Release v0.30.0

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      github-actions:
+        patterns:
+          - "*"

.github/workflows/main.yml

@@ -17,7 +17,7 @@ jobs:
         run: echo ${{ github.event.number }} > PR_NUMBER.txt
       - name: Archive PR number
         if: github.event_name == 'pull_request'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: PR_NUMBER
           path: PR_NUMBER.txt

.github/workflows/scorecard-analysis.yml

@@ -0,0 +1,36 @@
+name: Scorecard analysis workflow
+on:
+  push:
+    branches:
+    - main
+    - production
+  schedule:
+    # Weekly on Saturdays.
+    - cron:  '30 1 * * 6'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: read-all
+
+jobs:
+  analysis:
+    if: github.repository_owner == 'EclipseFdn'
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true

.github/workflows/smoketest.yml

@@ -10,14 +10,16 @@ jobs:
     timeout-minutes: 60
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           path: open-vsx.org
-      - uses: actions/checkout@v4
+          persist-credentials: false
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           repository: eclipse/openvsx
           path: openvsx
-      - uses: actions/setup-node@v4
+          persist-credentials: false
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version: 18.x
       - name: Install dependencies
@@ -36,7 +38,7 @@ jobs:
         run: sleep 10m
       - name: Get running server version
         id: running_version
-        uses: fjogeleit/http-request-action@v1
+        uses: fjogeleit/http-request-action@1297c6fc63a79b147d1676540a3fd9d2e37817c5 # v1.16.5
         with:
           url: "https://open-vsx.org/api/version"
           method: GET
@@ -48,15 +50,17 @@ jobs:
         if: steps.check_version.outputs.is_version == 'true'
         working-directory: ./openvsx/webui
         run: yarn smoke-tests
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         if: steps.check_version.outputs.is_version == 'true'
         with:
           name: playwright-report
           path: openvsx/webui/playwright-report/
           retention-days: 30
       - name: Fail smoke test
         if: steps.check_version.outputs.is_version != 'true'
-        uses: actions/github-script@v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          VERSION: ${{ steps.read_version.outputs.version }}
         with:
           script: |
-            core.setFailed('Deployed version is not ${{ steps.read_version.outputs.version }}')
+            core.setFailed(`Deployed version is not ${process.env.VERSION}`)

.github/workflows/sonar.yml

@@ -9,13 +9,13 @@ jobs:
     permissions:
       pull-requests: read
     runs-on: ubuntu-latest
-    if: github.event.workflow_run.conclusion == 'success'
+    if: github.repository == 'EclipseFdn/open-vsx.org' && github.event.workflow_run.conclusion == 'success'
     steps:
     - name: Create artifacts directory
       run: mkdir -p ${{ runner.temp }}/artifacts
     - name: Download PR number artifact
       if: github.event.workflow_run.event == 'pull_request'
-      uses: dawidd6/action-download-artifact@v6
+      uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
       with:
         workflow: Build
         run_id: ${{ github.event.workflow_run.id }}
@@ -24,37 +24,43 @@ jobs:
     - name: Read PR_NUMBER.txt
       if: github.event.workflow_run.event == 'pull_request'
       id: pr_number
-      uses: juliangruber/read-file-action@v1
+      uses: juliangruber/read-file-action@b549046febe0fe86f8cb4f93c24e284433f9ab58 # v1.1.7
       with:
         path: ${{ runner.temp }}/artifacts/PR_NUMBER.txt
     - name: Request GitHub API for PR data
       if: github.event.workflow_run.event == 'pull_request'
-      uses: octokit/request-action@v2.x
+      uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0
       id: get_pr_data
       with:
         route: GET /repos/{full_name}/pulls/{number}
         number: ${{ steps.pr_number.outputs.content }}
         full_name: ${{ github.event.repository.full_name }}
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - uses: actions/checkout@v4
+    - name: Checkout head branch on push
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      if: github.event.workflow_run.event == 'push' && github.event.workflow_run.head_repository.full_name == github.event.repository.full_name
       with:
           repository: ${{ github.event.workflow_run.head_repository.full_name }}
           ref: ${{ github.event.workflow_run.head_branch }}
           fetch-depth: 0
-    - name: Checkout base branch
+          persist-credentials: false
+    - name: Checkout head branch on pull_request
       if: github.event.workflow_run.event == 'pull_request'
       env:
         HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+        CLONE_URL: ${{ github.event.repository.clone_url }}
       run: |
-        git remote add upstream ${{ github.event.repository.clone_url }}
+        BASE_REF="${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}"
+
+        git remote add upstream ${CLONE_URL}
         git fetch upstream
-        git checkout -B ${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} upstream/${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}
-        git checkout $HEAD_BRANCH
+        git checkout -B ${BASE_REF} upstream/${BASE_REF}
+        git checkout ${HEAD_BRANCH}
         git clean -ffdx && git reset --hard HEAD
     - name: SonarCloud Scan on PR
       if: github.event.workflow_run.event == 'pull_request'
-      uses: SonarSource/sonarqube-scan-action@master
+      uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6.0.0
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
@@ -66,7 +72,7 @@ jobs:
           -Dsonar.pullrequest.base=${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}
     - name: SonarCloud Scan on push
       if: github.event.workflow_run.event == 'push' && github.event.workflow_run.head_repository.full_name == github.event.repository.full_name
-      uses: SonarSource/sonarqube-scan-action@master
+      uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6.0.0
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Dockerfile

