[stable33] ci: Migrate to composer-bin and add sync workflow

.github/dependabot.yml

@@ -1,24 +1,66 @@
 version: 2
 updates:
-- package-ecosystem: composer
-  directory: "/"
-  schedule:
-    interval: weekly
-    day: saturday
-    time: "03:00"
-    timezone: Europe/Paris
-  open-pull-requests-limit: 10
-  labels:
-  - 3. to review
-  - dependencies
-- package-ecosystem: composer
-  directory: "/tests/Integration"
-  schedule:
-    interval: weekly
-    day: saturday
-    time: "03:00"
-    timezone: Europe/Paris
-  open-pull-requests-limit: 10
-  labels:
-  - 3. to review
-  - dependencies
+  - package-ecosystem: composer
+    directories:
+      - "/"
+      - "/tests/Integration"
+      - "/vendor-bin/csfixer"
+      - "/vendor-bin/openapi-extractor"
+      - "/vendor-bin/phpunit"
+      - "/vendor-bin/psalm"
+      - "/vendor-bin/rector"
+    schedule:
+      interval: weekly
+      day: saturday
+      time: "03:00"
+      timezone: Europe/Paris
+    commit-message:
+      prefix: "build"
+      include: "scope"
+    versioning-strategy: "increase"
+    labels:
+      - 3. to review
+      - dependencies
+    cooldown:
+      default-days: 7
+
+  - package-ecosystem: "github-actions"
+    directory: ".github/workflows"
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    schedule:
+      interval: weekly
+      day: saturday
+      time: "03:00"
+      timezone: Europe/Berlin
+    cooldown:
+      default-days: 7
+
+  - package-ecosystem: "github-actions"
+    target-branch: stable33
+    directory: ".github/workflows"
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    schedule:
+      interval: weekly
+      day: saturday
+      time: "03:00"
+      timezone: Europe/Berlin
+    cooldown:
+      default-days: 7
+
+  - package-ecosystem: "github-actions"
+    target-branch: stable32
+    directory: ".github/workflows"
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    schedule:
+      interval: weekly
+      day: saturday
+      time: "03:00"
+      timezone: Europe/Berlin
+    cooldown:
+      default-days: 7

.github/workflows/sync-workflow-templates.yml

@@ -0,0 +1,140 @@
+# This workflow is provided via the organization template repository
+#
+# https://github.com/nextcloud/.github
+# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
+#
+# SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+# SPDX-License-Identifier: MIT
+
+# This workflow will update all workflow templates
+# Additionally it will reapply `workflow.yml.patch` files after syncing and only then commit the result
+name: Update workflows
+on:
+  workflow_dispatch:
+  schedule:
+      - cron: "5 2 * * 0"
+
+permissions:
+  contents: read
+
+jobs:
+  dispatch:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        branches:
+          - ${{ github.event.repository.default_branch }}
+          - 'stable33'
+          - 'stable32'
+
+    name: Update workflows in ${{ matrix.branches }}
+
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Check actor permission
+        uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v3.0
+        with:
+          require: admin
+
+      - name: Checkout workflow repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          path: source
+          repository: nextcloud/.github
+
+      - name: Checkout app
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          path: target
+          ref: ${{ matrix.branches }}
+
+      - name: Copy all workflow templates
+        run: |
+          echo 'SUMMARY<<EOF' >> $GITHUB_ENV
+          draft_only=0
+          for workflow in ./source/workflow-templates/*.yml; do
+            echo "❓ Looking for $workflow"
+            if [ -f "$workflow" ]; then
+              filename=$(basename "$workflow")
+              target_file="./target/.github/workflows/$filename"
+
+              # Only copy if the file exists in the target repository
+              if [ -f "$target_file" ]; then
+                if [ -f "./target/.github/actions-lock.txt" ]; then
+                  locked_version=$(grep " $filename" ./target/.github/actions-lock.txt | cat)
+                else
+                  echo "# SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors" >> ./target/.github/actions-lock.txt
+                  echo "# SPDX-License""-Identifier: MIT" >> ./target/.github/actions-lock.txt
+                  locked_version=""
+                fi
+                locked_version=$(echo $locked_version | cut -f 1 -d " ")
+                new_version=$(md5sum $workflow | cut -f 1 -d " ")
+
+                # Only update if the action changes
+                if [[ "$locked_version" != "$new_version" ]]; then
+                  echo "ℹ️ Locked version: $locked_version"
+                  echo "ℹ️ Current version: $new_version"
+                  echo "🆙 Updating existing workflow: $filename"
+                  echo "- 🆙 Updated [$filename](https://github.com/nextcloud/.github/commits/master/workflow-templates/$filename)" >> $GITHUB_ENV
+
+                  cp "$workflow" "$target_file"
+
+                  # Apply patch if one exists
+                  if [ -f "$target_file.patch" ]; then
+                    echo "🩹 Applying patch"
+                    cd ./target
+                    set +e
+                    patch -p1 < ".github/workflows/$filename.patch"
+                    patch_worked=$?
+                    set -e
+                    cd -
+                    if [[ "$patch_worked" == "0" ]]; then
+                      echo "  - Patch applied" >> $GITHUB_ENV
+                    else
+                      echo "  - [ ] ❌ Patch failed" >> $GITHUB_ENV
+                      draft_only=1
+                    fi
+                  fi
+
+                  if [[ "$locked_version" != "" ]]; then
+                    sed -i "s/$locked_version $filename/$new_version $filename/" ./target/.github/actions-lock.txt
+                  else
+                    echo "$new_version $filename" >> ./target/.github/actions-lock.txt
+                  fi
+                else
+                  echo "✅ Skipping $filename: already up to date"
+                fi
+              else
+                echo "⏭️ Skipping $filename: does not exist in target repository"
+              fi
+            fi
+          done
+          echo 'EOF' >> $GITHUB_ENV
+          echo "DRAFT_ONLY=${draft_only}" >> $GITHUB_ENV
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          token: ${{ secrets.COMMAND_BOT_WORKFLOWS }} # zizmor: ignore[secrets-outside-env]
+          commit-message: 'ci(actions): Update workflow templates from organization template repository'
+          committer: GitHub <noreply@github.com>
+          author: nextcloud-command <nextcloud-command@users.noreply.github.com>
+          path: target
+          signoff: true
+          branch: 'automated/noid/${{ matrix.branches }}-update-workflows'
+          title: '[${{ matrix.branches }}] ci(actions): Update workflow templates from organization template repository'
+          draft: ${{ env.DRAFT_ONLY == 1 }}
+          add-paths: .github/workflows/*.yml,.github/actions-lock.txt
+          body: |
+            Automated update of all workflow templates from [nextcloud/.github](https://github.com/nextcloud/.github)
+            ${{ env.SUMMARY }}
+          labels: |
+            dependencies
+            3. to review

.github/workflows/update-nextcloud-ocp.yml

@@ -65,7 +65,7 @@ jobs:
       - name: Composer update nextcloud/ocp # zizmor: ignore[template-injection]
         id: update_branch
         if: ${{ steps.checkout.outcome == 'success' && matrix.branches != 'main' }}
-        run: composer require --dev 'nextcloud/ocp:dev-${{ matrix.branches }}'
+        run: composer bin nextcloud-ocp require --dev 'nextcloud/ocp:dev-${{ matrix.branches }}'
 
       - name: Raise on issue on failure
         uses: dacbd/create-issue-action@cdb57ab6ff8862aa09fee2be6ba77a59581921c2 # v2.0.0

.github/workflows/update-nextcloud-ocp.yml.patch

@@ -0,0 +1,13 @@
+diff --git a/.github/workflows/update-nextcloud-ocp.yml b/.github/workflows/update-nextcloud-ocp.yml
+index 873bf119..760faece 100644
+--- a/.github/workflows/update-nextcloud-ocp.yml
++++ b/.github/workflows/update-nextcloud-ocp.yml
+@@ -65,7 +65,7 @@ jobs:
+       - name: Composer update nextcloud/ocp # zizmor: ignore[template-injection]
+         id: update_branch
+         if: ${{ steps.checkout.outcome == 'success' && matrix.branches != 'main' }}
+-        run: composer require --dev 'nextcloud/ocp:dev-${{ matrix.branches }}'
++        run: composer bin nextcloud-ocp require --dev 'nextcloud/ocp:dev-${{ matrix.branches }}'
+
+       - name: Raise on issue on failure
+         uses: dacbd/create-issue-action@cdb57ab6ff8862aa09fee2be6ba77a59581921c2 # v2.0.0

.gitignore

@@ -62,6 +62,7 @@ build/
 
 # Composer
 /vendor/
+/vendor-bin/*/vendor/
 /tests/Integration/output/
 /tests/Integration/vendor/
 

.php-cs-fixer.dist.php

@@ -6,7 +6,7 @@
  * SPDX-License-Identifier: AGPL-3.0-or-later
  */
 
-require_once './vendor/autoload.php';
+require_once './vendor-bin/csfixer/vendor/autoload.php';
 
 use Nextcloud\CodingStandard\Config;
 

REUSE.toml

@@ -6,7 +6,7 @@ SPDX-PackageSupplier = "Nextcloud <info@nextcloud.com>"
 SPDX-PackageDownloadLocation = "https://github.com/nextcloud/files_accesscontrol"
 
 [[annotations]]
-path = [".gitattributes", ".github/CODEOWNERS", ".github/dependabot.yml", ".github/workflows/*.patch", ".editorconfig", "composer.json", "composer.lock", "psalm.xml", "tests/psalm-baseline.xml", "tests/Integration/composer.json", "tests/phpunit.xml", "tests/Integration/composer.lock", ".gitignore", "tests/Integration/data/*", ".tx/config"]
+path = [".gitattributes", ".github/CODEOWNERS", ".github/dependabot.yml", ".editorconfig", "composer.json", "composer.lock", "**/composer.json", "**/composer.lock", "psalm.xml", "tests/psalm-baseline.xml", "tests/Integration/composer.json", "tests/phpunit.xml", "tests/Integration/composer.lock", ".gitignore", "tests/Integration/data/*", ".tx/config"]
 precedence = "aggregate"
 SPDX-FileCopyrightText = "none"
 SPDX-License-Identifier = "CC0-1.0"
@@ -18,7 +18,7 @@ SPDX-FileCopyrightText = "2023 Nextcloud GmbH and Nextcloud contributors"
 SPDX-License-Identifier = "CC0-1.0"
 
 [[annotations]]
-path = [".github/issue_template.md", ".github/contributing.md"]
+path = [".github/issue_template.md", ".github/contributing.md", ".github/workflows/*.patch"]
 precedence = "aggregate"
 SPDX-FileCopyrightText = "2016 Nextcloud GmbH and Nextcloud contributors"
 SPDX-License-Identifier = "CC0-1.0"

composer.json

@@ -8,25 +8,34 @@
 		"optimize-autoloader": true,
 		"classmap-authoritative": true,
 		"platform": {
-			"php": "8.1.32"
+			"php": "8.2"
 		},
-		"sort-packages": true
+		"sort-packages": true,
+		"allow-plugins": {
+			"bamarni/composer-bin-plugin": true
+		}
 	},
 	"scripts": {
+		"post-install-cmd": [
+			"@composer bin all install --ansi",
+			"composer dump-autoload"
+		],
+		"post-update-cmd": [
+			"@composer bin all install --ansi",
+			"composer dump-autoload"
+		],
 		"cs:check": "php-cs-fixer fix --dry-run --diff",
 		"cs:fix": "php-cs-fixer fix",
-		"lint": "find . -name \\*.php -not -path './vendor/*' -not -path './build/*' -not -path './tests/integration/vendor/*' -print0 | xargs -0 -n1 php -l",
+		"lint": "find . -name \\*.php -not -path './vendor/*' -not -path './vendor-bin/*' -not -path './build/*' -not -path './tests/integration/vendor/*' -print0 | xargs -0 -n1 php -l",
 		"psalm": "psalm --no-cache --threads=$(nproc)",
 		"psalm:dev": "@psalm",
 		"psalm:update-baseline": "psalm --threads=1 --update-baseline",
-		"test:unit": "vendor/bin/phpunit --color -c tests/phpunit.xml",
+		"rector:check": "rector --dry-run --clear-cache",
+		"rector:fix": "rector",
+		"test:unit": "phpunit --color -c tests/phpunit.xml",
 		"test:integration": "cd tests/Integration && ./run.sh"
 	},
-	"require-dev": {
-		"friendsofphp/php-cs-fixer": "^3.82.0",
-		"nextcloud/coding-standard": "^1.2.1",
-		"nextcloud/ocp": "dev-stable33",
-		"phpunit/phpunit": "^10.5.28",
-		"vimeo/psalm": "^6.12"
+	"require": {
+		"bamarni/composer-bin-plugin": "^1.9.1"
 	}
 }