fix(actions): Harden workflows when using variables in strings

Signed-off-by: Joas Schilling <coding@schilljs.com>
2 years ago · 54edf993d6
parent 49c42c36ae
commit 54edf993d6
22 changed files with 78 additions and 87 deletions
--- a/.github/workflows/block-merge-eol.yml
+++ b/.github/workflows/block-merge-eol.yml
@ -26,15 +26,15 @@ jobs:
    runs-on: ubuntu-latest-low

    steps:
-      - name: Download updater config
-        run: curl https://raw.githubusercontent.com/nextcloud/updater_server/production/config/config.php --output config.php
-
      - name: Set server major version environment
        run: |
          # retrieve version number from branch reference
          server_major=$(echo "${{ github.base_ref }}" | sed -En 's/stable//p')
          echo "server_major=$server_major" >> $GITHUB_ENV
+          echo "current_month=$(date +%Y-%m)" >> $GITHUB_ENV

      - name: Checking if ${{ env.server_major }} is EOL
        run: |
-          php -r 'echo json_encode(require_once "config.php");' | jq --arg version "${{ env.server_major }}" '.stable[$version]["100"].eol // .beta[$version]["100"].eol // "NotEOL"' | grep -q "NotEOL"
+          curl -s https://raw.githubusercontent.com/nextcloud-releases/updater_server/production/config/major_versions.json \
+            | jq '.["${{ env.server_major }}"]["eol"] // "9999-99" | . >= "${{ env.current_month }}"' \
+            | grep -q true
--- a/.github/workflows/block-merge-freeze.yml
+++ b/.github/workflows/block-merge-freeze.yml
@ -29,7 +29,7 @@ jobs:

    steps:
      - name: Download version.php from ${{ github.base_ref }}
-        run: curl https://raw.githubusercontent.com/nextcloud/server/${{ github.base_ref }}/version.php --output version.php
+        run: curl 'https://raw.githubusercontent.com/nextcloud/server/${{ github.base_ref }}/version.php' --output version.php

      - name: Run check
        run: cat version.php | grep 'OC_VersionString' | grep -i -v 'RC'
--- a/.github/workflows/block-outdated-3rdparty.yml
+++ b/.github/workflows/block-outdated-3rdparty.yml
@ -46,8 +46,8 @@ jobs:
      - name: Compare if 3rdparty commits are different
        run: |
          echo '3rdparty/ seems to not point to the last commit of the dedicated branch:'
-          echo "Branch has: ${{ steps.actual.outputs.commit }}"
-          echo "${{ github.base_ref }} has: ${{ steps.target.outputs.commit }}"
+          echo 'Branch has: ${{ steps.actual.outputs.commit }}'
+          echo '${{ github.base_ref }} has: ${{ steps.target.outputs.commit }}'

      - name: Fail if 3rdparty commits are different
        if: ${{ steps.changes.outputs.src != 'false' && steps.actual.outputs.commit != steps.target.outputs.commit }}
--- a/.github/workflows/command-compile.yml
+++ b/.github/workflows/command-compile.yml
@ -37,7 +37,7 @@ jobs:
          token: ${{ secrets.COMMAND_BOT_PAT }}
          repository: ${{ github.event.repository.full_name }}
          comment-id: ${{ github.event.comment.id }}
-          reactions: "+1"
+          reactions: '+1'

      - name: Parse command
        uses: skjnldsv/parse-command-comment@5c955203c52424151e6d0e58fb9de8a9f6a605a1 # v2
@ -77,8 +77,8 @@ jobs:

      - name: Setup git
        run: |
-          git config --local user.email "nextcloud-command@users.noreply.github.com"
-          git config --local user.name "nextcloud-command"
+          git config --local user.email 'nextcloud-command@users.noreply.github.com'
+          git config --local user.name 'nextcloud-command'

      - name: Read package.json node and npm engines version
        uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3
@ -94,13 +94,13 @@ jobs:
          cache: npm

      - name: Set up npm ${{ steps.package-engines-versions.outputs.npmVersion }}
-        run: npm i -g npm@"${{ steps.package-engines-versions.outputs.npmVersion }}"
+        run: npm i -g 'npm@${{ steps.package-engines-versions.outputs.npmVersion }}'
      
