fix(actions): Harden workflows when using variables in strings

Signed-off-by: Joas Schilling <coding@schilljs.com>
nextcloud · Jun 7, 2024 · c2073b0 · c2073b0
1 parent 3237123
commit c2073b0
Show file tree

Hide file tree

Showing 22 changed files with 78 additions and 87 deletions.
diff --git a/.github/workflows/block-merge-eol.yml b/.github/workflows/block-merge-eol.yml
@@ -26,15 +26,15 @@ jobs:
     runs-on: ubuntu-latest-low
 
     steps:
-      - name: Download updater config
-        run: curl https://raw.githubusercontent.com/nextcloud/updater_server/production/config/config.php --output config.php
-
       - name: Set server major version environment
         run: |
           # retrieve version number from branch reference
           server_major=$(echo "${{ github.base_ref }}" | sed -En 's/stable//p')
           echo "server_major=$server_major" >> $GITHUB_ENV
+          echo "current_month=$(date +%Y-%m)" >> $GITHUB_ENV
 
       - name: Checking if ${{ env.server_major }} is EOL
         run: |
-          php -r 'echo json_encode(require_once "config.php");' | jq --arg version "${{ env.server_major }}" '.stable[$version]["100"].eol // .beta[$version]["100"].eol // "NotEOL"' | grep -q "NotEOL"
+          curl -s https://raw.githubusercontent.com/nextcloud-releases/updater_server/production/config/major_versions.json \
+            | jq '.["${{ env.server_major }}"]["eol"] // "9999-99" | . >= "${{ env.current_month }}"' \
+            | grep -q true
diff --git a/.github/workflows/block-merge-freeze.yml b/.github/workflows/block-merge-freeze.yml
@@ -29,7 +29,7 @@ jobs:
 
     steps:
       - name: Download version.php from ${{ github.base_ref }}
-        run: curl https://raw.githubusercontent.com/nextcloud/server/${{ github.base_ref }}/version.php --output version.php
+        run: curl 'https://raw.githubusercontent.com/nextcloud/server/${{ github.base_ref }}/version.php' --output version.php
 
       - name: Run check
         run: cat version.php | grep 'OC_VersionString' | grep -i -v 'RC'
diff --git a/.github/workflows/block-outdated-3rdparty.yml b/.github/workflows/block-outdated-3rdparty.yml
@@ -46,8 +46,8 @@ jobs:
       - name: Compare if 3rdparty commits are different
         run: |
           echo '3rdparty/ seems to not point to the last commit of the dedicated branch:'
-          echo "Branch has: ${{ steps.actual.outputs.commit }}"
-          echo "${{ github.base_ref }} has: ${{ steps.target.outputs.commit }}"
+          echo 'Branch has: ${{ steps.actual.outputs.commit }}'
+          echo '${{ github.base_ref }} has: ${{ steps.target.outputs.commit }}'
 
       - name: Fail if 3rdparty commits are different
         if: ${{ steps.changes.outputs.src != 'false' && steps.actual.outputs.commit != steps.target.outputs.commit }}

diff --git a/.github/workflows/command-compile.yml b/.github/workflows/command-compile.yml
@@ -37,7 +37,7 @@ jobs:
           token: ${{ secrets.COMMAND_BOT_PAT }}
           repository: ${{ github.event.repository.full_name }}
           comment-id: ${{ github.event.comment.id }}
-          reactions: "+1"
+          reactions: '+1'
 
       - name: Parse command
         uses: skjnldsv/parse-command-comment@5c955203c52424151e6d0e58fb9de8a9f6a605a1 # v2
@@ -77,8 +77,8 @@ jobs:
 
       - name: Setup git
         run: |
-          git config --local user.email "nextcloud-command@users.noreply.github.com"
-          git config --local user.name "nextcloud-command"
+          git config --local user.email 'nextcloud-command@users.noreply.github.com'
+          git config --local user.name 'nextcloud-command'
 
       - name: Read package.json node and npm engines version
         uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3
@@ -94,13 +94,13 @@ jobs:
           cache: npm
 
       - name: Set up npm ${{ steps.package-engines-versions.outputs.npmVersion }}
-        run: npm i -g npm@"${{ steps.package-engines-versions.outputs.npmVersion }}"
+        run: npm i -g 'npm@${{ steps.package-engines-versions.outputs.npmVersion }}'
 
