Release OpenProject 16.5.0

Author: ulferts

.github/dependabot.yml

@@ -5,38 +5,45 @@ updates:
     schedule:
       interval: "daily"
     target-branch: "dev"
-    open-pull-requests-limit: 3
-    versioning-strategy: lockfile-only
     groups:
       angular:
         patterns:
           - '@angular*'
+      blocknote:
+        patterns:
+          - '@blocknote/*'
       fullcalendar:
         patterns:
-          - '@fullcalendar*'
+          - '@fullcalendar/*'
+      html-eslint:
+        patterns:
+          - '@html-eslint/*'
+      ng-select:
+        patterns:
+          - '@ng-select/*'
       appsignal:
         patterns:
-          - '@appsignal*'
+          - '@appsignal/*'
     ignore:
       - dependency-name: "@angular*"
         update-types: ["version-update:semver-major"]
+      - dependency-name: "@openproject/octicons"
       - dependency-name: "@openproject/primer-view-components"
   - package-ecosystem: "bundler"
     directory: "/"
     schedule:
       interval: "daily"
     target-branch: "dev"
-    open-pull-requests-limit: 3
-    versioning-strategy: lockfile-only
     groups:
       aws-gems:
         patterns:
           - "aws-*"
     ignore:
+      - dependency-name: "openproject-octicons"
+      - dependency-name: "openproject-octicons_helper"
       - dependency-name: "openproject-primer_view_components"
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
     target-branch: "dev"
-    open-pull-requests-limit: 3

.github/workflows/cla.yml

@@ -0,0 +1,86 @@
+name: "CLA Assistant"
+on:
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types: [opened,closed,synchronize]
+
+# explicitly configure permissions, in case your GITHUB_TOKEN workflow permissions are set to read-only in repository settings
+permissions:
+  actions: write
+  contents: read # this can be 'read' if the signatures are in remote repository
+  pull-requests: write
+  statuses: write
+
+jobs:
+  CLAAssistant:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "CLA Assistant"
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
+        uses: contributor-assistant/github-action@v2.6.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PERSONAL_ACCESS_TOKEN: ${{ secrets.OPENPROJECTCI_GH_LEGAL_TOKEN }}
+        with:
+          path-to-signatures: 'contributor-license-agreement/signatures/version1.json'
+          path-to-document: 'https://www.openproject.org/legal/contributor-license-agreement' # e.g. a CLA or a DCO document
+          # branch should not be protected
+          branch: 'main'
+          allowlist: >
+            Daten-David,
+            EinLama,
+            HDinger,
+            JanKeppler,
+            Kharonus,
+            Lucas-Knechtel,
+            MayaBerd,
+            NobodysNightmare,
+            RobinWagner,
+            akabiru,
+            as-op,
+            astock2,
+            ba1ash,
+            birthe,
+            brunopagno,
+            bsatarnejad,
+            cbliard,
+            corinnaguenther,
+            crohr,
+            dependabot[bot],
+            dombesz,
+            dominic-brauenlein,
+            dsteiner,
+            dtohmucu,
+            gleone-art,
+            judithroth,
+            klaustopher,
+            kluedecke,
+            lindenthal,
+            machisuji,
+            marcalcobe,
+            mereghost,
+            mrmir,
+            myabc,
+            oliverguenther,
+            openprojectci,
+            psatyal,
+            samachon,
+            shiroginne,
+            toy,
+            ulferts,
+            vonTronje,
+            vspielau,
+            wielinde,
+            yanzubrytskyi
+
+          # the followings are the optional inputs - If the optional inputs are not given, then default values will be taken
+          remote-organization-name: opf
+          remote-repository-name: legal
+          #create-file-commit-message: 'For example: Creating file for storing CLA Signatures'
+          #signed-commit-message: 'For example: $contributorName has signed the CLA in $owner/$repo#$pullRequestNo'
+          #custom-notsigned-prcomment: 'pull request comment with Introductory message to ask new contributors to sign'
+          #custom-pr-sign-comment: 'The signature to be committed in order to sign the CLA'
+          #custom-allsigned-prcomment: 'pull request comment when all contributors has signed, defaults to **CLA Assistant Lite bot** All Contributors have signed the CLA.'
+          #lock-pullrequest-aftermerge: false - if you don't want this bot to automatically lock the pull request after merging (default - true)
+          #use-dco-flag: true - If you are using DCO instead of CLA

.github/workflows/docker-release.yml

@@ -0,0 +1,71 @@
+name: Docker / Tagged builds
+
+on:
+  push:
+    tags:
+      - v*
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "The tag to release. Note that this happens by default on the tag push. Only run this action when something went wrong!"
+        required: false
+
+jobs:
+  compute-inputs:
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.compute.outputs.tag }}
+      branch: ${{ steps.compute.outputs.branch }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.ref }}
+      - name: Compute tags and branch
+        id: compute
+        run: |
+          if [[ ${{ github.event_name }} == 'push' ]]; then
+            # Tag push e.g. refs/tags/v16.3.0 => v16.3.0
+            TAG_REF="${GITHUB_REF#refs/tags/}"
+            BRANCH_REF="$GITHUB_REF"
+          elif [[ ${{ github.event_name }} == 'workflow_dispatch' && -n "${{ inputs.tag }}" ]]; then
+            # Manual dispatch with tag
+            TAG_REF="${{ inputs.tag }}"
+            BRANCH_REF="${{ inputs.tag }}"
+          else
+            # Fallback to dev
+            TAG_REF="dev"
+            BRANCH_REF="dev"
+          fi
+
+          echo "branch=$BRANCH_REF" | tee -a "$GITHUB_OUTPUT"
+          echo "tag=$TAG_REF" | tee -a "$GITHUB_OUTPUT"
+
+  build:
+    needs: compute-inputs
+    uses: ./.github/workflows/docker.yml
+    with:
+      branch: ${{ needs.compute-inputs.outputs.branch }}
+      tag: ${{ needs.compute-inputs.outputs.tag }}
+    secrets: inherit
+
+  trigger_helm_release:
+    if: ${{ github.repository == 'opf/openproject' }}
+    needs: [compute-inputs, build]
+    permissions:
+      contents: none
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger Helm charts release
+        env:
+          TOKEN: ${{ secrets.OPENPROJECT_CI_TOKEN }}
+          REPOSITORY: opf/helm-charts
+          WORKFLOW_ID: core_release.yml
+        run: |
+          # FIXME: re-enable once workflows are confirmed to be doing the right thing
+          echo "Would have triggered helm charts release with tag: ${{ needs.compute-inputs.outputs.tag }}"
+          exit 0
+          curl -i --fail-with-body -H"authorization: Bearer $TOKEN" \
+            -XPOST -H"Accept: application/vnd.github.v3+json" \
+            https://api.github.com/repos/$REPOSITORY/actions/workflows/$WORKFLOW_ID/dispatches \
+            -d '{"ref": "main", "inputs": { "tag" : "${{ needs.compute-inputs.outputs.tag }}" }}'

.github/workflows/docker-scheduled.yml

@@ -0,0 +1,29 @@
+name: Docker / Scheduled builds
+
+on:
+  # build dev and release branches daily
+  schedule:
+    - cron: "20 2 * * *" # Daily at 02:20
+  workflow_dispatch: # Allow manual trigger
+
+jobs:
+  generate-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - uses: actions/checkout@v5
+      - name: Generate matrix
+        id: set-matrix
+        run: ruby script/gh/docker-tags.rb --matrix
+
+  build:
+    needs: generate-matrix
+    strategy:
+      matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
+      fail-fast: false
+    uses: ./.github/workflows/docker.yml
+    with:
+      branch: ${{ matrix.branch }}
+      tag: ${{ matrix.tag }}
+    secrets: inherit