Merge branch 'develop' of https://github.com/dnnsoftware/Dnn.Platform into async-mvc-actions

Author: dimarobert

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -72,7 +72,7 @@ body:
       **NOTE:** _If your version is not listed, please upgrade to the latest version. If you cannot upgrade at this time, please open a [Discussion](https://github.com/dnnsoftware/Dnn.Platform/discussions) instead._
     multiple: true
     options:
-    - 10.3.0 (latest release)
+    - 10.3.1 (latest release)
     - develop build (unreleased)
   validations:
     required: true

.github/dependabot.yml

@@ -6,15 +6,19 @@ updates:
       interval: "daily"
     labels:
       - "Type: Build/Release"
-      - "Type: Maintenance"
+      - "Type: Maintenance"
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
       interval: "monthly"
     labels:
       - "javascript"
-      - "Type: Maintenance"
+      - "Type: Maintenance"
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "dotnet-sdk"
     directory: "/"
@@ -23,7 +27,9 @@ updates:
       day: "wednesday"
     labels:
       - ".NET"
-      - "Type: Maintenance"
+      - "Type: Maintenance"
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "nuget"
     directory: "/"
@@ -65,3 +71,5 @@ updates:
       CodeAnalysis:
         patterns:
           - "Microsoft.CodeAnalysis.*"
+    cooldown:
+      default-days: 7

.github/workflows/browserslist-update-db.yml

@@ -4,20 +4,25 @@ on:
   schedule:
     - cron: "0 2 1,15 * *"
 
-permissions:
-  contents: "read"
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
 
 jobs:
   update-browserslist-database:
+    name: "Update Browserslist database"
     runs-on: "ubuntu-latest"
     permissions:
-      contents: "write"
-      pull-requests: "write"
+      contents: "write" # creates a commmit for the pull request
+      pull-requests: "write" # creates a pull request if there's an update
     steps:
       - name: "Checkout repository"
         uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: "Configure git"
         run: |
           # Setup for commiting using built-in token. See https://github.com/actions/checkout#push-a-commit-using-the-built-in-token

.github/workflows/ci.yml

@@ -1,4 +1,4 @@
-name: "Build and Validate"
+name: "Build and Validate"
 
 env:
   CAKE_TARGET: "BuildAll"
@@ -7,11 +7,10 @@ env:
   RUN_TESTS: "true"
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
-permissions:
-  contents: "read"
+permissions: {}
 
 on:
   push:
@@ -131,7 +130,7 @@ jobs:
 
       - name: "Publish Artifacts"
         id: "publish-artifacts-step"
-        uses: "actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f" # v7.0.0
+        uses: "actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a" # v7.0.1
         if: ${{ !cancelled() }}
         with:
           path: "Artifacts"

.github/workflows/dependency-review.yml

@@ -1,10 +1,19 @@
 name: "Dependency Review"
-on: ["pull_request"]
-permissions:
-  contents: "read"
+
+on: 
+  - pull_request
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
 jobs:
   dependency-review:
     runs-on: "ubuntu-latest"
+    permissions:
+      contents: "read"
     steps:
       - name: "Checkout Repository"
         uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2

.github/workflows/image-actions.yml

@@ -1,4 +1,5 @@
 name: "Compress images"
+
 on:
   pull_request: # PRs with image (but we can't push changes back to other forks)
     paths:
@@ -7,14 +8,22 @@ on:
       - "**.png"
       - "**.webp"
       - "**.avif"
+
   push:
     branches:
       - development # merging PRs from other forks (will open a new PR)
+
   workflow_dispatch: # on demand
+
   schedule:
     - cron: "0 0 * * 0" # every Sunday at midnight
-permissions:
-  contents: "read"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
 jobs:
   build:
     if: | # Only run on main repo on and PRs that match the main repo.
@@ -23,9 +32,13 @@ jobs:
        github.event.pull_request.head.repo.full_name == github.repository)
     name: "calibreapp/image-actions"
     runs-on: "ubuntu-latest"
+    permissions:
+      contents: "read"
     steps:
       - name: "Checkout Repo"
         uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: "Compress Images"
         id: "compress_images"
@@ -37,7 +50,7 @@ jobs:
       - name: "Create Pull Request"
         if: | # If it's not a Pull Request then commit any changes as a new PR.
           github.event_name != 'pull_request' && steps.compress_images.outputs.markdown != ''
-        uses: "peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0" # v8.1.0
+        uses: "peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1" # v8.1.1
         with:
           title: "Auto Compress Images"
           branch-suffix: "timestamp"

.github/workflows/ossf-scorecard.yml

@@ -9,21 +9,23 @@ on:
   schedule:
     - cron: "45 10 * * 0"
   push:
-    branches: ["develop"]
+    branches:
+    - develop
 
-# Declare default permissions as read only.
-permissions: "read-all"
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
 
 jobs:
   analysis:
     name: "Scorecard analysis"
     runs-on: "ubuntu-latest"
     if: ${{ github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request' }}
     permissions:
-      # Needed to upload the results to code-scanning dashboard.
-      security-events: "write"
-      # Needed to publish results and get a badge (see publish_results below).
-      id-token: "write"
+      security-events: "write" # Needed to upload the results to code-scanning dashboard.
+      id-token: "write" # Needed to publish results and get a badge (see publish_results below).
 
     steps:
       - name: "Checkout code"
@@ -47,7 +49,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: "actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f" # v7.0.0
+        uses: "actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a" # v7.0.1
         with:
           name: "SARIF file"
           path: "results.sarif"
@@ -56,6 +58,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: "github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13" # v4.35.1
+        uses: "github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225" # v4.35.2
         with:
           sarif_file: "results.sarif"

.github/workflows/zizmor.yml

@@ -0,0 +1,33 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches:
+      - master
+      - develop
+  pull_request:
+    branches:
+      - "**"
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  zizmor:
+    name: Run zizmor 🌈
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+      contents: read         # Only needed for private repos. Needed to clone the repo.
+      actions: read          # Only needed for private repos. Needed for upload-sarif to read workflow run info.
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3

.github/zizmor.yml

@@ -0,0 +1,5 @@
+rules:
+  secrets-outside-env:
+    config:
+      allow:
+        - SCORECARD_TOKEN

.yarnrc.yml

@@ -2,7 +2,7 @@ compressionLevel: mixed
 
 nodeLinker: node-modules
 
-npmMinimalAgeGate: 1440
+npmMinimalAgeGate: "1d"
 
 npmPreapprovedPackages:
   - "@dnncommunity/dnn-elements"