Merge pull request #344 from puzzle/security-updates

chrira · web-flow · commit db32c56981a0 · 2025-04-23T17:22:13.000+02:00
Security updates
diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -0,0 +1,28 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ],
+  "packageRules": [
+    {
+      "matchPackageNames": ["/floryn90/hugo/", "/nginxinc/nginx-unprivileged/"],
+      "matchDatasources": ["docker"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "automerge": true
+    },
+    {
+      "description": "Automerge GitHub Action updates",
+      "matchDepTypes": ["action"],
+      "matchDatasources": ["github-tags"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "automerge": true
+    },
+    {
+      "description": "Automerge dev-dependencies",
+      "matchDepTypes": ["devDependencies"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "automerge": true
+    }
+  ],
+  "ignoreDeps": ["mongo", "rocketchat/rocket.chat", "jenkins/jenkins"]
+}
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -9,7 +9,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        uses: actions/checkout@v4
         with:
           submodules: recursive
       -
@@ -107,6 +107,5 @@ jobs:
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           message: |
-
            PR Environments:
            *  puzzle <https://jenkins-techlab-pr-${{ github.event.pull_request.number }}.ocp.cloudscale.puzzle.ch>
diff --git a/.github/workflows/pr-cleanup.yaml b/.github/workflows/pr-cleanup.yaml
@@ -4,12 +4,12 @@ on:
     types: [closed]
 
 jobs:
-  deployment:
+  pr-cleanup:
     runs-on: 'ubuntu-latest'
     steps:
       -
         name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        uses: actions/checkout@v4
         with:
           submodules: recursive
       -
diff --git a/.github/workflows/push-main.yaml b/.github/workflows/push-main.yaml
@@ -11,7 +11,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        uses: actions/checkout@v4
         with:
           submodules: recursive
       -
diff --git a/.gitignore b/.gitignore
@@ -1,7 +1,6 @@
 Thumbs.db
 .DS_Store
 .dist
-.hugo_build.lock
 .tmp
 .sass-cache
 npm-debug.log
@@ -11,6 +10,7 @@ public
 .env
 resources
 .idea/
+.hugo_build.lock
 id_rsa
 id_rsa.pub
 *.bak
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM klakegg/hugo:0.111.3-ext-ubuntu AS builder
+FROM docker.io/floryn90/hugo:0.146.6-ext-ubuntu AS builder
 
 ARG TRAINING_HUGO_ENV=default
 
@@ -8,7 +8,7 @@ RUN hugo --environment ${TRAINING_HUGO_ENV} --minify
 
 RUN /src/reveal-slides/build-slides.sh
 
-FROM ubuntu:noble AS wkhtmltopdf
+FROM docker.io/ubuntu:noble AS wkhtmltopdf
 RUN apt-get update \
     && apt-get install -y curl \
     && curl -L https://github.com/wkhtmltopdf/packaging/releases/download/0.12.6.1-2/wkhtmltox_0.12.6.1-2.jammy_amd64.deb --output wkhtmltox_0.12.6.1-2.jammy_amd64.deb \
@@ -19,16 +19,22 @@ RUN apt-get update \
 
 COPY --from=builder /src/public /
 
-RUN wkhtmltopdf --outline-depth 4 --enable-internal-links --enable-local-file-access  ./pdf/index.html /pdf.pdf
-
-FROM nginxinc/nginx-unprivileged:1.27-alpine
-
-LABEL maintainer puzzle.ch
-LABEL org.opencontainers.image.title "puzzle.ch's Jenkins Techlab"
-LABEL org.opencontainers.image.description "Container with puzzle.ch's Jenkins Techlab content"
-LABEL org.opencontainers.image.authors puzzle.ch
-LABEL org.opencontainers.image.source https://github.com/puzzle/jenkins-techlab/
-LABEL org.opencontainers.image.licenses CC-BY-SA-4.0
+RUN wkhtmltopdf --outline-depth 4 \
+    --margin-top 35mm --margin-bottom 22mm --margin-left 15mm --margin-right 10mm \
+    --enable-internal-links --enable-local-file-access \
+    /pdf/index.html /pdf.pdf
+
+FROM docker.io/nginxinc/nginx-unprivileged:1.27-alpine
+USER root
+COPY nginx.conf /etc/nginx/nginx.conf
+USER 101
+
+LABEL maintainer=puzzle.ch
+LABEL org.opencontainers.image.title="puzzle.ch's Jenkins Techlab"
+LABEL org.opencontainers.image.description="Container with puzzle.ch's Jenkins Techlab content"
+LABEL org.opencontainers.image.authors="puzzle.ch"
+LABEL org.opencontainers.image.source="https://github.com/puzzle/jenkins-techlab/"
+LABEL org.opencontainers.image.licenses="CC-BY-SA-4.0"
 
 EXPOSE 8080
 
diff --git a/README.md b/README.md
@@ -27,14 +27,15 @@ The slides will be generated in the `public/slides/intro` directory
 
 This site is built using the static page generator [Hugo](https://gohugo.io/).
 
-The page uses the [docsy theme](https://github.com/google/docsy) which is included as a Git Submodule.
-Docsy is being enhanced using [docsy-plus](https://github.com/acend/docsy-plus/) as well as [docsy-puzzle](https://github.com/puzzle/docsy-puzzle/)
+The page uses the [docsy theme](https://github.com/google/docsy) which is included as a Hugo Module.
+Docsy is being enhanced using [docsy-plus](https://github.com/acend/docsy-plus/) as well as
+[docsy-acend](https://github.com/acend/docsy-acend/) and [docsy-puzzle](https://github.com/puzzle/docsy-puzzle/)
 for brand specific settings.
 
-After cloning the main repo, you need to initialize the submodule like this:
+After cloning the main repo, you need to initialize the Hugo Module like this:
 
 ```bash
-git submodule update --init --recursive
+hugo mod get
 ```
 
 The default configuration uses the puzzle setup from [config/_default](config/_default/config.toml).
@@ -52,11 +53,14 @@ Further, specialized environments can be added in the `config` directory.
 Run the following command to update all submodules with their newest upstream version:
 
 ```bash
-git submodule update --remote
+hugo mod get -u
 ```
 
 
-## Build using Docker
+## Build production image locally
+
+
+### Docker
 
 Build the image:
 
@@ -67,49 +71,51 @@ docker build -t puzzle/jenkins-techlab:latest .
 Run it locally:
 
 ```bash
-docker run -i -p 8080:8080 puzzle/jenkins-techlab
+docker run --rm -p 8080:8080 puzzle/jenkins-techlab
 ```
 
 
-### Using Buildah and Podman
+### Buildah and Podman
 
 Build the image:
 
 ```bash
 buildah build-using-dockerfile -t puzzle/jenkins-techlab:latest .
 ```
 
-Run it locally with the following command. Beware that `--rmi` automatically removes the built image when the container stops, so you either have to rebuild it or remove the parameter from the command.
+Run it locally:
 
 ```bash
-podman run --rm --rmi --interactive --publish 8080:8080 localhost/puzzle/jenkins-techlab
+podman run --rm --rmi --publish 8080:8080 localhost/puzzle/jenkins-techlab
 ```
 
+**Note:** Beware that `--rmi` automatically removes the built image when the container stops, so you either have to rebuild it or remove the parameter from the command.
+
 
 ## How to develop locally
 
 To develop locally we don't want to rebuild the entire container image every time something changed, and it is also important to use the same hugo versions like in production.
 We simply mount the working directory into a running container, where hugo is started in the server mode.
 
 ```bash
-export HUGO_VERSION=$(grep "FROM klakegg/hugo" Dockerfile | sed 's/FROM klakegg\/hugo://g' | sed 's/ AS builder//g')
-docker run \
-  --rm --interactive \
-  --publish 8081:8081 \
-  -v $(pwd):/src \
-  klakegg/hugo:${HUGO_VERSION} \
-  server -p 8081 --bind 0.0.0.0
+export HUGO_VERSION=$(grep "FROM docker.io/floryn90/hugo" Dockerfile | sed 's/FROM docker.io\/floryn90\/hugo://g' | sed 's/ AS builder//g')
+docker run --rm --publish 8080:8080 -v $(pwd):/src docker.io/floryn90/hugo:${HUGO_VERSION} server -p 8080
 ```
 
