diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
new file mode 100644
index 000000000..d08f4181a
--- /dev/null
+++ b/.github/workflows/analysis.yml
@@ -0,0 +1,54 @@
+# synced from @nextcloud/android-config
+name: "Analysis"
+
+on:
+    pull_request:
+        branches: [ "master", "main", "stable-*" ]
+    push:
+        branches: [ "master", "main", "stable-*" ]
+
+permissions:
+    pull-requests: write
+    contents: write
+
+concurrency:
+    group: analysis-wrapper-${{ github.head_ref || github.run_id }}
+    cancel-in-progress: true
+
+jobs:
+    analysis:
+        runs-on: ubuntu-22.04
+        steps:
+            -   name: Setup variables
+                id: get-vars
+                run: |
+                    if [ -z "$GITHUB_HEAD_REF" ]; then
+                        # push
+                        echo "branch=$GITHUB_REF_NAME" >> "$GITHUB_OUTPUT"
+                        echo "pr=$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT"
+                        echo "repo=${{ github.repository }}" >> "$GITHUB_OUTPUT"
+                    else
+                        # pull request
+                        echo "branch=$GITHUB_HEAD_REF" >> "$GITHUB_OUTPUT"
+                        echo "pr=${{ github.event.pull_request.number }}" >> "$GITHUB_OUTPUT"
+                        echo "repo=${{ github.event.pull_request.head.repo.full_name }}" >> "$GITHUB_OUTPUT"
+                    fi
+            -   uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+                with:
+                    repository: ${{ steps.get-vars.outputs.repo }}
+                    ref: ${{ steps.get-vars.outputs.branch }}
+            -   name: Set up JDK 17
+                uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
+                with:
+                    distribution: "temurin"
+                    java-version: 17
+            -   name: Install dependencies
+                run: |
+                    python3 -m pip install defusedxml
+            -   name: Run analysis wrapper
+                env:
+                    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                run: |
+                    mkdir -p $HOME/.gradle
+                    echo "org.gradle.jvmargs=-Xmx2g -XX:MaxMetaspaceSize=512m -XX:+HeapDumpOnOutOfMemoryError" > $HOME/.gradle/gradle.properties
+                    scripts/analysis/analysis-wrapper.sh ${{ steps.get-vars.outputs.branch }} ${{ secrets.LOG_USERNAME }} ${{ secrets.LOG_PASSWORD }} $GITHUB_RUN_NUMBER ${{ steps.get-vars.outputs.pr }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 432398d34..781faa613 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -26,17 +26,17 @@ jobs:
         language: [ 'java' ]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4 # v3.5.3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Set Swap Space
         uses: pierotofy/set-swap-space@49819abfb41bd9b44fb781159c033dba90353a7c # v1.0
         with:
           swap-size-gb: 10
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
+        uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
         with:
           languages: ${{ matrix.language }}
       - name: Set up JDK 17
-        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
         with:
           distribution: "temurin"
           java-version: 17
@@ -46,4 +46,4 @@ jobs:
           echo "org.gradle.jvmargs=-Xmx2g -XX:MaxMetaspaceSize=512m -XX:+HeapDumpOnOutOfMemoryError" > "$HOME/.gradle/gradle.properties"
           ./gradlew assembleDebug
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
+        uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml
index 9ee02aa6e..1ecd60deb 100644
--- a/.github/workflows/gradle-wrapper-validation.yml
+++ b/.github/workflows/gradle-wrapper-validation.yml
@@ -18,5 +18,5 @@ jobs:
         name: "Validation"
         runs-on: ubuntu-latest
         steps:
-            - uses: actions/checkout@v4 # v3.5.3
-            - uses: gradle/wrapper-validation-action@8d49e559aae34d3e0eb16cde532684bc9702762b # v1.0.6
+            - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+            - uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 # v1.1.0
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 35f294044..c243d507d 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4 # v3.5.3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           persist-credentials: false
 
@@ -37,6 +37,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
+        uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
         with:
           sarif_file: results.sarif
diff --git a/scripts/analysis/analysis-wrapper.sh b/scripts/analysis/analysis-wrapper.sh
new file mode 100755
index 000000000..0fdcf0910
--- /dev/null
+++ b/scripts/analysis/analysis-wrapper.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+exit 0