Merge pull request #2634 from nextcloud/chore/noid/ghActionHashes

Add hashes to github action versions

.github/workflows/analysis.yml

@@ -28,12 +28,12 @@ jobs:
               echo "::set-output name=pr::${{ github.event.pull_request.number }}"
               echo "::set-output name=repo::${{ github.event.pull_request.head.repo.full_name }}"
           fi
-            -   uses: actions/checkout@v3
+      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
         with:
           repository: ${{ steps.get-vars.outputs.repo }}
           ref: ${{ steps.get-vars.outputs.branch }}
       - name: Set up JDK 11
-                uses: actions/setup-java@v3
+        uses: actions/setup-java@1df8dbefe2a8cbc99770194893dd902763bee34b # v3
         with:
           distribution: "temurin"
           java-version: 11

.github/workflows/assembleFlavors.yml

@@ -4,6 +4,9 @@ on:
   pull_request:
     branches: [ master, stable-* ]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   flavor:
     runs-on: ubuntu-latest
@@ -12,9 +15,9 @@ jobs:
       matrix:
         flavor: [ Generic, Gplay ]
     steps:
-      -   uses: actions/checkout@v3
+      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
       - name: set up JDK 11
-          uses: actions/setup-java@v3
+        uses: actions/setup-java@1df8dbefe2a8cbc99770194893dd902763bee34b # v3
         with:
           distribution: "temurin"
           java-version: 11
@@ -23,7 +26,7 @@ jobs:
           echo "org.gradle.jvmargs=-Xmx2g -XX:MaxMetaspaceSize=512m -XX:+HeapDumpOnOutOfMemoryError" >> gradle.properties
           ./gradlew assemble${{ matrix.flavor }}
       - name: Archive apk
-          uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3
         if: ${{ always() }}
         with:
           name: Nextcloud-APK

.github/workflows/autoApproveDependabot.yml

@@ -3,11 +3,14 @@ on:
   pull_request_target:
     branches: [ master, stable-* ]
 
+permissions:
+  pull-requests: write
+
 jobs:
   auto-approve:
     runs-on: ubuntu-latest
     steps:
-            -   uses: hmarr/auto-approve-action@v3.1.0
+      - uses: hmarr/auto-approve-action@de8ae18c173c131e182d4adf2c874d8d2308a85b # v3.1.0
         if: github.actor == 'dependabot[bot]' || github.actor == 'dependabot-preview[bot]'
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/check.yml

@@ -4,6 +4,9 @@ on:
   pull_request:
     branches: [ master, stable-* ]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   check:
     runs-on: ubuntu-latest
@@ -12,9 +15,9 @@ jobs:
       matrix:
         task: [ detekt, ktlintCheck ]
     steps:
-            -   uses: actions/checkout@v3
+      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
       - name: Set up JDK 11
-                uses: actions/setup-java@v3
+        uses: actions/setup-java@1df8dbefe2a8cbc99770194893dd902763bee34b # v3
         with:
           distribution: "temurin"
           java-version: 11

.github/workflows/command-rebase.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Add reaction on start
-        uses: peter-evans/create-or-update-comment@v2
+        uses: peter-evans/create-or-update-comment@5adcb0bb0f9fb3f95ef05400558bdb3f329ee808 # v2
         with:
           token: ${{ secrets.COMMAND_BOT_PAT }}
           repository: ${{ github.event.repository.full_name }}
@@ -31,18 +31,18 @@ jobs:
           reaction-type: "+1"
 
       - name: Checkout the latest code
-        uses: actions/checkout@v3
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
         with:
           fetch-depth: 0
           token: ${{ secrets.COMMAND_BOT_PAT }}
 
       - name: Automatic Rebase
-        uses: cirrus-actions/rebase@1.7
+        uses: cirrus-actions/rebase@6e572f08c244e2f04f9beb85a943eb618218714d # 1.7
         env:
           GITHUB_TOKEN: ${{ secrets.COMMAND_BOT_PAT }}
 
       - name: Add reaction on failure
-        uses: peter-evans/create-or-update-comment@v2
+        uses: peter-evans/create-or-update-comment@5adcb0bb0f9fb3f95ef05400558bdb3f329ee808 # v2
         if: failure()
         with:
           token: ${{ secrets.COMMAND_BOT_PAT }}

.github/workflows/fixup.yml

@@ -15,6 +15,6 @@ jobs:
 
     steps:
       - name: Run check
-        uses: xt0rted/block-autosquash-commits-action@v2
+        uses: xt0rted/block-autosquash-commits-action@79880c36b4811fe549cfffe20233df88876024e7 # v2
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/gradle-wrapper-validation.yml

@@ -4,10 +4,13 @@ on:
   pull_request:
     branches: [ master, stable-* ]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   validation:
     name: "Validation"
     runs-on: ubuntu-latest
     steps:
-            -   uses: actions/checkout@v3
-            -   uses: gradle/wrapper-validation-action@v1
+      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
+      - uses: gradle/wrapper-validation-action@55e685c48d84285a5b0418cd094606e199cca3b6 # v1

.github/workflows/qa.yml

@@ -4,6 +4,10 @@ on:
   pull_request:
     branches: [ master, stable-* ]
 
+permissions:
+  pull-requests: write
+  contents: read
+
 jobs:
   qa:
     runs-on: ubuntu-latest
@@ -11,11 +15,11 @@ jobs:
       - name: Check if secrets are available
         run: echo "::set-output name=ok::${{ secrets.KS_PASS != '' }}"
         id: check-secrets
-            -   uses: actions/checkout@v3
+      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
         if: ${{ steps.check-secrets.outputs.ok == 'true' }}
       - name: set up JDK 11
+        uses: actions/setup-java@1df8dbefe2a8cbc99770194893dd902763bee34b # v3
         if: ${{ steps.check-secrets.outputs.ok == 'true' }}
-                uses: actions/setup-java@v3
         with:
           distribution: "temurin"
           java-version: 11

.github/workflows/stale.yml

@@ -22,7 +22,5 @@ jobs:
           only-labels: 'bug,needs info'
           exempt-issue-labels: 'no-stale'
           stale-issue-message: >-
-            This bug report did not receive an update in the last 4 weeks.
-            Please take a look again and update the issue with new details,
-            otherwise the issue will be automatically closed in 2 weeks. Thank you!
+            This bug report did not receive an update in the last 4 weeks. Please take a look again and update the issue with new details, otherwise the issue will be automatically closed in 2 weeks. Thank you!
           exempt-all-pr-milestones: true