ci(gh): Sync workflow updates

Signed-off-by: Andy Scherzinger <[email protected]>

Author: AndyScherzinger

.github/workflows/block-merge-eol.yml

@@ -27,13 +27,22 @@ jobs:
 
     steps:
       - name: Set server major version environment
-        run: |
-          # retrieve version number from branch reference
-          server_major=$(echo "${{ github.base_ref }}" | sed -En 's/stable//p')
-          echo "server_major=$server_major" >> $GITHUB_ENV
-          echo "current_month=$(date +%Y-%m)" >> $GITHUB_ENV
-
-      - name: Checking if ${{ env.server_major }} is EOL
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            const regex = /^stable(\d+)$/
+            const baseRef = context.payload.pull_request.base.ref
+            const match = baseRef.match(regex)
+            if (match) {
+              console.log('Setting server_major to ' + match[1]);
+              core.exportVariable('server_major', match[1]);
+              console.log('Setting current_month to ' + (new Date()).toISOString().substr(0, 7));
+              core.exportVariable('current_month', (new Date()).toISOString().substr(0, 7));
+            }
+
+      - name: Checking if server ${{ env.server_major }} is EOL
+        if: ${{ env.server_major != '' }}
         run: |
           curl -s https://raw.githubusercontent.com/nextcloud-releases/updater_server/production/config/major_versions.json \
             | jq '.["${{ env.server_major }}"]["eol"] // "9999-99" | . >= "${{ env.current_month }}"' \

.github/workflows/block-merge-freeze.yml

@@ -28,8 +28,30 @@ jobs:
     runs-on: ubuntu-latest-low
 
     steps:
-      - name: Download version.php from ${{ github.base_ref }}
-        run: curl 'https://raw.githubusercontent.com/nextcloud/server/${{ github.base_ref }}/version.php' --output version.php
+      - name: Register server reference to fallback to master branch
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            const baseRef = context.payload.pull_request.base.ref
+            if (baseRef === 'main' || baseRef === 'master') {
+              core.exportVariable('server_ref', 'master');
+              console.log('Setting server_ref to master');
+            } else {
+              const regex = /^stable(\d+)$/
+              const match = baseRef.match(regex)
+              if (match) {
+                core.exportVariable('server_ref', match[0]);
+                console.log('Setting server_ref to ' + match[0]);
+              } else {
+                console.log('Not based on master/main/stable*, so skipping freeze check');
+              }
+            }
+
+      - name: Download version.php from ${{ env.server_ref }}
+        if: ${{ env.server_ref != '' }}
+        run: curl 'https://raw.githubusercontent.com/nextcloud/server/${{ env.server_ref }}/version.php' --output version.php
 
       - name: Run check
+        if: ${{ env.server_ref != '' }}
         run: cat version.php | grep 'OC_VersionString' | grep -i -v 'RC'

.github/workflows/block-outdated-3rdparty.yml

@@ -32,22 +32,44 @@ jobs:
 
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: 3rdparty commit hash on current branch
         id: actual
         run: |
           echo "commit=$(git submodule status | grep ' 3rdparty' | egrep -o '[a-f0-9]{40}')" >> "$GITHUB_OUTPUT"
 
+      - name: Register server reference to fallback to master branch
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            const baseRef = context.payload.pull_request.base.ref
+            if (baseRef === 'main' || baseRef === 'master') {
+              core.exportVariable('server_ref', 'master');
+              console.log('Setting server_ref to master');
+            } else {
+              const regex = /^stable(\d+)$/
+              const match = baseRef.match(regex)
+              if (match) {
+                core.exportVariable('server_ref', match[0]);
+                console.log('Setting server_ref to ' + match[0]);
+              } else {
+                console.log('Not based on master/main/stable*, so skipping freeze check');
+              }
+            }
+
       - name: Last 3rdparty commit on target branch
         id: target
         run: |
-          echo "commit=$(git ls-remote https://github.com/nextcloud/3rdparty refs/heads/${{ github.base_ref }} | awk '{ print $1}')" >> "$GITHUB_OUTPUT"
+          echo "commit=$(git ls-remote https://github.com/nextcloud/3rdparty refs/heads/${{ env.server_ref }} | awk '{ print $1}')" >> "$GITHUB_OUTPUT"
 
       - name: Compare if 3rdparty commits are different
         run: |
           echo '3rdparty/ seems to not point to the last commit of the dedicated branch:'
           echo 'Branch has: ${{ steps.actual.outputs.commit }}'
-          echo '${{ github.base_ref }} has: ${{ steps.target.outputs.commit }}'
+          echo '${{ env.server_ref }} has: ${{ steps.target.outputs.commit }}'
 
       - name: Fail if 3rdparty commits are different
         if: ${{ steps.changes.outputs.src != 'false' && steps.actual.outputs.commit != steps.target.outputs.commit }}

.github/workflows/command-pull-3rdparty.yml

@@ -38,24 +38,56 @@ jobs:
         id: comment-branch
 
       - name: Checkout ${{ steps.comment-branch.outputs.head_ref }}
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           fetch-depth: 0
           token: ${{ secrets.COMMAND_BOT_PAT }}
           ref: ${{ steps.comment-branch.outputs.head_ref }}
 
+      - name: Register server reference to fallback to master branch
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            const baseRef = context.payload.pull_request.base.ref
+            if (baseRef === 'main' || baseRef === 'master') {
+              core.exportVariable('server_ref', 'master');
+              console.log('Setting server_ref to master');
+            } else {
+              const regex = /^stable(\d+)$/
+              const match = baseRef.match(regex)
+              if (match) {
+                core.exportVariable('server_ref', match[0]);
+                console.log('Setting server_ref to ' + match[0]);
+              } else {
+                console.log('Not based on master/main/stable*, so skipping freeze check');
+              }
+            }
+
       - name: Setup git
         run: |
           git config --local user.email '[email protected]'
           git config --local user.name 'nextcloud-command'
 
+      - name: Add reaction on failure
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v3.0.1
+        if: ${{ env.server_ref == '' }}
+        with:
+          token: ${{ secrets.COMMAND_BOT_PAT }}
+          repository: ${{ github.event.repository.full_name }}
+          comment-id: ${{ github.event.comment.id }}
+          reactions: '-1'
+
       - name: Pull 3rdparty
-        run: git submodule foreach 'if [ "$sm_path" == "3rdparty" ]; then git pull origin '"'"'${{ github.event.issue.pull_request.base.ref }}'"'"'; fi'
+        if: ${{ env.server_ref != '' }}
+        run: git submodule foreach 'if [ "$sm_path" == "3rdparty" ]; then git pull origin '"'"'${{ env.server_ref }}'"'"'; fi'
 
       - name: Commit and push changes
+        if: ${{ env.server_ref != '' }}
         run: |
           git add 3rdparty
-          git commit -s -m 'Update submodule 3rdparty to latest ${{ github.event.issue.pull_request.base.ref }}'
+          git commit -s -m 'Update submodule 3rdparty to latest ${{ env.server_ref }}'
           git push
 
       - name: Add reaction on failure

.github/workflows/cypress.yml

@@ -150,7 +150,7 @@ jobs:
           SPLIT: ${{ matrix.total-containers }}
           SPLIT_INDEX: ${{ matrix.containers == 'component' && 0 || matrix.containers }}
 
-      - name: Upload snapshots
+      - name: Upload snapshots and videos
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: always()
         with:

.github/workflows/files-external-ftp.yml

@@ -6,6 +6,9 @@ on:
   schedule:
     - cron: "5 2 * * *"
 
+permissions:
+  contents: read
+
 concurrency:
   group: files-external-ftp-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
@@ -53,8 +56,9 @@ jobs:
 
     steps:
       - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           submodules: true
 
       - name: Set up ftpd

.github/workflows/files-external-s3.yml

@@ -6,6 +6,9 @@ on:
   schedule:
     - cron: "5 2 * * *"
 
+permissions:
+  contents: read
+
 concurrency:
   group: files-external-s3-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
@@ -50,7 +53,7 @@ jobs:
 
     services:
       minio:
-        image: bitnami/minio
+        image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22
         env:
           MINIO_ROOT_USER: nextcloud
           MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ=
@@ -60,8 +63,9 @@ jobs:
 
     steps:
       - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           submodules: true
 
       - name: Set up php ${{ matrix.php-versions }}
@@ -129,13 +133,13 @@ jobs:
         env:
           SERVICES: s3
           DEBUG: 1
-        image: localstack/localstack
+        image: localstack/localstack@sha256:b52c16663c70b7234f217cb993a339b46686e30a1a5d9279cb5feeb2202f837c # v4.4.0
         ports:
           - "4566:4566"
 
     steps:
       - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           submodules: true
 

.github/workflows/files-external-sftp.yml

@@ -6,6 +6,9 @@ on:
   schedule:
     - cron: "5 2 * * *"
 
+permissions:
+  contents: read
+
 concurrency:
   group: files-external-sftp-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
@@ -53,8 +56,9 @@ jobs:
 
     steps:
       - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           submodules: true
 
       - name: Set up sftpd

.github/workflows/files-external-smb-kerberos.yml

@@ -6,6 +6,9 @@ on:
   schedule:
     - cron: "5 2 * * *"
 
+permissions:
+  contents: read
+
 concurrency:
   group: files-external-smb-kerberos-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
@@ -43,13 +46,15 @@ jobs:
 
     steps:
       - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           submodules: true
 
       - name: Checkout user_saml
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           repository: nextcloud/user_saml
           path: apps/user_saml
 

.github/workflows/files-external-smb.yml

@@ -6,6 +6,9 @@ on:
   schedule:
     - cron: "5 2 * * *"
 
+permissions:
+  contents: read
+
 concurrency:
   group: files-external-smb-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
@@ -50,14 +53,15 @@ jobs:
 
     services:
       samba:
-        image: ghcr.io/nextcloud/continuous-integration-samba:latest
+        image: ghcr.io/nextcloud/continuous-integration-samba:latest # zizmor: ignore[unpinned-images]
         ports:
           - 445:445
 
     steps:
       - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           submodules: true
 
       - name: Set up php ${{ matrix.php-versions }}