element-hq · pixlwave · Mar 11, 2026 · Mar 5, 2026 · Mar 5, 2026 · Mar 5, 2026
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
@@ -8,6 +8,8 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+permissions: {}
+
 env:
   # Make the git branch for a PR available to our Fastfile
   MX_GIT_BRANCH: ${{ github.event.pull_request.head.ref }}
@@ -20,19 +22,20 @@ jobs:
     # Concurrency group not needed as this workflow only runs on develop which we always want to test.
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
             submodules: 'true'
+            persist-credentials: false
 
       # Common cache
       # Note: GH actions do not support yaml anchor yet. We need to duplicate this for every job
-      - uses: actions/cache@v4
+      - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: Pods
           key: ${{ runner.os }}-pods-${{ hashFiles('**/Podfile.lock') }}
           restore-keys: |
             ${{ runner.os }}-pods-
-      - uses: actions/cache@v4
+      - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: vendor/bundle
           key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}

diff --git a/.github/workflows/ci-tests.yml b/.github/workflows/ci-tests.yml
@@ -9,6 +9,8 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+permissions: {}
+
 env:
   # Make the git branch for a PR available to our Fastfile
   MX_GIT_BRANCH: ${{ github.event.pull_request.head.ref }}
@@ -25,19 +27,20 @@ jobs:
       cancel-in-progress: true
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
             submodules: 'true'
+            persist-credentials: false
 
       # Common cache
       # Note: GH actions do not support yaml anchor yet. We need to duplicate this for every job
-      - uses: actions/cache@v4
+      - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: Pods
           key: ${{ runner.os }}-pods-${{ hashFiles('**/Podfile.lock') }}
           restore-keys: |
             ${{ runner.os }}-pods-
-      - uses: actions/cache@v4
+      - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: vendor/bundle
           key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}
@@ -65,7 +68,7 @@ jobs:
         run: bundle exec fastlane test
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           flags: unittests
diff --git a/.github/workflows/ci-ui-tests.yml b/.github/workflows/ci-ui-tests.yml
@@ -5,6 +5,8 @@ on:
 
   workflow_dispatch:
 
+permissions: {}
+
 env:
   # Make the git branch for a PR available to our Fastfile
   MX_GIT_BRANCH: ${{ github.event.pull_request.head.ref }}
@@ -20,19 +22,20 @@ jobs:
       cancel-in-progress: true
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
             submodules: 'true'
+            persist-credentials: false
 
       # Common cache
       # Note: GH actions do not support yaml anchor yet. We need to duplicate this for every job
-      - uses: actions/cache@v4
+      - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: Pods
           key: ${{ runner.os }}-pods-${{ hashFiles('**/Podfile.lock') }}
           restore-keys: |
             ${{ runner.os }}-pods-
-      - uses: actions/cache@v4
+      - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: vendor/bundle
           key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}
@@ -60,7 +63,7 @@ jobs:
         run: bundle exec fastlane uitest
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           flags: uitests
diff --git a/.github/workflows/release-alpha.yml b/.github/workflows/release-alpha.yml
@@ -1,11 +1,12 @@
 name: Build alpha release
 
 on:
-
   # Triggers the workflow on any pull request
   pull_request:
     types: [ labeled, synchronize, opened, reopened ]
 
+permissions: {}
+
 env:
   # Make the git branch for a PR available to our Fastfile
   MX_GIT_BRANCH: ${{ github.event.pull_request.head.ref }}
@@ -25,22 +26,23 @@ jobs:
       cancel-in-progress: true
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
             submodules: 'true'
+            persist-credentials: false
 
       # Common cache
       # Note: GH actions do not support yaml anchor yet. We need to duplicate this for every job
       - name: Cache CocoaPods libraries
-        uses: actions/cache@v4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: Pods
           key: ${{ runner.os }}-pods-${{ hashFiles('**/Podfile.lock') }}
           restore-keys: |
             ${{ runner.os }}-pods-
 
       - name: Cache Ruby gems
-        uses: actions/cache@v4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: vendor/bundle
           key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}
@@ -62,7 +64,7 @@ jobs:
 
       # Import alpha release private signing certificate
       - name: Import signing certificate
-        uses: apple-actions/import-codesign-certs@v1
+        uses: apple-actions/import-codesign-certs@b610f78488812c1e56b20e6df63ec42d833f2d14 # v6.0.0
         with:
           p12-file-base64: ${{ secrets.ALPHA_CERTIFICATES_P12 }}
           p12-password: ${{ secrets.ALPHA_CERTIFICATES_P12_PASSWORD }}
@@ -80,7 +82,7 @@ jobs:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
 
       - name: Add or update PR comment with Ad-hoc release informations
-        uses: NejcZdovc/comment-pr@v1
+        uses: NejcZdovc/comment-pr@a423635d183a8259308e80593c96fecf31539c26 # v2.1.0
         with:
           message: |
             :iphone: Scan the QR code below to install the build for this PR. 

diff --git a/.github/workflows/triage-move-labelled.yml b/.github/workflows/triage-move-labelled.yml
@@ -4,6 +4,8 @@ on:
   issues:
     types: [labeled]
 
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+
 jobs:
   apply_Z-Labs_label:
     name: Add Z-Labs label for features behind labs flags
@@ -20,7 +22,7 @@ jobs:
       contains(github.event.issue.labels.*.name, 'A-Tags') ||
       contains(github.event.issue.labels.*.name, 'A-Rich-Text-Editor')
     steps:
-      - uses: actions/github-script@v5
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             github.rest.issues.addLabels({
@@ -42,7 +44,7 @@ jobs:
        contains(github.event.issue.labels.*.name, 'O-Frequent')) ||
        contains(github.event.issue.labels.*.name, 'A11y'))
     steps:
-      - uses: actions/add-to-project@main
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
         with:
           project-url: https://github.com/orgs/element-hq/projects/18
           github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
@@ -53,7 +55,7 @@ jobs:
     if: >
       contains(github.event.issue.labels.*.name, 'X-Needs-Product')
     steps:
-      - uses: actions/add-to-project@main
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
         with:
           project-url: https://github.com/orgs/element-hq/projects/28
           github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
diff --git a/.github/workflows/triage-priority-bugs.yml b/.github/workflows/triage-priority-bugs.yml
@@ -4,6 +4,8 @@ on:
   issues:
     types: [labeled, unlabeled]
 
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+
 jobs:
   p1_issues_to_team_workboard:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/triage-review-requests.yml b/.github/workflows/triage-review-requests.yml
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,24 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor 🌈
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
diff --git a/changelog.d/pr-8008.build b/changelog.d/pr-8008.build
@@ -0,0 +1 @@
+Add zizmor checks on CI.