Merge pull request #53056 from nextcloud/ci/noid/ghActionSync

GH action sync
2026-05-28 04:32:30 -04:00 · 2025-05-23 07:34:59 +02:00 · 2025-05-23 07:34:59 +02:00 · 8450efc26e
commit 8450efc26e
parent 86d9289512 3aa1706c64
31 changed files with 131 additions and 60 deletions
--- a/.github/workflows/block-unconventional-commits.yml
+++ b/.github/workflows/block-unconventional-commits.yml
@ -28,6 +28,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - uses: webiny/action-conventional-commits@8bc41ff4e7d423d56fa4905f6ff79209a78776c7 # v1.3.0
        with:
--- a/.github/workflows/command-compile.yml
+++ b/.github/workflows/command-compile.yml
@ -11,6 +11,9 @@ on:
  issue_comment:
    types: [created]

+permissions:
+  contents: read
+
 jobs:
  init:
    runs-on: ubuntu-latest
@ -102,6 +105,7 @@ jobs:
      - name: Checkout ${{ needs.init.outputs.head_ref }}
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          # Needed to allow force push later
          persist-credentials: true
          token: ${{ secrets.COMMAND_BOT_PAT }}
          fetch-depth: 0
@ -120,7 +124,7 @@ jobs:
          fallbackNpm: '^10'

      - name: Set up node ${{ steps.package-engines-versions.outputs.nodeVersion }}
-        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: ${{ steps.package-engines-versions.outputs.nodeVersion }}
          cache: npm
--- a/.github/workflows/cypress.yml
+++ b/.github/workflows/cypress.yml
@ -18,9 +18,16 @@ env:
  # Adjust APP_NAME if your repository name is different
  APP_NAME: ${{ github.event.repository.name }}

-  # Server requires head_ref instead of base_ref, as we want to test the PR branch
+  # This represents the server branch to checkout.
+  # Usually it's the base branch of the PR, but for pushes it's the branch itself.
+  # e.g. 'main', 'stable27' or 'feature/my-feature'
+  # n.b. server will use head_ref, as we want to test the PR branch.
  BRANCH: ${{ github.head_ref || github.ref_name }}

+
+permissions:
+  contents: read
+
 jobs:
  init:
    runs-on: ubuntu-latest
@ -43,6 +50,7 @@ jobs:
      - name: Checkout server
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          # We need to checkout submodules for 3rdparty
          submodules: true

@ -64,7 +72,7 @@ jobs:
          fallbackNpm: "^10"

      - name: Set up node ${{ steps.versions.outputs.nodeVersion }}
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: ${{ steps.versions.outputs.nodeVersion }}

@ -80,7 +88,7 @@ jobs:
        run: npm run cypress:version

      - name: Save context
-        uses: buildjet/cache/save@v4
+        uses: buildjet/cache/save@3e70d19e31d6a8030aeddf6ed8dbe601f94d09f4 # v4.0.2
        with:
          key: cypress-context-${{ github.run_id }}
          path: ./
@ -94,7 +102,7 @@ jobs:
      matrix:
        # Run multiple copies of the current job in parallel
        # Please increase the number or runners as your tests suite grows (0 based index for e2e tests)
-        containers: ["component", '0', '1', '2', '3', '4', '5', '6', '7']
+        containers: ['component', '0', '1', '2', '3', '4', '5', '6', '7']
        # Hack as strategy.job-total includes the component and GitHub does not allow math expressions
        # Always align this number with the total of e2e runners (max. index + 1)
        total-containers: [8]
@ -103,14 +111,14 @@ jobs:

    steps:
      - name: Restore context
-        uses: buildjet/cache/restore@v4
+        uses: buildjet/cache/restore@3e70d19e31d6a8030aeddf6ed8dbe601f94d09f4 # v4.0.2
        with:
          fail-on-cache-miss: true
          key: cypress-context-${{ github.run_id }}
          path: ./

      - name: Set up node ${{ needs.init.outputs.nodeVersion }}
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: ${{ needs.init.outputs.nodeVersion }}

@ -142,8 +150,8 @@ jobs:
          SPLIT: ${{ matrix.total-containers }}
          SPLIT_INDEX: ${{ matrix.containers == 'component' && 0 || matrix.containers }}

-      - name: Upload snapshots and videos
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+      - name: Upload snapshots
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        if: always()
        with:
          name: snapshots_videos_${{ matrix.containers }}
@ -156,7 +164,7 @@ jobs:
        run: docker logs nextcloud-cypress-tests_${{ env.APP_NAME }} > nextcloud.log

      - name: Upload NC logs
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        if: failure() && matrix.containers != 'component'
        with:
          name: nc_logs_${{ matrix.containers }}
@ -167,7 +175,7 @@ jobs:
        run: docker exec nextcloud-cypress-tests_${{ env.APP_NAME }} tar -cvjf - data > data.tar

      - name: Upload data dir archive
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        if: failure() && matrix.containers != 'component'
        with:
          name: nc_data_${{ matrix.containers }}
--- a/.github/workflows/dependabot-approve-merge.yml
+++ b/.github/workflows/dependabot-approve-merge.yml
@ -9,7 +9,7 @@
 name: Dependabot

 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers]
    branches:
      - main
      - master
@ -24,7 +24,7 @@ concurrency:

 jobs:
  auto-approve-merge:
-    if: github.actor == 'dependabot[bot]' || github.actor == 'renovate[bot]'
+    if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'renovate[bot]'
    runs-on: ubuntu-latest-low
    permissions:
      # for hmarr/auto-approve-action to approve PRs
--- a/.github/workflows/files-external-ftp.yml
+++ b/.github/workflows/files-external-ftp.yml
@ -100,7 +100,7 @@ jobs:

      - name: Upload code coverage
        if: ${{ !cancelled() && matrix.coverage }}
-        uses: codecov/codecov-action@v5.0.7
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          files: ./clover.xml
          flags: phpunit-files-external-ftp
--- a/.github/workflows/files-external-s3.yml
+++ b/.github/workflows/files-external-s3.yml
@ -98,7 +98,7 @@ jobs:

      - name: Upload code coverage
        if: ${{ !cancelled() && matrix.coverage }}
-        uses: codecov/codecov-action@v5.0.7
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          files: ./clover.xml
          flags: phpunit-files-external-s3
@ -165,7 +165,7 @@ jobs:

      - name: Upload code coverage
        if: ${{ !cancelled() && matrix.coverage }}
-        uses: codecov/codecov-action@v5.0.7
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          files: ./clover.xml
          flags: phpunit-files-external-s3
--- a/.github/workflows/files-external-sftp.yml
+++ b/.github/workflows/files-external-sftp.yml
@ -89,7 +89,7 @@ jobs:

      - name: Upload code coverage
        if: ${{ !cancelled() && matrix.coverage }}
-        uses: codecov/codecov-action@v5.0.7
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          files: ./clover.xml
          flags: phpunit-files-external-sftp
--- a/.github/workflows/files-external-smb.yml
+++ b/.github/workflows/files-external-smb.yml
@ -94,7 +94,7 @@ jobs:

      - name: Upload code coverage
        if: ${{ !cancelled() && matrix.coverage }}
-        uses: codecov/codecov-action@015f24e6818733317a2da2edd6290ab26238649a # v4.1.1
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          files: ./clover.xml
          flags: phpunit-files-external-smb
--- a/.github/workflows/files-external-webdav.yml
+++ b/.github/workflows/files-external-webdav.yml
@ -91,7 +91,7 @@ jobs:

      - name: Upload code coverage
        if: ${{ !cancelled() && matrix.coverage }}
-        uses: codecov/codecov-action@015f24e6818733317a2da2edd6290ab26238649a # v4.1.1
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          files: ./clover.xml
          flags: phpunit-files-external-webdav
--- a/.github/workflows/files-external.yml
+++ b/.github/workflows/files-external.yml
@ -79,7 +79,7 @@ jobs:

      - name: Upload code coverage
        if: ${{ !cancelled() && matrix.coverage }}
-        uses: codecov/codecov-action@v5.0.7
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          files: ./clover.xml
          flags: phpunit-files-external-generic
--- a/.github/workflows/lint-eslint.yml
+++ b/.github/workflows/lint-eslint.yml
@ -20,6 +20,9 @@ concurrency:
 jobs:
  changes:
    runs-on: ubuntu-latest-low
+    permissions:
+      contents: read
+      pull-requests: read

    outputs:
      src: ${{ steps.changes.outputs.src}}
@ -54,6 +57,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Read package.json node and npm engines version
        uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3
@ -63,7 +68,7 @@ jobs:
          fallbackNpm: '^10'

      - name: Set up node ${{ steps.versions.outputs.nodeVersion }}
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v3
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: ${{ steps.versions.outputs.nodeVersion }}

--- a/.github/workflows/lint-php-cs.yml
+++ b/.github/workflows/lint-php-cs.yml
@ -51,7 +51,7 @@ jobs:
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up php8.1
-        uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1
+        uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0
        with:
          php-version: 8.1
          extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite
--- a/.github/workflows/lint-php.yml
+++ b/.github/workflows/lint-php.yml
@ -54,9 +54,11 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1
+        uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0
        with:
          php-version: ${{ matrix.php-versions }}
          coverage: none
--- a/.github/workflows/lint-stylelint.yml
+++ b/.github/workflows/lint-stylelint.yml
@ -26,6 +26,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Read package.json node and npm engines version
        uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3
@ -35,7 +37,7 @@ jobs:
          fallbackNpm: '^10'

      - name: Set up node ${{ steps.versions.outputs.nodeVersion }}
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: ${{ steps.versions.outputs.nodeVersion }}

--- a/.github/workflows/node-test.yml
+++ b/.github/workflows/node-test.yml
@ -23,6 +23,9 @@ concurrency:
 jobs:
  changes:
    runs-on: ubuntu-latest-low
+    permissions:
+      contents: read
+      pull-requests: read

    outputs:
      src: ${{ steps.changes.outputs.src}}
@ -60,6 +63,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Read package.json node and npm engines version
        uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3
@ -83,7 +88,7 @@ jobs:
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up node ${{ needs.versions.outputs.nodeVersion }}
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: ${{ needs.versions.outputs.nodeVersion }}

@ -99,7 +104,7 @@ jobs:
        run: npm run test:coverage --if-present

      - name: Collect coverage
-        uses: codecov/codecov-action@015f24e6818733317a2da2edd6290ab26238649a # v4.3.1
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          files: ./coverage/lcov.info

@ -117,7 +122,7 @@ jobs:
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up node ${{ needs.versions.outputs.nodeVersion }}
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: ${{ needs.versions.outputs.nodeVersion }}

@ -145,7 +150,7 @@ jobs:
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up node ${{ needs.versions.outputs.nodeVersion }}
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: ${{ needs.versions.outputs.nodeVersion }}

--- a/.github/workflows/node.yml
+++ b/.github/workflows/node.yml
@ -20,6 +20,9 @@ concurrency:
 jobs:
  changes:
    runs-on: ubuntu-latest-low
+    permissions:
+      contents: read
+      pull-requests: read

    outputs:
      src: ${{ steps.changes.outputs.src}}
@ -54,6 +57,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Read package.json node and npm engines version
        uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3
@ -63,7 +68,7 @@ jobs:
          fallbackNpm: '^10'

      - name: Set up node ${{ steps.versions.outputs.nodeVersion }}
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v3
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: ${{ steps.versions.outputs.nodeVersion }}

--- a/.github/workflows/npm-audit-fix.yml
+++ b/.github/workflows/npm-audit-fix.yml
@ -14,6 +14,9 @@ on:
    # At 2:30 on Sundays
    - cron: '30 2 * * 0'

+permissions:
+  contents: read
+
 jobs:
  build:
    runs-on: ubuntu-latest
@ -21,15 +24,18 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        branches: ['main', 'master', 'stable30', 'stable29', 'stable28']
+        branches: ['main', 'master', 'stable31', 'stable30']

    name: npm-audit-fix-${{ matrix.branches }}

    steps:
      - name: Checkout
+        id: checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          ref: ${{ matrix.branches }}
+        continue-on-error: true

      - name: Read package.json node and npm engines version
        uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3
@ -39,7 +45,7 @@ jobs:
          fallbackNpm: '^10'

      - name: Set up node ${{ steps.versions.outputs.nodeVersion }}
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v3
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: ${{ steps.versions.outputs.nodeVersion }}

@ -48,10 +54,10 @@ jobs:

      - name: Fix npm audit
        id: npm-audit
-        uses: nextcloud-libraries/npm-audit-action@2a60bd2e79cc77f2cc4d9a3fe40f1a69896f3a87 # v0.1.0
+        uses: nextcloud-libraries/npm-audit-action@1b1728b2b4a7a78d69de65608efcf4db0e3e42d0 # v0.2.0

      - name: Run npm ci and npm run build
-        if: always()
+        if: steps.checkout.outcome == 'success'
        env:
          CYPRESS_INSTALL_BINARY: 0
        run: |
@ -59,8 +65,8 @@ jobs:
          npm run build --if-present

