Release OpenProject 17.2.0

Author: machisuji

.dockerignore

@@ -41,5 +41,7 @@ frontend/node_modules
 node_modules
 # travis
 vendor/bundle
+# Local checkout; all-in-one copies hocuspocus from its dedicated image.
+vendor/hocuspocus
 /public/assets
 /config/frontend_assets.manifest.json

.env.example

@@ -44,6 +44,10 @@ PORT=3000
 FE_HOST=localhost
 FE_PORT=4200
 
+# Hocuspocus (collaborative editing) - local development
+OPENPROJECT_COLLABORATIVE__EDITING__HOCUSPOCUS__URL=ws://localhost:1234
+OPENPROJECT_COLLABORATIVE__EDITING__HOCUSPOCUS__SECRET=secret12345
+
 # Default TLD for docker dev stack (e.g. when set to "local", services will be openproject.local, nextcloud.local, etc.)
 OPENPROJECT_DOCKER_DEV_TLD=local
 

.github/dependabot.yml

@@ -5,6 +5,11 @@ updates:
     schedule:
       interval: "daily"
     target-branch: "dev"
+    cooldown:
+      default-days: 5
+      semver-major-days: 30
+      semver-minor-days: 14
+      semver-patch-days: 5
     groups:
       angular:
         patterns:
@@ -40,6 +45,11 @@ updates:
     schedule:
       interval: "daily"
     target-branch: "dev"
+    cooldown:
+      default-days: 5
+      semver-major-days: 30
+      semver-minor-days: 14
+      semver-patch-days: 5
     groups:
       aws-gems:
         patterns:
@@ -48,6 +58,22 @@ updates:
       - dependency-name: "openproject-octicons"
       - dependency-name: "openproject-octicons_helper"
       - dependency-name: "openproject-primer_view_components"
+  - package-ecosystem: "npm"
+    directory: "/extensions/op-blocknote-hocuspocus"
+    schedule:
+      interval: "weekly"
+    target-branch: "dev"
+    commit-message:
+      prefix: "deps(hocuspocus)"
+    labels:
+      - "dependencies"
+    groups:
+      npm-minor-patch:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:

.github/workflows/cla.yml

@@ -3,7 +3,7 @@ on:
   issue_comment:
     types: [created]
   pull_request_target:
-    types: [opened,closed,synchronize]
+    types: [opened, closed, synchronize]
 
 # explicitly configure permissions, in case your GITHUB_TOKEN workflow permissions are set to read-only in repository settings
 permissions:
@@ -14,6 +14,7 @@ permissions:
 
 jobs:
   CLAAssistant:
+    if: github.repository == 'opf/openproject'
     runs-on: ubuntu-latest
     steps:
       - name: "CLA Assistant"
@@ -23,11 +24,12 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PERSONAL_ACCESS_TOKEN: ${{ secrets.OPENPROJECTCI_GH_LEGAL_TOKEN }}
         with:
-          path-to-signatures: 'contributor-license-agreement/signatures/version1.json'
-          path-to-document: 'https://www.openproject.org/legal/contributor-license-agreement' # e.g. a CLA or a DCO document
+          path-to-signatures: "contributor-license-agreement/signatures/version1.json"
+          path-to-document: "https://www.openproject.org/legal/contributor-license-agreement" # e.g. a CLA or a DCO document
           # branch should not be protected
-          branch: 'main'
+          branch: "main"
           allowlist: >
+            *[bot]*,
             Copilot,
             Daten-David,
             EinLama,
@@ -72,6 +74,7 @@ jobs:
             samachon,
             shiroginne,
             toy,
+            tiroessler,
             ulferts,
             vonTronje,
             vspielau,

.github/workflows/codeql-scan-core.yml

@@ -2,18 +2,19 @@ name: codeql
 
 on:
   push:
-    branches: [ "dev", "release/*", "stable/*" ]
+    branches: ["dev", "release/*", "stable/*"]
   pull_request:
-    branches: [ "dev", "release/*", "stable/*" ]
+    branches: ["dev", "release/*", "stable/*"]
     paths-ignore:
-      - 'docs/**'
+      - "docs/**"
   schedule:
-    - cron: '32 1 * * 2'
+    - cron: "32 1 * * 2"
 
 jobs:
   analyze:
+    if: github.repository == 'opf/openproject'
     name: Analyze
-    runs-on: 'ubuntu-latest'
+    runs-on: "ubuntu-latest"
     timeout-minutes: 120
     permissions:
       # required for all workflows
@@ -26,7 +27,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'javascript-typescript', 'ruby' ]
+        language: ["javascript-typescript", "ruby"]
 
     steps:
       - name: Checkout repository

.github/workflows/continuous-delivery.yml

@@ -21,8 +21,10 @@ jobs:
           REPOSITORY: opf/openproject-flavours
           WORKFLOW_ID: ci.yml
           REF_NAME: ${{ github.ref_name }}
+          THIS_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
         run: |
-          PAYLOAD=$(jq -n --arg ref "$REF_NAME" '{"ref": "dev", "inputs": {"ref": $ref}}')
+          PAYLOAD=$(jq -n --arg ref "$REF_NAME" --arg triggered_by_url "$THIS_RUN_URL" \
+            '{"ref": "dev", "inputs": {"ref": $ref, "triggered_by_url": $triggered_by_url}}')
           curl -i --fail-with-body -H"authorization: Bearer $TOKEN" \
             -XPOST -H"Accept: application/vnd.github.v3+json" \
             https://api.github.com/repos/$REPOSITORY/actions/workflows/$WORKFLOW_ID/dispatches \

.github/workflows/create-merge-from-previous-release-branch-pr.yml

@@ -1,48 +1,49 @@
 name: create-merge-from-previous-release-branch
 on:
   push:
-    branches: [ "release/*" ]
+    branches: ["release/*"]
   workflow_dispatch:
 
 permissions: {}
 jobs:
   setup:
+    if: github.repository == 'opf/openproject'
     runs-on: ubuntu-latest
     outputs:
       previous_release_branch: ${{ steps.find_previous_release.outputs.branch }}
       latest_release_branch: ${{ steps.find_latest_release.outputs.branch }}
     steps:
-    - id: find_previous_release
-      env:
-        GITHUB_TOKEN: ${{ secrets.OPENPROJECTCI_GH_CORE_PAT }}
-        GITHUB_REPOSITORY: ${{ github.repository }}
-      run: |
-        BRANCH=$(curl -H "Authorization: token $GITHUB_TOKEN" \
-          https://api.github.com/repos/$GITHUB_REPOSITORY/branches?protected=true | \
-          jq -r '.[].name' | grep '^release/' | sort --version-sort | tail -2 | head -1
-        )
-        if [ "$BRANCH" = "" ]; then
-          echo "Invalid release branch found: $BRANCH"
-          exit 1
-        fi
-        echo "Found previous release branch: $BRANCH"
-        echo "branch=${BRANCH}" >> $GITHUB_OUTPUT
-    - id: find_latest_release
-      env:
-        GITHUB_TOKEN: ${{ secrets.OPENPROJECTCI_GH_CORE_PAT }}
-        GITHUB_REPOSITORY: ${{ github.repository }}
-      run: |
-        BRANCH=$(curl -H "Authorization: token $GITHUB_TOKEN" \
-          https://api.github.com/repos/$GITHUB_REPOSITORY/branches?protected=true | \
-          jq -r '.[].name' | grep '^release/' | sort --version-sort | tail -1
-        )
-        if [ "$BRANCH" = "" ]; then
-          echo "Invalid release branch found: $BRANCH"
-          exit 1
-        fi
-        
-        echo "Found current release branch: $BRANCH"
-        echo "branch=${BRANCH}" >> $GITHUB_OUTPUT
+      - id: find_previous_release
+        env:
+          GITHUB_TOKEN: ${{ secrets.OPENPROJECTCI_GH_CORE_PAT }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+        run: |
+          BRANCH=$(curl -H "Authorization: token $GITHUB_TOKEN" \
+            https://api.github.com/repos/$GITHUB_REPOSITORY/branches?protected=true | \
+            jq -r '.[].name' | grep '^release/' | sort --version-sort | tail -2 | head -1
+          )
+          if [ "$BRANCH" = "" ]; then
+            echo "Invalid release branch found: $BRANCH"
+            exit 1
+          fi
+          echo "Found previous release branch: $BRANCH"
+          echo "branch=${BRANCH}" >> $GITHUB_OUTPUT
+      - id: find_latest_release
+        env:
+          GITHUB_TOKEN: ${{ secrets.OPENPROJECTCI_GH_CORE_PAT }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+        run: |
+          BRANCH=$(curl -H "Authorization: token $GITHUB_TOKEN" \
+            https://api.github.com/repos/$GITHUB_REPOSITORY/branches?protected=true | \
+            jq -r '.[].name' | grep '^release/' | sort --version-sort | tail -1
+          )
+          if [ "$BRANCH" = "" ]; then
+            echo "Invalid release branch found: $BRANCH"
+            exit 1
+          fi
+
+          echo "Found current release branch: $BRANCH"
+          echo "branch=${BRANCH}" >> $GITHUB_OUTPUT
   merge-or-create-pr:
     if: github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref_name == needs.setup.outputs.previous_release_branch)
     env:
@@ -67,11 +68,11 @@ jobs:
           # Calculate a reasonable date to fetch from (e.g., 6 months ago)
           SINCE_DATE=$(date -d '3 months ago' '+%Y-%m-%d')
           echo "Fetching commits since: $SINCE_DATE"
-          
+
           # Fetch both branches with commits since the calculated date
           git fetch --shallow-since="$SINCE_DATE" origin "$RELEASE_BRANCH" "$PREVIOUS_RELEASE_BRANCH" || {
             echo "Shallow-since fetch failed, trying with depth strategy..."
-            
+
             # Fallback: Use progressive deepening
             git fetch --depth=50 origin "$RELEASE_BRANCH" "$PREVIOUS_RELEASE_BRANCH"
             for depth in 100 200 500 1000; do
@@ -98,7 +99,7 @@ jobs:
           else
             echo "⚠️ Could not find merge-base, operations may be limited"
           fi
-          
+
           echo "Branch $RELEASE_BRANCH has $(git rev-list --count origin/$RELEASE_BRANCH) commits"
           echo "Branch $PREVIOUS_RELEASE_BRANCH has $(git rev-list --count origin/$PREVIOUS_RELEASE_BRANCH) commits"
 

.github/workflows/create-merge-release-into-dev-pr.yml

@@ -2,33 +2,34 @@ name: create-merge-release-into-dev-pr
 on:
   workflow_dispatch:
   schedule:
-    - cron: '30 3 * * *' # Daily at 03:30
+    - cron: "30 3 * * *" # Daily at 03:30
 
 env:
   BASE_BRANCH: dev
 
 permissions: {}
 jobs:
   setup:
+    if: github.repository == 'opf/openproject'
     runs-on: ubuntu-latest
     outputs:
       latest_release_branch: ${{ steps.find_latest_release.outputs.branch }}
     steps:
-    - id: find_latest_release
-      env:
-        GITHUB_TOKEN: ${{ secrets.OPENPROJECTCI_GH_CORE_PAT }}
-        GITHUB_REPOSITORY: ${{ github.repository }}
-      run: |
-        BRANCH=$(curl -H "Authorization: token $GITHUB_TOKEN" \
-          https://api.github.com/repos/$GITHUB_REPOSITORY/branches?protected=true | \
-          jq -r '.[].name' | grep '^release/' | sort --version-sort | tail -1
-        )
-        if [ "$BRANCH" = "" ]; then
-          echo "Invalid release branch found: $BRANCH"
-          exit 1
-        fi
-
-        echo "branch=${BRANCH}" >> $GITHUB_OUTPUT
+      - id: find_latest_release
+        env:
+          GITHUB_TOKEN: ${{ secrets.OPENPROJECTCI_GH_CORE_PAT }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+        run: |
+          BRANCH=$(curl -H "Authorization: token $GITHUB_TOKEN" \
+            https://api.github.com/repos/$GITHUB_REPOSITORY/branches?protected=true | \
+            jq -r '.[].name' | grep '^release/' | sort --version-sort | tail -1
+          )
+          if [ "$BRANCH" = "" ]; then
+            echo "Invalid release branch found: $BRANCH"
+            exit 1
+          fi
+
+          echo "branch=${BRANCH}" >> $GITHUB_OUTPUT
 
   merge-or-create-pr:
     env:

.github/workflows/crowdin.yml

@@ -2,30 +2,31 @@ name: crowdin
 on:
   workflow_dispatch:
   schedule:
-    - cron: '0 3 * * *' # Daily at 03:00
+    - cron: "0 3 * * *" # Daily at 03:00
 
 permissions: {}
 jobs:
   setup:
+    if: github.repository == 'opf/openproject'
     runs-on: ubuntu-latest
     outputs:
       latest_release_branch: ${{ steps.find_latest_release.outputs.branch }}
     steps:
-    - id: find_latest_release
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        GITHUB_REPOSITORY: ${{ github.repository }}
-      run: |
-        BRANCH=$(curl -H "Authorization: token $GITHUB_TOKEN" \
-          https://api.github.com/repos/$GITHUB_REPOSITORY/branches?protected=true | \
-          jq -r '.[].name' | grep '^release/' | sort --version-sort | tail -1
-        )
-        if [ "$BRANCH" = "" ]; then
-          echo "Invalid release branch found: $BRANCH"
-          exit 1
-        fi
+      - id: find_latest_release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+        run: |
+          BRANCH=$(curl -H "Authorization: token $GITHUB_TOKEN" \
+            https://api.github.com/repos/$GITHUB_REPOSITORY/branches?protected=true | \
+            jq -r '.[].name' | grep '^release/' | sort --version-sort | tail -1
+          )
+          if [ "$BRANCH" = "" ]; then
+            echo "Invalid release branch found: $BRANCH"
+            exit 1
+          fi
 
-        echo "branch=${BRANCH}" >> $GITHUB_OUTPUT
+          echo "branch=${BRANCH}" >> $GITHUB_OUTPUT
 
   crowdin:
     permissions:

.github/workflows/docker-release.yml

@@ -12,6 +12,7 @@ on:
 
 jobs:
   compute-inputs:
+    if: github.repository == 'opf/openproject'
     runs-on: ubuntu-latest
     outputs:
       tag: ${{ steps.compute.outputs.tag }}
@@ -45,7 +46,7 @@ jobs:
           echo "tag=$TAG_REF" | tee -a "$GITHUB_OUTPUT"
 
   build:
-    needs: compute-inputs
+    needs: [compute-inputs]
     uses: ./.github/workflows/docker.yml
     with:
       branch: ${{ needs.compute-inputs.outputs.branch }}