diff --git a/.github/workflows/ai-policy.yml b/.github/workflows/ai-policy.yml index c86be86..b3d1ae9 100644 --- a/.github/workflows/ai-policy.yml +++ b/.github/workflows/ai-policy.yml @@ -32,7 +32,9 @@ jobs: - name: Collect PR commit messages id: collect env: - GH_TOKEN: ${{ github.token }} + # Fall back to the default token when the PAT is unavailable + # (e.g. Dependabot- or fork-triggered runs don't receive Actions secrets) + GH_TOKEN: ${{ secrets.COMMAND_BOT_PAT || github.token }} COMMITS_URL: ${{ github.event.pull_request.commits_url }} run: | set -euo pipefail @@ -125,7 +127,9 @@ jobs: - name: Create 'AI assisted' label if absent if: steps.ai_trailers.outputs.ai_assisted == 'true' || steps.agent_signoff.outputs.agent_signoff == 'true' || steps.co_authored.outputs.co_authored == 'true' env: - GH_TOKEN: ${{ github.token }} + # Fall back to the default token when the PAT is unavailable + # (e.g. Dependabot- or fork-triggered runs don't receive Actions secrets) + GH_TOKEN: ${{ secrets.COMMAND_BOT_PAT || github.token }} run: | gh api "repos/${{ github.repository }}/labels" \ --method POST \ @@ -137,11 +141,13 @@ jobs: - name: Label PR as AI assisted if: steps.ai_trailers.outputs.ai_assisted == 'true' || steps.agent_signoff.outputs.agent_signoff == 'true' || steps.co_authored.outputs.co_authored == 'true' env: - GH_TOKEN: ${{ github.token }} + # Fall back to the default token when the PAT is unavailable + # (e.g. Dependabot- or fork-triggered runs don't receive Actions secrets) + GH_TOKEN: ${{ secrets.COMMAND_BOT_PAT || github.token }} run: | - gh pr edit "${{ github.event.pull_request.number }}" \ - --repo "${{ github.repository }}" \ - --add-label "AI assisted" + gh api "repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels" \ + --method POST \ + -f "labels[]=AI assisted" echo "Added 'AI assisted' label to PR #${{ github.event.pull_request.number }}" - name: Fail on coding-agent Signed-off-by diff --git a/.github/workflows/dispatch-workflow-repo.yml b/.github/workflows/dispatch-workflow-repo.yml index c6dda7f..39832e8 100644 --- a/.github/workflows/dispatch-workflow-repo.yml +++ b/.github/workflows/dispatch-workflow-repo.yml @@ -69,7 +69,7 @@ jobs: if [ -f "$workflow" ]; then filename=$(basename "$workflow") target_file="./target/.github/workflows/$filename" - + # Only copy if the file exists in the target repository if [ -f "$target_file" ]; then echo "Updating existing workflow: $filename" diff --git a/workflow-templates/ai-policy.yml b/workflow-templates/ai-policy.yml index c86be86..b3d1ae9 100644 --- a/workflow-templates/ai-policy.yml +++ b/workflow-templates/ai-policy.yml @@ -32,7 +32,9 @@ jobs: - name: Collect PR commit messages id: collect env: - GH_TOKEN: ${{ github.token }} + # Fall back to the default token when the PAT is unavailable + # (e.g. Dependabot- or fork-triggered runs don't receive Actions secrets) + GH_TOKEN: ${{ secrets.COMMAND_BOT_PAT || github.token }} COMMITS_URL: ${{ github.event.pull_request.commits_url }} run: | set -euo pipefail @@ -125,7 +127,9 @@ jobs: - name: Create 'AI assisted' label if absent if: steps.ai_trailers.outputs.ai_assisted == 'true' || steps.agent_signoff.outputs.agent_signoff == 'true' || steps.co_authored.outputs.co_authored == 'true' env: - GH_TOKEN: ${{ github.token }} + # Fall back to the default token when the PAT is unavailable + # (e.g. Dependabot- or fork-triggered runs don't receive Actions secrets) + GH_TOKEN: ${{ secrets.COMMAND_BOT_PAT || github.token }} run: | gh api "repos/${{ github.repository }}/labels" \ --method POST \ @@ -137,11 +141,13 @@ jobs: - name: Label PR as AI assisted if: steps.ai_trailers.outputs.ai_assisted == 'true' || steps.agent_signoff.outputs.agent_signoff == 'true' || steps.co_authored.outputs.co_authored == 'true' env: - GH_TOKEN: ${{ github.token }} + # Fall back to the default token when the PAT is unavailable + # (e.g. Dependabot- or fork-triggered runs don't receive