From c378e95ad6eeb5ade231c53e06ae40d714ccd4d5 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Tue, 27 Jan 2026 14:53:58 +0100
Subject: [PATCH 1/3] ci(actions): Satisfy zizmor and show that we trust ourselves

Signed-off-by: Joas Schilling
---
 .github/workflows/cypress.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/cypress.yml b/.github/workflows/cypress.yml
index d416b1fb42cb0..7051717f1d51b 100644
--- a/.github/workflows/cypress.yml
+++ b/.github/workflows/cypress.yml
@@ -107,7 +107,7 @@ jobs:
 services:
 mysql:
 # Only start mysql if we are running the setup tests
- image: ${{matrix.containers == 'setup' && 'ghcr.io/nextcloud/continuous-integration-mysql-8.4:latest' || ''}}
+ image: ${{matrix.containers == 'setup' && 'ghcr.io/nextcloud/continuous-integration-mysql-8.4:latest' || ''}} # zizmor: ignore[unpinned-images]
 ports:
 - '3306/tcp'
 env:
@@ -119,7 +119,7 @@ jobs:
 
 mariadb:
 # Only start mariadb if we are running the setup tests
- image: ${{matrix.containers == 'setup' && 'mariadb:11.4' || ''}}
+ image: ${{matrix.containers == 'setup' && 'mariadb:11.4' || ''}} # zizmor: ignore[unpinned-images]
 ports:
 - '3306/tcp'
 env:
@@ -131,7 +131,7 @@ jobs:
 
 postgres:
 # Only start postgres if we are running the setup tests
- image: ${{matrix.containers == 'setup' && 'ghcr.io/nextcloud/continuous-integration-postgres-17:latest' || ''}}
+ image: ${{matrix.containers == 'setup' && 'ghcr.io/nextcloud/continuous-integration-postgres-17:latest' || ''}} # zizmor: ignore[unpinned-images]
 ports:
 - '5432/tcp'
 env:
@@ -142,7 +142,7 @@ jobs:
 
 oracle:
 # Only start oracle if we are running the setup tests
- image: ${{matrix.containers == 'setup' && 'ghcr.io/gvenzl/oracle-free:23' || ''}}
+ image: ${{matrix.containers == 'setup' && 'ghcr.io/gvenzl/oracle-free:23' || ''}} # zizmor: ignore[unpinned-images]
 ports:
 - '1521'
 env:

From 2fbcbc0eaf1722a9d77c838581cc38ec8cce5614 Mon Sep 17 00:00:00 2001
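Review bot: The `# zizmor: ignore[unpinned-images]` suppression on the mysql `image:` line is added without any recorded reason, and the commit's "we trust ourselves" rationale only fits the `ghcr.io/nextcloud/...` images; the same suppression in the mariadb (`mariadb:11.4`) and oracle (`ghcr.io/gvenzl/oracle-free:23`) hunks is applied to third-party images the project does not control. With mutable tags such as `:latest`, `11.4` and `23`, the service container used by the setup tests can change without any commit touching this file, which makes CI breakage or a tampered image hard to trace. For the two third-party images consider pinning by digest, `image: mariadb:11.4@sha256:<digest>` (placeholder), or at least record the acceptance on the line above each suppressed `image:`: `# Mutable tag accepted: throwaway CI service container, not shipped code`. The `services:` mapping belongs to a job whose definition starts outside the hunk.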
From: Joas Schilling
Date: Tue, 27 Jan 2026 14:56:50 +0100
Subject: [PATCH 2/3] ci(action): Assign permission as low as possible

Signed-off-by: Joas Schilling
---
 .github/workflows/static-code-analysis.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/static-code-analysis.yml b/.github/workflows/static-code-analysis.yml
index 8b02044229293..ee2eaff5dedaf 100644
--- a/.github/workflows/static-code-analysis.yml
+++ b/.github/workflows/static-code-analysis.yml
@@ -15,7 +15,6 @@ on:
 
 permissions:
 contents: read
- security-events: write
 
 concurrency:
 group: static-code-analysis-${{ github.head_ref || github.run_id }}
@@ -59,6 +58,9 @@ jobs:
 if: ${{ github.repository_owner != 'nextcloud-gmbh' }}
+ permissions:
+ security-events: write
+
 steps:
 - name: Checkout code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8

From dbee8cf5d86524fb382376b79a1b41c20e3f4b64 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Tue, 27 Jan 2026 15:02:51 +0100
Subject: [PATCH 3/3] ci(rector): Update actions and add versions

Signed-off-by: Joas Schilling
---
 .github/workflows/rector.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/rector.yml b/.github/workflows/rector.yml
index 6bab4cbed2f6b..56a6554d25bfc 100644
--- a/.github/workflows/rector.yml
+++ b/.github/workflows/rector.yml
@@ -20,13 +20,13 @@ jobs:
 
 steps:
 - name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 submodules: true
 
 - name: Set up php
- uses: shivammathur/setup-php@ec406be512d7077f68eed36e63f4d91bc006edc4 #v2.35.4
+ uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 #v2.36.0
 with:
 php-version: '8.2'
 extensions: apcu,ctype,curl,dom,fileinfo,ftp,gd,imagick,intl,json,ldap,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
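Review bot: The job-level `permissions:` block added before `steps:` replaces the workflow-level block for this job rather than extending it, so `contents: read` (kept at the top of the file in the first hunk) no longer applies to the job that runs `actions/checkout`; every scope not listed at job level is reduced to none. On a public repository checkout and the SARIF upload still work without it, but the intent of the commit is least privilege made explicit, and an implicit dependence on the repository being public is fragile for forks (the `if:` on the previous line suggests forks are a concern). Make the needed scopes explicit in the job block: `permissions:`, `  contents: read`, `  security-events: write`. The job definition starts outside the hunk.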