Merge pull request #19787 from wireapp/dev

chore(release): Release Candidate — 2025-11-20

Author: nkaramarko

.browserslistrc

@@ -1,3 +1 @@
-chrome >= 99, not dead
-firefox >= 99, not dead
-edge >= 99, not dead
+>0.5%, baseline widely available, last 1 year, not dead

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,20 +1,29 @@
-## Description
+# Pull Request
 
-<!-- Uncomment this section if your PR has UI changes -->
-<!--
-## Screenshots/Screencast (for UI changes)
--->
+## Summary
 
-## Checklist
+- What did I change and why?
+- Risks and how to roll out / roll back (e.g. feature flags):
 
-- [ ] mentions the JIRA issue in the PR name (Ex. [WPB-XXXX])
-- [ ] PR has been self reviewed by the author;
-- [ ] Hard-to-understand areas of the code have been commented;
-- [ ] If it is a core feature, unit tests have been added;
+---
 
-<!-- Uncomment this section if it is necessary to understand the PR -->
-<!-- ## Important Details for the Reviewers
+## Security Checklist (required)
 
-- use (x) data
-- can be reviewed commit-by-commit
-- be sure to look at ... -->
+- [ ] **External inputs are validated & sanitized** on client and/or server where applicable.
+- [ ] **API responses are validated**; unexpected shapes are handled safely (fallbacks or errors).
+- [ ] **No unsafe HTML is rendered**; if unavoidable, sanitization is applied **and** documented where it happens.
+- [ ] **Injection risks (XSS/SQL/command) are prevented** via safe APIs and/or escaping.
+
+## Standards Acknowledgement (required)
+
+- [ ] I have read and this PR **upholds** our [Coding Standards](https://github.com/wireapp/wire-webapp/tree/docs/coding-standards.md) and [Tech Radar Choices](https://github.com/wireapp/wire-webapp/tree/docs/tech-radar.md).
+
+---
+
+## Screenshots or demo (if the user interface changed)
+
+## Notes for reviewers
+
+- Trade-offs:
+- Follow-ups (linked issues):
+- Linked PRs (e.g. web-packages):

.github/copilot-instructions.md

@@ -0,0 +1,84 @@
+# Copilot — Repository Instructions (Security-first)
+
+## Goals & tone
+
+- Apply our **Web Coding Standards** during **PR description drafting** and **code review**.
+- Prefer **specific, actionable** comments with short code examples.
+- Use severities: **[Blocker]**, **[Important]**, **[Suggestion]**.
+- Do **not** nitpick items handled by automation (formatting, lint rules).
+
+Related docs (important):
+
+- **Coding Standards:** docs/coding-standards.md
+- **Tech Radar:** docs/tech-radar.md
+
+**Additional rules (open when relevant)**
+
+- Security: `.github/instructions/security.instructions.md`
+- Accessibility: `.github/instructions/accessibility.instructions.md`
+- React/UX: `.github/instructions/react.instructions.md`
+- TypeScript: `.github/instructions/typescript.instructions.md`
+
+---
+
+## PR description — Auto-checks Copilot should perform
+
+---
+
+## Security Checklist (required)
+
+- [ ] **External inputs validated & sanitised** (client/server as applicable). _Tick if_ validation/sanitisation is visible before use.
+- [ ] **API responses validated**; unexpected shapes handled (fallbacks/errors). _Tick if_ guards/schemas are present at boundaries.
+- [ ] **No unsafe HTML is rendered**; if unavoidable, sanitisation is applied **and** noted where it happens. _Fail signal:_ `dangerouslySetInnerHTML` without sanitiser (e.g., `DOMPurify.sanitize`).
+- [ ] **Injection risks (XSS/SQL/command) mitigated** via safe APIs/escaping. _Tick if_ sinks are avoided or safely wrapped.
+
+---
+
+## When reviewing pull requests (Copilot)
+
+**Scope & approach**
+
+- Review **from the code diff only**; do not assume runtime behavior.
+- Use severities: **[Blocker]**, **[Important]**, **[Suggestion]**.
+- Provide concise, actionable comments; include a minimal before/after snippet where useful.
+
+### Security (focus of inline review)
+
+- Avoid/flag `dangerouslySetInnerHTML`; if present, require sanitisation and name the sanitizer.
+- No raw DOM insertion into trusted contexts; validate URLs/redirect targets.
+- Validate untrusted inputs and API responses **before** use; prefer schemas/guards.
+- Check for secrets/tokens in code, configs, and tests.
+- Call out missing error/fallback paths on boundary failures.
+
+### Accessibility (minimum check)
+
+- Keyboard access (Esc closes dialogs), visible focus, correct roles/labels.
+- Use of `aria-live` for async status where appropriate.
+
+### Everything else
+
+- For imports/TS/React/testing/naming/readability: **refer to** the [Coding Standards](docs/coding-standards.md).
+  - If a standard is violated, link the relevant section and suggest a minimal change.
+
+### Technology choices
+
+- Compare any new dependencies in `package.json`/lockfiles to the [Tech Radar](docs/tech-radar.md).
+  - If not **Adopt**/**Trial**, mark **[Blocker]** and request an RFC/approval link.
+  - For **Trial**, ensure usage is narrowly scoped and success criteria exist.
+
+---
+
+## Comment format Copilot should use
+
+**Top-level summary**
+
+- Verdict: **Ready** / **Changes requested**, with counts of Blockers/Important/Suggestions.
+- Mini checklist (only items evidenced by diff): Security, Accessibility, Tech choices, (then link to Coding Standards for any non-security notes).
+
+**Inline comments**
+
+- One issue per comment with severity, file:line, brief reason, and (when helpful) a minimal suggested patch.
+
+**Approval**
+
+- Approve only if there are **no Blockers** and Important items are fixed or explicitly deferred with rationale.

