From e4c7a83e575ae4d176c2fc5d52a5fe75322bd97b Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Tue, 27 Jan 2026 14:53:58 +0100
Subject: [PATCH 1/2] ci(actions): Satisfy zizmor and show that we trust ourselves
Signed-off-by: Joas Schilling
---
 .github/workflows/cypress.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/cypress.yml b/.github/workflows/cypress.yml
index 8291ee65d1d0f..2c885352de62c 100644
--- a/.github/workflows/cypress.yml
+++ b/.github/workflows/cypress.yml
@@ -107,7 +107,7 @@ jobs:
 services:
 mysql:
 # Only start mysql if we are running the setup tests
- image: ${{matrix.containers == 'setup' && 'ghcr.io/nextcloud/continuous-integration-mysql-8.4:latest' || ''}}
+ image: ${{matrix.containers == 'setup' && 'ghcr.io/nextcloud/continuous-integration-mysql-8.4:latest' || ''}} # zizmor: ignore[unpinned-images]
 ports:
 - '3306/tcp'
 env:
@@ -119,7 +119,7 @@ jobs:
 mariadb:
 # Only start mariadb if we are running the setup tests
- image: ${{matrix.containers == 'setup' && 'mariadb:11.4' || ''}}
+ image: ${{matrix.containers == 'setup' && 'mariadb:11.4' || ''}} # zizmor: ignore[unpinned-images]
 ports:
 - '3306/tcp'
 env:
@@ -131,7 +131,7 @@ jobs:
 postgres:
 # Only start postgres if we are running the setup tests
- image: ${{matrix.containers == 'setup' && 'ghcr.io/nextcloud/continuous-integration-postgres-17:latest' || ''}}
+ image: ${{matrix.containers == 'setup' && 'ghcr.io/nextcloud/continuous-integration-postgres-17:latest' || ''}} # zizmor: ignore[unpinned-images]
 ports:
 - '5432/tcp'
 env:
@@ -142,7 +142,7 @@ jobs:
 oracle:
 # Only start oracle if we are running the setup tests
- image: ${{matrix.containers == 'setup' && 'ghcr.io/gvenzl/oracle-free:23' || ''}}
+ image: ${{matrix.containers == 'setup' && 'ghcr.io/gvenzl/oracle-free:23' || ''}} # zizmor: ignore[unpinned-images]
 ports:
 - '1521'
 env:
From e1d9ae53f518dee1b4870d310634bd5dbc9b8569 Mon Sep 17 00:00:00 2001
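Review bot: The `# zizmor: ignore[unpinned-images]` suppression is applied to all four `image:` lines, but only the two `ghcr.io/nextcloud/...` images are "ourselves"; `mariadb:11.4` (hunk at -119) and `ghcr.io/gvenzl/oracle-free:23` (hunk at -142) are third-party images that the commit message's trust argument does not cover. Mutable tags, `:latest` in particular, also mean the service containers can change between runs with no change to this repository, so a setup-test failure caused by an upstream image update is hard to reproduce or bisect. For the two external images, pinning by digest (`mariadb:11.4@sha256:<digest-placeholder>`) would let the suppression be dropped there; if tracking the tag is deliberate, a line above each of those two `image:` entries such as `# Third-party image; following the tag rather than a digest is intentional` would make the ignore self-explanatory. The `services:` mapping begins before the first hunk and each service's `env:` block continues past its hunk, so the full container configuration is not visible here.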
From: Joas Schilling
Date: Tue, 27 Jan 2026 14:56:50 +0100
Subject: [PATCH 2/2] ci(action): Assign permission as low as possible
Signed-off-by: Joas Schilling
---
 .github/workflows/static-code-analysis.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/static-code-analysis.yml b/.github/workflows/static-code-analysis.yml
index 1ee13554b6f27..2bc40570c4ed6 100644
--- a/.github/workflows/static-code-analysis.yml
+++ b/.github/workflows/static-code-analysis.yml
@@ -15,7 +15,6 @@ on:
 permissions:
 contents: read
- security-events: write
 concurrency:
 group: static-code-analysis-${{ github.head_ref || github.run_id }}
@@ -59,6 +58,9 @@ jobs:
 if: ${{ github.repository_owner != 'nextcloud-gmbh' }}
+ permissions:
+ security-events: write
+
 steps:
 - name: Checkout code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
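Review bot: The job-level `permissions:` block added in the hunk at -59 names only `security-events: write`, and a job-level `permissions` key replaces the workflow-level grant rather than adding to it, so every scope it does not list — including the `contents: read` that the hunk at -15 keeps at workflow level — becomes `none` for this job. The `Checkout code` step directly below uses `actions/checkout`, which needs `contents: read` on a private repository (and possibly for later steps that read the token), so anyone running this workflow from a private fork would likely see the job fail at checkout. Listing the read scope explicitly keeps the least-privilege intent and makes the job self-contained: `permissions:` / `  contents: read` / `  security-events: write`. The job definition starts before the hunk, so its name and any other settings are not visible here.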