From 80e675e525e04d86fa44babff46396e0076d7c93 Mon Sep 17 00:00:00 2001
From: Jake Bapple <166155028+JakeBapple@users.noreply.github.com>
Date: Fri, 20 Dec 2024 11:22:56 -0600
Subject: [PATCH 1/3] VACMS-19894: Remove all composer dependencies from dependabot except content build (#20147)
* Update dependabot-updates.md
* Update dependabot.yml
---
 .github/dependabot.yml | 326 +++++++++++++++++++++++++---
 READMES/dependabot-updates.md | 68 +------
 2 files changed, 248 insertions(+), 146 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f31024a796..909bd0467c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,85 +1,245 @@
 version: 2
 updates:
-- package-ecosystem: composer
- directory: "/"
- schedule:
- interval: daily
- time: "20:00"
- timezone: US/Eastern
- open-pull-requests-limit: 25
- allow:
- - dependency-type: direct
- ignore:
- - dependency-name: aws/aws-sdk-php
- update-types:
- - version-update:semver-patch
- - dependency-name: bower-asset/dropzone
- versions:
- - ">= 5.7.a"
- - "< 5.8"
- - dependency-name: drupal/admin_toolbar
- versions:
- - ">= 2.a"
- - "< 3"
- # Ignore Drupal core updates;
- # Dependabot can't perform all the necessary steps.
- - dependency-name: drupal/core*
- - dependency-name: drupal/linkit
- versions:
- - ">= 6.a"
- - "< 7"
- - dependency-name: drupal/rest_menu_tree
- versions:
- - ">= 2.a"
- - "< 3"
- - dependency-name: drupal/uswds
- versions:
- - ">= 2.a"
- - "< 3"
- - dependency-name: drupal/views_bulk_operations
- versions:
- - ">= 3.a"
- - "< 4"
- - dependency-name: drush/drush
- versions:
- - ">= 10.a"
- - "< 11"
- - dependency-name: ezyang/htmlpurifier
- versions:
- - ">= 4.13.a"
- - "< 4.14"
- - dependency-name: myclabs/deep-copy
- versions:
- - ">= 1.10.a"
- - "< 1.11"
- - dependency-name: symfony/browser-kit
- versions:
- - "> 4.4.3"
- - "< 4.5"
- - dependency-name: symfony/config
- versions:
- - ">= 4.a"
- - "< 5"
- - dependency-name: symfony/finder
- versions:
- - ">= 4.a"
- - "< 5"
- - dependency-name: symfony/phpunit-bridge
- versions:
- - "> 5.1.2"
- - "< 5.2"
- - dependency-name: symfony/validator
- versions:
- - "> 3.4.42"
- - "< 3.5"
- - dependency-name: webmozart/assert
- versions:
- - "> 1.9.0"
- - "< 1.10"
- rebase-strategy: disabled
-- package-ecosystem: "github-actions"
- directory: "/"
- schedule:
- # Check for updates to GitHub Actions every week
- interval: "weekly"
- open-pull-requests-limit: 10
+ - package-ecosystem: composer
+ directory: "/"
+ schedule:
+ interval: daily
+ time: "20:00"
+ timezone: US/Eastern
+ open-pull-requests-limit: 25
+ allow:
+ - dependency-type: direct
+ ignore:
+ - dependency-name: behat/mink
+ - dependency-name: behat/mink-browserkit-driver
+ - dependency-name: digitalrevolution/php-codesniffer-baseline
+ - dependency-name: drupal/devel
+ - dependency-name: drupal/html_tag_usage
+ - dependency-name: drupal/media_entity_generic
+ - dependency-name: palantirnet/drupal-rector
+ - dependency-name: bower-asset/cropper
+ - dependency-name: caxy/php-htmldiff
+ - dependency-name: composer/installers
+ - dependency-name: consolidation/site-process
+ - dependency-name: cweagans/composer-patches
+ - dependency-name: datadog/dd-trace
+ - dependency-name: dealerdirect/phpcodesniffer-composer-installer
+ - dependency-name: drupal/address
+ - dependency-name: drupal/admin_feedback
+ - dependency-name: drupal/admin_toolbar
+ - dependency-name: drupal/advancedqueue
+ - dependency-name: drupal/allow_only_one
+ - dependency-name: drupal/allowed_formats
+ - dependency-name: drupal/animated_gif
+ - dependency-name: drupal/auto_entitylabel
+ - dependency-name: drupal/better_exposed_filters
+ - dependency-name: drupal/cer
+ - dependency-name: drupal/change_labels
+ - dependency-name: drupal/ckeditor_abbreviation
+ - dependency-name: drupal/clientside_validation
+ - dependency-name: drupal/coder
+ - dependency-name: drupal/codit_batch_operations
+ - dependency-name: drupal/codit_menu_tools
+ - dependency-name: drupal/components
+ - dependency-name: drupal/computed_breadcrumbs
+ - dependency-name: drupal/config_ignore
+ - dependency-name: drupal/config_override_warn
+ - dependency-name: drupal/config_split
+ - dependency-name: drupal/config_view
+ - dependency-name: drupal/config_views
+ - dependency-name: drupal/consumer_image_styles
+ - dependency-name: drupal/consumers
+ - dependency-name: drupal/content_lock
+ - dependency-name: drupal/content_model_documentation
+ - dependency-name: drupal/core-composer-scaffold
+ - dependency-name: drupal/core-recommended
+ - dependency-name: drupal/crop
+ - dependency-name: drupal/csv_serialization
+ - dependency-name: drupal/ctools_block
+ - dependency-name: drupal/default_content_deploy
+ - dependency-name: drupal/devel_entity_updates
+ - dependency-name: drupal/diff
+ - dependency-name: drupal/dropzonejs
+ - dependency-name: drupal/dynamic_entity_reference
+ - dependency-name: drupal/easy_breadcrumb
+ - dependency-name: drupal/eca
+ - dependency-name: drupal/eca_cm
+ - dependency-name: drupal/embed
+ - dependency-name: drupal/entity_block
+ - dependency-name: drupal/entity_browser
+ - dependency-name: drupal/entity_browser_table
+ - dependency-name: drupal/entity_clone
+ - dependency-name: drupal/entity_diff_ui
+ - dependency-name: drupal/entity_field_fetch
+ - dependency-name: drupal/entity_reference_hierarchy
+ - dependency-name: drupal/entity_reference_revisions
+ - dependency-name: drupal/entity_reference_unpublished
+ - dependency-name: drupal/entity_reference_validators
+ - dependency-name: drupal/entity_route_context
+ - dependency-name: drupal/entity_update
+ - dependency-name: drupal/entity_usage
+ - dependency-name: drupal/entity_usage_addons
+ - dependency-name: drupal/entityqueue
+ - dependency-name: drupal/environment_indicator
+ - dependency-name: drupal/epp
+ - dependency-name: drupal/expirable_content
+ - dependency-name: drupal/fast_404
+ - dependency-name: drupal/feature_toggle
+ - dependency-name: drupal/field_group
+ - dependency-name: drupal/fieldhelptext
+ - dependency-name: drupal/flag
+ - dependency-name: drupal/flood_control
+ - dependency-name: drupal/formdazzle
+ - dependency-name: drupal/ga4_google_analytics
+ - dependency-name: drupal/geocoder
+ - dependency-name: drupal/geofield
+ - dependency-name: drupal/geofield_map
+ - dependency-name: drupal/google_analytics
+ - dependency-name: drupal/govdelivery_bulletins
+ - dependency-name: drupal/graphql
+ - dependency-name: drupal/graphql_core
+ - dependency-name: drupal/graphql_menu
+ - dependency-name: drupal/graphql_metatag
+ - dependency-name: drupal/health_check_url
+ - dependency-name: drupal/hierarchy_manager
+ - dependency-name: drupal/hms_field
+ - dependency-name: drupal/hook_event_dispatcher
+ - dependency-name: drupal/ief_table_view_mode
+ - dependency-name: drupal/image_style_warmer
+ - dependency-name: drupal/image_widget_crop
+ - dependency-name: drupal/jsonapi_extras
+ - dependency-name: drupal/jsonapi_hypermedia
+ - dependency-name: drupal/jsonapi_image_styles
+ - dependency-name: drupal/jsonapi_menu_items
+ - dependency-name: drupal/jsonapi_resources
+ - dependency-name: drupal/jsonapi_views
+ - dependency-name: drupal/libraries
+ - dependency-name: drupal/limited_field_widgets
+ - dependency-name: drupal/linkit
+ - dependency-name: drupal/linky
+ - dependency-name: drupal/linkychecker
+ - dependency-name: drupal/linkyreplacer
+ - dependency-name: drupal/markup
+ - dependency-name: drupal/media_file_delete
+ - dependency-name: drupal/memcache
+ - dependency-name: drupal/memcache_admin
+ - dependency-name: drupal/menu_breadcrumb
+ - dependency-name: drupal/menu_export
+ - dependency-name: drupal/menu_force
+ - dependency-name: drupal/menu_item_extras
+ - dependency-name: drupal/menu_link_attributes
+ - dependency-name: drupal/menu_normalizer
+ - dependency-name: drupal/message
+ - dependency-name: drupal/message_notify
+ - dependency-name: drupal/message_subscribe
+ - dependency-name: drupal/message_ui
+ - dependency-name: drupal/metatag
+ - dependency-name: drupal/migrate_plus
+ - dependency-name: drupal/migrate_source_csv
+ - dependency-name: drupal/migrate_source_ui
+ - dependency-name: drupal/migrate_tools
+ - dependency-name: drupal/migration_tools
+ - dependency-name: drupal/mimemail
+ - dependency-name: drupal/monolog
+ - dependency-name: drupal/next
+ - dependency-name: drupal/no_table_drag
+ - dependency-name: drupal/node_link_report
+ - dependency-name: drupal/node_revision_delete
+ - dependency-name: drupal/node_title_help_text
+ - dependency-name: drupal/office_hours
+ - dependency-name: drupal/openapi
+ - dependency-name: drupal/openapi_jsonapi
+ - dependency-name: drupal/openapi_ui
+ - dependency-name: drupal/openapi_ui_swagger
+ - dependency-name: drupal/override_node_options
+ - dependency-name: drupal/paragraphs
+ - dependency-name: drupal/paragraphs_browser
+ - dependency-name: drupal/paragraphs_features
+ - dependency-name: drupal/paragraphs_usage
+ - dependency-name: drupal/password_policy
+ - dependency-name: drupal/password_strength
+ - dependency-name: drupal/path_redirect_import
+ - dependency-name: drupal/pathauto
+ - dependency-name: drupal/pathologic
+ - dependency-name: drupal/pfm
+ - dependency-name: drupal/post_api
+ - dependency-name: drupal/prometheus_exporter
+ - dependency-name: drupal/raven
+ - dependency-name: drupal/rdf
+ - dependency-name: drupal/redirect
+ - dependency-name: drupal/redirect_options
+ - dependency-name: drupal/restui
+ - dependency-name: drupal/role_delegation
+ - dependency-name: drupal/s3fs
+ - dependency-name: drupal/schemata
+ - dependency-name: drupal/search_api
+ - dependency-name: drupal/seckit
+ - dependency-name: drupal/simplesamlphp_auth
+ - dependency-name: drupal/sitewide_alert
+ - dependency-name: drupal/slack
+ - dependency-name: drupal/smart_date
+ - dependency-name: drupal/social_media_links
+ - dependency-name: drupal/string_field_formatter
+ - dependency-name: drupal/styleguide
+ - dependency-name: drupal/tablefield
+ - dependency-name: drupal/taxonomy_entity_index
+ - dependency-name: drupal/taxonomy_menu
+ - dependency-name: drupal/textfield_counter
+ - dependency-name: drupal/tmgmt
+ - dependency-name: drupal/toolbar_menu
+ - dependency-name: drupal/twig_tweak
+ - dependency-name: drupal/tzfield
+ - dependency-name: drupal/upgrade_status
+ - dependency-name: drupal/user_history
+ - dependency-name: drupal/video_embed_media
+ - dependency-name: drupal/viewfield
+ - dependency-name: drupal/views_bulk_edit
+ - dependency-name: drupal/views_bulk_operations
+ - dependency-name: drupal/views_conditional
+ - dependency-name: drupal/views_data_export
+ - dependency-name: drupal/views_local_tasks
+ - dependency-name: drupal/workbench_access
+ - dependency-name: drupal/workbench_menu_access
+ - dependency-name: drush/drush
+ - dependency-name: easyrdf/easyrdf
+ - dependency-name: geocoder-php/mapbox-provider
+ - dependency-name: giggsey/libphonenumber-for-php
+ - dependency-name: gitonomy/gitlib
+ - dependency-name: http-interop/http-factory-guzzle
+ - dependency-name: knplabs/github-api
+ - dependency-name: mglaman/phpstan-drupal
+ - dependency-name: michelf/php-markdown
+ - dependency-name: mikey179/vfsstream
+ - dependency-name: mnsami/composer-custom-directory-installer
+ - dependency-name: npm-asset/dropzone
+ - dependency-name: npm-asset/jquery-validation
+ - dependency-name: npm-asset/yarn
+ - dependency-name: oomphinc/composer-installers-extender
+ - dependency-name: orakili/composer-drupal-info-file-patch-helper
+ - dependency-name: php-http/guzzle7-adapter
+ - dependency-name: phpspec/prophecy
+ - dependency-name: phpspec/prophecy-phpunit
+ - dependency-name: phpstan/phpstan
+ - dependency-name: phpstan/phpstan-deprecation-rules
+ - dependency-name: phpunit/phpunit
+ - dependency-name: querypath/querypath
+ - dependency-name: simplesamlphp/simplesamlphp
+ - dependency-name: squizlabs/php_codesniffer
+ - dependency-name: symfony/browser-kit
+ - dependency-name: symfony/console
+ - dependency-name: symfony/phpunit-bridge
+ - dependency-name: symfony/process
+ - dependency-name: symfony/routing
+ - dependency-name: vlucas/phpdotenv
+ - dependency-name: webflo/drupal-finder
+ - dependency-name: webmozart/path-util
+ - dependency-name: webonyx/graphql-php
+ - dependency-name: weitzman/drupal-test-traits
+ - dependency-name: zaporylie/composer-drupal-optimizations
+ rebase-strategy: disabled
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ # Check for updates to GitHub Actions every week
+ interval: "weekly"
+ open-pull-requests-limit: 10
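Review bot: The policy "only track va-gov/content-build" is expressed here as a deny-list of more than two hundred `ignore` entries, which fails open: any composer dependency added after this commit is tracked by default until someone remembers to append it here, and the list will drift from composer.json over time. `allow` already accepts `dependency-name`, so replacing `- dependency-type: direct` under `allow:` with `- dependency-name: "va-gov/content-build"` states the intent in one line and makes the `ignore` block unnecessary. Separately, GitHub documents `ignore` entries that carry no `update-types` as suppressing Dependabot security-update PRs for those packages as well (confirm against the current docs before merging); if the team still expects security PRs for e.g. `drupal/core-recommended`, `simplesamlphp/simplesamlphp` or `phpunit/phpunit`, those entries need `update-types` limits rather than a blanket ignore. The old `drupal/core*` glob is replaced by explicit `drupal/core-composer-scaffold` and `drupal/core-recommended` entries, so any other direct `drupal/core-*` requirement is no longer ignored, and the comment explaining why core was excluded was dropped with it.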
diff --git a/READMES/dependabot-updates.md b/READMES/dependabot-updates.md
index 2491ffbfe3..958c243521 100644
--- a/READMES/dependabot-updates.md
+++ b/READMES/dependabot-updates.md
@@ -1,67 +1,9 @@
-Dependabot automatically scans the `composer.json`, `composer.lock`, `package.json`, and `package-lock.json` files to make sure packages are up to date. This document describes the process for reviewing and merging dependabot updates. Dependabot functionality is described on the [Github documentation page](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically)
+Dependabot automatically scans the `composer.json`, `composer.lock`, `package.json`, and `package-lock.json` files to make sure packages are up to date. This document describes the process for reviewing and merging dependabot updates. Dependabot functionality is described on the [Github documentation page](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically)
-## Determine the source
-
-### va-gov/content-build
+## Current methodology
-The package `va-gov/content-build` is the va.gov content build. This PR can be merged if all tests pass. No other work is needed.
-
-### Packagist/NPM with release note
+Dependabot will now be only used to track updates to the content-build module within the VA. All other modules have been ignored in its tracking.
-Updates from packagist and npm with release notes will have collapsed sections containing the details release notes and commits.
+## Adding or removing modules
-Example PR: https://github.com/department-of-veterans-affairs/va.gov-cms/pull/6069
-
-![image](https://user-images.githubusercontent.com/121603/129742778-e08627e4-94bc-4ce2-bdff-1a8ba3eab31f.png)
-
-Review the release notes and determine if manually testing is required. Most of the time if all tests pass then the PR can be merged but this is a case by case basis. If you have any questions please reach out to your tech lead.
-
-### Packagist/NPM without release notes
-
-Most of the time the release notes will be automatically added. In the cases where they are not, go to packagist/npm/github and add links to the release notes.
-
-Here is an example: https://github.com/department-of-veterans-affairs/va.gov-cms/pull/5665
-
-![image](https://user-images.githubusercontent.com/121603/129743349-0facd0e5-8380-4b99-8092-16bd03fbfa4a.png)
-
-To find the release notes, first start with the packagist/npm package which will link to the source code repository. For the example above, phpmailer is found here: https://packagist.org/packages/phpmailer/phpmailer
-
-### Drupal
-
-Dependabot PRs created for Drupal packages will not have release notes or diff. These can be created manually using the following pattern:
-
-```
-Release Notes: (one link to each of the releases between current and suggested)
-- https://www.drupal.org/project//releases/
-
-Diff: https://git.drupalcode.org/project//-/compare/...
-
-```
-
-Example: https://github.com/department-of-veterans-affairs/va.gov-cms/pull/5651
-
-Blazy module updating from version 8.x-2.2 to 8.x-2.4
-
-```
-Release Notes:
-* https://www.drupal.org/project/blazy/releases/8.x-2.4
-* https://www.drupal.org/project/blazy/releases/8.x-2.3
-
-Diff: https://git.drupalcode.org/project/blazy/-/compare/8.x-2.2...8.x-2.4?from_project_id=59405
-```
-
-![image](https://user-images.githubusercontent.com/121603/129744945-deb9d89c-9482-48a8-8c3c-4bcc1e8aa710.png)
-
-Review the release notes and determine if manually testing is required. Most of the time if all tests pass then the PR can be merged but this is a case by case basis. If you have any questions please reach out to your tech lead.
-
-It's also useful to review the code diff to look for any API/method changes and see if we use any of the changed code.
-
-### When Tugboat Fails to Deploy
-
-The pull request events dispatched from GitHub to Tugboat cross the TIC; therefore, they are subject to inspection and rejection for possibly harmful content. As of now (February 2023), a rejected request still has a 200 HTTP status code, making this difficult to detect.
-
-If a pull request's body contains code, it is possible that this will be interpreted as an attempt at server-side code injection. For instance, if the message contains "We started using `filter_var()` to check if a variable is boolean.", it may be flagged as attempting PHP code injection and rejected transparently, regardless of the surrounding text.
-
-The result is that Tugboat will not receive the message and consequently will not know to deploy a PR preview environment, and so the complete suite of tests will not run.
-
-In this case, commenting `@dependabot recreate` will probably not have any effect. Rather, enter the Tugboat interface, find the branch in the "available to build" list, and build it manually. The tests will run and work should proceed normally from that point.
+When adding or removing modules, make sure to do the same to your module's reference in ignore section of [the dependabot.yml file](../.github/dependabot.yml).
From ac98ea3209332e4067500f26bc202fcc2375bda6 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 20 Dec 2024 09:58:25 -0800
Subject: [PATCH 2/3] Bump va-gov/content-build from 0.0.3654 to 0.0.3655 (#20151)
Bumps [va-gov/content-build](https://github.com/department-of-veterans-affairs/content-build) from 0.0.3654 to 0.0.3655.
- [Release notes](https://github.com/department-of-veterans-affairs/content-build/releases)
- [Commits](https://github.com/department-of-veterans-affairs/content-build/compare/v0.0.3654...v0.0.3655)
---
updated-dependencies:
- dependency-name: va-gov/content-build
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 composer.json | 2 +-
 composer.lock | 14 +++++++-------
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/composer.json b/composer.json
index a5cdda8dc4..4fd0fa3077 100644
--- a/composer.json
+++ b/composer.json
@@ -228,7 +228,7 @@
 "symfony/phpunit-bridge": "^7.1",
 "symfony/process": "^6.3",
 "symfony/routing": "^6.3",
- "va-gov/content-build": "^0.0.3654",
+ "va-gov/content-build": "^0.0.3655",
 "vlucas/phpdotenv": "^5.6",
 "webflo/drupal-finder": "1.3.1",
 "webmozart/path-util": "^2.3",
diff --git a/composer.lock b/composer.lock
index 425d591c1b..34e203638e 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
 "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
 "This file is @generated automatically"
 ],
- "content-hash": "66210d18d93fa3289fa2a2dbff43baf8",
+ "content-hash": "1fa2ffdec82a120fc683f5623ce328b1",
 "packages": [
 {
 "name": "asm89/stack-cors",
@@ -26902,16 +26902,16 @@
 },
 {
 "name": "va-gov/content-build",
- "version": "v0.0.3654",
+ "version": "v0.0.3655",
 "source": {
 "type": "git",
 "url": "https://github.com/department-of-veterans-affairs/content-build.git",
- "reference": "bebe2c2276d09c13500dc860a272ce6f7b641943"
+ "reference": "89b09b3660f4e0b7005675ec6f2b3a952c5616b4"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/department-of-veterans-affairs/content-build/zipball/bebe2c2276d09c13500dc860a272ce6f7b641943",
- "reference": "bebe2c2276d09c13500dc860a272ce6f7b641943",
+ "url": "https://api.github.com/repos/department-of-veterans-affairs/content-build/zipball/89b09b3660f4e0b7005675ec6f2b3a952c5616b4",
+ "reference": "89b09b3660f4e0b7005675ec6f2b3a952c5616b4",
 "shasum": ""
 },
 "type": "node-project",
@@ -26938,9 +26938,9 @@
 "description": "Front-end for VA.gov. This repository contains the code that generates the www.va.gov website. It contains a Metalsmith static site builder that uses a Drupal CMS for content. This file is here to publish releases to https://packagist.org/packages/va-gov/content-build, so that the CMS CI system can install it and update it using standard composer processes, and so that we can run tests across both systems. See https://github.com/department-of-veterans-affairs/va.gov-cms for the CMS repo, and stand by for more documentation.",
 "support": {
 "issues": "https://github.com/department-of-veterans-affairs/content-build/issues",
- "source": "https://github.com/department-of-veterans-affairs/content-build/tree/v0.0.3654"
+ "source": "https://github.com/department-of-veterans-affairs/content-build/tree/v0.0.3655"
 },
- "time": "2024-12-17T18:58:38+00:00"
+ "time": "2024-12-20T15:41:52+00:00"
 },
 {
 "name": "vlucas/phpdotenv",
From 07636030a3eb94ac15646818a60edd487eaeaf36 Mon Sep 17 00:00:00 2001
From: Jill Adams <85581471+jilladams@users.noreply.github.com>
Date: Fri, 20 Dec 2024 10:22:21 -0800
Subject: [PATCH 3/3] Update taxonomy-add-term.yml
---
 .github/ISSUE_TEMPLATE/taxonomy-add-term.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/ISSUE_TEMPLATE/taxonomy-add-term.yml b/.github/ISSUE_TEMPLATE/taxonomy-add-term.yml
index c33a7f6788..c33e87ebb1 100644
--- a/.github/ISSUE_TEMPLATE/taxonomy-add-term.yml
+++ b/.github/ISSUE_TEMPLATE/taxonomy-add-term.yml
@@ -102,7 +102,8 @@ body: **Launch & Change Management** - [ ] Once Content Review and Technical Coordination are complete, term can be published in Drupal - - [ ] Updates to KB articles and other editor training materials + - [ ] Updates to KB articles and other editor training materials as needed + - [ ] If a Vet Centers service: update https://prod.cms.va.gov/help/vet-centers/how-to-edit-a-vet-center-service - [ ] Announcement to editors validations: required: true