Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

Release: merge development into beta#67

Open
github-actions[bot] wants to merge 21 commits into
betafrom
development
Open

Release: merge development into beta#67
github-actions[bot] wants to merge 21 commits into
betafrom
development

Conversation

@github-actions

Copy link
Copy Markdown
Contributor

Automated PR to sync development changes to beta for beta release.

Merging this PR will trigger the beta release workflow.

Reminder: Add a major, minor, or patch label to this PR to control the version bump. Default is patch.

Hydra Pipeline and others added 20 commits May 2, 2026 16:29
… SourceBinding

Two findings from Clyde Barcode's full-branch security audit on PR #29
(see #32 for the tracking issue, the verdict
comments on PR #29, and the dogfood context).

1. SSRF defence-in-depth — ExternalReleaseInstallerService.php
   authenticatedDownload() and verifyChecksum() fetched URLs from the
   GitHub API browser_download_url field without
   'nextcloud' => ['allow_local_address' => false]. A malicious release
   in a trusted-source-listed repo could redirect the download to an
   internal address, forwarding the PAT Bearer token. PatValidator
   already sets this option correctly — mirrored the pattern in both
   methods. (OWASP A10:2021)

2. Path-traversal guard — SourceBinding.php
   The constructor accepted any string for owner/repo. fnmatch in
   TrustedSourceList lets `*` match `/`, so `ConductionNL/../../../x`
   passes the allowlist. Adding preg_match validation to the constructor
   rejects invalid characters at the boundary; charset matches GitHub's
   own owner/repo rules (alphanumerics, dot, dash, underscore).
   (CWE-22 / OWASP A01:2021)

Both fixes mirror Conduction's existing patterns in the same app and
do not introduce new dependencies. Bounded mechanical changes, no
behaviour change for legitimate inputs.

Bundles 31 SPDX header additions + the gate-9 #[NoAdminRequired] batch
removal from Juan Claude van Damme's earlier review run (commit 1cc7df9
on the pr-branch ref) in the same PR.
chore(quality): apply Hydra full-branch review findings — SPDX, gate-9, SSRF, path-traversal
…elopment) (#39)

Stand up the journeydoc docs surface for App Versions. The app is in
development; this PR provides the brand landing page and a tutorial
skeleton anchored on the version-management / external-sources /
pat-management specs, so app-versions.conduction.nl resolves to a real
Docusaurus site while the admin UI matures.

- docs/ tree copied from nextcloud-app-template's canonical scaffold
  (Docusaurus + @conduction/docusaurus-preset 2.6.1, en-only i18n,
  custom prism + mermaid themes, brand-theme swizzles)
- landing page: version-rows glyph, NL-Conduction tagline corrected
  off the info.xml summary (NOT the stale 'scaffold/template' framing
  that lives on conduction-website's apps-catalog), three token-built
  mock panels (Installed apps + current version, Available versions
  per source, Recent rollbacks), 'In development' hero status
- intro.md rewritten to describe what App Versions actually does
  (multi-source version picker, rollback or pin, audit-trailed) and
  links the four canonical specs on GitHub
- user track collapses to a single 'who is this for?' pointer page
  (App Versions is admin-only); admin track gets three intent-stating
  pages mapped to specs: 01 first launch, 02 rollback
  (version-management), 03 connect a GitHub source (external-sources
  + pat-management)
- documentation.yml: triggers on [documentation] only (canonical
  post-revert deploy model), cname app-versions.conduction.nl
- CNAME static + docusaurus.config url / editUrl / GitHub link all
  point at app-versions
- Add 1200x630 brand OG card with the app's wordmark.
- Set themeConfig.image to reference the new card.
- Correct llms.txt docs links to /docs/intro + /api.
Drop the local docs/scripts/validate-ai-baseline.mjs copy and call the
bin command shipped by @conduction/docusaurus-preset >=3.5.0 instead.

Why: keeps the validator in one place across the fleet. Future check
additions ship via a preset bump rather than 17 parallel PRs.
Validator behaviour is identical (same 8 universal checks).
Preset 3.6.0 ships the traditional-SEO baseline (sitemap lastmod,
drops priority/changefreq per Google 2026 guidance, fixes the legal-
link 404s on subdomain footers, adds searchConsoleVerification opt).

