fix: add persist-credentials: false to all checkout steps (artipacked)

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/c165a969-ebb0-4afd-ac19-c02c3887bc94 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
fix: remove zizmor.yml and fix all workflow security issues
2026-05-21 10:50:10 +00:00 · 2026-04-27 00:54:33 +00:00 · 2026-04-27 00:47:36 +00:00 · 2026-04-27 00:46:18 +00:00
27 changed files with 131 additions and 38 deletions
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -6,6 +6,9 @@ on:
    branches:
      - main

+permissions:
+  contents: read
+
 jobs:
  codespell:
    name: Check spelling
@@ -13,8 +16,10 @@ jobs:
    steps:
      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Check spelling
-        uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2
+        uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2.2
        with:
          check_filenames: true
          check_hidden: true
--- a/.github/workflows/collabora.yml
+++ b/.github/workflows/collabora.yml
@@ -5,12 +5,18 @@ on:
  schedule:
  - cron:  '00 12 * * *'

+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
  collabora-update:
    name: update collabora
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
    - name: Run collabora-profile-update
      run: |
        rm -f php/cool-seccomp-profile.json
@@ -18,7 +24,7 @@ jobs:
        mv cool-seccomp-profile.json php/
        
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: collabora-seccomp-update automated change
--- a/.github/workflows/community-containers.yml
+++ b/.github/workflows/community-containers.yml
@@ -10,6 +10,9 @@ on:
    paths:
      - 'community-containers/**'

+permissions:
+  contents: read
+
 jobs:
  validator-community-containers:
    name: Validate community containers
@@ -17,6 +20,8 @@ jobs:
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Validate structure
        run: |
          CONTAINERS="$(find ./community-containers -mindepth 1 -maxdepth 1 -type d)"
--- a/.github/workflows/dependency-updates.yml
+++ b/.github/workflows/dependency-updates.yml
@@ -5,13 +5,19 @@ on:
  schedule:
  - cron:  '00 12 * * *'

+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
  dependency_updates:
    name: Run dependency update script
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-    - uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
+      with:
+        persist-credentials: false
+    - uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # master
      with:
        php-version: 8.5
        extensions: apcu
@@ -53,7 +59,7 @@ jobs:
        sed -i "s|^ARG CADDY_REMOTE_HOST_HASH.*$|ARG CADDY_REMOTE_HOST_HASH=$CADDY_REMOTE_HOST_HASH|" ./Containers/mastercontainer/Dockerfile

    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: php dependency updates
--- a/.github/workflows/docker-lint.yml
+++ b/.github/workflows/docker-lint.yml
@@ -26,6 +26,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install hadolint
        run: |
--- a/.github/workflows/fail-on-prerelease.yml
+++ b/.github/workflows/fail-on-prerelease.yml
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: "Check latest published release isn't a prerelease"
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v6
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const tags = await github.rest.repos.listTags({
--- a/.github/workflows/helm-release.yml
+++ b/.github/workflows/helm-release.yml
@@ -8,15 +8,20 @@ on:
    paths:
      - 'nextcloud-aio-helm-chart/**'

+permissions:
+  contents: write
+
 jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Turnstyle
-        uses: softprops/turnstyle@e565d2d86403c5d23533937e95980570545e5586 # v2
+        uses: softprops/turnstyle@e565d2d86403c5d23533937e95980570545e5586 # v3.2.3
        with:
          continue-after-seconds: 180
        env:
--- a/.github/workflows/imaginary-update.yml
+++ b/.github/workflows/imaginary-update.yml
@@ -5,12 +5,18 @@ on:
  schedule:
  - cron:  '00 12 * * *'

+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
  run_update:
    name: update to latest imaginary commit on master branch
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
    - name: Run imaginary-update
      run: |
        # Imaginary
@@ -22,7 +28,7 @@ jobs:
        sed -i "s|^ENV IMAGINARY_HASH.*$|ENV IMAGINARY_HASH=$imaginary_version|" ./Containers/imaginary/Dockerfile
        
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: imaginary-update automated change
--- a/.github/workflows/json-validator.yml
+++ b/.github/workflows/json-validator.yml
@@ -10,6 +10,9 @@ on:
    paths:
      - '**.json'

+permissions:
+  contents: read
+
 jobs:
  json-validator:
    name: Json Validator
@@ -17,6 +20,8 @@ jobs:
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Validate Json
        run: |
          sudo apt-get update
--- a/.github/workflows/lint-helm.yml
+++ b/.github/workflows/lint-helm.yml
@@ -6,6 +6,9 @@ on:
    paths:
      - 'nextcloud-aio-helm-chart/**'

+permissions:
+  contents: read
+
 jobs:
  lint-helm:
    runs-on: ubuntu-latest
@@ -14,6 +17,7 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
+          persist-credentials: false

      - name: Install Helm
        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
--- a/.github/workflows/lint-php.yml
+++ b/.github/workflows/lint-php.yml
@@ -41,7 +41,7 @@ jobs:
          persist-credentials: false

      - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # master
        with:
          php-version: ${{ matrix.php-versions }}
          coverage: none
--- a/.github/workflows/lint-yaml.yml
+++ b/.github/workflows/lint-yaml.yml
@@ -24,7 +24,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

--- a/.github/workflows/lock-threads.yml
+++ b/.github/workflows/lock-threads.yml
@@ -14,7 +14,7 @@ jobs:
  action:
    runs-on: ubuntu-latest
    steps:
-      - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v5
+      - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v6.0.0
        with: 
          issue-inactive-days: '14'
          process-only: 'issues'
--- a/.github/workflows/nextcloud-update.yml
+++ b/.github/workflows/nextcloud-update.yml
@@ -6,12 +6,18 @@ on:
  schedule:
  - cron:  '00 12 * * *'

+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
  run_update_sh:
    name: Run nextcloud-update script
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
    - name: Run nextcloud-update script
      run: |
        # Inspired by https://github.com/nextcloud/docker/blob/master/update.sh
@@ -79,7 +85,7 @@ jobs:
        fi

    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: nextcloud-update automated change
--- a/.github/workflows/php-deprecation-detector.yml
+++ b/.github/workflows/php-deprecation-detector.yml
@@ -11,14 +11,19 @@ on:
    paths:
      - 'php/**'

+permissions:
+  contents: read
+
 jobs:
  phpdd:
    name: PHP Deprecation Detector
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Set up php
-        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # master
        with:
          php-version: 8.5
          extensions: apcu
--- a/.github/workflows/playwright-on-push.yml
+++ b/.github/workflows/playwright-on-push.yml
@@ -19,6 +19,9 @@ concurrency:
 env:
  BASE_URL: https://localhost:8080

+permissions:
+  contents: read
+
 jobs:
  test:
    timeout-minutes: 60
@@ -27,8 +30,10 @@ jobs:

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: lts/*

@@ -39,7 +44,7 @@ jobs:
        run: cd php/tests && npx playwright install --with-deps chromium

      - name: Set up php 8.5
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # master
        with:
          extensions: apcu
          php-version: 8.5
--- a/.github/workflows/playwright-on-workflow-dispatch.yml
+++ b/.github/workflows/playwright-on-workflow-dispatch.yml
@@ -6,6 +6,9 @@ on:
 env:
  BASE_URL: https://localhost:8080

+permissions:
+  contents: read
+
 jobs:
  test:
    timeout-minutes: 60
@@ -14,8 +17,10 @@ jobs:

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: lts/*

--- a/.github/workflows/psalm-update-baseline.yml
+++ b/.github/workflows/psalm-update-baseline.yml
@@ -5,15 +5,21 @@ on:
  schedule:
    - cron: '5 4 * * *'

+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
  update-psalm-baseline:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Set up php
-        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # master
        with:
          php-version: 8.5
          extensions: apcu
@@ -31,7 +37,7 @@ jobs:
        continue-on-error: true

      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: Update psalm baseline
--- a/.github/workflows/psalm.yml
+++ b/.github/workflows/psalm.yml
@@ -37,7 +37,7 @@ jobs:
          persist-credentials: false

      - name: Set up php
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # master
        with:
          php-version: 8.5
          extensions: apcu
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -10,14 +10,19 @@ on:
    paths:
      - '**.sh'

+permissions:
+  contents: read
+
 jobs:
  shellcheck:
    name: Check Shell
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
    - name: Run Shellcheck
-      uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
+      uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
      with:
        check_together: 'yes'
      env:
--- a/.github/workflows/talk.yml
+++ b/.github/workflows/talk.yml
@@ -5,12 +5,18 @@ on:
  schedule:
  - cron:  '00 12 * * *'

+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
  talk-update:
    name: update talk
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
    - name: Run talk-container-update
      run: |
        # Recording
@@ -45,7 +51,7 @@ jobs:
        sed -i "s|^ARG JANUS_VERSION=.*$|ARG JANUS_VERSION=$janus_version|" ./Containers/talk/Dockerfile
        
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: talk-update automated change
--- a/.github/workflows/twig-lint.yml
+++ b/.github/workflows/twig-lint.yml
@@ -25,9 +25,11 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # master
        with:
          php-version: 8.5
          extensions: apcu
--- a/.github/workflows/update-copyright.yml
+++ b/.github/workflows/update-copyright.yml
@@ -3,9 +3,14 @@ name: Update Copyright
 on:
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  update-copyright:
    name: update copyright
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
--- a/.github/workflows/update-helm.yml
+++ b/.github/workflows/update-helm.yml
@@ -5,6 +5,10 @@ on:
  schedule:
  - cron:  '00 12 * * *'

+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
  update-helm:
    name: update helm chart
@@ -12,6 +16,8 @@ jobs:
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: update helm chart
        run: |
          set -x
@@ -23,7 +29,7 @@ jobs:
            sudo bash nextcloud-aio-helm-chart/update-helm.sh "$DOCKER_TAG"
          fi
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          commit-message: Helm Chart updates
          signoff: true
--- a/.github/workflows/update-yaml.yml
+++ b/.github/workflows/update-yaml.yml
@@ -5,6 +5,10 @@ on:
  schedule:
  - cron:  '00 12 * * *'

+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
  update-yaml:
    name: update yaml files
@@ -12,11 +16,13 @@ jobs:
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: update yaml files
        run: |
          sudo bash manual-install/update-yaml.sh
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          commit-message: Yaml updates
          signoff: true
--- a/.github/workflows/watchtower-update.yml
+++ b/.github/workflows/watchtower-update.yml
@@ -5,12 +5,18 @@ on:
  schedule:
  - cron:  '00 12 * * *'

+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
  watchtower-update:
    name: update watchtower
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
    - name: Run watchtower-container-update
      run: |
        # Watchtower
@@ -26,7 +32,7 @@ jobs:
        sed -i "s|\$WATCHTOWER_COMMIT_HASH.*$|\$WATCHTOWER_COMMIT_HASH # $watchtower_version|" ./Containers/watchtower/Dockerfile
        
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: watchtower-update automated change
--- a/zizmor.yml
+++ b/zizmor.yml
@@ -1,14 +0,0 @@
-rules:
-  excessive-permissions:
-    disable: true
-  dangerous-triggers:
-    ignore:
-      - build_images.yml
-  artipacked:
-    disable: true
-  secrets-outside-env:
-    ignore:
-      - promote-to-beta.yml
-      - promote-to-latest.yml
-      - publish-to-aws.yml
-      - publish-to-digitalocean.yml