       - name: Rebase to ${{ needs.init.outputs.base_ref }}
         if: ${{ contains(needs.init.outputs.arg1, 'rebase') }}
         run: |
-          git fetch origin ${{ needs.init.outputs.base_ref }}:${{ needs.init.outputs.base_ref }}
-          git rebase origin/${{ needs.init.outputs.base_ref }}
+          git fetch origin '${{ needs.init.outputs.base_ref }}:${{ needs.init.outputs.base_ref }}'
+          git rebase 'origin/${{ needs.init.outputs.base_ref }}'
 
       - name: Install dependencies & build
         env:
@@ -113,30 +113,30 @@ jobs:
       - name: Commit default
         if: ${{ !contains(needs.init.outputs.arg1, 'fixup') && !contains(needs.init.outputs.arg1, 'amend') }}
         run: |
-          git add ${{ github.workspace }}${{ needs.init.outputs.git_path }}
+          git add '${{ github.workspace }}${{ needs.init.outputs.git_path }}'
           git commit --signoff -m 'chore(assets): Recompile assets'
  
       - name: Commit fixup
         if: ${{ contains(needs.init.outputs.arg1, 'fixup') }}
         run: |
-          git add ${{ github.workspace }}${{ needs.init.outputs.git_path }}
+          git add '${{ github.workspace }}${{ needs.init.outputs.git_path }}'
           git commit --fixup=HEAD --signoff
 
       - name: Commit amend
         if: ${{ contains(needs.init.outputs.arg1, 'amend') }}
         run: |
-          git add ${{ github.workspace }}${{ needs.init.outputs.git_path }}
+          git add '${{ github.workspace }}${{ needs.init.outputs.git_path }}'
           git commit --amend --no-edit --signoff
           # Remove any [skip ci] from the amended commit
           git commit --amend -m "$(git log -1 --format='%B' | sed '/\[skip ci\]/d')"
  
       - name: Push normally
         if: ${{ !contains(needs.init.outputs.arg1, 'rebase') && !contains(needs.init.outputs.arg1, 'amend') }}
-        run: git push origin ${{ needs.init.outputs.head_ref }}
+        run: git push origin '${{ needs.init.outputs.head_ref }}'
 
       - name: Force push
         if: ${{ contains(needs.init.outputs.arg1, 'rebase') || contains(needs.init.outputs.arg1, 'amend') }}
-        run: git push --force origin ${{ needs.init.outputs.head_ref }}
+        run: git push --force origin '${{ needs.init.outputs.head_ref }}'
 
       - name: Add reaction on failure
         uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0

diff --git a/.github/workflows/command-pull-3rdparty.yml b/.github/workflows/command-pull-3rdparty.yml
@@ -25,7 +25,7 @@ jobs:
           token: ${{ secrets.COMMAND_BOT_PAT }}
           repository: ${{ github.event.repository.full_name }}
           comment-id: ${{ github.event.comment.id }}
-          reactions: "+1"
+          reactions: '+1'
 
       - name: Init branch
         uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v1
@@ -40,16 +40,16 @@ jobs:
 
       - name: Setup git
         run: |
-          git config --local user.email "nextcloud-command@users.noreply.github.com"
-          git config --local user.name "nextcloud-command"
+          git config --local user.email 'nextcloud-command@users.noreply.github.com'
+          git config --local user.name 'nextcloud-command'
 
       - name: Pull 3rdparty
-        run: git submodule foreach 'if [ "$sm_path" == "3rdparty" ]; then git pull origin ${{ github.event.issue.pull_request.base.ref }}; fi'
+        run: git submodule foreach 'if [ "$sm_path" == "3rdparty" ]; then git pull origin '"'"'${{ github.event.issue.pull_request.base.ref }}'"'"'; fi'
 
       - name: Commit and push changes
         run: |
           git add 3rdparty
-          git commit -s -m "Update submodule 3rdparty to latest ${{ github.event.issue.pull_request.base.ref }}"
+          git commit -s -m 'Update submodule 3rdparty to latest ${{ github.event.issue.pull_request.base.ref }}'
           git push
 