-Access the local documentation: <localhost:8081>
+Use the following command to set the hugo environment
+
+```bash
+export HUGO_VERSION=$(grep "FROM docker.io/floryn90/hugo" Dockerfile | sed 's/FROM docker.io\/floryn90\/hugo://g' | sed 's/ AS builder//g')
+docker run --rm --publish 8080:8080 -v $(pwd):/src docker.io/floryn90/hugo:${HUGO_VERSION} server --environment=<environment> -p 8080
+```
 
 
 ## Linting of Markdown content
 
 Markdown files are linted with <https://github.com/DavidAnson/markdownlint>.
 Custom rules are in `.markdownlint.json`.
 There's a GitHub Action `.github/workflows/markdownlint.yaml` for CI.
-For local checks, you can either use Visual Studio Code with the corresponding extension (markdownlint), or the command line like this:
+For local checks, you can either use Visual Studio Code with the corresponding extension, or the command line like this:
 
 ```shell script
 npm install
@@ -119,8 +125,14 @@ npm run mdlint
 Npm not installed? no problem
 
 ```bash
-export HUGO_VERSION=$(grep "FROM klakegg/hugo" Dockerfile | sed 's/FROM klakegg\/hugo://g' | sed 's/ AS builder//g')
-docker run --rm --interactive -v $(pwd):/src klakegg/hugo:${HUGO_VERSION}-ci /bin/bash -c "set -euo pipefail;npm install; npm run mdlint;"
+export HUGO_VERSION=$(grep "FROM docker.io/floryn90/hugo" Dockerfile | sed 's/FROM docker.io\/floryn90\/hugo://g' | sed 's/ AS builder//g')
+docker run --rm -v $(pwd):/src docker.io/floryn90/hugo:${HUGO_VERSION}-ci /bin/bash -c "npm install && npm run mdlint"
+```
+
+Automatically fix errors if possible:
+
+```bash
+npm run mdlint-fix
 ```
 
 
diff --git a/config/_default/config.toml b/config/_default/config.toml
@@ -84,8 +84,8 @@ breadcrumb_disable = false
 sidebar_search_disable = false
 #  Set to false if you don't want to display a logo (/assets/icons/logo.svg) in the top nav bar
 navbar_logo = true
-# Set to true to disable the About link in the site footer
-footer_about_disable = true
+# Set to false to disable the About link in the site footer
+footer_about_enable = false
 
 ############################## social links ##############################
 [params.links]
@@ -106,6 +106,9 @@ url = "https://linkedin.com/company/puzzle-itc"
 
 # puzzle design
 [module]
+  # uncomment line below for temporary local development of module
+  # replacements = "github.com/google/docsy -> ../../docsy"
+  # replacements = "github.com/acend/docsy-plus -> ../../docsy-plus"
   [module.hugoVersion]
     extended = true
     min = "0.100.0"
diff --git a/go.mod b/go.mod
@@ -3,9 +3,11 @@ module github.com/puzzle/jenkins-techlab
 go 1.19
 
 require (
+	github.com/FortAwesome/Font-Awesome v0.0.0-20240716171331-37eff7fa00de // indirect
 	github.com/acend/docsy-acend v1.0.0 // indirect
-	github.com/acend/docsy-plus v1.0.0 // indirect
-	github.com/google/docsy v0.4.0 // indirect
-	github.com/google/docsy/dependencies v0.4.0 // indirect
+	github.com/acend/docsy-plus v1.2.0 // indirect
+	github.com/google/docsy v0.11.0 // indirect
+	github.com/google/docsy/dependencies v0.7.2 // indirect
 	github.com/puzzle/docsy-puzzle v0.0.0-20230123144731-757054047a02 // indirect
+	github.com/twbs/bootstrap v5.3.5+incompatible // indirect
 )
diff --git a/go.sum b/go.sum
@@ -1,15 +1,31 @@
 github.com/FortAwesome/Font-Awesome v0.0.0-20210804190922-7d3d774145ac/go.mod h1:IUgezN/MFpCDIlFezw3L8j83oeiIuYoj28Miwr/KUYo=
+github.com/FortAwesome/Font-Awesome v0.0.0-20230327165841-0698449d50f2/go.mod h1:IUgezN/MFpCDIlFezw3L8j83oeiIuYoj28Miwr/KUYo=
+github.com/FortAwesome/Font-Awesome v0.0.0-20240716171331-37eff7fa00de h1:JvHOfdSqvArF+7cffH9oWU8oLhn6YFYI60Pms8M/6tI=
+github.com/FortAwesome/Font-Awesome v0.0.0-20240716171331-37eff7fa00de/go.mod h1:IUgezN/MFpCDIlFezw3L8j83oeiIuYoj28Miwr/KUYo=
 github.com/acend/docsy-acend v0.0.0-20220406070448-8027986336dc h1:kNDPVcZCXsbJxqDstPoesa9YqWx84BVowj9cgxG6dnE=
 github.com/acend/docsy-acend v0.0.0-20220406070448-8027986336dc/go.mod h1:92hTJB3aPssEooTK+gv0i84vwTjah30HKaLGdupJaPA=
+github.com/acend/docsy-acend v1.0.0 h1:TwmHoH3z6lh5zcNj6zUpMP4lYOhQ+OOgcbBwr7AqVoo=
 github.com/acend/docsy-acend v1.0.0/go.mod h1:h8XZkPe1VufdOQfFXcLVQ7FvOJyIMKr8rJcSvWStG2g=
 github.com/acend/docsy-plus v0.0.0-20220428195954-da462686a1f4 h1:NH8RTlmPMcTPxfZYlqYWWcqoQ5STebCQikKByJVRnAA=
 github.com/acend/docsy-plus v0.0.0-20220428195954-da462686a1f4/go.mod h1:FUTTPmi3S92rVMbCYqXdGNxixdyqACBrFTK7dOuMttQ=
+github.com/acend/docsy-plus v1.0.0 h1:Ag2xQv15gwqPnsvWSBP8GKAnRrctVkADwaG3Qymt5ww=
 github.com/acend/docsy-plus v1.0.0/go.mod h1:YDHqf+DCZcx5HvKGzaBluPmLfgHQ2GKkYjggvF98jR4=
+github.com/acend/docsy-plus v1.2.0 h1:MJaMdkqXU6ws7A+6Lzhx4qGvncifund3NF44Tzs7iVM=
+github.com/acend/docsy-plus v1.2.0/go.mod h1:LPbI0Ljrhzt0YHUg8qozWVUXjrMVI1cFVPn3TyQxbcY=
 github.com/google/docsy v0.4.0 h1:Eyt2aiDC1fnw/Qq/9xnIqUU5n5Yyk4c8gX3nBDdTv/4=
 github.com/google/docsy v0.4.0/go.mod h1:vJjGkHNaw9bO42gpFTWwAUzHZWZEVlK46Kx7ikY5c7Y=
+github.com/google/docsy v0.11.0 h1:QnV40cc28QwS++kP9qINtrIv4hlASruhC/K3FqkHAmM=
+github.com/google/docsy v0.11.0/go.mod h1:hGGW0OjNuG5ZbH5JRtALY3yvN8ybbEP/v2iaK4bwOUI=
 github.com/google/docsy/dependencies v0.4.0 h1:FXwyjtuFfPIPBauU2t7uIAgS6VYfJf+OD5pzxGvkQsQ=
 github.com/google/docsy/dependencies v0.4.0/go.mod h1:2zZxHF+2qvkyXhLZtsbnqMotxMukJXLaf8fAZER48oo=
+github.com/google/docsy/dependencies v0.7.2 h1:+t5ufoADQAj4XneFphz4A+UU0ICAxmNaRHVWtMYXPSI=
+github.com/google/docsy/dependencies v0.7.2/go.mod h1:gihhs5gmgeO+wuoay4FwOzob+jYJVyQbNaQOh788lD4=
 github.com/puzzle/docsy-puzzle v0.0.0-20220406081603-2cd9f7c8d79a h1:ivuXhwliGTmfp4Zn9dqHiIHPUbniLhsbSYKrsQIoFKM=
 github.com/puzzle/docsy-puzzle v0.0.0-20220406081603-2cd9f7c8d79a/go.mod h1:FHtQEgHYfsiO5d1XXaF/mD5C51PQw1kea8JwTGBs93o=
+github.com/puzzle/docsy-puzzle v0.0.0-20230123144731-757054047a02 h1:80gTlzoKpnRjr4F70KAXmNs6UsTAkPgYEyyVguDwheg=
 github.com/puzzle/docsy-puzzle v0.0.0-20230123144731-757054047a02/go.mod h1:q4bPnnpLaz5IDdFmQFxCHr85uwAsK9ayut5NNmC4w3I=
 github.com/twbs/bootstrap v4.6.1+incompatible/go.mod h1:fZTSrkpSf0/HkL0IIJzvVspTt1r9zuf7XlZau8kpcY0=
+github.com/twbs/bootstrap v5.2.3+incompatible/go.mod h1:fZTSrkpSf0/HkL0IIJzvVspTt1r9zuf7XlZau8kpcY0=
+github.com/twbs/bootstrap v5.3.3+incompatible/go.mod h1:fZTSrkpSf0/HkL0IIJzvVspTt1r9zuf7XlZau8kpcY0=
