Closes Issue #1303: Backport GitHub Actions changes to allow successful Dependabot PRs.

.eslintignore

@@ -3,5 +3,6 @@
 **/vendor/
 /_site/
 /js/coverage/
+/site/assets/js/ie-emulation-modes-warning.js
 /site/static/sw.js
 /site/layouts/partials/

.github/workflows/cdn-deploy-head.yml

@@ -8,18 +8,18 @@ on:
 jobs:
   deploy:
     name: Build & deploy CDN assets
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-2
+          aws-region: ${{ secrets.AWS_REGION }}
 
       - name: Deploy 2.x CDN assets to S3 + CloudFront
         if: ${{ github.ref_name  == '2.x' }}

.github/workflows/cdn-deploy-release.yml

@@ -7,20 +7,20 @@ on:
 jobs:
   deploy:
     name: Build & deploy CDN assets
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.client_payload.ref }}
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-2
+          aws-region: ${{ secrets.AWS_REGION }}
 
       - name: Deploy CDN assets to S3 + CloudFront
         run: |

.github/workflows/release.yml

@@ -6,41 +6,45 @@ on:
       version:
         description: The version to tag and release
         required: true
+env:
+  AZ_EPHEMERALIMAGENAME: ${{ vars.AZ_EPHEMERALIMAGENAME }}
 
 jobs:
   release:
     name: Create Release
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
+    permissions: write-all
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           token: ${{ secrets.REPO_DISPATCH_TOKEN }}
           ref: 2.x
 
       - name: Set variables for Docker images
         run: |
           oldhash=${{ hashFiles('Dockerfile', 'package.json', 'package-lock.json', 'scripts/*') }}
-          registry='ghcr.io'
-          imageprefix="${registry}/${GITHUB_REPOSITORY}/"
-          imagename='az-nodejs-ephemeral'
-          imagestem="${imageprefix}${imagename}:"
-          echo "AZ_DOCKER_REGISTRY=${registry}" >> ${GITHUB_ENV}
+          imageprefix=${{ vars.AZ_DOCKER_REGISTRY }}"/${GITHUB_REPOSITORY}/"
+          imagestem="${imageprefix}${AZ_EPHEMERALIMAGENAME}:"
           echo "AZ_OLD_HASH=${oldhash}" >> ${GITHUB_ENV}
           echo "AZ_IMAGE_STEM=${imagestem}" >> ${GITHUB_ENV}
           echo "AZ_BOOTSTRAP_SOURCE_DIR=/arizona-bootstrap-source" >> ${GITHUB_ENV}
           echo "AZ_BOOTSTRAP_FROZEN_DIR=/azbuild/arizona-bootstrap" >> ${GITHUB_ENV}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Docker authentication
-        run: |
-          docker login "$AZ_DOCKER_REGISTRY" -u "$GITHUB_ACTOR" -p ${{ secrets.GITHUB_TOKEN }}
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ vars.AZ_DOCKER_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Unconditionally rebuild and save the Docker image
         run: |
-          workingtitle=$(docker build -q . )
+          workingtitle="${AZ_EPHEMERALIMAGENAME}:working"
+          docker buildx build --load --platform=linux/amd64 --no-cache -t "$workingtitle" --build-arg AZ_BOOTSTRAP_FROZEN_DIR . \
           tempname="old${AZ_OLD_HASH}"
           docker run --name "$tempname" "$workingtitle" true
           docker cp -a "${tempname}:${AZ_BOOTSTRAP_FROZEN_DIR}/." .
@@ -86,7 +90,7 @@ jobs:
           echo "{\"sha\": \"$(git rev-parse HEAD)\"}" > ${{ runner.temp }}/variables.json
 
       - name: Upload variables
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: variables-json-artifact
           path: ${{ runner.temp }}/variables.json
@@ -102,7 +106,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download variables
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: variables-json-artifact
           path: ${{ runner.temp }}
@@ -114,7 +118,7 @@ jobs:
           echo "BRANCH_NAME=${GITHUB_REF_NAME}" >> ${GITHUB_ENV}
 
