Merge pull request #9386 from IQSS/develop

v5.13

Author: kcondon

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,11 +1,13 @@
 ---
 name: Bug report
-about: Did you encounter something unexpected or incorrect in the Dataverse software? We'd like to hear about it!
+about: Did you encounter something unexpected or incorrect in the Dataverse software?
+  We'd like to hear about it!
 title: ''
 labels: ''
 assignees: ''
 
 ---
+
 <!--
 Thank you for contributing to the Dataverse Project through the creation of a bug report!
 

.github/ISSUE_TEMPLATE/feature_request.md

@@ -6,6 +6,7 @@ labels: ''
 assignees: ''
 
 ---
+
 <!--
 Thank you for contributing to the Dataverse Project through the creation of a feature request!
 
@@ -32,4 +33,4 @@ Start below this comment section.
 **Any brand new behavior do you want to add to Dataverse?**
 
 
-**Any related open or closed issues to this feature request?**
+**Any open or closed issues related to this feature request?**

.github/SECURITY.md

@@ -0,0 +1,7 @@
+# Security
+
+To report a security vulnerability please email [email protected] as explained at https://guides.dataverse.org/en/latest/installation/config.html#reporting-security-issues
+
+Advice on securing your installation can be found at https://guides.dataverse.org/en/latest/installation/config.html#securing-your-installation
+
+Security practices and procedures used by the Dataverse team are described at https://guides.dataverse.org/en/latest/developers/security.html

.github/workflows/container_base_push.yml

@@ -0,0 +1,85 @@
+---
+name: Container Base Module
+
+on:
+    push:
+        branches:
+            - 'develop'
+            - 'master'
+        paths:
+            - 'modules/container-base/**'
+            - 'modules/dataverse-parent/pom.xml'
+            - '.github/workflows/container_base_push.yml'
+    pull_request:
+        branches:
+            - 'develop'
+            - 'master'
+        paths:
+            - 'modules/container-base/**'
+            - 'modules/dataverse-parent/pom.xml'
+            - '.github/workflows/container_base_push.yml'
+
+env:
+    IMAGE_TAG: unstable
+
+jobs:
+    build:
+        name: Build image
+        runs-on: ubuntu-latest
+        permissions:
+            contents: read
+            packages: read
+        strategy:
+            matrix:
+                jdk: [ '11' ]
+        # Only run in upstream repo - avoid unnecessary runs in forks
+        if: ${{ github.repository_owner == 'IQSS' }}
+
+        steps:
+            - name: Checkout repository
+              uses: actions/checkout@v3
+
+            - name: Set up JDK ${{ matrix.jdk }}
+              uses: actions/setup-java@v3
+              with:
+                  java-version: ${{ matrix.jdk }}
+                  distribution: 'adopt'
+            - name: Cache Maven packages
+              uses: actions/cache@v3
+              with:
+                  path: ~/.m2
+                  key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+                  restore-keys: ${{ runner.os }}-m2
+
+            - name: Build base container image with local architecture
+              run: mvn -f modules/container-base -Pct package
+
+            # Run anything below only if this is not a pull request.
+            # Accessing, pushing tags etc. to DockerHub will only succeed in upstream because secrets.
+
+            - if: ${{ github.event_name == 'push' && github.ref_name == 'develop' }}
+              name: Push description to DockerHub
+              uses: peter-evans/dockerhub-description@v3
+              with:
+                  username: ${{ secrets.DOCKERHUB_USERNAME }}
+                  password: ${{ secrets.DOCKERHUB_TOKEN }}
+                  repository: gdcc/base
+                  short-description: "Dataverse Base Container image providing Payara application server and optimized configuration"
+                  readme-filepath: ./modules/container-base/README.md
+
+            - if: ${{ github.event_name != 'pull_request' }}
+              name: Log in to the Container registry
+              uses: docker/login-action@v2
+              with:
+                  registry: ${{ env.REGISTRY }}
+                  username: ${{ secrets.DOCKERHUB_USERNAME }}
+                  password: ${{ secrets.DOCKERHUB_TOKEN }}
+            - if: ${{ github.event_name != 'pull_request' }}
+              name: Set up QEMU for multi-arch builds
+              uses: docker/setup-qemu-action@v2
+            - name: Re-set image tag based on branch
+              if: ${{ github.ref_name == 'master' }}
+              run: echo "IMAGE_TAG=stable"
+            - if: ${{ github.event_name != 'pull_request' }}
+              name: Deploy multi-arch base container image to Docker Hub
+              run: mvn -f modules/container-base -Pct deploy -Dbase.image.tag=${{ env.IMAGE_TAG }}

.github/workflows/shellcheck.yml

@@ -0,0 +1,24 @@
+name: "Shellcheck"
+on:
+    push:
+        paths:
+            - conf/solr/**
+            - modules/container-base/**
+    pull_request:
+        paths:
+            - conf/solr/**
+            - modules/container-base/**
+jobs:
+    shellcheck:
+        name: Shellcheck
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v2
+            - name: shellcheck
+              uses: reviewdog/action-shellcheck@v1
+              with:
+                  github_token: ${{ secrets.github_token }}
+                  reporter: github-pr-review # Change reporter.
+                  fail_on_error: true
+                  # Container base image uses dumb-init shebang, so nail to using bash
+                  shellcheck_flags: "--shell=bash --external-sources"

.github/workflows/shellspec.yml

@@ -13,18 +13,6 @@ on:
 env:
     SHELLSPEC_VERSION: 0.28.1
 jobs:
-    shellcheck:
-        name: Shellcheck
-        runs-on: ubuntu-latest
-        steps:
-            - uses: actions/checkout@v2
-            - name: shellcheck
-              uses: reviewdog/action-shellcheck@v1
-              with:
-                  github_token: ${{ secrets.github_token }}
-                  reporter: github-pr-review # Change reporter.
-                  fail_on_error: true
-                  exclude: "./tests/shell/*"
     shellspec-ubuntu:
         name: "Ubuntu"
         runs-on: ubuntu-latest

conf/keycloak/docker-compose.yml

@@ -0,0 +1,15 @@
+version: "3.9"
+
+services:
+
+  keycloak:
+    image: 'jboss/keycloak:16.1.1'
+    environment:
+      - KEYCLOAK_USER=kcadmin
+      - KEYCLOAK_PASSWORD=kcpassword
+      - KEYCLOAK_IMPORT=/tmp/oidc-realm.json
+      - KEYCLOAK_LOGLEVEL=DEBUG
+    ports:
+      - "8090:8080"
+    volumes:
+      - './oidc-realm.json:/tmp/oidc-realm.json'

conf/keycloak/oidc-keycloak-auth-provider.json

@@ -0,0 +1,8 @@
+{
+  "id": "oidc-keycloak",
+  "factoryAlias": "oidc",
+  "title": "OIDC-Keycloak",
+  "subtitle": "OIDC-Keycloak",
+  "factoryData": "type: oidc | issuer: http://localhost:8090/auth/realms/oidc-realm | clientId: oidc-client | clientSecret: ss6gE8mODCDfqesQaSG3gwUwZqZt547E",
+  "enabled": true
+}