Tighten GITHUB_TOKEN permissions

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

.github/workflows/backport.yml

@@ -7,6 +7,8 @@ on:
         branches:
             - develop
 
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+
 jobs:
     backport:
         name: Backport

.github/workflows/build.yml

@@ -10,6 +10,7 @@ env:
     # These must be set for fetchdep.sh to get the right branch
     REPOSITORY: ${{ github.repository }}
     PR_NUMBER: ${{ github.event.pull_request.number }}
+permissions: {} # No permissions required
 jobs:
     build:
         name: "Build on ${{ matrix.image }}"

.github/workflows/build_debian.yaml

@@ -3,6 +3,7 @@ on:
     release:
         types: [published]
 concurrency: ${{ github.workflow }}
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
     build:
         name: Build package

.github/workflows/build_develop.yml

@@ -9,6 +9,7 @@ on:
 concurrency:
     group: ${{ github.repository_owner }}-${{ github.workflow }}-${{ github.ref_name }}
     cancel-in-progress: true
+permissions: {}
 jobs:
     build:
         name: "Build & Deploy develop.element.io"
@@ -16,6 +17,9 @@ jobs:
         if: github.repository == 'element-hq/element-web'
         runs-on: ubuntu-24.04
         environment: develop
+        permissions:
+            checks: read
+            pages: write
         env:
             R2_BUCKET: "element-web-develop"
             R2_URL: ${{ vars.CF_R2_S3_API }}

.github/workflows/dockerhub.yaml

@@ -7,14 +7,14 @@ on:
         # This job can take a while, and we have usage limits, so just publish develop only twice a day
         - cron: "0 7/12 * * *"
 concurrency: ${{ github.workflow }}-${{ github.ref_name }}
-
-permissions:
-    id-token: write # needed for signing the images with GitHub OIDC Token
+permissions: {}
 jobs:
     buildx:
         name: Docker Buildx
         runs-on: ubuntu-24.04
         environment: dockerhub
+        permissions:
+            id-token: write # needed for signing the images with GitHub OIDC Token
         steps:
             - uses: actions/checkout@v4
               with:

.github/workflows/docs.yml

@@ -5,10 +5,7 @@ on:
         branches: [develop]
     workflow_dispatch: {}
 
-permissions:
-    contents: read
-    pages: write
-    id-token: write
+permissions: {}
 
 concurrency:
     group: "pages"
@@ -100,6 +97,8 @@ jobs:
             name: github-pages
             url: ${{ steps.deployment.outputs.page_url }}
         runs-on: ubuntu-24.04
+        permissions:
+            pages: write
         needs: build
         steps:
             - name: Deploy to GitHub Pages

.github/workflows/end-to-end-tests-netlify.yaml

@@ -11,6 +11,8 @@ concurrency:
     group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.run_id }}
     cancel-in-progress: ${{ github.event.workflow_run.event == 'pull_request' }}
 
+permissions: {}
+
 jobs:
     report:
         if: github.event.workflow_run.conclusion != 'cancelled'
@@ -20,11 +22,11 @@ jobs:
         permissions:
             statuses: write
             deployments: write
+            actions: read
         steps:
             - name: Download HTML report
               uses: actions/download-artifact@v4
               with:
-                  github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
                   run-id: ${{ github.event.workflow_run.id }}
                   name: html-report
                   path: playwright-report

.github/workflows/end-to-end-tests.yaml

@@ -33,6 +33,8 @@ env:
     # fetchdep.sh needs to know our PR number
     PR_NUMBER: ${{ github.event.pull_request.number }}
 
+permissions: {} # No permissions required
+
 jobs:
     build:
         name: "Build Element-Web"

.github/workflows/issue_closed.yml

@@ -4,6 +4,7 @@
 on:
     issues:
         types: [closed]
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
     tidy:
         name: Tidy closed issues

.github/workflows/localazy_download.yaml

@@ -3,6 +3,7 @@ on:
     workflow_dispatch: {}
     schedule:
         - cron: "0 6 * * 1,3,5" # Every Monday, Wednesday and Friday at 6am UTC
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
     download:
         uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_download.yaml@main

