diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index ebad0d4a98..010bce863b 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -11,7 +11,7 @@ on:
permissions:
contents: read
packages: write
-
+ id-token: write # needed for signing the images with GitHub OIDC Token
jobs:
build:
runs-on: ubuntu-latest
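Review bot: `id-token: write` is added to the workflow-level `permissions` block, so every job in this workflow, and every third-party action those jobs run, can request an OIDC token carrying the repository's identity. Only the signing step needs it, so I would move the grant into the job, i.e. a `permissions:` mapping under `jobs.build` listing `contents: read`, `packages: write` and `id-token: write`. Job-level permissions replace the workflow-level set rather than adding to it, which is why all three have to be listed there. Only the `build` job is visible in this hunk; if it is the sole job the effect today is the same, but the job-level form stops a job added later from inheriting the token right.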
@@ -29,6 +29,9 @@ jobs:
- name: Inspect builder
run: docker buildx inspect
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.3.0
+
- name: Checkout repository
uses: actions/checkout@v4
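Review bot: The new `sigstore/cosign-installer@v3.3.0` step is referenced by a tag, which the action's owner can move, and it runs in a job that holds `packages: write` and `id-token: write`. Because this action installs the binary that later produces the signatures, I would pin it to the full commit SHA and keep the version as a trailing comment: `uses: sigstore/cosign-installer@<full-commit-sha> # v3.3.0`. The step list continues outside this hunk, so other steps in the job may deserve the same treatment.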
@@ -58,7 +61,7 @@ jobs:
with:
images: |
docker.io/matrixdotorg/synapse
- ghcr.io/matrix-org/synapse
+ ghcr.io/element-hq/synapse
flavor: |
latest=false
tags: |
@@ -68,6 +71,7 @@ jobs:
type=pep440,pattern={{raw}}
- name: Build and push all platforms
+ id: build-and-push
uses: docker/build-push-action@v5
with:
push: true
@@ -82,3 +86,14 @@ jobs:
# https://github.com/rust-lang/cargo/issues/10583
build-args: |
CARGO_NET_GIT_FETCH_WITH_CLI=true
+
+ - name: Sign the images with GitHub OIDC Token
+ env:
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}
+ TAGS: ${{ steps.set-tag.outputs.tags }}
+ run: |
+ images=""
+ for tag in ${TAGS}; do
+ images+="${tag}@${DIGEST} "
+ done
+ cosign sign --yes ${images}
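Review bot: The signing step carries no comment saying which identity the signatures are issued to, and a consumer cannot verify an image without knowing that. With keyless signing the certificate identity is this workflow at the ref being built, issued through GitHub's OIDC provider. I would add above `run:` something like `# Keyless: signer identity is this workflow file at the built ref; verify with cosign verify --certificate-identity-regexp ... --certificate-oidc-issuer ...` and repeat the exact values in the install docs. Separately, the loop signs `${tag}@${DIGEST}` once per tag although the signature is bound to the digest, so a repository with several tags appears to receive several equivalent signatures and transparency-log entries; de-duplicating on the repository part would avoid that. `steps.set-tag` is defined outside this hunk, so what `TAGS` actually contains could not be checked here.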
diff --git a/.github/workflows/docs-pr.yaml b/.github/workflows/docs-pr.yaml
index 9cf3d340a4..52b0f8802d 100644
--- a/.github/workflows/docs-pr.yaml
+++ b/.github/workflows/docs-pr.yaml
@@ -24,7 +24,7 @@ jobs:
mdbook-version: '0.4.17'
- name: Setup python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@v5
with:
python-version: "3.x"
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index 31b9dbe3fe..d611fdc924 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -60,8 +60,11 @@ jobs:
with:
mdbook-version: '0.4.17'
+ - name: Set version of docs
+ run: echo 'window.SYNAPSE_VERSION = "${{ needs.pre.outputs.branch-version }}";' > ./docs/website_files/version.js
+
- name: Setup python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@v5
with:
python-version: "3.x"
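Review bot: In the new "Set version of docs" step, `${{ needs.pre.outputs.branch-version }}` is expanded into the shell script text before bash runs it, so a value containing a single quote would end the quoted string and the remainder would be executed as shell. The `pre` job is outside this hunk; if `branch-version` is derived from a branch or tag name, this is the usual workflow script-injection pattern. Passing the value through the environment keeps it as data, as the signing step in docker.yml already does: add `env:` with `BRANCH_VERSION: ${{ needs.pre.outputs.branch-version }}` and change the command to `run: echo "window.SYNAPSE_VERSION = \"${BRANCH_VERSION}\";" > ./docs/website_files/version.js`. The value also lands inside a JavaScript string literal, so checking in `pre` that it matches the expected version pattern would cover both sinks.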
diff --git a/.github/workflows/latest_deps.yml b/.github/workflows/latest_deps.yml
index cb801afcbf..f40342f951 100644
--- a/.github/workflows/latest_deps.yml
+++ b/.github/workflows/latest_deps.yml
@@ -23,7 +23,7 @@ concurrency:
jobs:
check_repo:
- # Prevent this workflow from running on any fork of Synapse other than matrix-org/synapse, as it is
+ # Prevent this workflow from running on any fork of Synapse other than element-hq/synapse, as it is
# only useful to the Synapse core team.
# All other workflow steps depend on this one, thus if 'should_run_workflow' is not 'true', the rest
# of the workflow will be skipped as well.
@@ -32,7 +32,7 @@ jobs:
should_run_workflow: ${{ steps.check_condition.outputs.should_run_workflow }}
steps:
- id: check_condition
- run: echo "should_run_workflow=${{ github.repository == 'matrix-org/synapse' }}" >> "$GITHUB_OUTPUT"
+ run: echo "should_run_workflow=${{ github.repository == 'element-hq/synapse' }}" >> "$GITHUB_OUTPUT"
mypy:
needs: check_repo
@@ -86,7 +86,7 @@ jobs:
-e POSTGRES_PASSWORD=postgres \
-e POSTGRES_INITDB_ARGS="--lc-collate C --lc-ctype C --encoding UTF8" \
postgres:${{ matrix.postgres-version }}
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@v5
with:
python-version: "3.x"
- run: pip install .[all,test]
@@ -200,7 +200,7 @@ jobs:
- name: Prepare Complement's Prerequisites
run: synapse/.ci/scripts/setup_complement_prerequisites.sh
- - uses: actions/setup-go@v4
+ - uses: actions/setup-go@v5
with:
cache-dependency-path: complement/go.sum
go-version-file: complement/go.mod
diff --git a/.github/workflows/poetry_lockfile.yaml b/.github/workflows/poetry_lockfile.yaml
index 4dd0f7d41f..496e536b93 100644
--- a/.github/workflows/poetry_lockfile.yaml
+++ b/.github/workflows/poetry_lockfile.yaml
@@ -17,7 +17,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@v5
with:
python-version: '3.x'
- run: pip install tomli
diff --git a/.github/workflows/release-artifacts.yml b/.github/workflows/release-artifacts.yml
index 8019f4c250..baf4b62292 100644
--- a/.github/workflows/release-artifacts.yml
+++ b/.github/workflows/release-artifacts.yml
@@ -28,7 +28,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@v5
with:
python-version: '3.x'
- id: set-distros
@@ -74,7 +74,7 @@ jobs:
${{ runner.os }}-buildx-
- name: Set up python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@v5
with:
python-version: '3.x'
@@ -123,7 +123,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@v5
with:
# setup-python@v4 doesn't impose a default python version. Need to use 3.x
# here, because `python` on osx points to Python 2.7.
@@ -168,7 +168,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@v5
with:
python-version: '3.10'
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index a1f714da23..f22ca5f7e6 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -102,7 +102,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@v5
with:
python-version: "3.x"
- run: "pip install 'click==8.1.1' 'GitPython>=3.1.20'"
@@ -112,7 +112,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@v5
with:
python-version: "3.x"
- run: .ci/scripts/check_lockfile.py
@@ -194,7 +194,7 @@ jobs:
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@v5
with:
python-version: "3.x"
- run: "pip install 'towncrier>=18.6.0rc1'"
@@ -297,7 +297,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@v5
with:
python-version: "3.x"
- id: get-matrix
@@ -384,7 +384,7 @@ jobs:
sudo apt-get -qq install build-essential libffi-dev python-dev \
libxml2-dev libxslt-dev xmlsec1 zlib1g-dev libjpeg-dev libwebp-dev
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@v5
with:
python-version: '3.8'
@@ -636,7 +636,7 @@ jobs:
- name: Prepare Complement's Prerequisites
run: synapse/.ci/scripts/setup_complement_prerequisites.sh
- - uses: actions/setup-go@v4
+ - uses: actions/setup-go@v5
with:
cache-dependency-path: complement/go.sum
go-version-file: complement/go.mod
diff --git a/.github/workflows/triage-incoming.yml b/.github/workflows/triage-incoming.yml
index 24dac47bf2..7a369b77fe 100644
--- a/.github/workflows/triage-incoming.yml
+++ b/.github/workflows/triage-incoming.yml
@@ -7,9 +7,8 @@ on:
jobs:
triage:
uses: matrix-org/backend-meta/.github/workflows/triage-incoming.yml@v2
- with:
+ with:
project_id: 'PVT_kwDOAIB0Bs4AFDdZ'
content_id: ${{ github.event.issue.node_id }}
- secrets:
+ secrets:
github_access_token: ${{ secrets.ELEMENT_BOT_TOKEN }}
-
diff --git a/.github/workflows/twisted_trunk.yml b/.github/workflows/twisted_trunk.yml
index 1011a15390..428180fffd 100644
--- a/.github/workflows/twisted_trunk.yml
+++ b/.github/workflows/twisted_trunk.yml
@@ -22,17 +22,17 @@ concurrency:
jobs:
check_repo:
- # Prevent this workflow from running on any fork of Synapse other than matrix-org/synapse, as it is
+ # Prevent this workflow from running on any fork of Synapse other than element-hq/synapse, as it is
# only useful to the Synapse core team.
# All other workflow steps depend on this one, thus if 'should_run_workflow' is not 'true', the rest
# of the workflow will be skipped as well.
- if: github.repository == 'matrix-org/synapse'
+ if: github.repository == 'element-hq/synapse'
runs-on: ubuntu-latest
outputs:
should_run_workflow: ${{ steps.check_condition.outputs.should_run_workflow }}
steps:
- id: check_condition
- run: echo "should_run_workflow=${{ github.repository == 'matrix-org/synapse' }}" >> "$GITHUB_OUTPUT"
+ run: echo "should_run_workflow=${{ github.repository == 'element-hq/synapse' }}" >> "$GITHUB_OUTPUT"
mypy:
needs: check_repo
@@ -171,7 +171,7 @@ jobs:
- name: Prepare Complement's Prerequisites
run: synapse/.ci/scripts/setup_complement_prerequisites.sh
- - uses: actions/setup-go@v4
+ - uses: actions/setup-go@v5
with:
cache-dependency-path: complement/go.sum
go-version-file: complement/go.mod