
+      id: artifacts
+      run: |
+        unzip dyff-templates -d "${{ runner.temp }}"
+        # This is already formatted as pr-number=<pr number>
+        cat "${{ runner.temp }}/pr-number.txt" >> "$GITHUB_OUTPUT"
+
+    - name: Find dyff comment
+      uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e  # v3
+      id: find-dyff-comment
+      with:
+        issue-number: ${{ steps.artifacts.outputs.pr-number }}
+        comment-author: 'github-actions[bot]'
+        body-includes: 'dyff of changes in rendered templates'
+
+    - name: Create or update comment
+      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043  # v4
+      with:
+        comment-id: ${{ steps.artifacts.outputs.pr-number }}
+        issue-number: ${{ github.event.pull_request.number }}
+        body-path: ${{ runner.temp }}/dyff-output.md
+        edit-mode: replace