Commit Graph

621 Commits

Author SHA1 Message Date
Quentin Gliech cb043e2cd9 build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#5629) 2026-05-25 13:01:00 +02:00
Quentin Gliech a02fb6e14f build(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (#5628) 2026-05-25 13:00:49 +02:00
Quentin Gliech 6043fa729c build(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0 (#5627) 2026-05-25 13:00:40 +02:00
Quentin Gliech 73060d1819 build(deps): bump actions/upload-pages-artifact from 4.0.0 to 5.0.0 (#5626) 2026-05-25 13:00:27 +02:00
Quentin Gliech 9ae07db85a Bump all frontend dependencies 2026-05-25 12:36:56 +02:00
Quentin Gliech f78917ecbf Merge branch 'main' into quenting/pnpm 2026-05-25 11:12:18 +02:00
Quentin Gliech eeea952b55 Add a comment about the artefact collection 2026-05-20 15:24:19 +02:00
Quentin Gliech 7834229784 Re-add DOCKER_METADATA_ANNOTATIONS_LEVELS to narrow annotations to the index
`docker buildx imagetools create --annotation manifest:KEY=VALUE` errors
out with "manifest annotations are not supported yet". metadata-action
defaults to emitting `manifest:` prefixed entries, so without an explicit
`DOCKER_METADATA_ANNOTATIONS_LEVELS: index` the finalize step blows up
the first time it sees a non-empty annotations list.
2026-05-20 15:22:56 +02:00
Quentin Gliech 63deb0b1fd Don't specify DOCKER_METADATA_ANNOTATIONS_LEVELS
We're injecting annotations manually anyway
2026-05-20 14:42:17 +02:00
Quentin Gliech d88db7deff Simplify the injection of annotations in the final manifest 2026-05-20 14:41:53 +02:00
Quentin Gliech c2dc7c11a9 Split multi-arch Docker build into parallel jobs
- Modify Dockerfile to build single architecture based on TARGETARCH instead of cross-compiling both targets in one run
- Replace single build-image job with matrix job (amd64, arm64)
- Add finalize-image job that creates multi-arch manifests using `docker buildx imagetools create` and signs the final images
- Each architecture gets its own build cache

This enables parallel builds of each architecture, reducing total build time by running both simultaneously rather than sequentially.
2026-05-20 12:57:22 +02:00
Quentin Gliech 750de33486 Push MAS docker images to Element OCI Registry (#5459) 2026-05-20 11:58:11 +02:00
Quentin Gliech 6946e57ffd Fix the release notes reference to the image 2026-05-20 10:58:01 +02:00
Quentin Gliech 2d6176308d Merge branch 'main' into hughns/apalis-dependabot 2026-05-20 10:45:24 +02:00
Quentin Gliech efb878e0a3 Increase dependabot interval from daily to monthly (#5686) 2026-05-20 10:44:51 +02:00
Quentin Gliech e833483070 Bump OCI login action to v4.1.0 to match the GHCR login 2026-05-20 10:44:20 +02:00
Quentin Gliech c52161d420 Merge remote-tracking branch 'origin/main' into devon/element-docker 2026-05-20 10:14:18 +02:00
Quentin Gliech 815e9ef19a Skip oci.element.io push on PR-labelled builds
Tailscale + Vault JWT auth needs a `push`-event OIDC token, so gate the
oci-push registry image and its login steps on `github.event_name == 'push'`.
PR-labelled builds (`Z-Build-Workflow`) push only to ghcr.io.
2026-05-20 09:50:18 +02:00
Quentin Gliech f0100c4fa8 Disable provenance in the metadata output 2026-05-20 09:34:26 +02:00
Hugh Nimmo-Smith 676e2fc75f Increase dependabot interval from daily to monthly 2026-05-15 14:04:43 +01:00
Hugh Nimmo-Smith 5976430070 Remove unused apalis dependabot config 2026-05-15 14:00:53 +01:00
Quentin Gliech f99f4f5fba Fix the transformation of the Docker build metadata in CI
This broke in #5664 due to STEPS_BAKE_OUTPUTS_METADATA being too large
to be passed as an argument to a shell script.

