ci(actions): Pin CI actions

nickvergessen · nickvergessen · commit 8682e5fe0ec7 · 2026-01-28T11:58:56.000+01:00
Signed-off-by: Joas Schilling &lt;coding@schilljs.com&gt;
diff --git a/.github/workflows/block-merge-eol.yml b/.github/workflows/block-merge-eol.yml
@@ -27,14 +27,23 @@ jobs:
 
     steps:
       - name: Set server major version environment
-        run: |
-          # retrieve version number from branch reference
-          server_major=$(echo "${{ github.base_ref }}" | sed -En 's/stable//p')
-          echo "server_major=$server_major" >> $GITHUB_ENV
-          echo "current_month=$(date +%Y-%m)" >> $GITHUB_ENV
-
-      - name: Checking if ${{ env.server_major }} is EOL
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            const regex = /^stable(\d+)$/
+            const baseRef = context.payload.pull_request.base.ref
+            const match = baseRef.match(regex)
+            if (match) {
+              console.log('Setting server_major to ' + match[1]);
+              core.exportVariable('server_major', match[1]);
+              console.log('Setting current_day to ' + (new Date()).toISOString().substr(0, 10));
+              core.exportVariable('current_day', (new Date()).toISOString().substr(0, 10));
+            }
+
+      - name: Checking if server ${{ env.server_major }} is EOL
+        if: ${{ env.server_major != '' }}
         run: |
           curl -s https://raw.githubusercontent.com/nextcloud-releases/updater_server/production/config/major_versions.json \
-            | jq '.["${{ env.server_major }}"]["eol"] // "9999-99" | . >= "${{ env.current_month }}"' \
+            | jq '.["${{ env.server_major }}"]["eol"] // "9999-99-99" | . >= "${{ env.current_day }}"' \
             | grep -q true
diff --git a/.github/workflows/block-merge-freeze.yml b/.github/workflows/block-merge-freeze.yml
@@ -29,11 +29,29 @@ jobs:
 
     steps:
       - name: Register server reference to fallback to master branch
-        run: |
-          server_ref="$(if [ '${{ github.base_ref }}' = 'main' ]; then echo -n 'master'; else echo -n '${{ github.base_ref }}'; fi)"
-          echo "server_ref=$server_ref" >> $GITHUB_ENV
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            const baseRef = context.payload.pull_request.base.ref
+            if (baseRef === 'main' || baseRef === 'master') {
+              core.exportVariable('server_ref', 'master');
+              console.log('Setting server_ref to master');
+            } else {
+              const regex = /^stable(\d+)$/
+              const match = baseRef.match(regex)
+              if (match) {
+                core.exportVariable('server_ref', match[0]);
+                console.log('Setting server_ref to ' + match[0]);
+              } else {
+                console.log('Not based on master/main/stable*, so skipping freeze check');
+              }
+            }
+
       - name: Download version.php from ${{ env.server_ref }}
+        if: ${{ env.server_ref != '' }}
         run: curl 'https://raw.githubusercontent.com/nextcloud/server/${{ env.server_ref }}/version.php' --output version.php
 
       - name: Run check
+        if: ${{ env.server_ref != '' }}
         run: cat version.php | grep 'OC_VersionString' | grep -i -v 'RC'
diff --git a/.github/workflows/check-occ-command.yml b/.github/workflows/check-occ-command.yml
@@ -5,12 +5,18 @@ on:
     paths:
       - '**.rst'
 
+permissions:
+  contents: read
+
 jobs:
   check-occ-command:
     name: Check occ command syntax
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6.0.2
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Run script
         run: |
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
@@ -6,13 +6,16 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   codespell:
     name: Check spelling
     runs-on: self-hosted
     steps:
       - name: Check out code
-        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
diff --git a/.github/workflows/generate_catalog_templates.yml b/.github/workflows/generate_catalog_templates.yml
@@ -8,12 +8,15 @@ on:
       - 'user_manual/**'
       - '!user_manual/locale/**'
 
+permissions:
+  contents: read
+
 jobs:
   user_manual:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
diff --git a/.github/workflows/openapi.yml b/.github/workflows/openapi.yml
@@ -15,12 +15,12 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          submodules: true
+          persist-credentials: false
 
       - name: Set up php
-        uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2
+        uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2.36.0
         with:
           php-version: '8.1'
           # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
diff --git a/.github/workflows/pr-feedback.yml b/.github/workflows/pr-feedback.yml
@@ -15,6 +15,10 @@ on:
   schedule:
     - cron: '30 1 * * *'
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   pr-feedback:
     if: ${{ github.repository_owner == 'nextcloud' }}
@@ -32,7 +36,7 @@ jobs:
           blocklist=$(curl https://raw.githubusercontent.com/nextcloud/.github/master/non-community-usernames.txt | paste -s -d, -)
           echo "blocklist=$blocklist" >> "$GITHUB_OUTPUT"
 
-      - uses: marcelklehr/pr-feedback-action@1883b38a033fb16f576875e0cf45f98b857655c4
+      - uses: nextcloud/pr-feedback-action@f0cab224dea8e1f282f9451de322f323c78fc7a5 # main
         with:
           feedback-message: |
             Hello there,
@@ -46,6 +50,6 @@ jobs:
 
             (If you believe you should not receive this message, you can add yourself to the [blocklist](https://github.com/nextcloud/.github/blob/master/non-community-usernames.txt).)
           days-before-feedback: 14
-          start-date: '2024-04-30'
+          start-date: '2025-06-12'
           exempt-authors: '${{ steps.blocklist.outputs.blocklist }},${{ steps.scrape.outputs.users }}'
           exempt-bots: true
diff --git a/.github/workflows/sphinxbuild.yml b/.github/workflows/sphinxbuild.yml
@@ -7,12 +7,19 @@ on:
       - master
       - stable*
 
+permissions:
+  contents: read
+
 jobs:
   user_manual:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.1
-    - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6
+    - name: Checkout
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
+
+    - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
       with:
         python-version: '3.12'
         cache: 'pip'
@@ -32,54 +39,66 @@ jobs:
   user_manual-en:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.1
-    - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6
-      with:
-        python-version: '3.12'
-        cache: 'pip'
-    - name: Install pip dependencies
-      run: pip install -r requirements.txt
-    - name: Build using Makefile
-      run: cd user_manual && make html-lang-en
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        with:
+          python-version: '3.12'
+          cache: 'pip'
+      - name: Install pip dependencies
+        run: pip install -r requirements.txt
+      - name: Build using Makefile
+        run: cd user_manual && make html-lang-en
 
   developer_manual:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.1
-    - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6
-      with:
-        python-version: '3.12'
-        cache: 'pip'
-    - name: Install pip dependencies
-      run: pip install -r requirements.txt
-    - name: Build using Makefile
-      run: cd developer_manual && make html
-    - name: Pack the results in local tar file
-      shell: bash
-      run: tar czf /tmp/documentation.tar.gz -C developer_manual/_build/html/com .
-    - name: Upload static documentation
-      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-      with:
-        name: Developer manual.zip
-        path: "/tmp/documentation.tar.gz"
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        with:
+          python-version: '3.12'
+          cache: 'pip'
+      - name: Install pip dependencies
+        run: pip install -r requirements.txt
+      - name: Build using Makefile
+        run: cd developer_manual && make html
+      - name: Pack the results in local tar file
+        shell: bash
+        run: tar czf /tmp/documentation.tar.gz -C developer_manual/_build/html/com .
+      - name: Upload static documentation
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: Developer manual.zip
+          path: "/tmp/documentation.tar.gz"
 
   admin_manual:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.1
-    - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6
-      with:
-        python-version: '3.12'
-        cache: 'pip'
-    - name: Install pip dependencies
-      run: pip install -r requirements.txt
-    - name: Build using Makefile
-      run: cd admin_manual && make html
-    - name: Pack the results in local tar file
-      shell: bash
-      run: tar czf /tmp/documentation.tar.gz -C admin_manual/_build/html/com .
-    - name: Upload static documentation
-      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-      with:
-        name: Administration manual.zip
-        path: "/tmp/documentation.tar.gz"
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        with:
+          python-version: '3.12'
+          cache: 'pip'
+      - name: Install pip dependencies
+        run: pip install -r requirements.txt
+      - name: Build using Makefile
+        run: cd admin_manual && make html
+      - name: Pack the results in local tar file
+        shell: bash
+        run: tar czf /tmp/documentation.tar.gz -C admin_manual/_build/html/com .
+      - name: Upload static documentation
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: Administration manual.zip
+          path: "/tmp/documentation.tar.gz"
diff --git a/.github/workflows/transifex.yml b/.github/workflows/transifex.yml
@@ -2,25 +2,28 @@ name: AutoMerge Transifex Pull Requests
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   approve:
-    runs-on: ubuntu-latest
+    if: github.event.pull_request.user.login == 'transifex-integration[bot]'
+    runs-on: ubuntu-latest-low
+    permissions:
+      # for hmarr/auto-approve-action to approve PRs
+      pull-requests: write
+      # for alexwilson/enable-github-automerge-action to approve PRs
+      contents: write
+
     name: Approve
     steps:
-      - uses: hmarr/auto-approve-action@v4.0.0
-        if: github.actor == 'transifex-integration[bot]'
+      - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
 
-  automerge:
-    runs-on: ubuntu-latest
-    name: Auto-merge
-    needs: approve
-    steps:
-      - uses: pascalgn/automerge-action@v0.16.4
-        if: github.actor == 'transifex-integration[bot]'
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-          MERGE_LABELS: ""
-          MERGE_RETRIES: 10
-          MERGE_RETRY_SLEEP: 120000
+      # Enable GitHub auto merge
+      - name: Auto merge
+        uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # v2.0.0
+        if: startsWith(steps.branchname.outputs.branch, 'translations_')
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
