City-of-Helsinki · hyrsky · Feb 9, 2024 · Feb 1, 2024 · Feb 2, 2024 · Feb 2, 2024
diff --git a/.github/workflows/npm-audit.yml b/.github/workflows/npm-audit.yml
@@ -0,0 +1,69 @@
+name: Npm audit
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 12 * * 0'  # Run every fortnight on Sunday at 12
+
+jobs:
+  npm_audit:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run npm audit
+        id: npm_audit
+        run: |
+          find public/modules/custom public/themes/custom -type f -name ".nvmrc" -exec sh -c '
+            dir=$(dirname "$1")
+            node_version=$(cat "$1")
+            echo "Using Node.js version $node_version in $dir"
+            cd "$dir"
+            export NVM_DIR="$HOME/.nvm" && [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
+            nvm install $node_version
+            nvm use $node_version
+            set +e
+            npm audit --package-lock-only --loglevel=error;
+            # The npm audit command will exit with a 0 exit code if no vulnerabilities were found.
+            if [ $? -gt 0 ]; then
+              npm audit fix --package-lock-only --loglevel=error;
+              if [ $? -gt 0 ]; then
+                echo "BC_BREAK=:exclamation: NPM Audit fix could not fix all vulnerabilities. Fix them manually by running \`npm audit fix --force\` and test the functionalities thoroughly as there might be breaking changes. :exclamation:" >> $GITHUB_ENV;
+              fi;
+              echo "CREATE_PR=true" >> $GITHUB_OUTPUT;
+            fi;
+            set -e
+          ' sh {} \;
+
+
+      - name: Create Pull Request
+        if: steps.npm_audit.outputs.CREATE_PR == 'true'
+        uses: peter-evans/create-pull-request@v4
+        with:
+          committer: GitHub <[email protected]>
+          author: actions-bot <[email protected]>
+          commit-message: Updated node modules based on npm audit fix
+          title: Automatic npm audit fix
+          labels: auto-update
+          body: |
+            # Npm audit
+
+            ${{ env.BC_BREAK }}
+
+            ## How to install
+
+            * Update the HDBT theme
+               * `git fetch --all`
+               * `git checkout automation/npm-audit`
+               * `git pull origin automation/npm-audit`
+            * In the custom module or custom theme folder, run `nvm use && npm i && npm run build`
+
+            ## How to test
+            Run `npm audit`
+
+            * [ ] Check that the `npm audit` prints `found 0 vulnerabilities`
+            * [ ] Check that the changes for distributed files are sensible
+
+          branch: automation/npm-audit
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -40,8 +40,11 @@ jobs:
 
       - name: Run PHPCS
         run: |
-          vendor/bin/phpcs public/modules/custom/ --ignore="*.js,*.css" --extensions=php,module,install --standard=Drupal
-          vendor/bin/phpcs public/themes/custom/ --ignore="*.js,*.css" --extensions=php,theme --standard=Drupal
+          vendor/bin/phpcs public/modules/custom/ --ignore="*.js,*.css" --extensions=php,module,install --standard=Drupal,DrupalPractice
+          vendor/bin/phpcs public/themes/custom/ --ignore="*.js,*.css" --extensions=php,theme --standard=Drupal,DrupalPractice
+
+      - name: Run phpstan
+        run: vendor/bin/phpstan analyze
 
       - name: Download latest dump
         env:

diff --git a/.platform/ignore b/.platform/ignore
@@ -0,0 +1 @@
+docker-compose.yml
diff --git a/.platform/schema b/.platform/schema
@@ -1 +1 @@
-4
+5
diff --git a/composer.json b/composer.json
@@ -15,6 +15,7 @@
         "drupal/helfi_azure_fs": "^2.0",
         "drupal/helfi_drupal_tools": "dev-main",
         "drupal/helfi_platform_config": "^4.0.0",
+        "drupal/raven": "^5.0",
         "drupal/real_aes": "^2.5",
         "drupal/smtp": "^1.2",
         "drupal/tfa": "^1.3",
@@ -44,7 +45,8 @@
             "composer/installers": true,
             "cweagans/composer-patches": true,
             "drupal/core-composer-scaffold": true,
-            "phpstan/extension-installer": true
+            "phpstan/extension-installer": true,
+            "php-http/discovery": false
         },
         "audit": {
             "abandoned": "report"
@@ -89,6 +91,9 @@
             "drush/Commands/{$name}": [
                 "type:drupal-drush"
             ]
+        },
+        "patchLevel": {
+            "drupal/core": "-p2"
         }
     },
     "autoload-dev": {