Merge remote-tracking branch 'origin/main' into cache-bust-dynamic-configuration_contribute-main

Author: ybnd

.github/dependabot.yml

@@ -96,6 +96,17 @@ updates:
       # Ignore all major version updates for all dependencies. We'll only automate minor/patch updates.
       - dependency-name: "*"
         update-types: ["version-update:semver-major"]
+  # Also automatically update all our GitHub actions on the main branch
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    # Monthly dependency updates
+    schedule:
+      interval: "monthly"
+      time: "05:00"
+    # Allow updates to be delayed for a configurable number of days to mitigate
+    # some classes of supply chain attacks
+    cooldown:
+      default-days: 7
   #####################
   ## dspace-9_x branch
   #####################
@@ -187,6 +198,18 @@ updates:
       # Ignore all major version updates for all dependencies. We'll only automate minor/patch updates.
       - dependency-name: "*"
         update-types: ["version-update:semver-major"]
+  # Also automatically update all our GitHub actions on the dspace-9_x branch
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    target-branch: dspace-9_x
+    # Monthly dependency updates
+    schedule:
+      interval: "monthly"
+      time: "05:00"
+    # Allow updates to be delayed for a configurable number of days to mitigate
+    # some classes of supply chain attacks
+    cooldown:
+      default-days: 7
   #####################
   ## dspace-8_x branch
   #####################
@@ -277,6 +300,18 @@ updates:
       # Ignore all major version updates for all dependencies. We'll only automate minor/patch updates.
       - dependency-name: "*"
         update-types: ["version-update:semver-major"]
+  # Also automatically update all our GitHub actions on the dspace-8_x branch
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    target-branch: dspace-8_x
+    # Monthly dependency updates
+    schedule:
+      interval: "monthly"
+      time: "05:00"
+    # Allow updates to be delayed for a configurable number of days to mitigate
+    # some classes of supply chain attacks
+    cooldown:
+      default-days: 7
   #####################
   ## dspace-7_x branch
   #####################
@@ -362,3 +397,15 @@ updates:
       # Ignore all major version updates for all dependencies. We'll only automate minor/patch updates.
       - dependency-name: "*"
         update-types: ["version-update:semver-major"]
+  # Also automatically update all our GitHub actions on the dspace-7_x branch
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    target-branch: dspace-7_x
+    # Monthly dependency updates
+    schedule:
+      interval: "monthly"
+      time: "05:00"
+    # Allow updates to be delayed for a configurable number of days to mitigate
+    # some classes of supply chain attacks
+    cooldown:
+      default-days: 7

.github/workflows/build.yml

@@ -24,6 +24,7 @@ jobs:
       # Spin up UI on 127.0.0.1 to avoid host resolution issues in e2e tests with Node 20+
       DSPACE_UI_HOST: 127.0.0.1
       DSPACE_UI_PORT: 4000
+      DSPACE_UI_BASEURL: http://127.0.0.1:4000
       # Ensure all SSR caching is disabled in test environment
       DSPACE_CACHE_SERVERSIDE_BOTCACHE_MAX: 0
       DSPACE_CACHE_SERVERSIDE_ANONYMOUSCACHE_MAX: 0
@@ -51,11 +52,11 @@ jobs:
     steps:
       # https://github.com/actions/checkout
       - name: Checkout codebase
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       # https://github.com/actions/setup-node
       - name: Install Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node-version }}
 
@@ -80,7 +81,7 @@ jobs:
         id: npm-cache-dir
         run: echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT
       - name: Cache NPM dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           # Cache entire NPM cache directory (see previous step)
           path: ${{ steps.npm-cache-dir.outputs.dir }}
@@ -113,7 +114,7 @@ jobs:
       # so that it can be shared with the 'codecov' job (see below)
       # NOTE: Angular CLI only supports code coverage for specs. See https://github.com/angular/angular-cli/issues/6286
       - name: Upload code coverage report to Artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         if: matrix.node-version == '20.x'
         with:
           name: coverage-report-${{ matrix.node-version }}
@@ -155,7 +156,7 @@ jobs:
       # Cypress always creates a video of all e2e tests (whether they succeeded or failed)
       # Save those in an Artifact
       - name: Upload e2e test videos to Artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         if: always()
         with:
           name: e2e-test-videos-${{ matrix.node-version }}
@@ -164,7 +165,7 @@ jobs:
       # If e2e tests fail, Cypress creates a screenshot of what happened
       # Save those in an Artifact
       - name: Upload e2e test failure screenshots to Artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         if: failure()
         with:
           name: e2e-test-screenshots-${{ matrix.node-version }}
@@ -316,19 +317,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       # Download artifacts from previous 'tests' job
       - name: Download coverage artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
 