This replaces the `jq` call with a JavaScript action which transforms
the output.
2026-05-15 13:29:55 +02:00
dependabot[bot] 24a5e74898 build(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1
Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 8.1.0 to 8.1.1.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases)
- [Commits](https://github.com/peter-evans/create-pull-request/compare/c0f553fe549906ede9cf27b5156039d195d2ece0...5f6978faf089d4d20b00c7766989d076bb2fc7f1)

---
updated-dependencies:
- dependency-name: peter-evans/create-pull-request
  dependency-version: 8.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-13 14:10:47 +00:00
dependabot[bot] e3c7375ca4 build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 7.0.0 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f...043fb46d1a93c77aae656e7c1c64a875d1fc6a0a)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-13 14:10:09 +00:00
dependabot[bot] 10a0a197cc build(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2.6.1 to 3.0.0.
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](https://github.com/softprops/action-gh-release/compare/153bb8e04406b158c6c84fc1615b65b24149a1fe...b4309332981a82ec1c5618f44dd2e27cc8bfbfda)

---
updated-dependencies:
- dependency-name: softprops/action-gh-release
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-13 14:10:07 +00:00
dependabot[bot] 8343a30051 build(deps): bump actions/upload-pages-artifact from 4.0.0 to 5.0.0
Bumps [actions/upload-pages-artifact](https://github.com/actions/upload-pages-artifact) from 4.0.0 to 5.0.0.
- [Release notes](https://github.com/actions/upload-pages-artifact/releases)
- [Commits](https://github.com/actions/upload-pages-artifact/compare/7b1f4a764d45c48632c6b24a0339c27f5614fb0b...fc324d3547104276b827a68afc52ff2a11cc49c9)

---
updated-dependencies:
- dependency-name: actions/upload-pages-artifact
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-13 14:09:58 +00:00
Andrew Morgan 451761c39c Note that clippy is synced to the Dockerfile Rust version 2026-05-13 12:50:21 +02:00
Andrew Morgan c69b4e0cc2 Correct STEPS_BAKE_OUTPUTS_METADATA line
Looks like this is an edge case in zizmor.
2026-05-13 12:49:06 +02:00
Andrew Morgan ea9f324e75 Use --override to set default toolchain
And remove now unnecessary rustup default calls.
2026-05-13 12:45:49 +02:00
Andrew Morgan 49ad5c79e1 Use Rust 1.93.0 for clippy CI job
Revert from stable (1.95.0), which introduced new lints. We'll tackle those in a separate PR.
2026-05-13 10:58:26 +02:00
Quentin Gliech aa34d9ebe5 Specify the node version in a .node-version file
This should fix the Cloudflare Pages build
2026-05-12 16:51:15 +02:00
Quentin Gliech d5d6b1b90d Include .github/scripts in the pnpm workspace
This package only provides type-checking and editor IntelliSense for the
.cjs scripts loaded by actions/github-script in workflows — nothing in
CI relies on its node_modules being present. But folding it into the
workspace means there's exactly one lockfile to update and one
`pnpm install` to run.

Two new pnpm-workspace.yaml entries fall out:

 - allowBuilds: @actions/github-script (fetched from git, has a husky
   prepare script that compiles dist/).
 - trustPolicyExclude: undici@5.29.0, a transitive of @actions/http-client
   whose older 5.x releases shipped with provenance but this one doesn't.

The local .github/scripts/.gitignore is now redundant since the root
.gitignore covers node_modules workspace-wide.
2026-05-12 12:51:21 +02:00
Quentin Gliech bca6b65ee4 dependabot: point the npm ecosystem at the workspace root
The frontend dependencies now live in a pnpm workspace rooted at the
repo root. Dependabot's "npm" ecosystem supports pnpm workspaces, so
pointing it at "/" lets it discover both package.json files (root +
frontend) and bump them off pnpm-lock.yaml in a single PR per group.
2026-05-12 12:51:21 +02:00
Quentin Gliech 4bd083e81d ci: install pnpm via pnpm/action-setup, move CLI tools to root devDeps
All workflows that previously ran `npm ci` + a frontend script now install
pnpm via pnpm/action-setup (which honors the `packageManager` field in the
root package.json) and run scripts through `pnpm --filter mas-frontend`.
setup-node gets `cache: "pnpm"` so the pnpm store survives between runs.

The @localazy/cli and semver CLIs used by the release/translation workflows
move from ad-hoc `npm install -g` / `npx --yes` invocations to root
devDependencies, so the version is locked in pnpm-lock.yaml and a single
`pnpm install --frozen-lockfile` makes both available as `pnpm exec`.

misc/build-docs.sh (used by the docs workflow and Cloudflare Pages) is
updated to call `corepack enable` on Cloudflare Pages and to run storybook
through `pnpm --filter mas-frontend exec`.
2026-05-12 12:51:20 +02:00
Andrew Morgan d1a1ef7341 Install rustfmt component 2026-05-06 16:36:58 +01:00
Andrew Morgan 0ca5040e3d Make nightly the default toolchain for cargo fmt job 2026-05-06 15:58:21 +01:00
Andrew Morgan 647b5a79ac Revert "WIP disable caching in release workflows"
This reverts commit 72e5ae40b0.

Let's do this in a follow-up PR.
2026-05-05 20:27:13 +01:00
Andrew Morgan 72e5ae40b0 WIP disable caching in release workflows 2026-05-05 13:16:29 +01:00
Andrew Morgan 34153e03ac Switch rust install GH action to rustup 2026-05-05 12:55:12 +01:00
Andrew Morgan d9dd2bb68e Set a cooldown for dependabot updates
Set to 14 days to align with the rest of Element's Backend repos.
2026-05-05 12:36:40 +01:00
Andrew Morgan cd9e54cc89 Replace steps.bake.outputs.metadata with an env var
So the bake job's output can't be used to run arbitrary shell commands. See https://docs.zizmor.sh/audits/#template-injection
2026-05-05 12:36:20 +01:00
Andrew Morgan fdf8dde38a Tell actions/checkout not to persist credentials
Recommended by `zizmor`. See https://docs.zizmor.sh/audits/#artipacked
for an explanation.
2026-05-05 12:34:58 +01:00
Andrew Morgan b99023662a Pin versions of GitHub Actions using zizmor
To eliminate risk of supply chain attacks.
2026-05-05 12:32:07 +01:00
Olivier 'reivilibre 2105226034 build(deps): bump docker/bake-action from 7.0.0 to 7.1.0 (#5624) 2026-04-10 17:08:00 +00:00
dependabot[bot] a804d3ecb7 build(deps): bump docker/bake-action from 7.0.0 to 7.1.0
Bumps [docker/bake-action](https://github.com/docker/bake-action) from 7.0.0 to 7.1.0.
- [Release notes](https://github.com/docker/bake-action/releases)
- [Commits](https://github.com/docker/bake-action/compare/v7.0.0...v7.1.0)

---
updated-dependencies:
- dependency-name: docker/bake-action
  dependency-version: 7.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-10 13:54:10 +00:00
dependabot[bot] 671a676dfd build(deps): bump EmbarkStudios/cargo-deny-action from 2.0.15 to 2.0.16
Bumps [EmbarkStudios/cargo-deny-action](https://github.com/embarkstudios/cargo-deny-action) from 2.0.15 to 2.0.16.
- [Release notes](https://github.com/embarkstudios/cargo-deny-action/releases)
- [Commits](https://github.com/embarkstudios/cargo-deny-action/compare/v2.0.15...v2.0.16)

---
updated-dependencies:
- dependency-name: EmbarkStudios/cargo-deny-action
  dependency-version: 2.0.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-10 13:54:03 +00:00
dependabot[bot] a325b44827 build(deps): bump docker/login-action from 4.0.0 to 4.1.0
Bumps [docker/login-action](https://github.com/docker/login-action) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v4.0.0...v4.1.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-03 13:53:42 +00:00
Quentin Gliech 1ac6ffb5ca build(deps): bump codecov/codecov-action from 5.5.2 to 6.0.0 (#5585) 2026-03-31 12:08:09 +02:00
Quentin Gliech 380671acbc build(deps): bump sigstore/cosign-installer from 4.1.0 to 4.1.1 (#5584) 2026-03-31 12:06:41 +02:00
dependabot[bot] 70884482be build(deps): bump codecov/codecov-action from 5.5.2 to 6.0.0
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.5.2 to 6.0.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/v5.5.2...v6.0.0)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-26 14:02:32 +00:00