diff --git a/.github/workflows/appstore-build-publish.yml b/.github/workflows/appstore-build-publish.yml index 8c1692cea..9a065b51b 100644 --- a/.github/workflows/appstore-build-publish.yml +++ b/.github/workflows/appstore-build-publish.yml @@ -12,6 +12,9 @@ on: release: types: [published] +permissions: + contents: write + jobs: build_and_publish: runs-on: ubuntu-latest @@ -34,11 +37,23 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false path: ${{ env.APP_NAME }} + - name: Get app version number + id: app-version + uses: skjnldsv/xpath-action@f5b036e9d973f42c86324833fd00be90665fbf77 # master + with: + filename: ${{ env.APP_NAME }}/appinfo/info.xml + expression: "//info//version/text()" + + - name: Validate app version against tag + run: | + [ "${{ env.APP_VERSION }}" = "v${{ fromJSON(steps.app-version.outputs.result).version }}" ] + - name: Get appinfo data id: appinfo - uses: skjnldsv/xpath-action@7e6a7c379d0e9abc8acaef43df403ab4fc4f770c # master + uses: skjnldsv/xpath-action@f5b036e9d973f42c86324833fd00be90665fbf77 # master with: filename: ${{ env.APP_NAME }}/appinfo/info.xml expression: "//info//dependencies//nextcloud/@min-version" @@ -137,6 +152,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 if: ${{ steps.server-checkout.outcome != 'success' }} with: + persist-credentials: false submodules: true repository: nextcloud/server path: nextcloud diff --git a/.github/workflows/dependabot-approve-merge.yml b/.github/workflows/dependabot-approve-merge.yml index efe8bfe37..ed902d928 100644 --- a/.github/workflows/dependabot-approve-merge.yml +++ b/.github/workflows/dependabot-approve-merge.yml @@ -9,7 +9,7 @@ name: Dependabot on: - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] branches: - main - master @@ -24,7 +24,7 @@ concurrency: jobs: auto-approve-merge: - if: github.actor == 'dependabot[bot]' || github.actor == 'renovate[bot]' + if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'renovate[bot]' runs-on: ubuntu-latest-low permissions: # for hmarr/auto-approve-action to approve PRs diff --git a/.github/workflows/lint-eslint.yml b/.github/workflows/lint-eslint.yml index cbbcd5aa4..1b1d5328c 100644 --- a/.github/workflows/lint-eslint.yml +++ b/.github/workflows/lint-eslint.yml @@ -57,6 +57,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Read package.json node and npm engines version uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 diff --git a/.github/workflows/lint-info-xml.yml b/.github/workflows/lint-info-xml.yml index 290f4eeed..25b655043 100644 --- a/.github/workflows/lint-info-xml.yml +++ b/.github/workflows/lint-info-xml.yml @@ -25,6 +25,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Download schema run: wget https://raw.githubusercontent.com/nextcloud/appstore/master/nextcloudappstore/api/v1/release/info.xsd diff --git a/.github/workflows/lint-php-cs.yml b/.github/workflows/lint-php-cs.yml index 14e401869..0a22b80b0 100644 --- a/.github/workflows/lint-php-cs.yml +++ b/.github/workflows/lint-php-cs.yml @@ -45,7 +45,7 @@ jobs: - name: Install dependencies run: | - composer remove nextcloud/ocp --dev + composer remove nextcloud/ocp --dev --no-scripts composer i - name: Lint diff --git a/.github/workflows/lint-php.yml b/.github/workflows/lint-php.yml index 0f07a932d..9e2de3035 100644 --- a/.github/workflows/lint-php.yml +++ b/.github/workflows/lint-php.yml @@ -25,6 +25,9 @@ jobs: steps: - name: Checkout app uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - name: Get version matrix id: versions uses: icewind1991/nextcloud-version-matrix@58becf3b4bb6dc6cef677b15e2fd8e7d48c0908f # v1.0.0 @@ -41,6 +44,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up php ${{ matrix.php-versions }} uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # v2.34.1 diff --git a/.github/workflows/node-test.yml b/.github/workflows/node-test.yml index e8b083c02..2472e479d 100644 --- a/.github/workflows/node-test.yml +++ b/.github/workflows/node-test.yml @@ -61,6 +61,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Read package.json node and npm engines version uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3 diff --git a/.github/workflows/openapi.yml b/.github/workflows/openapi.yml index dbbc4c919..6fc872a8f 100644 --- a/.github/workflows/openapi.yml +++ b/.github/workflows/openapi.yml @@ -27,6 +27,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Get php version id: php_versions @@ -68,7 +70,7 @@ jobs: if: ${{ steps.node_versions.outputs.nodeVersion }} run: npm i -g 'npm@${{ steps.node_versions.outputs.npmVersion }}' - - name: Install dependencies & build + - name: Install dependencies if: ${{ steps.node_versions.outputs.nodeVersion }} env: CYPRESS_INSTALL_BINARY: 0 diff --git a/.github/workflows/phpunit-mariadb.yml b/.github/workflows/phpunit-mariadb.yml index eb6bf102c..720b777a6 100644 --- a/.github/workflows/phpunit-mariadb.yml +++ b/.github/workflows/phpunit-mariadb.yml @@ -26,6 +26,8 @@ jobs: steps: - name: Checkout app uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Get version matrix id: versions @@ -68,21 +70,22 @@ jobs: matrix: php-versions: ${{ fromJson(needs.matrix.outputs.php-version) }} server-versions: ${{ fromJson(needs.matrix.outputs.server-max) }} - mariadb-versions: ['10.6', '10.11'] + mariadb-versions: ['10.6', '11.4'] name: MariaDB ${{ matrix.mariadb-versions }} PHP ${{ matrix.php-versions }} Nextcloud ${{ matrix.server-versions }} services: mariadb: - image: ghcr.io/nextcloud/continuous-integration-mariadb-${{ matrix.mariadb-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mariadb-${{ matrix.mariadb-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 4444:3306/tcp env: - MYSQL_ROOT_PASSWORD: rootpassword - options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 5 + MARIADB_ROOT_PASSWORD: rootpassword + options: --health-cmd="mariadb-admin ping" --health-interval 5s --health-timeout 2s --health-retries 5 steps: - name: Set app env + if: ${{ env.APP_NAME == '' }} run: | # Split and keep last echo "APP_NAME=${GITHUB_REPOSITORY##*/}" >> $GITHUB_ENV @@ -90,6 +93,7 @@ jobs: - name: Checkout server uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true repository: nextcloud/server ref: ${{ matrix.server-versions }} @@ -97,6 +101,7 @@ jobs: - name: Checkout app uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false path: apps/${{ env.APP_NAME }} - name: Checkout teams dependency @@ -114,6 +119,8 @@ jobs: extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, mysql, pdo_mysql coverage: none ini-file: development + # Temporary workaround for missing pcntl_* in PHP 8.3 + ini-values: disable_functions= env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -132,7 +139,9 @@ jobs: # Only run if phpunit config file exists if: steps.check_composer.outputs.files_exists == 'true' working-directory: apps/${{ env.APP_NAME }} - run: composer i + run: | + composer remove nextcloud/ocp --dev --no-scripts + composer i - name: Set up Nextcloud env: diff --git a/.github/workflows/phpunit-mysql.yml b/.github/workflows/phpunit-mysql.yml index 859ef4e54..99f545bfa 100644 --- a/.github/workflows/phpunit-mysql.yml +++ b/.github/workflows/phpunit-mysql.yml @@ -25,6 +25,8 @@ jobs: steps: - name: Checkout app uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Get version matrix id: versions @@ -72,7 +74,7 @@ jobs: services: mysql: - image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest + image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images] ports: - 4444:3306/tcp env: @@ -81,6 +83,7 @@ jobs: steps: - name: Set app env + if: ${{ env.APP_NAME == '' }} run: | # Split and keep last echo "APP_NAME=${GITHUB_REPOSITORY##*/}" >> $GITHUB_ENV @@ -88,6 +91,7 @@ jobs: - name: Checkout server uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true repository: nextcloud/server ref: ${{ matrix.server-versions }} @@ -95,6 +99,7 @@ jobs: - name: Checkout app uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false path: apps/${{ env.APP_NAME }} - name: Checkout teams dependency @@ -112,6 +117,8 @@ jobs: extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, mysql, pdo_mysql coverage: none ini-file: development + # Temporary workaround for missing pcntl_* in PHP 8.3 + ini-values: disable_functions= env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -130,7 +137,9 @@ jobs: # Only run if phpunit config file exists if: steps.check_composer.outputs.files_exists == 'true' working-directory: apps/${{ env.APP_NAME }} - run: composer i + run: | + composer remove nextcloud/ocp --dev --no-scripts + composer i - name: Set up Nextcloud env: diff --git a/.github/workflows/phpunit-oci.yml b/.github/workflows/phpunit-oci.yml index a293f2416..30ee39101 100644 --- a/.github/workflows/phpunit-oci.yml +++ b/.github/workflows/phpunit-oci.yml @@ -26,6 +26,8 @@ jobs: steps: - name: Checkout app uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Get version matrix id: versions @@ -94,6 +96,7 @@ jobs: steps: - name: Set app env + if: ${{ env.APP_NAME == '' }} run: | # Split and keep last echo "APP_NAME=${GITHUB_REPOSITORY##*/}" >> $GITHUB_ENV @@ -101,6 +104,7 @@ jobs: - name: Checkout server uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true repository: nextcloud/server ref: ${{ matrix.server-versions }} @@ -108,6 +112,7 @@ jobs: - name: Checkout app uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false path: apps/${{ env.APP_NAME }} - name: Checkout teams dependency @@ -125,6 +130,8 @@ jobs: extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, oci8 coverage: none ini-file: development + # Temporary workaround for missing pcntl_* in PHP 8.3 + ini-values: disable_functions= env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -138,7 +145,9 @@ jobs: # Only run if phpunit config file exists if: steps.check_composer.outputs.files_exists == 'true' working-directory: apps/${{ env.APP_NAME }} - run: composer i + run: | + composer remove nextcloud/ocp --dev --no-scripts + composer i - name: Set up Nextcloud env: diff --git a/.github/workflows/phpunit-pgsql.yml b/.github/workflows/phpunit-pgsql.yml index 5318136f7..b00a820bc 100644 --- a/.github/workflows/phpunit-pgsql.yml +++ b/.github/workflows/phpunit-pgsql.yml @@ -26,6 +26,8 @@ jobs: steps: - name: Checkout app uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Get version matrix id: versions @@ -73,7 +75,7 @@ jobs: services: postgres: - image: ghcr.io/nextcloud/continuous-integration-postgres-14:latest + image: ghcr.io/nextcloud/continuous-integration-postgres-16:latest # zizmor: ignore[unpinned-images] ports: - 4444:5432/tcp env: @@ -84,6 +86,7 @@ jobs: steps: - name: Set app env + if: ${{ env.APP_NAME == '' }} run: | # Split and keep last echo "APP_NAME=${GITHUB_REPOSITORY##*/}" >> $GITHUB_ENV @@ -91,6 +94,7 @@ jobs: - name: Checkout server uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true repository: nextcloud/server ref: ${{ matrix.server-versions }} @@ -98,6 +102,7 @@ jobs: - name: Checkout app uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false path: apps/${{ env.APP_NAME }} - name: Checkout teams dependency @@ -115,6 +120,8 @@ jobs: extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, pgsql, pdo_pgsql coverage: none ini-file: development + # Temporary workaround for missing pcntl_* in PHP 8.3 + ini-values: disable_functions= env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -128,7 +135,9 @@ jobs: # Only run if phpunit config file exists if: steps.check_composer.outputs.files_exists == 'true' working-directory: apps/${{ env.APP_NAME }} - run: composer i + run: | + composer remove nextcloud/ocp --dev --no-scripts + composer i - name: Set up Nextcloud env: diff --git a/.github/workflows/phpunit-sqlite.yml b/.github/workflows/phpunit-sqlite.yml index a3d90415b..6f1a838eb 100644 --- a/.github/workflows/phpunit-sqlite.yml +++ b/.github/workflows/phpunit-sqlite.yml @@ -26,6 +26,8 @@ jobs: steps: - name: Checkout app uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Get version matrix id: versions @@ -73,6 +75,7 @@ jobs: steps: - name: Set app env + if: ${{ env.APP_NAME == '' }} run: | # Split and keep last echo "APP_NAME=${GITHUB_REPOSITORY##*/}" >> $GITHUB_ENV @@ -80,6 +83,7 @@ jobs: - name: Checkout server uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false submodules: true repository: nextcloud/server ref: ${{ matrix.server-versions }} @@ -87,6 +91,7 @@ jobs: - name: Checkout app uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false path: apps/${{ env.APP_NAME }} - name: Checkout teams app @@ -111,6 +116,8 @@ jobs: extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite coverage: xdebug ini-file: development + # Temporary workaround for missing pcntl_* in PHP 8.3 + ini-values: disable_functions= env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -124,7 +131,9 @@ jobs: # Only run if phpunit config file exists if: steps.check_composer.outputs.files_exists == 'true' working-directory: apps/${{ env.APP_NAME }} - run: composer i + run: | + composer remove nextcloud/ocp --dev --no-scripts + composer i - name: Set up Nextcloud env: diff --git a/.github/workflows/pr-feedback.yml b/.github/workflows/pr-feedback.yml index 7d4966907..5a5093a0d 100644 --- a/.github/workflows/pr-feedback.yml +++ b/.github/workflows/pr-feedback.yml @@ -36,7 +36,7 @@ jobs: blocklist=$(curl https://raw.githubusercontent.com/nextcloud/.github/master/non-community-usernames.txt | paste -s -d, -) echo "blocklist=$blocklist" >> "$GITHUB_OUTPUT" - - uses: marcelklehr/pr-feedback-action@1883b38a033fb16f576875e0cf45f98b857655c4 + - uses: nextcloud/pr-feedback-action@d7257d0e6298aace6a627c796390c5490f6be33b # main with: feedback-message: | Hello there, @@ -50,6 +50,6 @@ jobs: (If you believe you should not receive this message, you can add yourself to the [blocklist](https://github.com/nextcloud/.github/blob/master/non-community-usernames.txt).) days-before-feedback: 14 - start-date: '2024-04-30' + start-date: '2025-06-12' exempt-authors: '${{ steps.blocklist.outputs.blocklist }},${{ steps.scrape.outputs.users }}' exempt-bots: true diff --git a/.github/workflows/psalm-matrix.yml b/.github/workflows/psalm-matrix.yml index 5e686f1b1..44dbfa744 100644 --- a/.github/workflows/psalm-matrix.yml +++ b/.github/workflows/psalm-matrix.yml @@ -14,6 +14,9 @@ concurrency: group: psalm-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: + contents: read + jobs: matrix: runs-on: ubuntu-latest-low @@ -22,10 +25,16 @@ jobs: steps: - name: Checkout app uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - name: Get version matrix id: versions uses: icewind1991/nextcloud-version-matrix@58becf3b4bb6dc6cef677b15e2fd8e7d48c0908f # v1.3.1 + - name: Check enforcement of minimum PHP version ${{ steps.versions.outputs.php-min }} in psalm.xml + run: grep 'phpVersion="${{ steps.versions.outputs.php-min }}' psalm.xml + static-analysis: runs-on: ubuntu-latest needs: matrix @@ -38,28 +47,32 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - - name: Set up php${{ matrix.php-versions }} + - name: Set up php${{ matrix.php-min }} uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # v2.34.1 with: - php-version: ${{ matrix.php-versions }} + php-version: ${{ matrix.php-min }} extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite coverage: none ini-file: development + # Temporary workaround for missing pcntl_* in PHP 8.3 + ini-values: disable_functions= env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Install dependencies run: | - composer remove nextcloud/ocp --dev + composer remove nextcloud/ocp --dev --no-scripts composer i - - name: Install dependencies + - name: Install dependencies # zizmor: ignore[template-injection] run: composer require --dev 'nextcloud/ocp:${{ matrix.ocp-version }}' --ignore-platform-reqs --with-dependencies - name: Run coding standards check - run: composer run psalm + run: composer run psalm -- --threads=1 --monochrome --no-progress --output-format=github summary: runs-on: ubuntu-latest-low diff --git a/psalm.xml b/psalm.xml index 44851b400..0479684f5 100644 --- a/psalm.xml +++ b/psalm.xml @@ -9,6 +9,7 @@ xmlns="https://getpsalm.org/schema/config" xsi:schemaLocation="https://getpsalm.org/schema/config vendor-bin/psalm/vendor/vimeo/psalm/config.xsd" errorBaseline="tests/psalm-baseline.xml" + phpVersion="8.1" >