       # Now attempt upload to Codecov using its action.
       # NOTE: We use a retry action to retry the Codecov upload if it fails the first time.
       #
       # Retry action: https://github.com/marketplace/actions/retry-action
       # Codecov action: https://github.com/codecov/codecov-action
       - name: Upload coverage to Codecov.io
-        uses: Wandalen/wretry.action@v1.3.0
+        uses: Wandalen/wretry.action@v3.8.0
         with:
           action: codecov/codecov-action@v4
           # Ensure codecov-action throws an error when it fails to upload

.github/workflows/codescan.yml

@@ -35,19 +35,19 @@ jobs:
     steps:
       # https://github.com/actions/checkout
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       # Initializes the CodeQL tools for scanning.
       # https://github.com/github/codeql-action
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: javascript
 
       # Autobuild attempts to build any compiled languages
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@v4
 
       # Perform GitHub Code Scanning.
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4

.github/workflows/docker.yml

@@ -74,13 +74,15 @@ jobs:
       DSPACE_REST_HOST: 127.0.0.1
       # Override default dspace.ui.url to also use 127.0.0.1.
       dspace__P__ui__P__url: http://127.0.0.1:4000
+      # Override default ui.baseUrl to also use 127.0.0.1. This must match 'dspace.ui.url' for SSR to be enabled.
+      DSPACE_UI_BASEURL: http://127.0.0.1:4000
     steps:
       # Checkout our codebase (to get access to Docker Compose scripts)
       - name: Checkout codebase
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       # Download Docker image artifacts (which were just built by reusable-docker-build.yml)
       - name: Download Docker image artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         with:
           # Download all amd64 Docker images (TAR files) into the /tmp/docker directory
           pattern: docker-image-*-linux-amd64

.github/workflows/issue_opened.yml

@@ -16,7 +16,7 @@ jobs:
       # Only add to project board if issue is flagged as "needs triage" or has no labels
       # NOTE: By default we flag new issues as "needs triage" in our issue template
       if: (contains(github.event.issue.labels.*.name, 'needs triage') || join(github.event.issue.labels.*.name) == '')
-      uses: actions/add-to-project@v1.0.0
+      uses: actions/add-to-project@v1.0.2
       # Note, the authentication token below is an ORG level Secret. 
       # It must be created/recreated manually via a personal access token with admin:org, project, public_repo permissions
       # See: https://docs.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token

.github/workflows/port_merged_pull_request.yml

@@ -23,7 +23,7 @@ jobs:
     if: github.event.pull_request.merged
     steps:
       # Checkout code
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       # Port PR to other branch (ONLY if labeled with "port to")
       # See https://github.com/korthout/backport-action
       - name: Create backport pull requests

.github/workflows/pull_request_opened.yml

@@ -21,4 +21,4 @@ jobs:
     # Assign the PR to whomever created it. This is useful for visualizing assignments on project boards
     # See https://github.com/toshimaru/auto-author-assign
     - name: Assign PR to creator
-      uses: toshimaru/auto-author-assign@v2.1.0
+      uses: toshimaru/auto-author-assign@v3.0.1

config/config.example.yml

@@ -8,6 +8,9 @@ ui:
   ssl: false
   host: localhost
   port: 4000
+  # Specify the public URL that this user interface responds to. This corresponds to the "dspace.ui.url" property in your backend's local.cfg.
+  # SSR is only enabled when the client's "Host" HTTP header matches this baseUrl. The baseUrl is also used for redirects and SEO links (in robots.txt).
+  baseUrl: http://localhost:4000
   # NOTE: Space is capitalized because 'namespace' is a reserved string in TypeScript
   nameSpace: /
   # The rateLimiter settings limit each IP to a 'limit' of 500 requests per 'windowMs' (1 minute).
@@ -240,7 +243,12 @@ submission:
         - value: default
           style: text-muted
           icon: fa-circle-xmark
-
+      # Icons to be displayed next to an authority controlled value, to give indication of the source.
+      sourceIcons:
+        # Example of configuration for authority logo based on sources.
+        # The configured icon will be displayed next to the authority value in submission and on item page or search results.
+        - source: orcid
+        - path: assets/images/orcid.logo.icon.svg
 #  Fallback language in which the UI will be rendered if the user's browser language is not an active language
 fallbackLanguage: en
 
