merge master into prod in preparation of release v2.0.0

.github/workflows/build-and-deploy-dev.yml

@@ -0,0 +1,49 @@
+# This workflow will build a docker image, push it to ghcr.io, and deploy it to an Azure WebApp.
+name: Build and Deploy -- DEV
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [master]
+
+jobs:
+  upload-package-lock-json:
+    name: Upload package-lock.json from this repo
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4.1.1
+
+      - name: Upload package-lock.json
+        uses: actions/upload-artifact@v4
+        with:
+          name: package-lock.json
+          path: package-lock.json
+
+  make-react-secret-available:
+    name: Make REACT_APP_GA_TRACKINGID_DEV secret available in env
+    runs-on: ubuntu-latest
+    outputs:
+      trackingid: "${{ env.REACT_APP_GA_TRACKINGID }}"
+    steps:
+      - name: Make secret available
+        run: |
+          echo "REACT_APP_GA_TRACKINGID=$REACT_APP_GA_TRACKINGID_DEV" >> $GITHUB_ENV
+
+  build-and-deploy:
+    name: Build and Deploy
+    needs: [upload-package-lock-json, make-react-secret-available]
+    uses: clearlydefined/operations/.github/workflows/app-build-and-deploy.yml@v3.1.2
+    secrets: 
+      AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+      AZURE_WEBAPP_PUBLISH_PROFILE: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_DEV }}
+      DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
+      PRODUCTION_DEPLOYERS: ${{ secrets.PRODUCTION_DEPLOYERS }}
+    with:
+      deploy-env: dev
+      application-type: ui
+      azure-app-base-name: clearlydefined
+      azure-app-name-postfix: -dev
+      docker-build-args: |
+        REACT_APP_SERVER=https://dev-api.clearlydefined.io
+        REACT_APP_GA_TRACKINGID=${{ needs.make-react-secret-available.outputs.trackingid }}

.github/workflows/build-and-deploy-prod.yml

@@ -0,0 +1,23 @@
+# This workflow will build a docker image, push it to ghcr.io, and deploy it to an Azure WebApp.
+name: Build and Deploy -- PROD
+
+on:
+  workflow_dispatch:
+  release:
+    types: [published]
+
+jobs:
+  build-and-deploy-prod:
+    uses: clearlydefined/operations/.github/workflows/app-build-and-deploy.yml@v1.1.0
+    secrets: 
+      AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+      AZURE_WEBAPP_PUBLISH_PROFILE: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD }}
+      AZURE_SECONDARY_WEBAPP_PUBLISH_PROFILE: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU }}
+      DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
+      PRODUCTION_DEPLOYERS: ${{ secrets.PRODUCTION_DEPLOYERS }}
+    with:
+      deploy-env: prod
+      application-type: ui
+      azure-app-base-name: clearlydefined
+      azure-app-name-postfix: -prod
+      secondary-azure-app-name-postfix: -prod-europe

.github/workflows/test.yml

@@ -0,0 +1,42 @@
+name: Run Docker build and tests
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: Run tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 14
+          cache: 'npm'
+
+      - name: Update npm
+        run: npm install -g npm@9
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run tests
+        run: npm test
+
+  docker-build:
+    name: Build Docker image
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Docker build
+        run: docker build .

.nvmrc

@@ -1 +1 @@
-10.15.3
+14.21.3

DevDockerfile

@@ -1,11 +1,12 @@
 # Copyright (c) Microsoft Corporation and others. Licensed under the MIT license.
 # SPDX-License-Identifier: MIT
-FROM node:10-alpine as builder
+FROM node:14-alpine as builder
 COPY . /opt/website
 WORKDIR /opt/website
 ARG REACT_APP_SERVER=http://localhost:4000
 ARG REACT_APP_GA_TRACKINGID
 RUN apk add --no-cache git
+RUN npm install -g npm@9
 RUN npm install
 
 EXPOSE 3000

Dockerfile

@@ -1,15 +1,30 @@
 # Copyright (c) Microsoft Corporation and others. Licensed under the MIT license.
 # SPDX-License-Identifier: MIT
-FROM node:10-alpine as builder
+FROM node:14-alpine as builder
 COPY . /opt/website
 WORKDIR /opt/website
+
+# Set environment variables from build arguments
+ARG APP_VERSION="UNKNOWN"
+ENV APP_VERSION=$APP_VERSION
+ARG BUILD_SHA="UNKNOWN"
+ENV BUILD_SHA=$BUILD_SHA
+
 ARG REACT_APP_SERVER=http://localhost:4000
 ARG REACT_APP_GA_TRACKINGID
 RUN apk add --no-cache git
+RUN npm install -g npm@9
 RUN npm install
 RUN npm run build
 
-FROM nginx:alpine
-ADD nginx.conf /etc/nginx/conf.d/default.conf
+FROM nginx:1.19.6-alpine
+
+ARG APP_VERSION="UNKNOWN"
+ENV APP_VERSION=$APP_VERSION
+ARG BUILD_SHA="UNKNOWN"
+ENV BUILD_SHA=$BUILD_SHA
+
+RUN mkdir /etc/nginx/templates
+COPY default.conf.template /etc/nginx/templates
 COPY --from=builder /opt/website/build /usr/share/nginx/html
 EXPOSE 80

SECURITY.md

@@ -0,0 +1,71 @@
+# Vulnerability Disclosure and Embargo Policy
+
+The ClearlyDefined project welcomes the responsible disclosure of vulnerabilities, including those discovered in:
+
+- [ClearlyDefined website](https://github.com/clearlydefined/website/security/advisories/new)
+- [ClearlyDefined service](https://github.com/clearlydefined/service/security/advisories/new)
+- [ClearlyDefined crawler](https://github.com/clearlydefined/crawler/security/advisories/new)
+- [ClearlyDefined documentation](https://github.com/clearlydefined/clearlydefined/security/advisories/new)
+
+## Initial Contact
+
+All security bugs in ClearlyDefined should be reported to the security team.
+To do so, please reach out in the form of a
+[Github Security Advisory](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities).
+
+You will be invited to join this private area to discuss specifics. Doing so
+allows us to start with a high level of confidentiality and relax it if the
+issue is less critical, moving to work on the fix in the open.
+
+Your initial contact will be acknowledged within 48 hours, and you’ll receive
+a more detailed response within 96 hours indicating the next steps in handling
+your report.
+
+After the initial reply to your report, the security team will endeavor to
+keep you informed of the progress being made towards a fix and full
+announcement. As recommended by
+[RFPolicy](https://dl.packetstormsecurity.net/papers/general/rfpolicy-2.0.txt),
+these updates will be sent at least every five working days.
+
+## Disclosure Policy
+
+The ClearlyDefined project has a 5 step disclosure process.
+
+1. Contact is established, a private channel created, and the security report
+   is received and is assigned a primary handler. This person will coordinate
+   the fix and release process.
+2. The problem is confirmed and a list of all affected versions is determined.
+   If an embargo is needed (see below), details of the embargo are decided.
+3. Code is audited to find any potential similar problems.
+4. Fixes are prepared for all releases which are still under maintenance. In
+   case of embargo, these fixes are not committed to the public repository but
+   rather held in a private fork pending the announcement.
+5. The changes are pushed to the public repository and new builds are deployed.
+
+This process can take some time, especially when coordination is required
+with maintainers of other projects. Every effort will be made to handle the bug
+in as timely a manner as possible, however it is important that we follow the
+release process above to ensure that the disclosure is handled in a consistent
+manner.
+
+## Embargoes
+
+While the ClearlyDefined project aims to follow the highest standards of
+transparency and openness, handling some security issues may pose such an
+immediate threat to various stakeholders and require coordination between
+various actors that it cannot be made immediately public.
+
+In this case, security issues will fall under an embargo.
+
+An embargo can be called for in various cases:
+
+- when disclosing the issue without simultaneously providing a mitigation
+  would seriously endanger users,
+- when producing a fix requires coordinating between multiple actors (such as
+  upstream or downstream/dependency projects), or simply
+- when proper analysis of the issue and its ramifications demands time.
+
+If we determine that an issue you report requires an embargo, we will discuss
+this with you and try to find a reasonable expiry date (aka “embargo
+completion date”), as well as who should be included in the list of
+need-to-know people.

nginx.conf → default.conf.template

@@ -12,6 +12,11 @@ server {
         etag off;
     }
 
+    location /health {
+      add_header 'Content-Type' 'application/json';
+      return 200 '{"status":"OK", "version": "${APP_VERSION}", "sha": "${BUILD_SHA}"}';
+    }
+
     # redirect server error pages to the static page /50x.html
     #
     error_page   500 502 503 504  /50x.html;