Merge pull request #377 from itk-dev/feature/security-update

Security update

Author: rimi-itk

.docker/nginx.conf

@@ -7,7 +7,6 @@ events {
     worker_connections  1024;
 }
 
-
 http {
     proxy_temp_path /tmp/proxy_temp;
     client_body_temp_path /tmp/client_temp;

.docker/templates/default.conf.template

@@ -84,10 +84,6 @@ server {
 
         fastcgi_intercept_errors on;
         fastcgi_pass ${NGINX_FPM_SERVICE};
-
-        # @TODO Can we fall back to the default value here if NGINX_FASTCGI_READ_TIMEOUT is not defined?
-        # Cf. https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_read_timeout
-        fastcgi_read_timeout ${NGINX_FASTCGI_READ_TIMEOUT};
     }
 
     # Enforce clean URLs

.env

@@ -1,3 +1,3 @@
 COMPOSE_PROJECT_NAME=os2loop
 COMPOSE_DOMAIN=os2loop.local.itkdev.dk
-
+ITKDEV_TEMPLATE=drupal-10

.github/workflows/build_release.yml

@@ -1,7 +1,7 @@
 on:
   push:
     tags:
-      - '*.*.*'
+      - "*.*.*"
 
 name: Create Github Release
 

.github/workflows/changelog.yaml

@@ -0,0 +1,29 @@
+# Do not edit this file! Make a pull request on changing
+# github/workflows/changelog.yaml in
+# https://github.com/itk-dev/devops_itkdev-docker if need be.
+
+### ### Changelog
+###
+### Checks that changelog has been updated
+
+name: Changelog
+
+on:
+  pull_request:
+
+jobs:
+  changelog:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 2
+
+      - name: Git fetch
+        run: git fetch
+
+      - name: Check that changelog has been updated.
+        run: git diff --exit-code origin/${{ github.base_ref }} -- CHANGELOG.md && exit 1 || exit 0

.github/workflows/composer.yaml

@@ -0,0 +1,80 @@
+# Do not edit this file! Make a pull request on changing
+# github/workflows/composer.yaml in
+# https://github.com/itk-dev/devops_itkdev-docker if need be.
+
+### ### Composer
+###
+### Validates composer.json and checks that it's normalized.
+###
+### #### Assumptions
+###
+### 1. A docker compose service named `phpfpm` can be run and `composer` can be
+###    run inside the `phpfpm` service.
+### 2. [ergebnis/composer-normalize](https://github.com/ergebnis/composer-normalize)
+###    is a dev requirement in `composer.json`:
+###
+###    ``` shell
+###    docker compose run --rm phpfpm composer require --dev ergebnis/composer-normalize
+###    ```
+###
+###    Normalize `composer.json` by running
+###
+###    ``` shell
+###    docker compose run --rm phpfpm composer normalize
+###    ```
+
+name: Composer
+
+env:
+  COMPOSE_USER: root
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - develop
+
+jobs:
+  composer-validate:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Create docker network
+        run: |
+          docker network create frontend
+
+      - run: |
+          docker compose run --rm phpfpm composer validate --strict
+
+  composer-normalized:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Create docker network
+        run: |
+          docker network create frontend
+
+      - run: |
+          docker compose run --rm phpfpm composer install
+          docker compose run --rm phpfpm composer normalize --dry-run
+
+  composer-audit:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Create docker network
+        run: |
+          docker network create frontend
+
+      - run: |
+          docker compose run --rm phpfpm composer audit

.github/workflows/javascript.yaml

@@ -0,0 +1,37 @@
+# Do not edit this file! Make a pull request on changing
+# github/workflows/drupal/javascript.yaml in
+# https://github.com/itk-dev/devops_itkdev-docker if need be.
+
+### ### Drupal JavaScript (and TypeScript)
+###
+### Validates JavaScript files.
+###
+### #### Assumptions
+###
+### 1. A docker compose service named `prettier` for running
+###    [Prettier](https://prettier.io/) exists.
+
+name: JavaScript
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - develop
+
+jobs:
+  javascript-lint:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Create docker network
+        run: |
+          docker network create frontend
+
+      - run: |
+          docker compose run --rm prettier 'web/**/custom/**/js/**/*.js' --check

.github/workflows/markdown.yaml

@@ -0,0 +1,44 @@
+# Do not edit this file! Make a pull request on changing
+# github/workflows/markdown.yaml in
+# https://github.com/itk-dev/devops_itkdev-docker if need be.
+
+### ### Markdown
+###
+### Lints Markdown files (`**/*.md`) in the project.
+###
+### [markdownlint-cli configuration
+### files](https://github.com/igorshubovych/markdownlint-cli?tab=readme-ov-file#configuration),
+### `.markdownlint.jsonc` and `.markdownlintignore`, control what is actually
+### linted and how.
+###
+### #### Assumptions
+###
+### 1. A docker compose service named `markdownlint` for running `markdownlint`
+###    (from
+###    [markdownlint-cli](https://github.com/igorshubovych/markdownlint-cli))
+###    exists.
+
+name: Markdown
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - develop
+
+jobs:
+  markdown-lint:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Create docker network
+        run: |
+          docker network create frontend
+
+      - run: |
+          docker compose run --rm markdownlint markdownlint '**/*.md'

.github/workflows/php.yaml

@@ -0,0 +1,59 @@
+# Do not edit this file! Make a pull request on changing
+# github/workflows/drupal/php.yaml in
+# https://github.com/itk-dev/devops_itkdev-docker if need be.
+
+### ### Drupal PHP
+###
+### Checks that PHP code adheres to the [Drupal coding
+### standards](https://www.drupal.org/docs/develop/standards).
+###
+### #### Assumptions
+###
+### 1. A docker compose service named `phpfpm` can be run and `composer` can be
+###    run inside the `phpfpm` service.
+### 2. [drupal/coder](https://www.drupal.org/project/coder) is a dev requirement
+### in `composer.json`:
+###
+###    ``` shell
+###    docker compose run --rm phpfpm composer require --dev drupal/coder
+###    ```
+###
+###    Clean up and check code by running
+###
+###    ``` shell
+###    docker compose run --rm phpfpm vendor/bin/phpcbf
+###    docker compose run --rm phpfpm vendor/bin/phpcs
+###    ```
+###
+### > [!NOTE]
+### > The template adds `.phpcs.xml.dist` as [a configuration file for
+### > PHP_CodeSniffer](https://github.com/squizlabs/PHP_CodeSniffer/wiki/Advanced-Usage#using-a-default-configuration-file)
+### > and this makes it possible to override the actual configuration used in a
+### > project by adding a more important configuration file, e.g. `.phpcs.xml`.
+
+name: PHP
+
+env:
+  COMPOSE_USER: root
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - develop
+
+jobs:
+  coding-standards:
+    name: PHP - Check Coding Standards
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Create docker network
+        run: |
+          docker network create frontend
+
+      - run: |
+          docker compose run --rm phpfpm composer install
+          docker compose run --rm phpfpm vendor/bin/phpcs