Merge branch 'main' into widget-richtext

Author: martinjagodic

.github/workflows/nodejs.yml

@@ -1,7 +1,14 @@
 name: Node CI
 
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   push:
+    branches:
+      - main
+      - master
   pull_request:
     types: [opened, synchronize, reopened]
 
@@ -11,51 +18,91 @@ jobs:
     outputs:
       cms: ${{ steps.filter.outputs.cms }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: dorny/paths-filter@v2
         id: filter
         with:
           filters: |
             cms:
               - '!website/**'
 
-  build:
+  build-unit:
     needs: changes
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [macos-latest, windows-latest, ubuntu-latest]
-        node-version: [20.x, 22.x]
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        node-version: [24.x]
+        include:
+          - os: ubuntu-latest
+            node-version: 22.x
       fail-fast: true
     if: ${{ needs.changes.outputs.cms == 'true' }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
           check-latest: true
           cache: 'npm'
       - name: log versions
-        run: node --version && npm --version && yarn --version
-      - name: install dependencies
+        run: node --version && npm --version
+      - name: install dependencies (skip Cypress binary)
         run: npm ci
-      - name: run unit tests
+        env:
+          CYPRESS_INSTALL_BINARY: 0
+      - name: run lint + types + unit tests
         run: npm run test:ci
+
+  e2e:
+    needs: changes
+    if: ${{ needs.changes.outputs.cms == 'true' }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        machine: [1, 2, 3, 4]
+    steps:
+      - uses: actions/checkout@v4
+      - name: Use Node.js 24.x
+        uses: actions/setup-node@v4
+        with:
+          node-version: 24.x
+          check-latest: true
+          cache: 'npm'
+      - name: Cache Nx local cache
+        uses: actions/cache@v4
+        with:
+          path: .nx/cache
+          key: nx-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            nx-${{ runner.os }}-
+      - name: Cache Cypress binary
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/Cypress
+          key: cypress-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            cypress-${{ runner.os }}-
+      - name: install dependencies
+        run: npm ci
       - name: build demo site
         run: npm run build:demo
-      - name: run e2e tests
-        if: matrix.os == 'ubuntu-latest' && matrix.node-version == '22.x'
+      - name: run e2e tests (parallel)
         run: npm run test:e2e:run-ci
         env:
+          CI_BUILD_ID: ${{ github.run_id }}-${{ github.run_attempt }}
           IS_FORK: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true || github.repository_owner != 'decaporg' }}
+          MACHINE_INDEX: ${{ matrix.machine }}
+          MACHINE_COUNT: 4
           CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }}
           NODE_OPTIONS: --max-old-space-size=4096
           TZ: Europe/Amsterdam
       - uses: actions/upload-artifact@v4
-        if: matrix.os == 'ubuntu-latest' && matrix.node-version == '22.x' && failure()
+        if: failure()
         with:
-          name: cypress-results
+          name: cypress-results-${{ matrix.machine }}
           path: |
             cypress/screenshots
             cypress/videos

.github/workflows/publish.yml

@@ -0,0 +1,70 @@
+name: Publish Packages
+
+on:
+  push:
+    tags:
+      - 'decap-*@*'
+
+permissions:
+  contents: read
+  id-token: write  # Required for OIDC trusted publishers
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    environment: production  # Optional: adds approval requirements and deployment protection
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Required for Lerna to detect changes
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '24'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build packages
+        run: npm run build
+
+      - name: Run tests
+        run: npm run test:ci
+
+      - name: Debug
+        run: |
+          echo "::group::Node & npm versions"
+          node -v
+          npm -v
+          echo "::endgroup::"
+
+          echo "::group::npm config (redacted)"
+          npm config get registry || true
+          npm config list -l | sed 's/_authToken.*/_authToken=[REDACTED]/' || true
+          echo "::endgroup::"
+
+          echo "::group::Env checks"
+          if [ -n "${NODE_AUTH_TOKEN}" ]; then echo "NODE_AUTH_TOKEN set? yes"; else echo "NODE_AUTH_TOKEN set? no"; fi
+          if [ -n "${NPM_CONFIG_USERCONFIG}" ]; then echo "NPM_CONFIG_USERCONFIG set? yes"; else echo "NPM_CONFIG_USERCONFIG set? no"; fi
+          echo "::endgroup::"
+
+          echo "::group::Git state"
+          git status --porcelain || true
+          git tag --list --points-at HEAD || true
+          echo "::endgroup::"
+
+          echo "::group::Registry package info"
+          npm view decap-server version || true
+          npm view decap-server versions --json || true
+          echo "::endgroup::"
+
+          echo "::group::Lerna packages"
+          npx lerna ls --json || true
+          echo "::endgroup::"
+
+      - name: Publish to npm
+        run: npm run lerna:publish -- --loglevel silly
+        # No NODE_AUTH_TOKEN needed - uses OIDC automatically via trusted publishers