      - name: Create Pull Request
-        if: always()
-        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+        if: steps.checkout.outcome == 'success'
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          token: ${{ secrets.COMMAND_BOT_PAT }}
          commit-message: 'fix(deps): Fix npm audit'
--- a/.github/workflows/object-storage-azure.yml
+++ b/.github/workflows/object-storage-azure.yml
@ -105,7 +105,7 @@ jobs:

      - name: Upload code coverage
        if: ${{ !cancelled() && matrix.coverage }}
-        uses: codecov/codecov-action@v5.0.7
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          files: ./clover.xml
          flags: phpunit-azure
--- a/.github/workflows/object-storage-s3.yml
+++ b/.github/workflows/object-storage-s3.yml
@ -111,7 +111,7 @@ jobs:

      - name: Upload code coverage
        if: ${{ !cancelled() && matrix.coverage }}
-        uses: codecov/codecov-action@v5.0.7
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          files: ./clover.xml
          flags: phpunit-s3
--- a/.github/workflows/object-storage-swift.yml
+++ b/.github/workflows/object-storage-swift.yml
@ -101,7 +101,7 @@ jobs:

      - name: Upload code coverage
        if: ${{ !cancelled() && matrix.coverage }}
-        uses: codecov/codecov-action@v5.0.7
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          files: ./clover.xml
          flags: phpunit-swift
--- a/.github/workflows/openapi.yml
+++ b/.github/workflows/openapi.yml
@ -27,9 +27,11 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Set up php
-        uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1
+        uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0
        with:
          php-version: '8.1'
          extensions: ctype, curl, dom, fileinfo, gd, json, libxml, mbstring, openssl, pcntl, pdo, posix, session, simplexml, xml, xmlreader, xmlwriter, zip, zlib
--- a/.github/workflows/phpunit-mariadb.yml
+++ b/.github/workflows/phpunit-mariadb.yml
@ -23,6 +23,9 @@ concurrency:
 jobs:
  changes:
    runs-on: ubuntu-latest-low
+    permissions:
+      contents: read
+      pull-requests: read

    outputs:
      src: ${{ steps.changes.outputs.src}}
@ -88,10 +91,11 @@ jobs:
      - name: Checkout server
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1
+        uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0
        with:
          php-version: ${{ matrix.php-versions }}
          # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
@ -124,7 +128,7 @@ jobs:

      - name: Upload db code coverage
        if: ${{ !cancelled() && matrix.coverage }}
-        uses: codecov/codecov-action@v5.0.7
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          files: ./clover.db.xml
          flags: phpunit-mariadb
--- a/.github/workflows/phpunit-memcached.yml
+++ b/.github/workflows/phpunit-memcached.yml
@ -101,7 +101,7 @@ jobs:

      - name: Upload code coverage
        if: ${{ !cancelled() && matrix.coverage }}
-        uses: codecov/codecov-action@v5.0.7
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          files: ./clover.xml
          flags: phpunit-memcached
--- a/.github/workflows/phpunit-mysql-sharding.yml
+++ b/.github/workflows/phpunit-mysql-sharding.yml
@ -159,7 +159,7 @@ jobs:

      - name: Upload db code coverage
        if: ${{ !cancelled() && matrix.coverage }}
-        uses: codecov/codecov-action@v5.0.7
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          files: ./clover.db.xml
          flags: phpunit-mysql
--- a/.github/workflows/phpunit-mysql.yml
+++ b/.github/workflows/phpunit-mysql.yml
@ -23,6 +23,9 @@ concurrency:
 jobs:
  changes:
    runs-on: ubuntu-latest-low
+    permissions:
+      contents: read
+      pull-requests: read

    outputs:
      src: ${{ steps.changes.outputs.src }}
@ -86,12 +89,13 @@ jobs:

    steps:
      - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1
+        uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0
        with:
          php-version: ${{ matrix.php-versions }}
          # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
@ -124,7 +128,7 @@ jobs:

      - name: Upload db code coverage
        if: ${{ !cancelled() && matrix.coverage }}
-        uses: codecov/codecov-action@v5.0.7
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          files: ./clover.db.xml
          flags: phpunit-mysql
--- a/.github/workflows/phpunit-nodb.yml
+++ b/.github/workflows/phpunit-nodb.yml
@ -107,7 +107,7 @@ jobs:

      - name: Upload nodb code coverage
        if: ${{ !cancelled() && matrix.coverage }}
-        uses: codecov/codecov-action@v5.0.7
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          files: ./clover.nodb.xml
          flags: phpunit-nodb
--- a/.github/workflows/phpunit-oci.yml
+++ b/.github/workflows/phpunit-oci.yml
@ -23,6 +23,9 @@ concurrency:
 jobs:
  changes:
    runs-on: ubuntu-latest-low
+    permissions:
+      contents: read
+      pull-requests: read

    outputs:
      src: ${{ steps.changes.outputs.src }}
@ -100,10 +103,11 @@ jobs:
      - name: Checkout server
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1
+        uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0
        with:
          php-version: ${{ matrix.php-versions }}
          # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
@ -129,7 +133,7 @@ jobs:

      - name: Upload db code coverage
        if: ${{ !cancelled() && matrix.coverage }}
-        uses: codecov/codecov-action@v5.0.7
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          files: ./clover.db.xml
          flags: phpunit-oci
--- a/.github/workflows/phpunit-pgsql.yml
+++ b/.github/workflows/phpunit-pgsql.yml
@ -23,6 +23,9 @@ concurrency:
 jobs:
  changes:
    runs-on: ubuntu-latest-low
+    permissions:
+      contents: read
+      pull-requests: read

    outputs:
      src: ${{ steps.changes.outputs.src }}
@ -88,10 +91,11 @@ jobs:
      - name: Checkout server
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1
+        uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0
        with:
          php-version: ${{ matrix.php-versions }}
          # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
@ -119,7 +123,7 @@ jobs:

      - name: Upload db code coverage
        if: ${{ !cancelled() && matrix.coverage }}
-        uses: codecov/codecov-action@v5.0.7
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          files: ./clover.db.xml
          flags: phpunit-postgres
--- a/.github/workflows/phpunit-sqlite.yml
+++ b/.github/workflows/phpunit-sqlite.yml
@ -23,6 +23,9 @@ concurrency:
 jobs:
  changes:
    runs-on: ubuntu-latest-low
+    permissions:
+      contents: read
+      pull-requests: read

    outputs:
      src: ${{ steps.changes.outputs.src }}
@ -73,10 +76,11 @@ jobs:
      - name: Checkout server
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 #v2.31.1
+        uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0
        with:
          php-version: ${{ matrix.php-versions }}
          # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
@ -105,7 +109,7 @@ jobs:

      - name: Upload db code coverage
        if: ${{ !cancelled() && matrix.coverage }}
-        uses: codecov/codecov-action@v5.0.7
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          files: ./clover.db.xml
          flags: phpunit-sqlite
--- a/.github/workflows/pr-feedback.yml
+++ b/.github/workflows/pr-feedback.yml
@ -15,12 +15,17 @@ on:
  schedule:
    - cron: '30 1 * * *'

+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
  pr-feedback:
+    if: ${{ github.repository_owner == 'nextcloud' }}
    runs-on: ubuntu-latest
    steps:
      - name: The get-github-handles-from-website action
-        uses: marcelklehr/get-github-handles-from-website-action@a739600f6b91da4957f51db0792697afbb2f143c # v1.0.0
+        uses: marcelklehr/get-github-handles-from-website-action@06b2239db0a48fe1484ba0bfd966a3ab81a08308 # v1.0.1
        id: scrape
        with:
          website: 'https://nextcloud.com/team/'
@ -31,7 +36,7 @@ jobs:
          blocklist=$(curl https://raw.githubusercontent.com/nextcloud/.github/master/non-community-usernames.txt | paste -s -d, -)
          echo "blocklist=$blocklist" >> "$GITHUB_OUTPUT"

-      - uses: marcelklehr/pr-feedback-action@1883b38a033fb16f576875e0cf45f98b857655c4
+      - uses: nextcloud/pr-feedback-action@1883b38a033fb16f576875e0cf45f98b857655c4 # main
        with:
          feedback-message: |
            Hello there,
--- a/.github/workflows/reuse.yml
+++ b/.github/workflows/reuse.yml
@ -11,12 +11,17 @@ name: REUSE Compliance Check

 on: [pull_request]

+permissions:
+  contents: read
+
 jobs:
  reuse-compliance-check:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-low
    steps:
-    - name: Checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

-    - name: REUSE Compliance Check
-      uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5.0.0
+      - name: REUSE Compliance Check
+        uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5.0.0