diff --git a/.github/workflows/block-unconventional-commits.yml b/.github/workflows/block-unconventional-commits.yml index 409e70a..01c4dea 100644 --- a/.github/workflows/block-unconventional-commits.yml +++ b/.github/workflows/block-unconventional-commits.yml @@ -23,14 +23,14 @@ jobs: block-unconventional-commits: name: Block unconventional commits - runs-on: ubuntu-latest + runs-on: ubuntu-latest-low steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: webiny/action-conventional-commits@8bc41ff4e7d423d56fa4905f6ff79209a78776c7 # v1.3.0 + - uses: webiny/action-conventional-commits@faccb24fc2550dd15c0390d944379d2d8ed9690e # v1.3.1 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/fixup.yml b/.github/workflows/fixup.yml index 1444299..69da2bb 100644 --- a/.github/workflows/fixup.yml +++ b/.github/workflows/fixup.yml @@ -27,7 +27,7 @@ jobs: pull-requests: write name: Block fixup and squash commits - runs-on: ubuntu-latest + runs-on: ubuntu-latest-low steps: - name: Run check diff --git a/.github/workflows/lint-eslint.yml b/.github/workflows/lint-eslint.yml index a4ad18b..c87353b 100644 --- a/.github/workflows/lint-eslint.yml +++ b/.github/workflows/lint-eslint.yml @@ -19,7 +19,7 @@ concurrency: jobs: changes: - runs-on: ubuntu-latest + runs-on: ubuntu-latest-low permissions: contents: read pull-requests: read @@ -56,7 +56,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -64,11 +64,11 @@ jobs: uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 id: versions with: - fallbackNode: '^20' - fallbackNpm: '^10' + fallbackNode: '^24' + fallbackNpm: '^11.3' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} @@ -87,7 +87,7 @@ jobs: summary: permissions: contents: none - runs-on: ubuntu-latest + runs-on: ubuntu-latest-low needs: [changes, lint] if: always() diff --git a/.github/workflows/lint-info-xml.yml b/.github/workflows/lint-info-xml.yml index 5027785..d0c84cc 100644 --- a/.github/workflows/lint-info-xml.yml +++ b/.github/workflows/lint-info-xml.yml @@ -19,12 +19,12 @@ concurrency: jobs: xml-linters: - runs-on: ubuntu-latest + runs-on: ubuntu-latest-low name: info.xml lint steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/lint-php-cs.yml b/.github/workflows/lint-php-cs.yml index a1a246f..f55a05e 100644 --- a/.github/workflows/lint-php-cs.yml +++ b/.github/workflows/lint-php-cs.yml @@ -25,16 +25,16 @@ jobs: steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Get php version id: versions - uses: icewind1991/nextcloud-version-matrix@58becf3b4bb6dc6cef677b15e2fd8e7d48c0908f # v1.3.1 + uses: icewind1991/nextcloud-version-matrix@8a7bac6300b2f0f3100088b297995a229558ddba # v1.3.2 - name: Set up php${{ steps.versions.outputs.php-min }} - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 + uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2.36.0 with: php-version: ${{ steps.versions.outputs.php-min }} extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite @@ -45,7 +45,7 @@ jobs: - name: Install dependencies run: | - composer remove nextcloud/ocp --dev + composer remove nextcloud/ocp --dev --no-scripts composer i - name: Lint diff --git a/.github/workflows/lint-php.yml b/.github/workflows/lint-php.yml index 2903794..26cc9df 100644 --- a/.github/workflows/lint-php.yml +++ b/.github/workflows/lint-php.yml @@ -19,18 +19,18 @@ concurrency: jobs: matrix: - runs-on: ubuntu-latest + runs-on: ubuntu-latest-low outputs: php-versions: ${{ steps.versions.outputs.php-versions }} steps: - name: Checkout app - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Get version matrix id: versions - uses: icewind1991/nextcloud-version-matrix@58becf3b4bb6dc6cef677b15e2fd8e7d48c0908f # v1.0.0 + uses: icewind1991/nextcloud-version-matrix@8a7bac6300b2f0f3100088b297995a229558ddba # v1.3.2 php-lint: runs-on: ubuntu-latest @@ -43,12 +43,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 + uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2.36.0 with: php-version: ${{ matrix.php-versions }} extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite @@ -63,7 +63,7 @@ jobs: summary: permissions: contents: none - runs-on: ubuntu-latest + runs-on: ubuntu-latest-low needs: php-lint if: always() diff --git a/.github/workflows/lint-stylelint.yml b/.github/workflows/lint-stylelint.yml index 22c0f44..ce4d6d7 100644 --- a/.github/workflows/lint-stylelint.yml +++ b/.github/workflows/lint-stylelint.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -33,11 +33,11 @@ jobs: uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 id: versions with: - fallbackNode: '^20' - fallbackNpm: '^10' + fallbackNode: '^24' + fallbackNpm: '^11.3' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} diff --git a/.github/workflows/node.yml b/.github/workflows/node.yml index 0c817bd..7eaa343 100644 --- a/.github/workflows/node.yml +++ b/.github/workflows/node.yml @@ -19,7 +19,7 @@ concurrency: jobs: changes: - runs-on: ubuntu-latest + runs-on: ubuntu-latest-low permissions: contents: read pull-requests: read @@ -53,7 +53,7 @@ jobs: name: NPM build steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -61,17 +61,23 @@ jobs: uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 id: versions with: - fallbackNode: '^20' - fallbackNpm: '^10' + fallbackNode: '^24' + fallbackNpm: '^11.3' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} - name: Set up npm ${{ steps.versions.outputs.npmVersion }} run: npm i -g 'npm@${{ steps.versions.outputs.npmVersion }}' + - name: Validate package-lock.json # See https://github.com/npm/cli/issues/4460 + run: | + npm i -g npm-package-lock-add-resolved@1.1.4 + npm-package-lock-add-resolved + git --no-pager diff --exit-code + - name: Install dependencies & build env: CYPRESS_INSTALL_BINARY: 0 @@ -80,7 +86,7 @@ jobs: npm ci npm run build --if-present - - name: Check webpack build changes + - name: Check build changes run: | bash -c "[[ ! \"`git status --porcelain `\" ]] || (echo 'Please recompile and commit the assets, see the section \"Show changes on failure\" for details' && exit 1)" @@ -94,7 +100,7 @@ jobs: summary: permissions: contents: none - runs-on: ubuntu-latest + runs-on: ubuntu-latest-low needs: [changes, build] if: always() diff --git a/.github/workflows/npm-audit-fix.yml b/.github/workflows/npm-audit-fix.yml index 4ffccc1..2559b1c 100644 --- a/.github/workflows/npm-audit-fix.yml +++ b/.github/workflows/npm-audit-fix.yml @@ -24,14 +24,15 @@ jobs: strategy: fail-fast: false matrix: - branches: ['main'] + branches: + - ${{ github.event.repository.default_branch }} name: npm-audit-fix-${{ matrix.branches }} steps: - name: Checkout id: checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false ref: ${{ matrix.branches }} @@ -41,11 +42,11 @@ jobs: uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 id: versions with: - fallbackNode: '^20' - fallbackNpm: '^10' + fallbackNode: '^24' + fallbackNpm: '^11.3' - name: Set up node ${{ steps.versions.outputs.nodeVersion }} - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 with: node-version: ${{ steps.versions.outputs.nodeVersion }} @@ -66,7 +67,7 @@ jobs: - name: Create Pull Request if: steps.checkout.outcome == 'success' - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 + uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 with: token: ${{ secrets.COMMAND_BOT_PAT }} commit-message: 'fix(deps): Fix npm audit' diff --git a/.github/workflows/openapi.yml b/.github/workflows/openapi.yml index e67896e..20fbcd0 100644 --- a/.github/workflows/openapi.yml +++ b/.github/workflows/openapi.yml @@ -26,16 +26,16 @@ jobs: steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Get php version id: php_versions - uses: icewind1991/nextcloud-version-matrix@58becf3b4bb6dc6cef677b15e2fd8e7d48c0908f # v1.3.1 + uses: icewind1991/nextcloud-version-matrix@8a7bac6300b2f0f3100088b297995a229558ddba # v1.3.2 - name: Set up php - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 + uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2.36.0 with: php-version: ${{ steps.php_versions.outputs.php-available }} extensions: xml @@ -57,12 +57,12 @@ jobs: # Continue if no package.json continue-on-error: true with: - fallbackNode: '^20' - fallbackNpm: '^10' + fallbackNode: '^24' + fallbackNpm: '^11.3' - name: Set up node ${{ steps.node_versions.outputs.nodeVersion }} if: ${{ steps.node_versions.outputs.nodeVersion }} - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 