From 45c5958f40fbcb56f6daa6f1c293a236cad78894 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Mon, 13 Oct 2025 08:48:36 +0200 Subject: [PATCH 1/2] ci(actions): Update workflows from templates Signed-off-by: Joas Schilling --- .github/workflows/block-merge-eol.yml | 6 +-- .github/workflows/command-compile.yml | 54 ++++++++++++++++++---- .github/workflows/lint-php-cs.yml | 2 +- .github/workflows/node.yml | 2 +- .github/workflows/npm-audit-fix.yml | 2 +- .github/workflows/phpunit-mysql.yml | 4 +- .github/workflows/phpunit-oci.yml | 19 ++++---- .github/workflows/phpunit-pgsql.yml | 4 +- .github/workflows/phpunit-sqlite.yml | 2 +- .github/workflows/pr-feedback.yml | 4 +- .github/workflows/psalm.yml | 5 +- .github/workflows/reuse.yml | 2 +- .github/workflows/update-nextcloud-ocp.yml | 3 +- 13 files changed, 75 insertions(+), 34 deletions(-) diff --git a/.github/workflows/block-merge-eol.yml b/.github/workflows/block-merge-eol.yml index 31f84a999..fc050d8eb 100644 --- a/.github/workflows/block-merge-eol.yml +++ b/.github/workflows/block-merge-eol.yml @@ -37,13 +37,13 @@ jobs: if (match) { console.log('Setting server_major to ' + match[1]); core.exportVariable('server_major', match[1]); - console.log('Setting current_month to ' + (new Date()).toISOString().substr(0, 7)); - core.exportVariable('current_month', (new Date()).toISOString().substr(0, 7)); + console.log('Setting current_day to ' + (new Date()).toISOString().substr(0, 10)); + core.exportVariable('current_day', (new Date()).toISOString().substr(0, 10)); } - name: Checking if server ${{ env.server_major }} is EOL if: ${{ env.server_major != '' }} run: | curl -s https://raw.githubusercontent.com/nextcloud-releases/updater_server/production/config/major_versions.json \ - | jq '.["${{ env.server_major }}"]["eol"] // "9999-99" | . >= "${{ env.current_month }}"' \ + | jq '.["${{ env.server_major }}"]["eol"] // "9999-99-99" | . >= "${{ env.current_day }}"' \ | grep -q true diff --git a/.github/workflows/command-compile.yml b/.github/workflows/command-compile.yml index 70b29b29f..3b27baadc 100644 --- a/.github/workflows/command-compile.yml +++ b/.github/workflows/command-compile.yml @@ -57,7 +57,7 @@ jobs: require: write - name: Add reaction on start - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 with: token: ${{ secrets.COMMAND_BOT_PAT }} repository: ${{ github.event.repository.full_name }} @@ -83,7 +83,7 @@ jobs: id: comment-branch - name: Add reaction on failure - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 if: failure() with: token: ${{ secrets.COMMAND_BOT_PAT }} @@ -131,12 +131,46 @@ jobs: - name: Set up npm ${{ steps.package-engines-versions.outputs.npmVersion }} run: npm i -g 'npm@${{ steps.package-engines-versions.outputs.npmVersion }}' - + - name: Rebase to ${{ needs.init.outputs.base_ref }} if: ${{ contains(needs.init.outputs.arg1, 'rebase') }} run: | git fetch origin '${{ needs.init.outputs.base_ref }}:${{ needs.init.outputs.base_ref }}' - git rebase 'origin/${{ needs.init.outputs.base_ref }}' + + # Start the rebase + git rebase 'origin/${{ needs.init.outputs.base_ref }}' || { + # Handle rebase conflicts in a loop + while [ -d .git/rebase-merge ] || [ -d .git/rebase-apply ]; do + echo "Handling rebase conflict..." + + # Remove and checkout /dist and /js folders from the base branch + if [ -d "dist" ]; then + rm -rf dist + git checkout origin/${{ needs.init.outputs.base_ref }} -- dist/ 2>/dev/null || echo "No dist folder in base branch" + fi + if [ -d "js" ]; then + rm -rf js + git checkout origin/${{ needs.init.outputs.base_ref }} -- js/ 2>/dev/null || echo "No js folder in base branch" + fi + + # Stage all changes + git add . + + # Check if there are any changes after resolving conflicts + if git diff --cached --quiet; then + echo "No changes after conflict resolution, skipping commit" + git rebase --skip + else + echo "Changes found, continuing rebase without editing commit message" + git -c core.editor=true rebase --continue + fi + + # Break if rebase is complete + if [ ! -d .git/rebase-merge ] && [ ! -d .git/rebase-apply ]; then + break + fi + done + } - name: Install dependencies & build env: @@ -151,7 +185,7 @@ jobs: run: | git add '${{ github.workspace }}${{ needs.init.outputs.git_path }}' git commit --signoff -m 'chore(assets): Recompile assets' - + - name: Commit fixup if: ${{ contains(needs.init.outputs.arg1, 'fixup') }} run: | @@ -168,14 +202,18 @@ jobs: - name: Push normally if: ${{ !contains(needs.init.outputs.arg1, 'rebase') && !contains(needs.init.outputs.arg1, 'amend') }} - run: git push origin '${{ needs.init.outputs.head_ref }}' + env: + HEAD_REF: ${{ needs.init.outputs.head_ref }} + run: git push origin "$HEAD_REF" - name: Force push if: ${{ contains(needs.init.outputs.arg1, 'rebase') || contains(needs.init.outputs.arg1, 'amend') }} - run: git push --force origin '${{ needs.init.outputs.head_ref }}' + env: + HEAD_REF: ${{ needs.init.outputs.head_ref }} + run: git push --force-with-lease origin "$HEAD_REF" - name: Add reaction on failure - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 if: failure() with: token: ${{ secrets.COMMAND_BOT_PAT }} diff --git a/.github/workflows/lint-php-cs.yml b/.github/workflows/lint-php-cs.yml index 519b345ea..032a38a00 100644 --- a/.github/workflows/lint-php-cs.yml +++ b/.github/workflows/lint-php-cs.yml @@ -45,7 +45,7 @@ jobs: - name: Install dependencies run: | - composer remove nextcloud/ocp --dev + composer remove nextcloud/ocp --dev --no-scripts composer i - name: Lint diff --git a/.github/workflows/node.yml b/.github/workflows/node.yml index 0137e9795..1913e8cea 100644 --- a/.github/workflows/node.yml +++ b/.github/workflows/node.yml @@ -80,7 +80,7 @@ jobs: npm ci npm run build --if-present - - name: Check webpack build changes + - name: Check build changes run: | bash -c "[[ ! \"`git status --porcelain `\" ]] || (echo 'Please recompile and commit the assets, see the section \"Show changes on failure\" for details' && exit 1)" diff --git a/.github/workflows/npm-audit-fix.yml b/.github/workflows/npm-audit-fix.yml index ab51e6c48..3d6b871b1 100644 --- a/.github/workflows/npm-audit-fix.yml +++ b/.github/workflows/npm-audit-fix.yml @@ -24,7 +24,7 @@ jobs: strategy: fail-fast: false matrix: - branches: ['main', 'master', 'stable31', 'stable30', 'stable29'] + branches: ['main', 'master', 'stable32', 'stable31'] name: npm-audit-fix-${{ matrix.branches }} diff --git a/.github/workflows/phpunit-mysql.yml b/.github/workflows/phpunit-mysql.yml index 9c898a613..d4be76671 100644 --- a/.github/workflows/phpunit-mysql.yml +++ b/.github/workflows/phpunit-mysql.yml @@ -74,7 +74,7 @@ jobs: services: mysql: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 4444:3306/tcp env: @@ -131,7 +131,7 @@ jobs: if: steps.check_composer.outputs.files_exists == 'true' working-directory: apps/${{ env.APP_NAME }} run: | - composer remove nextcloud/ocp --dev + composer remove nextcloud/ocp --dev --no-scripts composer i - name: Set up Nextcloud diff --git a/.github/workflows/phpunit-oci.yml b/.github/workflows/phpunit-oci.yml index 1d9ae9235..c124d270c 100644 --- a/.github/workflows/phpunit-oci.yml +++ b/.github/workflows/phpunit-oci.yml @@ -70,28 +70,27 @@ jobs: matrix: php-versions: ${{ fromJson(needs.matrix.outputs.php-version) }} server-versions: ${{ fromJson(needs.matrix.outputs.server-max) }} + oci-versions: ['11', '18', '21', '23'] - name: OCI PHP ${{ matrix.php-versions }} Nextcloud ${{ matrix.server-versions }} + name: OCI ${{ matrix.oci-versions }} PHP ${{ matrix.php-versions }} Nextcloud ${{ matrix.server-versions }} services: oracle: - image: ghcr.io/gvenzl/oracle-xe:11 + image: ghcr.io/gvenzl/oracle-${{ matrix.oci-versions < 23 && 'xe' || 'free' }}:${{ matrix.oci-versions }} # Provide passwords and other environment variables to container env: - ORACLE_RANDOM_PASSWORD: true - APP_USER: autotest - APP_USER_PASSWORD: owncloud + ORACLE_PASSWORD: oracle # Forward Oracle port ports: - - 1521:1521/tcp + - 1521:1521 # Provide healthcheck script options for startup options: >- --health-cmd healthcheck.sh - --health-interval 10s - --health-timeout 5s + --health-interval 20s + --health-timeout 10s --health-retries 10 steps: @@ -139,7 +138,7 @@ jobs: if: steps.check_composer.outputs.files_exists == 'true' working-directory: apps/${{ env.APP_NAME }} run: | - composer remove nextcloud/ocp --dev + composer remove nextcloud/ocp --dev --no-scripts composer i - name: Set up Nextcloud @@ -147,7 +146,7 @@ jobs: DB_PORT: 1521 run: | mkdir data - ./occ maintenance:install --verbose --database=oci --database-name=XE --database-host=127.0.0.1 --database-port=$DB_PORT --database-user=autotest --database-pass=owncloud --admin-user admin --admin-pass admin + ./occ maintenance:install --verbose --database=oci --database-name=${{ matrix.oci-versions < 23 && 'XE' || 'FREE' }} --database-host=127.0.0.1 --database-port=$DB_PORT --database-user=system --database-pass=oracle --admin-user admin --admin-pass admin ./occ app:enable --force ${{ env.APP_NAME }} - name: Check PHPUnit script is defined diff --git a/.github/workflows/phpunit-pgsql.yml b/.github/workflows/phpunit-pgsql.yml index 284efa294..65ea5eea2 100644 --- a/.github/workflows/phpunit-pgsql.yml +++ b/.github/workflows/phpunit-pgsql.yml @@ -75,7 +75,7 @@ jobs: services: postgres: - image: ghcr.io/nextcloud/continuous-integration-postgres-14:latest + image: ghcr.io/nextcloud/continuous-integration-postgres-16:latest # zizmor: ignore[unpinned-images] ports: - 4444:5432/tcp env: @@ -129,7 +129,7 @@ jobs: if: steps.check_composer.outputs.files_exists == 'true' working-directory: apps/${{ env.APP_NAME }} run: | - composer remove nextcloud/ocp --dev + composer remove nextcloud/ocp --dev --no-scripts composer i - name: Set up Nextcloud diff --git a/.github/workflows/phpunit-sqlite.yml b/.github/workflows/phpunit-sqlite.yml index bdbc39bef..37326f5d5 100644 --- a/.github/workflows/phpunit-sqlite.yml +++ b/.github/workflows/phpunit-sqlite.yml @@ -118,7 +118,7 @@ jobs: if: steps.check_composer.outputs.files_exists == 'true' working-directory: apps/${{ env.APP_NAME }} run: | - composer remove nextcloud/ocp --dev + composer remove nextcloud/ocp --dev --no-scripts composer i - name: Set up Nextcloud diff --git a/.github/workflows/pr-feedback.yml b/.github/workflows/pr-feedback.yml index 98e9fada7..f4c0477ce 100644 --- a/.github/workflows/pr-feedback.yml +++ b/.github/workflows/pr-feedback.yml @@ -36,7 +36,7 @@ jobs: blocklist=$(curl https://raw.githubusercontent.com/nextcloud/.github/master/non-community-usernames.txt | paste -s -d, -) echo "blocklist=$blocklist" >> "$GITHUB_OUTPUT" - - uses: nextcloud/pr-feedback-action@1883b38a033fb16f576875e0cf45f98b857655c4 # main + - uses: nextcloud/pr-feedback-action@f0cab224dea8e1f282f9451de322f323c78fc7a5 # main with: feedback-message: | Hello there, @@ -50,6 +50,6 @@ jobs: (If you believe you should not receive this message, you can add yourself to the [blocklist](https://github.com/nextcloud/.github/blob/master/non-community-usernames.txt).) days-before-feedback: 14 - start-date: '2024-04-30' + start-date: '2025-06-12' exempt-authors: '${{ steps.blocklist.outputs.blocklist }},${{ steps.scrape.outputs.users }}' exempt-bots: true diff --git a/.github/workflows/psalm.yml b/.github/workflows/psalm.yml index 452186eea..3de99fadf 100644 --- a/.github/workflows/psalm.yml +++ b/.github/workflows/psalm.yml @@ -49,9 +49,12 @@ jobs: - name: Install dependencies run: | - composer remove nextcloud/ocp --dev + composer remove nextcloud/ocp --dev --no-scripts composer i + - name: Check for vulnerable PHP dependencies + run: composer require --dev roave/security-advisories:dev-latest + - name: Install nextcloud/ocp run: composer require --dev nextcloud/ocp:dev-${{ steps.versions.outputs.branches-max }} --ignore-platform-reqs --with-dependencies diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml index 0d8e1962a..acb0ad86e 100644 --- a/.github/workflows/reuse.yml +++ b/.github/workflows/reuse.yml @@ -24,4 +24,4 @@ jobs: persist-credentials: false - name: REUSE Compliance Check - uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5.0.0 + uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0 diff --git a/.github/workflows/update-nextcloud-ocp.yml b/.github/workflows/update-nextcloud-ocp.yml index 5592f61ba..3e40fc708 100644 --- a/.github/workflows/update-nextcloud-ocp.yml +++ b/.github/workflows/update-nextcloud-ocp.yml @@ -15,6 +15,7 @@ on: permissions: contents: read + issues: write jobs: update-nextcloud-ocp: @@ -58,7 +59,7 @@ jobs: if: steps.checkout.outcome == 'success' run: composer install - - name: Composer update nextcloud/ocp + - name: Composer update nextcloud/ocp # zizmor: ignore[template-injection] id: update_branch if: ${{ steps.checkout.outcome == 'success' && matrix.branches != 'main' }} run: composer require --dev 'nextcloud/ocp:dev-${{ matrix.branches }}' From 5cc2cdb8e23c0b0ad6822578efef73b7610fc48d Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Tue, 14 Oct 2025 08:28:17 +0200 Subject: [PATCH 2/2] ci(reuse): Downgrade reuse again so the script does not yield it Signed-off-by: Joas Schilling --- .github/workflows/reuse.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml index acb0ad86e..0d8e1962a 100644 --- a/.github/workflows/reuse.yml +++ b/.github/workflows/reuse.yml @@ -24,4 +24,4 @@ jobs: persist-credentials: false - name: REUSE Compliance Check - uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0 + uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5.0.0