diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
new file mode 100644
index 000000000..6faea7699
--- /dev/null
+++ b/.github/workflows/analysis.yml
@@ -0,0 +1,54 @@
+# synced from @nextcloud/android-config
+name: "Analysis"
+
+on:
+    pull_request:
+        branches: [ "master", "main", "stable-*" ]
+    push:
+        branches: [ "master", "main", "stable-*" ]
+
+permissions:
+    pull-requests: write
+    contents: write
+
+concurrency:
+    group: analysis-wrapper-${{ github.head_ref || github.run_id }}
+    cancel-in-progress: true
+
+jobs:
+    analysis:
+        runs-on: ubuntu-latest
+        steps:
+            -   name: Setup variables
+                id: get-vars
+                run: |
+                    if [ -z "$GITHUB_HEAD_REF" ]; then
+                        # push
+                        echo "branch=$GITHUB_REF_NAME" >> "$GITHUB_OUTPUT"
+                        echo "pr=$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT"
+                        echo "repo=${{ github.repository }}" >> "$GITHUB_OUTPUT"
+                    else
+                        # pull request
+                        echo "branch=$GITHUB_HEAD_REF" >> "$GITHUB_OUTPUT"
+                        echo "pr=${{ github.event.pull_request.number }}" >> "$GITHUB_OUTPUT"
+                        echo "repo=${{ github.event.pull_request.head.repo.full_name }}" >> "$GITHUB_OUTPUT"
+                    fi
+            -   uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+                with:
+                    repository: ${{ steps.get-vars.outputs.repo }}
+                    ref: ${{ steps.get-vars.outputs.branch }}
+            -   name: Set up JDK 17
+                uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3.12.0
+                with:
+                    distribution: "temurin"
+                    java-version: 17
+            -   name: Install dependencies
+                run: |
+                    python3 -m pip install defusedxml
+            -   name: Run analysis wrapper
+                env:
+                    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                run: |
+                    mkdir -p $HOME/.gradle
+                    echo "org.gradle.jvmargs=-Xmx2g -XX:MaxMetaspaceSize=512m -XX:+HeapDumpOnOutOfMemoryError" > $HOME/.gradle/gradle.properties
+                    scripts/analysis/analysis-wrapper.sh ${{ steps.get-vars.outputs.branch }} ${{ secrets.LOG_USERNAME }} ${{ secrets.LOG_PASSWORD }} $GITHUB_RUN_NUMBER ${{ steps.get-vars.outputs.pr }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index bcec17064..38a7a6855 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -32,11 +32,11 @@ jobs:
         with:
           swap-size-gb: 10
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e # v2.20.0
+        uses: github/codeql-action/init@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4
         with:
           languages: ${{ matrix.language }}
       - name: Set up JDK 17
-        uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
+        uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3.12.0
         with:
           distribution: "temurin"
           java-version: 17
@@ -46,4 +46,4 @@ jobs:
           echo "org.gradle.jvmargs=-Xmx2g -XX:MaxMetaspaceSize=512m -XX:+HeapDumpOnOutOfMemoryError" > "$HOME/.gradle/gradle.properties"
           ./gradlew assembleDebug
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e # v2.20.0
+        uses: github/codeql-action/analyze@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4
diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml
index 830820b08..5e42770e8 100644
--- a/.github/workflows/gradle-wrapper-validation.yml
+++ b/.github/workflows/gradle-wrapper-validation.yml
@@ -19,4 +19,4 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-            - uses: gradle/wrapper-validation-action@8d49e559aae34d3e0eb16cde532684bc9702762b # v1.0.6
+            - uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 # v1.1.0
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 274ca43a4..c0a2f471e 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -29,7 +29,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
+        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -37,6 +37,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e # v2.20.0
+        uses: github/codeql-action/upload-sarif@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4
         with:
           sarif_file: results.sarif