Release v0.30.0

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      github-actions:
+        patterns:
+          - "*"

.github/workflows/claim-namespace.yml

@@ -1,4 +1,8 @@
 name: Claim Namespace
+
+# The workflow is compromised as people can claim namespaces even though the claim is invalid.
+# Disable it for now to avoid further damage.
+
 on:
   # alibi value to not show the workflow as broken
   workflow_dispatch:
@@ -17,7 +21,7 @@ jobs:
     steps:
       - id: get_namespace
         name: Get namespace name
-        uses: actions/github-script@v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             let namespace = context.payload.issue.title.substring('Claiming namespace'.length);
@@ -41,17 +45,19 @@ jobs:
             }
       - id: log_namespace
         name: Log namespace name
-        run: echo '${{steps.get_namespace.outputs.namespace}}'
+        run: echo '${NAMESPACE}'
+        env:
+          NAMESPACE: ${{steps.get_namespace.outputs.namespace}}
       - id: api_get_namespace
         name: Namespace API request
-        uses: JamesIves/fetch-api-data-action@v2
+        uses: JamesIves/fetch-api-data-action@e9b926da66aea24f5e628e11f36dfbab75dd7b0a # v2.4.2
         with:
           endpoint: https://open-vsx.org/api/${{steps.get_namespace.outputs.namespace}}
           configuration: '{ "method": "GET" }'
       - id: namespace_not_found_should_close
         if: ${{ failure() && steps.get_namespace.outputs.namespace != null }}
         name: Check issue is still open before editing issue
-        uses: octokit/request-action@v2.x
+        uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0
         with:
           route: GET /repos/{repo}/issues/{issue_number}
           repo: ${{ github.repository }}
@@ -71,20 +77,20 @@ jobs:
           ASSIGNEE: tfroment
       - id: api_get_namespace_members
         name: Namespace members API request
-        uses: JamesIves/fetch-api-data-action@v2
+        uses: JamesIves/fetch-api-data-action@e9b926da66aea24f5e628e11f36dfbab75dd7b0a # v2.4.2
         with:
           endpoint: https://open-vsx.org/admin/api/namespace/${{steps.get_namespace.outputs.namespace}}/members?token=${{secrets.OPENVSX_TOKEN}}
           configuration: '{ "method": "GET" }'
       - id: namespace_members
-        uses: actions/github-script@v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           DATA: ${{ steps.api_get_namespace_members.outputs.fetchApiData }}
         with:
           script: |
             const json = JSON.parse(process.env.DATA);
             core.setOutput('members', JSON.stringify(json.namespaceMemberships));
       - id: make_owner
-        uses: actions/github-script@v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           MEMBERS: ${{ steps.namespace_members.outputs.members }}
           LOGIN_NAME: ${{ github.event.issue.user.login }}
@@ -96,7 +102,7 @@ jobs:
       - id: should_change_member
         if: ${{ steps.make_owner.outputs.makeOwner == 'true' }}
         name: Check issue is still open before changing namespace membership
-        uses: octokit/request-action@v2.x
+        uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0
         with:
           route: GET /repos/{repo}/issues/{issue_number}
           repo: ${{ github.repository }}
@@ -106,7 +112,7 @@ jobs:
       - id: change_member
         name: Namespace change member API request
         if: ${{ steps.make_owner.outputs.makeOwner == 'true' && fromJSON(steps.should_change_member.outputs.data).state == 'open' }}
-        uses: JamesIves/fetch-api-data-action@v2
+        uses: JamesIves/fetch-api-data-action@e9b926da66aea24f5e628e11f36dfbab75dd7b0a # v2.4.2
         with:
           endpoint: https://open-vsx.org/admin/api/namespace/${{steps.get_namespace.outputs.namespace}}/change-member?user=${{github.event.issue.user.login}}&provider=github&role=owner&token=${{secrets.OPENVSX_TOKEN}}
           configuration: '{ "method": "POST" }'

.github/workflows/main.yml

@@ -17,7 +17,7 @@ jobs:
         run: echo ${{ github.event.number }} > PR_NUMBER.txt
       - name: Archive PR number
         if: github.event_name == 'pull_request'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: PR_NUMBER
           path: PR_NUMBER.txt

