Skip to content

Commit 344c815

Browse files
authored
Merge pull request #25 from KelvinTegelaar/main
[pull] main from KelvinTegelaar:main
2 parents bbee991 + 6138cf5 commit 344c815

145 files changed

Lines changed: 12694 additions & 3956 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/workflows/CodeQL_Analyser.yml

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,10 @@
1-
---
1+
# OPTIONAL UPGRADE to the existing CodeQL_Analyser.yml (already deployed in CIPP).
2+
# Changes vs. current: adds push trigger on main/dev, security-extended query suite,
3+
# and javascript-typescript language alias.
24
name: "CodeQL"
35
on:
6+
push:
7+
branches: [main, dev]
48
pull_request:
59
branches: [master, main, dev, react]
610
schedule:
@@ -17,14 +21,15 @@ jobs:
1721
strategy:
1822
fail-fast: false
1923
matrix:
20-
language: ["javascript"]
24+
language: ["javascript-typescript"]
2125
steps:
2226
- name: Checkout Repository
2327
uses: actions/checkout@v6
2428
- name: Initialize CodeQL
2529
uses: github/codeql-action/init@v4
2630
with:
2731
languages: ${{ matrix.language }}
32+
queries: security-extended
2833
- name: Autobuild
2934
uses: github/codeql-action/autobuild@v4
3035
- name: Perform CodeQL Analysis
Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
name: Conventional Commits Check
2+
3+
on:
4+
# Using pull_request_target instead of pull_request for secure handling of fork PRs
5+
pull_request_target:
6+
# Re-run on title edits so a corrected title clears the check
7+
types: [opened, synchronize, reopened, edited]
8+
# Only check PRs targeting the dev branch
9+
branches:
10+
- dev
11+
12+
permissions:
13+
pull-requests: write
14+
issues: write
15+
16+
jobs:
17+
conventional-commits:
18+
name: Validate Conventional Commits
19+
runs-on: ubuntu-slim
20+
steps:
21+
- name: Validate PR title
22+
uses: actions/github-script@v9
23+
with:
24+
github-token: ${{ secrets.GITHUB_TOKEN }}
25+
script: |
26+
const title = context.payload.pull_request.title || '';
27+
const pattern = /^(feat|fix|docs|style|refactor|perf|test|chore|ci|build|revert)(\(.+\))?!?: .+/;
28+
29+
if (pattern.test(title)) {
30+
console.log(`✓ PR title follows Conventional Commits format: "${title}"`);
31+
return;
32+
}
33+
34+
console.log(`❌ PR title does not follow Conventional Commits format: "${title}"`);
35+
36+
const message = [
37+
'❌ **This PR title does not follow the [Conventional Commits](https://www.conventionalcommits.org/) format.**',
38+
'',
39+
'Expected format: `type(scope)?: description`',
40+
'',
41+
'Allowed types: `feat`, `fix`, `docs`, `style`, `refactor`, `perf`, `test`, `chore`, `ci`, `build`, `revert`',
42+
'',
43+
'Examples:',
44+
'- `feat: add tenant filter to the user table`',
45+
'- `fix(auth): handle expired refresh tokens`',
46+
'- `docs: update self-hosting guide`',
47+
'',
48+
`Received: \`${title}\``,
49+
'',
50+
'🔒 This PR has been automatically closed. Please update the title to match the format above and reopen the PR.'
51+
].join('\n');
52+
53+
await github.rest.issues.createComment({
54+
...context.repo,
55+
issue_number: context.issue.number,
56+
body: message
57+
});
58+
59+
await github.rest.pulls.update({
60+
...context.repo,
61+
pull_number: context.issue.number,
62+
state: 'closed'
63+
});
64+
65+
core.setFailed(`PR title does not follow Conventional Commits format: "${title}"`);

.github/workflows/cipp_dev_build.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -54,7 +54,7 @@ jobs:
5454
5555
# Upload to Azure Blob Storage
5656
- name: Azure Blob Upload
57-
uses: LanceMcCarthy/Action-AzureBlobUpload@v3.12.0
57+
uses: LanceMcCarthy/Action-AzureBlobUpload@v3.15.0
5858
with:
5959
connection_string: ${{ secrets.AZURE_CONNECTION_STRING }}
6060
container_name: cipp

.github/workflows/cipp_frontend_build.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -54,7 +54,7 @@ jobs:
5454
5555
# Upload to Azure Blob Storage
5656
- name: Azure Blob Upload
57-
uses: LanceMcCarthy/Action-AzureBlobUpload@v3.12.0
57+
uses: LanceMcCarthy/Action-AzureBlobUpload@v3.15.0
5858
with:
5959
connection_string: ${{ secrets.AZURE_CONNECTION_STRING }}
6060
container_name: cipp
Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
# SCA: Fails PRs that introduce dependencies with known vulnerabilities
2+
# ISO 27001:2022 A.8.28/8.29 evidence — Software Composition Analysis at merge time
3+
name: Dependency Review
4+
on:
5+
pull_request:
6+
branches: [main, dev]
7+
8+
permissions:
9+
contents: read
10+
pull-requests: write
11+
12+
jobs:
13+
dependency-review:
14+
if: github.repository_owner == 'KelvinTegelaar'
15+
runs-on: ubuntu-latest
16+
steps:
17+
- name: Checkout repository
18+
uses: actions/checkout@v6
19+
20+
- name: Dependency review
21+
uses: actions/dependency-review-action@v5
22+
with:
23+
# Block merge on known vulnerabilities of moderate severity or higher
24+
fail-on-severity: moderate
25+
# Surface results as a PR comment for contributor visibility
26+
comment-summary-in-pr: on-failure
27+
# Optional: block copyleft-incompatible licenses (adjust for AGPL-3.0 project policy)
28+
# deny-licenses: GPL-1.0-only

.github/workflows/zap-scan.yml

Lines changed: 55 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,55 @@
1+
# DAST: OWASP ZAP scans against the CIPP staging deployment
2+
# ISO 27001:2022 A.8.29 evidence — Dynamic Application Security Testing
3+
#
4+
# Prerequisites:
5+
# - Repo variable STAGING_URL pointing at a staging deployment (test-tenant data only, never production)
6+
# - Optional: .zap/rules.tsv to suppress documented false positives (annotate each with justification)
7+
name: DAST - OWASP ZAP Scan
8+
on:
9+
schedule:
10+
- cron: "0 4 * * 1" # Weekly, Monday 04:00 UTC
11+
workflow_dispatch: # Run on demand before each versioned release
12+
inputs:
13+
full_scan:
14+
description: "Run full (active) scan instead of baseline"
15+
type: boolean
16+
default: false
17+
18+
permissions:
19+
contents: read
20+
issues: write # ZAP action files findings as GitHub issues
21+
22+
jobs:
23+
zap_baseline:
24+
if: github.repository_owner == 'KelvinTegelaar' && (github.event_name == 'schedule' || !inputs.full_scan)
25+
name: ZAP Baseline Scan (passive)
26+
runs-on: ubuntu-latest
27+
steps:
28+
- name: Checkout (for .zap rules file)
29+
uses: actions/checkout@v6
30+
31+
- name: ZAP baseline scan
32+
uses: zaproxy/action-baseline@v0.15.0
33+
with:
34+
target: ${{ vars.STAGING_URL }}
35+
rules_file_name: ".zap/rules.tsv"
36+
allow_issue_writing: true
37+
issue_title: "ZAP baseline scan findings"
38+
artifact_name: zap-baseline-report
39+
40+
zap_full:
41+
if: github.repository_owner == 'KelvinTegelaar' && github.event_name == 'workflow_dispatch' && inputs.full_scan
42+
name: ZAP Full Scan (active, pre-release)
43+
runs-on: ubuntu-latest
44+
steps:
45+
- name: Checkout (for .zap rules file)
46+
uses: actions/checkout@v6
47+
48+
- name: ZAP full scan
49+
uses: zaproxy/action-full-scan@v0.13.0
50+
with:
51+
target: ${{ vars.STAGING_URL }}
52+
rules_file_name: ".zap/rules.tsv"
53+
allow_issue_writing: true
54+
issue_title: "ZAP full scan findings (pre-release)"
55+
artifact_name: zap-full-report