@@ -400,6 +408,30 @@ item:
     pageSize: 5
     # Show the bitstream access status label on the item page
     showAccessStatuses: false
+  # Configuration of metadata to be displayed in the item metadata link view popover
+  metadataLinkViewPopoverData:
+    # Metdadata list to be displayed for entities without a specific configuration
+    fallbackMetdataList:
+      - dc.description.abstract
+      - dc.description.note
+    # Configuration for each entity type
+    entityDataConfig:
+      - entityType: Person
+        # Descriptive metadata (popover body)
+        metadataList:
+          - person.affiliation.name
+          - person.email
+        # Title metadata (popover header)
+        titleMetadataList:
+          - person.givenName
+          - person.familyName
+    # Configuration for identifier subtypes, based on metadata like dc.identifier.ror where ror is the subtype.
+    # This is used to map the layout of the identifier in the popover and the icon displayed next to the metadata value.
+    identifierSubtypes:
+      - name: ror
+        icon: assets/images/ror.logo.icon.svg
+        iconPosition: IdentifierSubtypesIconPositionEnum.LEFT
+        link: https://ror.org
 
 # Community Page Config
 community:
@@ -649,3 +681,62 @@ geospatialMapViewer:
 accessibility:
   # The duration in days after which the accessibility settings cookie expires
   cookieExpirationDuration: 7
+
+# Configuration for layout customization of metadata rendering in Item page
+# Currently only the authority reference config is available, more will follow with the integration of the so called CRIS layout.
+layout:
+  # Configuration of icons and styles to be used for each authority controlled link
+  authorityRef:
+    - entityType: DEFAULT
+      entityStyle:
+        default:
+          icon: fa fa-user
+          style: text-info
+    - entityType: PERSON
+      entityStyle:
+        person:
+          icon: fa fa-user
+          style: text-success
+        default:
+          icon: fa fa-user
+          style: text-info
+    - entityType: ORGUNIT
+      entityStyle:
+        default:
+          icon: fa fa-university
+          style: text-success
+    - entityType: PROJECT
+      entityStyle:
+        default:
+          icon: fas fa-project-diagram
+          style: text-success
+
+# Configuration for customization of search results
+searchResults:
+  # Metadata fields to be displayed in the search results under the standard ones
+  additionalMetadataFields:
+    - dc.contributor.author
+    - dc.date.issued
+    - dc.type
+  # Metadata fields to be displayed in the search results for the author section
+  authorMetadata:
+    - dc.contributor.author
+    - dc.creator
+    - dc.contributor.*
+  # When the search results are retrieved, for each item type the metadata with a valid authority value are inspected.
+  # Referenced items will be fetched with a find all by id strategy to avoid individual rest requests
+  # to efficiently display the search results.
+  followAuthorityMetadata:
+    - type: Publication
+      metadata: dc.contributor.author
+    - type: Product
+      metadata: dc.contributor.author
+
+  # The maximum number of item to process when following authority metadata values.
+  followAuthorityMaxItemLimit: 100
+
+  # The maximum number of metadata values to process for each metadata key
+  # when following authority metadata values.
+  followAuthorityMetadataValuesLimit: 5
+
+

cypress/e2e/limit-public-config.cy.ts

@@ -0,0 +1,16 @@
+describe('Limit public config properties', () => {
+  it('Should not include cache.serverSide properties in the html source code',
+    () => {
+      cy.request('/').its('body').then((text: string) => {
+        expect(text).to.not.contain('"serverSide":');
+      });
+    },
+  );
+  it('Should not include cache.serverSide properties in the config.json',
+    () => {
+      cy.request('/assets/config.json').its('body').then((obj: any) => {
+        expect(obj.cache).to.not.haveOwnProperty('serverSide');
+      });
+    },
+  );
+});

docker/cli.assetstore.yml

@@ -16,7 +16,7 @@ services:
   dspace-cli:
     environment:
       # This assetstore zip is available from https://github.com/DSpace-Labs/AIP-Files/releases/tag/demo-entities-data
-      - LOADASSETS=https://github.com/DSpace-Labs/AIP-Files/releases/download/demo-entities-data/assetstore.tar.gz
+      - LOADASSETS=${LOADASSETS:-https://github.com/DSpace-Labs/AIP-Files/releases/download/demo-entities-data/assetstore.tar.gz}
     entrypoint:
       - /bin/bash
       - '-c'