diff --git a/.github/workflows/block-merge-eol.yml b/.github/workflows/block-merge-eol.yml index 292494c72cd..3ea4d268d25 100644 --- a/.github/workflows/block-merge-eol.yml +++ b/.github/workflows/block-merge-eol.yml @@ -27,14 +27,23 @@ jobs: steps: - name: Set server major version environment - run: | - # retrieve version number from branch reference - server_major=$(echo "${{ github.base_ref }}" | sed -En 's/stable//p') - echo "server_major=$server_major" >> $GITHUB_ENV - echo "current_month=$(date +%Y-%m)" >> $GITHUB_ENV - - - name: Checking if ${{ env.server_major }} is EOL + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const regex = /^stable(\d+)$/ + const baseRef = context.payload.pull_request.base.ref + const match = baseRef.match(regex) + if (match) { + console.log('Setting server_major to ' + match[1]); + core.exportVariable('server_major', match[1]); + console.log('Setting current_day to ' + (new Date()).toISOString().substr(0, 10)); + core.exportVariable('current_day', (new Date()).toISOString().substr(0, 10)); + } + + - name: Checking if server ${{ env.server_major }} is EOL + if: ${{ env.server_major != '' }} run: | curl -s https://raw.githubusercontent.com/nextcloud-releases/updater_server/production/config/major_versions.json \ - | jq '.["${{ env.server_major }}"]["eol"] // "9999-99" | . >= "${{ env.current_month }}"' \ + | jq '.["${{ env.server_major }}"]["eol"] // "9999-99-99" | . >= "${{ env.current_day }}"' \ | grep -q true diff --git a/.github/workflows/block-merge-freeze.yml b/.github/workflows/block-merge-freeze.yml index bbbe1ab0def..61660808334 100644 --- a/.github/workflows/block-merge-freeze.yml +++ b/.github/workflows/block-merge-freeze.yml 
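Review bot: In `block-merge-eol.yml` the jq step still splices `${{ env.server_major }}` and `${{ env.current_day }}` into the shell command text, so its safety rests entirely on the `^stable(\d+)$` match in the step before it. Both values are exported with `core.exportVariable`, so the step can read them from the environment instead: `| jq --arg v "$server_major" --arg d "$current_day" '.[$v]["eol"] // "9999-99-99" | . >= $d' \`. The `curl` step in `block-merge-freeze.yml` expands `${{ env.server_ref }}` the same way and could use `"${server_ref}"`. Separately, `>=` here is a string comparison, so it presumably needs the `eol` values in major_versions.json to be full `YYYY-MM-DD` dates; a `YYYY-MM` value would sort before every day of its own month. The job definition starts above this hunk.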
@@ -29,11 +29,29 @@ jobs: steps: - name: Register server reference to fallback to master branch - run: | - server_ref="$(if [ '${{ github.base_ref }}' = 'main' ]; then echo -n 'master'; else echo -n '${{ github.base_ref }}'; fi)" - echo "server_ref=$server_ref" >> $GITHUB_ENV + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const baseRef = context.payload.pull_request.base.ref + if (baseRef === 'main' || baseRef === 'master') { + core.exportVariable('server_ref', 'master'); + console.log('Setting server_ref to master'); + } else { + const regex = /^stable(\d+)$/ + const match = baseRef.match(regex) + if (match) { + core.exportVariable('server_ref', match[0]); + console.log('Setting server_ref to ' + match[0]); + } else { + console.log('Not based on master/main/stable*, so skipping freeze check'); + } + } + - name: Download version.php from ${{ env.server_ref }} + if: ${{ env.server_ref != '' }} run: curl 'https://raw.githubusercontent.com/nextcloud/server/${{ env.server_ref }}/version.php' --output version.php - name: Run check + if: ${{ env.server_ref != '' }} run: cat version.php | grep 'OC_VersionString' | grep -i -v 'RC' diff --git a/.github/workflows/check-occ-command.yml b/.github/workflows/check-occ-command.yml index fa8a5f30139..746b963f309 100644 --- a/.github/workflows/check-occ-command.yml +++ b/.github/workflows/check-occ-command.yml @@ -5,12 +5,18 @@ on: paths: - '**.rst' +permissions: + contents: read + jobs: check-occ-command: name: Check occ command syntax runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Run script run: | diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index 8fac098ec3e..57ffa41996a 100644 --- a/.github/workflows/codespell.yml 
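Review bot: In `block-merge-freeze.yml`, a pull request whose base is neither `main`/`master` nor `stable<N>` now leaves `server_ref` unset, so both later steps are skipped and the job succeeds without checking anything. If this job is a required status, that is a fail-open path, and the only trace is a `console.log` line in the step log. If skipping is intended, make it visible with `core.notice('Not based on master/main/stable*, skipping freeze check')`; if not, call `core.setFailed(...)` in that `else` branch. The download step would also benefit from `curl --fail`, so that an HTTP error stops the step instead of the error body being saved as version.php.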
+++ b/.github/workflows/codespell.yml @@ -6,17 +6,20 @@ on: branches: - master +permissions: + contents: read + jobs: codespell: name: Check spelling runs-on: self-hosted steps: - name: Check out code - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Check spelling - uses: codespell-project/actions-codespell@406322ec52dd7b488e48c1c4b82e2a8b3a1bf630 # v2.1 + uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2.2 with: skip: '**.svg,**.js' diff --git a/.github/workflows/generate_catalog_templates.yml b/.github/workflows/generate_catalog_templates.yml index 0b6e8f62ae3..561dda69f74 100644 --- a/.github/workflows/generate_catalog_templates.yml +++ b/.github/workflows/generate_catalog_templates.yml @@ -8,12 +8,15 @@ on: - 'user_manual/**' - '!user_manual/locale/**' +permissions: + contents: read + jobs: user_manual: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/openapi.yml b/.github/workflows/openapi.yml index 5f347b99252..474ac014df6 100644 --- a/.github/workflows/openapi.yml +++ b/.github/workflows/openapi.yml @@ -15,9 +15,9 @@ jobs: steps: - name: Checkout - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - submodules: true + persist-credentials: false - name: Set up php uses: shivammathur/setup-php@20529878ed81ef8e78ddf08b480401e6101a850f # v2 diff --git a/.github/workflows/pr-feedback.yml b/.github/workflows/pr-feedback.yml index cda7948067d..f4c0477ce71 100644 --- a/.github/workflows/pr-feedback.yml +++ b/.github/workflows/pr-feedback.yml 
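Review bot: The `codespell` job in `codespell.yml` keeps `runs-on: self-hosted` while the rest of the hunk tightens the token scope and pins actions. The trigger block is only partly visible here, but if this workflow runs on pull requests from forks, contributor-controlled content is processed on a machine the project operates, and a non-ephemeral runner can carry state from one job to the next. A spelling check needs nothing from that host, so `runs-on: ubuntu-latest` (as in `check-occ-command.yml`) would remove the exposure; otherwise the runner choice should be explained in a comment.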
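Review bot: In `openapi.yml` the checkout step loses `submodules: true` in the same edit that adds `persist-credentials: false`, so submodules are no longer fetched. If the later steps (outside this hunk) read anything from a submodule, the job will now run against an incomplete tree; if the removal is deliberate, it deserves a line in the commit message. Keeping both would be `submodules: true` followed by `persist-credentials: false` under `with:`. Unlike the neighbouring workflows, no top-level `permissions:` block is added here; it may already exist above line 15, which is worth confirming.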
@@ -15,6 +15,10 @@ on: schedule: - cron: '30 1 * * *' +permissions: + contents: read + pull-requests: write + jobs: pr-feedback: if: ${{ github.repository_owner == 'nextcloud' }} @@ -32,7 +36,7 @@ jobs: blocklist=$(curl https://raw.githubusercontent.com/nextcloud/.github/master/non-community-usernames.txt | paste -s -d, -) echo "blocklist=$blocklist" >> "$GITHUB_OUTPUT" - - uses: marcelklehr/pr-feedback-action@1883b38a033fb16f576875e0cf45f98b857655c4 + - uses: nextcloud/pr-feedback-action@f0cab224dea8e1f282f9451de322f323c78fc7a5 # main with: feedback-message: | Hello there, @@ -46,6 +50,6 @@ jobs: (If you believe you should not receive this message, you can add yourself to the [blocklist](https://github.com/nextcloud/.github/blob/master/non-community-usernames.txt).) days-before-feedback: 14 - start-date: '2024-04-30' + start-date: '2025-06-12' exempt-authors: '${{ steps.blocklist.outputs.blocklist }},${{ steps.scrape.outputs.users }}' exempt-bots: true diff --git a/.github/workflows/sphinxbuild.yml b/.github/workflows/sphinxbuild.yml index 3437b66f282..be919a129fb 100644 --- a/.github/workflows/sphinxbuild.yml +++ b/.github/workflows/sphinxbuild.yml 
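Review bot: In `pr-feedback.yml` the new pin `nextcloud/pr-feedback-action@f0cab224dea8e1f282f9451de322f323c78fc7a5` is annotated `# main`, i.e. a commit taken from a moving branch rather than a tagged release. The SHA does fix the code that runs, but a reviewer cannot map it to a version, and update tooling that relies on the version comment has nothing to compare against. Since this job now holds `pull-requests: write`, tagging a release in the action repository and pinning to that tag's commit with a `# vX.Y.Z` comment (placeholder) would make later bumps auditable.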
@@ -7,79 +7,95 @@ on: - master - stable* +permissions: + contents: read + jobs: user_manual: runs-on: ubuntu-latest steps: - - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 - - uses: actions/setup-python@v5 - with: - python-version: '3.10' - cache: 'pip' - - name: Install pip dependencies - run: pip install -r requirements.txt - - name: Build using Makefile - run: cd user_manual && make html - - name: Pack the results in local tar file - shell: bash - run: tar czf /tmp/documentation.tar.gz -C user_manual/_build/html . - - name: Upload static documentation - uses: actions/upload-artifact@v4.6.2 - with: - name: User manual.zip - path: "/tmp/documentation.tar.gz" + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + with: + python-version: '3.10' + cache: 'pip' + - name: Install pip dependencies + run: pip install -r requirements.txt + - name: Build using Makefile + run: cd user_manual && make html + - name: Pack the results in local tar file + shell: bash + run: tar czf /tmp/documentation.tar.gz -C user_manual/_build/html . 
+ - name: Upload static documentation + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: User manual.zip + path: "/tmp/documentation.tar.gz" user_manual-en: runs-on: ubuntu-latest steps: - - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 - - uses: actions/setup-python@v5 - with: - python-version: '3.10' - cache: 'pip' - - name: Install pip dependencies - run: pip install -r requirements.txt - - name: Build using Makefile - run: cd user_manual && make html-lang-en + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + with: + python-version: '3.10' + cache: 'pip' + - name: Install pip dependencies + run: pip install -r requirements.txt + - name: Build using Makefile + run: cd user_manual && make html-lang-en developer_manual: runs-on: ubuntu-latest steps: - - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 - - uses: actions/setup-python@v5 - with: - python-version: '3.10' - cache: 'pip' - - name: Install pip dependencies - run: pip install -r requirements.txt - - name: Build using Makefile - run: cd developer_manual && make html - - name: Pack the results in local tar file - shell: bash - run: tar czf /tmp/documentation.tar.gz -C developer_manual/_build/html/com . 
- - name: Upload static documentation - uses: actions/upload-artifact@v4.6.2 - with: - name: Developer manual.zip - path: "/tmp/documentation.tar.gz" + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + with: + python-version: '3.10' + cache: 'pip' + - name: Install pip dependencies + run: pip install -r requirements.txt + - name: Build using Makefile + run: cd developer_manual && make html + - name: Pack the results in local tar file + shell: bash + run: tar czf /tmp/documentation.tar.gz -C developer_manual/_build/html/com . + - name: Upload static documentation + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: Developer manual.zip + path: "/tmp/documentation.tar.gz" admin_manual: runs-on: ubuntu-latest steps: - - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 - - uses: actions/setup-python@v5 - with: - python-version: '3.10' - cache: 'pip' - - name: Install pip dependencies - run: pip install -r requirements.txt - - name: Build using Makefile - run: cd admin_manual && make html - - name: Pack the results in local tar file - shell: bash - run: tar czf /tmp/documentation.tar.gz -C admin_manual/_build/html/com . 
- - name: Upload static documentation - uses: actions/upload-artifact@v4.6.2 - with: - name: Administration manual.zip - path: "/tmp/documentation.tar.gz" + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + with: + python-version: '3.10' + cache: 'pip' + - name: Install pip dependencies + run: pip install -r requirements.txt + - name: Build using Makefile + run: cd admin_manual && make html + - name: Pack the results in local tar file + shell: bash + run: tar czf /tmp/documentation.tar.gz -C admin_manual/_build/html/com . + - name: Upload static documentation + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: Administration manual.zip + path: "/tmp/documentation.tar.gz" diff --git a/.github/workflows/transifex.yml b/.github/workflows/transifex.yml index 4652f7ed178..92a57259264 100644 --- a/.github/workflows/transifex.yml +++ b/.github/workflows/transifex.yml 
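Review bot: Every job in `sphinxbuild.yml` now pins its actions to commit SHAs, yet still runs `pip install -r requirements.txt` with no integrity requirement on the Python packages. requirements.txt is not part of this diff, so this is conditional: if it lists only names or version ranges, the build executes whatever the index serves at run time. Pinning exact versions with hashes and installing with `pip install --require-hashes -r requirements.txt` would bring the Python side to the same standard as the action pins.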
@@ -2,25 +2,28 @@ name: AutoMerge Transifex Pull Requests on: pull_request: +permissions: + contents: read + jobs: approve: - runs-on: ubuntu-latest + if: github.event.pull_request.user.login == 'transifex-integration[bot]' + runs-on: ubuntu-latest-low + permissions: + # for hmarr/auto-approve-action to approve PRs + pull-requests: write + # for alexwilson/enable-github-automerge-action to approve PRs + contents: write + name: Approve steps: - - uses: hmarr/auto-approve-action@v4.0.0 - if: github.actor == 'transifex-integration[bot]' + - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0 with: github-token: "${{ secrets.GITHUB_TOKEN }}" - automerge: - runs-on: ubuntu-latest - name: Auto-merge - needs: approve - steps: - - uses: pascalgn/automerge-action@v0.16.4 - if: github.actor == 'transifex-integration[bot]' - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - MERGE_LABELS: "" - MERGE_RETRIES: 10 - MERGE_RETRY_SLEEP: 120000 + # Enable GitHub auto merge + - name: Auto merge + uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # v2.0.0 + if: startsWith(steps.branchname.outputs.branch, 'translations_') + with: + github-token: ${{ secrets.GITHUB_TOKEN }}
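Review bot: In `transifex.yml` the new `Auto merge` step is gated on `startsWith(steps.branchname.outputs.branch, 'translations_')`, but no step with `id: branchname` appears in the job as shown in this hunk. A reference to a missing step evaluates to an empty value, so the condition would be false and auto-merge would never be enabled. The branch name is available directly: `if: startsWith(github.head_ref, 'translations_')`; putting that test on the job-level `if:` next to the author check would also stop the approve step from running for bot PRs on other branches. The comment above `contents: write` says "to approve PRs" and should read "to enable auto-merge".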