ci: Pin more actions, images and permissions

Signed-off-by: Joas Schilling <coding@schilljs.com>
8 months ago · 519d77db33
parent d22a4cab90
commit 519d77db33
33 changed files with 151 additions and 54 deletions
--- a/.github/workflows/block-outdated-3rdparty.yml
+++ b/.github/workflows/block-outdated-3rdparty.yml
@ -32,6 +32,8 @@ jobs:

      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: 3rdparty commit hash on current branch
        id: actual
--- a/.github/workflows/command-pull-3rdparty.yml
+++ b/.github/workflows/command-pull-3rdparty.yml
@ -38,8 +38,9 @@ jobs:
        id: comment-branch

      - name: Checkout ${{ steps.comment-branch.outputs.head_ref }}
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          fetch-depth: 0
          token: ${{ secrets.COMMAND_BOT_PAT }}
          ref: ${{ steps.comment-branch.outputs.head_ref }}
--- a/.github/workflows/files-external-ftp.yml
+++ b/.github/workflows/files-external-ftp.yml
@ -6,6 +6,9 @@ on:
  schedule:
    - cron: "5 2 * * *"

+permissions:
+  contents: read
+
 concurrency:
  group: files-external-ftp-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
@ -53,8 +56,9 @@ jobs:

    steps:
      - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Set up ftpd
--- a/.github/workflows/files-external-s3.yml
+++ b/.github/workflows/files-external-s3.yml
@ -6,6 +6,9 @@ on:
  schedule:
    - cron: "5 2 * * *"

+permissions:
+  contents: read
+
 concurrency:
  group: files-external-s3-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
@ -50,7 +53,7 @@ jobs:

    services:
      minio:
-        image: bitnami/minio
+        image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22
        env:
          MINIO_ROOT_USER: nextcloud
          MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ=
@ -60,8 +63,9 @@ jobs:

    steps:
      - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Set up php ${{ matrix.php-versions }}
@ -136,14 +140,15 @@ jobs:
        env:
          SERVICES: s3
          DEBUG: 1
-        image: localstack/localstack
+        image: localstack/localstack@sha256:b52c16663c70b7234f217cb993a339b46686e30a1a5d9279cb5feeb2202f837c # v4.4.0
        ports:
          - "4566:4566"

    steps:
      - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Set up php ${{ matrix.php-versions }}
--- a/.github/workflows/files-external-sftp.yml
+++ b/.github/workflows/files-external-sftp.yml
@ -6,6 +6,9 @@ on:
  schedule:
    - cron: "5 2 * * *"

+permissions:
+  contents: read
+
 concurrency:
  group: files-external-sftp-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
@ -53,8 +56,9 @@ jobs:

    steps:
      - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Set up sftpd
--- a/.github/workflows/files-external-smb-kerberos.yml
+++ b/.github/workflows/files-external-smb-kerberos.yml
@ -6,6 +6,9 @@ on:
  schedule:
    - cron: "5 2 * * *"

+permissions:
+  contents: read
+
 concurrency:
  group: files-external-smb-kerberos-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
@ -43,13 +46,15 @@ jobs:

    steps:
      - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Checkout user_saml
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          repository: nextcloud/user_saml
          path: apps/user_saml

--- a/.github/workflows/files-external-smb.yml
+++ b/.github/workflows/files-external-smb.yml
@ -6,6 +6,9 @@ on:
  schedule:
    - cron: "5 2 * * *"

+permissions:
+  contents: read
+
 concurrency:
  group: files-external-smb-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
@ -50,14 +53,15 @@ jobs:

    services:
      samba:
-        image: ghcr.io/nextcloud/continuous-integration-samba:latest
+        image: ghcr.io/nextcloud/continuous-integration-samba:latest # zizmor: ignore[unpinned-images]
        ports:
          - 445:445

    steps:
      - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Set up php ${{ matrix.php-versions }}
--- a/.github/workflows/files-external-webdav.yml
+++ b/.github/workflows/files-external-webdav.yml
@ -6,6 +6,9 @@ on:
  schedule:
    - cron: "5 2 * * *"

+permissions:
+  contents: read
+
 concurrency:
  group: files-external-webdav-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
@ -50,14 +53,15 @@ jobs:

    services:
      apache:
-        image: ghcr.io/nextcloud/continuous-integration-webdav-apache:latest
+        image: ghcr.io/nextcloud/continuous-integration-webdav-apache:latest # zizmor: ignore[unpinned-images]
        ports:
          - 8081:80

    steps:
      - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Set up php ${{ matrix.php-versions }}
--- a/.github/workflows/files-external.yml
+++ b/.github/workflows/files-external.yml
@ -6,6 +6,9 @@ on:
  schedule:
    - cron: "5 2 * * *"

