Merge pull request #4471 from nextcloud/dep/actions-2

dartcafe · web-flow · commit 595982743ec0 · 2026-01-31T14:38:51.000+01:00
Update actions
diff --git a/.github/actions/get-polls-version/action.yml b/.github/actions/get-polls-version/action.yml
@@ -1,6 +1,7 @@
 # SPDX-FileCopyrightText: 2022 Nextcloud contributors
 # SPDX-License-Identifier: AGPL-3.0-or-later
 name: Read polls version from info.xml
+description: 'Get app version from info.xml and compare it to tag name'
 inputs:
   skip-check:
     description: Do not check tag against version
@@ -21,7 +22,7 @@ runs:
   steps:
     - name: Get app version from appinfo/info.xml
       id: appinfo
-      uses: mavrosxristoforos/get-xml-info@2.0
+      uses: mavrosxristoforos/get-xml-info@afaa5058ead44cfaff92c6a861b46dd7a8929f60 # v2.0
       with:
         xml-file: 'appinfo/info.xml'
         xpath: '//info//version'
@@ -33,7 +34,7 @@ runs:
 
     - name: Compare versions
       if: ${{ !inputs.skip-version && format('v{0}', steps.appinfo.outputs.info) != steps.gettag.outputs.VERSION }}
-      uses: actions/github-script@v6
+      uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
       with:
         script: |
           core.setFailed('App version ${{ format('v{0}', steps.appinfo.outputs.info) }} is not equal to tag name ${{ steps.gettag.outputs.VERSION }}!')
diff --git a/.github/actions/setup-composer/action.yml b/.github/actions/setup-composer/action.yml
@@ -1,6 +1,7 @@
 # SPDX-FileCopyrightText: 2022 Nextcloud contributors
 # SPDX-License-Identifier: AGPL-3.0-or-later
 name: Setup composer and PHP
+description: 'Setup PHP environment and install composer dependencies with caching'
 inputs:
   php-version:
     description: 'PHP version (default: 8.2)'
@@ -34,7 +35,7 @@ runs:
   using: 'composite'
   steps:
     - name: Use or setup caching composer packages (${{ inputs.mode }})
-      uses: actions/cache@v4
+      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # version 5.0.3
       id: cache-composer
       env:
         cache-name: cache-composer-${{ inputs.mode }}
@@ -47,7 +48,7 @@ runs:
           ${{ runner.os }}-
 
     - name: Set up php ${{ inputs.php-version }}
-      uses: shivammathur/setup-php@v2
+      uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2.36.0
       with:
         php-version: ${{ inputs.php-version }}
         tools: ${{ inputs.php-tools }}
diff --git a/.github/actions/setup-node/action.yml b/.github/actions/setup-node/action.yml
@@ -1,6 +1,7 @@
 # SPDX-FileCopyrightText: 2022 Nextcloud contributors
 # SPDX-License-Identifier: AGPL-3.0-or-later
 name: Setup node and dependencies
+description: 'Setup node environment and install npm dependencies'
 inputs:
   node-version:
     required: false
@@ -16,7 +17,7 @@ runs:
   using: 'composite'
   steps:
     - name: Use or setup caching npm modules
-      uses: actions/cache@v4
+      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # version 5.0.3
       id: cache-modules
       env:
         cache-name: cache-node-modules
@@ -29,7 +30,7 @@ runs:
           ${{ runner.os }}-
 
     - name: Set up node ${{ inputs.node-version }}
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
       with:
         node-version: ${{ inputs.node-version }}
 
diff --git a/.github/actions/setup-server/action.yml b/.github/actions/setup-server/action.yml
@@ -1,6 +1,7 @@
 # SPDX-FileCopyrightText: 2022 Nextcloud contributors
 # SPDX-License-Identifier: AGPL-3.0-or-later
 name: Checkout and setup server
+description: 'Checkout Nextcloud server and app, setup PHP and install dependencies'
 inputs:
   server-version:
     required: false
@@ -55,7 +56,7 @@ runs:
   using: 'composite'
   steps:
     - name: Checkout server ${{ inputs.server-version }}
-      uses: actions/checkout@v4
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         path: ${{ inputs.server-path }}
         repository: nextcloud/server
@@ -70,12 +71,12 @@ runs:
         git -c "http.extraheader=$auth_header" -c protocol.version=2 submodule update --init --force --recursive --depth=1
 
     - name: Checkout ${{ inputs.app-name }}
-      uses: actions/checkout@v4
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         path: ${{ inputs.server-path }}/apps/${{ inputs.app-name }}
 
     - name: Set up php ${{ inputs.php-version }}
-      uses: shivammathur/setup-php@v2
+      uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2.36.0
       with:
         php-version: ${{ inputs.php-version }}
         tools: ${{ inputs.php-tools }}
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
@@ -8,14 +8,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # Default github action approve
-      - uses: hmarr/auto-approve-action@v4
+      - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # 4.0.0
         if: github.ref == 'refs/heads/master' &&
             (github.actor == 'dependabot[bot]' || github.actor == 'dependabot-preview[bot]')
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
       # Nextcloud bot approve and merge request
-      - uses: ahmadnassri/action-dependabot-auto-merge@v2
+      - uses: ahmadnassri/action-dependabot-auto-merge@45fc124d949b19b6b8bf6645b6c9d55f4f9ac61a # 2.6.6
         if: github.ref == 'refs/heads/master' &&
             (github.actor == 'dependabot[bot]' || github.actor == 'dependabot-preview[bot]')
         with:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -30,10 +30,10 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
+      uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 #4.32.0
       with:
         languages: ${{ matrix.language }}
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v4
+      uses: github/codeql-action/autobuild@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 #4.32.0
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 #4.32.0
diff --git a/.github/workflows/lock-closed-issues.yml b/.github/workflows/lock-closed-issues.yml
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 name: 'Lock Issues'
 
-on: 
+on:
   schedule:
     - cron: '2 4 * * *'
 
@@ -12,7 +12,7 @@ jobs:
   lock:
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@v6
+      - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 #v6.0.0
         with:
           github-token: ${{ github.token }}
           issue-inactive-days: '31'
diff --git a/.github/workflows/publish_alpha.yml b/.github/workflows/publish_alpha.yml
@@ -49,13 +49,13 @@ jobs:
     - name: Extract release notes
       if: success()
       id: extract-release-notes
-      uses: ffurrer2/extract-release-notes@v3
+      uses: ffurrer2/extract-release-notes@202313ec7461b6b9e401996714484690ab1ae105 # 3.0.0
       with:
         prerelease: true
 
     - name: Publish pre-release ${{ steps.appinfo.outputs.app-version }}
       if: success()
-      uses: softprops/action-gh-release@v2
+      uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # 2.5.0
       with:
         body: "# Changelog for the upcoming release (preview)\n ${{ steps.extract-release-notes.outputs.release_notes }} "
         prerelease: true
diff --git a/.github/workflows/publish_beta.yml b/.github/workflows/publish_beta.yml
@@ -51,13 +51,13 @@ jobs:
     - name: Extract release notes
       if: success()
       id: extract-release-notes
-      uses: ffurrer2/extract-release-notes@v3
+      uses: ffurrer2/extract-release-notes@202313ec7461b6b9e401996714484690ab1ae105 # 3.0.0
       with:
         prerelease: true
 
     - name: Publish pre-release ${{ steps.appinfo.outputs.app-version }}
       if: success()
-      uses: softprops/action-gh-release@v2
+      uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # 2.5.0
       with:
         body: "# Changelog for the upcoming release (preview)\n ${{ steps.extract-release-notes.outputs.release_notes }} "
         prerelease: true
diff --git a/.github/workflows/publish_release.yml b/.github/workflows/publish_release.yml
@@ -50,11 +50,11 @@ jobs:
     - name: Extract release notes
       if: success()
       id: extract-release-notes
-      uses: ffurrer2/extract-release-notes@v3
+      uses: ffurrer2/extract-release-notes@202313ec7461b6b9e401996714484690ab1ae105 # 3.0.0
 
     - name: Draft Release
       if: success()
-      uses: softprops/action-gh-release@v2
+      uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # 2.5.0
       with:
         body: "# Changelog ${{ steps.appinfo.outputs.app-version }} \n ${{ steps.extract-release-notes.outputs.release_notes }} "
         prerelease: false
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -10,7 +10,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@v10
+    - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # 10.1.1
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'This issue is marked as stale, because it had no activity in the last 30 days. It will be closed in 5 days.'
diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,7 @@
 # SPDX-FileCopyrightText: 2016 Nextcloud contributors
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
+.env
 # build dirs
 /assets
 /css/*.map