      - name: Rebase to ${{ needs.init.outputs.base_ref }}
        if: ${{ contains(needs.init.outputs.arg1, 'rebase') }}
        run: |
-          git fetch origin ${{ needs.init.outputs.base_ref }}:${{ needs.init.outputs.base_ref }}
-          git rebase origin/${{ needs.init.outputs.base_ref }}
+          git fetch origin '${{ needs.init.outputs.base_ref }}:${{ needs.init.outputs.base_ref }}'
+          git rebase 'origin/${{ needs.init.outputs.base_ref }}'

      - name: Install dependencies & build
        env:
@ -113,30 +113,30 @@ jobs:
      - name: Commit default
        if: ${{ !contains(needs.init.outputs.arg1, 'fixup') && !contains(needs.init.outputs.arg1, 'amend') }}
        run: |
-          git add ${{ github.workspace }}${{ needs.init.outputs.git_path }}
+          git add '${{ github.workspace }}${{ needs.init.outputs.git_path }}'
          git commit --signoff -m 'chore(assets): Recompile assets'
 
      - name: Commit fixup
        if: ${{ contains(needs.init.outputs.arg1, 'fixup') }}
        run: |
-          git add ${{ github.workspace }}${{ needs.init.outputs.git_path }}
+          git add '${{ github.workspace }}${{ needs.init.outputs.git_path }}'
          git commit --fixup=HEAD --signoff

      - name: Commit amend
        if: ${{ contains(needs.init.outputs.arg1, 'amend') }}
        run: |
-          git add ${{ github.workspace }}${{ needs.init.outputs.git_path }}
+          git add '${{ github.workspace }}${{ needs.init.outputs.git_path }}'
          git commit --amend --no-edit --signoff
          # Remove any [skip ci] from the amended commit
          git commit --amend -m "$(git log -1 --format='%B' | sed '/\[skip ci\]/d')"
 
      - name: Push normally
        if: ${{ !contains(needs.init.outputs.arg1, 'rebase') && !contains(needs.init.outputs.arg1, 'amend') }}
-        run: git push origin ${{ needs.init.outputs.head_ref }}
+        run: git push origin '${{ needs.init.outputs.head_ref }}'

      - name: Force push
        if: ${{ contains(needs.init.outputs.arg1, 'rebase') || contains(needs.init.outputs.arg1, 'amend') }}
-        run: git push --force origin ${{ needs.init.outputs.head_ref }}
+        run: git push --force origin '${{ needs.init.outputs.head_ref }}'

      - name: Add reaction on failure
        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
--- a/.github/workflows/command-pull-3rdparty.yml
+++ b/.github/workflows/command-pull-3rdparty.yml
@ -25,7 +25,7 @@ jobs:
          token: ${{ secrets.COMMAND_BOT_PAT }}
          repository: ${{ github.event.repository.full_name }}
          comment-id: ${{ github.event.comment.id }}
-          reactions: "+1"
+          reactions: '+1'

      - name: Init branch
        uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v1
@ -40,16 +40,16 @@ jobs:

      - name: Setup git
        run: |
-          git config --local user.email "nextcloud-command@users.noreply.github.com"
-          git config --local user.name "nextcloud-command"
+          git config --local user.email 'nextcloud-command@users.noreply.github.com'
+          git config --local user.name 'nextcloud-command'

      - name: Pull 3rdparty
-        run: git submodule foreach 'if [ "$sm_path" == "3rdparty" ]; then git pull origin ${{ github.event.issue.pull_request.base.ref }}; fi'
+        run: git submodule foreach 'if [ "$sm_path" == "3rdparty" ]; then git pull origin '"'"'${{ github.event.issue.pull_request.base.ref }}'"'"'; fi'

      - name: Commit and push changes
        run: |
          git add 3rdparty
-          git commit -s -m "Update submodule 3rdparty to latest ${{ github.event.issue.pull_request.base.ref }}"
+          git commit -s -m 'Update submodule 3rdparty to latest ${{ github.event.issue.pull_request.base.ref }}'
          git push

      - name: Add reaction on failure
@ -59,4 +59,4 @@ jobs:
          token: ${{ secrets.COMMAND_BOT_PAT }}
          repository: ${{ github.event.repository.full_name }}
          comment-id: ${{ github.event.comment.id }}
-          reactions: "-1"
+          reactions: '-1'
--- a/.github/workflows/cypress.yml
+++ b/.github/workflows/cypress.yml
@ -17,6 +17,7 @@ concurrency:
 env:
  # Adjust APP_NAME if your repository name is different
  APP_NAME: ${{ github.event.repository.name }}
+
  # Server requires head_ref instead of base_ref, as we want to test the PR branch
  BRANCH: ${{ github.head_ref || github.ref_name }}