Actions secrets) + GH_TOKEN: ${{ secrets.COMMAND_BOT_PAT || github.token }} run: | - gh pr edit "${{ github.event.pull_request.number }}" \ - --repo "${{ github.repository }}" \ - --add-label "AI assisted" + gh api "repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels" \ + --method POST \ + -f "labels[]=AI assisted" echo "Added 'AI assisted' label to PR #${{ github.event.pull_request.number }}" - name: Fail on coding-agent Signed-off-by diff --git a/workflow-templates/cypress.yml b/workflow-templates/cypress.yml index 37be7c6..ecc088e 100644 --- a/workflow-templates/cypress.yml +++ b/workflow-templates/cypress.yml @@ -55,7 +55,9 @@ jobs: - name: Install composer dependencies if: steps.check_composer.outputs.files_exists == 'true' - run: composer install --no-dev + uses: ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda # 4.0.0 + with: + composer-options: '--no-dev' - name: Set up node uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 diff --git a/workflow-templates/phpstan.yml b/workflow-templates/phpstan.yml index 7c1f25d..fc89a06 100644 --- a/workflow-templates/phpstan.yml +++ b/workflow-templates/phpstan.yml @@ -47,12 +47,14 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Install dependencies + - name: Remove nextcloud/ocp run: | composer remove nextcloud/ocp --dev --no-scripts - composer i - - name: Install nextcloud/ocp + - name: Install composer dependencies + uses: ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda # 4.0.0 + + - name: Install nextcloud/ocp:dev-${{ steps.versions.outputs.branches-max }} run: composer require --dev nextcloud/ocp:dev-${{ steps.versions.outputs.branches-max }} --ignore-platform-reqs --with-dependencies - name: Run coding standards check diff --git a/workflow-templates/rector-apply.yml b/workflow-templates/rector-apply.yml index 48a746a..c61c5b1 100644 --- a/workflow-templates/rector-apply.yml +++ b/workflow-templates/rector-apply.yml @@ -45,10 +45,12 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Install dependencies + - name: Remove nextcloud/ocp run: | composer remove nextcloud/ocp --dev --no-scripts - composer i + + - name: Install composer dependencies + uses: ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda # 4.0.0 - name: Rector run: composer run rector diff --git a/workflow-templates/release-relay.properties.json b/workflow-templates/release-relay.properties.json new file mode 100644 index 0000000..53bdc97 --- /dev/null +++ b/workflow-templates/release-relay.properties.json @@ -0,0 +1,5 @@ +{ + "name": "Release Relay", + "description": "Dispatches the repository information and tag of a release to a relay for further release processing", + "iconName": "octicon robot" +} diff --git a/workflow-templates/release-relay.yml b/workflow-templates/release-relay.yml new file mode 100644 index 0000000..0890831 --- /dev/null +++ b/workflow-templates/release-relay.yml @@ -0,0 +1,38 @@ +# This workflow is provided via the organization template repository +# +# https://github.com/nextcloud/.github +# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization +# +# SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors +# SPDX-License-Identifier: MIT + +name: Notify release-relay on release + +on: + release: + types: [published] + +permissions: + contents: read + +jobs: + notify: + name: Dispatch release to release-relay + runs-on: ubuntu-latest + + # Only allowed to run on nextcloud-releases repositories + if: ${{ github.repository_owner == 'nextcloud-releases' }} + + steps: + - name: Check actor permission + uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v3.0 + with: + require: write + + - name: Dispatch to release-relay + uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 + with: + token: ${{ secrets.DISPATCH_PAT }} + repository: nextcloud-gmbh/release-relay + event-type: app-tagged + client-payload: '{"app": "${{ github.repository }}", "tag": "${{ github.event.release.tag_name }}"}'