author | Andy Scherzinger <info@andy-scherzinger.de> | 2025-05-24 15:54:59 +0200 |
---|---|---|
committer | Andy Scherzinger <info@andy-scherzinger.de> | 2025-05-25 15:09:56 +0200 |
commit | e39244f4e2e8a5618daa143d6c10c8110354e80d (patch) | |
tree | 120570cdf71381c593d1bf19ffc6548a51c03448 | |
parent | 45672ffcc02a671ce2dbeba044934787b4129a68 (diff) | |
download | nextcloud-server-ci/noid/workflows-stable31.tar.gz nextcloud-server-ci/noid/workflows-stable31.zip |
ci(gh): Sync workflow updatesci/noid/workflows-stable31
Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
36 files changed, 275 insertions, 93 deletions
diff --git a/.github/workflows/block-merge-eol.yml b/.github/workflows/block-merge-eol.yml index 292494c72cd..31f84a99936 100644 --- a/.github/workflows/block-merge-eol.yml +++ b/.github/workflows/block-merge-eol.yml @@ -27,13 +27,22 @@ jobs: steps: - name: Set server major version environment - run: | - # retrieve version number from branch reference - server_major=$(echo "${{ github.base_ref }}" | sed -En 's/stable//p') - echo "server_major=$server_major" >> $GITHUB_ENV - echo "current_month=$(date +%Y-%m)" >> $GITHUB_ENV - - - name: Checking if ${{ env.server_major }} is EOL + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const regex = /^stable(\d+)$/ + const baseRef = context.payload.pull_request.base.ref + const match = baseRef.match(regex) + if (match) { + console.log('Setting server_major to ' + match[1]); + core.exportVariable('server_major', match[1]); + console.log('Setting current_month to ' + (new Date()).toISOString().substr(0, 7)); + core.exportVariable('current_month', (new Date()).toISOString().substr(0, 7)); + } + + - name: Checking if server ${{ env.server_major }} is EOL + if: ${{ env.server_major != '' }} run: | curl -s https://raw.githubusercontent.com/nextcloud-releases/updater_server/production/config/major_versions.json \ | jq '.["${{ env.server_major }}"]["eol"] // "9999-99" | . >= "${{ env.current_month }}"' \ diff --git a/.github/workflows/block-merge-freeze.yml b/.github/workflows/block-merge-freeze.yml index d052668b310..f28a02101e4 100644 --- a/.github/workflows/block-merge-freeze.yml +++ b/.github/workflows/block-merge-freeze.yml 
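Review bot: The new github-script step is handed `github-token: ${{secrets.GITHUB_TOKEN}}` but its script only touches `context`, `core` and `console`, never the `github` client, so the input can be dropped to keep the token out of a step that has no use for it; the same applies to the copies in block-merge-freeze.yml, block-outdated-3rdparty.yml and command-pull-3rdparty.yml. `context.payload.pull_request.base.ref` will throw a TypeError if the workflow ever runs on an event without a pull_request payload (the `on:` block is outside the hunk); whether that should fail the check, as it implicitly does now, or skip it deserves an explicit decision, e.g. `const baseRef = context.payload.pull_request?.base?.ref ?? ''` for the latter. The inline `${{ env.server_major }}` inside the jq filter of the EOL step is only acceptable because the regex restricts the value to digits; a comment on that step such as `# server_major is exported above only when the base ref matches /^stable(\d+)$/, so it is safe to expand inline` would stop a later edit from loosening the regex without noticing.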
@@ -28,8 +28,30 @@ jobs: runs-on: ubuntu-latest-low steps: - - name: Download version.php from ${{ github.base_ref }} - run: curl 'https://raw.githubusercontent.com/nextcloud/server/${{ github.base_ref }}/version.php' --output version.php + - name: Register server reference to fallback to master branch + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const baseRef = context.payload.pull_request.base.ref + if (baseRef === 'main' || baseRef === 'master') { + core.exportVariable('server_ref', 'master'); + console.log('Setting server_ref to master'); + } else { + const regex = /^stable(\d+)$/ + const match = baseRef.match(regex) + if (match) { + core.exportVariable('server_ref', match[0]); + console.log('Setting server_ref to ' + match[0]); + } else { + console.log('Not based on master/main/stable*, so skipping freeze check'); + } + } + + - name: Download version.php from ${{ env.server_ref }} + if: ${{ env.server_ref != '' }} + run: curl 'https://raw.githubusercontent.com/nextcloud/server/${{ env.server_ref }}/version.php' --output version.php - name: Run check + if: ${{ env.server_ref != '' }} run: cat version.php | grep 'OC_VersionString' | grep -i -v 'RC' diff --git a/.github/workflows/block-outdated-3rdparty.yml b/.github/workflows/block-outdated-3rdparty.yml index 22280f35e31..d02eb25aacc 100644 --- a/.github/workflows/block-outdated-3rdparty.yml +++ b/.github/workflows/block-outdated-3rdparty.yml 
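Review bot: When the base branch matches neither main/master nor `stable\d+`, `server_ref` stays unset and both guarded steps are skipped, so this merge-blocking freeze check reports success for such branches; if that is the intended outcome the `else` branch should say so in a comment rather than only logging, and if it is not, `core.setFailed('Unsupported base branch for freeze check');` is the one-line alternative. This script block is also copied verbatim into block-outdated-3rdparty.yml and command-pull-3rdparty.yml in the same commit; a composite action or reusable workflow would keep the three from drifting. The `on:` triggers and the start of the `jobs:` block are outside the hunk.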
@@ -32,22 +32,44 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: 3rdparty commit hash on current branch id: actual run: | echo "commit=$(git submodule status | grep ' 3rdparty' | egrep -o '[a-f0-9]{40}')" >> "$GITHUB_OUTPUT" + - name: Register server reference to fallback to master branch + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const baseRef = context.payload.pull_request.base.ref + if (baseRef === 'main' || baseRef === 'master') { + core.exportVariable('server_ref', 'master'); + console.log('Setting server_ref to master'); + } else { + const regex = /^stable(\d+)$/ + const match = baseRef.match(regex) + if (match) { + core.exportVariable('server_ref', match[0]); + console.log('Setting server_ref to ' + match[0]); + } else { + console.log('Not based on master/main/stable*, so skipping freeze check'); + } + } + - name: Last 3rdparty commit on target branch id: target run: | - echo "commit=$(git ls-remote https://github.com/nextcloud/3rdparty refs/heads/${{ github.base_ref }} | awk '{ print $1}')" >> "$GITHUB_OUTPUT" + echo "commit=$(git ls-remote https://github.com/nextcloud/3rdparty refs/heads/${{ env.server_ref }} | awk '{ print $1}')" >> "$GITHUB_OUTPUT" - name: Compare if 3rdparty commits are different run: | echo '3rdparty/ seems to not point to the last commit of the dedicated branch:' echo 'Branch has: ${{ steps.actual.outputs.commit }}' - echo '${{ github.base_ref }} has: ${{ steps.target.outputs.commit }}' + echo '${{ env.server_ref }} has: ${{ steps.target.outputs.commit }}' - name: Fail if 3rdparty commits are different if: ${{ steps.changes.outputs.src != 'false' && steps.actual.outputs.commit != steps.target.outputs.commit }} 
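Review bot: The "Last 3rdparty commit on target branch" step now interpolates `${{ env.server_ref }}` into `git ls-remote` but, unlike the download step in block-merge-freeze.yml, carries no `if: ${{ env.server_ref != '' }}` guard, so for a base branch matching neither pattern it queries `refs/heads/` with an empty name and the later comparison runs against whatever that returns; adding the same guard to this step and to the two compare steps keeps the workflow consistent with the other two. The copied log line `console.log('Not based on master/main/stable*, so skipping freeze check');` is misleading here, where the check concerns the 3rdparty submodule, and again in command-pull-3rdparty.yml; `'Not based on master/main/stable*, so skipping 3rdparty check'` would match the job. The condition of the final "Fail if 3rdparty commits are different" step references `steps.changes`, which is defined outside the hunk.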
diff --git a/.github/workflows/command-pull-3rdparty.yml b/.github/workflows/command-pull-3rdparty.yml index 52e669dccd8..e204a5c489d 100644 --- a/.github/workflows/command-pull-3rdparty.yml +++ b/.github/workflows/command-pull-3rdparty.yml 
@@ -38,24 +38,56 @@ jobs: id: comment-branch - name: Checkout ${{ steps.comment-branch.outputs.head_ref }} - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false fetch-depth: 0 token: ${{ secrets.COMMAND_BOT_PAT }} ref: ${{ steps.comment-branch.outputs.head_ref }} + - name: Register server reference to fallback to master branch + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const baseRef = context.payload.pull_request.base.ref + if (baseRef === 'main' || baseRef === 'master') { + core.exportVariable('server_ref', 'master'); + console.log('Setting server_ref to master'); + } else { + const regex = /^stable(\d+)$/ + const match = baseRef.match(regex) + if (match) { + core.exportVariable('server_ref', match[0]); + console.log('Setting server_ref to ' + match[0]); + } else { + console.log('Not based on master/main/stable*, so skipping freeze check'); + } + } + - name: Setup git run: | git config --local user.email 'nextcloud-command@users.noreply.github.com' git config --local user.name 'nextcloud-command' + - name: Add reaction on failure + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v3.0.1 + if: ${{ env.server_ref == '' }} + with: + token: ${{ secrets.COMMAND_BOT_PAT }} + repository: ${{ github.event.repository.full_name }} + comment-id: ${{ github.event.comment.id }} + reactions: '-1' + - name: Pull 3rdparty - run: git submodule foreach 'if [ "$sm_path" == "3rdparty" ]; then git pull origin '"'"'${{ github.event.issue.pull_request.base.ref }}'"'"'; fi' + if: ${{ env.server_ref != '' }} + run: git submodule foreach 'if [ "$sm_path" == "3rdparty" ]; then git pull origin '"'"'${{ env.server_ref }}'"'"'; fi' - name: Commit and push changes + if: ${{ env.server_ref != '' }} run: | git add 3rdparty - git commit -s -m 
'Update submodule 3rdparty to latest ${{ github.event.issue.pull_request.base.ref }}' + git commit -s -m 'Update submodule 3rdparty to latest ${{ env.server_ref }}' git push - name: Add reaction on failure diff --git a/.github/workflows/cypress.yml b/.github/workflows/cypress.yml index fa469a783e9..55b40e5f449 100644 --- a/.github/workflows/cypress.yml +++ b/.github/workflows/cypress.yml @@ -150,7 +150,7 @@ jobs: SPLIT: ${{ matrix.total-containers }} SPLIT_INDEX: ${{ matrix.containers == 'component' && 0 || matrix.containers }} - - name: Upload snapshots + - name: Upload snapshots and videos uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: always() with: diff --git a/.github/workflows/files-external-ftp.yml b/.github/workflows/files-external-ftp.yml index f99a41b457c..e7f764e4bc3 100644 --- a/.github/workflows/files-external-ftp.yml +++ b/.github/workflows/files-external-ftp.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-ftp-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -53,8 +56,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up ftpd diff --git a/.github/workflows/files-external-s3.yml b/.github/workflows/files-external-s3.yml index ecf23b73023..3849ee7bf63 100644 --- a/.github/workflows/files-external-s3.yml +++ b/.github/workflows/files-external-s3.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-s3-${{ github.head_ref || github.run_id }} cancel-in-progress: true 
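Review bot: This workflow is comment-driven (it reads `github.event.comment.id` and `github.event.issue.pull_request`), so `context.payload.pull_request` is presumably absent from the event payload and the new `const baseRef = context.payload.pull_request.base.ref` will throw before `server_ref` is ever set; the base ref should come from the `comment-branch` step, if it exposes a base-ref output, or from an API lookup of the PR number. Separately, the checkout now sets `persist-credentials: false` while the later "Commit and push changes" step still runs `git push` with no other credential configured anywhere in the hunk, so the push will likely fail unless `COMMAND_BOT_PAT` is supplied to git elsewhere; either keep credentials persisted for this job or pass the token to the push explicitly. The new "Add reaction on failure" step shares its name with the existing one at the end of the job, which makes run logs hard to read; `- name: Add reaction when base branch is unsupported` would distinguish it. The step list continues beyond the hunk.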
@@ -50,7 +53,7 @@ jobs: services: minio: - image: bitnami/minio + image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22 env: MINIO_ROOT_USER: nextcloud MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ= @@ -60,8 +63,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -129,13 +133,13 @@ jobs: env: SERVICES: s3 DEBUG: 1 - image: localstack/localstack + image: localstack/localstack@sha256:b52c16663c70b7234f217cb993a339b46686e30a1a5d9279cb5feeb2202f837c # v4.4.0 ports: - "4566:4566" steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true diff --git a/.github/workflows/files-external-sftp.yml b/.github/workflows/files-external-sftp.yml index dd7a5871a97..ae5cd0874cb 100644 --- a/.github/workflows/files-external-sftp.yml +++ b/.github/workflows/files-external-sftp.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-sftp-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -53,8 +56,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up sftpd diff --git a/.github/workflows/files-external-smb-kerberos.yml b/.github/workflows/files-external-smb-kerberos.yml index cc3d7011f7f..8326f6633ca 100644 --- a/.github/workflows/files-external-smb-kerberos.yml +++ b/.github/workflows/files-external-smb-kerberos.yml 
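Review bot: The checkout in the localstack job (`@@ -129,13 +133,13 @@`) receives the `# v4.2.2` comment but not the `persist-credentials: false` that the minio job's checkout gains in the same file, so the token stays in the git config for the rest of that job; adding `persist-credentials: false` under its `with:` block keeps the two jobs consistent with the rest of this commit.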
@@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-smb-kerberos-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -43,13 +46,15 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Checkout user_saml - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false repository: nextcloud/user_saml path: apps/user_saml diff --git a/.github/workflows/files-external-smb.yml b/.github/workflows/files-external-smb.yml index 23b20782126..f6bb592b21e 100644 --- a/.github/workflows/files-external-smb.yml +++ b/.github/workflows/files-external-smb.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-smb-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -50,14 +53,15 @@ jobs: services: samba: - image: ghcr.io/nextcloud/continuous-integration-samba:latest + image: ghcr.io/nextcloud/continuous-integration-samba:latest # zizmor: ignore[unpinned-images] ports: - 445:445 steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/files-external-webdav.yml b/.github/workflows/files-external-webdav.yml index 657139db5e9..1b4fe53bc74 100644 --- a/.github/workflows/files-external-webdav.yml +++ b/.github/workflows/files-external-webdav.yml 
@@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-webdav-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -50,14 +53,15 @@ jobs: services: apache: - image: ghcr.io/nextcloud/continuous-integration-webdav-apache:latest + image: ghcr.io/nextcloud/continuous-integration-webdav-apache:latest # zizmor: ignore[unpinned-images] ports: - 8081:80 steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/files-external.yml b/.github/workflows/files-external.yml index 8461cd99ab6..1e31bf81e0e 100644 --- a/.github/workflows/files-external.yml +++ b/.github/workflows/files-external.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-generic-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -49,8 +52,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/integration-dav.yml b/.github/workflows/integration-dav.yml index 8eb815276b1..c3f2667c7dd 100644 --- a/.github/workflows/integration-dav.yml +++ b/.github/workflows/integration-dav.yml @@ -4,6 +4,9 @@ name: DAV integration tests on: pull_request: +permissions: + contents: read + concurrency: group: integration-caldav-${{ github.head_ref || github.run_id }} cancel-in-progress: true 
@@ -51,8 +54,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -67,7 +71,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Set up Python - uses: LizardByte/setup-python-action@master + uses: LizardByte/setup-python-action@f4367d0377eceec7e5e26da8f3863dd365b95a94 # v2025.426.160528 with: python-version: '2.7' diff --git a/.github/workflows/integration-litmus.yml b/.github/workflows/integration-litmus.yml index add9fb5f170..134956ca4ff 100644 --- a/.github/workflows/integration-litmus.yml +++ b/.github/workflows/integration-litmus.yml @@ -4,6 +4,9 @@ name: Litmus integration tests on: pull_request: +permissions: + contents: read + concurrency: group: integration-litmus-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -50,8 +53,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/integration-s3-primary.yml b/.github/workflows/integration-s3-primary.yml index 6cf8b4b0d36..d9fe494ff15 100644 --- a/.github/workflows/integration-s3-primary.yml +++ b/.github/workflows/integration-s3-primary.yml @@ -4,6 +4,9 @@ name: S3 primary storage integration tests on: pull_request: +permissions: + contents: read + concurrency: group: integration-s3-primary-${{ github.head_ref || github.run_id }} cancel-in-progress: true 
@@ -50,12 +53,12 @@ jobs: services: redis: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 ports: - 6379:6379/tcp minio: - image: bitnami/minio + image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22 env: MINIO_ROOT_USER: nextcloud MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ= @@ -65,12 +68,13 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation diff --git a/.github/workflows/integration-sqlite.yml b/.github/workflows/integration-sqlite.yml index 3ce3830610f..5eb89c23761 100644 --- a/.github/workflows/integration-sqlite.yml +++ b/.github/workflows/integration-sqlite.yml @@ -77,12 +77,12 @@ jobs: services: redis: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 ports: - 6379:6379/tcp openldap: - image: ghcr.io/nextcloud/continuous-integration-openldap:openldap-7 + image: ghcr.io/nextcloud/continuous-integration-openldap:openldap-7 # zizmor: ignore[unpinned-images] ports: - 389:389 env: 
@@ -95,12 +95,14 @@ jobs: - name: Checkout server uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Checkout Talk app if: ${{ matrix.test-suite == 'videoverification_features' }} uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false repository: nextcloud/spreed path: apps/spreed ref: ${{ matrix.spreed-versions }} @@ -109,12 +111,13 @@ jobs: if: ${{ matrix.test-suite == 'sharing_features' }} uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false repository: nextcloud/activity path: apps/activity ref: ${{ matrix.activity-versions }} - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation diff --git a/.github/workflows/lint-php-cs.yml b/.github/workflows/lint-php-cs.yml index 9d6858b16a6..5802f749428 100644 --- a/.github/workflows/lint-php-cs.yml +++ b/.github/workflows/lint-php-cs.yml @@ -49,6 +49,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up php8.1 uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 diff --git a/.github/workflows/node-test.yml b/.github/workflows/node-test.yml index bf073fbda4d..f4d4d94e336 100644 --- a/.github/workflows/node-test.yml +++ b/.github/workflows/node-test.yml 
@@ -86,6 +86,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up node ${{ needs.versions.outputs.nodeVersion }} uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 @@ -120,6 +122,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up node ${{ needs.versions.outputs.nodeVersion }} uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 @@ -148,6 +152,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up node ${{ needs.versions.outputs.nodeVersion }} uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 diff --git a/.github/workflows/object-storage-azure.yml b/.github/workflows/object-storage-azure.yml index 92971a85900..fe712bbd46a 100644 --- a/.github/workflows/object-storage-azure.yml +++ b/.github/workflows/object-storage-azure.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "15 2 * * *" +permissions: + contents: read + concurrency: group: object-storage-azure-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -54,7 +57,7 @@ jobs: services: azurite: - image: mcr.microsoft.com/azure-storage/azurite + image: mcr.microsoft.com/azure-storage/azurite@sha256:0a47e12e3693483cef5c71f35468b91d751611f172d2f97414e9c69113b106d9 # v3.34.0 env: AZURITE_ACCOUNTS: nextcloud:bmV4dGNsb3Vk ports: 
@@ -62,19 +65,20 @@ jobs: options: --health-cmd="nc 127.0.0.1 10000 -z" --health-interval=1s --health-retries=30 cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation diff --git a/.github/workflows/object-storage-s3.yml b/.github/workflows/object-storage-s3.yml index 4d4f0949cbe..ade892b8b44 100644 --- a/.github/workflows/object-storage-s3.yml +++ b/.github/workflows/object-storage-s3.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "15 2 * * *" +permissions: + contents: read + concurrency: group: object-storage-s3-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -54,13 +57,13 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 minio: - image: bitnami/minio + image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22 env: MINIO_ROOT_USER: nextcloud MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ= 
@@ -70,12 +73,13 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation diff --git a/.github/workflows/object-storage-swift.yml b/.github/workflows/object-storage-swift.yml index d19aff53928..f0bc84a1240 100644 --- a/.github/workflows/object-storage-swift.yml +++ b/.github/workflows/object-storage-swift.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "15 2 * * *" +permissions: + contents: read + concurrency: group: object-storage-swift-${{ github.head_ref || github.run_id }} cancel-in-progress: true 
@@ -54,25 +57,26 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 swift: - image: ghcr.io/cscfi/docker-keystone-swift + image: ghcr.io/cscfi/docker-keystone-swift@sha256:e8b1ec21120ab9adc6ac6a2b98785fd273676439a8633fe898e37f2aea7e0712 ports: - 5000:5000 - 8080:8080 steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml index bd7789f8624..daee1b4a13e 100644 --- a/.github/workflows/performance.yml +++ b/.github/workflows/performance.yml @@ -4,6 +4,9 @@ name: Performance testing on: pull_request: +permissions: + contents: read + concurrency: group: performance-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -14,6 +17,9 @@ jobs: if: ${{ github.repository_owner != 'nextcloud-gmbh' }} + permissions: + pull-requests: write + strategy: fail-fast: false matrix: 
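Review bot: The swift service image is pinned to a digest without the `# vX.Y.Z` comment that the minio, azurite and localstack pins carry elsewhere in this commit, so nobody can tell which version the digest denotes or when to bump it; `image: ghcr.io/cscfi/docker-keystone-swift@sha256:e8b1ec21120ab9adc6ac6a2b98785fd273676439a8633fe898e37f2aea7e0712 # <tag the digest was resolved from>` records that. The same applies to `actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02` in performance.yml, where cypress.yml annotates the identical SHA as `# v4.6.2`.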
@@ -29,13 +35,14 @@ jobs: exit 1 - name: Checkout server before PR - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true ref: ${{ github.event.pull_request.base.ref }} - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 with: php-version: ${{ matrix.php-versions }} extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, redis, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite @@ -49,7 +56,7 @@ jobs: php -S localhost:8080 & - name: Apply blueprint - uses: icewind1991/blueprint@v0.1.2 + uses: icewind1991/blueprint@00504403f76cb2a09efd0d16793575055e6f63cb # v0.1.2 with: blueprint: tests/blueprints/basic.toml ref: ${{ github.event.pull_request.head.ref }} @@ -66,7 +73,7 @@ jobs: output: before.json profiler-branch: stable31 - - name: Apply PR + - name: Apply PR # zizmor: ignore[template-injection] run: | git remote add pr '${{ github.event.pull_request.head.repo.clone_url }}' git fetch pr '${{ github.event.pull_request.head.ref }}' @@ -91,14 +98,14 @@ jobs: - name: Upload profiles if: always() - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 with: name: profiles path: | before.json after.json - - uses: actions/github-script@v7 + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7 if: failure() && steps.compare.outcome == 'failure' with: github-token: ${{secrets.GITHUB_TOKEN}} diff --git a/.github/workflows/phpunit-32bits.yml b/.github/workflows/phpunit-32bits.yml index 10a45003601..020d27508e6 100644 --- a/.github/workflows/phpunit-32bits.yml +++ b/.github/workflows/phpunit-32bits.yml 
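Review bot: The `# zizmor: ignore[template-injection]` on "Apply PR" silences a real finding rather than fixing it: `github.event.pull_request.head.ref` and `head.repo.clone_url` are chosen by the PR author, and the single quotes around the expansions do not neutralise a value that itself contains a quote, which git permits in ref names. Passing both values through `env:` and quoting the shell variables removes the expression from the script body entirely and lets the suppression go. The remainder of the Apply PR script is outside the hunk.
```yaml
      - name: Apply PR
        env:
          PR_CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
          PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          git remote add pr "$PR_CLONE_URL"
          git fetch pr "$PR_HEAD_REF"
          # … unchanged: remainder of the Apply PR script …
```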
@@ -32,8 +32,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Install tools @@ -42,7 +43,7 @@ jobs: sudo apt-get install -y ffmpeg imagemagick libmagickcore-6.q16-3-extra - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 with: php-version: ${{ matrix.php-versions }} extensions: ctype, curl, dom, fileinfo, gd, imagick, intl, json, mbstring, openssl, pdo_sqlite, posix, sqlite, xml, zip, apcu diff --git a/.github/workflows/phpunit-mariadb.yml b/.github/workflows/phpunit-mariadb.yml index a941f361ac3..7fab66f1270 100644 --- a/.github/workflows/phpunit-mariadb.yml +++ b/.github/workflows/phpunit-mariadb.yml @@ -71,7 +71,7 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 diff --git a/.github/workflows/phpunit-memcached.yml b/.github/workflows/phpunit-memcached.yml index 7acb65cc904..8252bf398d2 100644 --- a/.github/workflows/phpunit-memcached.yml +++ b/.github/workflows/phpunit-memcached.yml 
@@ -64,19 +64,20 @@ jobs: services: memcached: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 11212:11212/tcp - 11212:11212/udp steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation diff --git a/.github/workflows/phpunit-mysql-sharding.yml b/.github/workflows/phpunit-mysql-sharding.yml index ec7f7288bcf..f01ad21bd30 100644 --- a/.github/workflows/phpunit-mysql-sharding.yml +++ b/.github/workflows/phpunit-mysql-sharding.yml @@ -62,13 +62,13 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 mysql: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 4444:3306/tcp env: 
@@ -78,7 +78,7 @@ jobs: MYSQL_DATABASE: oc_autotest options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 10 shard1: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 5001:3306/tcp env: @@ -88,7 +88,7 @@ jobs: MYSQL_DATABASE: nextcloud options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 10 shard2: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 5002:3306/tcp env: @@ -98,7 +98,7 @@ jobs: MYSQL_DATABASE: nextcloud options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 10 shard3: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 5003:3306/tcp env: @@ -108,7 +108,7 @@ jobs: MYSQL_DATABASE: nextcloud options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 10 shard4: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 5004:3306/tcp env: 
@@ -120,12 +120,13 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation diff --git a/.github/workflows/phpunit-mysql.yml b/.github/workflows/phpunit-mysql.yml index 78ec0fe70a1..edf439f7c80 100644 --- a/.github/workflows/phpunit-mysql.yml +++ b/.github/workflows/phpunit-mysql.yml @@ -71,13 +71,13 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 mysql: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 4444:3306/tcp env: diff --git a/.github/workflows/phpunit-nodb.yml b/.github/workflows/phpunit-nodb.yml index 0dbb1f112aa..aad4f86c30f 100644 --- a/.github/workflows/phpunit-nodb.yml +++ b/.github/workflows/phpunit-nodb.yml 
@@ -67,19 +67,20 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation diff --git a/.github/workflows/phpunit-object-store-primary.yml b/.github/workflows/phpunit-object-store-primary.yml index 4703bf7622f..6d6d6358848 100644 --- a/.github/workflows/phpunit-object-store-primary.yml +++ b/.github/workflows/phpunit-object-store-primary.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "15 2 * * *" +permissions: + contents: read + concurrency: group: phpunit-object-store-primary-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -54,13 +57,13 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 minio: - image: bitnami/minio + image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22 env: MINIO_ROOT_USER: nextcloud MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ= 
@@ -70,12 +73,13 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 with: php-version: ${{ matrix.php-versions }} extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, redis, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite diff --git a/.github/workflows/phpunit-oci.yml b/.github/workflows/phpunit-oci.yml index 635bbb947fd..bf9cfd918b7 100644 --- a/.github/workflows/phpunit-oci.yml +++ b/.github/workflows/phpunit-oci.yml @@ -76,7 +76,7 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 diff --git a/.github/workflows/phpunit-pgsql.yml b/.github/workflows/phpunit-pgsql.yml index 55153d8c5b7..4ff37ea0148 100644 --- a/.github/workflows/phpunit-pgsql.yml +++ b/.github/workflows/phpunit-pgsql.yml 
@@ -72,13 +72,13 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 postgres: - image: ghcr.io/nextcloud/continuous-integration-postgres-${{ matrix.postgres-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-postgres-${{ matrix.postgres-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 4444:5432/tcp env: diff --git a/.github/workflows/phpunit-sqlite.yml b/.github/workflows/phpunit-sqlite.yml index 8b38b6b13dc..39f00c3cc40 100644 --- a/.github/workflows/phpunit-sqlite.yml +++ b/.github/workflows/phpunit-sqlite.yml @@ -67,7 +67,7 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index f358974a9c1..d8fdaca0dee 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -7,6 +7,9 @@ on: schedule: - cron: "0 0 * * *" +permissions: + contents: read + jobs: stale: runs-on: ubuntu-latest @@ -17,7 +20,7 @@ jobs: issues: write steps: - - uses: actions/stale@v9 + - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9 with: repo-token: ${{ secrets.COMMAND_BOT_PAT }} stale-issue-message: > diff --git a/.github/workflows/static-code-analysis.yml b/.github/workflows/static-code-analysis.yml index e3328dbcf2a..63aa86d34e4 100644 --- a/.github/workflows/static-code-analysis.yml +++ b/.github/workflows/static-code-analysis.yml 
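Review bot: The pin comment `# v9` on actions/stale in stale.yml names a major-line tag that moves, not the release the SHA `5bef64f19d7facfb25b37b414482c7164d639639` was taken from, so a reader cannot verify the hash against a tag and SHA-updating tooling has nothing exact to keep in step. Record the full tag the commit corresponds to, in the same form this commit uses for checkout (`# v4.2.2`). The `# v3` on github/codeql-action/upload-sarif in static-code-analysis.yml has the same gap, and the peter-evans/create-pull-request bump in update-cacert-bundle.yml and update-code-signing-crl.yml carries no version comment at all. The stale job's definition starts above the hunk.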
@@ -13,6 +13,9 @@ on: - '.github/workflows/static-code-analysis.yml' - '**.php' +permissions: + contents: read + concurrency: group: static-code-analysis-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -27,10 +30,11 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: + persist-credentials: false submodules: true - name: Set up php - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 with: php-version: '8.1' extensions: apcu,ctype,curl,dom,fileinfo,ftp,gd,imagick,intl,json,ldap,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip @@ -57,10 +61,11 @@ jobs: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: + persist-credentials: false submodules: true - name: Set up php - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 with: php-version: '8.1' extensions: ctype,curl,dom,fileinfo,ftp,gd,imagick,intl,json,ldap,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip @@ -78,7 +83,7 @@ jobs: - name: Upload Security Analysis results to GitHub if: always() - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3 with: sarif_file: results.sarif @@ -91,10 +96,11 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: + persist-credentials: false submodules: true - name: Set up php - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 with: php-version: '8.1' extensions: ctype,curl,dom,fileinfo,gd,imagick,intl,json,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip 
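Review bot: With `permissions: contents: read` now set at the top level of static-code-analysis.yml, the job that runs `github/codeql-action/upload-sarif` (hunk `@@ -78,7 +83,7 @@`) needs its own `permissions:` block granting `security-events: write`, because uploading SARIF to code scanning requires that scope and a top-level block replaces the default token grant. The job header is outside the hunk so I cannot see whether such a block already exists; if it does not, the upload step will start failing on the first run after this change. Suggest adding under that job `permissions:` with `contents: read` and `security-events: write`. The other new top-level blocks in this commit look consistent with what is visible: stale.yml's job already declares `issues: write`, and the PR-creating workflows authenticate with `COMMAND_BOT_PAT` rather than the workflow token.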
@@ -121,10 +127,11 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: + persist-credentials: false submodules: true - name: Set up php - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 with: php-version: '8.1' extensions: ctype,curl,dom,fileinfo,gd,imagick,intl,json,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip diff --git a/.github/workflows/update-cacert-bundle.yml b/.github/workflows/update-cacert-bundle.yml index d023d035ded..2edc733586d 100644 --- a/.github/workflows/update-cacert-bundle.yml +++ b/.github/workflows/update-cacert-bundle.yml @@ -7,6 +7,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + jobs: update-ca-certificate-bundle: runs-on: ubuntu-latest @@ -19,8 +22,9 @@ jobs: name: update-ca-certificate-bundle-${{ matrix.branches }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false ref: ${{ matrix.branches }} submodules: true @@ -28,7 +32,7 @@ jobs: run: curl --etag-compare build/ca-bundle-etag.txt --etag-save build/ca-bundle-etag.txt --output resources/config/ca-bundle.crt https://curl.se/ca/cacert.pem - name: Create Pull Request - uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e with: token: ${{ secrets.COMMAND_BOT_PAT }} commit-message: 'fix(security): Update CA certificate bundle' diff --git a/.github/workflows/update-code-signing-crl.yml b/.github/workflows/update-code-signing-crl.yml index eead7406b5f..064d47c2d5c 100644 --- a/.github/workflows/update-code-signing-crl.yml +++ b/.github/workflows/update-code-signing-crl.yml 
@@ -7,6 +7,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + jobs: update-code-signing-crl: runs-on: ubuntu-latest @@ -19,8 +22,9 @@ jobs: name: update-code-signing-crl-${{ matrix.branches }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false ref: ${{ matrix.branches }} submodules: true @@ -31,7 +35,7 @@ jobs: run: openssl crl -verify -in resources/codesigning/root.crl -CAfile resources/codesigning/root.crt -noout - name: Create Pull Request - uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e with: token: ${{ secrets.COMMAND_BOT_PAT }} commit-message: 'fix(security): Update code signing revocation list' |