@ -52,7 +53,7 @@ jobs:
        id: versions
        with:
          fallbackNode: "^20"
-          fallbackNpm: "^9"
+          fallbackNpm: "^10"

      - name: Set up node ${{ steps.versions.outputs.nodeVersion }}
        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
@ -60,7 +61,7 @@ jobs:
          node-version: ${{ steps.versions.outputs.nodeVersion }}

      - name: Set up npm ${{ steps.versions.outputs.npmVersion }}
-        run: npm i -g npm@"${{ steps.versions.outputs.npmVersion }}"
+        run: npm i -g 'npm@${{ steps.versions.outputs.npmVersion }}'

      - name: Install node dependencies & build app
        run: |
@ -85,9 +86,9 @@ jobs:
      matrix:
        # Run multiple copies of the current job in parallel
        # Please increase the number or runners as your tests suite grows (0 based index for e2e tests)
-        containers: ["component", 0, 1, 2, 3, 4, 5]
+        containers: ["component", '0', '1', '2', '3', '4', '5']
        # Hack as strategy.job-total includes the component and GitHub does not allow math expressions
-        # Always aling this number with the total of e2e runners (max. index + 1)
+        # Always align this number with the total of e2e runners (max. index + 1)
        total-containers: [6]

    name: runner ${{ matrix.containers }}
@ -106,7 +107,7 @@ jobs:
          node-version: ${{ needs.init.outputs.nodeVersion }}

      - name: Set up npm ${{ needs.init.outputs.npmVersion }}
-        run: npm i -g npm@"${{ needs.init.outputs.npmVersion }}"
+        run: npm i -g 'npm@${{ needs.init.outputs.npmVersion }}'

      - name: Run ${{ matrix.containers == 'component' && 'component' || 'E2E' }} cypress tests
        uses: cypress-io/github-action@f88a151c986cab2e339cdbede6a5c4468bb62c17 # v6.7.0
--- a/.github/workflows/dependabot-approve-merge.yml
+++ b/.github/workflows/dependabot-approve-merge.yml
@ -31,7 +31,7 @@ jobs:
      pull-requests: write

    steps:
-      # Github actions bot approve
+      # GitHub actions bot approve
      - uses: hmarr/auto-approve-action@b40d6c9ed2fa10c9a2749eca7eb004418a705501 # v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/files-external-s3.yml
+++ b/.github/workflows/files-external-s3.yml
@ -56,7 +56,7 @@ jobs:
          MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ=
          MINIO_DEFAULT_BUCKETS: nextcloud
        ports:
-          - "9000:9000"
+          - '9000:9000'

    steps:
      - name: Checkout server
--- a/.github/workflows/files-external-sftp.yml
+++ b/.github/workflows/files-external-sftp.yml
@ -61,7 +61,7 @@ jobs:
        run: |
          sudo mkdir /tmp/sftp
          sudo chown -R 0777 /tmp/sftp
-          if [[ "${{ matrix.sftpd }}" == 'openssh' ]]; then docker run -p 2222:22 --name sftp -d -v /tmp/sftp:/home/test atmoz/sftp "test:test:::data"; fi
+          if [[ '${{ matrix.sftpd }}' == 'openssh' ]]; then docker run -p 2222:22 --name sftp -d -v /tmp/sftp:/home/test atmoz/sftp 'test:test:::data'; fi

      - name: Set up php ${{ matrix.php-versions }}
        uses: shivammathur/setup-php@c5fc0d8281aba02c7fda07d3a70cc5371548067d #v2.25.2
--- a/.github/workflows/lint-eslint.yml
+++ b/.github/workflows/lint-eslint.yml
@ -8,8 +8,7 @@

 name: Lint eslint

-on:
-  pull_request:
+on: pull_request

 permissions:
  contents: read
@ -61,15 +60,15 @@ jobs:
        id: versions
        with:
          fallbackNode: '^20'
-          fallbackNpm: '^9'
+          fallbackNpm: '^10'

      - name: Set up node ${{ steps.versions.outputs.nodeVersion }}
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
        with:
          node-version: ${{ steps.versions.outputs.nodeVersion }}

