Merge branch 'master' into analytics-consent

sillsdev · Dec 18, 2024 · 4f8f7c2 · 4f8f7c2
2 parents 17b5582 + 5251099
commit 4f8f7c2
Show file tree

Hide file tree

Showing 80 changed files with 788 additions and 416 deletions.
diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
@@ -35,15 +35,14 @@ jobs:
             github.com:443
             md-hdd-t032zjxllntc.z26.blob.storage.azure.net:443
             objects.githubusercontent.com:443
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Setup dotnet
         uses: actions/setup-dotnet@6bd8b7f7774af54e05809fcc5431931b3eb1ddee # v4.0.1
         with:
           dotnet-version: ${{ matrix.dotnet }}
       - name: Install ffmpeg
         uses: FedericoCarboni/setup-ffmpeg@36c6454b5a2348e7794ba2d82a21506605921e3d # v3
-
-      # Coverage.
       - name: Run coverage tests
         run: dotnet test Backend.Tests/Backend.Tests.csproj
         shell: bash
@@ -54,19 +53,16 @@ jobs:
           name: coverage
           path: Backend.Tests/coverage.cobertura.xml
           retention-days: 7
-
-      # Development build.
-      - run: dotnet build BackendFramework.sln
-
-      # Release build.
-      - run: dotnet publish BackendFramework.sln
-
-      # Fmt.
-      - run: dotnet format --verify-no-changes
+      - name: Development build
+        run: dotnet build BackendFramework.sln
+      - name: Release build
+        run: dotnet publish BackendFramework.sln
+      - name: Format check
+        run: dotnet format --verify-no-changes
 
   upload_coverage:
     needs: test_build
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
@@ -77,12 +73,10 @@ jobs:
           egress-policy: block
           allowed-endpoints: >
             api.github.com:443
-            api.codecov.io:443
             cli.codecov.io:443
-            codecov.io:443
             github.com:443
+            ingest.codecov.io:443
             storage.googleapis.com:443
-            uploader.codecov.io:443
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Download coverage artifact
@@ -146,8 +140,8 @@ jobs:
         uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
 
   docker_build:
+    if: ${{ github.event.type }} == "PullRequest"
     runs-on: ubuntu-22.04
-    #    if: ${{ github.event.type }} == "PullRequest"
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
@@ -170,7 +164,8 @@ jobs:
             ts-crl.ws.symantec.com:80
       # For subfolders, currently a full checkout is required.
       # See: https://github.com/marketplace/actions/build-and-push-docker-images#path-context
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
       - name: Build backend

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -13,10 +13,10 @@ name: "CodeQL"
 
 on:
   push:
-    branches: ["master"]
+    branches: [master]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: ["master"]
+    branches: [master]
   schedule:
     - cron: "21 8 * * 3"
 
@@ -26,7 +26,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     permissions:
       actions: read
       contents: read

diff --git a/.github/workflows/combine_deploy_image.yml b/.github/workflows/combine_deploy_image.yml
@@ -11,7 +11,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
@@ -22,10 +22,10 @@ jobs:
           egress-policy: block
           allowed-endpoints: >
             api.ecr-public.us-east-1.amazonaws.com:443
-            api.github.com:443
             archive.ubuntu.com:80
             auth.docker.io:443
             cdn.dl.k8s.io:443
+            deb.debian.org:80
             dl.k8s.io:443
             files.pythonhosted.org:443
             get.helm.sh:443
@@ -40,7 +40,7 @@ jobs:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
@@ -54,7 +54,7 @@ jobs:
           username: ${{ secrets.AWS_ACCESS_KEY_ID }}
           password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
       - name: Build combine_deploy
-        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+        uses: docker/build-push-action@v6.10.0
         with:
           context: "{{defaultContext}}:deploy"
           push: true

diff --git a/.github/workflows/commit_message_check.yml b/.github/workflows/commit_message_check.yml
@@ -10,4 +10,4 @@ permissions: # added using https://github.com/step-security/secure-workflows
 
 jobs:
   commit-message-lint:
-    uses: sillsdev/FieldWorks/.github/workflows/CommitMessage.yml@ba50e637df9593a2a972b29bf670226e89c0a21b
+    uses: sillsdev/FieldWorks/.github/workflows/CommitMessage.yml@22859ef68af99ffbd016eca4e503278db8007913
diff --git a/.github/workflows/database.yml b/.github/workflows/database.yml
@@ -10,7 +10,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 jobs:
   docker_build:
     if: ${{ github.event.type }} == "PullRequest"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
@@ -26,7 +26,8 @@ jobs:
             registry-1.docker.io:443
       # For subfolders, currently a full checkout is required.
       # See: https://github.com/marketplace/actions/build-and-push-docker-images#path-context
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
       - name: Build database image

