From 214db147adbb117bda8aad41e7b156f686f254e2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 Apr 2026 01:04:59 +0000 Subject: [PATCH 1/4] build(deps): bump actions/cache in /workflow-templates Bumps [actions/cache](https://github.com/actions/cache) from 5.0.4 to 5.0.5. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/668228422ae6a00e4ad889ee87cd7109ec5666a7...27d5ce7f107fe9357f9df03efb73ab90386fccae) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- workflow-templates/command-compile.yml | 2 +- workflow-templates/command-openapi.yml | 2 +- workflow-templates/cypress.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/workflow-templates/command-compile.yml b/workflow-templates/command-compile.yml index f236822..b3989ff 100644 --- a/workflow-templates/command-compile.yml +++ b/workflow-templates/command-compile.yml @@ -97,7 +97,7 @@ jobs: steps: - name: Restore cached git repository - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: .git key: git-repo diff --git a/workflow-templates/command-openapi.yml b/workflow-templates/command-openapi.yml index 20325da..97f4c69 100644 --- a/workflow-templates/command-openapi.yml +++ b/workflow-templates/command-openapi.yml @@ -97,7 +97,7 @@ jobs: steps: - name: Restore cached git repository - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: .git key: git-repo 
diff --git a/workflow-templates/cypress.yml b/workflow-templates/cypress.yml index 3eff029..b67071a 100644 --- a/workflow-templates/cypress.yml +++ b/workflow-templates/cypress.yml @@ -81,7 +81,7 @@ jobs: TESTING=true npm run build --if-present - name: Save context - uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: key: cypress-context-${{ github.run_id }} path: ./ @@ -101,7 +101,7 @@ jobs: steps: - name: Restore context - uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: fail-on-cache-miss: true key: cypress-context-${{ github.run_id }} From 351a8b7f58a9d571dd1ad5134d8044c681be88c1 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Tue, 21 Apr 2026 07:45:58 +0200 Subject: [PATCH 2/4] fix(psalm-phpstan): Remove roave/security-advisories Signed-off-by: Joas Schilling --- workflow-templates/phpstan.yml | 3 --- workflow-templates/psalm-matrix.yml | 3 --- workflow-templates/psalm.yml | 3 --- 3 files changed, 9 deletions(-) diff --git a/workflow-templates/phpstan.yml b/workflow-templates/phpstan.yml index 6244932..cba8d41 100644 --- a/workflow-templates/phpstan.yml +++ b/workflow-templates/phpstan.yml @@ -52,9 +52,6 @@ jobs: composer remove nextcloud/ocp --dev --no-scripts composer i - - name: Check for vulnerable PHP dependencies - run: composer require --dev roave/security-advisories:dev-latest - - name: Install nextcloud/ocp run: composer require --dev nextcloud/ocp:dev-${{ steps.versions.outputs.branches-max }} --ignore-platform-reqs --with-dependencies diff --git a/workflow-templates/psalm-matrix.yml b/workflow-templates/psalm-matrix.yml index b22a423..8d6603e 100644 --- a/workflow-templates/psalm-matrix.yml +++ b/workflow-templates/psalm-matrix.yml 
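Review bot: With the `Check for vulnerable PHP dependencies` step removed, the phpstan job no longer fails when an installed package has a published advisory, and the commit message gives no replacement; the same step is dropped in the psalm-matrix.yml and psalm.yml hunks. Requiring roave/security-advisories at dev-latest was a noisy way to get that gate, since it makes `composer require` fail for reasons unrelated to the package being added, but the check itself still matters in jobs that pull in nextcloud/ocp with `--with-dependencies`. If no other workflow covers it, a lighter equivalent is a step after `composer i`: `- name: Audit PHP dependencies` / `run: composer audit`, which is read-only and uses Composer's built-in advisory data. If the removal is deliberate because the check lives elsewhere, saying so in the commit message would save the next reader the question.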
@@ -67,9 +67,6 @@ jobs: composer remove nextcloud/ocp --dev --no-scripts composer i - - name: Check for vulnerable PHP dependencies - run: composer require --dev roave/security-advisories:dev-latest - - name: Install dependencies # zizmor: ignore[template-injection] run: composer require --dev 'nextcloud/ocp:${{ matrix.ocp-version }}' --ignore-platform-reqs --with-dependencies diff --git a/workflow-templates/psalm.yml b/workflow-templates/psalm.yml index d69fd28..4d4a4ec 100644 --- a/workflow-templates/psalm.yml +++ b/workflow-templates/psalm.yml @@ -52,9 +52,6 @@ jobs: composer remove nextcloud/ocp --dev --no-scripts composer i - - name: Check for vulnerable PHP dependencies - run: composer require --dev roave/security-advisories:dev-latest - - name: Install nextcloud/ocp run: composer require --dev nextcloud/ocp:dev-${{ steps.versions.outputs.branches-max }} --ignore-platform-reqs --with-dependencies From 1eaf9a6a94eb7e537857c31ddf029c04c2d910bb Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Tue, 21 Apr 2026 08:28:04 +0200 Subject: [PATCH 3/4] ci(zizmor): Remove adjusted secrets-outside-env rule Signed-off-by: Joas Schilling --- .github/workflows/dispatch-workflow-org.yml | 4 ++-- .github/workflows/dispatch-workflow-repo.yml | 2 +- .github/workflows/dispatch-workflow.yml | 2 +- workflow-templates/appstore-build-publish.yml | 6 +++--- workflow-templates/command-compile.yml | 8 ++++---- workflow-templates/command-openapi.yml | 8 ++++---- workflow-templates/cypress.yml | 12 ++++++------ workflow-templates/npm-audit-fix.yml | 2 +- workflow-templates/rector-apply.yml | 2 +- workflow-templates/sync-workflow-templates.yml | 2 +- workflow-templates/update-nextcloud-ocp-matrix.yml | 2 +- workflow-templates/update-nextcloud-ocp.yml | 2 +- 12 files changed, 26 insertions(+), 26 deletions(-) diff --git a/.github/workflows/dispatch-workflow-org.yml b/.github/workflows/dispatch-workflow-org.yml index 632a15d..f49b0b6 100644 
--- a/.github/workflows/dispatch-workflow-org.yml +++ b/.github/workflows/dispatch-workflow-org.yml @@ -25,7 +25,7 @@ jobs: - name: Get all repositories id: get-repos env: - GH_TOKEN: ${{ secrets.TEMPLATE_WORKFLOW_DISPATCH_PAT }} # zizmor: ignore[secrets-outside-env] + GH_TOKEN: ${{ secrets.TEMPLATE_WORKFLOW_DISPATCH_PAT }} run: | repositories=$(gh api \ --paginate \ @@ -45,7 +45,7 @@ jobs: steps: - name: Dispatch update workflow env: - GH_TOKEN: ${{ secrets.TEMPLATE_WORKFLOW_DISPATCH_PAT }} # zizmor: ignore[secrets-outside-env] + GH_TOKEN: ${{ secrets.TEMPLATE_WORKFLOW_DISPATCH_PAT }} run: | gh workflow run dispatch-workflow-repo.yml \ --repo ${{ github.repository }} \ diff --git a/.github/workflows/dispatch-workflow-repo.yml b/.github/workflows/dispatch-workflow-repo.yml index e42adb0..198f9bf 100644 --- a/.github/workflows/dispatch-workflow-repo.yml +++ b/.github/workflows/dispatch-workflow-repo.yml @@ -93,4 +93,4 @@ jobs: signoff: true title: '[${{ github.event.inputs.branch }}] ci: update all workflow templates from organization template repository' labels: dependencies - token: ${{ secrets.TEMPLATE_WORKFLOW_DISPATCH_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.TEMPLATE_WORKFLOW_DISPATCH_PAT }} diff --git a/.github/workflows/dispatch-workflow.yml b/.github/workflows/dispatch-workflow.yml index 058b553..8271820 100644 --- a/.github/workflows/dispatch-workflow.yml +++ b/.github/workflows/dispatch-workflow.yml @@ -109,4 +109,4 @@ jobs: signoff: true title: 'ci: update ${{ github.event.inputs.name }} workflow from template' labels: dependencies - token: ${{ secrets.TEMPLATE_WORKFLOW_DISPATCH_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.TEMPLATE_WORKFLOW_DISPATCH_PAT }} diff --git a/workflow-templates/appstore-build-publish.yml b/workflow-templates/appstore-build-publish.yml index 1e6bd32..fc73fb9 100644 --- a/workflow-templates/appstore-build-publish.yml +++ b/workflow-templates/appstore-build-publish.yml 
@@ -172,7 +172,7 @@ jobs: tar -xvf ${{ env.APP_NAME }}.tar.gz cd ../../../ # Setting up keys - echo '${{ secrets.APP_PRIVATE_KEY }}' > ${{ env.APP_NAME }}.key # zizmor: ignore[secrets-outside-env] + echo '${{ secrets.APP_PRIVATE_KEY }}' > ${{ env.APP_NAME }}.key wget --quiet "https://github.com/nextcloud/app-certificate-requests/raw/master/${{ env.APP_NAME }}/${{ env.APP_NAME }}.crt" # Signing php nextcloud/occ integrity:sign-app --privateKey=../${{ env.APP_NAME }}.key --certificate=../${{ env.APP_NAME }}.crt --path=../${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }} @@ -194,6 +194,6 @@ jobs: uses: nextcloud-releases/nextcloud-appstore-push-action@a011fe619bcf6e77ddebc96f9908e1af4071b9c1 # v1.0.3 with: app_name: ${{ env.APP_NAME }} - appstore_token: ${{ secrets.APPSTORE_TOKEN }} # zizmor: ignore[secrets-outside-env] + appstore_token: ${{ secrets.APPSTORE_TOKEN }} download_url: ${{ steps.attach_to_release.outputs.browser_download_url }} - app_private_key: ${{ secrets.APP_PRIVATE_KEY }} # zizmor: ignore[secrets-outside-env] + app_private_key: ${{ secrets.APP_PRIVATE_KEY }} diff --git a/workflow-templates/command-compile.yml b/workflow-templates/command-compile.yml index b3989ff..ba5ea1f 100644 --- a/workflow-templates/command-compile.yml +++ b/workflow-templates/command-compile.yml @@ -59,7 +59,7 @@ jobs: - name: Add reaction on start uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 with: - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} repository: ${{ github.event.repository.full_name }} comment-id: ${{ github.event.comment.id }} reactions: '+1' 
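Review bot: Dropping the zizmor suppression on `echo '${{ secrets.APP_PRIVATE_KEY }}' > ${{ env.APP_NAME }}.key` leaves the underlying problem in place: the expression is expanded into the script text before the shell runs, so the private key becomes part of the command itself (and of any command trace), and a single quote inside the key breaks the quoting. The robust form reads the secret from the environment instead, e.g. `env: APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}` on the step and `printf '%s\n' "$APP_PRIVATE_KEY" > "${APP_NAME}.key"` in the script; APP_NAME is already an `env` value, so `$APP_NAME` is available to the shell. The step's `run:` block starts before this hunk, so the place for the `env:` key is outside it. The remaining hunks in this commit only strip suppressions from `with:` inputs and `env:` entries, which do not have this expansion issue.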
@@ -86,7 +86,7 @@ jobs: uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 if: failure() with: - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} repository: ${{ github.event.repository.full_name }} comment-id: ${{ github.event.comment.id }} reactions: '-1' @@ -107,7 +107,7 @@ jobs: with: # Needed to allow force push later persist-credentials: true - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} fetch-depth: 0 ref: ${{ needs.init.outputs.head_ref }} @@ -216,7 +216,7 @@ jobs: uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 if: failure() with: - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} repository: ${{ github.event.repository.full_name }} comment-id: ${{ github.event.comment.id }} reactions: '-1' diff --git a/workflow-templates/command-openapi.yml b/workflow-templates/command-openapi.yml index 97f4c69..464bb33 100644 --- a/workflow-templates/command-openapi.yml +++ b/workflow-templates/command-openapi.yml @@ -59,7 +59,7 @@ jobs: - name: Add reaction on start uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 with: - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} repository: ${{ github.event.repository.full_name }} comment-id: ${{ github.event.comment.id }} reactions: '+1' @@ -86,7 +86,7 @@ jobs: uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 if: failure() with: - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} repository: ${{ github.event.repository.full_name }} comment-id: ${{ github.event.comment.id }} reactions: '-1' 
@@ -107,7 +107,7 @@ jobs: with: # Needed to allow force push later persist-credentials: true - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} fetch-depth: 0 ref: ${{ needs.init.outputs.head_ref }} @@ -193,7 +193,7 @@ jobs: uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 if: failure() with: - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} repository: ${{ github.event.repository.full_name }} comment-id: ${{ github.event.comment.id }} reactions: '-1' diff --git a/workflow-templates/cypress.yml b/workflow-templates/cypress.yml index b67071a..5dc0af2 100644 --- a/workflow-templates/cypress.yml +++ b/workflow-templates/cypress.yml @@ -118,14 +118,14 @@ jobs: - name: Run ${{ matrix.containers == 'component' && 'component' || 'E2E' }} cypress tests uses: cypress-io/github-action@783cb3f07983868532cabaedaa1e6c00ff4786a8 # v7.1.9 with: - record: ${{ secrets.CYPRESS_RECORD_KEY && true }} # zizmor: ignore[secrets-outside-env] - parallel: ${{ secrets.CYPRESS_RECORD_KEY && true }} # zizmor: ignore[secrets-outside-env] + record: ${{ secrets.CYPRESS_RECORD_KEY && true }} + parallel: ${{ secrets.CYPRESS_RECORD_KEY && true }} # cypress run type component: ${{ matrix.containers == 'component' }} - group: ${{ secrets.CYPRESS_RECORD_KEY && env.CYPRESS_GROUP }} # zizmor: ignore[secrets-outside-env] + group: ${{ secrets.CYPRESS_RECORD_KEY && env.CYPRESS_GROUP }} # cypress env - ci-build-id: ${{ secrets.CYPRESS_RECORD_KEY && env.CYPRESS_BUILD_ID }} # zizmor: ignore[secrets-outside-env] - tag: ${{ secrets.CYPRESS_RECORD_KEY && github.event_name }} # zizmor: ignore[secrets-outside-env] + ci-build-id: ${{ secrets.CYPRESS_RECORD_KEY && env.CYPRESS_BUILD_ID }} + tag: ${{ secrets.CYPRESS_RECORD_KEY && github.event_name }} env: # Needs to be prefixed with CYPRESS_ CYPRESS_BRANCH: ${{ env.BRANCH }} 
@@ -134,7 +134,7 @@ jobs: # Needed for some specific code workarounds TESTING: true GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }} # zizmor: ignore[secrets-outside-env] + CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }} CYPRESS_BUILD_ID: ${{ github.sha }}-${{ github.run_number }} CYPRESS_GROUP: Run ${{ matrix.containers == 'component' && 'component' || 'E2E' }} diff --git a/workflow-templates/npm-audit-fix.yml b/workflow-templates/npm-audit-fix.yml index 3e27439..23bae52 100644 --- a/workflow-templates/npm-audit-fix.yml +++ b/workflow-templates/npm-audit-fix.yml @@ -71,7 +71,7 @@ jobs: if: steps.checkout.outcome == 'success' uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} commit-message: 'fix(deps): Fix npm audit' committer: GitHub author: nextcloud-command diff --git a/workflow-templates/rector-apply.yml b/workflow-templates/rector-apply.yml index 6b33ad7..e356a7a 100644 --- a/workflow-templates/rector-apply.yml +++ b/workflow-templates/rector-apply.yml @@ -56,7 +56,7 @@ jobs: - name: Create Pull Request uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} commit-message: 'refactor: Apply rector changes' committer: GitHub author: nextcloud-command diff --git a/workflow-templates/sync-workflow-templates.yml b/workflow-templates/sync-workflow-templates.yml index c80d194..8e99648 100644 --- a/workflow-templates/sync-workflow-templates.yml +++ b/workflow-templates/sync-workflow-templates.yml 
@@ -122,7 +122,7 @@ jobs: - name: Create Pull Request uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: - token: ${{ secrets.COMMAND_BOT_WORKFLOWS }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_WORKFLOWS }} commit-message: 'ci(actions): Update workflow templates from organization template repository' committer: GitHub author: nextcloud-command diff --git a/workflow-templates/update-nextcloud-ocp-matrix.yml b/workflow-templates/update-nextcloud-ocp-matrix.yml index 276934c..b8950bf 100644 --- a/workflow-templates/update-nextcloud-ocp-matrix.yml +++ b/workflow-templates/update-nextcloud-ocp-matrix.yml @@ -90,7 +90,7 @@ jobs: - name: Create Pull Request uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} commit-message: 'chore(dev-deps): Bump nextcloud/ocp package' committer: GitHub author: nextcloud-command diff --git a/workflow-templates/update-nextcloud-ocp.yml b/workflow-templates/update-nextcloud-ocp.yml index a3c0f23..835f956 100644 --- a/workflow-templates/update-nextcloud-ocp.yml +++ b/workflow-templates/update-nextcloud-ocp.yml @@ -99,7 +99,7 @@ jobs: if: steps.checkout.outcome == 'success' uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: - token: ${{ secrets.COMMAND_BOT_PAT }} # zizmor: ignore[secrets-outside-env] + token: ${{ secrets.COMMAND_BOT_PAT }} commit-message: 'chore(dev-deps): Bump nextcloud/ocp package' committer: GitHub author: nextcloud-command From 9ca48081d45cc3eb3e4c5964db8bd025403d5bd4 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 25 Apr 2026 01:04:01 +0000 Subject: [PATCH 4/4] ci(deps): bump astral-sh/setup-uv in /.github/workflows Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 8.0.0 to 8.1.0. - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](https://github.com/astral-sh/setup-uv/compare/cec208311dfd045dd5311c1add060b2062131d57...08807647e7069bb48b6ef5acd8ec9567f424441b) --- updated-dependencies: - dependency-name: astral-sh/setup-uv dependency-version: 8.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/lint-yaml.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint-yaml.yml b/.github/workflows/lint-yaml.yml index f0ecfe3..3130fa1 100644 --- a/.github/workflows/lint-yaml.yml +++ b/.github/workflows/lint-yaml.yml @@ -33,7 +33,7 @@ jobs: line-length: warning - name: Install the latest version of uv - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 - name: Check GitHub actions run: uvx zizmor --min-severity medium .github/workflows/*.yml