author | Joas Schilling <coding@schilljs.com> | 2025-05-23 21:03:04 +0200 |
---|---|---|
committer | Joas Schilling <coding@schilljs.com> | 2025-05-23 21:03:04 +0200 |
commit | 519d77db3308bc3deb406faa877ae7e5b9ea901d (patch) | |
tree | 18ffcfc02b4c172f426ed684db6cce184cbde9d9 | |
parent | d22a4cab90d55a8e27c306c27c78a9fd3f9a4dcb (diff) | |
ci: Pin more actions, images and permissions
Signed-off-by: Joas Schilling <coding@schilljs.com>
33 files changed, 151 insertions, 54 deletions
diff --git a/.github/workflows/block-outdated-3rdparty.yml b/.github/workflows/block-outdated-3rdparty.yml index 22280f35e31..0ae86a67ca5 100644 --- a/.github/workflows/block-outdated-3rdparty.yml +++ b/.github/workflows/block-outdated-3rdparty.yml @@ -32,6 +32,8 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: 3rdparty commit hash on current branch id: actual diff --git a/.github/workflows/command-pull-3rdparty.yml b/.github/workflows/command-pull-3rdparty.yml index 52e669dccd8..7f335f84829 100644 --- a/.github/workflows/command-pull-3rdparty.yml +++ b/.github/workflows/command-pull-3rdparty.yml @@ -38,8 +38,9 @@ jobs: id: comment-branch - name: Checkout ${{ steps.comment-branch.outputs.head_ref }} - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false fetch-depth: 0 token: ${{ secrets.COMMAND_BOT_PAT }} ref: ${{ steps.comment-branch.outputs.head_ref }} diff --git a/.github/workflows/files-external-ftp.yml b/.github/workflows/files-external-ftp.yml index 1dcf5e4bed5..408b3de68e0 100644 --- a/.github/workflows/files-external-ftp.yml +++ b/.github/workflows/files-external-ftp.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-ftp-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -53,8 +56,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up ftpd diff --git a/.github/workflows/files-external-s3.yml b/.github/workflows/files-external-s3.yml index f3f5e99e1e9..546e8111e5e 100644 --- a/.github/workflows/files-external-s3.yml +++ b/.github/workflows/files-external-s3.yml 
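Review bot: In command-pull-3rdparty.yml the checkout now sets `persist-credentials: false` while still passing `token: ${{ secrets.COMMAND_BOT_PAT }}`, so the PAT is used for the fetch but is no longer left in the local git config. The rest of the job is outside the hunk; if a later step runs `git push` or another authenticated git command that relied on the persisted token, it will now fail, and that step needs the token handed to it explicitly (or this one checkout keeps persistence, with a comment saying why). The same check applies to the update-cacert-bundle.yml, update-code-signing-crl.yml and update-min-supported-desktop.yml hunks, whose jobs appear from their names to commit changes back.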
@@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-s3-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -50,7 +53,7 @@ jobs: services: minio: - image: bitnami/minio + image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22 env: MINIO_ROOT_USER: nextcloud MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ= @@ -60,8 +63,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -136,14 +140,15 @@ jobs: env: SERVICES: s3 DEBUG: 1 - image: localstack/localstack + image: localstack/localstack@sha256:b52c16663c70b7234f217cb993a339b46686e30a1a5d9279cb5feeb2202f837c # v4.4.0 ports: - "4566:4566" steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/files-external-sftp.yml b/.github/workflows/files-external-sftp.yml index b4b8adaff4d..d5e55963014 100644 --- a/.github/workflows/files-external-sftp.yml +++ b/.github/workflows/files-external-sftp.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-sftp-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -53,8 +56,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up sftpd 
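Review bot: The `bitnami/minio@sha256:…` and `localstack/localstack@sha256:…` pins in files-external-s3.yml carry the version only in a trailing comment, and nothing visible in this commit keeps digest and comment in step. The same minio digest is repeated in integration-s3-primary.yml and object-storage-s3.yml, and the `docker-keystone-swift` pin in object-storage-swift.yml has no version comment at all, so a reader cannot tell which release it corresponds to. I would add a tag comment to the swift pin in the form the others use (`# <tag the digest was resolved from>`) and confirm that whatever bumps the action SHAs also bumps these image digests; otherwise the pinned services stop receiving security fixes.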
diff --git a/.github/workflows/files-external-smb-kerberos.yml b/.github/workflows/files-external-smb-kerberos.yml index cc3d7011f7f..8326f6633ca 100644 --- a/.github/workflows/files-external-smb-kerberos.yml +++ b/.github/workflows/files-external-smb-kerberos.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-smb-kerberos-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -43,13 +46,15 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Checkout user_saml - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false repository: nextcloud/user_saml path: apps/user_saml diff --git a/.github/workflows/files-external-smb.yml b/.github/workflows/files-external-smb.yml index 892705a8183..dce6f395ad2 100644 --- a/.github/workflows/files-external-smb.yml +++ b/.github/workflows/files-external-smb.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-smb-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -50,14 +53,15 @@ jobs: services: samba: - image: ghcr.io/nextcloud/continuous-integration-samba:latest + image: ghcr.io/nextcloud/continuous-integration-samba:latest # zizmor: ignore[unpinned-images] ports: - 445:445 steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} 
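Review bot: The `# zizmor: ignore[unpinned-images]` added on the `continuous-integration-samba:latest` service in files-external-smb.yml silences the finding without recording why a mutable tag is acceptable here. The same suppression is added on the redis, openldap, webdav-apache, mysql and postgres service images in files-external-webdav.yml, integration-s3-primary.yml, integration-sqlite.yml, the object-storage-*.yml files and the phpunit-*.yml files. A `:latest` image is still resolved at run time, so these jobs keep trusting whatever is currently published under that tag; a comment line above each image such as `# first-party CI image, intentionally tracks :latest` (with the actual reason) would document the decision. The mysql and postgres image names are built from a `${{ matrix.… }}` expression, so they cannot be digest-pinned without restructuring the matrix, which is worth stating in that comment too.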
diff --git a/.github/workflows/files-external-webdav.yml b/.github/workflows/files-external-webdav.yml index 7398a2b59b7..b941c400c96 100644 --- a/.github/workflows/files-external-webdav.yml +++ b/.github/workflows/files-external-webdav.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-webdav-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -50,14 +53,15 @@ jobs: services: apache: - image: ghcr.io/nextcloud/continuous-integration-webdav-apache:latest + image: ghcr.io/nextcloud/continuous-integration-webdav-apache:latest # zizmor: ignore[unpinned-images] ports: - 8081:80 steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/files-external.yml b/.github/workflows/files-external.yml index 967decbedf7..ab568f4ffe0 100644 --- a/.github/workflows/files-external.yml +++ b/.github/workflows/files-external.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-generic-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -49,8 +52,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/integration-dav.yml b/.github/workflows/integration-dav.yml index 29cae2d2238..1dea78370fb 100644 --- a/.github/workflows/integration-dav.yml +++ b/.github/workflows/integration-dav.yml 
@@ -4,6 +4,9 @@ name: DAV integration tests on: pull_request: +permissions: + contents: read + concurrency: group: integration-caldav-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -51,8 +54,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -67,7 +71,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Set up Python - uses: LizardByte/setup-python-action@master + uses: LizardByte/setup-python-action@f4367d0377eceec7e5e26da8f3863dd365b95a94 # v2025.426.160528 with: python-version: '2.7' diff --git a/.github/workflows/integration-litmus.yml b/.github/workflows/integration-litmus.yml index 3047aaf5b3c..b55b144e2ff 100644 --- a/.github/workflows/integration-litmus.yml +++ b/.github/workflows/integration-litmus.yml @@ -4,6 +4,9 @@ name: Litmus integration tests on: pull_request: +permissions: + contents: read + concurrency: group: integration-litmus-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -50,8 +53,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/integration-s3-primary.yml b/.github/workflows/integration-s3-primary.yml index d30080a5bfc..d9fe494ff15 100644 --- a/.github/workflows/integration-s3-primary.yml +++ b/.github/workflows/integration-s3-primary.yml @@ -4,6 +4,9 @@ name: S3 primary storage integration tests on: pull_request: +permissions: + contents: read + concurrency: group: integration-s3-primary-${{ github.head_ref || github.run_id }} cancel-in-progress: true 
@@ -50,12 +53,12 @@ jobs: services: redis: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 ports: - 6379:6379/tcp minio: - image: bitnami/minio + image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22 env: MINIO_ROOT_USER: nextcloud MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ= @@ -65,8 +68,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/integration-sqlite.yml b/.github/workflows/integration-sqlite.yml index 7cd822c6371..b067ff75674 100644 --- a/.github/workflows/integration-sqlite.yml +++ b/.github/workflows/integration-sqlite.yml @@ -77,12 +77,12 @@ jobs: services: redis: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 ports: - 6379:6379/tcp openldap: - image: ghcr.io/nextcloud/continuous-integration-openldap:openldap-7 + image: ghcr.io/nextcloud/continuous-integration-openldap:openldap-7 # zizmor: ignore[unpinned-images] ports: - 389:389 env: 
@@ -95,12 +95,14 @@ jobs: - name: Checkout server uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Checkout Talk app if: ${{ matrix.test-suite == 'videoverification_features' }} uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false repository: nextcloud/spreed path: apps/spreed ref: ${{ matrix.spreed-versions }} @@ -109,6 +111,7 @@ jobs: if: ${{ matrix.test-suite == 'sharing_features' }} uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false repository: nextcloud/activity path: apps/activity ref: ${{ matrix.activity-versions }} diff --git a/.github/workflows/lint-php-cs.yml b/.github/workflows/lint-php-cs.yml index 9d6858b16a6..5802f749428 100644 --- a/.github/workflows/lint-php-cs.yml +++ b/.github/workflows/lint-php-cs.yml @@ -49,6 +49,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up php8.1 uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 diff --git a/.github/workflows/node-test.yml b/.github/workflows/node-test.yml index bdd8dcf5a17..aae448c8035 100644 --- a/.github/workflows/node-test.yml +++ b/.github/workflows/node-test.yml @@ -86,6 +86,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up node ${{ needs.versions.outputs.nodeVersion }} uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 @@ -124,6 +126,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up node ${{ needs.versions.outputs.nodeVersion }} uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 
@@ -152,6 +156,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up node ${{ needs.versions.outputs.nodeVersion }} uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 diff --git a/.github/workflows/object-storage-azure.yml b/.github/workflows/object-storage-azure.yml index af653c9c043..812b55ba61a 100644 --- a/.github/workflows/object-storage-azure.yml +++ b/.github/workflows/object-storage-azure.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "15 2 * * *" +permissions: + contents: read + concurrency: group: object-storage-azure-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -54,7 +57,7 @@ jobs: services: azurite: - image: mcr.microsoft.com/azure-storage/azurite + image: mcr.microsoft.com/azure-storage/azurite@sha256:0a47e12e3693483cef5c71f35468b91d751611f172d2f97414e9c69113b106d9 # v3.34.0 env: AZURITE_ACCOUNTS: nextcloud:bmV4dGNsb3Vk ports: @@ -62,15 +65,16 @@ jobs: options: --health-cmd="nc 127.0.0.1 10000 -z" --health-interval=1s --health-retries=30 cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/object-storage-s3.yml b/.github/workflows/object-storage-s3.yml index 8bd2571a603..4f0cee3d8a9 100644 --- a/.github/workflows/object-storage-s3.yml +++ b/.github/workflows/object-storage-s3.yml 
@@ -6,6 +6,9 @@ on: schedule: - cron: "15 2 * * *" +permissions: + contents: read + concurrency: group: object-storage-s3-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -54,13 +57,13 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 minio: - image: bitnami/minio + image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22 env: MINIO_ROOT_USER: nextcloud MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ= @@ -70,8 +73,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/object-storage-swift.yml b/.github/workflows/object-storage-swift.yml index 15cb113f246..89dbfcc80b1 100644 --- a/.github/workflows/object-storage-swift.yml +++ b/.github/workflows/object-storage-swift.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "15 2 * * *" +permissions: + contents: read + concurrency: group: object-storage-swift-${{ github.head_ref || github.run_id }} cancel-in-progress: true 
@@ -54,21 +57,22 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 swift: - image: ghcr.io/cscfi/docker-keystone-swift + image: ghcr.io/cscfi/docker-keystone-swift@sha256:e8b1ec21120ab9adc6ac6a2b98785fd273676439a8633fe898e37f2aea7e0712 ports: - 5000:5000 - 8080:8080 steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml index 45be499a762..d055c0d0b23 100644 --- a/.github/workflows/performance.yml +++ b/.github/workflows/performance.yml @@ -4,6 +4,9 @@ name: Performance testing on: pull_request: +permissions: + contents: read + concurrency: group: performance-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -14,6 +17,9 @@ jobs: if: ${{ github.repository_owner != 'nextcloud-gmbh' }} + permissions: + pull-requests: write + strategy: fail-fast: false matrix: @@ -29,8 +35,9 @@ jobs: exit 1 - name: Checkout server before PR - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true ref: ${{ github.event.pull_request.base.ref }} diff --git a/.github/workflows/phpunit-32bits.yml b/.github/workflows/phpunit-32bits.yml index 19c70a9ea41..020d27508e6 100644 --- a/.github/workflows/phpunit-32bits.yml +++ b/.github/workflows/phpunit-32bits.yml 
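Review bot: The job-level `permissions:` block added in performance.yml lists only `pull-requests: write`, and a job-level block replaces the workflow-level one rather than adding to it, so `contents` falls back to no access for this job. Checkout of a public repository generally still succeeds, but the intent of the new top-level `contents: read` is lost and the job breaks if the repository is ever private; adding `contents: read` under the job's `permissions:` makes it explicit. The workflow runs on `pull_request`, where the token is read-only for pull requests from forks, so the write scope only takes effect for same-repository branches. The job body continues outside the hunk.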
@@ -32,8 +32,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Install tools diff --git a/.github/workflows/phpunit-mariadb.yml b/.github/workflows/phpunit-mariadb.yml index 37e01829aeb..855f15f48f6 100644 --- a/.github/workflows/phpunit-mariadb.yml +++ b/.github/workflows/phpunit-mariadb.yml @@ -71,7 +71,7 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 diff --git a/.github/workflows/phpunit-memcached.yml b/.github/workflows/phpunit-memcached.yml index 98ff8b48484..97103e97f4b 100644 --- a/.github/workflows/phpunit-memcached.yml +++ b/.github/workflows/phpunit-memcached.yml @@ -64,15 +64,16 @@ jobs: services: memcached: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 11212:11212/tcp - 11212:11212/udp steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/phpunit-mysql-sharding.yml b/.github/workflows/phpunit-mysql-sharding.yml index ae8d8aa5d05..5db6c12cede 100644 --- a/.github/workflows/phpunit-mysql-sharding.yml +++ b/.github/workflows/phpunit-mysql-sharding.yml 
@@ -62,13 +62,13 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 mysql: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 4444:3306/tcp env: @@ -78,7 +78,7 @@ jobs: MYSQL_DATABASE: oc_autotest options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 10 shard1: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 5001:3306/tcp env: @@ -88,7 +88,7 @@ jobs: MYSQL_DATABASE: nextcloud options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 10 shard2: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 5002:3306/tcp env: @@ -98,7 +98,7 @@ jobs: MYSQL_DATABASE: nextcloud options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 10 shard3: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 5003:3306/tcp env: 
@@ -108,7 +108,7 @@ jobs: MYSQL_DATABASE: nextcloud options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 10 shard4: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 5004:3306/tcp env: @@ -120,8 +120,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/phpunit-mysql.yml b/.github/workflows/phpunit-mysql.yml index 86698015181..de69848c5b1 100644 --- a/.github/workflows/phpunit-mysql.yml +++ b/.github/workflows/phpunit-mysql.yml @@ -71,13 +71,13 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 mysql: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 4444:3306/tcp env: diff --git a/.github/workflows/phpunit-nodb.yml b/.github/workflows/phpunit-nodb.yml index 2732c706358..1cef70d380a 100644 --- a/.github/workflows/phpunit-nodb.yml +++ b/.github/workflows/phpunit-nodb.yml 
@@ -67,15 +67,16 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/phpunit-oci.yml b/.github/workflows/phpunit-oci.yml index 44232c88e72..ececac2f8f9 100644 --- a/.github/workflows/phpunit-oci.yml +++ b/.github/workflows/phpunit-oci.yml @@ -76,7 +76,7 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 diff --git a/.github/workflows/phpunit-pgsql.yml b/.github/workflows/phpunit-pgsql.yml index 89d9f29f7d6..7939bb529d8 100644 --- a/.github/workflows/phpunit-pgsql.yml +++ b/.github/workflows/phpunit-pgsql.yml @@ -72,13 +72,13 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 postgres: - image: ghcr.io/nextcloud/continuous-integration-postgres-${{ matrix.postgres-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-postgres-${{ matrix.postgres-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 4444:5432/tcp env: 
diff --git a/.github/workflows/phpunit-sqlite.yml b/.github/workflows/phpunit-sqlite.yml index 5479458336a..bcbde3f108a 100644 --- a/.github/workflows/phpunit-sqlite.yml +++ b/.github/workflows/phpunit-sqlite.yml @@ -67,7 +67,7 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 34b82693a8d..d8fdaca0dee 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -7,6 +7,9 @@ on: schedule: - cron: "0 0 * * *" +permissions: + contents: read + jobs: stale: runs-on: ubuntu-latest diff --git a/.github/workflows/static-code-analysis.yml b/.github/workflows/static-code-analysis.yml index 3565508b90e..63aa86d34e4 100644 --- a/.github/workflows/static-code-analysis.yml +++ b/.github/workflows/static-code-analysis.yml @@ -13,6 +13,9 @@ on: - '.github/workflows/static-code-analysis.yml' - '**.php' +permissions: + contents: read + concurrency: group: static-code-analysis-${{ github.head_ref || github.run_id }} cancel-in-progress: true diff --git a/.github/workflows/update-cacert-bundle.yml b/.github/workflows/update-cacert-bundle.yml index 263f0d94dde..ab7dc7b6604 100644 --- a/.github/workflows/update-cacert-bundle.yml +++ b/.github/workflows/update-cacert-bundle.yml @@ -7,6 +7,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + jobs: update-ca-certificate-bundle: runs-on: ubuntu-latest @@ -19,8 +22,9 @@ jobs: name: update-ca-certificate-bundle-${{ matrix.branches }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false ref: ${{ matrix.branches }} submodules: true 
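Review bot: In stale.yml the new workflow-level `permissions: contents: read` removes every other scope from the default token, and the hunk ends at `runs-on: ubuntu-latest`, so no job-level grant is visible. A stale-handling job presumably has to label, comment on and close issues or pull requests; unless the `stale` job already declares its own block further down, it needs a job-level `permissions:` with `issues: write` (and `pull-requests: write` if it also handles pull requests). The restrictive default is the right baseline; the point is to confirm the write scope is granted on the job itself and nowhere wider.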
diff --git a/.github/workflows/update-code-signing-crl.yml b/.github/workflows/update-code-signing-crl.yml index eb2c00e9302..064d47c2d5c 100644 --- a/.github/workflows/update-code-signing-crl.yml +++ b/.github/workflows/update-code-signing-crl.yml @@ -7,6 +7,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + jobs: update-code-signing-crl: runs-on: ubuntu-latest @@ -19,8 +22,9 @@ jobs: name: update-code-signing-crl-${{ matrix.branches }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false ref: ${{ matrix.branches }} submodules: true diff --git a/.github/workflows/update-min-supported-desktop.yml b/.github/workflows/update-min-supported-desktop.yml index a1c55675337..fa203ede356 100644 --- a/.github/workflows/update-min-supported-desktop.yml +++ b/.github/workflows/update-min-supported-desktop.yml @@ -7,13 +7,17 @@ on: schedule: - cron: "0 0 * * 1" +permissions: + contents: read + jobs: update-minimum-supported-desktop-version: runs-on: ubuntu-latest-low steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Download desktop client version file from 5 years ago |