diff --git a/.github/workflows/appstore-build-publish.yml b/.github/workflows/appstore-build-publish.yml index 3eaf3c8..316ba14 100644 --- a/.github/workflows/appstore-build-publish.yml +++ b/.github/workflows/appstore-build-publish.yml @@ -12,6 +12,9 @@ on: release: types: [published] +permissions: + contents: write + jobs: build_and_publish: runs-on: ubuntu-latest diff --git a/.github/workflows/dependabot-approve-merge.yml b/.github/workflows/dependabot-approve-merge.yml index ff4417a..583fd48 100644 --- a/.github/workflows/dependabot-approve-merge.yml +++ b/.github/workflows/dependabot-approve-merge.yml @@ -9,7 +9,7 @@ name: Dependabot on: - pull_request_target: # zizmor: ignore[dangerous-triggers] + pull_request: branches: - main - master @@ -24,7 +24,7 @@ concurrency: jobs: auto-approve-merge: - if: github.actor == 'dependabot[bot]' || github.actor == 'renovate[bot]' + if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'renovate[bot]' runs-on: ubuntu-latest-low permissions: # for hmarr/auto-approve-action to approve PRs diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index c75405d..6787cff 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -10,6 +10,9 @@ on: - master - stable* +permissions: + contents: read + env: APP_NAME: files_accesscontrol @@ -54,8 +57,9 @@ jobs: steps: - name: Checkout server - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false repository: nextcloud/server ref: ${{ matrix.server-versions }} @@ -68,8 +72,9 @@ jobs: cd build/integration && composer require --dev phpunit/phpunit:~9 - name: Checkout app - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false path: apps/${{ env.APP_NAME }} - name: Set up php ${{ matrix.php-versions }} diff --git a/.github/workflows/phpunit-mariadb.yml b/.github/workflows/phpunit-mariadb.yml index bd5d442..014ce78 100644 --- a/.github/workflows/phpunit-mariadb.yml +++ b/.github/workflows/phpunit-mariadb.yml @@ -70,7 +70,7 @@ jobs: matrix: php-versions: ${{ fromJson(needs.matrix.outputs.php-version) }} server-versions: ${{ fromJson(needs.matrix.outputs.server-max) }} - mariadb-versions: ['10.6', '10.11'] + mariadb-versions: ['10.6', '11.4'] name: MariaDB ${{ matrix.mariadb-versions }} PHP ${{ matrix.php-versions }} Nextcloud ${{ matrix.server-versions }} @@ -80,8 +80,8 @@ jobs: ports: - 4444:3306/tcp env: - MYSQL_ROOT_PASSWORD: rootpassword - options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 5 + MARIADB_ROOT_PASSWORD: rootpassword + options: --health-cmd="mariadb-admin ping" --health-interval 5s --health-timeout 2s --health-retries 5 steps: - name: Set app env diff --git a/.github/workflows/pr-feedback.yml b/.github/workflows/pr-feedback.yml index cda7948..7d49669 100644 --- a/.github/workflows/pr-feedback.yml +++ b/.github/workflows/pr-feedback.yml @@ -15,6 +15,10 @@ on: schedule: - cron: '30 1 * * *' +permissions: + contents: read + pull-requests: write + jobs: pr-feedback: if: ${{ github.repository_owner == 'nextcloud' }} diff --git a/.github/workflows/psalm.yml b/.github/workflows/psalm.yml index c2d2e86..452186e 100644 --- a/.github/workflows/psalm.yml +++ b/.github/workflows/psalm.yml @@ -14,6 +14,9 @@ concurrency: group: psalm-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: + contents: read + jobs: static-analysis: runs-on: ubuntu-latest diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml index b682855..0d8e196 100644 --- a/.github/workflows/reuse.yml +++ b/.github/workflows/reuse.yml @@ -11,6 +11,9 @@ name: REUSE Compliance Check on: [pull_request] +permissions: + contents: read + jobs: reuse-compliance-check: runs-on: ubuntu-latest diff --git a/.github/workflows/update-nextcloud-ocp.yml b/.github/workflows/update-nextcloud-ocp.yml index 08e5b5e..5592f61 100644 --- a/.github/workflows/update-nextcloud-ocp.yml +++ b/.github/workflows/update-nextcloud-ocp.yml @@ -13,6 +13,9 @@ on: schedule: - cron: "5 2 * * 0" +permissions: + contents: read + jobs: update-nextcloud-ocp: runs-on: ubuntu-latest