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -14,7 +14,7 @@ permissions:
 
 jobs:
   dependency-review:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
@@ -24,4 +24,4 @@ jobs:
       - name: "Checkout Repository"
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: "Dependency Review"
-        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
diff --git a/.github/workflows/deploy_qa.yml b/.github/workflows/deploy_qa.yml
@@ -13,7 +13,7 @@ jobs:
       matrix:
         component: [frontend, backend, maintenance, database]
 
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     outputs:
       image_tag: ${{ steps.build_combine.outputs.image_tag }}
     steps:
@@ -26,6 +26,7 @@ jobs:
           egress-policy: block
           allowed-endpoints: >
             *.actions.githubusercontent.com:443
+            *.cloudfront.net:443
             *.data.mcr.microsoft.com:443
             ${{ secrets.AWS_ACCOUNT }}.dkr.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com
             api.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com:443
@@ -42,6 +43,7 @@ jobs:
             github.com:443
             mcr.microsoft.com:443
             production.cloudflare.docker.com:443
+            public.ecr.aws:443
             pypi.org:443
             registry-1.docker.io:443
             registry.npmjs.org:443
@@ -64,7 +66,7 @@ jobs:
           build_component: ${{ matrix.component }}
   clean_ecr_repo:
     needs: build
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.

diff --git a/.github/workflows/deploy_release.yml b/.github/workflows/deploy_release.yml
@@ -13,7 +13,7 @@ jobs:
     strategy:
       matrix:
         component: [frontend, backend, maintenance, database]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     outputs:
       image_tag: ${{ steps.build_combine.outputs.image_tag }}
     steps:
@@ -25,6 +25,7 @@ jobs:
           egress-policy: block
           allowed-endpoints: >
             *.actions.githubusercontent.com:443
+            *.cloudfront.net:443
             *.data.mcr.microsoft.com:443
             api.ecr-public.us-east-1.amazonaws.com:443
             api.github.com:443

diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
@@ -11,7 +11,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 
 jobs:
   lint_build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     strategy:
       matrix:
         node-version: [20]
@@ -31,7 +31,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           node-version: ${{ matrix.node-version }}
       - run: npm ci
@@ -40,7 +40,7 @@ jobs:
       - run: npm run build
 
   test_coverage:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     strategy:
       matrix:
         node-version: [20]
@@ -60,11 +60,12 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           node-version: ${{ matrix.node-version }}
       - run: npm ci
-      - run: npm run test-frontend:coverage
+      - name: Run tests and generate coverage
+        run: npm run test-frontend:coverage
         env:
           CI: true
       - name: Upload coverage artifact
@@ -77,7 +78,7 @@ jobs:
 
   upload_coverage:
     needs: test_coverage
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
@@ -88,12 +89,10 @@ jobs:
           egress-policy: block
           allowed-endpoints: >
             api.github.com:443
-            api.codecov.io:443
             cli.codecov.io:443
-            codecov.io:443
             github.com:443
+            ingest.codecov.io:443
             storage.googleapis.com:443
-            uploader.codecov.io:443
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Download coverage artifact
@@ -110,8 +109,8 @@ jobs:
           name: Frontend
 
   docker_build:
-    runs-on: ubuntu-latest
     if: ${{ github.event.type }} == "PullRequest"
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
@@ -128,7 +127,8 @@ jobs:
             pypi.org:443
             registry-1.docker.io:443
             registry.npmjs.org:443
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
       - name: Build frontend

diff --git a/.github/workflows/maintenance.yml b/.github/workflows/maintenance.yml
@@ -10,7 +10,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 jobs:
   docker_build:
     if: ${{ github.event.type }} == "PullRequest"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
@@ -20,17 +20,20 @@ jobs:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
+            *.cloudfront.net:443
             archive.ubuntu.com:80
             auth.docker.io:443
             files.pythonhosted.org:443
             github.com:443
             production.cloudflare.docker.com:443
+            public.ecr.aws:443
             pypi.org:443
             registry-1.docker.io:443
             security.ubuntu.com:80
       # For subfolders, currently a full checkout is required.
       # See: https://github.com/marketplace/actions/build-and-push-docker-images#path-context
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
       - name: Build maintenance image

diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
@@ -12,7 +12,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 
 jobs:
   deploy:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
@@ -26,7 +26,7 @@ jobs:
             github.com:443
             pypi.org:443
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: 3.12
       - name: Install dependencies

diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
@@ -11,7 +11,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 
 jobs:
   tox:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     strategy:
       matrix:
         python-version: ["3.12"]
@@ -30,7 +30,7 @@ jobs:
             pypi.org:443
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -21,7 +21,7 @@ permissions: read-all
 jobs:
   analysis:
     name: Scorecards analysis
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     permissions:
       # Needed to upload the results to code-scanning dashboard.
       security-events: write