Merge pull request #48 from JSPaste/dev

Merge dev into stable

.github/dependabot.yml

@@ -0,0 +1,14 @@
+version: 2
+updates:
+    - package-ecosystem: github-actions
+      directory: '/'
+      target-branch: dev
+      schedule:
+          interval: weekly
+      assignees:
+          - inetol
+      commit-message:
+          prefix: GHA
+          include: scope
+      labels:
+          - dependency

.github/workflows/container.yml

@@ -1,13 +1,13 @@
-# TODO: Experimental feature
 name: 'CD -> Container'
 on:
     workflow_dispatch:
     push:
-        branches: ['stable']
+        branches:
+            - stable
 
 concurrency:
-    group: '${{ github.workflow }}-${{ github.ref }}'
-    cancel-in-progress: true
+    group: ${{ github.workflow }}-${{ github.ref }}
+    cancel-in-progress: false
 
 permissions:
     contents: read
@@ -18,27 +18,29 @@ jobs:
         name: 'Build container image'
         runs-on: ubuntu-latest
         permissions:
+            id-token: write
             packages: write
 
         env:
-            REGISTRY: 'ghcr.io'
-            IMAGE_NAME: '${{ github.repository }}'
+            REGISTRY: ghcr.io
+            IMAGE_NAME: ${{ github.repository }}
 
         steps:
             - name: 'Harden Runner'
-              uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+              uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
               with:
-                  egress-policy: audit
+                  policy: cd-container
 
             - name: 'Checkout'
               uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
             - name: 'Setup QEMU'
               run: |
-                  sudo apt-get update && sudo apt-get install -y qemu-user-static
+                  sudo apt-get update
+                  sudo apt-get install -y qemu-user-static
 
             - name: 'Setup tags'
-              id: setup_tags
+              id: setup-tags
               run: |
                   TIMESTAMP="$(date +%Y.%m.%d)"
                   SHA_SHORT="${GITHUB_SHA::7}"
@@ -48,17 +50,18 @@ jobs:
                   TAGS+=("${GITHUB_SHA}")
                   TAGS+=("${TIMESTAMP}-${SHA_SHORT}")
 
-                  echo "build_tags=${TAGS[*]}" >> $GITHUB_OUTPUT
+                  echo "build-tags=${TAGS[*]}" >> $GITHUB_OUTPUT
 
             - name: 'Build image'
-              id: build_image
-              uses: redhat-actions/buildah-build@c79846fb306beeba490e89fb75d2d1af95831e79 # master (Update to node20)
+              id: build-image
+              uses: redhat-actions/buildah-build@c79846fb306beeba490e89fb75d2d1af95831e79 # master
               with:
-                  containerfiles: ./Containerfile
+                  archs: amd64, arm64
+                  containerfiles: Containerfile
                   image: ${{ env.IMAGE_NAME }}
-                  platforms: linux/amd64, linux/arm64
-                  tags: ${{ steps.setup_tags.outputs.build_tags }}
-                  oci: false
+                  layers: true
+                  oci: true
+                  tags: ${{ steps.setup-tags.outputs.build-tags }}
 
             - name: 'Push to GHCR'
               uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1
@@ -67,8 +70,8 @@ jobs:
                   REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
 
               with:
-                  image: ${{ steps.build_image.outputs.image }}
-                  tags: ${{ steps.build_image.outputs.tags }}
+                  image: ${{ steps.build-image.outputs.image }}
+                  tags: ${{ steps.build-image.outputs.tags }}
                   registry: ${{ env.REGISTRY }}
                   username: ${{ env.REGISTRY_USER }}
                   password: ${{ env.REGISTRY_PASSWORD }}

.github/workflows/security-dependencies.yml

@@ -1,6 +1,7 @@
 # TODO: Experimental feature
 name: 'CI -> Security-Dependencies'
-on: [pull_request]
+on:
+    - pull_request
 
 permissions:
     contents: read
@@ -11,7 +12,7 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - name: 'Harden Runner'
-              uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+              uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
               with:
                   egress-policy: audit
 

.github/workflows/security.yml

@@ -2,40 +2,55 @@ name: 'CI -> Security'
 on:
     schedule:
         - cron: '33 3 * * 1'
+
     push:
-        branches: ['dev']
-        paths-ignore: ['*.md', '.*ignore']
+        branches:
+            - dev
+        paths-ignore:
+            - '*.md'
+            - '.*ignore'
+
     pull_request:
-        branches: ['dev']
-        paths-ignore: ['*.md', '.*ignore']
+        branches:
+            - dev
+        paths-ignore:
+            - '*.md'
+            - '.*ignore'
 
 permissions: read-all
 
 jobs:
     codeql:
         name: 'CodeQL analysis'
         runs-on: ubuntu-latest
+        strategy:
+            fail-fast: false
+            matrix:
+                language:
+                    - javascript-typescript
+
         permissions:
             security-events: write
+            id-token: write
 
         steps:
             - name: 'Harden Runner'
-              uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+              uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
               with:
-                  egress-policy: audit
+                  policy: ci-security
 
             - name: 'Checkout'
               uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
             - name: 'Setup CodeQL'
-              uses: github/codeql-action/init@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2
+              uses: github/codeql-action/init@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
               with:
-                  languages: '${{ matrix.language }}'
+                  languages: ${{ matrix.language }}
 
             - name: 'Run analysis'
-              uses: github/codeql-action/analyze@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2
+              uses: github/codeql-action/analyze@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
               with:
-                  category: '/language:javascript-typescript'
+                  category: '/language:${{ matrix.language }}'
 
     scoreboard:
         name: 'Scorecard analysis'
@@ -46,9 +61,9 @@ jobs:
 
         steps:
             - name: 'Harden Runner'
-              uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+              uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
               with:
-                  egress-policy: audit
+                  policy: ci-security
 
             - name: 'Checkout'
               uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -60,9 +75,9 @@ jobs:
               with:
                   results_file: scoreboard.sarif
                   results_format: sarif
-                  publish_results: true
+                  publish_results: false
 
             - name: 'Upload to code-scanning'
-              uses: github/codeql-action/upload-sarif@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2
+              uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
               with:
                   sarif_file: scoreboard.sarif

.gitignore

@@ -83,10 +83,8 @@ web_modules/
 
 # dotenv environment variable files
 .env
-.env.development.local
-.env.test.local
-.env.production.local
-.env.local
+.env.*
+!.env.example
 
 # parcel-bundler cache (https://parceljs.org/)
 .cache