.github/instructions/accessibility.instructions.md

@@ -0,0 +1,10 @@
+---
+appliesTo:
+  paths:
+    - 'src/**/*'
+---
+
+# Copilot — Accessibility
+
+- Ensure keyboard access is coded: focusable controls; Escape key closes dialogs; trap & restore focus in dialogs.
+- Use semantic elements; provide names/labels; add `aria-live` for async status updates where relevant.

.github/instructions/react.instructions.md

@@ -0,0 +1,13 @@
+---
+appliesTo:
+  paths:
+    - 'src/**/*.tsx'
+---
+
+# Copilot — React code review rules
+
+- Prefer event handlers or a data tool over `useEffect`.
+- If an effect is necessary, it must: (1) do one thing, (2) have stable deps, (3) avoid inline objects/functions in deps.
+- No derived state from props unless justified.
+- Keys in lists: stable unique ids; never array indexes.
+- Keep UI components “dumb”: render from props; move business logic to a separate module or hook.

.github/instructions/security.instructions.md

@@ -0,0 +1,11 @@
+---
+appliesTo:
+  paths:
+    - 'src/**/*'
+---
+
+# Copilot — Security hygiene
+
+- Validate and sanitise **all untrusted input** and **all API responses**.
+- Avoid `dangerouslySetInnerHTML`. If used, it must be sanitised and commented with the sanitizer reference.
+- Avoid raw DOM insertion and unvalidated URLs; suggest safe helpers.

.github/instructions/typescript.instructions.md

@@ -0,0 +1,12 @@
+---
+appliesTo:
+  paths:
+    - 'src/**/*.ts'
+    - 'src/**/*.tsx'
+---
+
+# Copilot — TypeScript safety
+
+- Do not use `any`, type casts (`as T`/`<T>`), or the non-null operator `!`.
+- Exported APIs must have explicit types. Narrow with type guards (or schemas) at boundaries.
+- Handle `null`/`undefined` explicitly; avoid `@ts-ignore` (unless narrowly scoped with a reason).

.github/workflows/jira-lint-and-link.yml

@@ -8,11 +8,11 @@ jobs:
     if: ${{ github.actor != 'dependabot[bot]' }}
     runs-on: ubuntu-latest
     steps:
-      - uses: cakeinpanic/jira-description-action@v0.9.0
+      - uses: cakeinpanic/jira-description-action@master
         name: jira-description-action
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           jira-token: ${{ secrets.JIRA_TOKEN }}
           jira-base-url: https://wearezeta.atlassian.net
           skip-branches: '^(dev|master|release\/*)$'
-          fail-when-jira-issue-not-found: false
+          fail-when-jira-issue-not-found: true

.github/workflows/playwright-cells-crit-flow-tests-manual.yml

@@ -20,3 +20,4 @@ jobs:
       environment: ${{ github.event.inputs.environment }}
     secrets:
       OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+      WIRE_CELLS_E2E_TEST_BOT_WEBHOOK_URL: ${{ secrets.WIRE_CELLS_E2E_TEST_BOT_WEBHOOK_URL }}

.github/workflows/playwright-cells-crit-flow-tests-scheduled.yml

@@ -16,3 +16,4 @@ jobs:
       environment: ${{ matrix.environment }}
     secrets:
       OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+      WIRE_CELLS_E2E_TEST_BOT_WEBHOOK_URL: ${{ secrets.WIRE_CELLS_E2E_TEST_BOT_WEBHOOK_URL }}