diff --git a/.github/workflows/lint-yaml.yml b/.github/workflows/lint-yaml.yml
index 3130fa19..aea22c57 100644
--- a/.github/workflows/lint-yaml.yml
+++ b/.github/workflows/lint-yaml.yml
@@ -32,11 +32,18 @@ jobs:
 config_data: |
 line-length: warning
- - name: Install the latest version of uv
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
-
- - name: Check GitHub actions
- run: uvx zizmor --min-severity medium .github/workflows/*.yml
+ - name: Run zizmor 🌈 on actions
+ uses: zizmorcore/zizmor-action@b572f7b1a1c2d41efaab43d504f68d215c3cd727 # v0.5.4
+ with:
+ inputs: '.github/workflows/*.yml'
+ advanced-security: false
+ annotations: true
+ min-severity: 'medium'
- - name: Check GitHub workflow-templates
- run: uvx zizmor --min-severity medium workflow-templates/*.yml
+ - name: Run zizmor 🌈 on workflow-templates
+ uses: zizmorcore/zizmor-action@b572f7b1a1c2d41efaab43d504f68d215c3cd727 # v0.5.4
+ with:
+ inputs: 'workflow-templates/*.yml'
+ advanced-security: false
+ annotations: true
+ min-severity: 'medium'
diff --git a/workflow-templates/appstore-build-publish.yml b/workflow-templates/appstore-build-publish.yml
index 8432af67..cda93815 100644
--- a/workflow-templates/appstore-build-publish.yml
+++ b/workflow-templates/appstore-build-publish.yml
@@ -74,6 +74,7 @@ jobs:
 uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: ${{ steps.versions.outputs.nodeVersion }}
+ package-manager-cache: false
 - name: Set up npm ${{ steps.versions.outputs.npmVersion }}
 # Skip if no package.json
@@ -87,7 +88,7 @@ jobs:
 filename: ${{ env.APP_NAME }}/appinfo/info.xml
 - name: Set up php ${{ steps.php-versions.outputs.php-min }}
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+ uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
 with:
 php-version: ${{ steps.php-versions.outputs.php-min }}
 coverage: none
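Review bot: In `.github/workflows/lint-yaml.yml`, both new `zizmorcore/zizmor-action` steps pin the wrapper action by commit hash but say nothing about which zizmor release the wrapper runs. If the action resolves the tool at run time (worth confirming in its documentation), findings can still change without a commit in this repository; setting the action's `version` input to a fixed release in both steps would close that gap. The `inputs` globs also match only `*.yml`, so a workflow saved with a `.yaml` extension would not be audited. A short comment above `advanced-security: false`, for example `# Findings go to the job log and annotations, not to code scanning`, would document the chosen reporting mode. The job definition starts above the hunk.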
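Review bot: In `workflow-templates/appstore-build-publish.yml` (hunk at `-74,6 +74,7`), the added `package-manager-cache: false` on `actions/setup-node` has no comment explaining why caching is turned off. This template builds and attaches a release tarball, so the line is presumably there to keep a restored dependency cache out of a published artifact, and without a comment it is easy to revert later as a speed-up. I would add `# No dependency cache here: a restored cache would be an unreviewed input to the release build` directly above it. The same line is added in `workflow-templates/documentation.yml` and would take the same comment; the step itself starts above the hunk.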
@@ -181,7 +182,7 @@ jobs:
 tar -zcvf ${{ env.APP_NAME }}.tar.gz ${{ env.APP_NAME }}
 - name: Attach tarball to github release
- uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2.11.5
+ uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # 2.11.5
 id: attach_to_release
 with:
 repo_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/workflow-templates/command-compile.yml b/workflow-templates/command-compile.yml
index 487ec681..695803d3 100644
--- a/workflow-templates/command-compile.yml
+++ b/workflow-templates/command-compile.yml
@@ -52,7 +52,7 @@ jobs:
 exit 1
 - name: Check actor permission
- uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v2
+ uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v3.0
 with:
 require: write
@@ -65,7 +65,7 @@ jobs:
 reactions: '+1'
 - name: Parse command
- uses: skjnldsv/parse-command-comment@5c955203c52424151e6d0e58fb9de8a9f6a605a1 # v2
+ uses: skjnldsv/parse-command-comment@5c955203c52424151e6d0e58fb9de8a9f6a605a1 # v3.1
 id: command
 # Init path depending on which command is run
diff --git a/workflow-templates/command-openapi.yml b/workflow-templates/command-openapi.yml
index 82ee6559..44ab38cb 100644
--- a/workflow-templates/command-openapi.yml
+++ b/workflow-templates/command-openapi.yml
@@ -52,7 +52,7 @@ jobs:
 exit 1
 - name: Check actor permission
- uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v2
+ uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v3.0
 with:
 require: write
@@ -65,7 +65,7 @@ jobs:
 reactions: '+1'
 - name: Parse command
- uses: skjnldsv/parse-command-comment@5c955203c52424151e6d0e58fb9de8a9f6a605a1 # v2
+ uses: skjnldsv/parse-command-comment@5c955203c52424151e6d0e58fb9de8a9f6a605a1 # v3.1
 id: command
 # Init path depending on which command is run
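Review bot: In `workflow-templates/command-compile.yml`, the comments on `skjnldsv/check-actor-permission` and `skjnldsv/parse-command-comment` jump from `# v2` to `# v3.0` and `# v3.1`, yet the pinned commit hashes are identical on both sides. The code that runs is therefore unchanged and only the label moves. Since the first action is the gate behind `require: write`, the commit message should state that the hashes were checked against the upstream tags; an update bot that trusts the comment will otherwise treat these pins as already on v3. The same relabelling appears in `workflow-templates/command-openapi.yml` and in the `require: admin` step of `workflow-templates/documentation.yml`.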
diff --git a/workflow-templates/dependabot-approve-merge.yml b/workflow-templates/dependabot-approve-merge.yml
index 71261f46..14bbd547 100644
--- a/workflow-templates/dependabot-approve-merge.yml
+++ b/workflow-templates/dependabot-approve-merge.yml
@@ -52,7 +52,7 @@ jobs:
 # Enable GitHub auto merge
 - name: Auto merge
- uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # v2.0.0
+ uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # 2.0.0
 if: startsWith(steps.branchname.outputs.branch, 'dependabot/') && (github.event.pull_request.action == 'opened' || github.event.pull_request.action == 'reopened')
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/workflow-templates/documentation.yml b/workflow-templates/documentation.yml
index 27cd12a6..be030711 100644
--- a/workflow-templates/documentation.yml
+++ b/workflow-templates/documentation.yml
@@ -25,7 +25,7 @@ jobs:
 - name: Check actor permission level
 # Only allow admin to deploy on release
 if: github.event.release
- uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v2
+ uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v3.0
 with:
 require: admin
@@ -45,6 +45,7 @@ jobs:
 uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: ${{ steps.versions.outputs.nodeVersion }}
+ package-manager-cache: false
 - name: Set up npm ${{ steps.versions.outputs.npmVersion }}
 run: npm i -g 'npm@${{ steps.versions.outputs.npmVersion }}'
diff --git a/workflow-templates/lint-php-cs.yml b/workflow-templates/lint-php-cs.yml
index da402086..57f7a2b1 100644
--- a/workflow-templates/lint-php-cs.yml
+++ b/workflow-templates/lint-php-cs.yml
@@ -34,7 +34,7 @@ jobs:
 uses: icewind1991/nextcloud-version-matrix@8a7bac6300b2f0f3100088b297995a229558ddba # v1.3.2
 - name: Set up php${{ steps.versions.outputs.php-min }}
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+ uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
 with:
 php-version: ${{ steps.versions.outputs.php-min }}
 extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite
diff --git a/workflow-templates/lint-php.yml b/workflow-templates/lint-php.yml
index d1eafea6..47e4dc4f 100644
--- a/workflow-templates/lint-php.yml
+++ b/workflow-templates/lint-php.yml
@@ -49,7 +49,7 @@ jobs:
 persist-credentials: false
 - name: Set up php ${{ matrix.php-versions }}
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+ uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
 with:
 php-version: ${{ matrix.php-versions }}
 extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite
diff --git a/workflow-templates/openapi.yml b/workflow-templates/openapi.yml
index d0f34915..f97254c6 100644
--- a/workflow-templates/openapi.yml
+++ b/workflow-templates/openapi.yml
@@ -35,7 +35,7 @@ jobs:
 uses: icewind1991/nextcloud-version-matrix@8a7bac6300b2f0f3100088b297995a229558ddba # v1.3.2
 - name: Set up php
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+ uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
 with:
 php-version: ${{ steps.php_versions.outputs.php-available }}
 extensions: xml
diff --git a/workflow-templates/phpstan.yml b/workflow-templates/phpstan.yml
index cba8d41b..74d3f667 100644
--- a/workflow-templates/phpstan.yml
+++ b/workflow-templates/phpstan.yml
@@ -36,7 +36,7 @@ jobs:
 run: "grep 'min: ${{ steps.versions.outputs.php-min-id }}' phpstan.neon"
 - name: Set up php${{ steps.versions.outputs.php-available }}
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+ uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
 with:
 php-version: ${{ steps.versions.outputs.php-available }}
 extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite
diff --git a/workflow-templates/phpunit-mariadb.yml b/workflow-templates/phpunit-mariadb.yml
index 3a2389b5..aa875001 100644
--- a/workflow-templates/phpunit-mariadb.yml
+++ b/workflow-templates/phpunit-mariadb.yml
@@ -105,7 +105,7 @@ jobs:
 path: apps/${{ env.APP_NAME }}
 - name: Set up php ${{ matrix.php-versions }}
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+ uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
 with:
 php-version: ${{ matrix.php-versions }}
 # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
diff --git a/workflow-templates/phpunit-mysql.yml b/workflow-templates/phpunit-mysql.yml
index e0216816..2802c4ce 100644
--- a/workflow-templates/phpunit-mysql.yml
+++ b/workflow-templates/phpunit-mysql.yml
@@ -103,7 +103,7 @@ jobs:
 path: apps/${{ env.APP_NAME }}
 - name: Set up php ${{ matrix.php-versions }}
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+ uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
 with:
 php-version: ${{ matrix.php-versions }}
 # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
diff --git a/workflow-templates/phpunit-oci.yml b/workflow-templates/phpunit-oci.yml
index 53553826..9a2ac512 100644
--- a/workflow-templates/phpunit-oci.yml
+++ b/workflow-templates/phpunit-oci.yml
@@ -115,7 +115,7 @@ jobs:
 path: apps/${{ env.APP_NAME }}
 - name: Set up php ${{ matrix.php-versions }}
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+ uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
 with:
 php-version: ${{ matrix.php-versions }}
 # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
diff --git a/workflow-templates/phpunit-pgsql.yml b/workflow-templates/phpunit-pgsql.yml
index 4592e625..89461296 100644
--- a/workflow-templates/phpunit-pgsql.yml
+++ b/workflow-templates/phpunit-pgsql.yml
@@ -106,7 +106,7 @@ jobs:
 path: apps/${{ env.APP_NAME }}
 - name: Set up php ${{ matrix.php-versions }}
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+ uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
 with:
 php-version: ${{ matrix.php-versions }}
 # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
diff --git a/workflow-templates/phpunit-sqlite.yml b/workflow-templates/phpunit-sqlite.yml
index e2e299ab..b35556a0 100644
--- a/workflow-templates/phpunit-sqlite.yml
+++ b/workflow-templates/phpunit-sqlite.yml
@@ -95,7 +95,7 @@ jobs:
 path: apps/${{ env.APP_NAME }}
 - name: Set up php ${{ matrix.php-versions }}
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+ uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
 with:
 php-version: ${{ matrix.php-versions }}
 # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
diff --git a/workflow-templates/psalm-matrix.yml b/workflow-templates/psalm-matrix.yml
index dc0105ca..e786c3bf 100644
--- a/workflow-templates/psalm-matrix.yml
+++ b/workflow-templates/psalm-matrix.yml
@@ -52,7 +52,7 @@ jobs:
 persist-credentials: false
 - name: Set up php${{ needs.matrix.outputs.php-min }}
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+ uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
 with:
 php-version: ${{ needs.matrix.outputs.php-min }}
 extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite
diff --git a/workflow-templates/psalm.yml b/workflow-templates/psalm.yml
index 4d4a4ec4..1784f416 100644
--- a/workflow-templates/psalm.yml
+++ b/workflow-templates/psalm.yml
@@ -36,7 +36,7 @@ jobs:
 run: grep 'phpVersion="${{ steps.versions.outputs.php-min }}' psalm.xml
 - name: Set up php${{ steps.versions.outputs.php-available }}
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+ uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
 with:
 php-version: ${{ steps.versions.outputs.php-available }}
 extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite
diff --git a/workflow-templates/rector-apply.yml b/workflow-templates/rector-apply.yml
index e356a7a5..87c00e4a 100644
--- a/workflow-templates/rector-apply.yml
+++ b/workflow-templates/rector-apply.yml
@@ -36,7 +36,7 @@ jobs:
 uses: icewind1991/nextcloud-version-matrix@8a7bac6300b2f0f3100088b297995a229558ddba # v1.3.2
 - name: Set up php${{ steps.versions.outputs.php-min }}
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+ uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
 with:
 php-version: ${{ steps.versions.outputs.php-min }}
 extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite
diff --git a/workflow-templates/renovate-approve-merge.yml b/workflow-templates/renovate-approve-merge.yml
index decbabf2..e7cf2421 100644
--- a/workflow-templates/renovate-approve-merge.yml
+++ b/workflow-templates/renovate-approve-merge.yml
@@ -52,7 +52,7 @@ jobs:
 # Enable GitHub auto merge
 - name: Auto merge
- uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # v2.0.0
+ uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # 2.0.0
 if: startsWith(steps.branchname.outputs.branch, 'renovate/') && (github.event.pull_request.action == 'opened' || github.event.pull_request.action == 'reopened')
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/workflow-templates/update-nextcloud-ocp-approve-merge.yml b/workflow-templates/update-nextcloud-ocp-approve-merge.yml
index dfe0ef4e..c036bfc4 100644
--- a/workflow-templates/update-nextcloud-ocp-approve-merge.yml
+++ b/workflow-templates/update-nextcloud-ocp-approve-merge.yml
@@ -52,7 +52,7 @@ jobs:
 # Enable GitHub auto merge
 - name: Auto merge
- uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # v2.0.0
+ uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # 2.0.0
 if: startsWith(steps.branchname.outputs.branch, 'automated/noid/') && endsWith(steps.branchname.outputs.branch, 'update-nextcloud-ocp')
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/workflow-templates/update-nextcloud-ocp-matrix.yml b/workflow-templates/update-nextcloud-ocp-matrix.yml
index b8950bf9..07254e40 100644
--- a/workflow-templates/update-nextcloud-ocp-matrix.yml
+++ b/workflow-templates/update-nextcloud-ocp-matrix.yml
@@ -41,7 +41,7 @@ jobs:
 uses: icewind1991/nextcloud-version-matrix@8a7bac6300b2f0f3100088b297995a229558ddba # v1.3.2
 - name: Set up php8.2
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+ uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
 with:
 php-version: 8.2
 # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
diff --git a/workflow-templates/update-nextcloud-ocp.yml b/workflow-templates/update-nextcloud-ocp.yml
index 6e00570e..3aa06d41 100644
--- a/workflow-templates/update-nextcloud-ocp.yml
+++ b/workflow-templates/update-nextcloud-ocp.yml
@@ -43,7 +43,7 @@ jobs:
 - name: Set up php8.2
 if: steps.checkout.outcome == 'success'
- uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+ uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
 with:
 php-version: 8.2
 # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation