Merge pull request #3 from element-hq/af/nordeck-synapse-guest-module

Add Nordeck's Synapse Guest Module

.github/CODEOWNERS

@@ -1 +1,2 @@
 *                         @element-hq/element-web-reviewers
+synapse/                  @element-hq/server-products-developers

.github/workflows/publish-release-synapse-module.yml

@@ -0,0 +1,76 @@
+# This pipeline runs for every new tag. It will pull the docker container for
+# the commit hash of the tag, and will publish it as `:<tag-name>` and `latest`.
+name: Release Synapse Guest Module
+
+on:
+    push:
+        tags:
+            - "module/restricted-guests@*"
+
+jobs:
+    build:
+        name: Build
+        runs-on: ubuntu-latest
+        timeout-minutes: 15
+        permissions:
+            contents: read
+            packages: write
+            id-token: write
+        env:
+            DOCKER_IMAGE: ghcr.io/element-hq/synapse-guest-module
+        steps:
+            - name: Generate Docker metadata of the existing image
+              id: meta-existing-tag
+              uses: docker/metadata-action@v5
+              with:
+                  images: ${{ env.DOCKER_IMAGE }}
+                  tags: |
+                      type=sha,prefix=
+
+            - name: Generate Docker metadata of the new image
+              id: meta-new-tags
+              uses: docker/metadata-action@v5
+              with:
+                  images: ${{ env.DOCKER_IMAGE }}
+                  labels: |
+                      org.opencontainers.image.title=Synapse Guest Module
+                      org.opencontainers.image.description=A synapse module to restrict the actions of guests
+                      org.opencontainers.image.vendor=New Vector Ltd.
+                  tags: |
+                      type=match,pattern=@element-hq/synapse-guest-module@(.*),group=1
+
+            - name: Generate Dockerfile
+              env:
+                  SOURCE_IMAGE: ${{ fromJSON(steps.meta-existing-tag.outputs.json).tags[0] }}
+              run: |
+                  echo "FROM $SOURCE_IMAGE" > Dockerfile
+
+            - name: Login to ghcr.io
+              uses: docker/login-action@v3
+              with:
+                  registry: ghcr.io
+                  username: ${{ github.repository_owner }}
+                  password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Install Cosign
+              uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # @v3.5.0
+
+            - name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@v3
+
+            - name: Build and push
+              id: build_and_push
+              uses: docker/build-push-action@v6
+              with:
+                  push: true
+                  context: .
+                  tags: ${{ steps.meta-new-tags.outputs.tags }}
+                  labels: ${{ steps.meta-new-tags.outputs.labels }}
+                  platforms: linux/amd64,linux/arm64,linux/s390x
+                  sbom: true
+                  provenance: true
+
+            - name: Sign the images with GitHub OIDC Token
+              env:
+                  DIGEST: ${{ steps.build_and_push.outputs.digest }}
+              run: cosign sign --yes "${DOCKER_IMAGE}@${DIGEST}"

.github/workflows/synapse-module.yml

@@ -0,0 +1,68 @@
+name: Test and build Synapse Guest Module
+
+on:
+    push:
+        branches:
+            - main
+    pull_request:
+
+jobs:
+    build-py:
+        name: Build Python
+        runs-on: ubuntu-latest
+        timeout-minutes: 15
+        defaults:
+            run:
+                working-directory: ./modules/restricted-guests/synapse/
+        env:
+            DOCKER_IMAGE: ghcr.io/element-hq/synapse-guest-module
+        steps:
+            - uses: actions/checkout@v4
+
+            - uses: actions/setup-python@v5
+              with:
+                  python-version: "3.11"
+
+            - run: python -m pip install tox
+
+            - name: lint
+              run: tox -e check_codestyle
+
+            - name: type checking and declarations
+              run: tox -e check_types
+
+            - name: Login to ghcr.io
+              uses: docker/login-action@v3
+              with:
+                  registry: ghcr.io
+                  username: ${{ github.repository_owner }}
+                  password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@v3
+
+            - name: Generate Docker metadata
+              id: meta
+              uses: docker/metadata-action@v5
+              env:
+                  DOCKER_METADATA_PR_HEAD_SHA: true
+              with:
+                  images: ${{ env.DOCKER_IMAGE }}
+                  labels: |
+                      org.opencontainers.image.title=Synapse Guest Module
+                      org.opencontainers.image.description=A synapse module to restrict the actions of guests
+                      org.opencontainers.image.vendor=New Vector Ltd.
+                  tags: |
+                      type=sha,prefix=
+
+            - name: Docker build and push
+              uses: docker/build-push-action@v6
+              id: dockerBuild
+              with:
+                  push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'pull_request' && secrets.GH_APP_OS_APP_ID != '' }}
+                  context: modules/restricted-guests/synapse
+                  tags: ${{ steps.meta.outputs.tags }}
+                  labels: ${{ steps.meta.outputs.labels }}
+                  platforms: linux/amd64,linux/arm64,linux/s390x
+                  sbom: true
+                  provenance: true

.github/workflows/tests.yml

@@ -10,8 +10,8 @@ concurrency:
 permissions: {}
 
 jobs:
-    vitest:
-        name: Vitest
+    test:
+        name: Run tests & upload coverage reports
         runs-on: ubuntu-24.04-arm
         steps:
             - uses: actions/checkout@v4
@@ -21,17 +21,25 @@ jobs:
                   cache: "yarn"
                   node-version: "lts/*"
 
+            - uses: actions/setup-python@v5
+              with:
+                  python-version: "3.11"
+
             - name: Install Deps
               run: "yarn install --frozen-lockfile"
 
             - name: Run tests
-              run: yarn test --coverage
+              run: yarn test
+
+            - name: Fixup python coverage
+              run: sed -ie 's/filename="/filename="modules\/restricted-guests\/synapse\//' modules/restricted-guests/synapse/coverage.xml
 
             - name: Upload Artifact
               uses: actions/upload-artifact@v4
               with:
                   name: coverage
                   path: |
+                      modules/restricted-guests/synapse/coverage.xml
                       **/coverage
                       !**/coverage/lcov-report
                       !**/node_modules/**

.gitignore

@@ -130,6 +130,16 @@ dist
 .yarn/install-state.gz
 .pnp.*
 
+# Python
+.venv
+__pycache__/
+.tox/
+.coverage*
+coverage.*
+*.egg-info/
+_trial_temp/
+.mypy_cache/
+
 # Custom rules
 # Ignore all built libraries
 lib/

modules/restricted-guests/synapse/.dockerignore

@@ -0,0 +1,3 @@
+# ignore all files except the build folder
+*
+!/synapse_guest_module/*.py

modules/restricted-guests/synapse/CHANGELOG.md

@@ -0,0 +1,7 @@
+# @element-hq/synapse-guest-module
+
+## 1.0.0
+
+### Major Changes
+
+- Fork from [Nordeck's version](https://github.com/nordeck/element-web-modules/tree/main/packages/synapse-guest-module).

modules/restricted-guests/synapse/Dockerfile

@@ -0,0 +1,7 @@
+ARG DEBIAN_VERSION_NUMERIC=12
+FROM gcr.io/distroless/base-nossl-debian${DEBIAN_VERSION_NUMERIC}
+
+WORKDIR /src
+COPY synapse_guest_module /src/synapse_guest_module
+
+CMD ["cp", "-r", "/src/synapse_guest_module", "/modules"]