.npmrc

@@ -1,2 +1 @@
 legacy-peer-deps=true
-lockfileVersion=3

CONTRIBUTING.md

@@ -193,6 +193,63 @@ npx jest -t "true on p" ".+backend-gitlab/.+/API.spec.js"
 
 For more information about running tests exactly the way you want, check out the official documentation for [Jest CLI](https://jestjs.io/docs/cli).
 
+## Releasing
+
+Decap CMS uses NPM trusted publishers with OIDC for secure, automated package publishing.
+
+### How It Works
+
+- Publishing is automated via GitHub Actions when version tags are pushed
+- Uses OpenID Connect (OIDC) for authentication. No NPM tokens required
+- Each package has a trusted publisher configured on npmjs.com
+- Workflow generates short-lived, cryptographically-signed tokens automatically
+- Publishes all changed packages in the monorepo via Lerna
+
+### Release Process
+
+1. **Prepare the release:**
+  ```sh
+  # Ensure your local `main` branch is up to date
+  npm prune
+  npm install
+  npm run test
+
+  # Bump versions for changed packages
+  npx lerna version
+
+  # This will:
+  # - Detect changed packages since last release
+  # - Bump versions according to conventional commits
+  # - Update CHANGELOG.md
+  # - Create git commit and tags
+  # - Push to upstream
+  ```
+
+2. **Automated publishing:**
+   - Tags pushed to `main` trigger the publish workflow automatically
+   - GitHub Actions runs tests and builds packages
+   - Lerna publishes changed packages to npm using OIDC
+   - Provenance attestations are generated automatically
+
+3. **Create GitHub release:**
+   - Go to [Releases](https://github.com/decaporg/decap-cms/releases)
+   - Draft a new release from the tag
+   - Add release notes highlighting changes
+
+### Manual Publishing (Emergency Only)
+
+If automated publishing fails and you need to publish manually:
+
+```sh
+# Authenticate with npm (uses session-based auth with 2FA)
+npm login
+
+# Publish changed packages
+npm run lerna:publish
+```
+
+Note: Manual publishing still requires 2FA. Use recovery codes if you don't have access to your 2FA device.
+
 ## License
 
 By contributing to Decap CMS, you agree that your contributions will be licensed

SECURITY.md

@@ -0,0 +1,47 @@
+# Security Policy
+
+Decap CMS takes security seriously. This document outlines our security policy, supported versions, and how to report security vulnerabilities.
+
+## Supported Versions
+
+Security updates are provided for:
+
+| Version | Status | Lifecycle |
+|---------|--------|-----------|
+| 3.x | ✅ Actively Supported | Current stable release |
+| 2.x (Netlify CMS) | ❌ Unsupported | Legacy - no updates |
+| 1.x (Netlify CMS) | ❌ Unsupported | Legacy - no updates |
+
+**Note:** Decap CMS was renamed from Netlify CMS in February 2023. Versions 1.x and 2.x are no longer maintained. We recommend upgrading to version 3.x for security updates and new features.
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in Decap CMS, please report it **confidentially** through GitHub Security Advisories. This allows us to investigate and address the issue without exposing it to the public until a fix is ready.
+
+**Submit your report at:** https://github.com/decaporg/decap-cms/security/advisories/new
+
+### What NOT to Do
+
+- Do not open a public GitHub issue for the vulnerability
+- Do not post details on social media or public forums
+- Do not attempt to exploit the vulnerability beyond confirming it exists
+- Do not access data beyond what's necessary to demonstrate the issue
+
+## Response Timeline
+
+This project follows a 90-day disclosure timeline.
+
+## Security Practices
+
+- Dependabot is enabled for automated security update checks
+- All code changes are tested in CI, including linting
+- End-to-end tests provide coverage of critical functionality
+- All pull requests require code review before merging
+- Passwords are not stored by Decap CMS; authentication is delegated to providers
+
+## Known Limitations
+
+- This is a **community-maintained open-source project**, not a commercial product with dedicated security resources
+- Security depends on the stability and practices of underlying dependencies and backend providers
+- Some vulnerabilities in dependencies may not be immediately patchable if they break backwards compatibility
+- This is a project with a long history, and many legacy dependencies can't be updated without significant refactoring

