ci: Pin more actions, images and permissions

Signed-off-by: Joas Schilling <[email protected]>

Author: nickvergessen

.github/workflows/block-outdated-3rdparty.yml

@@ -32,6 +32,8 @@ jobs:
 
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: 3rdparty commit hash on current branch
         id: actual

.github/workflows/command-pull-3rdparty.yml

@@ -38,8 +38,9 @@ jobs:
         id: comment-branch
 
       - name: Checkout ${{ steps.comment-branch.outputs.head_ref }}
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           fetch-depth: 0
           token: ${{ secrets.COMMAND_BOT_PAT }}
           ref: ${{ steps.comment-branch.outputs.head_ref }}

.github/workflows/files-external-ftp.yml

@@ -6,6 +6,9 @@ on:
   schedule:
     - cron: "5 2 * * *"
 
+permissions:
+  contents: read
+
 concurrency:
   group: files-external-ftp-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
@@ -53,8 +56,9 @@ jobs:
 
     steps:
       - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           submodules: true
 
       - name: Set up ftpd

.github/workflows/files-external-s3.yml

@@ -6,6 +6,9 @@ on:
   schedule:
     - cron: "5 2 * * *"
 
+permissions:
+  contents: read
+
 concurrency:
   group: files-external-s3-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
@@ -50,7 +53,7 @@ jobs:
 
     services:
       minio:
-        image: bitnami/minio
+        image: bitnami/minio@sha256:50cec18ac4184af4671a78aedd5554942c8ae105d51a465fa82037949046da01 # v2025.4.22
         env:
           MINIO_ROOT_USER: nextcloud
           MINIO_ROOT_PASSWORD: bWluaW8tc2VjcmV0LWtleS1uZXh0Y2xvdWQ=
@@ -60,8 +63,9 @@ jobs:
 
     steps:
       - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           submodules: true
 
       - name: Set up php ${{ matrix.php-versions }}
@@ -136,14 +140,15 @@ jobs:
         env:
           SERVICES: s3
           DEBUG: 1
-        image: localstack/localstack
+        image: localstack/localstack@sha256:b52c16663c70b7234f217cb993a339b46686e30a1a5d9279cb5feeb2202f837c # v4.4.0
         ports:
           - "4566:4566"
 
     steps:
       - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           submodules: true
 
       - name: Set up php ${{ matrix.php-versions }}

.github/workflows/files-external-sftp.yml

@@ -6,6 +6,9 @@ on:
   schedule:
     - cron: "5 2 * * *"
 
+permissions:
+  contents: read
+
 concurrency:
   group: files-external-sftp-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
@@ -53,8 +56,9 @@ jobs:
 
     steps:
       - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           submodules: true
 
       - name: Set up sftpd

.github/workflows/files-external-smb-kerberos.yml

@@ -6,6 +6,9 @@ on:
   schedule:
     - cron: "5 2 * * *"
 
+permissions:
+  contents: read
+
 concurrency:
   group: files-external-smb-kerberos-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
@@ -43,13 +46,15 @@ jobs:
 
     steps:
       - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           submodules: true
 
       - name: Checkout user_saml
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           repository: nextcloud/user_saml
           path: apps/user_saml
 

.github/workflows/files-external-smb.yml

@@ -6,6 +6,9 @@ on:
   schedule:
     - cron: "5 2 * * *"
 
+permissions:
+  contents: read
+
 concurrency:
   group: files-external-smb-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
@@ -50,14 +53,15 @@ jobs:
 
     services:
       samba:
-        image: ghcr.io/nextcloud/continuous-integration-samba:latest
+        image: ghcr.io/nextcloud/continuous-integration-samba:latest # zizmor: ignore[unpinned-images]
         ports:
           - 445:445
 
     steps:
       - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           submodules: true
 
       - name: Set up php ${{ matrix.php-versions }}

.github/workflows/files-external-webdav.yml

@@ -6,6 +6,9 @@ on:
   schedule:
     - cron: "5 2 * * *"
 
+permissions:
+  contents: read
+
 concurrency:
   group: files-external-webdav-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
@@ -50,14 +53,15 @@ jobs:
 
     services:
       apache:
-        image: ghcr.io/nextcloud/continuous-integration-webdav-apache:latest
+        image: ghcr.io/nextcloud/continuous-integration-webdav-apache:latest # zizmor: ignore[unpinned-images]
         ports:
           - 8081:80
 
     steps:
       - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           submodules: true
 
       - name: Set up php ${{ matrix.php-versions }}

.github/workflows/files-external.yml

@@ -6,6 +6,9 @@ on:
   schedule:
     - cron: "5 2 * * *"
 
+permissions:
+  contents: read
+
 concurrency:
   group: files-external-generic-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
@@ -49,8 +52,9 @@ jobs:
 
     steps:
       - name: Checkout server
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           submodules: true
 
       - name: Set up php ${{ matrix.php-versions }}

.github/workflows/integration-dav.yml

@@ -4,6 +4,9 @@ name: DAV integration tests
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 concurrency:
   group: integration-caldav-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
@@ -51,8 +54,9 @@ jobs:
 
     steps:
         - name: Checkout server
-          uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+          uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
           with:
+            persist-credentials: false
             submodules: true
 
         - name: Set up php ${{ matrix.php-versions }}
@@ -67,7 +71,7 @@ jobs:
             GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
         - name: Set up Python
-          uses: LizardByte/setup-python-action@master
+          uses: LizardByte/setup-python-action@f4367d0377eceec7e5e26da8f3863dd365b95a94 # v2025.426.160528
           with:
             python-version: '2.7'