From aae211262386b222069c8f94e9bfe62d78414e77 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 27 Apr 2026 00:47:36 +0000 Subject: [PATCH] fix: remove zizmor.yml and fix all workflow security issues Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/19702b0d-13f7-43fb-bc62-d2cdca2232b5 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com> --- .github/workflows/codespell.yml | 3 +++ .github/workflows/collabora.yml | 4 ++++ .github/workflows/community-containers.yml | 3 +++ .github/workflows/dependency-updates.yml | 6 +++++- .github/workflows/helm-release.yml | 3 +++ .github/workflows/imaginary-update.yml | 4 ++++ .github/workflows/json-validator.yml | 3 +++ .github/workflows/lint-helm.yml | 3 +++ .github/workflows/nextcloud-update.yml | 4 ++++ .github/workflows/php-deprecation-detector.yml | 5 ++++- .github/workflows/playwright-on-push.yml | 3 +++ .../workflows/playwright-on-workflow-dispatch.yml | 3 +++ .github/workflows/psalm-update-baseline.yml | 6 +++++- .github/workflows/shellcheck.yml | 3 +++ .github/workflows/talk.yml | 4 ++++ .github/workflows/twig-lint.yml | 2 +- .github/workflows/update-copyright.yml | 3 +++ .github/workflows/update-helm.yml | 4 ++++ .github/workflows/update-yaml.yml | 4 ++++ .github/workflows/watchtower-update.yml | 4 ++++ zizmor.yml | 14 -------------- 21 files changed, 70 insertions(+), 18 deletions(-) delete mode 100644 zizmor.yml diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index 73af5a23..7611c0dc 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml @@ -6,6 +6,9 @@ on: branches: - main +permissions: + contents: read + jobs: codespell: name: Check spelling diff --git a/.github/workflows/collabora.yml b/.github/workflows/collabora.yml index a600a804..0c2e6018 100644 --- a/.github/workflows/collabora.yml +++ b/.github/workflows/collabora.yml @@ -5,6 +5,10 @@ on: schedule: - cron: '00 12 * * *' +permissions: + contents: write + pull-requests: write + jobs: collabora-update: name: update collabora diff --git a/.github/workflows/community-containers.yml b/.github/workflows/community-containers.yml index 5271bfa8..f699c4a7 100644 --- a/.github/workflows/community-containers.yml +++ b/.github/workflows/community-containers.yml @@ -10,6 +10,9 @@ on: paths: - 'community-containers/**' +permissions: + contents: read + jobs: validator-community-containers: name: Validate community containers diff --git a/.github/workflows/dependency-updates.yml b/.github/workflows/dependency-updates.yml index eec61c36..bcd229c9 100644 --- a/.github/workflows/dependency-updates.yml +++ b/.github/workflows/dependency-updates.yml @@ -5,13 +5,17 @@ on: schedule: - cron: '00 12 * * *' +permissions: + contents: write + pull-requests: write + jobs: dependency_updates: name: Run dependency update script runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2 + - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # master with: php-version: 8.5 extensions: apcu diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml index 31ceda0c..179f5988 100644 --- a/.github/workflows/helm-release.yml +++ b/.github/workflows/helm-release.yml @@ -8,6 +8,9 @@ on: paths: - 'nextcloud-aio-helm-chart/**' +permissions: + contents: write + jobs: release: runs-on: ubuntu-latest diff --git a/.github/workflows/imaginary-update.yml b/.github/workflows/imaginary-update.yml index b1760d8d..c7444851 100644 --- a/.github/workflows/imaginary-update.yml +++ b/.github/workflows/imaginary-update.yml @@ -5,6 +5,10 @@ on: schedule: - cron: '00 12 * * *' +permissions: + contents: write + pull-requests: write + jobs: run_update: name: update to latest imaginary commit on master branch diff --git a/.github/workflows/json-validator.yml b/.github/workflows/json-validator.yml index 8c0a7f45..5143e2c8 100644 --- a/.github/workflows/json-validator.yml +++ b/.github/workflows/json-validator.yml @@ -10,6 +10,9 @@ on: paths: - '**.json' +permissions: + contents: read + jobs: json-validator: name: Json Validator diff --git a/.github/workflows/lint-helm.yml b/.github/workflows/lint-helm.yml index 002d6737..99370cd7 100644 --- a/.github/workflows/lint-helm.yml +++ b/.github/workflows/lint-helm.yml @@ -6,6 +6,9 @@ on: paths: - 'nextcloud-aio-helm-chart/**' +permissions: + contents: read + jobs: lint-helm: runs-on: ubuntu-latest diff --git a/.github/workflows/nextcloud-update.yml b/.github/workflows/nextcloud-update.yml index e26f8a2f..4957c100 100644 --- a/.github/workflows/nextcloud-update.yml +++ b/.github/workflows/nextcloud-update.yml @@ -6,6 +6,10 @@ on: schedule: - cron: '00 12 * * *' +permissions: + contents: write + pull-requests: write + jobs: run_update_sh: name: Run nextcloud-update script diff --git a/.github/workflows/php-deprecation-detector.yml b/.github/workflows/php-deprecation-detector.yml index e423ba0a..e4ca5c21 100644 --- a/.github/workflows/php-deprecation-detector.yml +++ b/.github/workflows/php-deprecation-detector.yml @@ -11,6 +11,9 @@ on: paths: - 'php/**' +permissions: + contents: read + jobs: phpdd: name: PHP Deprecation Detector @@ -18,7 +21,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up php - uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # master with: php-version: 8.5 extensions: apcu diff --git a/.github/workflows/playwright-on-push.yml b/.github/workflows/playwright-on-push.yml index 185579f7..5c9d2cf9 100644 --- a/.github/workflows/playwright-on-push.yml +++ b/.github/workflows/playwright-on-push.yml @@ -19,6 +19,9 @@ concurrency: env: BASE_URL: https://localhost:8080 +permissions: + contents: read + jobs: test: timeout-minutes: 60 diff --git a/.github/workflows/playwright-on-workflow-dispatch.yml b/.github/workflows/playwright-on-workflow-dispatch.yml index ab91f05e..d56fb5e4 100644 --- a/.github/workflows/playwright-on-workflow-dispatch.yml +++ b/.github/workflows/playwright-on-workflow-dispatch.yml @@ -6,6 +6,9 @@ on: env: BASE_URL: https://localhost:8080 +permissions: + contents: read + jobs: test: timeout-minutes: 60 diff --git a/.github/workflows/psalm-update-baseline.yml b/.github/workflows/psalm-update-baseline.yml index 953977ac..83c1fcc1 100644 --- a/.github/workflows/psalm-update-baseline.yml +++ b/.github/workflows/psalm-update-baseline.yml @@ -5,6 +5,10 @@ on: schedule: - cron: '5 4 * * *' +permissions: + contents: write + pull-requests: write + jobs: update-psalm-baseline: runs-on: ubuntu-latest @@ -13,7 +17,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up php - uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # master with: php-version: 8.5 extensions: apcu diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index 101507e8..b62d8d82 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml @@ -10,6 +10,9 @@ on: paths: - '**.sh' +permissions: + contents: read + jobs: shellcheck: name: Check Shell diff --git a/.github/workflows/talk.yml b/.github/workflows/talk.yml index 0df596d4..d452d14a 100644 --- a/.github/workflows/talk.yml +++ b/.github/workflows/talk.yml @@ -5,6 +5,10 @@ on: schedule: - cron: '00 12 * * *' +permissions: + contents: write + pull-requests: write + jobs: talk-update: name: update talk diff --git a/.github/workflows/twig-lint.yml b/.github/workflows/twig-lint.yml index 910ecbf5..4dccc6f2 100644 --- a/.github/workflows/twig-lint.yml +++ b/.github/workflows/twig-lint.yml @@ -27,7 +27,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up php ${{ matrix.php-versions }} - uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # master with: php-version: 8.5 extensions: apcu diff --git a/.github/workflows/update-copyright.yml b/.github/workflows/update-copyright.yml index 103851c9..bd1990fe 100644 --- a/.github/workflows/update-copyright.yml +++ b/.github/workflows/update-copyright.yml @@ -3,6 +3,9 @@ name: Update Copyright on: workflow_dispatch: +permissions: + contents: read + jobs: update-copyright: name: update copyright diff --git a/.github/workflows/update-helm.yml b/.github/workflows/update-helm.yml index 961e7044..e11a1009 100644 --- a/.github/workflows/update-helm.yml +++ b/.github/workflows/update-helm.yml @@ -5,6 +5,10 @@ on: schedule: - cron: '00 12 * * *' +permissions: + contents: write + pull-requests: write + jobs: update-helm: name: update helm chart diff --git a/.github/workflows/update-yaml.yml b/.github/workflows/update-yaml.yml index 4584a94d..0a8aba49 100644 --- a/.github/workflows/update-yaml.yml +++ b/.github/workflows/update-yaml.yml @@ -5,6 +5,10 @@ on: schedule: - cron: '00 12 * * *' +permissions: + contents: write + pull-requests: write + jobs: update-yaml: name: update yaml files diff --git a/.github/workflows/watchtower-update.yml b/.github/workflows/watchtower-update.yml index 5f21ef73..c1250858 100644 --- a/.github/workflows/watchtower-update.yml +++ b/.github/workflows/watchtower-update.yml @@ -5,6 +5,10 @@ on: schedule: - cron: '00 12 * * *' +permissions: + contents: write + pull-requests: write + jobs: watchtower-update: name: update watchtower diff --git a/zizmor.yml b/zizmor.yml deleted file mode 100644 index 6e7a9a2e..00000000 --- a/zizmor.yml +++ /dev/null @@ -1,14 +0,0 @@ -rules: - excessive-permissions: - disable: true - dangerous-triggers: - ignore: - - build_images.yml - artipacked: - disable: true - secrets-outside-env: - ignore: - - promote-to-beta.yml - - promote-to-latest.yml - - publish-to-aws.yml - - publish-to-digitalocean.yml