mirror of
https://github.com/element-hq/synapse.git
synced 2026-06-02 15:04:06 +00:00
71e07d4c75
Bumps [hashicorp/vault-action](https://github.com/hashicorp/vault-action) from 3.4.0 to 4.0.0.

Release notes (sourced from [hashicorp/vault-action's releases](https://github.com/hashicorp/vault-action/releases)):

v4.0.0

4.0.0 (May 12, 2026)

Improvements:

- Bump node runtime from node20 to node24 [GH-604](https://redirect.github.com/hashicorp/vault-action/pull/604)
- Fix leading slash in secret paths causing HTTP 400 errors (e.g. `/cubbyhole/test` → `v1/cubbyhole/test` instead of `v1//cubbyhole/test`)
- bump jsrsasign from 11.1.0 to 11.1.3
- bump body-parser from 1.20.3 to 1.20.5
- bump qs from 6.13.0 to 6.15.1
- bump http-errors from 2.0.0 to 2.0.1
- bump minimatch from 3.1.2 to 3.1.5
- bump underscore from 1.13.4 to 1.13.8

Changelog (sourced from [hashicorp/vault-action's changelog](https://github.com/hashicorp/vault-action/blob/main/CHANGELOG.md)):

4.0.0 (May 12, 2026)

Improvements:

- Bump node runtime from node20 to node24 [GH-604](https://redirect.github.com/hashicorp/vault-action/pull/604)
- Fix leading slash in secret paths causing HTTP 400 errors (e.g. `/cubbyhole/test` → `v1/cubbyhole/test` instead of `v1//cubbyhole/test`)
- bump jsrsasign from 11.1.0 to 11.1.3
- bump body-parser from 1.20.3 to 1.20.5
- bump qs from 6.13.0 to 6.15.1
- bump http-errors from 2.0.0 to 2.0.1
- bump minimatch from 3.1.2 to 3.1.5
- bump underscore from 1.13.4 to 1.13.8

3.4.0 (June 13, 2025)

Bugs:

- replace all dot chars during normalization ([hashicorp/vault-action#580](https://redirect.github.com/hashicorp/vault-action/pull/580))

Improvements:

- Prevent possible DoS via polynomial regex ([hashicorp/vault-action#583](https://redirect.github.com/hashicorp/vault-action/pull/583))

3.3.0 (March 3, 2025)

Features:

- Wildcard secret imports can use `**` to retain case of exported env keys [GH-545](https://redirect.github.com/hashicorp/vault-action/pull/545)

3.2.0 (March 3, 2025)

Improvements:

- Add retry for jwt auth login to fix intermittent login failures [GH-574](https://redirect.github.com/hashicorp/vault-action/pull/574)

3.1.0 (January 9, 2025)

Improvements:

- fix wildcard handling when field contains dot [GH-542](https://redirect.github.com/hashicorp/vault-action/pull/542)
- bump body-parser from 1.20.0 to 1.20.3
- bump braces from 3.0.2 to 3.0.3
- bump cross-spawn from 7.0.3 to 7.0.6
- bump micromatch from 4.0.5 to 4.0.8

Features:

- `secretId` is no longer required for approle to support advanced use cases like machine login when `bind_secret_id` is false. [GH-522](https://redirect.github.com/hashicorp/vault-action/pull/522)
- Use `pki` configuration to generate certificates from Vault [GH-564](https://redirect.github.com/hashicorp/vault-action/pull/564)

3.0.0 (February 15, 2024)

... (truncated)

Commits:

- [`892a268`](https://github.com/hashicorp/vault-action/commit/892a26828f195e65540a40b4768ae4571f51ebfc) Update copywrite headers for v.4.0.0 release ([#607](https://redirect.github.com/hashicorp/vault-action/issues/607))
- [`a7ffa26`](https://github.com/hashicorp/vault-action/commit/a7ffa26e2e6ede175ca2e4f7dec54e78425d6936) Prepare for release v4.0.0 ([#606](https://redirect.github.com/hashicorp/vault-action/issues/606))
- [`a049f01`](https://github.com/hashicorp/vault-action/commit/a049f0183861f1dbbd996f64b48335487cc968db) [COMPLIANCE] Add/Update Copyright Headers ([#605](https://redirect.github.com/hashicorp/vault-action/issues/605))
- [`95977a3`](https://github.com/hashicorp/vault-action/commit/95977a3e2387e93244aaae1232de66fc47b379a3) Adding team-vault-consumption as CODEOWNERS ([#600](https://redirect.github.com/hashicorp/vault-action/issues/600))
- [`7e48e56`](https://github.com/hashicorp/vault-action/commit/7e48e563b6a9b4b0ba8b028c5ee89c41a8ae2671) Upgrade Node.js to 24 and update dependencies ([#604](https://redirect.github.com/hashicorp/vault-action/issues/604))
- [`79632e3`](https://github.com/hashicorp/vault-action/commit/79632e33d6953d190b940ffa440bf97821cabd80) [COMPLIANCE] Add Copyright and License Headers (Batch 1 of 1) ([#589](https://redirect.github.com/hashicorp/vault-action/issues/589))
- [`734c523`](https://github.com/hashicorp/vault-action/commit/734c523c4fbdb289cdf26dd2dc177f3627d1e140) README.md: Removing jwtGithubAudience default ([#590](https://redirect.github.com/hashicorp/vault-action/issues/590))
- [`2c58270`](https://github.com/hashicorp/vault-action/commit/2c5827061f1ad91ca97897d6257ebe638e033699) [Compliance] - PR Template Changes Required ([#586](https://redirect.github.com/hashicorp/vault-action/issues/586))
- See full diff in [compare view](https://github.com/hashicorp/vault-action/compare/4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b...892a26828f195e65540a40b4768ae4571f51ebfc)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
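The leading-slash fix from the 4.0.0 notes, shown as an added shell example (not code from hashicorp/vault-action or from this workflow): it normalizes a secret path the way the changelog describes and parses the `path key | OUTPUT ;` lines that the workflow's `secrets:` block uses, so an auditor can list which Vault paths a job reads. The line format and the `v1/` API prefix are assumptions taken from the notes above, not the action's own parser.

```shell
#!/bin/sh
# Added example, not hashicorp/vault-action's own code. It models the 4.0.0
# changelog item: a secret path with a leading slash must become
# "v1/cubbyhole/test", never "v1//cubbyhole/test" (the HTTP 400 case).

# Strip every leading "/" and prefix the Vault HTTP API version segment.
vault_api_path() {
  p="$1"
  while [ "${p#/}" != "$p" ]; do
    p="${p#/}"
  done
  printf 'v1/%s' "$p"
}

# Trim leading and trailing whitespace from $1.
trim() {
  t="$1"
  t="${t#"${t%%[![:space:]]*}"}"
  t="${t%"${t##*[![:space:]]}"}"
  printf '%s' "$t"
}

# Parse one "<path> <key> | <OUTPUT> ;" line (format assumed from the
# workflow's `secrets:` block) into a tab-separated "<api path> <key> <output>"
# record; malformed lines are reported on stderr and return 1.
vault_parse_secret_line() {
  line="$(trim "${1%;}")"
  case "$line" in
    *\|*) ;;
    *) printf 'no "| OUTPUT" part in: %s\n' "$line" >&2; return 1 ;;
  esac
  spec="$(trim "${line%%|*}")"
  out="$(trim "${line#*|}")"
  # word-splitting on purpose: first word is the path, second the key
  set -- $spec
  [ "$#" -eq 2 ] || { printf 'expected "<path> <key>": %s\n' "$spec" >&2; return 1; }
  printf '%s\t%s\t%s\n' "$(vault_api_path "$1")" "$2" "$out"
}

# Constructed sample lines: one mirrors the workflow's secrets block, the
# other is the leading-slash case from the changelog.
vault_parse_secret_line 'services/backend-repositories/secret/data/oci.element.io username | OCI_USERNAME ;'
vault_parse_secret_line '/cubbyhole/test value | CUBBY ;'
```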
222 lines
8.4 KiB
YAML
```yaml
# GitHub actions workflow which builds and publishes the docker images.

name: Build docker images

on:
  push:
    tags: ["v*"]
    branches: [master, main, develop]
  workflow_dispatch:

permissions:
  contents: read
  packages: write
  id-token: write # needed for signing the images with GitHub OIDC Token

jobs:
  build:
    name: Build and push image for ${{ matrix.platform }}
    runs-on: ${{ matrix.runs_on }}
    strategy:
      matrix:
        include:
          - platform: linux/amd64
            runs_on: ubuntu-24.04
            suffix: linux-amd64
          - platform: linux/arm64
            runs_on: ubuntu-24.04-arm
            suffix: linux-arm64
    steps:
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Extract version from pyproject.toml
        # Note: explicitly requesting bash will mean bash is invoked with `-eo pipefail`, see
        # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell
        shell: bash
        run: |
          echo "SYNAPSE_VERSION=$(grep "^version" pyproject.toml | sed -E 's/version\s*=\s*["]([^"]*)["]/\1/')" >> $GITHUB_ENV

      - name: Log in to DockerHub
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Log in to GHCR
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Tailscale
        uses: tailscale/github-action@306e68a486fd2350f2bfc3b19fcd143891a4a2d8 # v4.1.2
        with:
          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
          audience: ${{ secrets.TS_AUDIENCE }}
          tags: tag:github-actions

      - name: Compute vault jwt role name
        id: vault-jwt-role
        run: |
          echo "role_name=github_service_management_$( echo "${{ github.repository }}" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT"

      - name: Get team registry token
        id: import-secrets
        uses: hashicorp/vault-action@892a26828f195e65540a40b4768ae4571f51ebfc # v4.0.0
        with:
          url: https://vault.infra.ci.i.element.dev
          role: ${{ steps.vault-jwt-role.outputs.role_name }}
          path: service-management/github-actions
          jwtGithubAudience: https://vault.infra.ci.i.element.dev
          method: jwt
          secrets: |
            services/backend-repositories/secret/data/oci.element.io username | OCI_USERNAME ;
            services/backend-repositories/secret/data/oci.element.io password | OCI_PASSWORD ;

      - name: Login to Element OCI Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: oci-push.vpn.infra.element.io
          username: ${{ steps.import-secrets.outputs.OCI_USERNAME }}
          password: ${{ steps.import-secrets.outputs.OCI_PASSWORD }}

      - name: Build and push by digest
        id: build
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          push: true
          labels: |
            gitsha1=${{ github.sha }}
            org.opencontainers.image.version=${{ env.SYNAPSE_VERSION }}
          tags: |
            docker.io/matrixdotorg/synapse
            ghcr.io/element-hq/synapse
            oci-push.vpn.infra.element.io/synapse
          file: "docker/Dockerfile"
          platforms: ${{ matrix.platform }}
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true

      - name: Export digest
        run: |
          mkdir -p ${{ runner.temp }}/digests
          digest="${{ steps.build.outputs.digest }}"
          touch "${{ runner.temp }}/digests/${digest#sha256:}"

      - name: Upload digest
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: digests-${{ matrix.suffix }}
          path: ${{ runner.temp }}/digests/*
          if-no-files-found: error
          retention-days: 1

  merge:
    name: Push merged images to ${{ matrix.repository }}
    runs-on: ubuntu-latest
    strategy:
      matrix:
        repository:
          - docker.io/matrixdotorg/synapse
          - ghcr.io/element-hq/synapse
          - oci-push.vpn.infra.element.io/synapse

    needs:
      - build
    steps:
      - name: Download digests
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-*
          merge-multiple: true

      - name: Log in to DockerHub
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        if: ${{ startsWith(matrix.repository, 'docker.io') }}
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Log in to GHCR
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        if: ${{ startsWith(matrix.repository, 'ghcr.io') }}
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Tailscale
        uses: tailscale/github-action@306e68a486fd2350f2bfc3b19fcd143891a4a2d8 # v4.1.2
        with:
          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
          audience: ${{ secrets.TS_AUDIENCE }}
          tags: tag:github-actions

      - name: Compute vault jwt role name
        id: vault-jwt-role
        run: |
          echo "role_name=github_service_management_$( echo "${{ github.repository }}" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT"

      - name: Get team registry token
        id: import-secrets
        uses: hashicorp/vault-action@892a26828f195e65540a40b4768ae4571f51ebfc # v4.0.0
        with:
          url: https://vault.infra.ci.i.element.dev
          role: ${{ steps.vault-jwt-role.outputs.role_name }}
          path: service-management/github-actions
          jwtGithubAudience: https://vault.infra.ci.i.element.dev
          method: jwt
          secrets: |
            services/backend-repositories/secret/data/oci.element.io username | OCI_USERNAME ;
            services/backend-repositories/secret/data/oci.element.io password | OCI_PASSWORD ;

      - name: Login to Element OCI Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: oci-push.vpn.infra.element.io
          username: ${{ steps.import-secrets.outputs.OCI_USERNAME }}
          password: ${{ steps.import-secrets.outputs.OCI_PASSWORD }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Install Cosign
        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2

      - name: Calculate docker image tag
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: ${{ matrix.repository }}
          flavor: |
            latest=false
          tags: |
            type=raw,value=develop,enable=${{ github.ref == 'refs/heads/develop' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
            type=pep440,pattern={{raw}}
            type=sha

      - name: Create manifest list and push
        working-directory: ${{ runner.temp }}/digests
        env:
          REPOSITORY: ${{ matrix.repository }}
        run: |
          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf "$REPOSITORY@sha256:%s " *)

      - name: Sign each manifest
        env:
          REPOSITORY: ${{ matrix.repository }}
        run: |
          DIGESTS=""
          for TAG in $(echo "$DOCKER_METADATA_OUTPUT_JSON" | jq -r '.tags[]'); do
            DIGEST="$(docker buildx imagetools inspect $TAG --format '{{json .Manifest}}' | jq -r '.digest')"
            DIGESTS="$DIGESTS $REPOSITORY@$DIGEST"
          done
          cosign sign --yes $DIGESTS
```