       - name: Add reaction on failure
@@ -59,4 +59,4 @@ jobs:
           token: ${{ secrets.COMMAND_BOT_PAT }}
           repository: ${{ github.event.repository.full_name }}
           comment-id: ${{ github.event.comment.id }}
-          reactions: "-1"
+          reactions: '-1'
diff --git a/.github/workflows/cypress.yml b/.github/workflows/cypress.yml
@@ -17,6 +17,7 @@ concurrency:
 env:
   # Adjust APP_NAME if your repository name is different
   APP_NAME: ${{ github.event.repository.name }}
+
   # Server requires head_ref instead of base_ref, as we want to test the PR branch
   BRANCH: ${{ github.head_ref || github.ref_name }}
 
@@ -52,15 +53,15 @@ jobs:
         id: versions
         with:
           fallbackNode: "^20"
-          fallbackNpm: "^9"
+          fallbackNpm: "^10"
 
       - name: Set up node ${{ steps.versions.outputs.nodeVersion }}
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: ${{ steps.versions.outputs.nodeVersion }}
 
       - name: Set up npm ${{ steps.versions.outputs.npmVersion }}
-        run: npm i -g npm@"${{ steps.versions.outputs.npmVersion }}"
+        run: npm i -g 'npm@${{ steps.versions.outputs.npmVersion }}'
 
       - name: Install node dependencies & build app
         run: |
@@ -85,9 +86,9 @@ jobs:
       matrix:
         # Run multiple copies of the current job in parallel
         # Please increase the number or runners as your tests suite grows (0 based index for e2e tests)
-        containers: ["component", 0, 1, 2, 3, 4, 5]
+        containers: ["component", '0', '1', '2', '3', '4', '5']
         # Hack as strategy.job-total includes the component and GitHub does not allow math expressions
-        # Always aling this number with the total of e2e runners (max. index + 1)
+        # Always align this number with the total of e2e runners (max. index + 1)
         total-containers: [6]
 
     name: runner ${{ matrix.containers }}
@@ -106,7 +107,7 @@ jobs:
           node-version: ${{ needs.init.outputs.nodeVersion }}
 
       - name: Set up npm ${{ needs.init.outputs.npmVersion }}
-        run: npm i -g npm@"${{ needs.init.outputs.npmVersion }}"
+        run: npm i -g 'npm@${{ needs.init.outputs.npmVersion }}'
 
       - name: Run ${{ matrix.containers == 'component' && 'component' || 'E2E' }} cypress tests
         uses: cypress-io/github-action@f88a151c986cab2e339cdbede6a5c4468bb62c17 # v6.7.0

diff --git a/.github/workflows/dependabot-approve-merge.yml b/.github/workflows/dependabot-approve-merge.yml
@@ -31,7 +31,7 @@ jobs:
       pull-requests: write
 
     steps:
-      # Github actions bot approve
+      # GitHub actions bot approve
       - uses: hmarr/auto-approve-action@b40d6c9ed2fa10c9a2749eca7eb004418a705501 # v2
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/files-external-s3.yml b/.github/workflows/files-external-s3.yml
@@ -56,7 +56,7 @@ jobs:
           MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ=
           MINIO_DEFAULT_BUCKETS: nextcloud
         ports:
-          - "9000:9000"
+          - '9000:9000'
 
     steps:
       - name: Checkout server

diff --git a/.github/workflows/files-external-sftp.yml b/.github/workflows/files-external-sftp.yml
@@ -61,7 +61,7 @@ jobs:
         run: |
           sudo mkdir /tmp/sftp
           sudo chown -R 0777 /tmp/sftp
-          if [[ "${{ matrix.sftpd }}" == 'openssh' ]]; then docker run -p 2222:22 --name sftp -d -v /tmp/sftp:/home/test atmoz/sftp "test:test:::data"; fi
+          if [[ '${{ matrix.sftpd }}' == 'openssh' ]]; then docker run -p 2222:22 --name sftp -d -v /tmp/sftp:/home/test atmoz/sftp 'test:test:::data'; fi
 