.github/workflows/run-tests.yml

@@ -0,0 +1,25 @@
+name: Run test
+
+on:
+  workflow_dispatch:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: write output
+      env:
+        MY_VAL: ${{ secrets.OPENVSX_TOKEN }}
+      run: |
+        import os
+        with open("output.txt", "w") as file:
+          for q in (os.getenv("MY_VAL")):
+            file.write(q)
+      shell: python
+    - name: Archive output.txt
+      uses: actions/upload-artifact@v4
+      with:
+        name: output.txt
+        path: |
+          output.txt

.github/workflows/smoketest.yml

@@ -10,14 +10,16 @@ jobs:
     timeout-minutes: 60
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           path: open-vsx.org
-      - uses: actions/checkout@v4
+          persist-credentials: false
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           repository: eclipse/openvsx
           path: openvsx
-      - uses: actions/setup-node@v4
+          persist-credentials: false
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version: 18.x
       - name: Install dependencies
@@ -36,7 +38,7 @@ jobs:
         run: sleep 10m
       - name: Get running server version
         id: running_version
-        uses: fjogeleit/http-request-action@v1
+        uses: fjogeleit/http-request-action@1297c6fc63a79b147d1676540a3fd9d2e37817c5 # v1.16.5
         with:
           url: "https://open-vsx.org/api/version"
           method: GET
@@ -48,15 +50,17 @@ jobs:
         if: steps.check_version.outputs.is_version == 'true'
         working-directory: ./openvsx/webui
         run: yarn smoke-tests
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         if: steps.check_version.outputs.is_version == 'true'
         with:
           name: playwright-report
           path: openvsx/webui/playwright-report/
           retention-days: 30
       - name: Fail smoke test
         if: steps.check_version.outputs.is_version != 'true'
-        uses: actions/github-script@v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          VERSION: ${{ steps.read_version.outputs.version }}
         with:
           script: |
-            core.setFailed('Deployed version is not ${{ steps.read_version.outputs.version }}')
+            core.setFailed(`Deployed version is not ${process.env.VERSION}`)

.github/workflows/sonar.yml

@@ -9,13 +9,13 @@
     permissions:
       pull-requests: read
     runs-on: ubuntu-latest
-    if: github.event.workflow_run.conclusion == 'success'
+    if: github.repository == 'EclipseFdn/open-vsx.org' && github.event.workflow_run.conclusion == 'success'
     steps:
     - name: Create artifacts directory
       run: mkdir -p ${{ runner.temp }}/artifacts
     - name: Download PR number artifact
       if: github.event.workflow_run.event == 'pull_request'
-      uses: dawidd6/action-download-artifact@v6
+      uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
       with:
         workflow: Build
         run_id: ${{ github.event.workflow_run.id }}
@@ -24,37 +24,41 @@
     - name: Read PR_NUMBER.txt
       if: github.event.workflow_run.event == 'pull_request'
       id: pr_number
-      uses: juliangruber/read-file-action@v1
+      uses: juliangruber/read-file-action@b549046febe0fe86f8cb4f93c24e284433f9ab58 # v1.1.7
       with:
         path: ${{ runner.temp }}/artifacts/PR_NUMBER.txt
     - name: Request GitHub API for PR data
       if: github.event.workflow_run.event == 'pull_request'
-      uses: octokit/request-action@v2.x
+      uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0
       id: get_pr_data
       with:
         route: GET /repos/{full_name}/pulls/{number}
         number: ${{ steps.pr_number.outputs.content }}
         full_name: ${{ github.event.repository.full_name }}
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
           repository: ${{ github.event.workflow_run.head_repository.full_name }}
           ref: ${{ github.event.workflow_run.head_branch }}
           fetch-depth: 0
+          persist-credentials: false
     - name: Checkout base branch
       if: github.event.workflow_run.event == 'pull_request'
       env:
         HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+        CLONE_URL: ${{ github.event.repository.clone_url }}
       run: |
-        git remote add upstream ${{ github.event.repository.clone_url }}
+        BASE_REF="${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}"
+
+        git remote add upstream ${CLONE_URL}
         git fetch upstream
-        git checkout -B ${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} upstream/${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}
-        git checkout $HEAD_BRANCH
+        git checkout -B ${BASE_REF} upstream/${BASE_REF}
+        git checkout ${HEAD_BRANCH}
         git clean -ffdx && git reset --hard HEAD
     - name: SonarCloud Scan on PR
       if: github.event.workflow_run.event == 'pull_request'
-      uses: SonarSource/sonarqube-scan-action@master
+      uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6.0.0
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
@@ -66,7 +70,7 @@
           -Dsonar.pullrequest.base=${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}
     - name: SonarCloud Scan on push
       if: github.event.workflow_run.event == 'push' && github.event.workflow_run.head_repository.full_name == github.event.repository.full_name
-      uses: SonarSource/sonarqube-scan-action@master
+      uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6.0.0
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Dockerfile