      - name: Set up npm ${{ steps.versions.outputs.npmVersion }}
-        run: npm i -g npm@"${{ steps.versions.outputs.npmVersion }}"
+        run: npm i -g 'npm@${{ steps.versions.outputs.npmVersion }}'

      - name: Install dependencies
        env:
--- a/.github/workflows/lint-php-cs.yml
+++ b/.github/workflows/lint-php-cs.yml
@ -50,10 +50,11 @@ jobs:
      - name: Checkout
        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6

-      - name: Set up php
+      - name: Set up php8.1
        uses: shivammathur/setup-php@c665c7a15b5295c2488ac8a87af9cb806cd72198 # v2
        with:
          php-version: 8.1
+          extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite
          coverage: none
          ini-file: development
        env:
--- a/.github/workflows/lint-php.yml
+++ b/.github/workflows/lint-php.yml
@ -8,8 +8,7 @@

 name: Lint php

-on:
-  pull_request:
+on: pull_request

 permissions:
  contents: read
@ -21,10 +20,8 @@ concurrency:
 jobs:
  changes:
    runs-on: ubuntu-latest-low
-
    outputs:
      src: ${{ steps.changes.outputs.src}}
-
    steps:
      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        id: changes
@ -50,7 +47,7 @@ jobs:

    strategy:
      matrix:
-        php-versions: [ "8.1", "8.2", "8.3" ]
+        php-versions: [ '8.1', '8.2', '8.3' ]

    name: php-lint

--- a/.github/workflows/node-test.yml
+++ b/.github/workflows/node-test.yml
@ -88,7 +88,7 @@ jobs:
          node-version: ${{ needs.versions.outputs.nodeVersion }}

      - name: Set up npm ${{ needs.versions.outputs.npmVersion }}
-        run: npm i -g npm@"${{ needs.versions.outputs.npmVersion }}"
+        run: npm i -g 'npm@${{ needs.versions.outputs.npmVersion }}'

      - name: Install dependencies & build
        run: |
@ -122,7 +122,7 @@ jobs:
          node-version: ${{ needs.versions.outputs.nodeVersion }}

      - name: Set up npm ${{ needs.versions.outputs.npmVersion }}
-        run: npm i -g npm@"${{ needs.versions.outputs.npmVersion }}"
+        run: npm i -g 'npm@${{ needs.versions.outputs.npmVersion }}'

      - name: Install dependencies
        run: npm ci
@ -150,7 +150,7 @@ jobs:
          node-version: ${{ needs.versions.outputs.nodeVersion }}

      - name: Set up npm ${{ needs.versions.outputs.npmVersion }}
-        run: npm i -g npm@"${{ needs.versions.outputs.npmVersion }}"
+        run: npm i -g 'npm@${{ needs.versions.outputs.npmVersion }}'

      - name: Install dependencies
        run: npm ci
--- a/.github/workflows/node.yml
+++ b/.github/workflows/node.yml
@ -8,8 +8,7 @@

 name: Node

-on:
-  pull_request:
+on: pull_request

 permissions:
  contents: read
@ -59,15 +58,15 @@ jobs:
        id: versions
        with:
          fallbackNode: '^20'
-          fallbackNpm: '^9'
+          fallbackNpm: '^10'

      - name: Set up node ${{ steps.versions.outputs.nodeVersion }}
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
        with:
          node-version: ${{ steps.versions.outputs.nodeVersion }}

      - name: Set up npm ${{ steps.versions.outputs.npmVersion }}
-        run: npm i -g npm@"${{ steps.versions.outputs.npmVersion }}"
+        run: npm i -g 'npm@${{ steps.versions.outputs.npmVersion }}'

      - name: Install dependencies & build
        env:
--- a/.github/workflows/npm-audit-fix.yml
+++ b/.github/workflows/npm-audit-fix.yml
@ -21,7 +21,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        branches: ["main", "master", "stable29", "stable28", "stable27"]
+        branches: ['main', 'master', 'stable29', 'stable28', 'stable27']

    name: npm-audit-fix-${{ matrix.branches }}

@ -36,25 +36,24 @@ jobs:
        id: versions
        with:
          fallbackNode: '^20'
-          fallbackNpm: '^9'
+          fallbackNpm: '^10'