with: node-version: ${{ steps.node_versions.outputs.nodeVersion }} diff --git a/.github/workflows/psalm-matrix.yml b/.github/workflows/psalm-matrix.yml index fe0f2ae..54ed700 100644 --- a/.github/workflows/psalm-matrix.yml +++ b/.github/workflows/psalm-matrix.yml @@ -19,18 +19,18 @@ permissions: jobs: matrix: - runs-on: ubuntu-latest + runs-on: ubuntu-latest-low outputs: ocp-matrix: ${{ steps.versions.outputs.ocp-matrix }} steps: - name: Checkout app - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Get version matrix id: versions - uses: icewind1991/nextcloud-version-matrix@58becf3b4bb6dc6cef677b15e2fd8e7d48c0908f # v1.3.1 + uses: icewind1991/nextcloud-version-matrix@8a7bac6300b2f0f3100088b297995a229558ddba # v1.3.2 - name: Check enforcement of minimum PHP version ${{ steps.versions.outputs.php-min }} in psalm.xml run: grep 'phpVersion="${{ steps.versions.outputs.php-min }}' psalm.xml @@ -46,12 +46,12 @@ jobs: name: static-psalm-analysis ${{ matrix.ocp-version }} steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Set up php${{ matrix.php-min }} - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 + uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2.36.0 with: php-version: ${{ matrix.php-min }} extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite @@ -64,9 +64,11 @@ jobs: - name: Install dependencies run: | - composer remove nextcloud/ocp --dev + composer remove nextcloud/ocp --dev --no-scripts composer i + - name: Check for vulnerable PHP dependencies + run: composer require --dev roave/security-advisories:dev-latest - name: Install dependencies # zizmor: ignore[template-injection] run: composer require --dev 'nextcloud/ocp:${{ matrix.ocp-version }}' --ignore-platform-reqs --with-dependencies @@ -75,7 +77,7 @@ jobs: run: composer run psalm -- --threads=1 --monochrome --no-progress --output-format=github summary: - runs-on: ubuntu-latest + runs-on: ubuntu-latest-low needs: static-analysis if: always() diff --git a/.github/workflows/update-nextcloud-ocp-approve-merge.yml b/.github/workflows/update-nextcloud-ocp-approve-merge.yml index 15d378d..dfe0ef4 100644 --- a/.github/workflows/update-nextcloud-ocp-approve-merge.yml +++ b/.github/workflows/update-nextcloud-ocp-approve-merge.yml @@ -25,7 +25,7 @@ concurrency: jobs: auto-approve-merge: if: github.actor == 'nextcloud-command' - runs-on: ubuntu-latest + runs-on: ubuntu-latest-low permissions: # for hmarr/auto-approve-action to approve PRs pull-requests: write diff --git a/.github/workflows/update-nextcloud-ocp-matrix.yml b/.github/workflows/update-nextcloud-ocp-matrix.yml index 7e2107b..24d932b 100644 --- a/.github/workflows/update-nextcloud-ocp-matrix.yml +++ b/.github/workflows/update-nextcloud-ocp-matrix.yml @@ -15,6 +15,7 @@ on: permissions: contents: read + issues: write jobs: update-nextcloud-ocp: @@ -23,20 +24,24 @@ jobs: strategy: fail-fast: false matrix: - branches: ['master'] - target: ['stable30'] + branches: + - ${{ github.event.repository.default_branch }} name: update-nextcloud-ocp-${{ matrix.branches }} steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false ref: ${{ matrix.branches }} submodules: true + - name: Get version matrix + id: versions + uses: icewind1991/nextcloud-version-matrix@8a7bac6300b2f0f3100088b297995a229558ddba # v1.3.2 + - name: Set up php8.2 - uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0 + uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2.36.0 with: php-version: 8.2 # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation @@ -56,7 +61,7 @@ jobs: - name: Composer update nextcloud/ocp id: update_branch - run: composer require --dev nextcloud/ocp:dev-${{ matrix.target }} + run: composer require --dev nextcloud/ocp:dev-${{ steps.versions.outputs.branches-min }} - name: Raise on issue on failure uses: dacbd/create-issue-action@cdb57ab6ff8862aa09fee2be6ba77a59581921c2 # v2.0.0 @@ -85,7 +90,7 @@ jobs: continue-on-error: true - name: Create Pull Request - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 + uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 with: token: ${{ secrets.COMMAND_BOT_PAT }} commit-message: 'chore(dev-deps): Bump nextcloud/ocp package'