package.json

Lines changed: 13 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
{
22
"name": "cipp",
3-
"version": "10.5.5",
3+
"version": "10.6.0",
44
"author": "CIPP Contributors",
55
"homepage": "https://cipp.app/",
66
"bugs": {
@@ -42,20 +42,20 @@
4242
"@react-pdf/renderer": "^4.5.1",
4343
"@reduxjs/toolkit": "^2.12.0",
4444
"@tanstack/query-sync-storage-persister": "^5.90.25",
45-
"@tanstack/react-query": "^5.100.10",
46-
"@tanstack/react-query-devtools": "^5.100.10",
47-
"@tanstack/react-query-persist-client": "^5.96.2",
45+
"@tanstack/react-query": "^5.101.2",
46+
"@tanstack/react-query-devtools": "^5.101.2",
47+
"@tanstack/react-query-persist-client": "^5.101.2",
4848
"@tanstack/react-table": "^8.19.2",
4949
"@tiptap/core": "^3.22.3",
5050
"@tiptap/extension-heading": "^3.22.3",
5151
"@tiptap/extension-table": "^3.20.5",
52-
"@tiptap/pm": "^3.22.3",
52+
"@tiptap/pm": "^3.27.3",
5353
"@tiptap/react": "^3.20.5",
5454
"@tiptap/starter-kit": "^3.20.5",
5555
"@vvo/tzdb": "^6.198.0",
56-
"apexcharts": "5.14.0",
56+
"apexcharts": "5.16.0",
5757
"axios": "1.16.1",
58-
"date-fns": "4.1.0",
58+
"date-fns": "4.4.0",
5959
"diff": "^8.0.3",
6060
"dompurify": "^3.4.9",
6161
"driver.js": "^1.4.0",
@@ -65,25 +65,25 @@
6565
"gray-matter": "4.0.3",
6666
"javascript-time-ago": "^2.6.2",
6767
"jspdf": "^4.2.0",
68-
"jspdf-autotable": "^5.0.7",
68+
"jspdf-autotable": "^5.0.8",
6969
"leaflet": "^1.9.4",
7070
"leaflet.markercluster": "^1.5.3",
7171
"lodash": "^4.18.1",
7272
"lodash.isequal": "4.5.0",
7373
"material-react-table": "^3.0.1",
7474
"monaco-editor": "^0.55.1",
7575
"mui-tiptap": "^1.31.0",
76-
"next": "^16.2.2",
76+
"next": "^16.2.10",
7777
"nprogress": "0.2.0",
7878
"numeral": "2.0.6",
7979
"prop-types": "15.8.1",
8080
"punycode": "^2.3.1",
8181
"react": "19.2.6",
82-
"react-apexcharts": "2.1.0",
82+
"react-apexcharts": "2.1.1",
8383
"react-beautiful-dnd": "13.1.1",
8484
"react-dom": "19.2.6",
8585
"react-dropzone": "15.0.0",
86-
"react-error-boundary": "^6.1.1",
86+
"react-error-boundary": "^6.1.2",
8787
"react-hook-form": "^7.76.1",
8888
"react-hot-toast": "2.6.0",
8989
"react-html-parser": "^2.0.2",
@@ -93,7 +93,7 @@
9393
"react-media-hook": "^0.5.0",
9494
"react-papaparse": "^4.4.0",
9595
"react-quill": "^2.0.0",
96-
"react-redux": "9.2.0",
96+
"react-redux": "9.3.0",
9797
"react-syntax-highlighter": "^16.1.0",
9898
"react-time-ago": "^7.3.3",
9999
"react-virtuoso": "^4.18.7",
@@ -112,7 +112,7 @@
112112
"devDependencies": {
113113
"@svgr/webpack": "8.1.0",
114114
"eslint": "^9.39.4",
115-
"eslint-config-next": "^16.2.3",
115+
"eslint-config-next": "^16.2.10",
116116
"eslint-config-prettier": "^10.1.8",
117117
"prettier": "^3.8.1"
118118
}

public/version.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,3 @@
11
{
2-
"version": "10.5.5"
2+
"version": "10.6.0"
33
}

0 commit comments

Comments
 (0)