From a830308e37ce82b1c5e752eaf15e69e5d151c71a Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Wed, 28 Jan 2026 11:58:56 +0100
Subject: [PATCH] ci(actions): Pin CI actions
Signed-off-by: Joas Schilling
---
 .github/workflows/block-merge-eol.yml | 25 +++++++++-----
 .github/workflows/block-merge-freeze.yml | 24 ++++++++++++--
 .github/workflows/check-occ-command.yml | 7 +++-
 .github/workflows/codespell.yml | 3 ++
 .../workflows/generate_catalog_templates.yml | 3 ++
 .github/workflows/openapi.yml | 4 +--
 .github/workflows/pr-feedback.yml | 8 +++--
 .github/workflows/sphinxbuild.yml | 11 +++++++
 .github/workflows/transifex.yml | 33 ++++++++++---------
 9 files changed, 87 insertions(+), 31 deletions(-)
diff --git a/.github/workflows/block-merge-eol.yml b/.github/workflows/block-merge-eol.yml
index 292494c72cd..3ea4d268d25 100644
--- a/.github/workflows/block-merge-eol.yml
+++ b/.github/workflows/block-merge-eol.yml
@@ -27,14 +27,23 @@ jobs: steps: - name: Set server major version environment - run: | - # retrieve version number from branch reference - server_major=$(echo "${{ github.base_ref }}" | sed -En 's/stable//p') - echo "server_major=$server_major" >> $GITHUB_ENV - echo "current_month=$(date +%Y-%m)" >> $GITHUB_ENV - - - name: Checking if ${{ env.server_major }} is EOL + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const regex = /^stable(\d+)$/ + const baseRef = context.payload.pull_request.base.ref + const match = baseRef.match(regex) + if (match) { + console.log('Setting server_major to ' + match[1]); + core.exportVariable('server_major', match[1]); + console.log('Setting current_day to ' + (new Date()).toISOString().substr(0, 10)); + core.exportVariable('current_day', (new Date()).toISOString().substr(0, 10)); + } + + - name: Checking if server ${{ env.server_major }} is EOL + if: ${{ env.server_major != '' }} run: | curl -s https://raw.githubusercontent.com/nextcloud-releases/updater_server/production/config/major_versions.json \ - | jq '.["${{ env.server_major }}"]["eol"] // "9999-99" | . >= "${{ env.current_month }}"' \ + | jq '.["${{ env.server_major }}"]["eol"] // "9999-99-99" | . >= "${{ env.current_day }}"' \ | grep -q true diff --git a/.github/workflows/block-merge-freeze.yml b/.github/workflows/block-merge-freeze.yml index bbbe1ab0def..61660808334 100644 --- a/.github/workflows/block-merge-freeze.yml +++ b/.github/workflows/block-merge-freeze.yml 
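Review bot: The new github-script step reads `context.payload.pull_request.base.ref` without a guard, so if this workflow's trigger (outside the hunk) ever fires on a non-pull_request event the step throws a TypeError before anything is exported; `const baseRef = context.payload.pull_request?.base?.ref ?? ''` keeps the later `if: ${{ env.server_major != '' }}` gate working in that case instead. The same unguarded access appears in the block-merge-freeze.yml hunk of this patch. Separately, `current_day` is built from two separate `new Date()` calls through the deprecated `substr`; compute it once with `const today = new Date().toISOString().slice(0, 10);` and then `core.exportVariable('current_day', today);`. The `github-token: ${{secrets.GITHUB_TOKEN}}` input is github-script's default and the script makes no API calls, so it can be dropped.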
@@ -29,11 +29,29 @@ jobs: steps: - name: Register server reference to fallback to master branch - run: | - server_ref="$(if [ '${{ github.base_ref }}' = 'main' ]; then echo -n 'master'; else echo -n '${{ github.base_ref }}'; fi)" - echo "server_ref=$server_ref" >> $GITHUB_ENV + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const baseRef = context.payload.pull_request.base.ref + if (baseRef === 'main' || baseRef === 'master') { + core.exportVariable('server_ref', 'master'); + console.log('Setting server_ref to master'); + } else { + const regex = /^stable(\d+)$/ + const match = baseRef.match(regex) + if (match) { + core.exportVariable('server_ref', match[0]); + console.log('Setting server_ref to ' + match[0]); + } else { + console.log('Not based on master/main/stable*, so skipping freeze check'); + } + } + - name: Download version.php from ${{ env.server_ref }} + if: ${{ env.server_ref != '' }} run: curl 'https://raw.githubusercontent.com/nextcloud/server/${{ env.server_ref }}/version.php' --output version.php - name: Run check + if: ${{ env.server_ref != '' }} run: cat version.php | grep 'OC_VersionString' | grep -i -v 'RC' diff --git a/.github/workflows/check-occ-command.yml b/.github/workflows/check-occ-command.yml index db942954c6a..cd4452d8b34 100644 --- a/.github/workflows/check-occ-command.yml +++ b/.github/workflows/check-occ-command.yml @@ -5,12 +5,17 @@ on: paths: - '**.rst' +permissions: + contents: read + jobs: check-occ-command: name: Check occ command syntax runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Run script run: | diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index 600674fbf44..09b5e95a443 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml 
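Review bot: The `Download version.php` step kept as context here runs `curl` without `--fail`, so a 404 for an unexpected `server_ref` is saved as an HTML body and the following `Run check` step then fails on its `grep` with no hint of the real cause; `run: curl --fail --silent --show-error 'https://raw.githubusercontent.com/nextcloud/server/${{ env.server_ref }}/version.php' --output version.php` makes the download step report the error itself. Interpolating `env.server_ref` into the URL is safe as written, because the script only ever exports the literal `master` or a `stable<digits>` regex match. The `github-token: ${{secrets.GITHUB_TOKEN}}` input is github-script's default and is spaced differently from the `${{ secrets.GITHUB_TOKEN }}` used elsewhere in the patch; it can simply be removed.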
@@ -6,6 +6,9 @@ on: branches: - master +permissions: + contents: read + jobs: codespell: name: Check spelling diff --git a/.github/workflows/generate_catalog_templates.yml b/.github/workflows/generate_catalog_templates.yml index 037b90ba1b0..8ca1ebe55af 100644 --- a/.github/workflows/generate_catalog_templates.yml +++ b/.github/workflows/generate_catalog_templates.yml @@ -8,6 +8,9 @@ on: - 'user_manual/**' - '!user_manual/locale/**' +permissions: + contents: read + jobs: user_manual: runs-on: ubuntu-latest diff --git a/.github/workflows/openapi.yml b/.github/workflows/openapi.yml index 09f9902fe85..e7c243c443f 100644 --- a/.github/workflows/openapi.yml +++ b/.github/workflows/openapi.yml @@ -17,10 +17,10 @@ jobs: - name: Checkout uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.2.2 with: - submodules: true + persist-credentials: false - name: Set up php - uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2 + uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2.36.0 with: php-version: '8.1' # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation diff --git a/.github/workflows/pr-feedback.yml b/.github/workflows/pr-feedback.yml index cda7948067d..f4c0477ce71 100644 --- a/.github/workflows/pr-feedback.yml +++ b/.github/workflows/pr-feedback.yml @@ -15,6 +15,10 @@ on: schedule: - cron: '30 1 * * *' +permissions: + contents: read + pull-requests: write + jobs: pr-feedback: if: ${{ github.repository_owner == 'nextcloud' }} @@ -32,7 +36,7 @@ jobs: blocklist=$(curl https://raw.githubusercontent.com/nextcloud/.github/master/non-community-usernames.txt | paste -s -d, -) echo "blocklist=$blocklist" >> "$GITHUB_OUTPUT" - - uses: marcelklehr/pr-feedback-action@1883b38a033fb16f576875e0cf45f98b857655c4 + - uses: nextcloud/pr-feedback-action@f0cab224dea8e1f282f9451de322f323c78fc7a5 # main with: feedback-message: | Hello there, 
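Review bot: The workflow-level `permissions: contents: read` added above `jobs:` in generate_catalog_templates.yml caps the default token for every job in the file, and a workflow that regenerates catalog templates on `user_manual/**` changes may commit or push the result in a step below the hunk; if it does, that job now needs its own `permissions:` block with `contents: write` (or a dedicated token) or the push will fail with a 403. If the job only uploads artifacts, the read-only default is the right choice and nothing further is needed.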
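Review bot: In openapi.yml the checkout line kept as context still carries the comment `# v4.2.2` for SHA `8e8c483db84b4bee98b60c0593521ed34d9990e8`, while the same SHA is labelled `# v6.0.1` in check-occ-command.yml and sphinxbuild.yml in this patch; one SHA cannot be both tags, and since the comment is what humans and update tooling read next to a pin, it should be corrected to the tag the SHA actually resolves to (presumably `# v6.0.1`, matching the other files). The hunk also replaces `submodules: true` with `persist-credentials: false` instead of adding the new key alongside it; if the OpenAPI checks depend on submodule content that is a behavior change the pinning commit message does not mention, so either restore `submodules: true` next to the new key or confirm the submodule is unused. Dropping persisted credentials is otherwise the right default for a job that only reads the checkout.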
@@ -46,6 +50,6 @@ jobs: (If you believe you should not receive this message, you can add yourself to the [blocklist](https://github.com/nextcloud/.github/blob/master/non-community-usernames.txt).) days-before-feedback: 14 - start-date: '2024-04-30' + start-date: '2025-06-12' exempt-authors: '${{ steps.blocklist.outputs.blocklist }},${{ steps.scrape.outputs.users }}' exempt-bots: true diff --git a/.github/workflows/sphinxbuild.yml b/.github/workflows/sphinxbuild.yml index b9e3b77f02a..5932b6fe95c 100644 --- a/.github/workflows/sphinxbuild.yml +++ b/.github/workflows/sphinxbuild.yml @@ -7,11 +7,16 @@ on: - master - stable* +permissions: + contents: read + jobs: user_manual: runs-on: ubuntu-latest steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6 with: python-version: '3.12' @@ -33,6 +38,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6 with: python-version: '3.12' @@ -46,6 +53,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6 with: python-version: '3.12' @@ -67,6 +76,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6 with: python-version: '3.12' diff --git a/.github/workflows/transifex.yml b/.github/workflows/transifex.yml index 4652f7ed178..92a57259264 100644 --- a/.github/workflows/transifex.yml +++ b/.github/workflows/transifex.yml 
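Review bot: The `blocklist` step kept as context above the newly pinned action fetches the non-community usernames with a bare `curl … | paste`, so if the download fails the blocklist is empty and `exempt-authors` silently loses its first half, meaning the feedback comment would be posted to the very accounts the list is meant to exempt; `blocklist=$(curl --fail --silent --show-error https://raw.githubusercontent.com/nextcloud/.github/master/non-community-usernames.txt | paste -s -d, -)` together with `set -o pipefail` at the top of that `run:` block makes the failure stop the job instead. The new `nextcloud/pr-feedback-action@f0cab224dea8e1f282f9451de322f323c78fc7a5 # main` is a full-SHA pin, which is what the commit sets out to do, but the comment names a branch rather than a release, so comment-driven update tooling cannot tell what it is tracking; pinning to a tagged release and recording that tag in the comment would keep it consistent with the other files in this patch. The enclosing job starts in the previous hunk.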
@@ -2,25 +2,28 @@ name: AutoMerge Transifex Pull Requests on: pull_request: +permissions: + contents: read + jobs: approve: - runs-on: ubuntu-latest + if: github.event.pull_request.user.login == 'transifex-integration[bot]' + runs-on: ubuntu-latest-low + permissions: + # for hmarr/auto-approve-action to approve PRs + pull-requests: write + # for alexwilson/enable-github-automerge-action to approve PRs + contents: write + name: Approve steps: - - uses: hmarr/auto-approve-action@v4.0.0 - if: github.actor == 'transifex-integration[bot]' + - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0 with: github-token: "${{ secrets.GITHUB_TOKEN }}" - automerge: - runs-on: ubuntu-latest - name: Auto-merge - needs: approve - steps: - - uses: pascalgn/automerge-action@v0.16.4 - if: github.actor == 'transifex-integration[bot]' - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - MERGE_LABELS: "" - MERGE_RETRIES: 10 - MERGE_RETRY_SLEEP: 120000 + # Enable GitHub auto merge + - name: Auto merge + uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # v2.0.0 + if: startsWith(steps.branchname.outputs.branch, 'translations_') + with: + github-token: ${{ secrets.GITHUB_TOKEN }}
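Review bot: The new `Auto merge` step's condition `if: startsWith(steps.branchname.outputs.branch, 'translations_')` refers to a step id `branchname` that no step in this job defines (the only steps are the auto-approve action and this one), so the expression evaluates against an empty value, is always false, and auto-merge is never enabled; use the event context directly, `if: startsWith(github.head_ref, 'translations_')`, or add a step with `id: branchname` ahead of it. The job-level `permissions` comment `# for alexwilson/enable-github-automerge-action to approve PRs` is a copy of the line above it and misdescribes the grant; it should read `# for alexwilson/enable-github-automerge-action to enable auto-merge`. The hunk appears to reach the end of the file, so the job body is fully visible here.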