+github.com/twbs/bootstrap v5.3.5+incompatible h1:6XrrFNMsiTTFcVTBf2886FO2XUNtwSE+QPv1os0uAA4=
+github.com/twbs/bootstrap v5.3.5+incompatible/go.mod h1:fZTSrkpSf0/HkL0IIJzvVspTt1r9zuf7XlZau8kpcY0=
diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml
@@ -11,12 +11,14 @@ acendTraining:
       ingress:
         emptyTLS: true
         ingressClassName: openshift-public
+        useDefaultSecret: true
         labels:
           public: "true"
-        useDefaultSecret: true
         appname: jenkins-techlab
         domainmain: puzzle.ch
         domain: ocp.cloudscale.puzzle.ch
+
+
 nameOverride: "jenkins-techlab"
 fullnameOverride: ""
 
diff --git a/nginx.conf b/nginx.conf
@@ -0,0 +1,59 @@
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log notice;
+pid        /tmp/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    port_in_redirect        off;
+    proxy_temp_path         /tmp/proxy_temp;
+    client_body_temp_path   /tmp/client_temp;
+    fastcgi_temp_path       /tmp/fastcgi_temp;
+    uwsgi_temp_path         /tmp/uwsgi_temp;
+    scgi_temp_path          /tmp/scgi_temp;
+
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log          /var/log/nginx/access.log  main;
+    sendfile            on;
+    keepalive_timeout   65;
+
+    server {
+        add_header X-Frame-Options "SAMEORIGIN";
+        add_header X-Content-Type-Options "nosniff";
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header Cross-Origin-Embedder-Policy "require-corp";
+        add_header Cross-Origin-Resource-Policy "same-origin";
+        add_header Cross-Origin-Opener-Policy "same-origin";
+        add_header X-Permitted-Cross-Domain-Policies "none";
+        add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=()";
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self' unpkg.com cdn.jsdelivr.net code.jquery.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com cdn.jsdelivr.net; font-src 'self' fonts.gstatic.com cdn.jsdelivr.net";
+
+        proxy_hide_header X-Powered-By;
+
+        listen       8080;
+        server_name  localhost;
+        server_tokens off;
+
+        location / {
+            root   /usr/share/nginx/html;
+            index  index.html index.htm;
+        }
+
+        error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   /usr/share/nginx/html;
+        }
+    }
+
+}
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
diff --git a/renovate.json b/renovate.json

Original file line number	Diff line number	Diff line change
`@@ -4,12 +4,12 @@ on:`
`4`	`4`	`types: [closed]`
`5`	`5`
`6`	`6`	`jobs:`
`7`		`- deployment:`
	`7`	`+ pr-cleanup:`
`8`	`8`	`runs-on: 'ubuntu-latest'`
`9`	`9`	`steps:`
`10`	`10`	`-`
`11`	`11`	`name: Checkout`
`12`		`- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4`
	`12`	`+ uses: actions/checkout@v4`
`13`	`13`	`with:`
`14`	`14`	`submodules: recursive`
`15`	`15`	`-`
Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ jobs:`
`11`	`11`	`steps:`
`12`	`12`	`-`
`13`	`13`	`name: Checkout`
`14`		`- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4`
	`14`	`+ uses: actions/checkout@v4`
`15`	`15`	`with:`
`16`	`16`	`submodules: recursive`
`17`	`17`	`-`