Merge pull request #2988 from nextcloud/maintenance/pin-gh-actions-to-sha

Pin versions of GH actions and some minor updates

Author: christianlupus

.changelog/current/2988-pin-gh-versions.md

@@ -0,0 +1,3 @@
+# Maintenance
+
+- Pin GitHub actions to enhance security protection against dependency attacks

.github/dependabot.yml

@@ -7,25 +7,33 @@ updates:
     time: "03:00"
     timezone: Europe/Paris
   open-pull-requests-limit: 10
+  cooldown:
+    default-days: 7
 - package-ecosystem: composer
   directory: "/"
   schedule:
     interval: daily
     time: "03:00"
     timezone: Europe/Paris
   open-pull-requests-limit: 10
+  cooldown:
+    default-days: 7
 - package-ecosystem: bundler
   directory: "/docs"
   schedule:
     timezone: Europe/Berlin
     interval: daily
     time: "02:50"
   open-pull-requests-limit: 10
+  cooldown:
+    default-days: 7
 - package-ecosystem: github-actions
   directory: "/"
   schedule:
     timezone: Europe/Berlin
     interval: daily
     time: "02:50"
   open-pull-requests-limit: 10
+  cooldown:
+    default-days: 7
 

.github/workflows/build-test-images.yml

@@ -32,8 +32,10 @@ jobs:
                 fi
             
             - name: Checkout the app
-              uses: actions/checkout@v6
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
               if: ${{ steps.check.outputs.skip == 'false' }}
+              with:
+                persist-credentials: false
             - name: Make sure the appinfo is built
               shell: bash
               run: make appinfo/info.xml

.github/workflows/dependabot-approve-merge.yml

@@ -23,7 +23,7 @@ concurrency:
 
 jobs:
   auto-approve-merge:
-    if: github.actor == 'dependabot[bot]' || github.actor == 'renovate[bot]'
+    if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'renovate[bot]'
     runs-on: ubuntu-latest-low
     permissions:
       # for hmarr/auto-approve-action to approve PRs

.github/workflows/depending-issues.yml

@@ -29,7 +29,7 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: z0al/dependent-issues@v1.5.2
+      - uses: z0al/dependent-issues@950226e7ca8fc43dc209a7febf67c655af3bdb43
         env:
           # (Required) The token to use to make API calls to GitHub.
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/deploy-appstore.yml

@@ -20,25 +20,16 @@ jobs:
 
         steps:
             -   name: Checkout the project
-                uses: actions/checkout@v6
+                uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
                 with:
                     path: cookbook
                     ref: ${{ github.ref }}
                     fetch-depth: 0
+                    persist-credentials: false
 
             -   name: Get the date
                 id: date
                 run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
-            -   name: Use cache for NPM
-                uses: actions/cache@v5.0.1
-                with:
-                    path: |
-                        ~/.npm
-                        cookbook/node_modules
-                    key: ${{ runner.os }}-node-${{ steps.date.outputs.date }}-${{ hashFiles('cookbook/package-lock.json') }}
-                    restore-keys: |
-                        ${{ runner.os }}-node-${{ steps.date.outputs.date }}-
-                        ${{ runner.os }}-node-
 
             -   name: Install the NPM packages
                 run: npm ci
@@ -51,7 +42,7 @@ jobs:
             -   name: Extract app version
                 id: appversion
                 run: |
-                    version=$(echo ${{ github.ref }} | sed 's@^refs/tags/@@;s@^v@@i')
+                    version=$(echo ${GITHUB_REF} | sed 's@^refs/tags/@@;s@^v@@i')
                     echo -n "version=" >> $GITHUB_OUTPUT
                     echo "$version" >> $GITHUB_OUTPUT
                     if echo $version | grep '^[0-9]*\.[0-9]*\.[0-9]*$' > /dev/null
@@ -70,7 +61,7 @@ jobs:
                 run: ls -lh /tmp/cookbook-${{ steps.appversion.outputs.version }}.tar.gz
 
             -   name: Create release
-                uses: softprops/action-gh-release@v2.5.0
+                uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b
                 id: release
                 with:
                     files: /tmp/cookbook-${{ steps.appversion.outputs.version }}.tar.gz

.github/workflows/pages.yml

@@ -14,8 +14,6 @@ on:
 # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 permissions:
   contents: read
-  pages: write
-  id-token: write
 
 # Allow one concurrent deployment
 concurrency:
@@ -32,9 +30,11 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
       - name: Setup Pages
-        uses: actions/configure-pages@v5
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b
 
       - name: Count number of plantuml files
         id: count-plantuml
@@ -52,12 +52,12 @@ jobs:
         run: make -C docs build-uml-svg
 
       - name: Build with Jekyll
-        uses: actions/jekyll-build-pages@v1
+        uses: actions/jekyll-build-pages@44a6e6beabd48582f863aeeb6cb2151cc1716697
         with:
           source: ./docs/
           destination: ./docs/_site
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v4
+        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b
         with:
           path: ./docs/_site/
 
@@ -69,7 +69,10 @@ jobs:
     runs-on: ubuntu-24.04
     if: github.event.ref == 'refs/heads/master' && github.repository == 'nextcloud/cookbook'
     needs: build
+    permissions:
+      pages: write
+      id-token: write
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e

.github/workflows/publish-test-results.yml

@@ -26,10 +26,11 @@ jobs:
       - name: Download and Extract Artifacts
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          GITHUB_EVENT_WORKFLOW_RUN_ARTIFACTS_URL: ${{ github.event.workflow_run.artifacts_url }}
         run: |
            mkdir -p artifacts && cd artifacts
 
-           artifacts_url=${{ github.event.workflow_run.artifacts_url }}
+           artifacts_url=${GITHUB_EVENT_WORKFLOW_RUN_ARTIFACTS_URL}
 
            gh api "$artifacts_url" -q '.artifacts[] | [.name, .archive_download_url] | @tsv' | while read artifact
            do
@@ -39,7 +40,7 @@ jobs:
            done
 
       - name: Publish Unit Test Results
-        uses: EnricoMi/publish-unit-test-result-action@v2
+        uses: EnricoMi/publish-unit-test-result-action@27d65e188ec43221b20d26de30f4892fad91df2f
         with:
           commit: ${{ github.event.workflow_run.head_sha }}
           event_file: artifacts/Event File/event.json

.github/workflows/pull-checks.yml

@@ -12,10 +12,11 @@ jobs:
 
         steps:
             -   name: Checkout the app
-                uses: actions/checkout@v6
+                uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
                 with:
                     filter: "blob:none"
                     fetch-depth: 0
+                    persist-credentials: false
 
             -   name: Get the diff
                 id: diff
@@ -167,9 +168,10 @@ jobs:
 
         steps:
             -   name: Checkout of the app
-                uses: actions/checkout@v6
+                uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
                 with:
                     fetch-depth: 1
+                    persist-credentials: false
 
             -   name: Install dependencies
                 run: |
@@ -200,7 +202,7 @@ jobs:
                 run: wget https://raw.githubusercontent.com/nextcloud/appstore/master/nextcloudappstore/api/v1/release/info.xsd
 
             -   name: Lint info.xml
-                uses: ChristophWurst/xmllint-action@v1
+                uses: ChristophWurst/xmllint-action@7c54ff113fc0f6d4588a15cb4dfe31b6ecca5212
                 with:
                     xml-file: ./appinfo/info.xml
                     xml-schema-file: ./info.xsd
@@ -211,14 +213,15 @@ jobs:
 
         steps:
             -   name: Checkout of the app
-                uses: actions/checkout@v6
+                uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
                 with:
                     fetch-depth: 1
+                    persist-credentials: false
             -   name: Get the date
                 id: date
                 run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
             -   name: Cache NPM cache
-                uses: actions/cache@v5.0.1
+                uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306
                 with:
                     path: |
                         ~/.npm
@@ -247,6 +250,6 @@ jobs:
 
         steps:
             -   name: Run check
-                uses: xt0rted/block-autosquash-commits-action@v2
+                uses: xt0rted/block-autosquash-commits-action@79880c36b4811fe549cfffe20233df88876024e7
                 with:
                     repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/stale.yml

@@ -12,7 +12,7 @@ jobs:
 
         steps:
 
-          - uses: actions/stale@v10
+          - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d
             name: Close stale issues
             with:
                 days-before-stale: 45