@@ -1,4 +1,5 @@
-ARG SERVER_VERSION=v0.29.1
+ARG SERVER_VERSION=62c3ef7
+ARG SERVER_VERSION_STRING=v0.29.1-post-migration
 
 # Builder image to compile the website
 FROM ubuntu AS builder
@@ -19,20 +20,22 @@ RUN apt-get update \
   && corepack prepare yarn@stable --activate
 
 # bump to update website
-ENV WEBSITE_VERSION 0.16.4
+ENV WEBSITE_VERSION 0.17.0
 COPY . /workdir
 
 RUN /usr/bin/yarn --cwd website \
   && /usr/bin/yarn --cwd website compile \
   && /usr/bin/yarn --cwd website build
 
 # Main image derived from openvsx-server
-FROM ghcr.io/eclipse/openvsx-server:${SERVER_VERSION}
+FROM ghcr.io/netomi/openvsx-server:${SERVER_VERSION}
 ARG SERVER_VERSION
+ARG SERVER_VERSION_STRING
 
 COPY --from=builder --chown=openvsx:openvsx /workdir/website/static/ BOOT-INF/classes/static/
 COPY --from=builder --chown=openvsx:openvsx /workdir/configuration/application.yml config/
 COPY --from=builder --chown=openvsx:openvsx /workdir/configuration/logback-spring.xml BOOT-INF/classes/
+COPY --from=builder --chown=openvsx:openvsx /workdir/mail-templates BOOT-INF/classes/mail-templates
 
 # Replace version placeholder with arg value
-RUN sed -i "s/<SERVER_VERSION>/$SERVER_VERSION/g" config/application.yml
+RUN sed -i "s/<SERVER_VERSION>/${SERVER_VERSION_STRING}/g" config/application.yml

README.md

@@ -1,3 +1,18 @@
+<h1 align="center">
+
+<a href="https://open-vsx.org">
+  <img src="https://outreach.eclipse.foundation/hs-fs/hubfs/OpenVSX-logo.png?width=369&height=117&name=OpenVSX-logo.png">
+</a>
+
+</h1>
+
+<p align="center">
+  <a href="https://join.slack.com/t/openvsxworkinggroup/shared_invite/zt-2y07y1ggy-ct3IfJljjGI6xWUQ9llv6A"><img alt="Slack workspace" src="https://img.shields.io/badge/Slack-Join%20workspace-4A154B?logo=slack&logoColor=white" /></a>
+  <a href="https://github.com/EclipseFdn/open-vsx.org/blob/main/LICENSE"><img alt="EPLv2 License" src="https://img.shields.io/github/license/EclipseFdn/open-vsx.org" /></a>
+  <a href="https://github.com/EclipseFdn/open-vsx.org/actions/workflows/main.yml?query=branch%3Aproduction"><img alt="Build Status @ production" src="https://github.com/EclipseFdn/open-vsx.org/actions/workflows/main.yml/badge.svg?branch:main" /></a>
+  <a href="https://scorecard.dev/viewer/?uri=github.com/EclipseFdn/open-vsx.org"><img alt="OpenSSF Scorecard" src="https://api.securityscorecards.dev/projects/github.com/EclipseFdn/open-vsx.org/badge" /></a>
+</p>
+
 # open-vsx.org
 
 This repository contains the source of [open-vsx.org](https://open-vsx.org), the public instance of [Eclipse Open VSX](https://github.com/eclipse/openvsx). Most of the code is maintained in [eclipse/openvsx](https://github.com/eclipse/openvsx), while here you'll find only adaptations specific to the public instance.
@@ -62,4 +77,4 @@ Have a bug or a feature request? Please search for existing and closed issues. I
 
 ## Copyright and license
 
-Copyright 2021-2022 the [Eclipse Foundation, Inc.](https://www.eclipse.org) and the [open-vsx.org authors](https://github.com/eclipsefdn/open-vsx.org/graphs/contributors). Code released under the [Eclipse Public License Version 2.0 (EPL-2.0)](https://github.com/EclipseFdn/open-vsx.org/blob/main/LICENSE).
+Copyright 2021-2025 the [Eclipse Foundation, Inc.](https://www.eclipse.org) and the [open-vsx.org authors](https://github.com/eclipsefdn/open-vsx.org/graphs/contributors). Code released under the [Eclipse Public License Version 2.0 (EPL-2.0)](https://github.com/EclipseFdn/open-vsx.org/blob/main/LICENSE).