+permissions:
+  contents: read
+
 concurrency:
  group: files-external-generic-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
@ -49,8 +52,9 @@ jobs:

    steps:
      - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Set up php ${{ matrix.php-versions }}
--- a/.github/workflows/integration-dav.yml
+++ b/.github/workflows/integration-dav.yml
@ -4,6 +4,9 @@ name: DAV integration tests
 on:
  pull_request:

+permissions:
+  contents: read
+
 concurrency:
  group: integration-caldav-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
@ -51,8 +54,9 @@ jobs:

    steps:
        - name: Checkout server
-          uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+          uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
          with:
+            persist-credentials: false
            submodules: true

        - name: Set up php ${{ matrix.php-versions }}
@ -67,7 +71,7 @@ jobs:
            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

        - name: Set up Python
-          uses: LizardByte/setup-python-action@master
+          uses: LizardByte/setup-python-action@f4367d0377eceec7e5e26da8f3863dd365b95a94 # v2025.426.160528
          with:
            python-version: '2.7'

--- a/.github/workflows/integration-litmus.yml
+++ b/.github/workflows/integration-litmus.yml
@ -4,6 +4,9 @@ name: Litmus integration tests
 on:
  pull_request:

+permissions:
+  contents: read
+
 concurrency:
  group: integration-litmus-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
@ -50,8 +53,9 @@ jobs:

    steps:
        - name: Checkout server
-          uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+          uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
          with:
+            persist-credentials: false
            submodules: true

        - name: Set up php ${{ matrix.php-versions }}
--- a/.github/workflows/integration-s3-primary.yml
+++ b/.github/workflows/integration-s3-primary.yml
@ -4,6 +4,9 @@ name: S3 primary storage integration tests
 on:
  pull_request:

+permissions:
+  contents: read
+
 concurrency:
  group: integration-s3-primary-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
@ -50,12 +53,12 @@ jobs:

    services:
      redis:
-        image: ghcr.io/nextcloud/continuous-integration-redis:latest
+        image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images]
        options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3
        ports:
          - 6379:6379/tcp
      minio:
-        image: bitnami/minio
+        image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22
        env:
          MINIO_ROOT_USER: nextcloud
          MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ=
@ -65,8 +68,9 @@ jobs:

    steps:
      - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Set up php ${{ matrix.php-versions }}
--- a/.github/workflows/integration-sqlite.yml
+++ b/.github/workflows/integration-sqlite.yml
@ -77,12 +77,12 @@ jobs:

    services:
      redis:
-        image: ghcr.io/nextcloud/continuous-integration-redis:latest
+        image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images]
        options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3
        ports:
          - 6379:6379/tcp
      openldap:
-        image: ghcr.io/nextcloud/continuous-integration-openldap:openldap-7
+        image: ghcr.io/nextcloud/continuous-integration-openldap:openldap-7 # zizmor: ignore[unpinned-images]
        ports:
          - 389:389
        env:
@ -95,12 +95,14 @@ jobs:
      - name: Checkout server
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Checkout Talk app
        if: ${{ matrix.test-suite == 'videoverification_features' }}
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          repository: nextcloud/spreed
          path: apps/spreed
          ref: ${{ matrix.spreed-versions }}
@ -109,6 +111,7 @@ jobs:
        if: ${{ matrix.test-suite == 'sharing_features' }}
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          repository: nextcloud/activity
          path: apps/activity
          ref: ${{ matrix.activity-versions }}
--- a/.github/workflows/lint-php-cs.yml
+++ b/.github/workflows/lint-php-cs.yml
@ -49,6 +49,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Set up php8.1
        uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0
--- a/.github/workflows/node-test.yml
+++ b/.github/workflows/node-test.yml
@ -86,6 +86,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Set up node ${{ needs.versions.outputs.nodeVersion }}
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
@ -124,6 +126,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Set up node ${{ needs.versions.outputs.nodeVersion }}
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
@ -152,6 +156,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Set up node ${{ needs.versions.outputs.nodeVersion }}
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
--- a/.github/workflows/object-storage-azure.yml
+++ b/.github/workflows/object-storage-azure.yml
@ -6,6 +6,9 @@ on:
  schedule:
    - cron: "15 2 * * *"

+permissions:
+  contents: read
+
 concurrency:
  group: object-storage-azure-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
@ -54,7 +57,7 @@ jobs:

    services:
      azurite:
-        image: mcr.microsoft.com/azure-storage/azurite
+        image: mcr.microsoft.com/azure-storage/azurite@sha256:0a47e12e3693483cef5c71f35468b91d751611f172d2f97414e9c69113b106d9 # v3.34.0
        env:
          AZURITE_ACCOUNTS: nextcloud:bmV4dGNsb3Vk
        ports:
@ -62,15 +65,16 @@ jobs:
        options: --health-cmd="nc 127.0.0.1 10000 -z" --health-interval=1s --health-retries=30

      cache:
-        image: ghcr.io/nextcloud/continuous-integration-redis:latest
+        image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images]
        ports:
          - 6379:6379/tcp
        options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3

    steps:
      - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Set up php ${{ matrix.php-versions }}
--- a/.github/workflows/object-storage-s3.yml
+++ b/.github/workflows/object-storage-s3.yml
@ -6,6 +6,9 @@ on:
  schedule:
    - cron: "15 2 * * *"

