From 8b92f695b73207e8020fb904ba8bbaa12dcaea8a Mon Sep 17 00:00:00 2001 From: Andy Scherzinger Date: Fri, 23 May 2025 09:26:21 +0200 Subject: [PATCH] ci(gh): Sync actions Signed-off-by: Andy Scherzinger --- .../workflows/block-unconventional-commits.yml | 2 ++ .github/workflows/command-compile.yml | 4 ++++ .github/workflows/cypress.yml | 14 +++++++++++--- .github/workflows/dependabot-approve-merge.yml | 4 ++-- .github/workflows/files-external-ftp.yml | 2 +- .github/workflows/files-external-s3.yml | 4 ++-- .github/workflows/files-external-sftp.yml | 2 +- .github/workflows/files-external-smb.yml | 2 +- .github/workflows/files-external-webdav.yml | 2 +- .github/workflows/files-external.yml | 2 +- .github/workflows/lint-eslint.yml | 7 ++++++- .github/workflows/lint-php-cs.yml | 2 +- .github/workflows/lint-php.yml | 4 +++- .github/workflows/lint-stylelint.yml | 2 ++ .github/workflows/node-test.yml | 7 ++++++- .github/workflows/node.yml | 7 ++++++- .github/workflows/npm-audit-fix.yml | 2 +- .github/workflows/object-storage-azure.yml | 2 +- .github/workflows/object-storage-s3.yml | 2 +- .github/workflows/object-storage-swift.yml | 2 +- .github/workflows/openapi.yml | 4 +++- .github/workflows/phpunit-mariadb.yml | 8 ++++++-- .github/workflows/phpunit-memcached.yml | 2 +- .github/workflows/phpunit-mysql-sharding.yml | 2 +- .github/workflows/phpunit-mysql.yml | 10 +++++++--- .github/workflows/phpunit-nodb.yml | 2 +- .github/workflows/phpunit-oci.yml | 8 ++++++-- .github/workflows/phpunit-pgsql.yml | 8 ++++++-- .github/workflows/phpunit-sqlite.yml | 8 ++++++-- .github/workflows/pr-feedback.yml | 7 ++++++- .github/workflows/reuse.yml | 15 ++++++++++----- .github/workflows/static-code-analysis.yml | 4 ++++ 32 files changed, 111 insertions(+), 42 deletions(-) diff --git a/.github/workflows/block-unconventional-commits.yml b/.github/workflows/block-unconventional-commits.yml index b4239109cd0..6bf1a79c941 100644 --- a/.github/workflows/block-unconventional-commits.yml 
+++ b/.github/workflows/block-unconventional-commits.yml @@ -28,6 +28,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: webiny/action-conventional-commits@8bc41ff4e7d423d56fa4905f6ff79209a78776c7 # v1.3.0 with: diff --git a/.github/workflows/command-compile.yml b/.github/workflows/command-compile.yml index faf3d510335..d5ecf01af61 100644 --- a/.github/workflows/command-compile.yml +++ b/.github/workflows/command-compile.yml @@ -11,6 +11,9 @@ on: issue_comment: types: [created] +permissions: + contents: read + jobs: init: runs-on: ubuntu-latest @@ -102,6 +105,7 @@ jobs: - name: Checkout ${{ needs.init.outputs.head_ref }} uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + # Needed to allow force push later persist-credentials: true token: ${{ secrets.COMMAND_BOT_PAT }} fetch-depth: 0 diff --git a/.github/workflows/cypress.yml b/.github/workflows/cypress.yml index bd8298678a0..b5b8b534d8c 100644 --- a/.github/workflows/cypress.yml +++ b/.github/workflows/cypress.yml @@ -18,9 +18,16 @@ env: # Adjust APP_NAME if your repository name is different APP_NAME: ${{ github.event.repository.name }} - # Server requires head_ref instead of base_ref, as we want to test the PR branch + # This represents the server branch to checkout. + # Usually it's the base branch of the PR, but for pushes it's the branch itself. + # e.g. 'main', 'stable27' or 'feature/my-feature' + # n.b. server will use head_ref, as we want to test the PR branch. BRANCH: ${{ github.head_ref || github.ref_name }} + +permissions: + contents: read + jobs: init: runs-on: ubuntu-latest @@ -43,6 +50,7 @@ jobs: - name: Checkout server uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false # We need to checkout submodules for 3rdparty submodules: true 
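Review bot: In command-compile.yml (hunk at -102,6) the checkout keeps `persist-credentials: true` together with `token: ${{ secrets.COMMAND_BOT_PAT }}`, so the PAT is written to the local git config and stays readable by every later step of the job. The new workflow-level `permissions: contents: read` does not limit it, because that block only scopes GITHUB_TOKEN. The added comment gives the reason but not the exposure; I would extend it to `# Needed to allow force push later. The PAT stays in .git/config for the rest of the job: no step before the push may run untrusted PR code`. The steps after the checkout are outside this hunk, so whether any of them builds the checked-out head ref needs confirming; if one does, checking out with `persist-credentials: false` and supplying the token only in the push step would narrow the window.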
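Review bot: In cypress.yml (hunk at -18,9) the new comment above `BRANCH` contradicts itself: it first says the value is usually the PR's base branch, then that the server uses head_ref, while the expression is `${{ github.head_ref || github.ref_name }}`. I would reduce it to `# Branch under test: the PR head branch, or the pushed branch for push events`. Because `github.head_ref` is a name chosen by the PR author, the comment could also state that consumers should read it only as a quoted `"$BRANCH"` value; the steps that use it are outside this hunk. The hunk also leaves two blank lines before `permissions:` where one is enough.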
@@ -80,7 +88,7 @@ jobs: run: npm run cypress:version - name: Save context - uses: buildjet/cache/save@v4 + uses: buildjet/cache/save@3e70d19e31d6a8030aeddf6ed8dbe601f94d09f4 # v4.0.2 with: key: cypress-context-${{ github.run_id }} path: ./ @@ -148,7 +156,7 @@ jobs: steps: - name: Restore context - uses: buildjet/cache/restore@v4 + uses: buildjet/cache/restore@3e70d19e31d6a8030aeddf6ed8dbe601f94d09f4 # v4.0.2 with: fail-on-cache-miss: true key: cypress-context-${{ github.run_id }} diff --git a/.github/workflows/dependabot-approve-merge.yml b/.github/workflows/dependabot-approve-merge.yml index efe8bfe37f7..ed902d92807 100644 --- a/.github/workflows/dependabot-approve-merge.yml +++ b/.github/workflows/dependabot-approve-merge.yml @@ -9,7 +9,7 @@ name: Dependabot on: - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] branches: - main - master @@ -24,7 +24,7 @@ concurrency: jobs: auto-approve-merge: - if: github.actor == 'dependabot[bot]' || github.actor == 'renovate[bot]' + if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'renovate[bot]' runs-on: ubuntu-latest-low permissions: # for hmarr/auto-approve-action to approve PRs diff --git a/.github/workflows/files-external-ftp.yml b/.github/workflows/files-external-ftp.yml index 0ae892479fe..1dcf5e4bed5 100644 --- a/.github/workflows/files-external-ftp.yml +++ b/.github/workflows/files-external-ftp.yml @@ -101,7 +101,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-files-external-ftp diff --git a/.github/workflows/files-external-s3.yml b/.github/workflows/files-external-s3.yml index a2ae746f994..f3f5e99e1e9 100644 --- a/.github/workflows/files-external-s3.yml +++ b/.github/workflows/files-external-s3.yml 
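Review bot: In dependabot-approve-merge.yml (hunk at -24,7) the new `if:` on `github.event.pull_request.user.login` verifies who opened the PR, not who authored the commits now on its head, so commits pushed later to a bot-opened branch by anyone with write access would presumably still be approved and merged. I would record that limit next to the condition, e.g. `# Checks the PR author only; later commits on the bot's branch are not verified`, and consider an additional check on the head commit if that matters for branch protection here. The job's steps are outside the hunk, so this is inferred from the condition alone. In the hunk at -9,7, the `# zizmor: ignore[dangerous-triggers]` suppression has no stated reason; a one-line comment above `pull_request_target:` saying why the trigger is safe in this workflow would let the next reviewer re-check that assumption.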
@@ -99,7 +99,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-files-external-s3 @@ -173,7 +173,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-files-external-s3 diff --git a/.github/workflows/files-external-sftp.yml b/.github/workflows/files-external-sftp.yml index 44f0168bcb4..b4b8adaff4d 100644 --- a/.github/workflows/files-external-sftp.yml +++ b/.github/workflows/files-external-sftp.yml @@ -90,7 +90,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-files-external-sftp diff --git a/.github/workflows/files-external-smb.yml b/.github/workflows/files-external-smb.yml index 91f63924058..892705a8183 100644 --- a/.github/workflows/files-external-smb.yml +++ b/.github/workflows/files-external-smb.yml @@ -95,7 +95,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-files-external-smb diff --git a/.github/workflows/files-external-webdav.yml b/.github/workflows/files-external-webdav.yml index 46d65846a9e..7398a2b59b7 100644 --- a/.github/workflows/files-external-webdav.yml +++ b/.github/workflows/files-external-webdav.yml 
@@ -92,7 +92,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-files-external-webdav diff --git a/.github/workflows/files-external.yml b/.github/workflows/files-external.yml index 79fcc2696a1..967decbedf7 100644 --- a/.github/workflows/files-external.yml +++ b/.github/workflows/files-external.yml @@ -80,7 +80,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-files-external-generic diff --git a/.github/workflows/lint-eslint.yml b/.github/workflows/lint-eslint.yml index 0624fd232a3..43e964b5aaf 100644 --- a/.github/workflows/lint-eslint.yml +++ b/.github/workflows/lint-eslint.yml @@ -20,6 +20,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src}} @@ -54,6 +57,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Read package.json node and npm engines version uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 @@ -63,7 +68,7 @@ jobs: fallbackNpm: '^10' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v3 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} diff --git a/.github/workflows/lint-php-cs.yml b/.github/workflows/lint-php-cs.yml index 9d2c92b88cb..9d6858b16a6 100644 
--- a/.github/workflows/lint-php-cs.yml +++ b/.github/workflows/lint-php-cs.yml @@ -51,7 +51,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up php8.1 - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 with: php-version: 8.1 extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite diff --git a/.github/workflows/lint-php.yml b/.github/workflows/lint-php.yml index ddbf9411bf4..a29db2af4e2 100644 --- a/.github/workflows/lint-php.yml +++ b/.github/workflows/lint-php.yml @@ -54,9 +54,11 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 with: php-version: ${{ matrix.php-versions }} coverage: none diff --git a/.github/workflows/lint-stylelint.yml b/.github/workflows/lint-stylelint.yml index 4eaa131bb3d..22c0f445801 100644 --- a/.github/workflows/lint-stylelint.yml +++ b/.github/workflows/lint-stylelint.yml @@ -26,6 +26,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Read package.json node and npm engines version uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 diff --git a/.github/workflows/node-test.yml b/.github/workflows/node-test.yml index f0219c7b1dd..bdd8dcf5a17 100644 --- a/.github/workflows/node-test.yml +++ b/.github/workflows/node-test.yml 
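Review bot: The checkout step visible as context in the lint-php-cs.yml hunk still has no `with:` block, so it keeps actions/checkout's default of persisting the token in the local git config. This differs from lint-php.yml, lint-stylelint.yml and openapi.yml, which this same commit hardens. Add `with:` and `persist-credentials: false` under that `uses: actions/checkout@…` line. The workflows that only receive the codecov bump here (files-external-*, object-storage-*, phpunit-memcached, phpunit-nodb, phpunit-mysql-sharding) do not show their checkout steps in the diff, so they may need the same check.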
@@ -23,6 +23,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src}} @@ -60,6 +63,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Read package.json node and npm engines version uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 @@ -99,7 +104,7 @@ jobs: run: npm run test:coverage --if-present - name: Collect coverage - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./coverage/lcov.info diff --git a/.github/workflows/node.yml b/.github/workflows/node.yml index 830d7bc60e0..7bd4338ae9e 100644 --- a/.github/workflows/node.yml +++ b/.github/workflows/node.yml @@ -20,6 +20,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src}} @@ -54,6 +57,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Read package.json node and npm engines version uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 @@ -63,7 +68,7 @@ jobs: fallbackNpm: '^10' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v3 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} diff --git a/.github/workflows/npm-audit-fix.yml b/.github/workflows/npm-audit-fix.yml index f9f93d4f61c..7e7fe1dabc6 100644 --- a/.github/workflows/npm-audit-fix.yml +++ b/.github/workflows/npm-audit-fix.yml 
@@ -24,7 +24,7 @@ jobs: strategy: fail-fast: false matrix: - branches: ['main', 'master', 'stable31', 'stable30', 'stable29'] + branches: ['main', 'master', 'stable31', 'stable30'] name: npm-audit-fix-${{ matrix.branches }} diff --git a/.github/workflows/object-storage-azure.yml b/.github/workflows/object-storage-azure.yml index 85b42f5e55d..af653c9c043 100644 --- a/.github/workflows/object-storage-azure.yml +++ b/.github/workflows/object-storage-azure.yml @@ -105,7 +105,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-azure diff --git a/.github/workflows/object-storage-s3.yml b/.github/workflows/object-storage-s3.yml index 19f500bac9e..8bd2571a603 100644 --- a/.github/workflows/object-storage-s3.yml +++ b/.github/workflows/object-storage-s3.yml @@ -111,7 +111,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-s3 diff --git a/.github/workflows/object-storage-swift.yml b/.github/workflows/object-storage-swift.yml index dd28ec6cfaa..15cb113f246 100644 --- a/.github/workflows/object-storage-swift.yml +++ b/.github/workflows/object-storage-swift.yml @@ -101,7 +101,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-swift diff --git a/.github/workflows/openapi.yml b/.github/workflows/openapi.yml index 1d5cdd45c24..ec686844f03 100644 --- a/.github/workflows/openapi.yml 
+++ b/.github/workflows/openapi.yml @@ -27,9 +27,11 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up php - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 with: php-version: '8.1' extensions: ctype, curl, dom, fileinfo, gd, json, libxml, mbstring, openssl, pcntl, pdo, posix, session, simplexml, xml, xmlreader, xmlwriter, zip, zlib diff --git a/.github/workflows/phpunit-mariadb.yml b/.github/workflows/phpunit-mariadb.yml index d48efc7aeb9..37e01829aeb 100644 --- a/.github/workflows/phpunit-mariadb.yml +++ b/.github/workflows/phpunit-mariadb.yml @@ -23,6 +23,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src}} @@ -88,10 +91,11 @@ jobs: - name: Checkout server uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation @@ -124,7 +128,7 @@ jobs: - name: Upload db code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.db.xml flags: phpunit-mariadb diff --git a/.github/workflows/phpunit-memcached.yml b/.github/workflows/phpunit-memcached.yml index 26dfb0db438..98ff8b48484 100644 
--- a/.github/workflows/phpunit-memcached.yml +++ b/.github/workflows/phpunit-memcached.yml @@ -101,7 +101,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-memcached diff --git a/.github/workflows/phpunit-mysql-sharding.yml b/.github/workflows/phpunit-mysql-sharding.yml index 15e020df3b0..ae8d8aa5d05 100644 --- a/.github/workflows/phpunit-mysql-sharding.yml +++ b/.github/workflows/phpunit-mysql-sharding.yml @@ -159,7 +159,7 @@ jobs: - name: Upload db code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.db.xml flags: phpunit-mysql diff --git a/.github/workflows/phpunit-mysql.yml b/.github/workflows/phpunit-mysql.yml index 9f95a47f97c..86698015181 100644 --- a/.github/workflows/phpunit-mysql.yml +++ b/.github/workflows/phpunit-mysql.yml @@ -23,6 +23,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src }} @@ -86,12 +89,13 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation 
@@ -124,7 +128,7 @@ jobs: - name: Upload db code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.db.xml flags: phpunit-mysql diff --git a/.github/workflows/phpunit-nodb.yml b/.github/workflows/phpunit-nodb.yml index 91d1a5fcb72..2732c706358 100644 --- a/.github/workflows/phpunit-nodb.yml +++ b/.github/workflows/phpunit-nodb.yml @@ -107,7 +107,7 @@ jobs: - name: Upload nodb code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.nodb.xml flags: phpunit-nodb diff --git a/.github/workflows/phpunit-oci.yml b/.github/workflows/phpunit-oci.yml index 72d3a873b89..44232c88e72 100644 --- a/.github/workflows/phpunit-oci.yml +++ b/.github/workflows/phpunit-oci.yml @@ -23,6 +23,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src }} @@ -100,10 +103,11 @@ jobs: - name: Checkout server uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation 
@@ -129,7 +133,7 @@ jobs: - name: Upload db code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.db.xml flags: phpunit-oci diff --git a/.github/workflows/phpunit-pgsql.yml b/.github/workflows/phpunit-pgsql.yml index f0580e4c1eb..89d9f29f7d6 100644 --- a/.github/workflows/phpunit-pgsql.yml +++ b/.github/workflows/phpunit-pgsql.yml @@ -23,6 +23,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src }} @@ -88,10 +91,11 @@ jobs: - name: Checkout server uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation @@ -119,7 +123,7 @@ jobs: - name: Upload db code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.db.xml flags: phpunit-postgres diff --git a/.github/workflows/phpunit-sqlite.yml b/.github/workflows/phpunit-sqlite.yml index 76758de78d9..5479458336a 100644 --- a/.github/workflows/phpunit-sqlite.yml +++ b/.github/workflows/phpunit-sqlite.yml @@ -23,6 +23,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src }} 
@@ -73,10 +76,11 @@ jobs: - name: Checkout server uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation @@ -105,7 +109,7 @@ jobs: - name: Upload db code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.db.xml flags: phpunit-sqlite diff --git a/.github/workflows/pr-feedback.yml b/.github/workflows/pr-feedback.yml index 4c7daff0991..bc5560796e3 100644 --- a/.github/workflows/pr-feedback.yml +++ b/.github/workflows/pr-feedback.yml @@ -15,8 +15,13 @@ on: schedule: - cron: '30 1 * * *' +permissions: + contents: read + pull-requests: write + jobs: pr-feedback: + if: ${{ github.repository_owner == 'nextcloud' }} runs-on: ubuntu-latest steps: - name: The get-github-handles-from-website action @@ -31,7 +36,7 @@ jobs: blocklist=$(curl https://raw.githubusercontent.com/nextcloud/.github/master/non-community-usernames.txt | paste -s -d, -) echo "blocklist=$blocklist" >> "$GITHUB_OUTPUT" - - uses: marcelklehr/pr-feedback-action@1883b38a033fb16f576875e0cf45f98b857655c4 + - uses: nextcloud/pr-feedback-action@1883b38a033fb16f576875e0cf45f98b857655c4 # main with: feedback-message: | Hello there, diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml index 62bb8b11d4c..95a8626a4a5 100644 --- a/.github/workflows/reuse.yml +++ b/.github/workflows/reuse.yml 
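Review bot: In pr-feedback.yml (hunk at -31,7) the context line that builds `blocklist` pipes `curl https://raw.githubusercontent.com/…/non-community-usernames.txt` straight into `paste` without `--fail`, so an HTTP error body would be joined into the list and passed to the action as if it were usernames. `curl --fail --silent --show-error …` would at least yield an empty value instead. The `run:` block starts outside the hunk, so whether the shell runs with pipefail is not visible. Separately, the new pin comment `# main` names a branch rather than a release, unlike the `# vX.Y.Z` comments used elsewhere in this commit; if the action has no tagged release, saying so in the comment would explain the exception.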
@@ -11,12 +11,17 @@ name: REUSE Compliance Check on: [pull_request] +permissions: + contents: read + jobs: reuse-compliance-check: - runs-on: ubuntu-latest + runs-on: ubuntu-latest-low steps: - - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - - name: REUSE Compliance Check - uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5.0.0 + - name: REUSE Compliance Check + uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5.0.0 diff --git a/.github/workflows/static-code-analysis.yml b/.github/workflows/static-code-analysis.yml index f707849564f..81321a86c39 100644 --- a/.github/workflows/static-code-analysis.yml +++ b/.github/workflows/static-code-analysis.yml @@ -27,6 +27,7 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: + persist-credentials: false submodules: true - name: Set up php @@ -57,6 +58,7 @@ jobs: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: + persist-credentials: false submodules: true - name: Set up php @@ -91,6 +93,7 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: + persist-credentials: false submodules: true - name: Set up php @@ -121,6 +124,7 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: + persist-credentials: false submodules: true - name: Set up php
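Review bot: The `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683` lines in static-code-analysis.yml (hunk at -27,6 and the three that follow) still lack the `# v4.2.2` version comment that this commit adds to the same pin in phpunit-mysql.yml. Without it the SHA is not human-readable here; append `# v4.2.2` to each of the four lines. These hunks also show no `permissions:` block for the workflow, while the commit adds one to reuse.yml and pr-feedback.yml. The top of the file is outside the hunks, so it is worth confirming that one exists there.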