Merge pull request #53115 from nextcloud/ci/noid/more-action-hardening

Author: provokateurin

.github/workflows/block-outdated-3rdparty.yml

@@ -56,22 +56,24 @@ jobs:
                 core.exportVariable('server_ref', match[0]);
                 console.log('Setting server_ref to ' + match[0]);
               } else {
-                console.log('Not based on master/main/stable*, so skipping freeze check');
+                console.log('Not based on master/main/stable*, so skipping outdated 3rdparty check');
               }
             }
 
       - name: Last 3rdparty commit on target branch
+        if: ${{ env.server_ref != '' }}
         id: target
         run: |
           echo "commit=$(git ls-remote https://github.com/nextcloud/3rdparty refs/heads/${{ env.server_ref }} | awk '{ print $1}')" >> "$GITHUB_OUTPUT"
 
       - name: Compare if 3rdparty commits are different
+        if: ${{ env.server_ref != '' }}
         run: |
           echo '3rdparty/ seems to not point to the last commit of the dedicated branch:'
           echo 'Branch has: ${{ steps.actual.outputs.commit }}'
           echo '${{ env.server_ref }} has: ${{ steps.target.outputs.commit }}'
 
       - name: Fail if 3rdparty commits are different
-        if: ${{ steps.changes.outputs.src != 'false' && steps.actual.outputs.commit != steps.target.outputs.commit }}
+        if: ${{ env.server_ref != '' && steps.changes.outputs.src != 'false' && steps.actual.outputs.commit != steps.target.outputs.commit }}
         run: |
           exit 1

.github/workflows/command-pull-3rdparty.yml

@@ -61,7 +61,7 @@ jobs:
                 core.exportVariable('server_ref', match[0]);
                 console.log('Setting server_ref to ' + match[0]);
               } else {
-                console.log('Not based on master/main/stable*, so skipping freeze check');
+                console.log('Not based on master/main/stable*, so skipping pull 3rdparty command');
               }
             }
 

.github/workflows/generate-release-changelog.yml

@@ -50,8 +50,9 @@ jobs:
           PREVIOUS_TAG=$(echo "$TAGS" | grep -v 'rc\|beta\|alpha' | sed -n '2p')
           echo "CURRENT_TAG=$CURRENT_TAG" >> $GITHUB_ENV
           echo "PREVIOUS_TAG=$PREVIOUS_TAG" >> $GITHUB_ENV
-          
-      - name: Verify current tag
+
+      # Since this action only runs on nextcloud-releases, ignoring is okay
+      - name: Verify current tag # zizmor: ignore[template-injection]
         run: |
          if [ "${{ github.ref_name }}" != "${{ env.CURRENT_TAG }}" ]; then
            echo "Current tag does not match the release tag. Exiting."
@@ -71,15 +72,17 @@ jobs:
         run: |
           echo '{"username": "github-actions"}' > github_helper/credentials.json
 
-      - name: Generate changelog between ${{ env.PREVIOUS_TAG }} and ${{ github.ref_name }}
+      # Since this action only runs on nextcloud-releases, ignoring is okay
+      - name: Generate changelog between ${{ env.PREVIOUS_TAG }} and ${{ github.ref_name }} # zizmor: ignore[template-injection]
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           cd github_helper/changelog
           composer install
           php index.php generate:changelog --no-bots --format=forum server ${{ env.PREVIOUS_TAG }} ${{ github.ref_name }} > changelog.md
 
-      - name: Set changelog to release
+      # Since this action only runs on nextcloud-releases, ignoring is okay
+      - name: Set changelog to release # zizmor: ignore[template-injection]
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |