From 214db147adbb117bda8aad41e7b156f686f254e2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 Apr 2026 01:04:59 +0000 Subject: [PATCH 01/25] build(deps): bump actions/cache in /workflow-templates Bumps [actions/cache](https://github.com/actions/cache) from 5.0.4 to 5.0.5. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/668228422ae6a00e4ad889ee87cd7109ec5666a7...27d5ce7f107fe9357f9df03efb73ab90386fccae) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- workflow-templates/command-compile.yml | 2 +- workflow-templates/command-openapi.yml | 2 +- workflow-templates/cypress.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/workflow-templates/command-compile.yml b/workflow-templates/command-compile.yml index f236822..b3989ff 100644 --- a/workflow-templates/command-compile.yml +++ b/workflow-templates/command-compile.yml @@ -97,7 +97,7 @@ jobs: steps: - name: Restore cached git repository - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: .git key: git-repo diff --git a/workflow-templates/command-openapi.yml b/workflow-templates/command-openapi.yml index 20325da..97f4c69 100644 --- a/workflow-templates/command-openapi.yml +++ b/workflow-templates/command-openapi.yml @@ -97,7 +97,7 @@ jobs: steps: - name: Restore cached git repository - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: .git key: git-repo 
diff --git a/workflow-templates/cypress.yml b/workflow-templates/cypress.yml index 3eff029..b67071a 100644 --- a/workflow-templates/cypress.yml +++ b/workflow-templates/cypress.yml @@ -81,7 +81,7 @@ jobs: TESTING=true npm run build --if-present - name: Save context - uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: key: cypress-context-${{ github.run_id }} path: ./ @@ -101,7 +101,7 @@ jobs: steps: - name: Restore context - uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: fail-on-cache-miss: true key: cypress-context-${{ github.run_id }} From 351a8b7f58a9d571dd1ad5134d8044c681be88c1 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Tue, 21 Apr 2026 07:45:58 +0200 Subject: [PATCH 02/25] fix(psalm-phpstan): Remove roave/security-advisories Signed-off-by: Joas Schilling --- workflow-templates/phpstan.yml | 3 --- workflow-templates/psalm-matrix.yml | 3 --- workflow-templates/psalm.yml | 3 --- 3 files changed, 9 deletions(-) diff --git a/workflow-templates/phpstan.yml b/workflow-templates/phpstan.yml index 6244932..cba8d41 100644 --- a/workflow-templates/phpstan.yml +++ b/workflow-templates/phpstan.yml @@ -52,9 +52,6 @@ jobs: composer remove nextcloud/ocp --dev --no-scripts composer i - - name: Check for vulnerable PHP dependencies - run: composer require --dev roave/security-advisories:dev-latest - - name: Install nextcloud/ocp run: composer require --dev nextcloud/ocp:dev-${{ steps.versions.outputs.branches-max }} --ignore-platform-reqs --with-dependencies diff --git a/workflow-templates/psalm-matrix.yml b/workflow-templates/psalm-matrix.yml index b22a423..8d6603e 100644 --- a/workflow-templates/psalm-matrix.yml +++ b/workflow-templates/psalm-matrix.yml 
@@ -67,9 +67,6 @@ jobs: composer remove nextcloud/ocp --dev --no-scripts composer i - - name: Check for vulnerable PHP dependencies - run: composer require --dev roave/security-advisories:dev-latest - - name: Install dependencies # zizmor: ignore[template-injection] run: composer require --dev 'nextcloud/ocp:${{ matrix.ocp-version }}' --ignore-platform-reqs --with-dependencies diff --git a/workflow-templates/psalm.yml b/workflow-templates/psalm.yml index d69fd28..4d4a4ec 100644 --- a/workflow-templates/psalm.yml +++ b/workflow-templates/psalm.yml @@ -52,9 +52,6 @@ jobs: composer remove nextcloud/ocp --dev --no-scripts composer i - - name: Check for vulnerable PHP dependencies - run: composer require --dev roave/security-advisories:dev-latest - - name: Install nextcloud/ocp run: composer require --dev nextcloud/ocp:dev-${{ steps.versions.outputs.branches-max }} --ignore-platform-reqs --with-dependencies From 1eaf9a6a94eb7e537857c31ddf029c04c2d910bb Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Tue, 21 Apr 2026 08:28:04 +0200 Subject: [PATCH 03/25] ci(zizmor): Remove adjusted secrets-outside-env rule Signed-off-by: Joas Schilling --- .github/workflows/dispatch-workflow-org.yml | 4 ++-- .github/workflows/dispatch-workflow-repo.yml | 2 +- .github/workflows/dispatch-workflow.yml | 2 +- workflow-templates/appstore-build-publish.yml | 6 +++--- workflow-templates/command-compile.yml | 8 ++++---- workflow-templates/command-openapi.yml | 8 ++++---- workflow-templates/cypress.yml | 12 ++++++------ workflow-templates/npm-audit-fix.yml | 2 +- workflow-templates/rector-apply.yml | 2 +- workflow-templates/sync-workflow-templates.yml | 2 +- workflow-templates/update-nextcloud-ocp-matrix.yml | 2 +- workflow-templates/update-nextcloud-ocp.yml | 2 +- 12 files changed, 26 insertions(+), 26 deletions(-) diff --git a/.github/workflows/dispatch-workflow-org.yml b/.github/workflows/dispatch-workflow-org.yml index 632a15d..f49b0b6 100644 
--- a/.github/workflows/dispatch-workflow-org.yml +++ b/.github/workflows/dispatch-workflow-org.yml @@ -25,7 +25,7 @@ jobs: - name: Get all repositories id: get-repos env: - GH_TOKEN: ${{ secrets.TEMPLATE_WORKFLOW_DISPATCH_PAT }} # zizmor: ignore[secrets-outside-env] + GH_TOKEN: ${{ secrets.TEMPLATE_WORKFLOW_DISPATCH_PAT }} run: | repositories=$(gh api \ --paginate \ @@ -45,7 +45,7 @@ jobs: steps: - name: Dispatch update workflow env: - GH_TOKEN: ${{ secrets.TEMPLATE_WORKFLOW_DISPATCH_PAT }} # zizmor: ignore[secrets-outside-env] + GH_TOKEN: ${{ secrets.TEMPLATE_WORKFLOW_DISPATCH_PAT }} run: | gh workflow run dispatch-workflow-repo.yml \ --repo ${{ github.repository }} \ diff --git a/.github/workflows/dispatch-workflow-repo.yml b/.github/workflows/dispatch-workflow-repo.yml index e42adb0..198f9bf 100644 --- a/.github/workflows/dispatch-workflow-repo.yml +++ b/.github/workflows/dispatch-workflow-repo.yml @@ -93,4 +93,4 @@ jobs: signoff: true title: '[${{ github.event.inputs.branch }}] ci: update all workflow templates from organization template repository' labels: dependencies - token: ${{ secrets.TEMPLATE_WORKFLOW_DISPATCH_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.TEMPLATE_WORKFLOW_DISPATCH_PAT }} diff --git a/.github/workflows/dispatch-workflow.yml b/.github/workflows/dispatch-workflow.yml index 058b553..8271820 100644 --- a/.github/workflows/dispatch-workflow.yml +++ b/.github/workflows/dispatch-workflow.yml @@ -109,4 +109,4 @@ jobs: signoff: true title: 'ci: update ${{ github.event.inputs.name }} workflow from template' labels: dependencies - token: ${{ secrets.TEMPLATE_WORKFLOW_DISPATCH_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.TEMPLATE_WORKFLOW_DISPATCH_PAT }} diff --git a/workflow-templates/appstore-build-publish.yml b/workflow-templates/appstore-build-publish.yml index 1e6bd32..fc73fb9 100644 --- a/workflow-templates/appstore-build-publish.yml +++ b/workflow-templates/appstore-build-publish.yml 
@@ -172,7 +172,7 @@ jobs: tar -xvf ${{ env.APP_NAME }}.tar.gz cd ../../../ # Setting up keys - echo '${{ secrets.APP_PRIVATE_KEY }}' > ${{ env.APP_NAME }}.key # zizmor: ignore[secrets-outside-env] + echo '${{ secrets.APP_PRIVATE_KEY }}' > ${{ env.APP_NAME }}.key wget --quiet "https://github.com/nextcloud/app-certificate-requests/raw/master/${{ env.APP_NAME }}/${{ env.APP_NAME }}.crt" # Signing php nextcloud/occ integrity:sign-app --privateKey=../${{ env.APP_NAME }}.key --certificate=../${{ env.APP_NAME }}.crt --path=../${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }} @@ -194,6 +194,6 @@ jobs: uses: nextcloud-releases/nextcloud-appstore-push-action@a011fe619bcf6e77ddebc96f9908e1af4071b9c1 # v1.0.3 with: app_name: ${{ env.APP_NAME }} - appstore_token: ${{ secrets.APPSTORE_TOKEN }} # zizmor: ignore[secrets-outside-env] + appstore_token: ${{ secrets.APPSTORE_TOKEN }} download_url: ${{ steps.attach_to_release.outputs.browser_download_url }} - app_private_key: ${{ secrets.APP_PRIVATE_KEY }} # zizmor: ignore[secrets-outside-env] + app_private_key: ${{ secrets.APP_PRIVATE_KEY }} diff --git a/workflow-templates/command-compile.yml b/workflow-templates/command-compile.yml index b3989ff..ba5ea1f 100644 --- a/workflow-templates/command-compile.yml +++ b/workflow-templates/command-compile.yml @@ -59,7 +59,7 @@ jobs: - name: Add reaction on start uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 with: - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} repository: ${{ github.event.repository.full_name }} comment-id: ${{ github.event.comment.id }} reactions: '+1' 
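Review bot: The new side of the -172 hunk still expands `secrets.APP_PRIVATE_KEY` straight into the `run:` script on the `echo '${{ secrets.APP_PRIVATE_KEY }}' > ${{ env.APP_NAME }}.key` line, which is exactly the situation the dropped `secrets-outside-env` suppression was covering: the key is substituted into the shell source at template time, so a value containing a single quote breaks the quoting, and the secret is part of the step's command text rather than a process environment value. Routing it through the step's `env:` keeps the shell from ever seeing the key as code: add `APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}` under `env:` and write it with `printf '%s' "$APP_PRIVATE_KEY" > "$APP_NAME.key"` (workflow `env` values are exported to the shell, so `$APP_NAME` should resolve, but the step's `env:` block is outside the hunk and this is inferred). The `with:` inputs in the -194 hunk of the same file are action inputs, not shell text, and need no change. The enclosing step starts and ends outside the hunk.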
@@ -86,7 +86,7 @@ jobs: uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 if: failure() with: - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} repository: ${{ github.event.repository.full_name }} comment-id: ${{ github.event.comment.id }} reactions: '-1' @@ -107,7 +107,7 @@ jobs: with: # Needed to allow force push later persist-credentials: true - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} fetch-depth: 0 ref: ${{ needs.init.outputs.head_ref }} @@ -216,7 +216,7 @@ jobs: uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 if: failure() with: - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} repository: ${{ github.event.repository.full_name }} comment-id: ${{ github.event.comment.id }} reactions: '-1' diff --git a/workflow-templates/command-openapi.yml b/workflow-templates/command-openapi.yml index 97f4c69..464bb33 100644 --- a/workflow-templates/command-openapi.yml +++ b/workflow-templates/command-openapi.yml @@ -59,7 +59,7 @@ jobs: - name: Add reaction on start uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 with: - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} repository: ${{ github.event.repository.full_name }} comment-id: ${{ github.event.comment.id }} reactions: '+1' @@ -86,7 +86,7 @@ jobs: uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 if: failure() with: - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} repository: ${{ github.event.repository.full_name }} comment-id: ${{ github.event.comment.id }} reactions: '-1' 
@@ -107,7 +107,7 @@ jobs: with: # Needed to allow force push later persist-credentials: true - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} fetch-depth: 0 ref: ${{ needs.init.outputs.head_ref }} @@ -193,7 +193,7 @@ jobs: uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 if: failure() with: - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} repository: ${{ github.event.repository.full_name }} comment-id: ${{ github.event.comment.id }} reactions: '-1' diff --git a/workflow-templates/cypress.yml b/workflow-templates/cypress.yml index b67071a..5dc0af2 100644 --- a/workflow-templates/cypress.yml +++ b/workflow-templates/cypress.yml @@ -118,14 +118,14 @@ jobs: - name: Run ${{ matrix.containers == 'component' && 'component' || 'E2E' }} cypress tests uses: cypress-io/github-action@783cb3f07983868532cabaedaa1e6c00ff4786a8 # v7.1.9 with: - record: ${{ secrets.CYPRESS_RECORD_KEY && true }} # zizmor: ignore[secrets-outside-env] - parallel: ${{ secrets.CYPRESS_RECORD_KEY && true }} # zizmor: ignore[secrets-outside-env] + record: ${{ secrets.CYPRESS_RECORD_KEY && true }} + parallel: ${{ secrets.CYPRESS_RECORD_KEY && true }} # cypress run type component: ${{ matrix.containers == 'component' }} - group: ${{ secrets.CYPRESS_RECORD_KEY && env.CYPRESS_GROUP }} # zizmor: ignore[secrets-outside-env] + group: ${{ secrets.CYPRESS_RECORD_KEY && env.CYPRESS_GROUP }} # cypress env - ci-build-id: ${{ secrets.CYPRESS_RECORD_KEY && env.CYPRESS_BUILD_ID }} # zizmor: ignore[secrets-outside-env] - tag: ${{ secrets.CYPRESS_RECORD_KEY && github.event_name }} # zizmor: ignore[secrets-outside-env] + ci-build-id: ${{ secrets.CYPRESS_RECORD_KEY && env.CYPRESS_BUILD_ID }} + tag: ${{ secrets.CYPRESS_RECORD_KEY && github.event_name }} env: # Needs to be prefixed with CYPRESS_ CYPRESS_BRANCH: ${{ env.BRANCH }} 
@@ -134,7 +134,7 @@ jobs: # Needed for some specific code workarounds TESTING: true GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }} # zizmor: ignore[secrets-outside-env] + CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }} CYPRESS_BUILD_ID: ${{ github.sha }}-${{ github.run_number }} CYPRESS_GROUP: Run ${{ matrix.containers == 'component' && 'component' || 'E2E' }} diff --git a/workflow-templates/npm-audit-fix.yml b/workflow-templates/npm-audit-fix.yml index 3e27439..23bae52 100644 --- a/workflow-templates/npm-audit-fix.yml +++ b/workflow-templates/npm-audit-fix.yml @@ -71,7 +71,7 @@ jobs: if: steps.checkout.outcome == 'success' uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} commit-message: 'fix(deps): Fix npm audit' committer: GitHub author: nextcloud-command diff --git a/workflow-templates/rector-apply.yml b/workflow-templates/rector-apply.yml index 6b33ad7..e356a7a 100644 --- a/workflow-templates/rector-apply.yml +++ b/workflow-templates/rector-apply.yml @@ -56,7 +56,7 @@ jobs: - name: Create Pull Request uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} commit-message: 'refactor: Apply rector changes' committer: GitHub author: nextcloud-command diff --git a/workflow-templates/sync-workflow-templates.yml b/workflow-templates/sync-workflow-templates.yml index c80d194..8e99648 100644 --- a/workflow-templates/sync-workflow-templates.yml +++ b/workflow-templates/sync-workflow-templates.yml 
@@ -122,7 +122,7 @@ jobs: - name: Create Pull Request uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: - token: ${{ secrets.COMMAND_BOT_WORKFLOWS }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_WORKFLOWS }} commit-message: 'ci(actions): Update workflow templates from organization template repository' committer: GitHub author: nextcloud-command diff --git a/workflow-templates/update-nextcloud-ocp-matrix.yml b/workflow-templates/update-nextcloud-ocp-matrix.yml index 276934c..b8950bf 100644 --- a/workflow-templates/update-nextcloud-ocp-matrix.yml +++ b/workflow-templates/update-nextcloud-ocp-matrix.yml @@ -90,7 +90,7 @@ jobs: - name: Create Pull Request uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} commit-message: 'chore(dev-deps): Bump nextcloud/ocp package' committer: GitHub author: nextcloud-command diff --git a/workflow-templates/update-nextcloud-ocp.yml b/workflow-templates/update-nextcloud-ocp.yml index a3c0f23..835f956 100644 --- a/workflow-templates/update-nextcloud-ocp.yml +++ b/workflow-templates/update-nextcloud-ocp.yml @@ -99,7 +99,7 @@ jobs: if: steps.checkout.outcome == 'success' uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} commit-message: 'chore(dev-deps): Bump nextcloud/ocp package' committer: GitHub author: nextcloud-command From 9ca48081d45cc3eb3e4c5964db8bd025403d5bd4 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 25 Apr 2026 01:04:01 +0000 Subject: [PATCH 04/25] ci(deps): bump astral-sh/setup-uv in /.github/workflows Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 8.0.0 to 8.1.0. - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](https://github.com/astral-sh/setup-uv/compare/cec208311dfd045dd5311c1add060b2062131d57...08807647e7069bb48b6ef5acd8ec9567f424441b) --- updated-dependencies: - dependency-name: astral-sh/setup-uv dependency-version: 8.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/lint-yaml.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint-yaml.yml b/.github/workflows/lint-yaml.yml index f0ecfe3..3130fa1 100644 --- a/.github/workflows/lint-yaml.yml +++ b/.github/workflows/lint-yaml.yml @@ -33,7 +33,7 @@ jobs: line-length: warning - name: Install the latest version of uv - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 - name: Check GitHub actions run: uvx zizmor --min-severity medium .github/workflows/*.yml From b46b3bb9ff1f438b1b431460462b7cbf54d80588 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 Apr 2026 01:04:52 +0000 Subject: [PATCH 05/25] build(deps): bump actions/setup-node in /workflow-templates Bumps [actions/setup-node](https://github.com/actions/setup-node) from 6.3.0 to 6.4.0. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](https://github.com/actions/setup-node/compare/53b83947a5a98c8d113130e565377fae1a50d02f...48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- workflow-templates/appstore-build-publish.yml | 2 +- workflow-templates/command-compile.yml | 2 +- workflow-templates/command-openapi.yml | 2 +- workflow-templates/cypress.yml | 4 ++-- workflow-templates/documentation.yml | 2 +- workflow-templates/lint-eslint.yml | 2 +- workflow-templates/lint-stylelint.yml | 2 +- workflow-templates/lint-typescript.yml | 2 +- workflow-templates/node-test.yml | 2 +- workflow-templates/node.yml | 2 +- workflow-templates/npm-audit-fix.yml | 2 +- workflow-templates/openapi.yml | 2 +- 12 files changed, 13 insertions(+), 13 deletions(-) diff --git a/workflow-templates/appstore-build-publish.yml b/workflow-templates/appstore-build-publish.yml index fc73fb9..8432af6 100644 --- a/workflow-templates/appstore-build-publish.yml +++ b/workflow-templates/appstore-build-publish.yml @@ -71,7 +71,7 @@ jobs: - name: Set up node ${{ steps.versions.outputs.nodeVersion }} # Skip if no package.json if: ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} 
diff --git a/workflow-templates/command-compile.yml b/workflow-templates/command-compile.yml index ba5ea1f..487ec68 100644 --- a/workflow-templates/command-compile.yml +++ b/workflow-templates/command-compile.yml @@ -124,7 +124,7 @@ jobs: fallbackNpm: '^11.3' - name: Set up node ${{ steps.package-engines-versions.outputs.nodeVersion }} - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ steps.package-engines-versions.outputs.nodeVersion }} cache: npm diff --git a/workflow-templates/command-openapi.yml b/workflow-templates/command-openapi.yml index 464bb33..82ee655 100644 --- a/workflow-templates/command-openapi.yml +++ b/workflow-templates/command-openapi.yml @@ -134,7 +134,7 @@ jobs: - name: Set up node ${{ steps.node_versions.outputs.nodeVersion }} if: ${{ steps.node_versions.outputs.nodeVersion }} - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ steps.node_versions.outputs.nodeVersion }} diff --git a/workflow-templates/cypress.yml b/workflow-templates/cypress.yml index 5dc0af2..fa6d23c 100644 --- a/workflow-templates/cypress.yml +++ b/workflow-templates/cypress.yml @@ -68,7 +68,7 @@ jobs: fallbackNpm: '^11.3' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} @@ -108,7 +108,7 @@ jobs: path: ./ - name: Set up node ${{ needs.init.outputs.nodeVersion }} - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ needs.init.outputs.nodeVersion }} 
diff --git a/workflow-templates/documentation.yml b/workflow-templates/documentation.yml index f6970a5..27cd12a 100644 --- a/workflow-templates/documentation.yml +++ b/workflow-templates/documentation.yml @@ -42,7 +42,7 @@ jobs: fallbackNpm: '^11.3' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} diff --git a/workflow-templates/lint-eslint.yml b/workflow-templates/lint-eslint.yml index af11871..7343685 100644 --- a/workflow-templates/lint-eslint.yml +++ b/workflow-templates/lint-eslint.yml @@ -68,7 +68,7 @@ jobs: fallbackNpm: '^11.3' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} diff --git a/workflow-templates/lint-stylelint.yml b/workflow-templates/lint-stylelint.yml index fb317ca..52544ac 100644 --- a/workflow-templates/lint-stylelint.yml +++ b/workflow-templates/lint-stylelint.yml @@ -37,7 +37,7 @@ jobs: fallbackNpm: '^11.3' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} diff --git a/workflow-templates/lint-typescript.yml b/workflow-templates/lint-typescript.yml index 6d5fa22..6cecc80 100644 --- a/workflow-templates/lint-typescript.yml +++ b/workflow-templates/lint-typescript.yml 
@@ -67,7 +67,7 @@ jobs: fallbackNpm: '^11.3' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} diff --git a/workflow-templates/node-test.yml b/workflow-templates/node-test.yml index f0227e7..df17e37 100644 --- a/workflow-templates/node-test.yml +++ b/workflow-templates/node-test.yml @@ -72,7 +72,7 @@ jobs: fallbackNpm: '^11.3' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} diff --git a/workflow-templates/node.yml b/workflow-templates/node.yml index 1ee7662..417d97a 100644 --- a/workflow-templates/node.yml +++ b/workflow-templates/node.yml @@ -65,7 +65,7 @@ jobs: fallbackNpm: '^11.3' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} diff --git a/workflow-templates/npm-audit-fix.yml b/workflow-templates/npm-audit-fix.yml index 23bae52..2074c4c 100644 --- a/workflow-templates/npm-audit-fix.yml +++ b/workflow-templates/npm-audit-fix.yml @@ -48,7 +48,7 @@ jobs: fallbackNpm: '^11.3' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} diff --git a/workflow-templates/openapi.yml b/workflow-templates/openapi.yml index d2cf695..d0f3491 100644 --- a/workflow-templates/openapi.yml 
+++ b/workflow-templates/openapi.yml @@ -62,7 +62,7 @@ jobs: - name: Set up node ${{ steps.node_versions.outputs.nodeVersion }} if: ${{ steps.node_versions.outputs.nodeVersion }} - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ steps.node_versions.outputs.nodeVersion }} From f2e18eb19123fdbd148f952f00996849ef6240cc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 1 May 2026 01:10:24 +0000 Subject: [PATCH 06/25] build(deps): bump webiny/action-conventional-commits Bumps [webiny/action-conventional-commits](https://github.com/webiny/action-conventional-commits) from 1.3.1 to 1.4.2. - [Release notes](https://github.com/webiny/action-conventional-commits/releases) - [Commits](https://github.com/webiny/action-conventional-commits/compare/faccb24fc2550dd15c0390d944379d2d8ed9690e...7f91b1595ca1951cdb671ddc9f07a49081ec5b69) --- updated-dependencies: - dependency-name: webiny/action-conventional-commits dependency-version: 1.4.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- workflow-templates/block-unconventional-commits.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/workflow-templates/block-unconventional-commits.yml b/workflow-templates/block-unconventional-commits.yml index 01c4dea..258951e 100644 --- a/workflow-templates/block-unconventional-commits.yml +++ b/workflow-templates/block-unconventional-commits.yml @@ -31,6 +31,6 @@ jobs: with: persist-credentials: false - - uses: webiny/action-conventional-commits@faccb24fc2550dd15c0390d944379d2d8ed9690e # v1.3.1 + - uses: webiny/action-conventional-commits@7f91b1595ca1951cdb671ddc9f07a49081ec5b69 # v1.4.2 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 6ae952e2c28d386c4782709a36aa55524a04e018 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 2 May 2026 03:27:56 +0000 Subject: [PATCH 07/25] ci(deps): bump webiny/action-conventional-commits in /.github/workflows Bumps [webiny/action-conventional-commits](https://github.com/webiny/action-conventional-commits) from 1.3.1 to 1.4.2. - [Release notes](https://github.com/webiny/action-conventional-commits/releases) - [Commits](https://github.com/webiny/action-conventional-commits/compare/faccb24fc2550dd15c0390d944379d2d8ed9690e...7f91b1595ca1951cdb671ddc9f07a49081ec5b69) --- updated-dependencies: - dependency-name: webiny/action-conventional-commits dependency-version: 1.4.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/block-unconventional-commits.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/block-unconventional-commits.yml b/.github/workflows/block-unconventional-commits.yml index 01c4dea..258951e 100644 --- a/.github/workflows/block-unconventional-commits.yml +++ b/.github/workflows/block-unconventional-commits.yml @@ -31,6 +31,6 @@ jobs: with: persist-credentials: false - - uses: webiny/action-conventional-commits@faccb24fc2550dd15c0390d944379d2d8ed9690e # v1.3.1 + - uses: webiny/action-conventional-commits@7f91b1595ca1951cdb671ddc9f07a49081ec5b69 # v1.4.2 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 5c9a0d8369f8ccfc80f407a60928ec304aad71e6 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 May 2026 01:05:17 +0000 Subject: [PATCH 08/25] build(deps): bump cypress-io/github-action in /workflow-templates Bumps [cypress-io/github-action](https://github.com/cypress-io/github-action) from 7.1.9 to 7.1.10. - [Release notes](https://github.com/cypress-io/github-action/releases) - [Changelog](https://github.com/cypress-io/github-action/blob/master/CHANGELOG.md) - [Commits](https://github.com/cypress-io/github-action/compare/783cb3f07983868532cabaedaa1e6c00ff4786a8...c495c3ddffba403ba11be95fffb67e25203b3799) --- updated-dependencies: - dependency-name: cypress-io/github-action dependency-version: 7.1.10 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- workflow-templates/cypress.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/workflow-templates/cypress.yml b/workflow-templates/cypress.yml index fa6d23c..f5ca9aa 100644 --- a/workflow-templates/cypress.yml +++ b/workflow-templates/cypress.yml @@ -116,7 +116,7 @@ jobs: run: npm i -g 'npm@${{ needs.init.outputs.npmVersion }}' - name: Run ${{ matrix.containers == 'component' && 'component' || 'E2E' }} cypress tests - uses: cypress-io/github-action@783cb3f07983868532cabaedaa1e6c00ff4786a8 # v7.1.9 + uses: cypress-io/github-action@c495c3ddffba403ba11be95fffb67e25203b3799 # v7.1.10 with: record: ${{ secrets.CYPRESS_RECORD_KEY && true }} parallel: ${{ secrets.CYPRESS_RECORD_KEY && true }} From 287d9cefe764b42e1a7859f8f77ea2973aaf071a Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 May 2026 01:05:34 +0000 Subject: [PATCH 09/25] build(deps): bump cypress-io/github-action in /workflow-templates Bumps [cypress-io/github-action](https://github.com/cypress-io/github-action) from 7.1.10 to 7.2.0. - [Release notes](https://github.com/cypress-io/github-action/releases) - [Changelog](https://github.com/cypress-io/github-action/blob/master/CHANGELOG.md) - [Commits](https://github.com/cypress-io/github-action/compare/c495c3ddffba403ba11be95fffb67e25203b3799...b7a7441d775af8f8b9d19945c10dd689a51dba68) --- updated-dependencies: - dependency-name: cypress-io/github-action dependency-version: 7.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- workflow-templates/cypress.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/workflow-templates/cypress.yml b/workflow-templates/cypress.yml index f5ca9aa..496af16 100644 --- a/workflow-templates/cypress.yml +++ b/workflow-templates/cypress.yml @@ -116,7 +116,7 @@ jobs: run: npm i -g 'npm@${{ needs.init.outputs.npmVersion }}' - name: Run ${{ matrix.containers == 'component' && 'component' || 'E2E' }} cypress tests - uses: cypress-io/github-action@c495c3ddffba403ba11be95fffb67e25203b3799 # v7.1.10 + uses: cypress-io/github-action@b7a7441d775af8f8b9d19945c10dd689a51dba68 # v7.2.0 with: record: ${{ secrets.CYPRESS_RECORD_KEY && true }} parallel: ${{ secrets.CYPRESS_RECORD_KEY && true }} From 92d3852dc5b531272e3e7aa7b902a3b818e90035 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 May 2026 06:31:38 +0000 Subject: [PATCH 10/25] build(deps): bump cypress-io/github-action in /workflow-templates Bumps [cypress-io/github-action](https://github.com/cypress-io/github-action) from 7.2.0 to 7.3.0. - [Release notes](https://github.com/cypress-io/github-action/releases) - [Changelog](https://github.com/cypress-io/github-action/blob/master/CHANGELOG.md) - [Commits](https://github.com/cypress-io/github-action/compare/b7a7441d775af8f8b9d19945c10dd689a51dba68...dace029018fcdf86e0df89a31bc3cfa5b32570d8) --- updated-dependencies: - dependency-name: cypress-io/github-action dependency-version: 7.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- workflow-templates/cypress.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/workflow-templates/cypress.yml b/workflow-templates/cypress.yml index 496af16..3e13d4f 100644 --- a/workflow-templates/cypress.yml +++ b/workflow-templates/cypress.yml @@ -116,7 +116,7 @@ jobs: run: npm i -g 'npm@${{ needs.init.outputs.npmVersion }}' - name: Run ${{ matrix.containers == 'component' && 'component' || 'E2E' }} cypress tests - uses: cypress-io/github-action@b7a7441d775af8f8b9d19945c10dd689a51dba68 # v7.2.0 + uses: cypress-io/github-action@dace029018fcdf86e0df89a31bc3cfa5b32570d8 # v7.3.0 with: record: ${{ secrets.CYPRESS_RECORD_KEY && true }} parallel: ${{ secrets.CYPRESS_RECORD_KEY && true }} From adf492fc1b7ab0aab46e76ee1fbc5813b470fd43 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Tue, 12 May 2026 11:46:05 +0200 Subject: [PATCH 11/25] fix(psalm-matrix): Fix PHP version pick up from matrix job Signed-off-by: Joas Schilling --- workflow-templates/psalm-matrix.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/workflow-templates/psalm-matrix.yml b/workflow-templates/psalm-matrix.yml index 8d6603e..dc0105c 100644 
--- a/workflow-templates/psalm-matrix.yml +++ b/workflow-templates/psalm-matrix.yml @@ -22,6 +22,7 @@ jobs: runs-on: ubuntu-latest-low outputs: ocp-matrix: ${{ steps.versions.outputs.ocp-matrix }} + php-min: ${{ steps.versions.outputs.php-min }} steps: - name: Checkout app uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -50,10 +51,10 @@ jobs: with: persist-credentials: false - - name: Set up php${{ matrix.php-min }} + - name: Set up php${{ needs.matrix.outputs.php-min }} uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0 with: - php-version: ${{ matrix.php-min }} + php-version: ${{ needs.matrix.outputs.php-min }} extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite coverage: none ini-file: development From 5a209e1e32f1946ccab0e5bf78946ac10f9e85c6 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Fri, 15 May 2026 09:39:58 +0200 Subject: [PATCH 12/25] chore(branches): Support stable34 Signed-off-by: Joas Schilling --- workflow-templates/npm-audit-fix.yml | 1 + workflow-templates/sync-workflow-templates.yml | 1 + workflow-templates/update-nextcloud-ocp.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/workflow-templates/npm-audit-fix.yml b/workflow-templates/npm-audit-fix.yml index 2074c4c..82fa89f 100644 --- a/workflow-templates/npm-audit-fix.yml +++ b/workflow-templates/npm-audit-fix.yml @@ -26,6 +26,7 @@ jobs: matrix: branches: - ${{ github.event.repository.default_branch }} + - 'stable34' - 'stable33' - 'stable32' diff --git a/workflow-templates/sync-workflow-templates.yml b/workflow-templates/sync-workflow-templates.yml index 8e99648..93704ef 100644 --- a/workflow-templates/sync-workflow-templates.yml +++ b/workflow-templates/sync-workflow-templates.yml 
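Review bot: The second hunk makes the `Set up php` step read `needs.matrix.outputs.php-min`, which only resolves when the job that owns this step lists `matrix` under `needs:`; that declaration lies outside the hunk and should be checked, because a missing `needs` entry yields an empty string rather than an error and the step would then presumably fall back to setup-php's default PHP version. The new `php-min` output in the first hunk is wired from `steps.versions.outputs.php-min`, consistent with the sibling `ocp-matrix` output. A one-line comment on the new output, `# consumed by the analysis job via needs.matrix.outputs.php-min`, would document the cross-job coupling.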
@@ -26,6 +26,7 @@ jobs: matrix: branches: - ${{ github.event.repository.default_branch }} + - 'stable34' - 'stable33' - 'stable32' diff --git a/workflow-templates/update-nextcloud-ocp.yml b/workflow-templates/update-nextcloud-ocp.yml index 835f956..6e00570 100644 --- a/workflow-templates/update-nextcloud-ocp.yml +++ b/workflow-templates/update-nextcloud-ocp.yml @@ -26,6 +26,7 @@ jobs: matrix: branches: - ${{ github.event.repository.default_branch }} + - 'stable34' - 'stable33' - 'stable32' From e055d065bbcec70ca1e5c0fd385421c5c6ce7150 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Fri, 15 May 2026 13:58:33 +0200 Subject: [PATCH 13/25] ci(zizmor): Use zizmor action directly Signed-off-by: Joas Schilling --- .github/workflows/lint-yaml.yml | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/.github/workflows/lint-yaml.yml b/.github/workflows/lint-yaml.yml index 3130fa1..afd147c 100644 --- a/.github/workflows/lint-yaml.yml +++ b/.github/workflows/lint-yaml.yml @@ -32,11 +32,18 @@ jobs: config_data: | line-length: warning - - name: Install the latest version of uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 - - - name: Check GitHub actions - run: uvx zizmor --min-severity medium .github/workflows/*.yml + - name: Run zizmor 🌈 on actions + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + with: + inputs: '.github/workflows/*.yml' + advanced-security: false + annotations: true + min-severity: 'medium' - - name: Check GitHub workflow-templates - run: uvx zizmor --min-severity medium workflow-templates/*.yml + - name: Run zizmor 🌈 on workflow-templates + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + with: + inputs: 'workflow-templates/*.yml' + advanced-security: false + annotations: true + min-severity: 'medium' From 488897c872a296d7d44c07465e7faf6f80ecd635 Mon Sep 17 00:00:00 2001 
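Review bot: Both new zizmor steps pass `inputs` as a literal `'…/*.yml'` glob, whereas the removed `uvx zizmor …` lines relied on the shell to expand it; whether the action expands that glob itself depends on how it invokes zizmor and is not visible here, so it is worth confirming once that the run actually reports the expected files rather than silently scanning nothing. `min-severity: 'medium'` reproduces the old `--min-severity medium` and so is behaviour-preserving, but a short comment naming why medium is the floor, e.g. `# low/informational findings are tracked outside CI`, would help the next reader. The two steps differ only in `inputs`; if the action accepts several whitespace-separated inputs (to be confirmed against its documentation) they could collapse into one step.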
From: Joas Schilling Date: Fri, 15 May 2026 17:55:52 +0200 Subject: [PATCH 14/25] ci(zizmor): Fix tag pattern for setup-php Signed-off-by: Joas Schilling --- workflow-templates/appstore-build-publish.yml | 2 +- workflow-templates/lint-php-cs.yml | 2 +- workflow-templates/lint-php.yml | 2 +- workflow-templates/openapi.yml | 2 +- workflow-templates/phpstan.yml | 2 +- workflow-templates/phpunit-mariadb.yml | 2 +- workflow-templates/phpunit-mysql.yml | 2 +- workflow-templates/phpunit-oci.yml | 2 +- workflow-templates/phpunit-pgsql.yml | 2 +- workflow-templates/phpunit-sqlite.yml | 2 +- workflow-templates/psalm-matrix.yml | 2 +- workflow-templates/psalm.yml | 2 +- workflow-templates/rector-apply.yml | 2 +- workflow-templates/update-nextcloud-ocp-matrix.yml | 2 +- workflow-templates/update-nextcloud-ocp.yml | 2 +- 15 files changed, 15 insertions(+), 15 deletions(-) diff --git a/workflow-templates/appstore-build-publish.yml b/workflow-templates/appstore-build-publish.yml index 8432af6..eb7c578 100644 --- a/workflow-templates/appstore-build-publish.yml +++ b/workflow-templates/appstore-build-publish.yml @@ -87,7 +87,7 @@ jobs: filename: ${{ env.APP_NAME }}/appinfo/info.xml - name: Set up php ${{ steps.php-versions.outputs.php-min }} - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 with: php-version: ${{ steps.php-versions.outputs.php-min }} coverage: none diff --git a/workflow-templates/lint-php-cs.yml b/workflow-templates/lint-php-cs.yml index da40208..57f7a2b 100644 --- a/workflow-templates/lint-php-cs.yml +++ b/workflow-templates/lint-php-cs.yml 
@@ -34,7 +34,7 @@ jobs: uses: icewind1991/nextcloud-version-matrix@8a7bac6300b2f0f3100088b297995a229558ddba # v1.3.2 - name: Set up php${{ steps.versions.outputs.php-min }} - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 with: php-version: ${{ steps.versions.outputs.php-min }} extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite diff --git a/workflow-templates/lint-php.yml b/workflow-templates/lint-php.yml index d1eafea..47e4dc4 100644 --- a/workflow-templates/lint-php.yml +++ b/workflow-templates/lint-php.yml @@ -49,7 +49,7 @@ jobs: persist-credentials: false - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 with: php-version: ${{ matrix.php-versions }} extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite diff --git a/workflow-templates/openapi.yml b/workflow-templates/openapi.yml index d0f3491..f97254c 100644 --- a/workflow-templates/openapi.yml +++ b/workflow-templates/openapi.yml @@ -35,7 +35,7 @@ jobs: uses: icewind1991/nextcloud-version-matrix@8a7bac6300b2f0f3100088b297995a229558ddba # v1.3.2 - name: Set up php - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 with: php-version: ${{ steps.php_versions.outputs.php-available }} extensions: xml diff --git a/workflow-templates/phpstan.yml b/workflow-templates/phpstan.yml index cba8d41..74d3f66 100644 --- a/workflow-templates/phpstan.yml +++ b/workflow-templates/phpstan.yml 
@@ -36,7 +36,7 @@ jobs: run: "grep 'min: ${{ steps.versions.outputs.php-min-id }}' phpstan.neon" - name: Set up php${{ steps.versions.outputs.php-available }} - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 with: php-version: ${{ steps.versions.outputs.php-available }} extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite diff --git a/workflow-templates/phpunit-mariadb.yml b/workflow-templates/phpunit-mariadb.yml index 3a2389b..aa87500 100644 --- a/workflow-templates/phpunit-mariadb.yml +++ b/workflow-templates/phpunit-mariadb.yml @@ -105,7 +105,7 @@ jobs: path: apps/${{ env.APP_NAME }} - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation diff --git a/workflow-templates/phpunit-mysql.yml b/workflow-templates/phpunit-mysql.yml index e021681..2802c4c 100644 --- a/workflow-templates/phpunit-mysql.yml +++ b/workflow-templates/phpunit-mysql.yml @@ -103,7 +103,7 @@ jobs: path: apps/${{ env.APP_NAME }} - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation diff --git a/workflow-templates/phpunit-oci.yml b/workflow-templates/phpunit-oci.yml index 5355382..9a2ac51 100644 
--- a/workflow-templates/phpunit-oci.yml +++ b/workflow-templates/phpunit-oci.yml @@ -115,7 +115,7 @@ jobs: path: apps/${{ env.APP_NAME }} - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation diff --git a/workflow-templates/phpunit-pgsql.yml b/workflow-templates/phpunit-pgsql.yml index 4592e62..8946129 100644 --- a/workflow-templates/phpunit-pgsql.yml +++ b/workflow-templates/phpunit-pgsql.yml @@ -106,7 +106,7 @@ jobs: path: apps/${{ env.APP_NAME }} - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation diff --git a/workflow-templates/phpunit-sqlite.yml b/workflow-templates/phpunit-sqlite.yml index e2e299a..b35556a 100644 --- a/workflow-templates/phpunit-sqlite.yml +++ b/workflow-templates/phpunit-sqlite.yml @@ -95,7 +95,7 @@ jobs: path: apps/${{ env.APP_NAME }} - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 with: php-version: ${{ matrix.php-versions }} # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation diff --git a/workflow-templates/psalm-matrix.yml b/workflow-templates/psalm-matrix.yml index dc0105c..e786c3b 100644 --- a/workflow-templates/psalm-matrix.yml 
+++ b/workflow-templates/psalm-matrix.yml @@ -52,7 +52,7 @@ jobs: persist-credentials: false - name: Set up php${{ needs.matrix.outputs.php-min }} - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 with: php-version: ${{ needs.matrix.outputs.php-min }} extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite diff --git a/workflow-templates/psalm.yml b/workflow-templates/psalm.yml index 4d4a4ec..1784f41 100644 --- a/workflow-templates/psalm.yml +++ b/workflow-templates/psalm.yml @@ -36,7 +36,7 @@ jobs: run: grep 'phpVersion="${{ steps.versions.outputs.php-min }}' psalm.xml - name: Set up php${{ steps.versions.outputs.php-available }} - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 with: php-version: ${{ steps.versions.outputs.php-available }} extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite diff --git a/workflow-templates/rector-apply.yml b/workflow-templates/rector-apply.yml index e356a7a..87c00e4 100644 --- a/workflow-templates/rector-apply.yml +++ b/workflow-templates/rector-apply.yml 
@@ -36,7 +36,7 @@ jobs: uses: icewind1991/nextcloud-version-matrix@8a7bac6300b2f0f3100088b297995a229558ddba # v1.3.2 - name: Set up php${{ steps.versions.outputs.php-min }} - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 with: php-version: ${{ steps.versions.outputs.php-min }} extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite diff --git a/workflow-templates/update-nextcloud-ocp-matrix.yml b/workflow-templates/update-nextcloud-ocp-matrix.yml index b8950bf..07254e4 100644 --- a/workflow-templates/update-nextcloud-ocp-matrix.yml +++ b/workflow-templates/update-nextcloud-ocp-matrix.yml @@ -41,7 +41,7 @@ jobs: uses: icewind1991/nextcloud-version-matrix@8a7bac6300b2f0f3100088b297995a229558ddba # v1.3.2 - name: Set up php8.2 - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 with: php-version: 8.2 # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation diff --git a/workflow-templates/update-nextcloud-ocp.yml b/workflow-templates/update-nextcloud-ocp.yml index 6e00570..3aa06d4 100644 --- a/workflow-templates/update-nextcloud-ocp.yml +++ b/workflow-templates/update-nextcloud-ocp.yml @@ -43,7 +43,7 @@ jobs: - name: Set up php8.2 if: steps.checkout.outcome == 'success' - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 with: php-version: 8.2 # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation From 3530f9d3149dba62e988f3522a73f758fe038d05 Mon Sep 17 00:00:00 2001 
From: Joas Schilling Date: Fri, 15 May 2026 18:00:12 +0200 Subject: [PATCH 15/25] ci(zizmor): Fix misnamed version comments Signed-off-by: Joas Schilling --- workflow-templates/command-compile.yml | 4 ++-- workflow-templates/command-openapi.yml | 4 ++-- workflow-templates/documentation.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/workflow-templates/command-compile.yml b/workflow-templates/command-compile.yml index 487ec68..695803d 100644 --- a/workflow-templates/command-compile.yml +++ b/workflow-templates/command-compile.yml @@ -52,7 +52,7 @@ jobs: exit 1 - name: Check actor permission - uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v2 + uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v3.0 with: require: write @@ -65,7 +65,7 @@ jobs: reactions: '+1' - name: Parse command - uses: skjnldsv/parse-command-comment@5c955203c52424151e6d0e58fb9de8a9f6a605a1 # v2 + uses: skjnldsv/parse-command-comment@5c955203c52424151e6d0e58fb9de8a9f6a605a1 # v3.1 id: command # Init path depending on which command is run diff --git a/workflow-templates/command-openapi.yml b/workflow-templates/command-openapi.yml index 82ee655..44ab38c 100644 --- a/workflow-templates/command-openapi.yml +++ b/workflow-templates/command-openapi.yml @@ -52,7 +52,7 @@ jobs: exit 1 - name: Check actor permission - uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v2 + uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v3.0 with: require: write @@ -65,7 +65,7 @@ jobs: reactions: '+1' - name: Parse command - uses: skjnldsv/parse-command-comment@5c955203c52424151e6d0e58fb9de8a9f6a605a1 # v2 + uses: skjnldsv/parse-command-comment@5c955203c52424151e6d0e58fb9de8a9f6a605a1 # v3.1 id: command # Init path depending on which command is run diff --git a/workflow-templates/documentation.yml b/workflow-templates/documentation.yml index 27cd12a..a4eb31e 100644 
--- a/workflow-templates/documentation.yml +++ b/workflow-templates/documentation.yml @@ -25,7 +25,7 @@ jobs: - name: Check actor permission level # Only allow admin to deploy on release if: github.event.release - uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v2 + uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v3.0 with: require: admin From 1854a00c5ab3365acc61960e869f3328cd54c31b Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Fri, 15 May 2026 18:04:52 +0200 Subject: [PATCH 16/25] ci(zizmor): Update to latest Signed-off-by: Joas Schilling --- .github/workflows/lint-yaml.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/lint-yaml.yml b/.github/workflows/lint-yaml.yml index afd147c..aea22c5 100644 --- a/.github/workflows/lint-yaml.yml +++ b/.github/workflows/lint-yaml.yml @@ -33,7 +33,7 @@ jobs: line-length: warning - name: Run zizmor 🌈 on actions - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + uses: zizmorcore/zizmor-action@b572f7b1a1c2d41efaab43d504f68d215c3cd727 # v0.5.4 with: inputs: '.github/workflows/*.yml' advanced-security: false @@ -41,7 +41,7 @@ jobs: min-severity: 'medium' - name: Run zizmor 🌈 on workflow-templates - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + uses: zizmorcore/zizmor-action@b572f7b1a1c2d41efaab43d504f68d215c3cd727 # v0.5.4 with: inputs: 'workflow-templates/*.yml' advanced-security: false From 2f08bed320f4d6364d6c3cdd2dc5c2a039ae529b Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Fri, 15 May 2026 19:43:20 +0200 Subject: [PATCH 17/25] fix(zizmor): Fix tag names 
Signed-off-by: Joas Schilling --- workflow-templates/appstore-build-publish.yml | 2 +- workflow-templates/dependabot-approve-merge.yml | 2 +- workflow-templates/renovate-approve-merge.yml | 2 +- workflow-templates/update-nextcloud-ocp-approve-merge.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/workflow-templates/appstore-build-publish.yml b/workflow-templates/appstore-build-publish.yml index eb7c578..f28ab7f 100644 --- a/workflow-templates/appstore-build-publish.yml +++ b/workflow-templates/appstore-build-publish.yml @@ -181,7 +181,7 @@ jobs: tar -zcvf ${{ env.APP_NAME }}.tar.gz ${{ env.APP_NAME }} - name: Attach tarball to github release - uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2.11.5 + uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # 2.11.5 id: attach_to_release with: repo_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/workflow-templates/dependabot-approve-merge.yml b/workflow-templates/dependabot-approve-merge.yml index 71261f4..14bbd54 100644 --- a/workflow-templates/dependabot-approve-merge.yml +++ b/workflow-templates/dependabot-approve-merge.yml @@ -52,7 +52,7 @@ jobs: # Enable GitHub auto merge - name: Auto merge - uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # v2.0.0 + uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # 2.0.0 if: startsWith(steps.branchname.outputs.branch, 'dependabot/') && (github.event.pull_request.action == 'opened' || github.event.pull_request.action == 'reopened') with: github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/workflow-templates/renovate-approve-merge.yml b/workflow-templates/renovate-approve-merge.yml index decbabf..e7cf242 100644 --- a/workflow-templates/renovate-approve-merge.yml +++ b/workflow-templates/renovate-approve-merge.yml 
@@ -52,7 +52,7 @@ jobs: # Enable GitHub auto merge - name: Auto merge - uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # v2.0.0 + uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # 2.0.0 if: startsWith(steps.branchname.outputs.branch, 'renovate/') && (github.event.pull_request.action == 'opened' || github.event.pull_request.action == 'reopened') with: github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/workflow-templates/update-nextcloud-ocp-approve-merge.yml b/workflow-templates/update-nextcloud-ocp-approve-merge.yml index dfe0ef4..c036bfc 100644 --- a/workflow-templates/update-nextcloud-ocp-approve-merge.yml +++ b/workflow-templates/update-nextcloud-ocp-approve-merge.yml @@ -52,7 +52,7 @@ jobs: # Enable GitHub auto merge - name: Auto merge - uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # v2.0.0 + uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # 2.0.0 if: startsWith(steps.branchname.outputs.branch, 'automated/noid/') && endsWith(steps.branchname.outputs.branch, 'update-nextcloud-ocp') with: github-token: ${{ secrets.GITHUB_TOKEN }} From cdfbfdfee3941b5fe4b010815b5be3f0df6913c1 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Fri, 15 May 2026 19:45:05 +0200 Subject: [PATCH 18/25] fix(zizmor): Disable cache in release action Signed-off-by: Joas Schilling --- workflow-templates/appstore-build-publish.yml | 1 + workflow-templates/documentation.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/workflow-templates/appstore-build-publish.yml b/workflow-templates/appstore-build-publish.yml index f28ab7f..cda9381 100644 --- a/workflow-templates/appstore-build-publish.yml +++ b/workflow-templates/appstore-build-publish.yml 
@@ -74,6 +74,7 @@ jobs: uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} + package-manager-cache: false - name: Set up npm ${{ steps.versions.outputs.npmVersion }} # Skip if no package.json diff --git a/workflow-templates/documentation.yml b/workflow-templates/documentation.yml index a4eb31e..be03071 100644 --- a/workflow-templates/documentation.yml +++ b/workflow-templates/documentation.yml @@ -45,6 +45,7 @@ jobs: uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} + package-manager-cache: false - name: Set up npm ${{ steps.versions.outputs.npmVersion }} run: npm i -g 'npm@${{ steps.versions.outputs.npmVersion }}' From b4c0786a8147aeff83c9fe33b99c68c3383474b0 Mon Sep 17 00:00:00 2001 From: Josh Date: Sun, 5 Apr 2026 22:44:54 -0400 Subject: [PATCH 19/25] ci(cmd-compile): use persist-credentials: false and env indirection Defense in depth and consistency alignment with command-3rdparty's implementation: - Switch checkout to persist-credentials: false so the PAT is not in the credential store during npm ci / npm run build - Add explicit git remote set-url before push steps - Move all ${{ }} interpolations in run: blocks to env: variables Signed-off-by: Josh --- workflow-templates/command-compile.yml | 35 ++++++++++++++++++-------- 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/workflow-templates/command-compile.yml b/workflow-templates/command-compile.yml index 695803d..5e741a7 100644 --- a/workflow-templates/command-compile.yml +++ b/workflow-templates/command-compile.yml 
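Review bot: `package-manager-cache: false` is added without a comment, and the commit title is the only place that says why; on a release/publish path a restored dependency cache is a route for tampered content to reach the published artifact, so the reason belongs next to the line. Suggest `# Release path: never restore a dependency cache (zizmor cache-poisoning)` above the new line in both `appstore-build-publish.yml` and the `documentation.yml` hunk that follows on this line. Each hunk's step continues outside the hunk.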
@@ -105,8 +105,7 @@ jobs: - name: Checkout ${{ needs.init.outputs.head_ref }} uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - # Needed to allow force push later - persist-credentials: true + persist-credentials: false token: ${{ secrets.COMMAND_BOT_PAT }} fetch-depth: 0 ref: ${{ needs.init.outputs.head_ref }} @@ -134,11 +133,13 @@ jobs: - name: Rebase to ${{ needs.init.outputs.base_ref }} if: ${{ contains(needs.init.outputs.arg1, 'rebase') }} + env: + BASE_REF: ${{ needs.init.outputs.base_ref }} run: | - git fetch origin '${{ needs.init.outputs.base_ref }}:${{ needs.init.outputs.base_ref }}' + git fetch origin "${BASE_REF}:${BASE_REF}" # Start the rebase - git rebase 'origin/${{ needs.init.outputs.base_ref }}' || { + git rebase "origin/${BASE_REF}" || { # Handle rebase conflicts in a loop while [ -d .git/rebase-merge ] || [ -d .git/rebase-apply ]; do echo "Handling rebase conflict..." @@ -146,11 +147,11 @@ jobs: # Remove and checkout /dist and /js folders from the base branch if [ -d "dist" ]; then rm -rf dist - git checkout origin/${{ needs.init.outputs.base_ref }} -- dist/ 2>/dev/null || echo "No dist folder in base branch" + git checkout "origin/${BASE_REF}" -- dist/ 2>/dev/null || echo "No dist folder in base branch" fi if [ -d "js" ]; then rm -rf js - git checkout origin/${{ needs.init.outputs.base_ref }} -- js/ 2>/dev/null || echo "No js folder in base branch" + git checkout "origin/${BASE_REF}" -- js/ 2>/dev/null || echo "No js folder in base branch" fi # Stage all changes 
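Review bot: The first hunk drops the explanatory comment together with `persist-credentials: true`, so the checkout step is now silent on why the PAT is passed as `token:` but not persisted; add `# PAT is used for this fetch only; the push steps authenticate explicitly` above `persist-credentials: false` so the intent from the commit message survives in the template. The second and third hunks move `base_ref` into `BASE_REF` and quote every use, which removes the template-injection surface the commit describes; the `Rebase` step they modify starts in the second hunk and continues past the end of the third.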
@@ -182,20 +183,26 @@ jobs: - name: Commit default if: ${{ !contains(needs.init.outputs.arg1, 'fixup') && !contains(needs.init.outputs.arg1, 'amend') }} + env: + GIT_PATH: ${{ needs.init.outputs.git_path }} run: | - git add '${{ github.workspace }}${{ needs.init.outputs.git_path }}' + git add "${GITHUB_WORKSPACE}${GIT_PATH}" git commit --signoff -m 'chore(assets): Recompile assets' - name: Commit fixup if: ${{ contains(needs.init.outputs.arg1, 'fixup') }} + env: + GIT_PATH: ${{ needs.init.outputs.git_path }} run: | - git add '${{ github.workspace }}${{ needs.init.outputs.git_path }}' + git add "${GITHUB_WORKSPACE}${GIT_PATH}" git commit --fixup=HEAD --signoff - name: Commit amend if: ${{ contains(needs.init.outputs.arg1, 'amend') }} + env: + GIT_PATH: ${{ needs.init.outputs.git_path }} run: | - git add '${{ github.workspace }}${{ needs.init.outputs.git_path }}' + git add "${GITHUB_WORKSPACE}${GIT_PATH}" git commit --amend --no-edit --signoff # Remove any [skip ci] from the amended commit git commit --amend -m "$(git log -1 --format='%B' | sed '/\[skip ci\]/d')" 
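Review bot: `GIT_PATH` is declared identically in all three commit steps; a single job-level `env:` entry (outside this hunk) would declare it once and leave the steps differing only in their commit flags. `git add "${GITHUB_WORKSPACE}${GIT_PATH}"` stages the whole workspace whenever `git_path` is empty, which is presumably intended but depends on the init job's output (not visible here); a comment such as `# git_path: asset directory relative to the workspace, set by the init job` on the first declaration would make that contract explicit.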
@@ -204,13 +211,19 @@ jobs: if: ${{ !contains(needs.init.outputs.arg1, 'rebase') && !contains(needs.init.outputs.arg1, 'amend') }} env: HEAD_REF: ${{ needs.init.outputs.head_ref }} - run: git push origin "$HEAD_REF" + BOT_TOKEN: ${{ secrets.COMMAND_BOT_PAT }} + run: | + git remote set-url origin "https://x-access-token:${BOT_TOKEN}@github.com/${{ github.repository }}.git" + git push origin "$HEAD_REF" - name: Force push if: ${{ contains(needs.init.outputs.arg1, 'rebase') || contains(needs.init.outputs.arg1, 'amend') }} env: HEAD_REF: ${{ needs.init.outputs.head_ref }} - run: git push --force-with-lease origin "$HEAD_REF" + BOT_TOKEN: ${{ secrets.COMMAND_BOT_PAT }} + run: | + git remote set-url origin "https://x-access-token:${BOT_TOKEN}@github.com/${{ github.repository }}.git" + git push --force-with-lease origin "$HEAD_REF" - name: Add reaction on failure uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 From 1d3d97f13ca641e9f64c6eb24e50b4e06de8a22b Mon Sep 17 00:00:00 2001 From: Josh Date: Mon, 6 Apr 2026 08:10:52 -0400 Subject: [PATCH 20/25] chore(cmd-compil): add suppressor Signed-off-by: Josh --- workflow-templates/command-compile.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/workflow-templates/command-compile.yml b/workflow-templates/command-compile.yml index 5e741a7..c517120 100644 --- a/workflow-templates/command-compile.yml +++ b/workflow-templates/command-compile.yml @@ -211,7 +211,7 @@ jobs: if: ${{ !contains(needs.init.outputs.arg1, 'rebase') && !contains(needs.init.outputs.arg1, 'amend') }} env: HEAD_REF: ${{ needs.init.outputs.head_ref }} - BOT_TOKEN: ${{ secrets.COMMAND_BOT_PAT }} + BOT_TOKEN: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] run: | git remote set-url origin "https://x-access-token:${BOT_TOKEN}@github.com/${{ github.repository }}.git" git push origin "$HEAD_REF" 
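Review bot: `git remote set-url origin "https://x-access-token:${BOT_TOKEN}@…"` writes the PAT in clear text into `.git/config`, which is exactly the credential persistence that `persist-credentials: false` earlier in this commit was meant to avoid; every later step (including the failure-reaction step that follows) and anything that archives the workspace can read it. Scope the token to the single push command instead via a one-shot `http.<url>.extraheader` passed with `git -c`, which also keeps `origin` as a named remote so `--force-with-lease` in the second hunk keeps working; the same rewrite applies to the Force push step on this line. `${{ github.repository }}` is also still interpolated inside the `run:` block although the commit message says all interpolations moved to `env:`; with the header approach it is not needed at all.
```yaml
      env:
        HEAD_REF: ${{ needs.init.outputs.head_ref }}
        BOT_TOKEN: ${{ secrets.COMMAND_BOT_PAT }}
      run: |
        # One-shot auth header for this push only: the PAT never lands in .git/config
        AUTH="$(printf 'x-access-token:%s' "${BOT_TOKEN}" | base64 -w0)"
        git -c "http.https://github.com/.extraheader=AUTHORIZATION: basic ${AUTH}" \
          push origin "$HEAD_REF"
        # … unchanged: Force push step, same header with --force-with-lease …
```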
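Review bot: The `# zizmor: ignore[secrets-outside-env]` marker on `BOT_TOKEN` records that the finding was suppressed but not why it is acceptable, so a later maintainer cannot tell whether the secret handling was reviewed or the audit merely silenced; the same marker is added in the Force push hunk on the next line. A one-line justification above the `env:` block, such as `# COMMAND_BOT_PAT is needed for the push; it is passed only through env and never echoed`, would make the suppression auditable. If the audit fires because of how the secret is consumed in the `run:` block, narrowing that use would be the stronger fix than ignoring the rule.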
@@ -220,7 +220,7 @@ jobs: if: ${{ contains(needs.init.outputs.arg1, 'rebase') || contains(needs.init.outputs.arg1, 'amend') }} env: HEAD_REF: ${{ needs.init.outputs.head_ref }} - BOT_TOKEN: ${{ secrets.COMMAND_BOT_PAT }} + BOT_TOKEN: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] run: | git remote set-url origin "https://x-access-token:${BOT_TOKEN}@github.com/${{ github.repository }}.git" git push --force-with-lease origin "$HEAD_REF" From 121aba772191908d82e520a7e3993c6c395d3040 Mon Sep 17 00:00:00 2001 From: Ferdinand Thiessen Date: Thu, 16 Apr 2026 19:26:22 +0200 Subject: [PATCH 21/25] fix(dependabot): only auto-merge minor and patch updates The risks of breaking your app with unchecked major updates is quite high, so we can approve but the maintainer should at least manually merge the PR for major updates. Signed-off-by: Ferdinand Thiessen --- workflow-templates/dependabot-approve-merge.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/workflow-templates/dependabot-approve-merge.yml b/workflow-templates/dependabot-approve-merge.yml index 14bbd54..712f688 100644 --- a/workflow-templates/dependabot-approve-merge.yml +++ b/workflow-templates/dependabot-approve-merge.yml @@ -44,6 +44,12 @@ jobs: with: repo-token: ${{ secrets.GITHUB_TOKEN }} + - name: Dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36 # v3.0.0 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + # GitHub actions bot approve - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0 if: startsWith(steps.branchname.outputs.branch, 'dependabot/') 
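Review bot: The new `Dependabot metadata` step has no `if:` guard, so it runs on every pull request this workflow handles, while the approve step right below it is conditioned on `startsWith(steps.branchname.outputs.branch, 'dependabot/')`; if `dependabot/fetch-metadata` fails on PRs not authored by Dependabot (its documentation indicates so, worth confirming), any other PR would fail the job before the existing steps run. Add the same guard to the step, `if: startsWith(steps.branchname.outputs.branch, 'dependabot/')`; the `if:` rewritten in the second hunk on the next line already tolerates a skipped step, since an unset `update-type` output compares unequal to both the patch and the minor value.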
@@ -53,6 +59,6 @@ jobs: # Enable GitHub auto merge - name: Auto merge uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # 2.0.0 - if: startsWith(steps.branchname.outputs.branch, 'dependabot/') && (github.event.pull_request.action == 'opened' || github.event.pull_request.action == 'reopened') + if: startsWith(steps.branchname.outputs.branch, 'dependabot/') && (github.event.action == 'opened' || github.event.action == 'reopened') && (steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor') with: github-token: ${{ secrets.GITHUB_TOKEN }} From 8240ae37a1d06fffd7197efb390291bca4694c89 Mon Sep 17 00:00:00 2001 From: Ferdinand Thiessen Date: Sat, 16 May 2026 10:45:23 +0200 Subject: [PATCH 22/25] fix: correctly use `github.event.action` to fetch the type of event `github.event.pull_request` is the pull request object not the event object, so `.action` always resolves to null and breaks auto-merge. Signed-off-by: Ferdinand Thiessen --- workflow-templates/renovate-approve-merge.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/workflow-templates/renovate-approve-merge.yml b/workflow-templates/renovate-approve-merge.yml index e7cf242..71ee40f 100644 --- a/workflow-templates/renovate-approve-merge.yml +++ b/workflow-templates/renovate-approve-merge.yml @@ -53,6 +53,6 @@ jobs: # Enable GitHub auto merge - name: Auto merge uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # 2.0.0 - if: startsWith(steps.branchname.outputs.branch, 'renovate/') && (github.event.pull_request.action == 'opened' || github.event.pull_request.action == 'reopened') + if: startsWith(steps.branchname.outputs.branch, 'renovate/') && (github.event.action == 'opened' || github.event.action == 'reopened') with: github-token: ${{ secrets.GITHUB_TOKEN }} From 2f72ee6a929592f3e5d14c2a8f420dd5711a25e2 Mon Sep 17 00:00:00 2001 
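Review bot: Besides the semver gating, the rewritten `if:` also changes `github.event.pull_request.action` to `github.event.action`, a separate bug fix that this commit message does not mention (the renovate template gets the same fix in a later commit, with an explanation); it deserves a note here as well. The single-line condition is now hard to read; a folded scalar keeps it one expression while splitting the three clauses, e.g. `if: >-` followed by `startsWith(steps.branchname.outputs.branch, 'dependabot/') &&` and the two parenthesised groups on their own lines. A comment stating the intent would also help: `# Only auto-merge patch/minor updates; major updates are approved but left to a maintainer (an empty update-type also falls through to no auto-merge)`.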
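Review bot: The corrected `github.event.action` test fixes only the renovate template; the update-nextcloud-ocp-approve-merge.yml template is not in view here, so it is worth checking whether its `Auto merge` step carries the same `github.event.pull_request.action` condition and silently never auto-merges. A one-line comment above the step, `# github.event.action is the PR event type (opened/reopened); github.event.pull_request has no .action`, would stop the mistake from being reintroduced.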
From: Ferdinand Thiessen Date: Thu, 16 Apr 2026 19:34:47 +0200 Subject: [PATCH 23/25] chore: rename `node` to `npm-build` workflow We do not have Node.JS applications but this workflow just checks if it can build the Javascript frontend using `npm build`. This should reduce confusion about the workflow's intent. Signed-off-by: Ferdinand Thiessen --- workflow-templates/node.properties.json | 11 ----------- workflow-templates/npm-build.properties.json | 11 +++++++++++ workflow-templates/{node.svg => npm-build.svg} | 0 workflow-templates/{node.yml => npm-build.yml} | 2 +- 4 files changed, 12 insertions(+), 12 deletions(-) delete mode 100644 workflow-templates/node.properties.json create mode 100644 workflow-templates/npm-build.properties.json rename workflow-templates/{node.svg => npm-build.svg} (100%) rename workflow-templates/{node.yml => npm-build.yml} (99%) diff --git a/workflow-templates/node.properties.json b/workflow-templates/node.properties.json deleted file mode 100644 index 8e58812..0000000 --- a/workflow-templates/node.properties.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "name": "Node checkout and build workflow", - "description": "Nextcloud node build workflow template.", - "iconName": "node", - "categories": [ - "JavaScript" - ], - "filePatterns": [ - "^package.json$" - ] -} diff --git a/workflow-templates/npm-build.properties.json b/workflow-templates/npm-build.properties.json new file mode 100644 index 0000000..2747495 --- /dev/null +++ b/workflow-templates/npm-build.properties.json @@ -0,0 +1,11 @@ +{ + "name": "Frontend build workflow", + "description": "Nextcloud workflow template for check frontend builds.", + "iconName": "npm-build", + "categories": [ + "JavaScript" + ], + "filePatterns": [ + "^package.json$" + ] +} diff --git a/workflow-templates/node.svg b/workflow-templates/npm-build.svg similarity index 100% rename from workflow-templates/node.svg rename to workflow-templates/npm-build.svg
diff --git a/workflow-templates/node.yml b/workflow-templates/npm-build.yml similarity index 99% rename from workflow-templates/node.yml rename to workflow-templates/npm-build.yml index 417d97a..896bb7b 100644 --- a/workflow-templates/node.yml +++ b/workflow-templates/npm-build.yml @@ -6,7 +6,7 @@ # SPDX-FileCopyrightText: 2021-2024 Nextcloud GmbH and Nextcloud contributors # SPDX-License-Identifier: MIT -name: Node +name: Build Javascript on: pull_request From e7192dc651350943edcbe77e27ab9888f59c111b Mon Sep 17 00:00:00 2001 From: Ferdinand Thiessen Date: Sat, 16 May 2026 10:57:48 +0200 Subject: [PATCH 24/25] chore: add fallback for legacy workflow name Signed-off-by: Ferdinand Thiessen --- workflow-templates/node.yml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 workflow-templates/node.yml diff --git a/workflow-templates/node.yml b/workflow-templates/node.yml new file mode 100644 index 0000000..9f672c2 --- /dev/null +++ b/workflow-templates/node.yml 
@@ -0,0 +1,32 @@ +# This workflow is provided via the organization template repository +# +# https://github.com/nextcloud/.github +# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization +# +# SPDX-FileCopyrightText: 2021-2024 Nextcloud GmbH and Nextcloud contributors +# SPDX-License-Identifier: MIT + +# TODO: Remove this after a grace period of 6 months to give everyone the chance to switch to the new workflow name +# TODO: To be removed end of 2026. +name: No-op please switch to npm-build.yml + +on: pull_request + +permissions: + contents: none + +concurrency: + group: node-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + +jobs: + summary: + runs-on: ubuntu-latest-low + if: always() + + # This is the summary, we just avoid to rename it so that branch protection rules still match + name: node + + steps: + - name: No-op please switch to npm-build.yml + run: echo "The workflow has been renamed, please switch to npm-build.yml from organization templates"; exit 1; From 4eac2215087be8541ebcb846e9ea1364702617bf Mon Sep 17 00:00:00 2001 From: Ferdinand Thiessen Date: Sat, 16 May 2026 11:04:51 +0200 Subject: [PATCH 25/25] fix: use one-line `gh` script instead of unmaintained action The auto-approve action is unmaintained currently and still uses Node 20 which is deprecated by GitHub and will be removed soon. Auto-approve can be replaced with a 1-line `gh` script. Signed-off-by: Ferdinand Thiessen --- workflow-templates/dependabot-approve-merge.yml | 11 ++++++----- workflow-templates/renovate-approve-merge.yml | 11 ++++++----- .../update-nextcloud-ocp-approve-merge.yml | 11 ++++++----- 3 files changed, 18 insertions(+), 15 deletions(-) diff --git a/workflow-templates/dependabot-approve-merge.yml b/workflow-templates/dependabot-approve-merge.yml index 712f688..0658754 100644 --- a/workflow-templates/dependabot-approve-merge.yml +++ b/workflow-templates/dependabot-approve-merge.yml 
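Review bot: The job-level `if: always()` does nothing useful here—without `needs:` the job runs regardless—and `always()` is documented to stay true even when the run is cancelled, which sits oddly next to `cancel-in-progress: true`; drop the line. The failing step prints its hint with a plain `echo`, which is easy to miss in a red check; emitting it as an annotation surfaces the reason on the PR itself, e.g. `run: echo "::error::This workflow has been renamed, switch to npm-build.yml from the organization templates"; exit 1`. `permissions: contents: none` is the right choice for a no-op workflow. The comment `we just avoid to rename it` reads better as `we deliberately keep the job name so that branch protection rules still match`.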
@@ -27,7 +27,7 @@ jobs: if: github.event.pull_request.user.login == 'dependabot[bot]' runs-on: ubuntu-latest-low permissions: - # for hmarr/auto-approve-action to approve PRs + # for auto-approve step to work pull-requests: write # for alexwilson/enable-github-automerge-action to approve PRs contents: write @@ -50,11 +50,12 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} - # GitHub actions bot approve - - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0 + - name: GitHub actions bot approve if: startsWith(steps.branchname.outputs.branch, 'dependabot/') - with: - github-token: ${{ secrets.GITHUB_TOKEN }} + run: gh pr review --approve "$PR_URL" + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Enable GitHub auto merge - name: Auto merge diff --git a/workflow-templates/renovate-approve-merge.yml b/workflow-templates/renovate-approve-merge.yml index e7cf242..e51d74f 100644 --- a/workflow-templates/renovate-approve-merge.yml +++ b/workflow-templates/renovate-approve-merge.yml @@ -27,7 +27,7 @@ jobs: if: github.event.pull_request.user.login == 'renovate[bot]' runs-on: ubuntu-latest permissions: - # for hmarr/auto-approve-action to approve PRs + # for auto-approve step to work pull-requests: write # for alexwilson/enable-github-automerge-action to approve PRs contents: write @@ -44,11 +44,12 @@ jobs: with: repo-token: ${{ secrets.GITHUB_TOKEN }} - # GitHub actions bot approve - - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0 + - name: GitHub actions bot approve if: startsWith(steps.branchname.outputs.branch, 'renovate/') - with: - github-token: ${{ secrets.GITHUB_TOKEN }} + run: gh pr review --approve "$PR_URL" + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Enable GitHub auto merge - name: Auto merge 
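Review bot: `gh pr review --approve` with `secrets.GITHUB_TOKEN` only succeeds when the repository or organisation setting "Allow GitHub Actions to create and approve pull requests" is enabled; where it is off the API rejects the review and the step fails, and since this is an org-wide template that prerequisite should be stated where the call is made. Add above the step: `# Requires "Allow GitHub Actions to create and approve pull requests" (Settings > Actions > General > Workflow permissions)`. Passing `PR_URL` and `GH_TOKEN` through `env:` instead of interpolating them into `run:` is the right pattern; the same comment belongs in the renovate hunk that follows on this line.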
diff --git a/workflow-templates/update-nextcloud-ocp-approve-merge.yml b/workflow-templates/update-nextcloud-ocp-approve-merge.yml index c036bfc..51735a7 100644 --- a/workflow-templates/update-nextcloud-ocp-approve-merge.yml +++ b/workflow-templates/update-nextcloud-ocp-approve-merge.yml @@ -27,7 +27,7 @@ jobs: if: github.actor == 'nextcloud-command' runs-on: ubuntu-latest-low permissions: - # for hmarr/auto-approve-action to approve PRs + # for auto-approve-action to approve PRs pull-requests: write # for alexwilson/enable-github-automerge-action to approve PRs contents: write @@ -44,11 +44,12 @@ jobs: with: repo-token: ${{ secrets.GITHUB_TOKEN }} - # GitHub actions bot approve - - uses: hmarr/auto-approve-action@b40d6c9ed2fa10c9a2749eca7eb004418a705501 # v2 + - name: GitHub actions bot approve if: startsWith(steps.branchname.outputs.branch, 'automated/noid/') && endsWith(steps.branchname.outputs.branch, 'update-nextcloud-ocp') - with: - github-token: ${{ secrets.GITHUB_TOKEN }} + run: gh pr review --approve "$PR_URL" + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Enable GitHub auto merge - name: Auto merge
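Review bot: The permission comment in this file becomes `# for auto-approve-action to approve PRs` even though the action is removed in the same commit, and it diverges from the `# for auto-approve step to work` wording used in the two sibling templates; make it `# for the gh pr review --approve step`. Separately, this template gates the job on `github.actor == 'nextcloud-command'` while the dependabot and renovate templates gate on `github.event.pull_request.user.login`; `github.actor` is whoever triggered the event (the reopener or pusher on `reopened`/`synchronize`), not necessarily the PR author, so the two conditions can disagree. That line is unchanged context rather than new code, but it is worth aligning with the PR-author check while the file is touched.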