diff --git a/.github/workflows/block-merge-eol.yml b/.github/workflows/block-merge-eol.yml index 292494c72cdf9..31f84a999363a 100644 --- a/.github/workflows/block-merge-eol.yml +++ b/.github/workflows/block-merge-eol.yml @@ -27,13 +27,22 @@ jobs: steps: - name: Set server major version environment - run: | - # retrieve version number from branch reference - server_major=$(echo "${{ github.base_ref }}" | sed -En 's/stable//p') - echo "server_major=$server_major" >> $GITHUB_ENV - echo "current_month=$(date +%Y-%m)" >> $GITHUB_ENV - - - name: Checking if ${{ env.server_major }} is EOL + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const regex = /^stable(\d+)$/ + const baseRef = context.payload.pull_request.base.ref + const match = baseRef.match(regex) + if (match) { + console.log('Setting server_major to ' + match[1]); + core.exportVariable('server_major', match[1]); + console.log('Setting current_month to ' + (new Date()).toISOString().substr(0, 7)); + core.exportVariable('current_month', (new Date()).toISOString().substr(0, 7)); + } + + - name: Checking if server ${{ env.server_major }} is EOL + if: ${{ env.server_major != '' }} run: | curl -s https://raw.githubusercontent.com/nextcloud-releases/updater_server/production/config/major_versions.json \ | jq '.["${{ env.server_major }}"]["eol"] // "9999-99" | . >= "${{ env.current_month }}"' \ diff --git a/.github/workflows/block-merge-freeze.yml b/.github/workflows/block-merge-freeze.yml index d052668b310ba..f28a02101e441 100644 --- a/.github/workflows/block-merge-freeze.yml +++ b/.github/workflows/block-merge-freeze.yml 
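Review bot: The "Checking if server … is EOL" step still splices `${{ env.server_major }}` and `${{ env.current_month }}` directly into the shell line that builds the `jq` filter; the new `^stable(\d+)$` guard in the github-script step does restrict the value to digits, but the form that needs no such reasoning is to hand both values to the shell through `env:` and to `jq` through `--arg`, e.g. `jq --arg major "$SERVER_MAJOR" --arg month "$CURRENT_MONTH" '.[$major]["eol"] // "9999-99" | . >= $month'`. The `curl -s` fetch of `major_versions.json` has no `--fail`, so a 404 or transport error feeds `jq` an error page or an empty body rather than the JSON, and the verdict then depends on how the rest of the pipeline (which continues past the end of this hunk) treats null output; `curl -sSf` turns that case into a hard failure instead of a possibly-green check. The github-script step only reads `context.payload`, so the explicit `github-token: ${{secrets.GITHUB_TOKEN}}` input is not needed for anything it does and can be dropped.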
@@ -28,8 +28,30 @@ jobs: runs-on: ubuntu-latest-low steps: - - name: Download version.php from ${{ github.base_ref }} - run: curl 'https://raw.githubusercontent.com/nextcloud/server/${{ github.base_ref }}/version.php' --output version.php + - name: Register server reference to fallback to master branch + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const baseRef = context.payload.pull_request.base.ref + if (baseRef === 'main' || baseRef === 'master') { + core.exportVariable('server_ref', 'master'); + console.log('Setting server_ref to master'); + } else { + const regex = /^stable(\d+)$/ + const match = baseRef.match(regex) + if (match) { + core.exportVariable('server_ref', match[0]); + console.log('Setting server_ref to ' + match[0]); + } else { + console.log('Not based on master/main/stable*, so skipping freeze check'); + } + } + + - name: Download version.php from ${{ env.server_ref }} + if: ${{ env.server_ref != '' }} + run: curl 'https://raw.githubusercontent.com/nextcloud/server/${{ env.server_ref }}/version.php' --output version.php - name: Run check + if: ${{ env.server_ref != '' }} run: cat version.php | grep 'OC_VersionString' | grep -i -v 'RC' diff --git a/.github/workflows/block-outdated-3rdparty.yml b/.github/workflows/block-outdated-3rdparty.yml index 013a103c6349f..8d35a2125c90c 100644 --- a/.github/workflows/block-outdated-3rdparty.yml +++ b/.github/workflows/block-outdated-3rdparty.yml 
@@ -31,25 +31,49 @@ jobs: - 'version.php' - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: 3rdparty commit hash on current branch id: actual run: | echo "commit=$(git submodule status | grep ' 3rdparty' | egrep -o '[a-f0-9]{40}')" >> "$GITHUB_OUTPUT" + - name: Register server reference to fallback to master branch + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const baseRef = context.payload.pull_request.base.ref + if (baseRef === 'main' || baseRef === 'master') { + core.exportVariable('server_ref', 'master'); + console.log('Setting server_ref to master'); + } else { + const regex = /^stable(\d+)$/ + const match = baseRef.match(regex) + if (match) { + core.exportVariable('server_ref', match[0]); + console.log('Setting server_ref to ' + match[0]); + } else { + console.log('Not based on master/main/stable*, so skipping outdated 3rdparty check'); + } + } + - name: Last 3rdparty commit on target branch + if: ${{ env.server_ref != '' }} id: target run: | - echo "commit=$(git ls-remote https://github.com/nextcloud/3rdparty refs/heads/${{ github.base_ref }} | awk '{ print $1}')" >> "$GITHUB_OUTPUT" + echo "commit=$(git ls-remote https://github.com/nextcloud/3rdparty refs/heads/${{ env.server_ref }} | awk '{ print $1}')" >> "$GITHUB_OUTPUT" - name: Compare if 3rdparty commits are different + if: ${{ env.server_ref != '' }} run: | echo '3rdparty/ seems to not point to the last commit of the dedicated branch:' echo 'Branch has: ${{ steps.actual.outputs.commit }}' - echo '${{ github.base_ref }} has: ${{ steps.target.outputs.commit }}' + echo '${{ env.server_ref }} has: ${{ steps.target.outputs.commit }}' - name: Fail if 3rdparty commits are different - if: ${{ steps.changes.outputs.src != 'false' && 
steps.actual.outputs.commit != steps.target.outputs.commit }} + if: ${{ env.server_ref != '' && steps.changes.outputs.src != 'false' && steps.actual.outputs.commit != steps.target.outputs.commit }} run: | exit 1 diff --git a/.github/workflows/block-unconventional-commits.yml b/.github/workflows/block-unconventional-commits.yml index 0e7d81efc6fab..6bf1a79c9415e 100644 --- a/.github/workflows/block-unconventional-commits.yml +++ b/.github/workflows/block-unconventional-commits.yml @@ -27,7 +27,9 @@ jobs: steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: webiny/action-conventional-commits@8bc41ff4e7d423d56fa4905f6ff79209a78776c7 # v1.3.0 with: diff --git a/.github/workflows/command-compile.yml b/.github/workflows/command-compile.yml index 3d9f618612c4a..d5ecf01af61f8 100644 --- a/.github/workflows/command-compile.yml +++ b/.github/workflows/command-compile.yml @@ -11,6 +11,9 @@ on: issue_comment: types: [created] +permissions: + contents: read + jobs: init: runs-on: ubuntu-latest @@ -76,7 +79,7 @@ jobs: fi - name: Init branch - uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v1 + uses: xt0rted/pull-request-comment-branch@e8b8daa837e8ea7331c0003c9c316a64c6d8b0b1 # v3.0.0 id: comment-branch - name: Add reaction on failure @@ -86,7 +89,7 @@ jobs: token: ${{ secrets.COMMAND_BOT_PAT }} repository: ${{ github.event.repository.full_name }} comment-id: ${{ github.event.comment.id }} - reactions: "-1" + reactions: '-1' process: runs-on: ubuntu-latest 
@@ -94,14 +97,16 @@ jobs: steps: - name: Restore cached git repository - uses: buildjet/cache@e376f15c6ec6dc595375c78633174c7e5f92dc0e # v3 + uses: buildjet/cache@3e70d19e31d6a8030aeddf6ed8dbe601f94d09f4 # v4.0.2 with: path: .git key: git-repo - name: Checkout ${{ needs.init.outputs.head_ref }} - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + # Needed to allow force push later + persist-credentials: true token: ${{ secrets.COMMAND_BOT_PAT }} fetch-depth: 0 ref: ${{ needs.init.outputs.head_ref }} @@ -119,7 +124,7 @@ jobs: fallbackNpm: '^10' - name: Set up node ${{ steps.package-engines-versions.outputs.nodeVersion }} - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v3 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ steps.package-engines-versions.outputs.nodeVersion }} cache: npm @@ -176,4 +181,4 @@ jobs: token: ${{ secrets.COMMAND_BOT_PAT }} repository: ${{ github.event.repository.full_name }} comment-id: ${{ github.event.comment.id }} - reactions: "-1" + reactions: '-1' diff --git a/.github/workflows/command-pull-3rdparty.yml b/.github/workflows/command-pull-3rdparty.yml index 5090193d424fc..597c37c98d735 100644 --- a/.github/workflows/command-pull-3rdparty.yml +++ b/.github/workflows/command-pull-3rdparty.yml 
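Review bot: `persist-credentials: true` together with `token: ${{ secrets.COMMAND_BOT_PAT }}` leaves the PAT in `.git/config` (actions/checkout stores it as an `http.<url>.extraheader` entry), and the step immediately above restores `.git` from `buildjet/cache` under the fixed key `git-repo`; if that action behaves like actions/cache and saves the path in its post-step on a cache miss, the first miss after this change would store the whole `.git` directory, PAT included, in the repository's Actions cache, which later runs, including pull-request runs that fall back to default-branch caches, can read. Whether a cleanup step strips the header before the post-step runs is outside this hunk; if there is none, either split into `buildjet/cache/restore` plus an explicit save that runs only after the credential has been removed, or keep `persist-credentials: false` and give the PAT to the push alone through `env:`, e.g. `git push "https://x-access-token:${COMMAND_BOT_PAT}@github.com/${GITHUB_REPOSITORY}.git" HEAD`. The comment `# Needed to allow force push later` would then move to the push step, where it explains an `env:` entry rather than a credential left on disk.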
@@ -34,28 +34,60 @@ jobs: exit 1 - name: Init branch - uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v1 + uses: xt0rted/pull-request-comment-branch@e8b8daa837e8ea7331c0003c9c316a64c6d8b0b1 # v1 id: comment-branch - name: Checkout ${{ steps.comment-branch.outputs.head_ref }} - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false fetch-depth: 0 token: ${{ secrets.COMMAND_BOT_PAT }} ref: ${{ steps.comment-branch.outputs.head_ref }} + - name: Register server reference to fallback to master branch + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const baseRef = context.payload.pull_request.base.ref + if (baseRef === 'main' || baseRef === 'master') { + core.exportVariable('server_ref', 'master'); + console.log('Setting server_ref to master'); + } else { + const regex = /^stable(\d+)$/ + const match = baseRef.match(regex) + if (match) { + core.exportVariable('server_ref', match[0]); + console.log('Setting server_ref to ' + match[0]); + } else { + console.log('Not based on master/main/stable*, so skipping pull 3rdparty command'); + } + } + - name: Setup git run: | git config --local user.email 'nextcloud-command@users.noreply.github.com' git config --local user.name 'nextcloud-command' + - name: Add reaction on failure + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v3.0.1 + if: ${{ env.server_ref == '' }} + with: + token: ${{ secrets.COMMAND_BOT_PAT }} + repository: ${{ github.event.repository.full_name }} + comment-id: ${{ github.event.comment.id }} + reactions: '-1' + - name: Pull 3rdparty - run: git submodule foreach 'if [ "$sm_path" == "3rdparty" ]; then git pull origin '"'"'${{ github.event.issue.pull_request.base.ref }}'"'"'; fi' + if: ${{ env.server_ref != '' }} + run: git 
submodule foreach 'if [ "$sm_path" == "3rdparty" ]; then git pull origin '"'"'${{ env.server_ref }}'"'"'; fi' - name: Commit and push changes + if: ${{ env.server_ref != '' }} run: | git add 3rdparty - git commit -s -m 'Update submodule 3rdparty to latest ${{ github.event.issue.pull_request.base.ref }}' + git commit -s -m 'Update submodule 3rdparty to latest ${{ env.server_ref }}' git push - name: Add reaction on failure diff --git a/.github/workflows/cypress.yml b/.github/workflows/cypress.yml index 2cebe52e26b0c..758cc639ef0e8 100644 --- a/.github/workflows/cypress.yml +++ b/.github/workflows/cypress.yml @@ -18,9 +18,16 @@ env: # Adjust APP_NAME if your repository name is different APP_NAME: ${{ github.event.repository.name }} - # Server requires head_ref instead of base_ref, as we want to test the PR branch + # This represents the server branch to checkout. + # Usually it's the base branch of the PR, but for pushes it's the branch itself. + # e.g. 'main', 'stable27' or 'feature/my-feature' + # n.b. server will use head_ref, as we want to test the PR branch. BRANCH: ${{ github.head_ref || github.ref_name }} + +permissions: + contents: read + jobs: init: runs-on: ubuntu-latest @@ -39,8 +46,9 @@ jobs: exit 1 - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false # We need to checkout submodules for 3rdparty submodules: true @@ -62,7 +70,7 @@ jobs: fallbackNpm: "^10" - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} 
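Review bot: The checkout now sets `persist-credentials: false`, yet the "Commit and push changes" step still ends with a bare `git push` and the only git configuration between the two is `user.email`/`user.name`, so the push has no credential left to use and should fail with an authentication error; the `token: ${{ secrets.COMMAND_BOT_PAT }}` input only covers the fetch once credentials are not persisted. Either keep `persist-credentials: true` on this checkout (as command-compile.yml does, with a comment saying why) or pass the PAT to the push explicitly from an `env:` entry. The pin comment on `xt0rted/pull-request-comment-branch@e8b8daa…` reads `# v1` here while the same SHA is labelled `# v3.0.0` in command-compile.yml; it should be `# v3.0.0` so the pin and its comment agree. The "Pull 3rdparty" step also interpolates `${{ env.server_ref }}` into the shell string, which is safe only because of the `^stable(\d+)$`/master guard above it; `git pull origin "$SERVER_REF"` with `env: SERVER_REF: ${{ env.server_ref }}` does not depend on that guard staying in place.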
@@ -78,7 +86,7 @@ jobs: run: npm run cypress:version - name: Save context - uses: buildjet/cache/save@e376f15c6ec6dc595375c78633174c7e5f92dc0e # v3 + uses: buildjet/cache/save@3e70d19e31d6a8030aeddf6ed8dbe601f94d09f4 # v4.0.2 with: key: cypress-context-${{ github.run_id }} path: ./ @@ -92,7 +100,7 @@ jobs: matrix: # Run multiple copies of the current job in parallel # Please increase the number or runners as your tests suite grows (0 based index for e2e tests) - containers: ["component", '0', '1', '2', '3', '4', '5', '6', '7'] + containers: ['component', '0', '1', '2', '3', '4', '5', '6', '7'] # Hack as strategy.job-total includes the component and GitHub does not allow math expressions # Always align this number with the total of e2e runners (max. index + 1) total-containers: [8] @@ -101,14 +109,14 @@ jobs: steps: - name: Restore context - uses: buildjet/cache/restore@e376f15c6ec6dc595375c78633174c7e5f92dc0e # v3 + uses: buildjet/cache/restore@3e70d19e31d6a8030aeddf6ed8dbe601f94d09f4 # v4.0.2 with: fail-on-cache-miss: true key: cypress-context-${{ github.run_id }} path: ./ - name: Set up node ${{ needs.init.outputs.nodeVersion }} - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ needs.init.outputs.nodeVersion }} @@ -116,7 +124,7 @@ jobs: run: npm i -g 'npm@${{ needs.init.outputs.npmVersion }}' - name: Run ${{ matrix.containers == 'component' && 'component' || 'E2E' }} cypress tests - uses: cypress-io/github-action@df7484c5ba85def7eef30db301afa688187bc378 # v6.7.2 + uses: cypress-io/github-action@f1f0912d392f0d06bdd01fb9ebe3b3299e5806fb # v6.7.7 with: component: ${{ matrix.containers == 'component' }} group: ${{ matrix.use-cypress-cloud && matrix.containers == 'component' && 'Run component' || matrix.use-cypress-cloud && 'Run E2E' || '' }} 
@@ -135,8 +143,8 @@ jobs:
SPLIT: ${{ matrix.total-containers }}
SPLIT_INDEX: ${{ matrix.containers == 'component' && 0 || matrix.containers }}
- - name: Upload snapshots
- uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+ - name: Upload snapshots and videos
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
if: always()
with:
name: snapshots_videos_${{ matrix.containers }}
@@ -149,7 +157,7 @@ jobs:
run: docker logs nextcloud-cypress-tests_${{ env.APP_NAME }} > nextcloud.log
- name: Upload NC logs
- uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
if: failure() && matrix.containers != 'component'
with:
name: nc_logs_${{ matrix.containers }}
@@ -160,7 +168,7 @@ jobs:
run: docker exec nextcloud-cypress-tests_${{ env.APP_NAME }} tar -cvjf - data > data.tar
- name: Upload data dir archive
- uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
if: failure() && matrix.containers != 'component'
with:
name: nc_data_${{ matrix.containers }}
diff --git a/.github/workflows/dependabot-approve-merge.yml b/.github/workflows/dependabot-approve-merge.yml
index efe8bfe37f78d..ed902d9280746 100644
--- a/.github/workflows/dependabot-approve-merge.yml
+++ b/.github/workflows/dependabot-approve-merge.yml
@@ -9,7 +9,7 @@ name: Dependabot
on:
- pull_request_target:
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
branches:
- main
- master
@@ -24,7 +24,7 @@ concurrency:
jobs:
auto-approve-merge:
- if: github.actor == 'dependabot[bot]' || github.actor == 'renovate[bot]'
+ if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'renovate[bot]'
runs-on: ubuntu-latest-low
permissions:
# for hmarr/auto-approve-action to approve PRs
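Review bot: Switching the gate from `github.actor` to `github.event.pull_request.user.login` checks who opened the pull request, not who last pushed to it; on a `pull_request_target` workflow that goes on to approve and merge, a commit pushed onto a `dependabot/…` branch by any other account with push access would still satisfy the condition. If that is not intended, keep an actor check alongside the author check, or additionally require `github.event.pull_request.head.repo.full_name == github.repository`, and confirm that the job body (outside this hunk) never checks out or executes code from the PR head. The `# zizmor: ignore[dangerous-triggers]` suppression should carry the reason inline, as the ignores in generate-release-changelog.yml do, e.g. `# zizmor: ignore[dangerous-triggers] -- write token needed to approve/merge bot PRs; PR code is never executed`.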
diff --git a/.github/workflows/files-external-ftp.yml b/.github/workflows/files-external-ftp.yml index 887c89c26c74e..0bf7bc77e1981 100644 --- a/.github/workflows/files-external-ftp.yml +++ b/.github/workflows/files-external-ftp.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-ftp-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -53,8 +56,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up ftpd @@ -100,7 +104,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@v4.5.0 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-files-external-ftp diff --git a/.github/workflows/files-external-s3.yml b/.github/workflows/files-external-s3.yml index 3f498f06519fd..5d0711554236e 100644 --- a/.github/workflows/files-external-s3.yml +++ b/.github/workflows/files-external-s3.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-s3-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -50,7 +53,7 @@ jobs: services: minio: - image: bitnami/minio + image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22 env: MINIO_ROOT_USER: nextcloud MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ= @@ -60,8 +63,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} 
@@ -98,7 +102,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@v4.5.0 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-files-external-s3 @@ -129,14 +133,15 @@ jobs: env: SERVICES: s3 DEBUG: 1 - image: localstack/localstack + image: localstack/localstack@sha256:b52c16663c70b7234f217cb993a339b46686e30a1a5d9279cb5feeb2202f837c # v4.4.0 ports: - "4566:4566" steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -165,7 +170,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@v4.5.0 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-files-external-s3 diff --git a/.github/workflows/files-external-sftp.yml b/.github/workflows/files-external-sftp.yml index f5c1af826bf68..b4d6280000638 100644 --- a/.github/workflows/files-external-sftp.yml +++ b/.github/workflows/files-external-sftp.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-sftp-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -53,8 +56,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up sftpd 
@@ -89,7 +93,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@v4.5.0 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-files-external-sftp diff --git a/.github/workflows/files-external-smb-kerberos.yml b/.github/workflows/files-external-smb-kerberos.yml index e698f9c2c23b8..8326f6633cabe 100644 --- a/.github/workflows/files-external-smb-kerberos.yml +++ b/.github/workflows/files-external-smb-kerberos.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-smb-kerberos-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -43,13 +46,15 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Checkout user_saml - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false repository: nextcloud/user_saml path: apps/user_saml diff --git a/.github/workflows/files-external-smb.yml b/.github/workflows/files-external-smb.yml index 092f7e9e3a2af..18a5ece16a646 100644 --- a/.github/workflows/files-external-smb.yml +++ b/.github/workflows/files-external-smb.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-smb-${{ github.head_ref || github.run_id }} cancel-in-progress: true 
@@ -50,14 +53,15 @@ jobs:
services:
samba:
- image: ghcr.io/nextcloud/continuous-integration-samba:latest
+ image: ghcr.io/nextcloud/continuous-integration-samba:latest # zizmor: ignore[unpinned-images]
ports:
- 445:445
steps:
- name: Checkout server
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
+ persist-credentials: false
submodules: true
- name: Set up php ${{ matrix.php-versions }}
@@ -94,7 +98,7 @@ jobs:
- name: Upload code coverage
if: ${{ !cancelled() && matrix.coverage }}
- uses: codecov/codecov-action@922d8d7b314a529f2be903c1e79ee8283c492863 # v4.1.1
+ uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
with:
files: ./clover.xml
flags: phpunit-files-external-smb
diff --git a/.github/workflows/files-external-webdav.yml b/.github/workflows/files-external-webdav.yml
index 86d8d539d93bd..91ff941512aba 100644
--- a/.github/workflows/files-external-webdav.yml
+++ b/.github/workflows/files-external-webdav.yml
@@ -6,6 +6,9 @@ on:
schedule:
- cron: "5 2 * * *"
+permissions:
+ contents: read
+
concurrency:
group: files-external-webdav-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
@@ -50,14 +53,15 @@ jobs:
services:
apache:
- image: ghcr.io/nextcloud/continuous-integration-webdav-apache:latest
+ image: ghcr.io/nextcloud/continuous-integration-webdav-apache:latest # zizmor: ignore[unpinned-images]
ports:
- 8081:80
steps:
- name: Checkout server
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
+ persist-credentials: false
submodules: true
- name: Set up php ${{ matrix.php-versions }}
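Review bot: The `continuous-integration-samba:latest` service image stays on a mutable tag and the finding is silenced with `# zizmor: ignore[unpinned-images]`, while `bitnami/minio` and `localstack/localstack` in the sibling workflows were pinned to `@sha256:` digests in the same change; this image lives in nextcloud's own ghcr.io namespace, so a digest pin such as `image: ghcr.io/nextcloud/continuous-integration-samba@sha256:<digest> # latest as of <date>` is available and would make the suppression unnecessary. If the intent is to always track the freshly rebuilt CI image, state that next to the ignore so it is not read as an oversight: `# zizmor: ignore[unpinned-images] -- intentionally tracks the CI image rebuilt by nextcloud`. The same applies to the `continuous-integration-webdav-apache:latest` service in files-external-webdav.yml further down this line.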
@@ -91,7 +95,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@922d8d7b314a529f2be903c1e79ee8283c492863 # v4.1.1 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-files-external-webdav diff --git a/.github/workflows/files-external.yml b/.github/workflows/files-external.yml index f6bc46faba750..18d12a4a3b603 100644 --- a/.github/workflows/files-external.yml +++ b/.github/workflows/files-external.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-generic-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -49,8 +52,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -79,7 +83,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@v4.5.0 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-files-external-generic diff --git a/.github/workflows/generate-release-changelog.yml b/.github/workflows/generate-release-changelog.yml index c0945bde9531c..1660b77d974b2 100644 --- a/.github/workflows/generate-release-changelog.yml +++ b/.github/workflows/generate-release-changelog.yml 
@@ -50,8 +50,9 @@ jobs: PREVIOUS_TAG=$(echo "$TAGS" | grep -v 'rc\|beta\|alpha' | sed -n '2p') echo "CURRENT_TAG=$CURRENT_TAG" >> $GITHUB_ENV echo "PREVIOUS_TAG=$PREVIOUS_TAG" >> $GITHUB_ENV - - - name: Verify current tag + + # Since this action only runs on nextcloud-releases, ignoring is okay + - name: Verify current tag # zizmor: ignore[template-injection] run: | if [ "${{ github.ref_name }}" != "${{ env.CURRENT_TAG }}" ]; then echo "Current tag does not match the release tag. Exiting." @@ -71,7 +72,8 @@ jobs: run: | echo '{"username": "github-actions"}' > github_helper/credentials.json - - name: Generate changelog between ${{ env.PREVIOUS_TAG }} and ${{ github.ref_name }} + # Since this action only runs on nextcloud-releases, ignoring is okay + - name: Generate changelog between ${{ env.PREVIOUS_TAG }} and ${{ github.ref_name }} # zizmor: ignore[template-injection] env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | @@ -79,7 +81,8 @@ jobs: composer install php index.php generate:changelog --no-bots --format=forum server ${{ env.PREVIOUS_TAG }} ${{ github.ref_name }} > changelog.md - - name: Set changelog to release + # Since this action only runs on nextcloud-releases, ignoring is okay + - name: Set changelog to release # zizmor: ignore[template-injection] env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | diff --git a/.github/workflows/integration-dav.yml b/.github/workflows/integration-dav.yml index ce493ae42b171..b66c76516c3cb 100644 --- a/.github/workflows/integration-dav.yml +++ b/.github/workflows/integration-dav.yml @@ -4,6 +4,9 @@ name: DAV integration tests on: pull_request: +permissions: + contents: read + concurrency: group: integration-caldav-${{ github.head_ref || github.run_id }} cancel-in-progress: true 
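Review bot: The three `# zizmor: ignore[template-injection]` suppressions accept `${{ github.ref_name }}` being spliced into `run:` shell text because only nextcloud-releases runs the workflow, but a tag name can still contain shell metacharacters such as `$(`, `;` or `|` (git refnames forbid whitespace and a few other characters, not these), so anyone able to push a tag to that repository gets command execution in a job holding `secrets.GITHUB_TOKEN`, presumably with the write scope the release step needs. The fix is shorter than the justification comments: add `env: REF_NAME: ${{ github.ref_name }}` to each affected step and use the variable in the script, e.g. `if [ "$REF_NAME" != "$CURRENT_TAG" ]; then` and `php index.php generate:changelog --no-bots --format=forum server "$PREVIOUS_TAG" "$REF_NAME" > changelog.md`, since `PREVIOUS_TAG` is already exported through `$GITHUB_ENV`. While touching these lines, the two `>> $GITHUB_ENV` redirections should quote the path as `>> "$GITHUB_ENV"`.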
@@ -51,8 +54,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -67,7 +71,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Set up Python - uses: LizardByte/setup-python-action@master + uses: LizardByte/setup-python-action@f4367d0377eceec7e5e26da8f3863dd365b95a94 # v2025.426.160528 with: python-version: '2.7' diff --git a/.github/workflows/integration-litmus.yml b/.github/workflows/integration-litmus.yml index 5419db900cac6..134956ca4ffa8 100644 --- a/.github/workflows/integration-litmus.yml +++ b/.github/workflows/integration-litmus.yml @@ -4,6 +4,9 @@ name: Litmus integration tests on: pull_request: +permissions: + contents: read + concurrency: group: integration-litmus-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -50,8 +53,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/integration-s3-primary.yml b/.github/workflows/integration-s3-primary.yml index a11f8ec81d95f..03aefac1d2dfb 100644 --- a/.github/workflows/integration-s3-primary.yml +++ b/.github/workflows/integration-s3-primary.yml @@ -4,6 +4,9 @@ name: S3 primary storage integration tests on: pull_request: +permissions: + contents: read + concurrency: group: integration-s3-primary-${{ github.head_ref || github.run_id }} cancel-in-progress: true 
@@ -50,12 +53,12 @@ jobs: services: redis: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 ports: - 6379:6379/tcp minio: - image: bitnami/minio + image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22 env: MINIO_ROOT_USER: nextcloud MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ= @@ -65,8 +68,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/integration-sqlite.yml b/.github/workflows/integration-sqlite.yml index 7c29f9a9e6326..fa566a870fe3e 100644 --- a/.github/workflows/integration-sqlite.yml +++ b/.github/workflows/integration-sqlite.yml @@ -75,12 +75,12 @@ jobs: services: redis: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 ports: - 6379:6379/tcp openldap: - image: ghcr.io/nextcloud/continuous-integration-openldap:openldap-7 + image: ghcr.io/nextcloud/continuous-integration-openldap:openldap-7 # zizmor: ignore[unpinned-images] ports: - 389:389 env: 
@@ -91,14 +91,16 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Checkout Talk app if: ${{ matrix.test-suite == 'videoverification_features' }} - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false repository: nextcloud/spreed path: apps/spreed ref: ${{ matrix.spreed-versions }} diff --git a/.github/workflows/lint-eslint.yml b/.github/workflows/lint-eslint.yml index e53cc1977f279..43e964b5aaf26 100644 --- a/.github/workflows/lint-eslint.yml +++ b/.github/workflows/lint-eslint.yml @@ -20,6 +20,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src}} @@ -53,7 +56,9 @@ jobs: steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Read package.json node and npm engines version uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 @@ -63,7 +68,7 @@ jobs: fallbackNpm: '^10' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v3 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} diff --git a/.github/workflows/lint-php-cs.yml b/.github/workflows/lint-php-cs.yml index f2af7aea5351c..b5856794b470d 100644 --- a/.github/workflows/lint-php-cs.yml +++ b/.github/workflows/lint-php-cs.yml 
@@ -48,7 +48,9 @@ jobs: steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up php8.1 uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 diff --git a/.github/workflows/lint-php.yml b/.github/workflows/lint-php.yml index 4941de4be16b4..298ab483dbb3a 100644 --- a/.github/workflows/lint-php.yml +++ b/.github/workflows/lint-php.yml @@ -53,7 +53,9 @@ jobs: steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up php ${{ matrix.php-versions }} uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 diff --git a/.github/workflows/node-test.yml b/.github/workflows/node-test.yml index 63c079c32f37b..f4d4d94e3361a 100644 --- a/.github/workflows/node-test.yml +++ b/.github/workflows/node-test.yml @@ -23,6 +23,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src}} @@ -59,7 +62,9 @@ jobs: steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Read package.json node and npm engines version uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 
@@ -80,10 +85,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up node ${{ needs.versions.outputs.nodeVersion }} - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ needs.versions.outputs.nodeVersion }} @@ -99,7 +106,7 @@ jobs: run: npm run test:coverage --if-present - name: Collect coverage - uses: codecov/codecov-action@922d8d7b314a529f2be903c1e79ee8283c492863 # v4.3.1 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./coverage/lcov.info @@ -114,10 +121,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up node ${{ needs.versions.outputs.nodeVersion }} - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ needs.versions.outputs.nodeVersion }} @@ -142,10 +151,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up node ${{ needs.versions.outputs.nodeVersion }} - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ needs.versions.outputs.nodeVersion }} diff --git a/.github/workflows/node.yml b/.github/workflows/node.yml index 913768c24925f..7bd4338ae9e10 100644 --- a/.github/workflows/node.yml 
+++ b/.github/workflows/node.yml @@ -20,6 +20,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src}} @@ -53,7 +56,9 @@ jobs: name: NPM build steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Read package.json node and npm engines version uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 @@ -63,7 +68,7 @@ jobs: fallbackNpm: '^10' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v3 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} diff --git a/.github/workflows/npm-audit-fix.yml b/.github/workflows/npm-audit-fix.yml index 64fb9a4067649..3a6c43d281e86 100644 --- a/.github/workflows/npm-audit-fix.yml +++ b/.github/workflows/npm-audit-fix.yml @@ -14,6 +14,9 @@ on: # At 2:30 on Sundays - cron: '30 2 * * 0' +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -27,9 +30,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + id: checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false ref: ${{ matrix.branches }} + continue-on-error: true - name: Read package.json node and npm engines version uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 
@@ -39,7 +45,7 @@ jobs: fallbackNpm: '^10' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v3 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} @@ -48,10 +54,10 @@ jobs: - name: Fix npm audit id: npm-audit - uses: nextcloud-libraries/npm-audit-action@2a60bd2e79cc77f2cc4d9a3fe40f1a69896f3a87 # v0.1.0 + uses: nextcloud-libraries/npm-audit-action@1b1728b2b4a7a78d69de65608efcf4db0e3e42d0 # v0.2.0 - name: Run npm ci and npm run build - if: always() + if: steps.checkout.outcome == 'success' env: CYPRESS_INSTALL_BINARY: 0 run: | @@ -59,8 +65,8 @@ jobs: npm run build --if-present - name: Create Pull Request - if: always() - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 + if: steps.checkout.outcome == 'success' + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: token: ${{ secrets.COMMAND_BOT_PAT }} commit-message: 'fix(deps): Fix npm audit' diff --git a/.github/workflows/object-storage-azure.yml b/.github/workflows/object-storage-azure.yml index 3dd34f84e5b21..c6c17f859e8e5 100644 --- a/.github/workflows/object-storage-azure.yml +++ b/.github/workflows/object-storage-azure.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "15 2 * * *" +permissions: + contents: read + concurrency: group: object-storage-azure-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -54,7 +57,7 @@ jobs: services: azurite: - image: mcr.microsoft.com/azure-storage/azurite + image: mcr.microsoft.com/azure-storage/azurite@sha256:0a47e12e3693483cef5c71f35468b91d751611f172d2f97414e9c69113b106d9 # v3.34.0 env: AZURITE_ACCOUNTS: nextcloud:bmV4dGNsb3Vk ports: 
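Review bot: The `steps.checkout.outcome == 'success'` guard that replaces `if: always()` on "Run npm ci and npm run build" and "Create Pull Request" is not applied to the steps in between, so when the checkout is allowed to fail (`continue-on-error: true` in the previous hunk) "Set up node" and "Fix npm audit" still run against an empty workspace; the audit action is visible in this hunk with no `if:` at all. Add the same condition to those steps, e.g. `if: steps.checkout.outcome == 'success'` directly under `id: npm-audit`, and likewise on the setup-node and read-engines steps. If the intent is that a missing matrix branch skips the whole job, a single job-level check would be cleaner than per-step guards, but that is inferred from the fallback and may not be the goal.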
@@ -62,15 +65,16 @@ jobs: options: --health-cmd="nc 127.0.0.1 10000 -z" --health-interval=1s --health-retries=30 cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -105,7 +109,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@v4.5.0 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-azure diff --git a/.github/workflows/object-storage-s3.yml b/.github/workflows/object-storage-s3.yml index 39864367321be..2b65873e68f1b 100644 --- a/.github/workflows/object-storage-s3.yml +++ b/.github/workflows/object-storage-s3.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "15 2 * * *" +permissions: + contents: read + concurrency: group: object-storage-s3-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -54,13 +57,13 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 minio: - image: bitnami/minio + image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22 env: MINIO_ROOT_USER: nextcloud MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ= 
@@ -70,8 +73,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -111,7 +115,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@v4.5.0 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-s3 diff --git a/.github/workflows/object-storage-swift.yml b/.github/workflows/object-storage-swift.yml index 401a7f5af53f0..596a49e12cb9f 100644 --- a/.github/workflows/object-storage-swift.yml +++ b/.github/workflows/object-storage-swift.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "15 2 * * *" +permissions: + contents: read + concurrency: group: object-storage-swift-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -54,21 +57,22 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 swift: - image: ghcr.io/cscfi/docker-keystone-swift + image: ghcr.io/cscfi/docker-keystone-swift@sha256:e8b1ec21120ab9adc6ac6a2b98785fd273676439a8633fe898e37f2aea7e0712 ports: - 5000:5000 - 8080:8080 steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} 
@@ -101,7 +105,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@v4.5.0 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-swift diff --git a/.github/workflows/openapi.yml b/.github/workflows/openapi.yml index 282684aef89f7..98fcd4639b602 100644 --- a/.github/workflows/openapi.yml +++ b/.github/workflows/openapi.yml @@ -26,7 +26,9 @@ jobs: steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up php uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml index 8cd6ea6e20b34..7c4c0654d1c21 100644 --- a/.github/workflows/performance.yml +++ b/.github/workflows/performance.yml @@ -4,6 +4,9 @@ name: Performance testing on: pull_request: +permissions: + contents: read + concurrency: group: performance-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -14,6 +17,9 @@ jobs: if: ${{ github.repository_owner != 'nextcloud-gmbh' }} + permissions: + pull-requests: write + strategy: fail-fast: false matrix: @@ -29,8 +35,9 @@ jobs: exit 1 - name: Checkout server before PR - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true ref: ${{ github.event.pull_request.base.ref }} @@ -49,7 +56,7 @@ jobs: php -S localhost:8080 & - name: Apply blueprint - uses: icewind1991/blueprint@v0.1.2 + uses: icewind1991/blueprint@00504403f76cb2a09efd0d16793575055e6f63cb # v0.1.2 with: blueprint: tests/blueprints/basic.toml ref: ${{ github.event.pull_request.head.ref }} 
@@ -66,7 +73,7 @@ jobs: output: before.json profiler-branch: stable30 - - name: Apply PR + - name: Apply PR # zizmor: ignore[template-injection] run: | git remote add pr '${{ github.event.pull_request.head.repo.clone_url }}' git fetch pr '${{ github.event.pull_request.head.ref }}' @@ -91,14 +98,14 @@ jobs: - name: Upload profiles if: always() - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 with: name: profiles path: | before.json after.json - - uses: actions/github-script@v7 + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7 if: failure() && steps.compare.outcome == 'failure' with: github-token: ${{secrets.GITHUB_TOKEN}} diff --git a/.github/workflows/phpunit-32bits.yml b/.github/workflows/phpunit-32bits.yml index 321d833dd068d..ce04dd98858e0 100644 --- a/.github/workflows/phpunit-32bits.yml +++ b/.github/workflows/phpunit-32bits.yml @@ -32,8 +32,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Install tools diff --git a/.github/workflows/phpunit-mariadb.yml b/.github/workflows/phpunit-mariadb.yml index 0d393f2ef5f41..aaae0f4393f4d 100644 --- a/.github/workflows/phpunit-mariadb.yml +++ b/.github/workflows/phpunit-mariadb.yml @@ -23,6 +23,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src}} @@ -66,7 +69,7 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 
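Review bot: The `# zizmor: ignore[template-injection]` on "Apply PR" suppresses a real finding rather than fixing it: `${{ github.event.pull_request.head.ref }}` is substituted into the script text before bash runs it, and the single quotes do not help because git ref names may legally contain `'`, `$`, `;` and backticks, so a PR branch named to close the quote runs arbitrary commands in the job. On a `pull_request` from a fork the token is read-only, but the same job is granted `pull-requests: write` in an earlier hunk, which applies to branches pushed to this repository. Pass both values through `env:` and reference them as quoted shell variables, which needs no ignore comment. The `run:` script may continue beyond the hunk; the fence shows only the rewritten step header and the two visible commands.
```yaml
      - name: Apply PR
        env:
          PR_CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
          PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          git remote add pr "$PR_CLONE_URL"
          git fetch pr "$PR_HEAD_REF"
          # … unchanged: remainder of the script, if any …
```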
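Review bot: The new `actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02` pin in "Upload profiles" is the only SHA pin in this hunk without a `# vX.Y.Z` annotation, while the `github-script` pin right below it carries `# v7`. Add the release comment so reviewers and automated bumpers can tell which version the digest corresponds to, matching the convention used elsewhere in this diff.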
@@ -84,8 +87,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -122,7 +126,7 @@ jobs: - name: Upload db code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@v4.5.0 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.db.xml flags: phpunit-mariadb diff --git a/.github/workflows/phpunit-memcached.yml b/.github/workflows/phpunit-memcached.yml index 69b5dd7d8f042..2f3889a54a85f 100644 --- a/.github/workflows/phpunit-memcached.yml +++ b/.github/workflows/phpunit-memcached.yml @@ -64,15 +64,16 @@ jobs: services: memcached: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 11212:11212/tcp - 11212:11212/udp steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -101,7 +102,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@v4.5.0 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-memcached diff --git a/.github/workflows/phpunit-mysql-sharding.yml b/.github/workflows/phpunit-mysql-sharding.yml index 40727b385c425..822dccd2118df 100644 --- a/.github/workflows/phpunit-mysql-sharding.yml +++ b/.github/workflows/phpunit-mysql-sharding.yml 
@@ -62,13 +62,13 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 mysql: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 4444:3306/tcp env: @@ -78,7 +78,7 @@ jobs: MYSQL_DATABASE: oc_autotest options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 10 shard1: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 5001:3306/tcp env: @@ -88,7 +88,7 @@ jobs: MYSQL_DATABASE: nextcloud options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 10 shard2: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 5002:3306/tcp env: @@ -98,7 +98,7 @@ jobs: MYSQL_DATABASE: nextcloud options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 10 shard3: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 5003:3306/tcp env: 
@@ -108,7 +108,7 @@ jobs: MYSQL_DATABASE: nextcloud options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 10 shard4: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 5004:3306/tcp env: @@ -120,8 +120,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -159,7 +160,7 @@ jobs: - name: Upload db code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@v4.1.1 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.db.xml flags: phpunit-mysql diff --git a/.github/workflows/phpunit-mysql.yml b/.github/workflows/phpunit-mysql.yml index 110a2da9c7402..3965f00f216bc 100644 --- a/.github/workflows/phpunit-mysql.yml +++ b/.github/workflows/phpunit-mysql.yml @@ -23,6 +23,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src }} @@ -66,13 +69,13 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 mysql: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 4444:3306/tcp env: 
@@ -84,8 +87,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -122,7 +126,7 @@ jobs: - name: Upload db code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@v4.5.0 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.db.xml flags: phpunit-mysql diff --git a/.github/workflows/phpunit-nodb.yml b/.github/workflows/phpunit-nodb.yml index e632629b8ad49..4b222545e692c 100644 --- a/.github/workflows/phpunit-nodb.yml +++ b/.github/workflows/phpunit-nodb.yml @@ -67,15 +67,16 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -107,7 +108,7 @@ jobs: - name: Upload nodb code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@v4.5.0 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.nodb.xml flags: phpunit-nodb diff --git a/.github/workflows/phpunit-object-store-primary.yml b/.github/workflows/phpunit-object-store-primary.yml index 0c8140a96ce2e..4ac1bc84994aa 100644 --- a/.github/workflows/phpunit-object-store-primary.yml +++ b/.github/workflows/phpunit-object-store-primary.yml 
@@ -6,6 +6,9 @@ on: schedule: - cron: "15 2 * * *" +permissions: + contents: read + concurrency: group: phpunit-object-store-primary-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -54,13 +57,13 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 minio: - image: bitnami/minio + image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22 env: MINIO_ROOT_USER: nextcloud MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ= @@ -70,8 +73,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/phpunit-oci.yml b/.github/workflows/phpunit-oci.yml index fe449820a7840..a83836de9f13e 100644 --- a/.github/workflows/phpunit-oci.yml +++ b/.github/workflows/phpunit-oci.yml @@ -23,6 +23,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src }} @@ -71,7 +74,7 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 
@@ -96,8 +99,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -127,7 +131,7 @@ jobs: - name: Upload db code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@v4.5.0 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.db.xml flags: phpunit-oci diff --git a/.github/workflows/phpunit-pgsql.yml b/.github/workflows/phpunit-pgsql.yml index 957bae2079b37..c12a4567c8e60 100644 --- a/.github/workflows/phpunit-pgsql.yml +++ b/.github/workflows/phpunit-pgsql.yml @@ -23,6 +23,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src }} @@ -67,13 +70,13 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 postgres: - image: ghcr.io/nextcloud/continuous-integration-postgres-${{ matrix.postgres-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-postgres-${{ matrix.postgres-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 4444:5432/tcp env: @@ -84,8 +87,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} 
@@ -117,7 +121,7 @@ jobs: - name: Upload db code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@v4.5.0 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.db.xml flags: phpunit-postgres diff --git a/.github/workflows/phpunit-sqlite.yml b/.github/workflows/phpunit-sqlite.yml index 582f3bc5b8503..8fa7ff770e099 100644 --- a/.github/workflows/phpunit-sqlite.yml +++ b/.github/workflows/phpunit-sqlite.yml @@ -23,6 +23,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src }} @@ -64,15 +67,16 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -105,7 +109,7 @@ jobs: - name: Upload db code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@v4.5.0 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.db.xml flags: phpunit-sqlite diff --git a/.github/workflows/pr-feedback.yml b/.github/workflows/pr-feedback.yml index 7b68226f89d53..bc5560796e3cf 100644 --- a/.github/workflows/pr-feedback.yml +++ b/.github/workflows/pr-feedback.yml 
@@ -15,12 +15,17 @@ on: schedule: - cron: '30 1 * * *' +permissions: + contents: read + pull-requests: write + jobs: pr-feedback: + if: ${{ github.repository_owner == 'nextcloud' }} runs-on: ubuntu-latest steps: - name: The get-github-handles-from-website action - uses: marcelklehr/get-github-handles-from-website-action@a739600f6b91da4957f51db0792697afbb2f143c # v1.0.0 + uses: marcelklehr/get-github-handles-from-website-action@06b2239db0a48fe1484ba0bfd966a3ab81a08308 # v1.0.1 id: scrape with: website: 'https://nextcloud.com/team/' @@ -31,7 +36,7 @@ jobs: blocklist=$(curl https://raw.githubusercontent.com/nextcloud/.github/master/non-community-usernames.txt | paste -s -d, -) echo "blocklist=$blocklist" >> "$GITHUB_OUTPUT" - - uses: marcelklehr/pr-feedback-action@1883b38a033fb16f576875e0cf45f98b857655c4 + - uses: nextcloud/pr-feedback-action@1883b38a033fb16f576875e0cf45f98b857655c4 # main with: feedback-message: | Hello there, diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml index 031e80a835554..95a8626a4a51d 100644 --- a/.github/workflows/reuse.yml +++ b/.github/workflows/reuse.yml @@ -11,12 +11,17 @@ name: REUSE Compliance Check on: [pull_request] +permissions: + contents: read + jobs: reuse-compliance-check: - runs-on: ubuntu-latest + runs-on: ubuntu-latest-low steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - - name: REUSE Compliance Check - uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4.0.0 + - name: REUSE Compliance Check + uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5.0.0 diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index cced0a2d468fb..d8fdaca0dee20 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml 
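Review bot: The blocklist fetch on the context line of this hunk runs `curl` without `--fail`, so an HTTP error body from raw.githubusercontent.com is piped into `paste` as if it were the username list and the job continues with a bogus `blocklist` output feeding the feedback action below. Change it to `blocklist=$(curl -fsSL https://raw.githubusercontent.com/nextcloud/.github/master/non-community-usernames.txt | paste -s -d, -)`; unless the step sets `shell: bash` above the hunk, a plain `run:` has no `pipefail`, so the curl exit code inside the pipe is still masked and downloading to a file first (checking the exit status) is the robust form. Separately, the moved `nextcloud/pr-feedback-action@1883b38a…  # main` pin annotates the SHA with a branch name rather than a release, which leaves the intended version ambiguous for whoever bumps it next.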
@@ -7,6 +7,9 @@ on: schedule: - cron: "0 0 * * *" +permissions: + contents: read + jobs: stale: runs-on: ubuntu-latest @@ -17,7 +20,7 @@ jobs: issues: write steps: - - uses: actions/stale@v9 + - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9 with: repo-token: ${{ secrets.COMMAND_BOT_PAT }} stale-issue-message: > @@ -27,7 +30,6 @@ jobs: for your contributions. stale-issue-label: 'stale' only-labels: 'needs info' - labels-to-remove-when-unstale: 'needs info,stale' exempt-issue-labels: '1. to develop,2. developing,3. to review,4. to release,security' days-before-stale: 30 days-before-close: 14 diff --git a/.github/workflows/static-code-analysis.yml b/.github/workflows/static-code-analysis.yml index 8aaccb8ce0128..84f88c2f5e197 100644 --- a/.github/workflows/static-code-analysis.yml +++ b/.github/workflows/static-code-analysis.yml @@ -4,6 +4,17 @@ name: Psalm static code analysis on: pull_request: + push: + branches: + - main + - master + - stable* + paths: + - '.github/workflows/static-code-analysis.yml' + - '**.php' + +permissions: + contents: read concurrency: group: static-code-analysis-${{ github.head_ref || github.run_id }} @@ -13,12 +24,13 @@ jobs: static-code-analysis: runs-on: ubuntu-latest - if: ${{ github.repository_owner != 'nextcloud-gmbh' }} + if: ${{ github.event_name != 'push' && github.repository_owner != 'nextcloud-gmbh' }} steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: + persist-credentials: false submodules: true - name: Set up php @@ -49,10 +61,13 @@ jobs: static-code-analysis-security: runs-on: ubuntu-latest + if: ${{ github.repository_owner != 'nextcloud-gmbh' }} + steps: - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: + persist-credentials: false submodules: true - name: Set up php 
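Review bot: The stale job keeps `repo-token: ${{ secrets.COMMAND_BOT_PAT }}` even though the job already grants `issues: write` (visible context in this hunk) and the workflow now sets `permissions: contents: read`, so a long-lived PAT with broader reach than the job token is used where `repo-token: ${{ secrets.GITHUB_TOKEN }}` would do. If the PAT is kept deliberately so that stale notices are posted by the bot identity, a one-line comment above `repo-token:` saying so would stop the next reviewer from asking; otherwise switch to the job token and drop the PAT from this workflow.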
@@ -70,17 +85,20 @@ jobs: - name: Upload Security Analysis results to GitHub if: always() - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3 with: sarif_file: results.sarif static-code-analysis-ocp: runs-on: ubuntu-latest + if: ${{ github.event_name != 'push' && github.repository_owner != 'nextcloud-gmbh' }} + steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: + persist-credentials: false submodules: true - name: Set up php diff --git a/.github/workflows/update-cacert-bundle.yml b/.github/workflows/update-cacert-bundle.yml index bd268ed838def..cefdb2a34efe3 100644 --- a/.github/workflows/update-cacert-bundle.yml +++ b/.github/workflows/update-cacert-bundle.yml @@ -7,6 +7,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + jobs: update-ca-certificate-bundle: runs-on: ubuntu-latest @@ -19,8 +22,9 @@ jobs: name: update-ca-certificate-bundle-${{ matrix.branches }} steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false ref: ${{ matrix.branches }} submodules: true @@ -28,7 +32,7 @@ jobs: run: curl --etag-compare build/ca-bundle-etag.txt --etag-save build/ca-bundle-etag.txt --output resources/config/ca-bundle.crt https://curl.se/ca/cacert.pem - name: Create Pull Request - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e with: token: ${{ secrets.COMMAND_BOT_PAT }} commit-message: 'fix(security): Update CA certificate bundle' diff --git a/.github/workflows/update-code-signing-crl.yml b/.github/workflows/update-code-signing-crl.yml index c19f471eab997..5030bd9ba7ac6 100644 --- a/.github/workflows/update-code-signing-crl.yml 
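Review bot: With `permissions: contents: read` now set at the workflow level (an earlier hunk of this file) and no `permissions:` block visible on the `static-code-analysis-security` job, the `github/codeql-action/upload-sarif` step in this hunk loses the `security-events: write` scope it requires, so the upload would fail with a 403 on the new `push` trigger, which is the only event that job now runs on alone since its siblings got the `event_name != 'push'` exclusion. Grant the scope on that job only, under its `runs-on:`: `permissions:` / `  contents: read` / `  security-events: write`. If the job does declare permissions somewhere outside the visible hunks, disregard.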
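Review bot: The bundle download on the context line of this hunk has no `--fail`, so an HTTP error page from curl.se would be written straight into `resources/config/ca-bundle.crt` and then turned into a PR by the `create-pull-request` step this hunk bumps; there is also no integrity check before the trust store is replaced, unlike the sibling CRL workflow which verifies with `openssl crl -verify`. Change it to `run: curl -fsS --etag-compare build/ca-bundle-etag.txt --etag-save build/ca-bundle-etag.txt --output resources/config/ca-bundle.crt https://curl.se/ca/cacert.pem` and add a step before the PR is opened that checks the file against the `.sha256` digest curl.se publishes alongside the bundle, or at minimum confirms the file still parses as a PEM certificate bundle.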
+++ b/.github/workflows/update-code-signing-crl.yml @@ -7,6 +7,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + jobs: update-code-signing-crl: runs-on: ubuntu-latest @@ -19,8 +22,9 @@ jobs: name: update-code-signing-crl-${{ matrix.branches }} steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false ref: ${{ matrix.branches }} submodules: true @@ -31,7 +35,7 @@ jobs: run: openssl crl -verify -in resources/codesigning/root.crl -CAfile resources/codesigning/root.crt -noout - name: Create Pull Request - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e with: token: ${{ secrets.COMMAND_BOT_PAT }} commit-message: 'fix(security): Update code signing revocation list'