Add Nordeck's Synapse Guest Module #3

Open: wants to merge 25 commits into base: main
01af446
Squashed 'modules/restricted-guests/synapse/' content from commit 0cf…
AndrewFerr Feb 4, 2025
7ff5188
Merge commit '01af446be7cbd63b38f2fe35c2c9a25fac4fdef8' as 'modules/r…
AndrewFerr Feb 4, 2025
a912199
synapse guest module: update copyright
AndrewFerr Feb 4, 2025
dc1c1d3
synapse guest module: copy upstream's publish job
AndrewFerr Feb 4, 2025
7ca2b8d
synapse guest module: update org name & docs
AndrewFerr Feb 4, 2025
a1f4170
Run lint-staged on all new files
AndrewFerr Feb 5, 2025
4ae7e6f
Ignore Python output files
AndrewFerr Feb 5, 2025
bda1363
synapse guest module: add to yarn workspaces
AndrewFerr Feb 5, 2025
33429bf
Import CI job from upstream
AndrewFerr Feb 5, 2025
efedfc4
Use CI job for only synapse guest module
AndrewFerr Feb 5, 2025
47f9cc3
Run lint-staged on synapse-module.yml
AndrewFerr Feb 5, 2025
ca3c6e8
Set code owner for synapse directories
AndrewFerr Feb 5, 2025
a48dc51
Change scoped tag for releases
AndrewFerr Feb 5, 2025
e9835df
synapse guest module: replace ADD with COPY
AndrewFerr Feb 6, 2025
3becf5d
synapse guest module: use minimal container image
AndrewFerr Feb 6, 2025
5f405b4
Revise code owner for synapse directories
AndrewFerr Feb 6, 2025
36e583d
Swap underscores for hyphens in workflow filenames
AndrewFerr Feb 6, 2025
90a61c5
Convert run_in_venv Node script to Bash
AndrewFerr Feb 7, 2025
b135eb1
Make run_in_venv POSIX compliant (not just Bash)
AndrewFerr Feb 7, 2025
481ceb9
run_in_venv: allow setting Python version
AndrewFerr Feb 7, 2025
78a400e
run_in_venv: skip unnecessary env reinstallation
AndrewFerr Feb 7, 2025
36def69
Split out vitest from general tests
AndrewFerr Feb 7, 2025
eef233c
Don't use vitest as global yarn script
AndrewFerr Feb 7, 2025
50855ea
synapse guest module: set version to 1.0.0
AndrewFerr Feb 10, 2025
2890cc1
synapse guest module: change license
AndrewFerr Feb 10, 2025
1 change: 1 addition & 0 deletions .github/CODEOWNERS
@@ -1 +1,2 @@
* @element-hq/element-web-reviewers
synapse/ @element-hq/server-products-developers
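Review bot: The added pattern `synapse/` has no leading slash, so it assigns @element-hq/server-products-developers to every directory named `synapse` at any depth, not only the module this PR adds. If the intent is just the vendored module, anchor it as `/modules/restricted-guests/synapse/`. The two workflows added in this PR under `.github/workflows/` still fall under the `*` rule, so changes to the job that builds, pushes and signs the image would not request review from the module's owners; consider listing those files here as well.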
76 changes: 76 additions & 0 deletions .github/workflows/publish-release-synapse-module.yml
@@ -0,0 +1,76 @@
# This pipeline runs for every new tag. It will pull the docker container for
# the commit hash of the tag, and will publish it as `:<tag-name>` and `latest`.
name: Release Synapse Guest Module

on:
push:
tags:
- "module/restricted-guests@*"

jobs:
build:
name: Build
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
contents: read
packages: write
id-token: write
env:
DOCKER_IMAGE: ghcr.io/element-hq/synapse-guest-module
steps:
- name: Generate Docker metadata of the existing image
id: meta-existing-tag
uses: docker/metadata-action@v5
with:
images: ${{ env.DOCKER_IMAGE }}
tags: |
type=sha,prefix=

- name: Generate Docker metadata of the new image
id: meta-new-tags
uses: docker/metadata-action@v5
with:
images: ${{ env.DOCKER_IMAGE }}
labels: |
org.opencontainers.image.title=Synapse Guest Module
org.opencontainers.image.description=A synapse module to restrict the actions of guests
org.opencontainers.image.vendor=New Vector Ltd.
tags: |
type=match,pattern=@element-hq/synapse-guest-module@(.*),group=1

- name: Generate Dockerfile
env:
SOURCE_IMAGE: ${{ fromJSON(steps.meta-existing-tag.outputs.json).tags[0] }}
run: |
echo "FROM $SOURCE_IMAGE" > Dockerfile

- name: Login to ghcr.io
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Install Cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # @v3.5.0

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Build and push
id: build_and_push
uses: docker/build-push-action@v6
with:
push: true
context: .
tags: ${{ steps.meta-new-tags.outputs.tags }}
labels: ${{ steps.meta-new-tags.outputs.labels }}
platforms: linux/amd64,linux/arm64,linux/s390x
sbom: true
provenance: true

- name: Sign the images with GitHub OIDC Token
env:
DIGEST: ${{ steps.build_and_push.outputs.digest }}
run: cosign sign --yes "${DOCKER_IMAGE}@${DIGEST}"
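Review bot: The `on.push.tags` filter is `module/restricted-guests@*`, but the `meta-new-tags` step extracts the version with `type=match,pattern=@element-hq/synapse-guest-module@(.*),group=1`, which cannot match a ref of that shape, so the version tag described in the header comment would not be produced. Align the pattern with the trigger, for example `pattern=module/restricted-guests@(.*)`, and confirm the resulting tag list against the header comment's `:<tag-name>` and `latest`. Separately, this job holds `packages: write` and `id-token: write`, yet only `sigstore/cosign-installer` is pinned to a commit SHA; pinning the `docker/*` actions the same way would keep the signing path from depending on the mutable `@v3`, `@v5` and `@v6` tags.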
71 changes: 71 additions & 0 deletions .github/workflows/synapse-module.yml
@@ -0,0 +1,71 @@
name: Test and build Synapse Guest Module

on:
push:
branches:
- main
pull_request:

jobs:
build-py:
name: Build Python
runs-on: ubuntu-latest
timeout-minutes: 15
defaults:
run:
working-directory: ./modules/restricted-guests/synapse/
env:
DOCKER_IMAGE: ghcr.io/element-hq/synapse-guest-module
steps:
- uses: actions/checkout@v4

- uses: actions/setup-python@v5
with:
python-version: "3.11"

- run: python -m pip install tox

- name: lint
run: tox -e check_codestyle

- name: type checking and declarations
run: tox -e check_types

- name: test
run: tox -e py

- name: Login to ghcr.io
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Generate Docker metadata
id: meta
uses: docker/metadata-action@v5
env:
DOCKER_METADATA_PR_HEAD_SHA: true
with:
images: ${{ env.DOCKER_IMAGE }}
labels: |
org.opencontainers.image.title=Synapse Guest Module
org.opencontainers.image.description=A synapse module to restrict the actions of guests
org.opencontainers.image.vendor=New Vector Ltd.
tags: |
type=sha,prefix=

- name: Docker build and push
uses: docker/build-push-action@v6
id: dockerBuild
with:
push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'pull_request' && secrets.GH_APP_OS_APP_ID != '' }}
context: modules/restricted-guests/synapse
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64,linux/arm64,linux/s390x
sbom: true
provenance: true
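Review bot: In the `Docker build and push` step, `push:` also evaluates true for `pull_request` runs whenever `secrets.GH_APP_OS_APP_ID` is set, so images built from unmerged code are pushed under `type=sha` tags to the same `ghcr.io/element-hq/synapse-guest-module` name that the release workflow later selects by commit SHA, retags and signs. Consider pushing only for `refs/heads/main` and building without push for pull requests, or sending pull-request images to a separate image name. `GH_APP_OS_APP_ID` is not used anywhere else in this file, so a comment explaining why it gates the push would help. The job also declares no `permissions:` block, unlike the release job; stating `contents: read` and `packages: write` explicitly avoids relying on the repository's default token permissions, and the `Login to ghcr.io` step could carry the same condition as `push:` so it does not run where nothing is pushed.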
2 changes: 1 addition & 1 deletion .github/workflows/tests.yml
Expand Up @@ -25,7 +25,7 @@ jobs:
run: "yarn install --frozen-lockfile"

- name: Run tests
run: yarn test --coverage
run: yarn workspaces run vitest --coverage

- name: Upload Artifact
uses: actions/upload-artifact@v4
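Review bot: The replacement command `yarn workspaces run vitest --coverage` in the `Run tests` step runs `vitest` in every workspace, so it depends on each workspace being able to resolve it. Commit bda1363 in this PR adds the Synapse guest module to the yarn workspaces; please confirm that workspace defines a `vitest` script or is otherwise excluded, since it is a Python package tested through tox in its own workflow. A one-line comment on why `yarn test` was replaced would also help future readers of this job.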
8 changes: 8 additions & 0 deletions .gitignore
Expand Up @@ -130,6 +130,14 @@ dist
.yarn/install-state.gz
.pnp.*

# Python
.venv
__pycache__/
.tox/
*.egg-info/
_trial_temp/
.mypy_cache/

# Custom rules
# Ignore all built libraries
lib/