From 24cf213232b6d113e1188d9d9539dffcaed67b0c Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Thu, 27 Nov 2025 09:07:16 +0100 Subject: [PATCH 1/3] ci(actions): Update workflows Signed-off-by: Joas Schilling --- .github/workflows/lint-php-cs.yml | 14 +++++++++----- .github/workflows/lint-php.yml | 8 +++++--- .github/workflows/pr-feedback.yml | 11 ++++++++--- .github/workflows/reuse.yml | 9 ++++++--- .github/workflows/test-repositories.yml | 13 ++++++++----- .github/workflows/test.yml | 6 ++++-- 6 files changed, 40 insertions(+), 21 deletions(-) diff --git a/.github/workflows/lint-php-cs.yml b/.github/workflows/lint-php-cs.yml index 44cf66b..a08cf99 100644 --- a/.github/workflows/lint-php-cs.yml +++ b/.github/workflows/lint-php-cs.yml @@ -25,12 +25,14 @@ jobs: steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - - name: Set up php8.2 - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1 + - name: Set up php8.3 + uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2.36.0 with: - php-version: 8.2 + php-version: 8.3 extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite coverage: none ini-file: development @@ -38,7 +40,9 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Install dependencies - run: composer i + run: | + composer remove nextcloud/ocp --dev --no-scripts + composer i - name: Lint run: composer run cs:check || ( echo 'Please run `composer run cs:fix` to format your code' && exit 1 ) diff --git a/.github/workflows/lint-php.yml b/.github/workflows/lint-php.yml index 0923d94..e9e26c4 100644 --- a/.github/workflows/lint-php.yml +++ b/.github/workflows/lint-php.yml @@ -22,16 +22,18 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - php-versions: [ '8.1' ] + php-versions: ['8.1', '8.2', '8.3', '8.4', '8.5'] name: php-lint steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1 + uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2.36.0 with: php-version: ${{ matrix.php-versions }} extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite diff --git a/.github/workflows/pr-feedback.yml b/.github/workflows/pr-feedback.yml index 6a01fa0..f4c0477 100644 --- a/.github/workflows/pr-feedback.yml +++ b/.github/workflows/pr-feedback.yml @@ -15,12 +15,17 @@ on: schedule: - cron: '30 1 * * *' +permissions: + contents: read + pull-requests: write + jobs: pr-feedback: + if: ${{ github.repository_owner == 'nextcloud' }} runs-on: ubuntu-latest steps: - name: The get-github-handles-from-website action - uses: marcelklehr/get-github-handles-from-website-action@a739600f6b91da4957f51db0792697afbb2f143c # v1.0.0 + uses: marcelklehr/get-github-handles-from-website-action@06b2239db0a48fe1484ba0bfd966a3ab81a08308 # v1.0.1 id: scrape with: website: 'https://nextcloud.com/team/' @@ -31,7 +36,7 @@ jobs: blocklist=$(curl https://raw.githubusercontent.com/nextcloud/.github/master/non-community-usernames.txt | paste -s -d, -) echo "blocklist=$blocklist" >> "$GITHUB_OUTPUT" - - uses: marcelklehr/pr-feedback-action@1883b38a033fb16f576875e0cf45f98b857655c4 + - uses: nextcloud/pr-feedback-action@f0cab224dea8e1f282f9451de322f323c78fc7a5 # main with: feedback-message: | Hello there, @@ -45,6 +50,6 @@ jobs: (If you believe you should not receive this message, you can add yourself to the [blocklist](https://github.com/nextcloud/.github/blob/master/non-community-usernames.txt).) days-before-feedback: 14 - start-date: '2024-04-30' + start-date: '2025-06-12' exempt-authors: '${{ steps.blocklist.outputs.blocklist }},${{ steps.scrape.outputs.users }}' exempt-bots: true diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml index b682855..d65f3b0 100644 --- a/.github/workflows/reuse.yml +++ b/.github/workflows/reuse.yml @@ -11,14 +11,17 @@ name: REUSE Compliance Check on: [pull_request] +permissions: + contents: read + jobs: reuse-compliance-check: - runs-on: ubuntu-latest + runs-on: ubuntu-latest-low steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false - name: REUSE Compliance Check - uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5.0.0 + uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0 diff --git a/.github/workflows/test-repositories.yml b/.github/workflows/test-repositories.yml index 1aa1138..1ca4d71 100644 --- a/.github/workflows/test-repositories.yml +++ b/.github/workflows/test-repositories.yml @@ -29,7 +29,7 @@ jobs: strategy: fail-fast: false matrix: - php-versions: [ "8.1" ] + php-versions: [ "8.3" ] repositories: - "nextcloud/app_template" - "nextcloud/approve_links" @@ -50,10 +50,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # v2 + uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2.36.0 with: php-version: ${{ matrix.php-versions }} coverage: none @@ -62,8 +64,9 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Checkout repository for testing - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: + persist-credentials: false repository: ${{ matrix.repositories }} path: temp-repository @@ -107,7 +110,7 @@ jobs: summary: permissions: contents: none - runs-on: ubuntu-latest + runs-on: ubuntu-latest-low needs: openapi-repositories if: always() diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 248d408..dec4679 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -34,10 +34,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # v2 + uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2.36.0 with: php-version: ${{ matrix.php-versions }} coverage: none From 62dbec84064eaccd34de6773dc374e03cb12a655 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Thu, 27 Nov 2025 09:08:35 +0100 Subject: [PATCH 2/3] ci(actions): Update OCP and automerge it Signed-off-by: Joas Schilling --- .../workflows/dependabot-approve-merge.yml | 58 ++++++++ .../update-nextcloud-ocp-approve-merge.yml | 58 ++++++++ .github/workflows/update-nextcloud-ocp.yml | 127 ++++++++++++++++++ 3 files changed, 243 insertions(+) create mode 100644 .github/workflows/dependabot-approve-merge.yml create mode 100644 .github/workflows/update-nextcloud-ocp-approve-merge.yml create mode 100644 .github/workflows/update-nextcloud-ocp.yml diff --git a/.github/workflows/dependabot-approve-merge.yml b/.github/workflows/dependabot-approve-merge.yml new file mode 100644 index 0000000..e1d0b9b --- /dev/null +++ b/.github/workflows/dependabot-approve-merge.yml @@ -0,0 +1,58 @@ +# This workflow is provided via the organization template repository +# +# https://github.com/nextcloud/.github +# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization +# +# SPDX-FileCopyrightText: Nextcloud GmbH and Nextcloud contributors +# SPDX-License-Identifier: MIT + +name: Auto approve Dependabot PRs + +on: + pull_request_target: # zizmor: ignore[dangerous-triggers] + branches: + - main + - master + - stable* + +permissions: + contents: read + +concurrency: + group: dependabot-approve-merge-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + +jobs: + auto-approve-merge: + if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'renovate[bot]' + runs-on: ubuntu-latest-low + permissions: + # for hmarr/auto-approve-action to approve PRs + pull-requests: write + # for alexwilson/enable-github-automerge-action to approve PRs + contents: write + + steps: + - name: Disabled on forks + if: ${{ github.event.pull_request.head.repo.full_name != github.repository }} + run: | + echo 'Can not approve PRs from forks' + exit 1 + + - uses: mdecoleman/pr-branch-name@55795d86b4566d300d237883103f052125cc7508 # v3.0.0 + id: branchname + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + + # GitHub actions bot approve + - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0 + if: startsWith(steps.branchname.outputs.branch, 'dependabot/') && contains(steps.branchname.outputs.branch, '/webrtc-adapter-') != true && contains(steps.branchname.outputs.branch, '/nextcloud/vue-') != true + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + + # Enable GitHub auto merge + - name: Auto merge + uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # v2.0.0 + if: startsWith(steps.branchname.outputs.branch, 'dependabot/') && contains(steps.branchname.outputs.branch, '/webrtc-adapter-') != true && contains(steps.branchname.outputs.branch, '/nextcloud/vue-') != true + with: + github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/update-nextcloud-ocp-approve-merge.yml b/.github/workflows/update-nextcloud-ocp-approve-merge.yml new file mode 100644 index 0000000..dfe0ef4 --- /dev/null +++ b/.github/workflows/update-nextcloud-ocp-approve-merge.yml @@ -0,0 +1,58 @@ +# This workflow is provided via the organization template repository +# +# https://github.com/nextcloud/.github +# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization +# +# SPDX-FileCopyrightText: 2023-2024 Nextcloud GmbH and Nextcloud contributors +# SPDX-License-Identifier: MIT + +name: Auto approve nextcloud/ocp + +on: + pull_request_target: # zizmor: ignore[dangerous-triggers] + branches: + - main + - master + - stable* + +permissions: + contents: read + +concurrency: + group: update-nextcloud-ocp-approve-merge-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + +jobs: + auto-approve-merge: + if: github.actor == 'nextcloud-command' + runs-on: ubuntu-latest-low + permissions: + # for hmarr/auto-approve-action to approve PRs + pull-requests: write + # for alexwilson/enable-github-automerge-action to approve PRs + contents: write + + steps: + - name: Disabled on forks + if: ${{ github.event.pull_request.head.repo.full_name != github.repository }} + run: | + echo 'Can not approve PRs from forks' + exit 1 + + - uses: mdecoleman/pr-branch-name@55795d86b4566d300d237883103f052125cc7508 # v3.0.0 + id: branchname + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + + # GitHub actions bot approve + - uses: hmarr/auto-approve-action@b40d6c9ed2fa10c9a2749eca7eb004418a705501 # v2 + if: startsWith(steps.branchname.outputs.branch, 'automated/noid/') && endsWith(steps.branchname.outputs.branch, 'update-nextcloud-ocp') + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + + # Enable GitHub auto merge + - name: Auto merge + uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # v2.0.0 + if: startsWith(steps.branchname.outputs.branch, 'automated/noid/') && endsWith(steps.branchname.outputs.branch, 'update-nextcloud-ocp') + with: + github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/update-nextcloud-ocp.yml b/.github/workflows/update-nextcloud-ocp.yml new file mode 100644 index 0000000..673d152 --- /dev/null +++ b/.github/workflows/update-nextcloud-ocp.yml @@ -0,0 +1,127 @@ +# This workflow is provided via the organization template repository +# +# https://github.com/nextcloud/.github +# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization +# +# SPDX-FileCopyrightText: 2022-2024 Nextcloud GmbH and Nextcloud contributors +# SPDX-License-Identifier: MIT + +name: Update nextcloud/ocp + +on: + workflow_dispatch: + schedule: + - cron: "5 2 * * 0" + +permissions: + contents: read + issues: write + +jobs: + update-nextcloud-ocp: + runs-on: ubuntu-latest + + strategy: + fail-fast: false + matrix: + branches: + - ${{ github.event.repository.default_branch }} + - 'stable32' + - 'stable31' + + name: update-nextcloud-ocp-${{ matrix.branches }} + + steps: + - id: checkout + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + ref: ${{ matrix.branches }} + submodules: true + continue-on-error: true + + - name: Set up php8.2 + if: steps.checkout.outcome == 'success' + uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # v2.35.5 + with: + php-version: 8.2 + # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation + extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite + coverage: none + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Read codeowners + if: steps.checkout.outcome == 'success' + id: codeowners + run: | + grep '/appinfo/info.xml' .github/CODEOWNERS | cut -f 2- -d ' ' | xargs | awk '{ print "codeowners="$0 }' >> $GITHUB_OUTPUT + continue-on-error: true + + - name: Composer install + if: steps.checkout.outcome == 'success' + run: composer install + + - name: Composer update nextcloud/ocp # zizmor: ignore[template-injection] + id: update_branch + if: ${{ steps.checkout.outcome == 'success' && matrix.branches != 'main' }} + run: composer require --dev 'nextcloud/ocp:dev-${{ matrix.branches }}' + + - name: Raise on issue on failure + uses: dacbd/create-issue-action@cdb57ab6ff8862aa09fee2be6ba77a59581921c2 # v2.0.0 + if: ${{ steps.checkout.outcome == 'success' && failure() && steps.update_branch.conclusion == 'failure' }} + with: + token: ${{ secrets.GITHUB_TOKEN }} + title: 'Failed to update nextcloud/ocp package on branch ${{ matrix.branches }}' + body: 'Please check the output of the GitHub action and manually resolve the issues
${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
${{ steps.codeowners.outputs.codeowners }}' + + - name: Composer update nextcloud/ocp + id: update_main + if: ${{ steps.checkout.outcome == 'success' && matrix.branches == 'main' }} + run: composer require --dev nextcloud/ocp:dev-master + + - name: Raise on issue on failure + uses: dacbd/create-issue-action@cdb57ab6ff8862aa09fee2be6ba77a59581921c2 # v2.0.0 + if: ${{ steps.checkout.outcome == 'success' && failure() && steps.update_main.conclusion == 'failure' }} + with: + token: ${{ secrets.GITHUB_TOKEN }} + title: 'Failed to update nextcloud/ocp package on branch ${{ matrix.branches }}' + body: 'Please check the output of the GitHub action and manually resolve the issues
${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
${{ steps.codeowners.outputs.codeowners }}' + + - name: Reset checkout 3rdparty + if: steps.checkout.outcome == 'success' + run: | + git clean -f 3rdparty + git checkout 3rdparty + continue-on-error: true + + - name: Reset checkout vendor + if: steps.checkout.outcome == 'success' + run: | + git clean -f vendor + git checkout vendor + continue-on-error: true + + - name: Reset checkout vendor-bin + if: steps.checkout.outcome == 'success' + run: | + git clean -f vendor-bin + git checkout vendor-bin + continue-on-error: true + + - name: Create Pull Request + if: steps.checkout.outcome == 'success' + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 + with: + token: ${{ secrets.COMMAND_BOT_PAT }} + commit-message: 'chore(dev-deps): Bump nextcloud/ocp package' + committer: GitHub + author: nextcloud-command + signoff: true + branch: 'automated/noid/${{ matrix.branches }}-update-nextcloud-ocp' + title: '[${{ matrix.branches }}] Update nextcloud/ocp dependency' + body: | + Auto-generated update of [nextcloud/ocp](https://github.com/nextcloud-deps/ocp/) dependency + labels: | + dependencies + 3. to review From 3e4c9826491a1c20e513645d63d5ebd10a494182 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Thu, 27 Nov 2025 09:08:50 +0100 Subject: [PATCH 3/3] ci(actions): Use dependabot to bump actions as well Signed-off-by: Joas Schilling --- .github/dependabot.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 59b8db0..7aadf7f 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -10,3 +10,17 @@ updates: time: "03:00" timezone: Europe/Paris open-pull-requests-limit: 10 + + # GitHub Actions +- package-ecosystem: "github-actions" + directory: ".github/workflows" + commit-message: + prefix: "ci" + include: "scope" + schedule: + interval: weekly + day: saturday + time: "03:00" + timezone: Europe/Berlin + cooldown: + default-days: 4