      - name: Set up node ${{ steps.versions.outputs.nodeVersion }}
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
        with:
          node-version: ${{ steps.versions.outputs.nodeVersion }}

      - name: Set up npm ${{ steps.versions.outputs.npmVersion }}
-        run: npm i -g npm@"${{ steps.versions.outputs.npmVersion }}"
+        run: npm i -g 'npm@${{ steps.versions.outputs.npmVersion }}'

      - name: Fix npm audit
-        run: |
-          npm audit fix
+        id: npm-audit
+        uses: nextcloud-libraries/npm-audit-action@2a60bd2e79cc77f2cc4d9a3fe40f1a69896f3a87 # v0.1.0

      - name: Run npm ci and npm run build
        if: always()
        env:
          CYPRESS_INSTALL_BINARY: 0
-          PUPPETEER_SKIP_DOWNLOAD: true
        run: |
          npm ci
          npm run build --if-present
@ -64,14 +63,13 @@ jobs:
        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
        with:
          token: ${{ secrets.COMMAND_BOT_PAT }}
-          commit-message: "fix(deps): fix npm audit"
+          commit-message: 'fix(deps): Fix npm audit'
          committer: GitHub <noreply@github.com>
          author: nextcloud-command <nextcloud-command@users.noreply.github.com>
          signoff: true
          branch: automated/noid/${{ matrix.branches }}-fix-npm-audit
-          title: "[${{ matrix.branches }}] Fix npm audit"
-          body: |
-            Auto-generated fix of npm audit
+          title: '[${{ matrix.branches }}] Fix npm audit'
+          body: ${{ steps.npm-audit.outputs.markdown }}
          labels: |
            dependencies
            3. to review
--- a/.github/workflows/openapi.yml
+++ b/.github/workflows/openapi.yml
@ -34,10 +34,11 @@ jobs:
          php-version: '8.2'
          extensions: xml
          coverage: none
+          ini-file: development
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

-      - name: Composer install
+      - name: Set up dependencies
        run: composer i

      - name: OpenAPI checker
--- a/.github/workflows/performance.yml
+++ b/.github/workflows/performance.yml
@ -62,9 +62,9 @@ jobs:

      - name: Apply PR
        run: |
-          git remote add pr ${{ github.event.pull_request.head.repo.clone_url }}
-          git fetch pr ${{ github.event.pull_request.head.ref }}
-          git checkout -b pr/${{ github.event.pull_request.head.ref }}
+          git remote add pr '${{ github.event.pull_request.head.repo.clone_url }}'
+          git fetch pr '${{ github.event.pull_request.head.ref }}'
+          git checkout -b 'pr/${{ github.event.pull_request.head.ref }}'
          git submodule update

          ./occ upgrade
--- a/.github/workflows/phpunit-mariadb.yml
+++ b/.github/workflows/phpunit-mariadb.yml
@ -105,7 +105,7 @@ jobs:
      - name: Enable ONLY_FULL_GROUP_BY MariaDB option
        run: |
          echo "SET GLOBAL sql_mode=(SELECT CONCAT(@@sql_mode,',ONLY_FULL_GROUP_BY'));" | mysql -h 127.0.0.1 -P 4444 -u root -prootpassword
-          echo "SELECT @@sql_mode;" | mysql -h 127.0.0.1 -P 4444 -u root -prootpassword
+          echo 'SELECT @@sql_mode;' | mysql -h 127.0.0.1 -P 4444 -u root -prootpassword

      - name: Set up Nextcloud
        env:
@ -127,11 +127,6 @@ jobs:
          files: ./clover.db.xml
          flags: phpunit-mariadb

-      - name: Print logs
-        if: always()
-        run: |
-          cat data/nextcloud.log
-
  summary:
    permissions:
      contents: none
--- a/.github/workflows/pr-feedback.yml
+++ b/.github/workflows/pr-feedback.yml
@ -35,7 +35,7 @@ jobs:
        with:
          feedback-message: |
            Hello there,
-            Thank you so much for taking the time and effort to create a pull request to our Nextcloud project. 
+            Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

            We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

@ -45,6 +45,6 @@ jobs:

            (If you believe you should not receive this message, you can add yourself to the [blocklist](https://github.com/nextcloud/.github/blob/master/non-community-usernames.txt).)
          days-before-feedback: 14
-          start-date: "2024-04-30"
-          exempt-authors: "${{ steps.blocklist.outputs.blocklist }},${{ steps.scrape.outputs.users }},nextcloud-command,nextcloud-android-bot"
+          start-date: '2024-04-30'
+          exempt-authors: '${{ steps.blocklist.outputs.blocklist }},${{ steps.scrape.outputs.users }},nextcloud-command,nextcloud-android-bot'
          exempt-bots: true
--- a/.github/workflows/update-cacert-bundle.yml
+++ b/.github/workflows/update-cacert-bundle.yml
@ -14,7 +14,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        branches: ["master", "stable29",  "stable28",  "stable27", "stable26", "stable25", "stable24", "stable23", "stable22"]
+        branches: ['master', 'stable29',  'stable28',  'stable27', 'stable26', 'stable25', 'stable24', 'stable23', 'stable22']

    name: update-ca-certificate-bundle-${{ matrix.branches }}

@ -31,12 +31,12 @@ jobs:
        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e
        with:
          token: ${{ secrets.COMMAND_BOT_PAT }}
-          commit-message: "fix(security): Update CA certificate bundle"
+          commit-message: 'fix(security): Update CA certificate bundle'
          committer: GitHub <noreply@github.com>
          author: nextcloud-command <nextcloud-command@users.noreply.github.com>
          signoff: true
-          branch: automated/noid/${{ matrix.branches }}-update-ca-cert-bundle
-          title: "[${{ matrix.branches }}] fix(security): Update CA certificate bundle"
+          branch: 'automated/noid/${{ matrix.branches }}-update-ca-cert-bundle'
+          title: '[${{ matrix.branches }}] fix(security): Update CA certificate bundle'
          body: |
            Auto-generated update of CA certificate bundle from [https://curl.se/docs/caextract.html](https://curl.se/docs/caextract.html)
          labels: |
--- a/.github/workflows/update-code-signing-crl.yml
+++ b/.github/workflows/update-code-signing-crl.yml
@ -14,7 +14,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        branches: ["master", "stable28",  "stable27", "stable26", "stable25", "stable24", "stable23", "stable22"]
+        branches: ['master', 'stable29',  'stable28',  'stable27', 'stable26', 'stable25', 'stable24', 'stable23', 'stable22']

    name: update-code-signing-crl-${{ matrix.branches }}

@ -34,12 +34,12 @@ jobs:
        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e
        with:
          token: ${{ secrets.COMMAND_BOT_PAT }}
-          commit-message: "fix(security): Update code signing revocation list"
+          commit-message: 'fix(security): Update code signing revocation list'
          committer: GitHub <noreply@github.com>
          author: nextcloud-command <nextcloud-command@users.noreply.github.com>
          signoff: true
-          branch: automated/noid/${{ matrix.branches }}-update-code-signing-crl
-          title: "[${{ matrix.branches }}] fix(security): Update code signing revocation list"
+          branch: 'automated/noid/${{ matrix.branches }}-update-code-signing-crl'
+          title: '[${{ matrix.branches }}] fix(security): Update code signing revocation list'
          body: |
            Auto-generated update of code signing revocation list from [Appstore](https://github.com/nextcloud/appstore/commits/master/nextcloudappstore/certificate/nextcloud.crl)
          labels: |
--- a/.github/workflows/update-psalm-baseline.yml
+++ b/.github/workflows/update-psalm-baseline.yml
@ -16,7 +16,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        branches: ["master", "stable29", "stable28", "stable27"]
+        branches: ['master', 'stable29', 'stable28', 'stable27']

    name: update-psalm-baseline-${{ matrix.branches }}

@ -55,12 +55,12 @@ jobs:
        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e
        with:
          token: ${{ secrets.COMMAND_BOT_PAT }}
-          commit-message: "chore(tests): Update psalm baseline"
+          commit-message: 'chore(tests): Update psalm baseline'
          committer: GitHub <noreply@github.com>
          author: nextcloud-command <nextcloud-command@users.noreply.github.com>
          signoff: true
-          branch: automated/noid/${{ matrix.branches }}-update-psalm-baseline
-          title: "[${{ matrix.branches }}] Update psalm-baseline.xml"
+          branch: 'automated/noid/${{ matrix.branches }}-update-psalm-baseline'
+          title: '[${{ matrix.branches }}] Update psalm-baseline.xml'
          body: |
            Auto-generated update psalm-baseline.xml with fixed psalm warnings
          labels: |