       - name: Notify dependencies
-        uses: peter-evans/repository-dispatch@v2
+        uses: peter-evans/repository-dispatch@v3
         with:
           token: ${{ secrets.REPO_DISPATCH_TOKEN }}
           repository: ${{ matrix.repo }}

.github/workflows/review-site.yml

@@ -9,32 +9,37 @@ on:
     branches:
       - main
       - 2.x
-
+env:
+  AZ_SITE_HOST: ${{ vars.AZ_SITE_HOST }}
+  AZ_EPHEMERALIMAGENAME: ${{ vars.AZ_EPHEMERALIMAGENAME }}
 jobs:
   lint-code:
     name: Check code for linting errors
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
     steps:
       - name: Checkout repository to workspace
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Set variables for Docker images
         run: |
           oldhash=${{ hashFiles('Dockerfile', 'package.json', 'package-lock.json', 'scripts/*') }}
-          registry='ghcr.io'
-          imageprefix="${registry}/${GITHUB_REPOSITORY}/"
-          imagename='az-nodejs-ephemeral'
-          imagestem="${imageprefix}${imagename}:"
-          echo "AZ_DOCKER_REGISTRY=${registry}" >> ${GITHUB_ENV}
+          imageprefix=${{ vars.AZ_DOCKER_REGISTRY }}"/${GITHUB_REPOSITORY}/"
+          imagestem="${imageprefix}${AZ_EPHEMERALIMAGENAME}:"
           echo "AZ_OLD_HASH=${oldhash}" >> ${GITHUB_ENV}
           echo "AZ_IMAGE_STEM=${imagestem}" >> ${GITHUB_ENV}
           echo "AZ_EPHEMERAL_IMAGE=${imagestem}${oldhash}" >> ${GITHUB_ENV}
           echo "AZ_BOOTSTRAP_SOURCE_DIR=/arizona-bootstrap-source" >> ${GITHUB_ENV}
           echo "AZ_BOOTSTRAP_FROZEN_DIR=/azbuild/arizona-bootstrap" >> ${GITHUB_ENV}
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Docker authentication
-        run: |
-          docker login "$AZ_DOCKER_REGISTRY" -u "$GITHUB_ACTOR" -p ${{ secrets.AZ_DOCKER_REGISTRY_TOKEN }}
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ vars.AZ_DOCKER_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Search for Docker image
         id: dockerpull
         continue-on-error: true
@@ -43,7 +48,8 @@ jobs:
       - name: Conditionally rebuild and save the Docker image
         if: ${{ steps.dockerpull.outcome == 'failure' }}
         run: |
-          workingtitle=$(docker build -q . )
+          workingtitle="${AZ_EPHEMERALIMAGENAME}:working"
+          docker buildx build --load --platform=linux/amd64 --no-cache -t "$workingtitle" --build-arg AZ_BOOTSTRAP_FROZEN_DIR .
           tempname="old${AZ_OLD_HASH}"
           docker run --name "$tempname" "$workingtitle" true
           docker cp -a "${tempname}:${AZ_BOOTSTRAP_FROZEN_DIR}/." .
@@ -62,12 +68,16 @@ jobs:
   review-site:
     name: Build & deploy review site
     needs: lint-code
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      pull-requests: write
     steps:
       - name: Checkout repository to workspace
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
-          token: ${{ secrets.REPO_DISPATCH_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           fetch-depth: 20
       - name: Find the push source branch name
         if: ${{ github.event_name != 'pull_request' }}
@@ -78,21 +88,21 @@ jobs:
       - name: Set variables for Docker images
         run: |
           oldhash=${{ hashFiles('Dockerfile', 'package.json', 'package-lock.json', 'scripts/*') }}
-          registry='ghcr.io'
-          imageprefix="${registry}/${GITHUB_REPOSITORY}/"
-          imagename='az-nodejs-ephemeral'
-          imagestem="${imageprefix}${imagename}:"
-          echo "AZ_DOCKER_REGISTRY=${registry}" >> ${GITHUB_ENV}
+          imageprefix=${{ vars.AZ_DOCKER_REGISTRY }}"/${GITHUB_REPOSITORY}/"
+          imagestem="${imageprefix}${AZ_EPHEMERALIMAGENAME}:"
           echo "AZ_OLD_HASH=${oldhash}" >> ${GITHUB_ENV}
           echo "AZ_IMAGE_STEM=${imagestem}" >> ${GITHUB_ENV}
           echo "AZ_EPHEMERAL_IMAGE=${imagestem}${oldhash}" >> ${GITHUB_ENV}
           echo "AZ_BOOTSTRAP_SOURCE_DIR=/arizona-bootstrap-source" >> ${GITHUB_ENV}
           echo "AZ_BOOTSTRAP_FROZEN_DIR=/azbuild/arizona-bootstrap" >> ${GITHUB_ENV}
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Docker authentication
-        run: |
-          docker login "$AZ_DOCKER_REGISTRY" -u "$GITHUB_ACTOR" -p ${{ secrets.GITHUB_TOKEN }}
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ vars.AZ_DOCKER_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Search for Docker image
         id: dockerpull
         continue-on-error: true
@@ -101,7 +111,8 @@ jobs:
       - name: Conditionally rebuild and save the Docker image
         if: ${{ steps.dockerpull.outcome == 'failure' }}
         run: |
-          workingtitle=$(docker build -q . )
+          workingtitle="${AZ_EPHEMERALIMAGENAME}:working"
+          docker buildx build --load --platform=linux/amd64 --no-cache -t "$workingtitle" --build-arg AZ_BOOTSTRAP_FROZEN_DIR .
           tempname="old${AZ_OLD_HASH}"
           docker run --name "$tempname" "$workingtitle" true
           docker cp -a "${tempname}:${AZ_BOOTSTRAP_FROZEN_DIR}/." .
@@ -114,7 +125,6 @@ jobs:
       - name: Build variables
         run: |
           echo "AZ_REVIEW_BASEURL=/arizona-bootstrap/${AZ_TRIMMED_REF}" >> ${GITHUB_ENV}
-          echo "AZ_SITE_HOST=https://review.digital.arizona.edu" >> ${GITHUB_ENV}
       - name: Build review site artifact
         run: |
           sudo touch config.yml
@@ -132,11 +142,11 @@ jobs:
           fi
         shell: sh
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-2
+          aws-region: ${{ secrets.AWS_REGION }}
       - name: Deploy review site artifact to S3 + CloudFront
         run: |
           aws s3 sync --delete _site/ s3://${{ secrets.REVIEW_BUCKET }}${AZ_REVIEW_BASEURL}/

Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 node:20.13.1-bookworm-slim
+FROM node:20.18.0-bookworm-slim
 
 ENV LANG C.UTF-8
 
@@ -37,7 +37,7 @@ RUN apt-get update \
   && chmod 755 /root \
   && touch /root/.npmrc \
   && chmod 644 /root/.npmrc \
-  && npm install --location=global npm-check-updates@16.14.20 \
+  && npm install --location=global npm-check-updates@17.1.3 \
   && curl 'https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip' -o /tmp/awscliv2.zip \
   && unzip -d /tmp /tmp/awscliv2.zip \
   && /tmp/aws/install \
@@ -49,8 +49,8 @@ WORKDIR $AZ_BOOTSTRAP_FROZEN_DIR
 RUN mkdir /home/node/.npm \
   && chown node:node /home/node/.npm \
   && npm config set cache='/home/node/.npm' \
-  && npm install \
-  && find node_modules -name '.DS_Store' -exec rm {} \; \ 
+  && npm install --foreground-scripts=true --loglevel=verbose \
+  && find node_modules -name '.DS_Store' -exec rm {} \; \
   && chown -R node:node "$AZ_BOOTSTRAP_FROZEN_DIR"
 
 USER node:node

build/postcss.config.js

@@ -1,5 +1,6 @@
 'use strict'
 
+/* eslint-disable-next-line unicorn/no-anonymous-default-export */
 module.exports = ctx => {
   return {
     map: ctx.file.dirname.includes('examples') ?