The lockfile bump uses --min-release-age=0 per .npmrc cooldown
override (required for fresh @conduction/* releases under the
24h supply-chain cooldown).
Preset 3.6.0 shipped with a JSDoc parse bug (literal */ inside backticks
closed the comment early). 3.6.1 fixed it; this lockfile bump pulls
the patched version so the Documentation workflow's npm ci succeeds
and the deploy finally fires with the AI baseline.
…d) (#54)

3.7.0's 90% sitemap-lastmod threshold was too strict; Docusaurus
auto-generated routes don't have source mtime. 3.7.1 lowers to 50%
(still catches preset-wrap regressions, tolerates the realistic
mix of markdown content + auto-routes).
…icle + IndexNow) (#56)

3.8.0 adds:
- BreadcrumbList JSON-LD on marketing pages via <DetailHero>
- TechArticle JSON-LD on docs pages via DocItem/Content swizzle
- IndexNow plugin (sites need to set indexnow.key to enable Bing pings)

Pure lockfile bump; package.json range ^3.7.0 already satisfies.
3.9.0 adds a hard-fail validator check for TechArticle JSON-LD on
docs pages, on top of the swizzle that ships the schema (3.8.0).
Pure lockfile bump; package.json range ^3.7.0 already satisfies.
Brings the composer require.php constraint in line with the runtime
the container + CI already use (PHP 8.3). Drops formal support for
PHP 8.1 and 8.2. Several vendor packages (e.g. azjezz/psl@4.3.0) use
PHP 8.3 typed class constants, making the codebase functionally
8.3-only already.

Part of the fleet-wide PHP 8.3 sweep.
Aligns the composer platform pin with the runtime constraint
('require.php' bumped to ^8.3 fleet-wide yesterday). Keeps composer's
resolver consistent — it'll pick package versions assuming PHP 8.3 is
the target runtime, which matches what the container (PHP 8.3.30) and
CI matrices already use.

Part of the fleet-wide PHP 8.3 sweep.
…ling (#65)

Aligns appinfo/info.xml with the fleet canonical:

- <php min-version="8.3"> — matches the
  composer require.php constraint (^8.3 fleet-wide)
- <nextcloud min-version="28" max-version="34">
  — converge the fleet on one NC support range
- <licence>agpl</licence> — fix the casing/value drift
  (fleet had agpl / eupl / EUPL-1.2 / AGPL-3.0-or-later — 4 spellings).
  Stays on "agpl" workaround per the EUPL store-listing pattern;
  switch to "EUPL-1.2" once NC 34 is the fleet floor
  (ConductionNL/.github#98).

Per-app fields (<id>, <name>, <description>, <version>, etc.) are
preserved.

Drift surfaced in
https://github.com/ConductionNL/nextcloud-app-template/blob/development/docs/fleet-drift-deeper.md#4-appinfoinfoxml--significant-drift
Per the fleet drift research in
[nextcloud-app-template/docs/fleet-drift-deeper.md §3](https://github.com/ConductionNL/nextcloud-app-template/blob/development/docs/fleet-drift-deeper.md#3-ci-workflows-githubworkflowsyml),
app-versions carried 14 workflows — almost all legacy / one-off
predecessors of the canonical fleet set.

Deletes 12 legacy workflows:
- block-unconventional-commits.yml, fixup.yml
- lint-eslint.yml, lint-info-xml.yml, lint-php-cs.yml, lint-php.yml,
  lint-stylelint.yml (folded into code-quality.yml)
- node.yml, npm-audit-fix.yml
- psalm-matrix.yml (folded into code-quality.yml)
- update-nextcloud-ocp-approve-merge.yml, update-nextcloud-ocp-matrix.yml

Adds 9 canonical workflows from the template:
- branch-protection.yml, code-quality.yml, issue-triage.yml,
  openspec-sync.yml, pull-request-lint-check.yaml, release-beta.yml,
  release-stable.yml, spec-validation.yml, sync-to-beta.yml

Keeps:
- documentation.yml (already canonical)
- openapi.yml (upstream Nextcloud org workflow, out of fleet scope)
Maps all 70 uncovered Controller/Service/Listener methods to the four
existing capability specs (version-management, external-sources,
pat-management, app-discovery) via @SPEC docblock tags. No new REQs were
needed — the specs already describe every method's behaviour. Drives
gate-16 spec-coverage to 0 uncovered backend methods.
@github-actions

Copy link
Copy Markdown
Contributor Author

Quality Report — ConductionNL/app-versions @ 9d63ff6

Check PHP Vue Security License Tests
lint
phpcs
phpmd
psalm
phpstan
phpmetrics
eslint
stylelint
composer
npm ✅ 282/282
PHPUnit ⏭️
Newman ⏭️
Playwright ⏭️

Quality workflow — 2026-05-25 20:11 UTC

Download the full PDF report from the workflow artifacts.

@github-actions

Copy link
Copy Markdown
Contributor Author

Quality Report — ConductionNL/app-versions @ dcf32b7

Check PHP Vue Security License Tests
lint
phpcs
phpmd
psalm
phpstan
phpmetrics
eslint
stylelint
composer ✅ 7/7
npm ✅ 282/282
PHPUnit ⏭️
Newman ⏭️
Playwright ⏭️

Quality workflow — 2026-05-25 23:49 UTC

Download the full PDF report from the workflow artifacts.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant