From 1907bca23a4bac1a30945589fc2332b78a9c63ea Mon Sep 17 00:00:00 2001
From: Marcel Hibbe <dev@mhibbe.de>
Date: Mon, 17 Mar 2025 11:09:50 +0100
Subject: [PATCH] update workflows

see https://github.com/nextcloud/.github?tab=readme-ov-file#update-workflows-with-a-script

Signed-off-by: Marcel Hibbe <dev@mhibbe.de>
---
 .github/workflows/pr-feedback.yml            | 2 +-
 .github/workflows/renovate-approve-merge.yml | 6 +++---
 .github/workflows/reuse.yml                  | 3 +++
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/pr-feedback.yml b/.github/workflows/pr-feedback.yml
index 7d4966907..98e9fada7 100644
--- a/.github/workflows/pr-feedback.yml
+++ b/.github/workflows/pr-feedback.yml
@@ -36,7 +36,7 @@ jobs:
           blocklist=$(curl https://raw.githubusercontent.com/nextcloud/.github/master/non-community-usernames.txt | paste -s -d, -)
           echo "blocklist=$blocklist" >> "$GITHUB_OUTPUT"
 
-      - uses: marcelklehr/pr-feedback-action@1883b38a033fb16f576875e0cf45f98b857655c4
+      - uses: nextcloud/pr-feedback-action@1883b38a033fb16f576875e0cf45f98b857655c4 # main
         with:
           feedback-message: |
             Hello there,
diff --git a/.github/workflows/renovate-approve-merge.yml b/.github/workflows/renovate-approve-merge.yml
index 48b98e91a..ccfed3974 100644
--- a/.github/workflows/renovate-approve-merge.yml
+++ b/.github/workflows/renovate-approve-merge.yml
@@ -9,7 +9,7 @@
 name: Auto approve renovate PRs
 
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers]
     branches:
       - main
       - master
@@ -24,7 +24,7 @@ concurrency:
 
 jobs:
   auto-approve-merge:
-    if: github.actor == 'renovate[bot]'
+    if: github.event.pull_request.user.login == 'renovate[bot]'
     runs-on: ubuntu-latest
     permissions:
       # for hmarr/auto-approve-action to approve PRs
@@ -52,7 +52,7 @@ jobs:
 
       # Enable GitHub auto merge
       - name: Auto merge
-        uses: alexwilson/enable-github-automerge-action@main
+        uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff # v2.0.0
         if: startsWith(steps.branchname.outputs.branch, 'renovate/')
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml
index b6828556a..0d8e1962a 100644
--- a/.github/workflows/reuse.yml
+++ b/.github/workflows/reuse.yml
@@ -11,6 +11,9 @@ name: REUSE Compliance Check
 
 on: [pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   reuse-compliance-check:
     runs-on: ubuntu-latest