From 8682e5fe0ec7a6c80c6798c5772d118b0906ab74 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Wed, 28 Jan 2026 11:58:56 +0100
Subject: [PATCH] ci(actions): Pin CI actions
Signed-off-by: Joas Schilling
---
 .github/workflows/block-merge-eol.yml | 23 ++--
 .github/workflows/block-merge-freeze.yml | 24 +++-
 .github/workflows/check-occ-command.yml | 8 +-
 .github/workflows/codespell.yml | 5 +-
 .../workflows/generate_catalog_templates.yml | 5 +-
 .github/workflows/openapi.yml | 6 +-
 .github/workflows/pr-feedback.yml | 8 +-
 .github/workflows/sphinxbuild.yml | 109 ++++++++++--------
 .github/workflows/transifex.yml | 33 +++---
 9 files changed, 143 insertions(+), 78 deletions(-)
diff --git a/.github/workflows/block-merge-eol.yml b/.github/workflows/block-merge-eol.yml
index 292494c72..3ea4d268d 100644
--- a/.github/workflows/block-merge-eol.yml
+++ b/.github/workflows/block-merge-eol.yml
@@ -27,14 +27,23 @@ jobs: steps: - name: Set server major version environment - run: | - # retrieve version number from branch reference - server_major=$(echo "${{ github.base_ref }}" | sed -En 's/stable//p') - echo "server_major=$server_major" >> $GITHUB_ENV - echo "current_month=$(date +%Y-%m)" >> $GITHUB_ENV + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const regex = /^stable(\d+)$/ + const baseRef = context.payload.pull_request.base.ref + const match = baseRef.match(regex) + if (match) { + console.log('Setting server_major to ' + match[1]); + core.exportVariable('server_major', match[1]); + console.log('Setting current_day to ' + (new Date()).toISOString().substr(0, 10)); + core.exportVariable('current_day', (new Date()).toISOString().substr(0, 10)); + } - - name: Checking if ${{ env.server_major }} is EOL + - name: Checking if server ${{ env.server_major }} is EOL + if: ${{ env.server_major != '' }} run: | curl -s https://raw.githubusercontent.com/nextcloud-releases/updater_server/production/config/major_versions.json \ - | jq '.["${{ env.server_major }}"]["eol"] // "9999-99" | . >= "${{ env.current_month }}"' \ + | jq '.["${{ env.server_major }}"]["eol"] // "9999-99-99" | . >= "${{ env.current_day }}"' \ | grep -q true diff --git a/.github/workflows/block-merge-freeze.yml b/.github/workflows/block-merge-freeze.yml index bbbe1ab0d..616608083 100644 --- a/.github/workflows/block-merge-freeze.yml +++ b/.github/workflows/block-merge-freeze.yml 
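Review bot: The `github-token: ${{secrets.GITHUB_TOKEN}}` input on the new github-script step is unused — the script only reads `context` and calls `core.exportVariable`, never the `github` client — so that `with:` line can be dropped; the same applies to the github-script step added in block-merge-freeze.yml. `context.payload.pull_request.base.ref` throws on any trigger that is not `pull_request`; if the workflow's `on:` block (outside this hunk) lists other events, guard the step with `if: github.event_name == 'pull_request'`. Minor: `substr` is a legacy String method and the date is built twice; `const today = new Date().toISOString().slice(0, 10)` computed once reads better. The job definition starts outside the hunk.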
@@ -29,11 +29,29 @@ jobs: steps: - name: Register server reference to fallback to master branch - run: | - server_ref="$(if [ '${{ github.base_ref }}' = 'main' ]; then echo -n 'master'; else echo -n '${{ github.base_ref }}'; fi)" - echo "server_ref=$server_ref" >> $GITHUB_ENV + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const baseRef = context.payload.pull_request.base.ref + if (baseRef === 'main' || baseRef === 'master') { + core.exportVariable('server_ref', 'master'); + console.log('Setting server_ref to master'); + } else { + const regex = /^stable(\d+)$/ + const match = baseRef.match(regex) + if (match) { + core.exportVariable('server_ref', match[0]); + console.log('Setting server_ref to ' + match[0]); + } else { + console.log('Not based on master/main/stable*, so skipping freeze check'); + } + } + - name: Download version.php from ${{ env.server_ref }} + if: ${{ env.server_ref != '' }} run: curl 'https://raw.githubusercontent.com/nextcloud/server/${{ env.server_ref }}/version.php' --output version.php - name: Run check + if: ${{ env.server_ref != '' }} run: cat version.php | grep 'OC_VersionString' | grep -i -v 'RC' diff --git a/.github/workflows/check-occ-command.yml b/.github/workflows/check-occ-command.yml index 319e2847d..746b963f3 100644 --- a/.github/workflows/check-occ-command.yml +++ b/.github/workflows/check-occ-command.yml @@ -5,12 +5,18 @@ on: paths: - '**.rst' +permissions: + contents: read + jobs: check-occ-command: name: Check occ command syntax runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.2 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Run script run: | diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index d1ece257e..57ffa4199 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml 
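Review bot: The `Download version.php` step still runs `curl` without `--fail`, so a branch that does not exist on nextcloud/server writes a 404 body into version.php and the problem only surfaces indirectly when `Run check` greps it; `run: curl --fail --silent --show-error 'https://raw.githubusercontent.com/nextcloud/server/${{ env.server_ref }}/version.php' --output version.php` fails the step with the HTTP status instead. Interpolating `env.server_ref` into a shell command is acceptable here only because the new script restricts it to `master` or `stable<digits>`; a comment above the step such as `# server_ref is validated by the regex in the previous step` would keep a later edit from loosening that. The job definition starts outside the hunk.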
@@ -6,13 +6,16 @@ on: branches: - master +permissions: + contents: read + jobs: codespell: name: Check spelling runs-on: self-hosted steps: - name: Check out code - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/generate_catalog_templates.yml b/.github/workflows/generate_catalog_templates.yml index 08fac226a..16c6220f6 100644 --- a/.github/workflows/generate_catalog_templates.yml +++ b/.github/workflows/generate_catalog_templates.yml @@ -8,12 +8,15 @@ on: - 'user_manual/**' - '!user_manual/locale/**' +permissions: + contents: read + jobs: user_manual: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/openapi.yml b/.github/workflows/openapi.yml index 0d0b91889..4d3cdfca3 100644 --- a/.github/workflows/openapi.yml +++ b/.github/workflows/openapi.yml @@ -15,12 +15,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - submodules: true + persist-credentials: false - name: Set up php - uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2 + uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2.36.0 with: php-version: '8.1' # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation diff --git a/.github/workflows/pr-feedback.yml b/.github/workflows/pr-feedback.yml index cda794806..f4c0477ce 100644 --- a/.github/workflows/pr-feedback.yml +++ b/.github/workflows/pr-feedback.yml 
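Review bot: The openapi.yml hunk replaces `submodules: true` with `persist-credentials: false` rather than adding it, so the checkout no longer fetches submodules; if the OpenAPI step later in the job (outside the hunk) reads specs from a submodule, it will now fail or validate nothing. If the submodule is still needed, keep both keys under `with:`, `submodules: true` and `persist-credentials: false`, which should work for a public submodule; if it is no longer needed, say so in the commit message, since this is a behaviour change rather than a pin. The codespell.yml and generate_catalog_templates.yml hunks on this line only pin and add read-only permissions.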
@@ -15,6 +15,10 @@ on: schedule: - cron: '30 1 * * *' +permissions: + contents: read + pull-requests: write + jobs: pr-feedback: if: ${{ github.repository_owner == 'nextcloud' }} @@ -32,7 +36,7 @@ jobs: blocklist=$(curl https://raw.githubusercontent.com/nextcloud/.github/master/non-community-usernames.txt | paste -s -d, -) echo "blocklist=$blocklist" >> "$GITHUB_OUTPUT" - - uses: marcelklehr/pr-feedback-action@1883b38a033fb16f576875e0cf45f98b857655c4 + - uses: nextcloud/pr-feedback-action@f0cab224dea8e1f282f9451de322f323c78fc7a5 # main with: feedback-message: | Hello there, @@ -46,6 +50,6 @@ jobs: (If you believe you should not receive this message, you can add yourself to the [blocklist](https://github.com/nextcloud/.github/blob/master/non-community-usernames.txt).) days-before-feedback: 14 - start-date: '2024-04-30' + start-date: '2025-06-12' exempt-authors: '${{ steps.blocklist.outputs.blocklist }},${{ steps.scrape.outputs.users }}' exempt-bots: true diff --git a/.github/workflows/sphinxbuild.yml b/.github/workflows/sphinxbuild.yml index db41350b2..664179098 100644 --- a/.github/workflows/sphinxbuild.yml +++ b/.github/workflows/sphinxbuild.yml @@ -7,12 +7,19 @@ on: - master - stable* +permissions: + contents: read + jobs: user_manual: runs-on: ubuntu-latest steps: - - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.1 - - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: '3.12' cache: 'pip' 
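Review bot: `nextcloud/pr-feedback-action@f0cab224dea8e1f282f9451de322f323c78fc7a5 # main` pins a commit but annotates it with a branch name, so tag-tracking update tooling cannot bump it and a reader cannot tell which release it corresponds to; prefer a tagged release of the fork, `uses: nextcloud/pr-feedback-action@<sha> # v<tag>`, or add a comment saying why the fork is tracked at main. The third pr-feedback.yml hunk changes `start-date` from `'2024-04-30'` to `'2025-06-12'`, which alters which PRs receive feedback and is not a pin; it deserves a line in the commit message or its own commit. The new `permissions` block in the first hunk is the minimum for an action that comments on PRs and is a good addition.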
@@ -32,54 +39,66 @@ jobs: user_manual-en: runs-on: ubuntu-latest steps: - - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.1 - - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6 - with: - python-version: '3.12' - cache: 'pip' - - name: Install pip dependencies - run: pip install -r requirements.txt - - name: Build using Makefile - run: cd user_manual && make html-lang-en + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + with: + python-version: '3.12' + cache: 'pip' + - name: Install pip dependencies + run: pip install -r requirements.txt + - name: Build using Makefile + run: cd user_manual && make html-lang-en developer_manual: runs-on: ubuntu-latest steps: - - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.1 - - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6 - with: - python-version: '3.12' - cache: 'pip' - - name: Install pip dependencies - run: pip install -r requirements.txt - - name: Build using Makefile - run: cd developer_manual && make html - - name: Pack the results in local tar file - shell: bash - run: tar czf /tmp/documentation.tar.gz -C developer_manual/_build/html/com . 
- - name: Upload static documentation - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 - with: - name: Developer manual.zip - path: "/tmp/documentation.tar.gz" + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + with: + python-version: '3.12' + cache: 'pip' + - name: Install pip dependencies + run: pip install -r requirements.txt + - name: Build using Makefile + run: cd developer_manual && make html + - name: Pack the results in local tar file + shell: bash + run: tar czf /tmp/documentation.tar.gz -C developer_manual/_build/html/com . + - name: Upload static documentation + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: Developer manual.zip + path: "/tmp/documentation.tar.gz" admin_manual: runs-on: ubuntu-latest steps: - - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.1 - - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6 - with: - python-version: '3.12' - cache: 'pip' - - name: Install pip dependencies - run: pip install -r requirements.txt - - name: Build using Makefile - run: cd admin_manual && make html - - name: Pack the results in local tar file - shell: bash - run: tar czf /tmp/documentation.tar.gz -C admin_manual/_build/html/com . 
- - name: Upload static documentation - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 - with: - name: Administration manual.zip - path: "/tmp/documentation.tar.gz" + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + with: + python-version: '3.12' + cache: 'pip' + - name: Install pip dependencies + run: pip install -r requirements.txt + - name: Build using Makefile + run: cd admin_manual && make html + - name: Pack the results in local tar file + shell: bash + run: tar czf /tmp/documentation.tar.gz -C admin_manual/_build/html/com . + - name: Upload static documentation + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: Administration manual.zip + path: "/tmp/documentation.tar.gz" diff --git a/.github/workflows/transifex.yml b/.github/workflows/transifex.yml index 4652f7ed1..92a572592 100644 --- a/.github/workflows/transifex.yml +++ b/.github/workflows/transifex.yml 
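Review bot: The checkout, setup-python and `pip install -r requirements.txt` steps are now repeated verbatim in user_manual, user_manual-en, developer_manual and admin_manual; since this hunk already re-indents every step list, it is a good moment to fold the four jobs into one with `strategy: matrix:` over the manual directory and make target (`html` vs `html-lang-en`), so future pins touch one place. Unrelated to the pin, the whole-file re-indentation makes the diff hard to review against the previous revision; a separate formatting commit would keep the security-relevant change (the hash bump and `persist-credentials: false`) reviewable on its own. The hunk begins at the user_manual-en job header and ends with the admin_manual job.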
@@ -2,25 +2,28 @@ name: AutoMerge Transifex Pull Requests on: pull_request: +permissions: + contents: read + jobs: approve: - runs-on: ubuntu-latest + if: github.event.pull_request.user.login == 'transifex-integration[bot]' + runs-on: ubuntu-latest-low + permissions: + # for hmarr/auto-approve-action to approve PRs + pull-requests: write + # for alexwilson/enable-github-automerge-action to approve PRs + contents: write + name: Approve steps: - - uses: hmarr/auto-approve-action@v4.0.0 - if: github.actor == 'transifex-integration[bot]' + - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0 with: github-token: "${{ secrets.GITHUB_TOKEN }}" - automerge: - runs-on: ubuntu-latest - name: Auto-merge - needs: approve - steps: - - uses: pascalgn/automerge-action@v0.16.4 - if: github.actor == 'transifex-integration[bot]' - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - MERGE_LABELS: "" - MERGE_RETRIES: 10 - MERGE_RETRY_SLEEP: 120000 + # Enable GitHub auto merge + - name: Auto merge + uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # v2.0.0 + if: startsWith(steps.branchname.outputs.branch, 'translations_') + with: + github-token: ${{ secrets.GITHUB_TOKEN }}
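Review bot: The new `Auto merge` step is gated on `startsWith(steps.branchname.outputs.branch, 'translations_')`, but no step with `id: branchname` exists in this job, so the expression evaluates against an empty string and the step never runs — auto-merge is silently disabled. The PR head branch is available directly from the event: `if: startsWith(github.head_ref, 'translations_')`. The job-level `contents: write` is justified by its comment, and the job-level `if` on `github.event.pull_request.user.login` keeps both write scopes limited to the bot's PRs, which is the right shape. `runs-on: ubuntu-latest-low` is a non-standard label; unless it is defined for this repository's runner group the job will queue indefinitely.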