.github/workflows/localazy_upload.yaml

@@ -4,6 +4,7 @@ on:
         branches: [develop]
         paths:
             - "src/i18n/strings/en_EN.json"
+permissions: {} # No permissions needed
 jobs:
     upload:
         uses: matrix-org/matrix-web-i18n/.github/workflows/localazy_upload.yaml@main

.github/workflows/netlify.yaml

@@ -11,6 +11,9 @@ jobs:
         if: github.event.workflow_run.conclusion != 'cancelled' && github.event.workflow_run.event == 'pull_request'
         runs-on: ubuntu-24.04
         environment: Netlify
+        permissions:
+            actions: read
+            deployments: write
         steps:
             - name: 📝 Create Deployment
               uses: bobheadxi/deployments@648679e8e4915b27893bd7dbc35cb504dc915bc8 # v1
@@ -27,7 +30,6 @@ jobs:
             - name: 📥 Download artifact
               uses: actions/download-artifact@v4
               with:
-                  github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
                   run-id: ${{ github.event.workflow_run.id }}
                   name: webapp
                   path: webapp

.github/workflows/pending-reviews.yaml

@@ -6,6 +6,7 @@ on:
     #schedule:
     #    - cron: "*/10 * * * *"
 concurrency: ${{ github.workflow }}
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
     bot:
         name: Pending reviews bot

.github/workflows/playwright-image-updates.yaml

@@ -3,9 +3,12 @@ on:
     workflow_dispatch: {}
     schedule:
         - cron: "0 6 * * *" # Every day at 6am UTC
+permissions: {}
 jobs:
     update:
         runs-on: ubuntu-24.04
+        permissions:
+            pull-requests: write
         steps:
             - uses: actions/checkout@v4
 

.github/workflows/pull_request.yaml

@@ -4,6 +4,7 @@ on:
         types: [opened, edited, labeled, unlabeled, synchronize]
     merge_group:
         types: [checks_requested]
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
     action:
         uses: matrix-org/matrix-js-sdk/.github/workflows/pull_request.yaml@develop

.github/workflows/pull_request_base_branch.yaml

@@ -2,6 +2,7 @@ name: Pull Request Base Branch
 on:
     pull_request:
         types: [opened, edited, synchronize]
+permissions: {} # No permissions required
 jobs:
     check_base_branch:
         name: Check PR base branch

.github/workflows/release-drafter.yml

@@ -4,6 +4,9 @@ on:
         branches: [staging]
     workflow_dispatch: {}
 concurrency: ${{ github.workflow }}
+permissions: {}
 jobs:
     draft:
+        permissions:
+            contents: write
         uses: matrix-org/matrix-js-sdk/.github/workflows/release-drafter-workflow.yml@develop

.github/workflows/release-gitflow.yml

@@ -4,6 +4,7 @@ on:
     push:
         branches: [master]
 concurrency: ${{ github.repository }}-${{ github.workflow }}
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
     merge:
         uses: matrix-org/matrix-js-sdk/.github/workflows/release-gitflow.yml@develop

.github/workflows/release.yml

@@ -11,9 +11,13 @@ on:
                     - rc
                     - final
 concurrency: ${{ github.workflow }}
+permissions: {}
 jobs:
     release:
         uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop
+        permissions:
+            contents: write
+            issues: write
         secrets:
             ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
             GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
@@ -42,6 +46,8 @@ jobs:
         name: Post release checks
         needs: release
         runs-on: ubuntu-24.04
+        permissions:
+            checks: read
         steps:
             - name: Wait for dockerhub
               uses: t3chguy/wait-on-check-action@18541021811b56544d90e0f073401c2b99e249d6 # fork

.github/workflows/release_prepare.yml

@@ -17,6 +17,7 @@ on:
                 required: true
                 type: boolean
                 default: true
+permissions: {} # Uses ELEMENT_BOT_TOKEN instead
 jobs:
     prepare:
         runs-on: ubuntu-24.04

