diff --git a/.github/workflows/block-merge-eol.yml b/.github/workflows/block-merge-eol.yml index 292494c7..99042c44 100644 --- a/.github/workflows/block-merge-eol.yml +++ b/.github/workflows/block-merge-eol.yml @@ -27,13 +27,22 @@ jobs: steps: - name: Set server major version environment - run: | - # retrieve version number from branch reference - server_major=$(echo "${{ github.base_ref }}" | sed -En 's/stable//p') - echo "server_major=$server_major" >> $GITHUB_ENV - echo "current_month=$(date +%Y-%m)" >> $GITHUB_ENV - - - name: Checking if ${{ env.server_major }} is EOL + uses: actions/github-script@v7 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const regex = /^stable(\d+)$/ + const baseRef = context.payload.pull_request.base.ref + const match = baseRef.match(regex) + if (match) { + console.log('Setting server_major to ' + match[1]); + core.exportVariable('server_major', match[1]); + console.log('Setting current_month to ' + (new Date()).toISOString().substr(0, 7)); + core.exportVariable('current_month', (new Date()).toISOString().substr(0, 7)); + } + + - name: Checking if server ${{ env.server_major }} is EOL + if: ${{ env.server_major != '' }} run: | curl -s https://raw.githubusercontent.com/nextcloud-releases/updater_server/production/config/major_versions.json \ | jq '.["${{ env.server_major }}"]["eol"] // "9999-99" | . >= "${{ env.current_month }}"' \ diff --git a/.github/workflows/block-merge-freeze.yml b/.github/workflows/block-merge-freeze.yml index bbbe1ab0..ff4d1570 100644 --- a/.github/workflows/block-merge-freeze.yml +++ b/.github/workflows/block-merge-freeze.yml @@ -29,11 +29,29 @@ jobs: steps: - name: Register server reference to fallback to master branch - run: | - server_ref="$(if [ '${{ github.base_ref }}' = 'main' ]; then echo -n 'master'; else echo -n '${{ github.base_ref }}'; fi)" - echo "server_ref=$server_ref" >> $GITHUB_ENV + uses: actions/github-script@v7 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const baseRef = context.payload.pull_request.base.ref + if (baseRef === 'main' || baseRef === 'master') { + core.exportVariable('server_ref', 'master'); + console.log('Setting server_ref to master'); + } else { + const regex = /^stable(\d+)$/ + const match = baseRef.match(regex) + if (match) { + core.exportVariable('server_ref', match[0]); + console.log('Setting server_ref to ' + match[0]); + } else { + console.log('Not based on master/main/stable*, so skipping freeze check'); + } + } + - name: Download version.php from ${{ env.server_ref }} + if: ${{ env.server_ref != '' }} run: curl 'https://raw.githubusercontent.com/nextcloud/server/${{ env.server_ref }}/version.php' --output version.php - name: Run check + if: ${{ env.server_ref != '' }} run: cat version.php | grep 'OC_VersionString' | grep -i -v 'RC' diff --git a/.github/workflows/block-unconventional-commits.yml b/.github/workflows/block-unconventional-commits.yml index b4239109..6bf1a79c 100644 --- a/.github/workflows/block-unconventional-commits.yml +++ b/.github/workflows/block-unconventional-commits.yml @@ -28,6 +28,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: webiny/action-conventional-commits@8bc41ff4e7d423d56fa4905f6ff79209a78776c7 # v1.3.0 with: diff --git a/.github/workflows/command-compile.yml b/.github/workflows/command-compile.yml index bdbd5d28..70b29b29 100644 --- a/.github/workflows/command-compile.yml +++ b/.github/workflows/command-compile.yml @@ -11,6 +11,9 @@ on: issue_comment: types: [created] +permissions: + contents: read + jobs: init: runs-on: ubuntu-latest @@ -94,7 +97,7 @@ jobs: steps: - name: Restore cached git repository - uses: buildjet/cache/save@v4 + uses: buildjet/cache@3e70d19e31d6a8030aeddf6ed8dbe601f94d09f4 # v4.0.2 with: path: .git key: git-repo @@ -102,6 +105,8 @@ jobs: - name: Checkout ${{ needs.init.outputs.head_ref }} uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + # Needed to allow force push later + persist-credentials: true token: ${{ secrets.COMMAND_BOT_PAT }} fetch-depth: 0 ref: ${{ needs.init.outputs.head_ref }} @@ -119,7 +124,7 @@ jobs: fallbackNpm: '^10' - name: Set up node ${{ steps.package-engines-versions.outputs.nodeVersion }} - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: ${{ steps.package-engines-versions.outputs.nodeVersion }} cache: npm diff --git a/.github/workflows/dependabot-approve-merge.yml b/.github/workflows/dependabot-approve-merge.yml index efe8bfe3..583fd481 100644 --- a/.github/workflows/dependabot-approve-merge.yml +++ b/.github/workflows/dependabot-approve-merge.yml @@ -9,7 +9,7 @@ name: Dependabot on: - pull_request_target: + pull_request: branches: - main - master @@ -24,7 +24,7 @@ concurrency: jobs: auto-approve-merge: - if: github.actor == 'dependabot[bot]' || github.actor == 'renovate[bot]' + if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'renovate[bot]' runs-on: ubuntu-latest-low permissions: # for hmarr/auto-approve-action to approve PRs diff --git a/.github/workflows/lint-eslint.yml b/.github/workflows/lint-eslint.yml index b2c51b1b..104a05c4 100644 --- a/.github/workflows/lint-eslint.yml +++ b/.github/workflows/lint-eslint.yml @@ -57,6 +57,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Read package.json node and npm engines version uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 @@ -66,7 +68,7 @@ jobs: fallbackNpm: '^10' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} diff --git a/.github/workflows/lint-php-cs.yml b/.github/workflows/lint-php-cs.yml index f1cb859d..519b345e 100644 --- a/.github/workflows/lint-php-cs.yml +++ b/.github/workflows/lint-php-cs.yml @@ -26,6 +26,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Get php version id: versions diff --git a/.github/workflows/lint-php.yml b/.github/workflows/lint-php.yml index de70f70e..adaa50b8 100644 --- a/.github/workflows/lint-php.yml +++ b/.github/workflows/lint-php.yml @@ -25,6 +25,9 @@ jobs: steps: - name: Checkout app uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - name: Get version matrix id: versions uses: icewind1991/nextcloud-version-matrix@58becf3b4bb6dc6cef677b15e2fd8e7d48c0908f # v1.0.0 @@ -41,6 +44,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up php ${{ matrix.php-versions }} uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1 diff --git a/.github/workflows/node-test.yml b/.github/workflows/node-test.yml index 3057cf56..b0678c2c 100644 --- a/.github/workflows/node-test.yml +++ b/.github/workflows/node-test.yml @@ -61,6 +61,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Read package.json node and npm engines version uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 @@ -70,7 +72,7 @@ jobs: fallbackNpm: '^10' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} @@ -91,7 +93,7 @@ jobs: run: npm run test:coverage --if-present - name: Collect coverage - uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 + uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2 with: files: ./coverage/lcov.info diff --git a/.github/workflows/node.yml b/.github/workflows/node.yml index 562bbb87..0137e979 100644 --- a/.github/workflows/node.yml +++ b/.github/workflows/node.yml @@ -54,6 +54,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Read package.json node and npm engines version uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 @@ -63,7 +65,7 @@ jobs: fallbackNpm: '^10' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} diff --git a/.github/workflows/npm-audit-fix.yml b/.github/workflows/npm-audit-fix.yml index bfba674c..ab51e6c4 100644 --- a/.github/workflows/npm-audit-fix.yml +++ b/.github/workflows/npm-audit-fix.yml @@ -14,6 +14,9 @@ on: # At 2:30 on Sundays - cron: '30 2 * * 0' +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -21,15 +24,18 @@ jobs: strategy: fail-fast: false matrix: - branches: ['main', 'master', 'stable30', 'stable29', 'stable28'] + branches: ['main', 'master', 'stable31', 'stable30', 'stable29'] name: npm-audit-fix-${{ matrix.branches }} steps: - name: Checkout + id: checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false ref: ${{ matrix.branches }} + continue-on-error: true - name: Read package.json node and npm engines version uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 @@ -39,7 +45,7 @@ jobs: fallbackNpm: '^10' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} @@ -51,7 +57,7 @@ jobs: uses: nextcloud-libraries/npm-audit-action@2a60bd2e79cc77f2cc4d9a3fe40f1a69896f3a87 # v0.1.0 - name: Run npm ci and npm run build - if: always() + if: steps.checkout.outcome == 'success' env: CYPRESS_INSTALL_BINARY: 0 run: | @@ -59,7 +65,7 @@ jobs: npm run build --if-present - name: Create Pull Request - if: always() + if: steps.checkout.outcome == 'success' uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5 with: token: ${{ secrets.COMMAND_BOT_PAT }} diff --git a/.github/workflows/phpunit-sqlite.yml b/.github/workflows/phpunit-sqlite.yml index 99b70884..03d672b9 100644 --- a/.github/workflows/phpunit-sqlite.yml +++ b/.github/workflows/phpunit-sqlite.yml @@ -26,6 +26,8 @@ jobs: steps: - name: Checkout app uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Get version matrix id: versions @@ -80,6 +82,7 @@ jobs: - name: Checkout server uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true repository: nextcloud/server ref: ${{ matrix.server-versions }} @@ -87,6 +90,7 @@ jobs: - name: Checkout app uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false path: apps/${{ env.APP_NAME }} - name: Set up php ${{ matrix.php-versions }} @@ -97,6 +101,8 @@ jobs: extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite coverage: none ini-file: development + # Temporary workaround for missing pcntl_* in PHP 8.3 + ini-values: disable_functions= env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/pr-feedback.yml b/.github/workflows/pr-feedback.yml index 6bf2137b..7d496690 100644 --- a/.github/workflows/pr-feedback.yml +++ b/.github/workflows/pr-feedback.yml @@ -15,13 +15,17 @@ on: schedule: - cron: '30 1 * * *' +permissions: + contents: read + pull-requests: write + jobs: pr-feedback: if: ${{ github.repository_owner == 'nextcloud' }} runs-on: ubuntu-latest steps: - name: The get-github-handles-from-website action - uses: marcelklehr/get-github-handles-from-website-action@a739600f6b91da4957f51db0792697afbb2f143c # v1.0.0 + uses: marcelklehr/get-github-handles-from-website-action@06b2239db0a48fe1484ba0bfd966a3ab81a08308 # v1.0.1 id: scrape with: website: 'https://nextcloud.com/team/' diff --git a/.github/workflows/psalm-matrix.yml b/.github/workflows/psalm-matrix.yml index 51f27184..cbac517f 100644 --- a/.github/workflows/psalm-matrix.yml +++ b/.github/workflows/psalm-matrix.yml @@ -14,6 +14,9 @@ concurrency: group: psalm-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: + contents: read + jobs: matrix: runs-on: ubuntu-latest-low @@ -22,6 +25,8 @@ jobs: steps: - name: Checkout app uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Get version matrix id: versions @@ -42,6 +47,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up php${{ matrix.php-versions }} uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1 @@ -50,6 +57,8 @@ jobs: extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite coverage: none ini-file: development + # Temporary workaround for missing pcntl_* in PHP 8.3 + ini-values: disable_functions= env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -59,11 +68,11 @@ jobs: composer i - - name: Install dependencies + - name: Install dependencies # zizmor: ignore[template-injection] run: composer require --dev 'nextcloud/ocp:${{ matrix.ocp-version }}' --ignore-platform-reqs --with-dependencies - name: Run coding standards check - run: composer run psalm + run: composer run psalm -- --threads=1 --monochrome --no-progress --output-format=github summary: runs-on: ubuntu-latest-low diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml index b6828556..0d8e1962 100644 --- a/.github/workflows/reuse.yml +++ b/.github/workflows/reuse.yml @@ -11,6 +11,9 @@ name: REUSE Compliance Check on: [pull_request] +permissions: + contents: read + jobs: reuse-compliance-check: runs-on: ubuntu-latest diff --git a/.github/workflows/update-nextcloud-ocp.yml b/.github/workflows/update-nextcloud-ocp.yml index 6134860b..5592f61b 100644 --- a/.github/workflows/update-nextcloud-ocp.yml +++ b/.github/workflows/update-nextcloud-ocp.yml @@ -13,6 +13,9 @@ on: schedule: - cron: "5 2 * * 0" +permissions: + contents: read + jobs: update-nextcloud-ocp: runs-on: ubuntu-latest @@ -20,7 +23,7 @@ jobs: strategy: fail-fast: false matrix: - branches: ['main', 'master', 'stable30', 'stable29', 'stable28'] + branches: ['main', 'master', 'stable31', 'stable30', 'stable29'] name: update-nextcloud-ocp-${{ matrix.branches }} @@ -28,6 +31,7 @@ jobs: - id: checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false ref: ${{ matrix.branches }} submodules: true continue-on-error: true