babel.config.js

@@ -9,15 +9,7 @@ const isESM = process.env.NODE_ENV === 'esm';
 console.log('Build Package:', path.basename(process.cwd()));
 
 // Always enabled plugins
-const basePlugins = [
-  [
-    'babel-plugin-transform-builtin-extend',
-    {
-      globals: ['Error'],
-    },
-  ],
-  'babel-plugin-inline-json-import',
-];
+const basePlugins = ['babel-plugin-inline-json-import'];
 
 // All legacy transforms have been removed as they are now included in @babel/preset-env
 // Features like class properties, optional chaining, nullish coalescing are now standard in modern JS

cypress/run.mjs

@@ -10,23 +10,30 @@ async function runCypress() {
     process.exit(1);
   }
 
-  if (process.env.IS_FORK === 'true') {
-    const machineIndex = parseInt(process.env.MACHINE_INDEX);
-    const machineCount = parseInt(process.env.MACHINE_COUNT);
+  const machineIndex = Number(process.env.MACHINE_INDEX || 0);
+  const machineCount = Number(process.env.MACHINE_COUNT || 0);
+
+  if (machineIndex && machineCount) {
     const specsPerMachine = Math.floor(specs.length / machineCount);
     const start = (machineIndex - 1) * specsPerMachine;
     const machineSpecs =
       machineIndex === machineCount
         ? specs.slice(start)
         : specs.slice(start, start + specsPerMachine);
 
+    console.log(
+      `Sharding specs manually: machine ${machineIndex}/${machineCount} running ${machineSpecs.length} specs`,
+    );
     args.push('--spec', machineSpecs.join(','));
   } else {
+    const ciBuildId =
+      process.env.CI_BUILD_ID || process.env.GITHUB_RUN_ID || process.env.GITHUB_SHA;
+
     args.push(
       '--record',
       '--parallel',
       '--ci-build-id',
-      process.env.GITHUB_SHA,
+      ciBuildId,
       '--group',
       'GitHub CI',
       '--spec',
@@ -35,7 +42,11 @@ async function runCypress() {
   }
 
   console.log('Running Cypress with args:', args.join(' '));
-  await execa('cypress', args, { stdio: 'inherit', preferLocal: true });
+  await execa('cypress', args, {
+    stdio: 'inherit',
+    preferLocal: true,
+    timeout: 60 * 60 * 1000, // 1 hour
+  });
 }
 
 runCypress();

cypress/utils/config.js

@@ -1,6 +1,6 @@
 const fs = require('fs-extra');
 const path = require('path');
-const yaml = require('js-yaml');
+const { parse, stringify } = require('yaml');
 
 const devTestDirectory = path.join(__dirname, '..', '..', 'dev-test');
 const backendsDirectory = path.join(devTestDirectory, 'backends');
@@ -18,10 +18,10 @@ async function copyBackendFiles(backend) {
 
 async function updateConfig(configModifier) {
   const configFile = path.join(devTestDirectory, 'config.yml');
-  const configContent = await fs.readFile(configFile);
-  const config = yaml.load(configContent);
+  const configContent = await fs.readFile(configFile, 'utf8');
+  const config = parse(configContent);
   await configModifier(config);
-  await fs.writeFileSync(configFile, yaml.dump(config));
+  await fs.writeFile(configFile, stringify(config));
 }
 
 async function switchVersion(version) {