       - name: Set up php ${{ matrix.php-versions }}
         uses: shivammathur/setup-php@c5fc0d8281aba02c7fda07d3a70cc5371548067d #v2.25.2

diff --git a/.github/workflows/lint-eslint.yml b/.github/workflows/lint-eslint.yml
@@ -8,8 +8,7 @@
 
 name: Lint eslint
 
-on:
-  pull_request:
+on: pull_request
 
 permissions:
   contents: read
@@ -61,15 +60,15 @@ jobs:
         id: versions
         with:
           fallbackNode: '^20'
-          fallbackNpm: '^9'
+          fallbackNpm: '^10'
 
       - name: Set up node ${{ steps.versions.outputs.nodeVersion }}
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ steps.versions.outputs.nodeVersion }}
 
       - name: Set up npm ${{ steps.versions.outputs.npmVersion }}
-        run: npm i -g npm@"${{ steps.versions.outputs.npmVersion }}"
+        run: npm i -g 'npm@${{ steps.versions.outputs.npmVersion }}'
 
       - name: Install dependencies
         env:

diff --git a/.github/workflows/lint-php-cs.yml b/.github/workflows/lint-php-cs.yml
@@ -50,10 +50,11 @@ jobs:
       - name: Checkout
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
-      - name: Set up php
+      - name: Set up php8.1
         uses: shivammathur/setup-php@c665c7a15b5295c2488ac8a87af9cb806cd72198 # v2
         with:
           php-version: 8.1
+          extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite
           coverage: none
           ini-file: development
         env:

diff --git a/.github/workflows/lint-php.yml b/.github/workflows/lint-php.yml
@@ -8,8 +8,7 @@
 
 name: Lint php
 
-on:
-  pull_request:
+on: pull_request
 
 permissions:
   contents: read
@@ -21,10 +20,8 @@ concurrency:
 jobs:
   changes:
     runs-on: ubuntu-latest-low
-
     outputs:
       src: ${{ steps.changes.outputs.src}}
-
     steps:
       - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
         id: changes
@@ -50,7 +47,7 @@ jobs:
 
     strategy:
       matrix:
-        php-versions: [ "8.1", "8.2", "8.3" ]
+        php-versions: [ '8.1', '8.2', '8.3' ]
 
     name: php-lint
 

diff --git a/.github/workflows/node-test.yml b/.github/workflows/node-test.yml
@@ -88,7 +88,7 @@ jobs:
           node-version: ${{ needs.versions.outputs.nodeVersion }}
 
       - name: Set up npm ${{ needs.versions.outputs.npmVersion }}
-        run: npm i -g npm@"${{ needs.versions.outputs.npmVersion }}"
+        run: npm i -g 'npm@${{ needs.versions.outputs.npmVersion }}'
 
       - name: Install dependencies & build
         run: |
@@ -122,7 +122,7 @@ jobs:
           node-version: ${{ needs.versions.outputs.nodeVersion }}
 
       - name: Set up npm ${{ needs.versions.outputs.npmVersion }}
-        run: npm i -g npm@"${{ needs.versions.outputs.npmVersion }}"
+        run: npm i -g 'npm@${{ needs.versions.outputs.npmVersion }}'
 
       - name: Install dependencies
         run: npm ci
@@ -150,7 +150,7 @@ jobs:
           node-version: ${{ needs.versions.outputs.nodeVersion }}
 
       - name: Set up npm ${{ needs.versions.outputs.npmVersion }}
-        run: npm i -g npm@"${{ needs.versions.outputs.npmVersion }}"
+        run: npm i -g 'npm@${{ needs.versions.outputs.npmVersion }}'
 
       - name: Install dependencies
         run: npm ci

diff --git a/.github/workflows/node.yml b/.github/workflows/node.yml
@@ -8,8 +8,7 @@
 
 name: Node
 
-on:
-  pull_request:
+on: pull_request
 
 permissions:
   contents: read
@@ -58,15 +57,15 @@ jobs:
         id: versions
         with:
           fallbackNode: '^20'
-          fallbackNpm: '^9'
+          fallbackNpm: '^10'
 
       - name: Set up node ${{ steps.versions.outputs.nodeVersion }}
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ steps.versions.outputs.nodeVersion }}
 
       - name: Set up npm ${{ steps.versions.outputs.npmVersion }}
-        run: npm i -g npm@"${{ steps.versions.outputs.npmVersion }}"
+        run: npm i -g 'npm@${{ steps.versions.outputs.npmVersion }}'
 
       - name: Install dependencies & build
         env: