diff --git a/.github/workflows/block-merge-eol.yml b/.github/workflows/block-merge-eol.yml index 292494c72cdf9..31f84a999363a 100644 --- a/.github/workflows/block-merge-eol.yml +++ b/.github/workflows/block-merge-eol.yml @@ -27,13 +27,22 @@ jobs: steps: - name: Set server major version environment - run: | - # retrieve version number from branch reference - server_major=$(echo "${{ github.base_ref }}" | sed -En 's/stable//p') - echo "server_major=$server_major" >> $GITHUB_ENV - echo "current_month=$(date +%Y-%m)" >> $GITHUB_ENV - - - name: Checking if ${{ env.server_major }} is EOL + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const regex = /^stable(\d+)$/ + const baseRef = context.payload.pull_request.base.ref + const match = baseRef.match(regex) + if (match) { + console.log('Setting server_major to ' + match[1]); + core.exportVariable('server_major', match[1]); + console.log('Setting current_month to ' + (new Date()).toISOString().substr(0, 7)); + core.exportVariable('current_month', (new Date()).toISOString().substr(0, 7)); + } + + - name: Checking if server ${{ env.server_major }} is EOL + if: ${{ env.server_major != '' }} run: | curl -s https://raw.githubusercontent.com/nextcloud-releases/updater_server/production/config/major_versions.json \ | jq '.["${{ env.server_major }}"]["eol"] // "9999-99" | . >= "${{ env.current_month }}"' \ diff --git a/.github/workflows/block-merge-freeze.yml b/.github/workflows/block-merge-freeze.yml index d052668b310ba..f28a02101e441 100644 --- a/.github/workflows/block-merge-freeze.yml +++ b/.github/workflows/block-merge-freeze.yml @@ -28,8 +28,30 @@ jobs: runs-on: ubuntu-latest-low steps: - - name: Download version.php from ${{ github.base_ref }} - run: curl 'https://raw.githubusercontent.com/nextcloud/server/${{ github.base_ref }}/version.php' --output version.php + - name: Register server reference to fallback to master branch + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const baseRef = context.payload.pull_request.base.ref + if (baseRef === 'main' || baseRef === 'master') { + core.exportVariable('server_ref', 'master'); + console.log('Setting server_ref to master'); + } else { + const regex = /^stable(\d+)$/ + const match = baseRef.match(regex) + if (match) { + core.exportVariable('server_ref', match[0]); + console.log('Setting server_ref to ' + match[0]); + } else { + console.log('Not based on master/main/stable*, so skipping freeze check'); + } + } + + - name: Download version.php from ${{ env.server_ref }} + if: ${{ env.server_ref != '' }} + run: curl 'https://raw.githubusercontent.com/nextcloud/server/${{ env.server_ref }}/version.php' --output version.php - name: Run check + if: ${{ env.server_ref != '' }} run: cat version.php | grep 'OC_VersionString' | grep -i -v 'RC' diff --git a/.github/workflows/block-outdated-3rdparty.yml b/.github/workflows/block-outdated-3rdparty.yml index 22280f35e3116..d02eb25aacc42 100644 --- a/.github/workflows/block-outdated-3rdparty.yml +++ b/.github/workflows/block-outdated-3rdparty.yml @@ -32,22 +32,44 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: 3rdparty commit hash on current branch id: actual run: | echo "commit=$(git submodule status | grep ' 3rdparty' | egrep -o '[a-f0-9]{40}')" >> "$GITHUB_OUTPUT" + - name: Register server reference to fallback to master branch + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const baseRef = context.payload.pull_request.base.ref + if (baseRef === 'main' || baseRef === 'master') { + core.exportVariable('server_ref', 'master'); + console.log('Setting server_ref to master'); + } else { + const regex = /^stable(\d+)$/ + const match = baseRef.match(regex) + if (match) { + core.exportVariable('server_ref', match[0]); + console.log('Setting server_ref to ' + match[0]); + } else { + console.log('Not based on master/main/stable*, so skipping freeze check'); + } + } + - name: Last 3rdparty commit on target branch id: target run: | - echo "commit=$(git ls-remote https://github.com/nextcloud/3rdparty refs/heads/${{ github.base_ref }} | awk '{ print $1}')" >> "$GITHUB_OUTPUT" + echo "commit=$(git ls-remote https://github.com/nextcloud/3rdparty refs/heads/${{ env.server_ref }} | awk '{ print $1}')" >> "$GITHUB_OUTPUT" - name: Compare if 3rdparty commits are different run: | echo '3rdparty/ seems to not point to the last commit of the dedicated branch:' echo 'Branch has: ${{ steps.actual.outputs.commit }}' - echo '${{ github.base_ref }} has: ${{ steps.target.outputs.commit }}' + echo '${{ env.server_ref }} has: ${{ steps.target.outputs.commit }}' - name: Fail if 3rdparty commits are different if: ${{ steps.changes.outputs.src != 'false' && steps.actual.outputs.commit != steps.target.outputs.commit }} diff --git a/.github/workflows/block-unconventional-commits.yml b/.github/workflows/block-unconventional-commits.yml index b4239109cd028..6bf1a79c9415e 100644 --- a/.github/workflows/block-unconventional-commits.yml +++ b/.github/workflows/block-unconventional-commits.yml @@ -28,6 +28,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: webiny/action-conventional-commits@8bc41ff4e7d423d56fa4905f6ff79209a78776c7 # v1.3.0 with: diff --git a/.github/workflows/command-compile.yml b/.github/workflows/command-compile.yml index faf3d51033513..d5ecf01af61f8 100644 --- a/.github/workflows/command-compile.yml +++ b/.github/workflows/command-compile.yml @@ -11,6 +11,9 @@ on: issue_comment: types: [created] +permissions: + contents: read + jobs: init: runs-on: ubuntu-latest @@ -102,6 +105,7 @@ jobs: - name: Checkout ${{ needs.init.outputs.head_ref }} uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + # Needed to allow force push later persist-credentials: true token: ${{ secrets.COMMAND_BOT_PAT }} fetch-depth: 0 diff --git a/.github/workflows/command-pull-3rdparty.yml b/.github/workflows/command-pull-3rdparty.yml index 52e669dccd80c..e204a5c489d09 100644 --- a/.github/workflows/command-pull-3rdparty.yml +++ b/.github/workflows/command-pull-3rdparty.yml @@ -38,24 +38,56 @@ jobs: id: comment-branch - name: Checkout ${{ steps.comment-branch.outputs.head_ref }} - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false fetch-depth: 0 token: ${{ secrets.COMMAND_BOT_PAT }} ref: ${{ steps.comment-branch.outputs.head_ref }} + - name: Register server reference to fallback to master branch + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const baseRef = context.payload.pull_request.base.ref + if (baseRef === 'main' || baseRef === 'master') { + core.exportVariable('server_ref', 'master'); + console.log('Setting server_ref to master'); + } else { + const regex = /^stable(\d+)$/ + const match = baseRef.match(regex) + if (match) { + core.exportVariable('server_ref', match[0]); + console.log('Setting server_ref to ' + match[0]); + } else { + console.log('Not based on master/main/stable*, so skipping freeze check'); + } + } + - name: Setup git run: | git config --local user.email 'nextcloud-command@users.noreply.github.com' git config --local user.name 'nextcloud-command' + - name: Add reaction on failure + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v3.0.1 + if: ${{ env.server_ref == '' }} + with: + token: ${{ secrets.COMMAND_BOT_PAT }} + repository: ${{ github.event.repository.full_name }} + comment-id: ${{ github.event.comment.id }} + reactions: '-1' + - name: Pull 3rdparty - run: git submodule foreach 'if [ "$sm_path" == "3rdparty" ]; then git pull origin '"'"'${{ github.event.issue.pull_request.base.ref }}'"'"'; fi' + if: ${{ env.server_ref != '' }} + run: git submodule foreach 'if [ "$sm_path" == "3rdparty" ]; then git pull origin '"'"'${{ env.server_ref }}'"'"'; fi' - name: Commit and push changes + if: ${{ env.server_ref != '' }} run: | git add 3rdparty - git commit -s -m 'Update submodule 3rdparty to latest ${{ github.event.issue.pull_request.base.ref }}' + git commit -s -m 'Update submodule 3rdparty to latest ${{ env.server_ref }}' git push - name: Add reaction on failure diff --git a/.github/workflows/cypress.yml b/.github/workflows/cypress.yml index bd8298678a0b3..b5b8b534d8c71 100644 --- a/.github/workflows/cypress.yml +++ b/.github/workflows/cypress.yml @@ -18,9 +18,16 @@ env: # Adjust APP_NAME if your repository name is different APP_NAME: ${{ github.event.repository.name }} - # Server requires head_ref instead of base_ref, as we want to test the PR branch + # This represents the server branch to checkout. + # Usually it's the base branch of the PR, but for pushes it's the branch itself. + # e.g. 'main', 'stable27' or 'feature/my-feature' + # n.b. server will use head_ref, as we want to test the PR branch. BRANCH: ${{ github.head_ref || github.ref_name }} + +permissions: + contents: read + jobs: init: runs-on: ubuntu-latest @@ -43,6 +50,7 @@ jobs: - name: Checkout server uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false # We need to checkout submodules for 3rdparty submodules: true @@ -80,7 +88,7 @@ jobs: run: npm run cypress:version - name: Save context - uses: buildjet/cache/save@v4 + uses: buildjet/cache/save@3e70d19e31d6a8030aeddf6ed8dbe601f94d09f4 # v4.0.2 with: key: cypress-context-${{ github.run_id }} path: ./ @@ -148,7 +156,7 @@ jobs: steps: - name: Restore context - uses: buildjet/cache/restore@v4 + uses: buildjet/cache/restore@3e70d19e31d6a8030aeddf6ed8dbe601f94d09f4 # v4.0.2 with: fail-on-cache-miss: true key: cypress-context-${{ github.run_id }} diff --git a/.github/workflows/dependabot-approve-merge.yml b/.github/workflows/dependabot-approve-merge.yml index efe8bfe37f78d..ed902d9280746 100644 --- a/.github/workflows/dependabot-approve-merge.yml +++ b/.github/workflows/dependabot-approve-merge.yml @@ -9,7 +9,7 @@ name: Dependabot on: - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] branches: - main - master @@ -24,7 +24,7 @@ concurrency: jobs: auto-approve-merge: - if: github.actor == 'dependabot[bot]' || github.actor == 'renovate[bot]' + if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'renovate[bot]' runs-on: ubuntu-latest-low permissions: # for hmarr/auto-approve-action to approve PRs diff --git a/.github/workflows/files-external-ftp.yml b/.github/workflows/files-external-ftp.yml index 0ae892479fe7d..408b3de68e0a8 100644 --- a/.github/workflows/files-external-ftp.yml +++ b/.github/workflows/files-external-ftp.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-ftp-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -53,8 +56,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up ftpd @@ -101,7 +105,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-files-external-ftp diff --git a/.github/workflows/files-external-s3.yml b/.github/workflows/files-external-s3.yml index a2ae746f994ea..546e8111e5e70 100644 --- a/.github/workflows/files-external-s3.yml +++ b/.github/workflows/files-external-s3.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-s3-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -50,7 +53,7 @@ jobs: services: minio: - image: bitnami/minio + image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22 env: MINIO_ROOT_USER: nextcloud MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ= @@ -60,8 +63,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -99,7 +103,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-files-external-s3 @@ -136,14 +140,15 @@ jobs: env: SERVICES: s3 DEBUG: 1 - image: localstack/localstack + image: localstack/localstack@sha256:b52c16663c70b7234f217cb993a339b46686e30a1a5d9279cb5feeb2202f837c # v4.4.0 ports: - "4566:4566" steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -173,7 +178,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-files-external-s3 diff --git a/.github/workflows/files-external-sftp.yml b/.github/workflows/files-external-sftp.yml index 44f0168bcb46e..d5e559630148b 100644 --- a/.github/workflows/files-external-sftp.yml +++ b/.github/workflows/files-external-sftp.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-sftp-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -53,8 +56,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up sftpd @@ -90,7 +94,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-files-external-sftp diff --git a/.github/workflows/files-external-smb-kerberos.yml b/.github/workflows/files-external-smb-kerberos.yml index cc3d7011f7ff3..8326f6633cabe 100644 --- a/.github/workflows/files-external-smb-kerberos.yml +++ b/.github/workflows/files-external-smb-kerberos.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-smb-kerberos-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -43,13 +46,15 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Checkout user_saml - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false repository: nextcloud/user_saml path: apps/user_saml diff --git a/.github/workflows/files-external-smb.yml b/.github/workflows/files-external-smb.yml index 91f63924058cb..dce6f395ad21c 100644 --- a/.github/workflows/files-external-smb.yml +++ b/.github/workflows/files-external-smb.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-smb-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -50,14 +53,15 @@ jobs: services: samba: - image: ghcr.io/nextcloud/continuous-integration-samba:latest + image: ghcr.io/nextcloud/continuous-integration-samba:latest # zizmor: ignore[unpinned-images] ports: - 445:445 steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -95,7 +99,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-files-external-smb diff --git a/.github/workflows/files-external-webdav.yml b/.github/workflows/files-external-webdav.yml index 46d65846a9e73..b941c400c968b 100644 --- a/.github/workflows/files-external-webdav.yml +++ b/.github/workflows/files-external-webdav.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-webdav-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -50,14 +53,15 @@ jobs: services: apache: - image: ghcr.io/nextcloud/continuous-integration-webdav-apache:latest + image: ghcr.io/nextcloud/continuous-integration-webdav-apache:latest # zizmor: ignore[unpinned-images] ports: - 8081:80 steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -92,7 +96,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-files-external-webdav diff --git a/.github/workflows/files-external.yml b/.github/workflows/files-external.yml index 79fcc2696a17a..ab568f4ffe035 100644 --- a/.github/workflows/files-external.yml +++ b/.github/workflows/files-external.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + concurrency: group: files-external-generic-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -49,8 +52,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -80,7 +84,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-files-external-generic diff --git a/.github/workflows/integration-dav.yml b/.github/workflows/integration-dav.yml index 29cae2d22389f..1dea78370fbce 100644 --- a/.github/workflows/integration-dav.yml +++ b/.github/workflows/integration-dav.yml @@ -4,6 +4,9 @@ name: DAV integration tests on: pull_request: +permissions: + contents: read + concurrency: group: integration-caldav-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -51,8 +54,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -67,7 +71,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Set up Python - uses: LizardByte/setup-python-action@master + uses: LizardByte/setup-python-action@f4367d0377eceec7e5e26da8f3863dd365b95a94 # v2025.426.160528 with: python-version: '2.7' diff --git a/.github/workflows/integration-litmus.yml b/.github/workflows/integration-litmus.yml index 3047aaf5b3c87..b55b144e2ff9d 100644 --- a/.github/workflows/integration-litmus.yml +++ b/.github/workflows/integration-litmus.yml @@ -4,6 +4,9 @@ name: Litmus integration tests on: pull_request: +permissions: + contents: read + concurrency: group: integration-litmus-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -50,8 +53,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/integration-s3-primary.yml b/.github/workflows/integration-s3-primary.yml index d30080a5bfcd7..d9fe494ff15d6 100644 --- a/.github/workflows/integration-s3-primary.yml +++ b/.github/workflows/integration-s3-primary.yml @@ -4,6 +4,9 @@ name: S3 primary storage integration tests on: pull_request: +permissions: + contents: read + concurrency: group: integration-s3-primary-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -50,12 +53,12 @@ jobs: services: redis: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 ports: - 6379:6379/tcp minio: - image: bitnami/minio + image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22 env: MINIO_ROOT_USER: nextcloud MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ= @@ -65,8 +68,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/integration-sqlite.yml b/.github/workflows/integration-sqlite.yml index 7cd822c637109..b067ff75674ba 100644 --- a/.github/workflows/integration-sqlite.yml +++ b/.github/workflows/integration-sqlite.yml @@ -77,12 +77,12 @@ jobs: services: redis: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 ports: - 6379:6379/tcp openldap: - image: ghcr.io/nextcloud/continuous-integration-openldap:openldap-7 + image: ghcr.io/nextcloud/continuous-integration-openldap:openldap-7 # zizmor: ignore[unpinned-images] ports: - 389:389 env: @@ -95,12 +95,14 @@ jobs: - name: Checkout server uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Checkout Talk app if: ${{ matrix.test-suite == 'videoverification_features' }} uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false repository: nextcloud/spreed path: apps/spreed ref: ${{ matrix.spreed-versions }} @@ -109,6 +111,7 @@ jobs: if: ${{ matrix.test-suite == 'sharing_features' }} uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false repository: nextcloud/activity path: apps/activity ref: ${{ matrix.activity-versions }} diff --git a/.github/workflows/lint-eslint.yml b/.github/workflows/lint-eslint.yml index 0624fd232a3e5..43e964b5aaf26 100644 --- a/.github/workflows/lint-eslint.yml +++ b/.github/workflows/lint-eslint.yml @@ -20,6 +20,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src}} @@ -54,6 +57,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Read package.json node and npm engines version uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 @@ -63,7 +68,7 @@ jobs: fallbackNpm: '^10' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v3 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} diff --git a/.github/workflows/lint-php-cs.yml b/.github/workflows/lint-php-cs.yml index 9d2c92b88cbd0..5802f749428e7 100644 --- a/.github/workflows/lint-php-cs.yml +++ b/.github/workflows/lint-php-cs.yml @@ -49,9 +49,11 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up php8.1 - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 with: php-version: 8.1 extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite diff --git a/.github/workflows/lint-php.yml b/.github/workflows/lint-php.yml index ddbf9411bf4e0..a29db2af4e23a 100644 --- a/.github/workflows/lint-php.yml +++ b/.github/workflows/lint-php.yml @@ -54,9 +54,11 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 with: php-version: ${{ matrix.php-versions }} coverage: none diff --git a/.github/workflows/lint-stylelint.yml b/.github/workflows/lint-stylelint.yml index 4eaa131bb3d9a..22c0f445801da 100644 --- a/.github/workflows/lint-stylelint.yml +++ b/.github/workflows/lint-stylelint.yml @@ -26,6 +26,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Read package.json node and npm engines version uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 diff --git a/.github/workflows/node-test.yml b/.github/workflows/node-test.yml index f0219c7b1dd1f..aae448c8035d5 100644 --- a/.github/workflows/node-test.yml +++ b/.github/workflows/node-test.yml @@ -23,6 +23,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src}} @@ -60,6 +63,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Read package.json node and npm engines version uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 @@ -81,6 +86,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up node ${{ needs.versions.outputs.nodeVersion }} uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 @@ -99,7 +106,7 @@ jobs: run: npm run test:coverage --if-present - name: Collect coverage - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./coverage/lcov.info @@ -119,6 +126,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up node ${{ needs.versions.outputs.nodeVersion }} uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 @@ -147,6 +156,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up node ${{ needs.versions.outputs.nodeVersion }} uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 diff --git a/.github/workflows/node.yml b/.github/workflows/node.yml index 830d7bc60e00e..7bd4338ae9e10 100644 --- a/.github/workflows/node.yml +++ b/.github/workflows/node.yml @@ -20,6 +20,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src}} @@ -54,6 +57,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Read package.json node and npm engines version uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 @@ -63,7 +68,7 @@ jobs: fallbackNpm: '^10' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v3 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} diff --git a/.github/workflows/npm-audit-fix.yml b/.github/workflows/npm-audit-fix.yml index f9f93d4f61c22..7e7fe1dabc617 100644 --- a/.github/workflows/npm-audit-fix.yml +++ b/.github/workflows/npm-audit-fix.yml @@ -24,7 +24,7 @@ jobs: strategy: fail-fast: false matrix: - branches: ['main', 'master', 'stable31', 'stable30', 'stable29'] + branches: ['main', 'master', 'stable31', 'stable30'] name: npm-audit-fix-${{ matrix.branches }} diff --git a/.github/workflows/object-storage-azure.yml b/.github/workflows/object-storage-azure.yml index 85b42f5e55d6d..812b55ba61acd 100644 --- a/.github/workflows/object-storage-azure.yml +++ b/.github/workflows/object-storage-azure.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "15 2 * * *" +permissions: + contents: read + concurrency: group: object-storage-azure-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -54,7 +57,7 @@ jobs: services: azurite: - image: mcr.microsoft.com/azure-storage/azurite + image: mcr.microsoft.com/azure-storage/azurite@sha256:0a47e12e3693483cef5c71f35468b91d751611f172d2f97414e9c69113b106d9 # v3.34.0 env: AZURITE_ACCOUNTS: nextcloud:bmV4dGNsb3Vk ports: @@ -62,15 +65,16 @@ jobs: options: --health-cmd="nc 127.0.0.1 10000 -z" --health-interval=1s --health-retries=30 cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -105,7 +109,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-azure diff --git a/.github/workflows/object-storage-s3.yml b/.github/workflows/object-storage-s3.yml index 19f500bac9e20..4f0cee3d8a95a 100644 --- a/.github/workflows/object-storage-s3.yml +++ b/.github/workflows/object-storage-s3.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "15 2 * * *" +permissions: + contents: read + concurrency: group: object-storage-s3-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -54,13 +57,13 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 minio: - image: bitnami/minio + image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22 env: MINIO_ROOT_USER: nextcloud MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ= @@ -70,8 +73,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -111,7 +115,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-s3 diff --git a/.github/workflows/object-storage-swift.yml b/.github/workflows/object-storage-swift.yml index dd28ec6cfaae1..89dbfcc80b1b4 100644 --- a/.github/workflows/object-storage-swift.yml +++ b/.github/workflows/object-storage-swift.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "15 2 * * *" +permissions: + contents: read + concurrency: group: object-storage-swift-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -54,21 +57,22 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 swift: - image: ghcr.io/cscfi/docker-keystone-swift + image: ghcr.io/cscfi/docker-keystone-swift@sha256:e8b1ec21120ab9adc6ac6a2b98785fd273676439a8633fe898e37f2aea7e0712 ports: - 5000:5000 - 8080:8080 steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -101,7 +105,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-swift diff --git a/.github/workflows/openapi.yml b/.github/workflows/openapi.yml index 1d5cdd45c2402..ec686844f03b0 100644 --- a/.github/workflows/openapi.yml +++ b/.github/workflows/openapi.yml @@ -27,9 +27,11 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up php - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 with: php-version: '8.1' extensions: ctype, curl, dom, fileinfo, gd, json, libxml, mbstring, openssl, pcntl, pdo, posix, session, simplexml, xml, xmlreader, xmlwriter, zip, zlib diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml index cafce1e34ea34..775ff2d82de6a 100644 --- a/.github/workflows/performance.yml +++ b/.github/workflows/performance.yml @@ -4,6 +4,9 @@ name: Performance testing on: pull_request: +permissions: + contents: read + concurrency: group: performance-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -14,6 +17,9 @@ jobs: if: ${{ github.repository_owner != 'nextcloud-gmbh' }} + permissions: + pull-requests: write + strategy: fail-fast: false matrix: @@ -29,13 +35,14 @@ jobs: exit 1 - name: Checkout server before PR - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true ref: ${{ github.event.pull_request.base.ref }} - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 with: php-version: ${{ matrix.php-versions }} extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, redis, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite @@ -49,7 +56,7 @@ jobs: php -S localhost:8080 & - name: Apply blueprint - uses: icewind1991/blueprint@v0.1.2 + uses: icewind1991/blueprint@00504403f76cb2a09efd0d16793575055e6f63cb # v0.1.2 with: blueprint: tests/blueprints/basic.toml ref: ${{ github.event.pull_request.head.ref }} @@ -66,7 +73,7 @@ jobs: output: before.json profiler-branch: master - - name: Apply PR + - name: Apply PR # zizmor: ignore[template-injection] run: | git remote add pr '${{ github.event.pull_request.head.repo.clone_url }}' git fetch pr '${{ github.event.pull_request.head.ref }}' @@ -98,7 +105,7 @@ jobs: before.json after.json - - uses: actions/github-script@v7 + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7 if: failure() && steps.compare.outcome == 'failure' with: github-token: ${{secrets.GITHUB_TOKEN}} diff --git a/.github/workflows/phpunit-32bits.yml b/.github/workflows/phpunit-32bits.yml index 19c70a9ea41a5..020d27508e623 100644 --- a/.github/workflows/phpunit-32bits.yml +++ b/.github/workflows/phpunit-32bits.yml @@ -32,8 +32,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Install tools diff --git a/.github/workflows/phpunit-mariadb.yml b/.github/workflows/phpunit-mariadb.yml index d48efc7aeb9ac..855f15f48f6dd 100644 --- a/.github/workflows/phpunit-mariadb.yml +++ b/.github/workflows/phpunit-mariadb.yml @@ -23,6 +23,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src}} @@ -68,7 +71,7 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 @@ -88,10 +91,11 @@ jobs: - name: Checkout server uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation @@ -124,7 +128,7 @@ jobs: - name: Upload db code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.db.xml flags: phpunit-mariadb diff --git a/.github/workflows/phpunit-memcached.yml b/.github/workflows/phpunit-memcached.yml index 26dfb0db4387e..97103e97f4be9 100644 --- a/.github/workflows/phpunit-memcached.yml +++ b/.github/workflows/phpunit-memcached.yml @@ -64,15 +64,16 @@ jobs: services: memcached: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 11212:11212/tcp - 11212:11212/udp steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -101,7 +102,7 @@ jobs: - name: Upload code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.xml flags: phpunit-memcached diff --git a/.github/workflows/phpunit-mysql-sharding.yml b/.github/workflows/phpunit-mysql-sharding.yml index 15e020df3b056..5db6c12cedeaa 100644 --- a/.github/workflows/phpunit-mysql-sharding.yml +++ b/.github/workflows/phpunit-mysql-sharding.yml @@ -62,13 +62,13 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 mysql: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 4444:3306/tcp env: @@ -78,7 +78,7 @@ jobs: MYSQL_DATABASE: oc_autotest options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 10 shard1: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 5001:3306/tcp env: @@ -88,7 +88,7 @@ jobs: MYSQL_DATABASE: nextcloud options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 10 shard2: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 5002:3306/tcp env: @@ -98,7 +98,7 @@ jobs: MYSQL_DATABASE: nextcloud options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 10 shard3: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 5003:3306/tcp env: @@ -108,7 +108,7 @@ jobs: MYSQL_DATABASE: nextcloud options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 10 shard4: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 5004:3306/tcp env: @@ -120,8 +120,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -159,7 +160,7 @@ jobs: - name: Upload db code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.db.xml flags: phpunit-mysql diff --git a/.github/workflows/phpunit-mysql.yml b/.github/workflows/phpunit-mysql.yml index 9f95a47f97c47..de69848c5b182 100644 --- a/.github/workflows/phpunit-mysql.yml +++ b/.github/workflows/phpunit-mysql.yml @@ -23,6 +23,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src }} @@ -68,13 +71,13 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 mysql: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 4444:3306/tcp env: @@ -86,12 +89,13 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation @@ -124,7 +128,7 @@ jobs: - name: Upload db code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.db.xml flags: phpunit-mysql diff --git a/.github/workflows/phpunit-nodb.yml b/.github/workflows/phpunit-nodb.yml index 91d1a5fcb7257..1cef70d380a9b 100644 --- a/.github/workflows/phpunit-nodb.yml +++ b/.github/workflows/phpunit-nodb.yml @@ -67,15 +67,16 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} @@ -107,7 +108,7 @@ jobs: - name: Upload nodb code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.nodb.xml flags: phpunit-nodb diff --git a/.github/workflows/phpunit-object-store-primary.yml b/.github/workflows/phpunit-object-store-primary.yml index 1ae84beffae5b..6d6d63588486e 100644 --- a/.github/workflows/phpunit-object-store-primary.yml +++ b/.github/workflows/phpunit-object-store-primary.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "15 2 * * *" +permissions: + contents: read + concurrency: group: phpunit-object-store-primary-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -54,13 +57,13 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 minio: - image: bitnami/minio + image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22 env: MINIO_ROOT_USER: nextcloud MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ= @@ -70,8 +73,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/phpunit-oci.yml b/.github/workflows/phpunit-oci.yml index 72d3a873b8947..ececac2f8f9ac 100644 --- a/.github/workflows/phpunit-oci.yml +++ b/.github/workflows/phpunit-oci.yml @@ -23,6 +23,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src }} @@ -73,7 +76,7 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 @@ -100,10 +103,11 @@ jobs: - name: Checkout server uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation @@ -129,7 +133,7 @@ jobs: - name: Upload db code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.db.xml flags: phpunit-oci diff --git a/.github/workflows/phpunit-pgsql.yml b/.github/workflows/phpunit-pgsql.yml index f0580e4c1eb5f..7939bb529d85e 100644 --- a/.github/workflows/phpunit-pgsql.yml +++ b/.github/workflows/phpunit-pgsql.yml @@ -23,6 +23,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src }} @@ -69,13 +72,13 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 postgres: - image: ghcr.io/nextcloud/continuous-integration-postgres-${{ matrix.postgres-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-postgres-${{ matrix.postgres-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 4444:5432/tcp env: @@ -88,10 +91,11 @@ jobs: - name: Checkout server uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation @@ -119,7 +123,7 @@ jobs: - name: Upload db code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.db.xml flags: phpunit-postgres diff --git a/.github/workflows/phpunit-sqlite.yml b/.github/workflows/phpunit-sqlite.yml index 76758de78d968..bcbde3f108a50 100644 --- a/.github/workflows/phpunit-sqlite.yml +++ b/.github/workflows/phpunit-sqlite.yml @@ -23,6 +23,9 @@ concurrency: jobs: changes: runs-on: ubuntu-latest-low + permissions: + contents: read + pull-requests: read outputs: src: ${{ steps.changes.outputs.src }} @@ -64,7 +67,7 @@ jobs: services: cache: - image: ghcr.io/nextcloud/continuous-integration-redis:latest + image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images] ports: - 6379:6379/tcp options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3 @@ -73,10 +76,11 @@ jobs: - name: Checkout server uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a #v2.33.0 + uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation @@ -105,7 +109,7 @@ jobs: - name: Upload db code coverage if: ${{ !cancelled() && matrix.coverage }} - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./clover.db.xml flags: phpunit-sqlite diff --git a/.github/workflows/pr-feedback.yml b/.github/workflows/pr-feedback.yml index 4c7daff099101..bc5560796e3cf 100644 --- a/.github/workflows/pr-feedback.yml +++ b/.github/workflows/pr-feedback.yml @@ -15,8 +15,13 @@ on: schedule: - cron: '30 1 * * *' +permissions: + contents: read + pull-requests: write + jobs: pr-feedback: + if: ${{ github.repository_owner == 'nextcloud' }} runs-on: ubuntu-latest steps: - name: The get-github-handles-from-website action @@ -31,7 +36,7 @@ jobs: blocklist=$(curl https://raw.githubusercontent.com/nextcloud/.github/master/non-community-usernames.txt | paste -s -d, -) echo "blocklist=$blocklist" >> "$GITHUB_OUTPUT" - - uses: marcelklehr/pr-feedback-action@1883b38a033fb16f576875e0cf45f98b857655c4 + - uses: nextcloud/pr-feedback-action@1883b38a033fb16f576875e0cf45f98b857655c4 # main with: feedback-message: | Hello there, diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml index 62bb8b11d4c94..95a8626a4a51d 100644 --- a/.github/workflows/reuse.yml +++ b/.github/workflows/reuse.yml @@ -11,12 +11,17 @@ name: REUSE Compliance Check on: [pull_request] +permissions: + contents: read + jobs: reuse-compliance-check: - runs-on: ubuntu-latest + runs-on: ubuntu-latest-low steps: - - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - - name: REUSE Compliance Check - uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5.0.0 + - name: REUSE Compliance Check + uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5.0.0 diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index f358974a9c116..d8fdaca0dee20 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -7,6 +7,9 @@ on: schedule: - cron: "0 0 * * *" +permissions: + contents: read + jobs: stale: runs-on: ubuntu-latest @@ -17,7 +20,7 @@ jobs: issues: write steps: - - uses: actions/stale@v9 + - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9 with: repo-token: ${{ secrets.COMMAND_BOT_PAT }} stale-issue-message: > diff --git a/.github/workflows/static-code-analysis.yml b/.github/workflows/static-code-analysis.yml index f707849564fc7..63aa86d34e4d8 100644 --- a/.github/workflows/static-code-analysis.yml +++ b/.github/workflows/static-code-analysis.yml @@ -13,6 +13,9 @@ on: - '.github/workflows/static-code-analysis.yml' - '**.php' +permissions: + contents: read + concurrency: group: static-code-analysis-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -27,6 +30,7 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: + persist-credentials: false submodules: true - name: Set up php @@ -57,6 +61,7 @@ jobs: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: + persist-credentials: false submodules: true - name: Set up php @@ -78,7 +83,7 @@ jobs: - name: Upload Security Analysis results to GitHub if: always() - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3 with: sarif_file: results.sarif @@ -91,6 +96,7 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: + persist-credentials: false submodules: true - name: Set up php @@ -121,6 +127,7 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: + persist-credentials: false submodules: true - name: Set up php diff --git a/.github/workflows/update-cacert-bundle.yml b/.github/workflows/update-cacert-bundle.yml index 263f0d94dde4d..ab7dc7b660469 100644 --- a/.github/workflows/update-cacert-bundle.yml +++ b/.github/workflows/update-cacert-bundle.yml @@ -7,6 +7,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + jobs: update-ca-certificate-bundle: runs-on: ubuntu-latest @@ -19,8 +22,9 @@ jobs: name: update-ca-certificate-bundle-${{ matrix.branches }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false ref: ${{ matrix.branches }} submodules: true diff --git a/.github/workflows/update-code-signing-crl.yml b/.github/workflows/update-code-signing-crl.yml index eb2c00e9302e0..064d47c2d5c64 100644 --- a/.github/workflows/update-code-signing-crl.yml +++ b/.github/workflows/update-code-signing-crl.yml @@ -7,6 +7,9 @@ on: schedule: - cron: "5 2 * * *" +permissions: + contents: read + jobs: update-code-signing-crl: runs-on: ubuntu-latest @@ -19,8 +22,9 @@ jobs: name: update-code-signing-crl-${{ matrix.branches }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false ref: ${{ matrix.branches }} submodules: true diff --git a/.github/workflows/update-min-supported-desktop.yml b/.github/workflows/update-min-supported-desktop.yml index a1c55675337d3..fa203ede356bb 100644 --- a/.github/workflows/update-min-supported-desktop.yml +++ b/.github/workflows/update-min-supported-desktop.yml @@ -7,13 +7,17 @@ on: schedule: - cron: "0 0 * * 1" +permissions: + contents: read + jobs: update-minimum-supported-desktop-version: runs-on: ubuntu-latest-low steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true - name: Download desktop client version file from 5 years ago