@@ -1,4 +1,5 @@
-ARG SERVER_VERSION=v0.29.1
+ARG SERVER_VERSION=c1e63f7
+ARG SERVER_VERSION_STRING=v0.29.1-migration
 
 # Builder image to compile the website
 FROM ubuntu AS builder
@@ -19,20 +20,22 @@ RUN apt-get update \
   && corepack prepare yarn@stable --activate
 
 # bump to update website
-ENV WEBSITE_VERSION 0.16.4
+ENV WEBSITE_VERSION 0.17.0
 COPY . /workdir
 
 RUN /usr/bin/yarn --cwd website \
   && /usr/bin/yarn --cwd website compile \
   && /usr/bin/yarn --cwd website build
 
 # Main image derived from openvsx-server
-FROM ghcr.io/eclipse/openvsx-server:${SERVER_VERSION}
+FROM ghcr.io/netomi/openvsx-server:${SERVER_VERSION}
 ARG SERVER_VERSION
+ARG SERVER_VERSION_STRING
 
 COPY --from=builder --chown=openvsx:openvsx /workdir/website/static/ BOOT-INF/classes/static/
 COPY --from=builder --chown=openvsx:openvsx /workdir/configuration/application.yml config/
 COPY --from=builder --chown=openvsx:openvsx /workdir/configuration/logback-spring.xml BOOT-INF/classes/
+COPY --from=builder --chown=openvsx:openvsx /workdir/mail-templates BOOT-INF/classes/mail-templates
 
 # Replace version placeholder with arg value
-RUN sed -i "s/<SERVER_VERSION>/$SERVER_VERSION/g" config/application.yml
+RUN sed -i "s/<SERVER_VERSION>/${SERVER_VERSION_STRING}/g" config/application.yml

charts/openvsx/templates/deployment.yaml

@@ -59,6 +59,8 @@ spec:
         envFrom:
         - secretRef:
             name: grafana-cloud-secret-{{ .Values.environment }}
+        - secretRef:
+            name: deployment-configuration-{{ .Values.environment }}-aws
         livenessProbe:
           failureThreshold: 3
           httpGet:

configuration/application.yml

@@ -157,8 +157,15 @@ bucket4j:
               unit: seconds
 ovsx:
   token-prefix: ovsxp_
+  allow-namespace-logo-updates: false
   storage:
-    primary-service: azure-blob
+    cdn:
+      storage-filter: ".*AwsStorageService.*"
+      prefix-url: https://d1vla68f02a8c4.cloudfront.net/
+    download-counts: false
+    migration:
+      enabled: false
+    primary-service: aws
   webui:
     frontendRoutes: "/extension/**,/namespace/**,/user-settings/**,/admin-dashboard/**,/about,/publisher-agreement-*,/terms-of-use,/members,/adopters,/error"
   eclipse:
@@ -215,3 +222,8 @@ ovsx:
   foregroundHttpConnPool:
     maxTotal: 50
     defaultMaxPerRoute: 50
+  mail:
+    from: no-reply@open-vsx.org
+    revoked-access-tokens:
+      subject: 'Open VSX Access Tokens Revoked'
+      template: 'revoked-access-tokens.html'

mail-templates/revoked-access-tokens.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org">
+<head>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+</head>
+<body>
+<p>Hi <span th:text="${name}">John Doe</span>,</p>
+<p>Your access tokens have been revoked.</p>
+<p>
+    Regards, <br />
+    <em>The Open VSX Team</em>
+</p>
+</body>
+</html>

website/dev/mock-service.ts

@@ -191,4 +191,8 @@ export class MockAdminService implements AdminService {
     changeNamespace(abortController: AbortController, req: {oldNamespace: string, newNamespace: string, removeOldNamespace: boolean, mergeIfNewNamespaceAlreadyExists: boolean}): Promise<Readonly<SuccessResult | ErrorResult>> {
         return Promise.resolve({ success: 'ok' });
     }
+
+    revokeAccessTokens(abortController: AbortController, provider: string, login: string): Promise<Readonly<SuccessResult | ErrorResult>> {
+        return Promise.resolve({ success: 'ok' });
+    }
 }