From 089e4972f1d096018d672ff551513a701741f667 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Wed, 28 Jan 2026 11:58:56 +0100
Subject: [PATCH] ci(actions): Pin CI actions

Signed-off-by: Joas Schilling
---
 .github/workflows/block-merge-eol.yml         |  25 ++--
 .github/workflows/block-merge-freeze.yml      |  24 +++-
 .github/workflows/codespell.yml               |   9 +-
 .../workflows/generate_catalog_templates.yml  |  38 +++--
 .github/workflows/openapi.yml                 |   6 +-
 .github/workflows/pr-feedback.yml             |   8 +-
 .github/workflows/sphinxbuild.yml             | 134 ++++++++++-------
 .github/workflows/transifex.yml               |  33 +++--
 8 files changed, 176 insertions(+), 101 deletions(-)

diff --git a/.github/workflows/block-merge-eol.yml b/.github/workflows/block-merge-eol.yml
index 292494c72cd..3ea4d268d25 100644
--- a/.github/workflows/block-merge-eol.yml
+++ b/.github/workflows/block-merge-eol.yml
@@ -27,14 +27,23 @@ jobs:
     steps:
       - name: Set server major version environment
-        run: |
-          # retrieve version number from branch reference
-          server_major=$(echo "${{ github.base_ref }}" | sed -En 's/stable//p')
-          echo "server_major=$server_major" >> $GITHUB_ENV
-          echo "current_month=$(date +%Y-%m)" >> $GITHUB_ENV
-
-      - name: Checking if ${{ env.server_major }} is EOL
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            const regex = /^stable(\d+)$/
+            const baseRef = context.payload.pull_request.base.ref
+            const match = baseRef.match(regex)
+            if (match) {
+              console.log('Setting server_major to ' + match[1]);
+              core.exportVariable('server_major', match[1]);
+              console.log('Setting current_day to ' + (new Date()).toISOString().substr(0, 10));
+              core.exportVariable('current_day', (new Date()).toISOString().substr(0, 10));
+            }
+
+      - name: Checking if server ${{ env.server_major }} is EOL
+        if: ${{ env.server_major != '' }}
         run: |
           curl -s https://raw.githubusercontent.com/nextcloud-releases/updater_server/production/config/major_versions.json \
-            | jq '.["${{ env.server_major }}"]["eol"] // "9999-99" | . >= "${{ env.current_month }}"' \
+            | jq '.["${{ env.server_major }}"]["eol"] // "9999-99-99" | . >= "${{ env.current_day }}"' \
             | grep -q true
diff --git a/.github/workflows/block-merge-freeze.yml b/.github/workflows/block-merge-freeze.yml
index bbbe1ab0def..61660808334 100644
--- a/.github/workflows/block-merge-freeze.yml
+++ b/.github/workflows/block-merge-freeze.yml
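Review bot: The `jq` filter in the last step still builds its program by splicing `${{ env.server_major }}` and `${{ env.current_day }}` into the filter string; this is safe today only because the github-script step above constrains `server_major` to `\d+` through the regex, and a later loosening of that regex would silently turn the filter into an injection point. Since `core.exportVariable` writes to `GITHUB_ENV`, both values are ordinary shell variables in the next step, so pass them as jq arguments instead: `| jq --arg major "$server_major" --arg today "$current_day" '.[$major]["eol"] // "9999-99-99" | . >= $today' \`. `curl -s` without `-f` pipes an HTTP error body into jq and the failure then surfaces as a jq parse error; `curl -sSf` makes it explicit. The `github-token` input is passed but the script never touches the `github` client, so it can be dropped.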
@@ -29,11 +29,29 @@ jobs:
     steps:
       - name: Register server reference to fallback to master branch
-        run: |
-          server_ref="$(if [ '${{ github.base_ref }}' = 'main' ]; then echo -n 'master'; else echo -n '${{ github.base_ref }}'; fi)"
-          echo "server_ref=$server_ref" >> $GITHUB_ENV
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            const baseRef = context.payload.pull_request.base.ref
+            if (baseRef === 'main' || baseRef === 'master') {
+              core.exportVariable('server_ref', 'master');
+              console.log('Setting server_ref to master');
+            } else {
+              const regex = /^stable(\d+)$/
+              const match = baseRef.match(regex)
+              if (match) {
+                core.exportVariable('server_ref', match[0]);
+                console.log('Setting server_ref to ' + match[0]);
+              } else {
+                console.log('Not based on master/main/stable*, so skipping freeze check');
+              }
+            }
+
       - name: Download version.php from ${{ env.server_ref }}
+        if: ${{ env.server_ref != '' }}
         run: curl 'https://raw.githubusercontent.com/nextcloud/server/${{ env.server_ref }}/version.php' --output version.php
       - name: Run check
+        if: ${{ env.server_ref != '' }}
         run: cat version.php | grep 'OC_VersionString' | grep -i -v 'RC'
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index 0a22d144435..57ffa41996a 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
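Review bot: The `curl` in the Download step has no `--fail`, so when `server_ref` names a branch that does not exist on nextcloud/server the 404 body is written to `version.php` and the Run check step fails on a missing `OC_VersionString` with a misleading error rather than a clear download failure; use `run: curl -sSf 'https://raw.githubusercontent.com/nextcloud/server/${{ env.server_ref }}/version.php' --output version.php`. Interpolating `${{ env.server_ref }}` into the URL is acceptable only because the script above restricts it to `master` or `stable\d+`; reading it as `$server_ref` from the shell environment (the value lands in `GITHUB_ENV` via `exportVariable`) would remove the expression-in-shell pattern altogether. The `github-token` input is unused by the script and can be omitted.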
@@ -6,17 +6,20 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   codespell:
     name: Check spelling
     runs-on: self-hosted
     steps:
       - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Check spelling
-        uses: codespell-project/actions-codespell@406322ec52dd7b488e48c1c4b82e2a8b3a1bf630 # v2.1
+        uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2.2
         with:
-          skip: '**.svg'
+          skip: '**.svg,**.js'
diff --git a/.github/workflows/generate_catalog_templates.yml b/.github/workflows/generate_catalog_templates.yml
index afde24af2e2..561dda69f74 100644
--- a/.github/workflows/generate_catalog_templates.yml
+++ b/.github/workflows/generate_catalog_templates.yml
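Review bot: Adding `**.js` to `skip` on the last line changes what codespell checks and is unrelated to the commit subject "Pin CI actions"; someone bisecting a later spelling regression in JavaScript files will not find the cause under this title. Either split it into its own commit or state it in the commit message. The SHA pins and the new `permissions: contents: read` are appropriate for a read-only spellcheck job.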
@@ -8,34 +8,52 @@ on: - 'user_manual/**' - '!user_manual/locale/**' +permissions: + contents: read + jobs: user_manual: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - - uses: ammaraskar/sphinx-action@master + - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0 + with: + python-version: '3.13' + + - uses: ammaraskar/sphinx-action@54e52bfb642e9b60ea5b6bcb05fe3f74b40d290a # v8.2.3 with: docs-folder: "user_manual/" - pre-build-command: pip install -r requirements.txt - build-command: make gettext + pre-build-command: "pip install -r requirements.txt" + build-command: "make gettext" + + - name: Change file owner to correct user + run: | + ls -la user_manual/locale/source + sudo chown -R 1001:1001 user_manual/locale/source + ls -la user_manual/locale/source - - uses: peter-evans/create-pull-request@v7 + - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 id: cpr with: token: ${{ secrets.COMMAND_BOT_PAT }} - commit-message: "chore(l10n): Updates catalog templates (POT files fetched automatically by transifex)" - title: Updates catalog templates - branch: update-l10n + commit-message: 'chore(l10n): Updates catalog templates (POT files fetched automatically by transifex)' + committer: GitHub + author: nextcloud-command signoff: true + branch: 'automated/noid/update-l10n' + title: 'Updates catalog templates' - - uses: hmarr/auto-approve-action@v4.0.0 + - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0 if: steps.cpr.outputs.pull-request-operation == 'created' with: github-token: "${{ secrets.GITHUB_TOKEN }}" pull-request-number: ${{ steps.cpr.outputs.pull-request-number }} - - uses: pascalgn/automerge-action@v0.16.4 + - uses: 
pascalgn/automerge-action@7961b8b5eec56cc088c140b56d864285eabd3f67 # v0.16.4 if: steps.cpr.outputs.pull-request-operation == 'created' env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/openapi.yml b/.github/workflows/openapi.yml index ba05304966f..474ac014df6 100644 --- a/.github/workflows/openapi.yml +++ b/.github/workflows/openapi.yml @@ -15,12 +15,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - submodules: true + persist-credentials: false - name: Set up php - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2 + uses: shivammathur/setup-php@20529878ed81ef8e78ddf08b480401e6101a850f # v2 with: php-version: '8.1' # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation diff --git a/.github/workflows/pr-feedback.yml b/.github/workflows/pr-feedback.yml index cda7948067d..f4c0477ce71 100644 --- a/.github/workflows/pr-feedback.yml +++ b/.github/workflows/pr-feedback.yml @@ -15,6 +15,10 @@ on: schedule: - cron: '30 1 * * *' +permissions: + contents: read + pull-requests: write + jobs: pr-feedback: if: ${{ github.repository_owner == 'nextcloud' }} @@ -32,7 +36,7 @@ jobs: blocklist=$(curl https://raw.githubusercontent.com/nextcloud/.github/master/non-community-usernames.txt | paste -s -d, -) echo "blocklist=$blocklist" >> "$GITHUB_OUTPUT" - - uses: marcelklehr/pr-feedback-action@1883b38a033fb16f576875e0cf45f98b857655c4 + - uses: nextcloud/pr-feedback-action@f0cab224dea8e1f282f9451de322f323c78fc7a5 # main with: feedback-message: | Hello there, 
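Review bot: The workflow-level `permissions: contents: read` added at the top of this hunk reduces every unlisted scope to none, yet the job still runs `hmarr/auto-approve-action` and `pascalgn/automerge-action` with `secrets.GITHUB_TOKEN`, which need `pull-requests: write` (and the merge also `contents: write`); as written those two steps are expected to fail with 403 once the PR is created. transifex.yml in this same patch solves exactly this with a job-level override, so do the same under `user_manual:`: `permissions:` / `  contents: write` / `  pull-requests: write`. Separately, `actions/setup-python` is pinned here to `42375524… # v5.4.0` while sphinxbuild.yml pins `83679a89… # v6.1.0`; one release across the repository leaves one SHA to audit. The `sudo chown -R 1001:1001` step implies the sphinx-action container runs as root and leaves root-owned files in the workspace; a one-line comment such as `# sphinx-action runs as root in Docker; hand the generated POT files back to the runner user (uid 1001)` would spare the next reader the guess.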
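Review bot: The checkout step in openapi.yml replaces `submodules: true` with `persist-credentials: false` instead of adding the new key, so the job no longer checks out submodules; if anything the OpenAPI step reads lives in a submodule this breaks silently, and it is a behaviour change the commit message does not mention. Keep both keys under `with:`: `submodules: true` / `persist-credentials: false`. The `shivammathur/setup-php` pin is annotated only `# v2`, a floating major; recording the exact release tag the SHA corresponds to makes the pin auditable and lets Dependabot propose updates.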
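Review bot: `nextcloud/pr-feedback-action@f0cab224dea8e1f282f9451de322f323c78fc7a5 # main` pins a commit on a moving branch rather than a release; the SHA itself is immutable, so the integrity goal is met, but reviewers cannot check it against a tag and Dependabot has no version to propose. Cut a release tag in nextcloud/pr-feedback-action and annotate the pin with that tag instead of `# main`. Moving from the personal `marcelklehr/` fork to the `nextcloud/` organisation is itself a worthwhile supply-chain improvement.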
@@ -46,6 +50,6 @@ jobs: (If you believe you should not receive this message, you can add yourself to the [blocklist](https://github.com/nextcloud/.github/blob/master/non-community-usernames.txt).) days-before-feedback: 14 - start-date: '2024-04-30' + start-date: '2025-06-12' exempt-authors: '${{ steps.blocklist.outputs.blocklist }},${{ steps.scrape.outputs.users }}' exempt-bots: true diff --git a/.github/workflows/sphinxbuild.yml b/.github/workflows/sphinxbuild.yml index d895a49cb77..be919a129fb 100644 --- a/.github/workflows/sphinxbuild.yml +++ b/.github/workflows/sphinxbuild.yml @@ -1,4 +1,4 @@ -name: "Pull Request Docs Check" +name: "Build documentation" on: pull_request: 
@@ -7,75 +7,95 @@ on: - master - stable* +permissions: + contents: read + jobs: user_manual: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 - - uses: actions/setup-python@v5 - with: - python-version: '3.10' - - name: Install pip dependencies - run: pip install -r requirements.txt - - name: Build using Makefile - run: cd user_manual && make html - - name: Pack the results in local tar file - shell: bash - run: tar czf /tmp/documentation.tar.gz -C user_manual/_build/html . - - name: Upload static documentation - uses: actions/upload-artifact@v4.4.3 - with: - name: User manual.zip - path: "/tmp/documentation.tar.gz" + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + with: + python-version: '3.10' + cache: 'pip' + - name: Install pip dependencies + run: pip install -r requirements.txt + - name: Build using Makefile + run: cd user_manual && make html + - name: Pack the results in local tar file + shell: bash + run: tar czf /tmp/documentation.tar.gz -C user_manual/_build/html . 
+ - name: Upload static documentation + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: User manual.zip + path: "/tmp/documentation.tar.gz" user_manual-en: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 - - uses: actions/setup-python@v5 - with: - python-version: '3.10' - - name: Install pip dependencies - run: pip install -r requirements.txt - - name: Build using Makefile - run: cd user_manual && make html-lang-en + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + with: + python-version: '3.10' + cache: 'pip' + - name: Install pip dependencies + run: pip install -r requirements.txt + - name: Build using Makefile + run: cd user_manual && make html-lang-en developer_manual: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 - - uses: actions/setup-python@v5 - with: - python-version: '3.10' - - name: Install pip dependencies - run: pip install -r requirements.txt - - name: Build using Makefile - run: cd developer_manual && make html - - name: Pack the results in local tar file - shell: bash - run: tar czf /tmp/documentation.tar.gz -C developer_manual/_build/html/com . 
- - name: Upload static documentation - uses: actions/upload-artifact@v4.4.3 - with: - name: Developer manual.zip - path: "/tmp/documentation.tar.gz" + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + with: + python-version: '3.10' + cache: 'pip' + - name: Install pip dependencies + run: pip install -r requirements.txt + - name: Build using Makefile + run: cd developer_manual && make html + - name: Pack the results in local tar file + shell: bash + run: tar czf /tmp/documentation.tar.gz -C developer_manual/_build/html/com . + - name: Upload static documentation + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: Developer manual.zip + path: "/tmp/documentation.tar.gz" admin_manual: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 - - uses: actions/setup-python@v5 - with: - python-version: '3.10' - - name: Install pip dependencies - run: pip install -r requirements.txt - - name: Build using Makefile - run: cd admin_manual && make html - - name: Pack the results in local tar file - shell: bash - run: tar czf /tmp/documentation.tar.gz -C admin_manual/_build/html/com . 
- - name: Upload static documentation - uses: actions/upload-artifact@v4.4.3 - with: - name: Administration manual.zip - path: "/tmp/documentation.tar.gz" + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + with: + python-version: '3.10' + cache: 'pip' + - name: Install pip dependencies + run: pip install -r requirements.txt + - name: Build using Makefile + run: cd admin_manual && make html + - name: Pack the results in local tar file + shell: bash + run: tar czf /tmp/documentation.tar.gz -C admin_manual/_build/html/com . + - name: Upload static documentation + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: Administration manual.zip + path: "/tmp/documentation.tar.gz" diff --git a/.github/workflows/transifex.yml b/.github/workflows/transifex.yml index 4652f7ed178..92a57259264 100644 --- a/.github/workflows/transifex.yml +++ b/.github/workflows/transifex.yml 
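Review bot: Every action in this hunk is now SHA-pinned, but each job's `run: pip install -r requirements.txt` still resolves the Python toolchain unpinned at run time, so the exposure the commit closes for actions stays open for the docs build; if `requirements.txt` (not visible here) carries `--hash` entries, switch to `pip install --require-hashes -r requirements.txt`, otherwise generating hashed pins is the natural follow-up. The new `cache: 'pip'` on setup-python presumably keys the cache off the repository's requirements file, which matches where the install reads from; worth confirming in the action's docs if the cache ever serves stale packages. On style, the four jobs are now near-identical copies; a `strategy.matrix` with `include:` entries carrying the manual directory, make target and artifact name would collapse them and turn the next pin bump into a one-line change.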
@@ -2,25 +2,28 @@ name: AutoMerge Transifex Pull Requests
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   approve:
-    runs-on: ubuntu-latest
+    if: github.event.pull_request.user.login == 'transifex-integration[bot]'
+    runs-on: ubuntu-latest-low
+    permissions:
+      # for hmarr/auto-approve-action to approve PRs
+      pull-requests: write
+      # for alexwilson/enable-github-automerge-action to approve PRs
+      contents: write
+
     name: Approve
     steps:
-      - uses: hmarr/auto-approve-action@v4.0.0
-        if: github.actor == 'transifex-integration[bot]'
+      - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
-  automerge:
-    runs-on: ubuntu-latest
-    name: Auto-merge
-    needs: approve
-    steps:
-      - uses: pascalgn/automerge-action@v0.16.4
-        if: github.actor == 'transifex-integration[bot]'
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-          MERGE_LABELS: ""
-          MERGE_RETRIES: 10
-          MERGE_RETRY_SLEEP: 120000
+      # Enable GitHub auto merge
+      - name: Auto merge
+        uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # v2.0.0
+        if: startsWith(steps.branchname.outputs.branch, 'translations_')
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
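Review bot: The Auto merge step is gated on `startsWith(steps.branchname.outputs.branch, 'translations_')`, but no step in this job carries `id: branchname`, so the expression evaluates against an empty string, the condition is always false and auto-merge is never enabled while the approval still lands. Take the branch from the event instead: `if: startsWith(github.head_ref, 'translations_')`. Also confirm that `ubuntu-latest-low` is a runner label available to this repository; a job with an unknown label waits for a runner rather than failing fast. Gating the job on `github.event.pull_request.user.login` instead of `github.actor`, and granting `contents: write` only at job level, are both improvements over the removed version.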