+permissions:
+  contents: read
+
 concurrency:
  group: object-storage-s3-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
@ -54,13 +57,13 @@ jobs:

    services:
      cache:
-        image: ghcr.io/nextcloud/continuous-integration-redis:latest
+        image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images]
        ports:
          - 6379:6379/tcp
        options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3

      minio:
-        image: bitnami/minio
+        image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22
        env:
          MINIO_ROOT_USER: nextcloud
          MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ=
@ -70,8 +73,9 @@ jobs:

    steps:
      - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Set up php ${{ matrix.php-versions }}
--- a/.github/workflows/object-storage-swift.yml
+++ b/.github/workflows/object-storage-swift.yml
@ -6,6 +6,9 @@ on:
  schedule:
    - cron: "15 2 * * *"

+permissions:
+  contents: read
+
 concurrency:
  group: object-storage-swift-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
@ -54,21 +57,22 @@ jobs:

    services:
      cache:
-        image: ghcr.io/nextcloud/continuous-integration-redis:latest
+        image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images]
        ports:
          - 6379:6379/tcp
        options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3

      swift:
-        image: ghcr.io/cscfi/docker-keystone-swift
+        image: ghcr.io/cscfi/docker-keystone-swift@sha256:e8b1ec21120ab9adc6ac6a2b98785fd273676439a8633fe898e37f2aea7e0712
        ports:
          - 5000:5000
          - 8080:8080

    steps:
      - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Set up php ${{ matrix.php-versions }}
--- a/.github/workflows/performance.yml
+++ b/.github/workflows/performance.yml
@ -4,6 +4,9 @@ name: Performance testing
 on:
  pull_request:

+permissions:
+  contents: read
+
 concurrency:
  group: performance-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
@ -14,6 +17,9 @@ jobs:

    if: ${{ github.repository_owner != 'nextcloud-gmbh' }}

+    permissions:
+      pull-requests: write
+
    strategy:
      fail-fast: false
      matrix:
@ -29,8 +35,9 @@ jobs:
          exit 1

      - name: Checkout server before PR
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true
          ref: ${{ github.event.pull_request.base.ref }}

--- a/.github/workflows/phpunit-32bits.yml
+++ b/.github/workflows/phpunit-32bits.yml
@ -32,8 +32,9 @@ jobs:

    steps:
      - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Install tools
--- a/.github/workflows/phpunit-mariadb.yml
+++ b/.github/workflows/phpunit-mariadb.yml
@ -71,7 +71,7 @@ jobs:

    services:
      cache:
-        image: ghcr.io/nextcloud/continuous-integration-redis:latest
+        image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images]
        ports:
          - 6379:6379/tcp
        options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3
--- a/.github/workflows/phpunit-memcached.yml
+++ b/.github/workflows/phpunit-memcached.yml
@ -64,15 +64,16 @@ jobs:

    services:
      memcached:
-        image: ghcr.io/nextcloud/continuous-integration-redis:latest
+        image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images]
        ports:
          - 11212:11212/tcp
          - 11212:11212/udp

    steps:
      - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Set up php ${{ matrix.php-versions }}
--- a/.github/workflows/phpunit-mysql-sharding.yml
+++ b/.github/workflows/phpunit-mysql-sharding.yml
@ -62,13 +62,13 @@ jobs:

    services:
      cache:
-        image: ghcr.io/nextcloud/continuous-integration-redis:latest
+        image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images]
        ports:
          - 6379:6379/tcp
        options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3

      mysql:
-        image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest
+        image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images]
        ports:
          - 4444:3306/tcp
        env:
@ -78,7 +78,7 @@ jobs:
          MYSQL_DATABASE: oc_autotest
        options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 10
      shard1:
-        image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest
+        image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images]
        ports:
          - 5001:3306/tcp
        env:
@ -88,7 +88,7 @@ jobs:
          MYSQL_DATABASE: nextcloud
        options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 10
      shard2:
-        image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest
+        image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images]
        ports:
          - 5002:3306/tcp
        env:
@ -98,7 +98,7 @@ jobs:
          MYSQL_DATABASE: nextcloud
        options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 10
      shard3:
-        image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest
+        image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images]
        ports:
          - 5003:3306/tcp
        env:
@ -108,7 +108,7 @@ jobs:
          MYSQL_DATABASE: nextcloud
        options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 10
      shard4:
-        image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest
+        image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images]
        ports:
          - 5004:3306/tcp
        env:
@ -120,8 +120,9 @@ jobs:

    steps:
      - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Set up php ${{ matrix.php-versions }}
--- a/.github/workflows/phpunit-mysql.yml
+++ b/.github/workflows/phpunit-mysql.yml
@ -71,13 +71,13 @@ jobs:

    services:
      cache:
-        image: ghcr.io/nextcloud/continuous-integration-redis:latest
+        image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images]
        ports:
          - 6379:6379/tcp
        options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3

      mysql:
-        image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest
+        image: ghcr.io/nextcloud/continuous-integration-mysql-${{ matrix.mysql-versions }}:latest # zizmor: ignore[unpinned-images]
        ports:
          - 4444:3306/tcp
        env:
--- a/.github/workflows/phpunit-nodb.yml
+++ b/.github/workflows/phpunit-nodb.yml
@ -67,15 +67,16 @@ jobs:

    services:
      cache:
-        image: ghcr.io/nextcloud/continuous-integration-redis:latest
+        image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images]
        ports:
          - 6379:6379/tcp
        options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3

    steps:
      - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Set up php ${{ matrix.php-versions }}
--- a/.github/workflows/phpunit-oci.yml
+++ b/.github/workflows/phpunit-oci.yml
@ -76,7 +76,7 @@ jobs:

    services:
      cache:
-        image: ghcr.io/nextcloud/continuous-integration-redis:latest
+        image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images]
        ports:
          - 6379:6379/tcp
        options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3
--- a/.github/workflows/phpunit-pgsql.yml
+++ b/.github/workflows/phpunit-pgsql.yml
@ -72,13 +72,13 @@ jobs:

    services:
      cache:
-        image: ghcr.io/nextcloud/continuous-integration-redis:latest
+        image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images]
        ports:
          - 6379:6379/tcp
        options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3

      postgres:
-        image: ghcr.io/nextcloud/continuous-integration-postgres-${{ matrix.postgres-versions }}:latest
+        image: ghcr.io/nextcloud/continuous-integration-postgres-${{ matrix.postgres-versions }}:latest # zizmor: ignore[unpinned-images]
        ports:
          - 4444:5432/tcp
        env:
--- a/.github/workflows/phpunit-sqlite.yml
+++ b/.github/workflows/phpunit-sqlite.yml
@ -67,7 +67,7 @@ jobs:

    services:
      cache:
-        image: ghcr.io/nextcloud/continuous-integration-redis:latest
+        image: ghcr.io/nextcloud/continuous-integration-redis:latest # zizmor: ignore[unpinned-images]
        ports:
          - 6379:6379/tcp
        options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -7,6 +7,9 @@ on:
  schedule:
    - cron: "0 0 * * *"

+permissions:
+  contents: read
+
 jobs:
  stale:
    runs-on: ubuntu-latest
--- a/.github/workflows/static-code-analysis.yml
+++ b/.github/workflows/static-code-analysis.yml
@ -13,6 +13,9 @@ on:
      - '.github/workflows/static-code-analysis.yml'
      - '**.php'

+permissions:
+  contents: read
+
 concurrency:
  group: static-code-analysis-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
--- a/.github/workflows/update-cacert-bundle.yml
+++ b/.github/workflows/update-cacert-bundle.yml
@ -7,6 +7,9 @@ on:
  schedule:
    - cron: "5 2 * * *"

+permissions:
+  contents: read
+
 jobs:
  update-ca-certificate-bundle:
    runs-on: ubuntu-latest
@ -19,8 +22,9 @@ jobs:
    name: update-ca-certificate-bundle-${{ matrix.branches }}

    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          ref: ${{ matrix.branches }}
          submodules: true

--- a/.github/workflows/update-code-signing-crl.yml
+++ b/.github/workflows/update-code-signing-crl.yml
@ -7,6 +7,9 @@ on:
  schedule:
    - cron: "5 2 * * *"

+permissions:
+  contents: read
+
 jobs:
  update-code-signing-crl:
    runs-on: ubuntu-latest
@ -19,8 +22,9 @@ jobs:
    name: update-code-signing-crl-${{ matrix.branches }}

    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          ref: ${{ matrix.branches }}
          submodules: true

--- a/.github/workflows/update-min-supported-desktop.yml
+++ b/.github/workflows/update-min-supported-desktop.yml
@ -7,13 +7,17 @@ on:
  schedule:
    - cron: "0 0 * * 1"

+permissions:
+  contents: read
+
 jobs:
  update-minimum-supported-desktop-version:
    runs-on: ubuntu-latest-low

    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
+          persist-credentials: false
          submodules: true

      - name: Download desktop client version file from 5 years ago