.github/workflows/sonarqube.yml

@@ -7,11 +7,16 @@ on:
 concurrency:
     group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch }}
     cancel-in-progress: true
+permissions: {}
 jobs:
     sonarqube:
         name: 🩻 SonarQube
         if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event != 'merge_group'
         uses: matrix-org/matrix-js-sdk/.github/workflows/sonarcloud.yml@develop
+        permissions:
+            actions: read
+            statuses: write
+            id-token: write # sonar
         secrets:
             SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
             ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}

.github/workflows/static_analysis.yaml

@@ -16,6 +16,8 @@ env:
     REPOSITORY: ${{ github.repository }}
     PR_NUMBER: ${{ github.event.pull_request.number }}
 
+permissions: {} # No permissions required
+
 jobs:
     ts_lint:
         name: "Typescript Syntax Check"

.github/workflows/sync-labels.yml

@@ -8,6 +8,9 @@ on:
             - develop
         paths:
             - .github/labels.yml
+
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+
 jobs:
     sync-labels:
         uses: element-hq/element-meta/.github/workflows/sync-labels.yml@develop

.github/workflows/tests.yml

@@ -26,6 +26,8 @@ env:
     # fetchdep.sh needs to know our PR number
     PR_NUMBER: ${{ github.event.pull_request.number }}
 
+permissions: {}
+
 jobs:
     jest:
         name: Jest
@@ -94,6 +96,8 @@ jobs:
         needs: jest
         if: always()
         runs-on: ubuntu-24.04
+        permissions:
+            checks: write
         steps:
             - if: needs.jest.result != 'skipped' && needs.jest.result != 'success'
               run: exit 1

.github/workflows/triage-assigned.yml

@@ -4,6 +4,8 @@ on:
     issues:
         types: [assigned]
 
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+
 jobs:
     web-app-team:
         runs-on: ubuntu-24.04

.github/workflows/triage-incoming.yml

@@ -4,6 +4,8 @@ on:
     issues:
         types: [opened]
 
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+
 jobs:
     automate-project-columns:
         runs-on: ubuntu-24.04

.github/workflows/triage-labelled.yml

@@ -8,6 +8,8 @@ on:
             ELEMENT_BOT_TOKEN:
                 required: true
 
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+
 jobs:
     apply_Z-Labs_label:
         name: Add Z-Labs label for features behind labs flags

.github/workflows/triage-move-review-requests.yml

@@ -3,6 +3,7 @@ on:
     pull_request_target:
         types: [review_requested]
 
+permissions: {} # Uses ELEMENT_BOT_TOKEN instead
 jobs:
     add_design_pr_to_project:
         name: Move PRs asking for design review to the design board

.github/workflows/triage-stale-flaky-tests.yml

@@ -2,6 +2,7 @@ name: Close stale flaky issues
 on:
     schedule:
         - cron: "30 1 * * *"
+permissions: {}
 jobs:
     close:
         runs-on: ubuntu-24.04

.github/workflows/triage-unlabelled.yml

@@ -3,11 +3,13 @@ name: Move unlabelled from needs info columns to triaged
 on:
     issues:
         types: [unlabeled]
-
+permissions: {}
 jobs:
     Move_Unabeled_Issue_On_Project_Board:
         name: Move no longer X-Needs-Info issues to Triaged
         runs-on: ubuntu-24.04
+        permissions:
+            repository-projects: read
         if: >
             ${{
             !contains(github.event.issue.labels.*.name, 'X-Needs-Info') }}

.github/workflows/update-jitsi.yml

@@ -4,6 +4,7 @@ on:
     workflow_dispatch: {}
     schedule:
         - cron: "0 3 * * 0" # 3am every Sunday
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
     update:
         runs-on: ubuntu-24.04

.github/workflows/update-topics.yaml

@@ -15,6 +15,7 @@ on:
                 required: true
                 type: string
 concurrency: ${{ github.workflow }}
+permissions: {} # No permissions required
 jobs:
     bot:
         name: Release topic update