Merge branch 'main' into 52-notes-pane

Author: EstoesMoises

.eslintrc.js

@@ -6,7 +6,13 @@ const packages = fs
   .map(dirent => dirent.name);
 
 module.exports = {
-  parser: 'babel-eslint',
+  parser: '@babel/eslint-parser',
+  parserOptions: {
+    requireConfigFile: false,
+    babelOptions: {
+      presets: ['@babel/preset-react'],
+    },
+  },
   extends: [
     'eslint:recommended',
     'plugin:react/recommended',

.github/workflows/nodejs.yml

@@ -1,7 +1,14 @@
 name: Node CI
 
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   push:
+    branches:
+      - main
+      - master
   pull_request:
     types: [opened, synchronize, reopened]
 
@@ -11,51 +18,91 @@ jobs:
     outputs:
       cms: ${{ steps.filter.outputs.cms }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: dorny/paths-filter@v2
         id: filter
         with:
           filters: |
             cms:
               - '!website/**'
 
-  build:
+  build-unit:
     needs: changes
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [macos-latest, windows-latest, ubuntu-latest]
-        node-version: [20.x, 22.x]
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        node-version: [24.x]
+        include:
+          - os: ubuntu-latest
+            node-version: 22.x
       fail-fast: true
     if: ${{ needs.changes.outputs.cms == 'true' }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
           check-latest: true
           cache: 'npm'
       - name: log versions
-        run: node --version && npm --version && yarn --version
-      - name: install dependencies
+        run: node --version && npm --version
+      - name: install dependencies (skip Cypress binary)
         run: npm ci
-      - name: run unit tests
+        env:
+          CYPRESS_INSTALL_BINARY: 0
+      - name: run lint + types + unit tests
         run: npm run test:ci
+
+  e2e:
+    needs: changes
+    if: ${{ needs.changes.outputs.cms == 'true' }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        machine: [1, 2, 3, 4]
+    steps:
+      - uses: actions/checkout@v4
+      - name: Use Node.js 24.x
+        uses: actions/setup-node@v4
+        with:
+          node-version: 24.x
+          check-latest: true
+          cache: 'npm'
+      - name: Cache Nx local cache
+        uses: actions/cache@v4
+        with:
+          path: .nx/cache
+          key: nx-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            nx-${{ runner.os }}-
+      - name: Cache Cypress binary
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/Cypress
+          key: cypress-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            cypress-${{ runner.os }}-
+      - name: install dependencies
+        run: npm ci
       - name: build demo site
         run: npm run build:demo
-      - name: run e2e tests
-        if: matrix.os == 'ubuntu-latest' && matrix.node-version == '22.x'
+      - name: run e2e tests (parallel)
         run: npm run test:e2e:run-ci
         env:
+          CI_BUILD_ID: ${{ github.run_id }}-${{ github.run_attempt }}
           IS_FORK: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true || github.repository_owner != 'decaporg' }}
+          MACHINE_INDEX: ${{ matrix.machine }}
+          MACHINE_COUNT: 4
           CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }}
           NODE_OPTIONS: --max-old-space-size=4096
           TZ: Europe/Amsterdam
       - uses: actions/upload-artifact@v4
-        if: matrix.os == 'ubuntu-latest' && matrix.node-version == '22.x' && failure()
+        if: failure()
         with:
-          name: cypress-results
+          name: cypress-results-${{ matrix.machine }}
           path: |
             cypress/screenshots
             cypress/videos

.github/workflows/publish.yml

@@ -0,0 +1,70 @@
+name: Publish Packages
+
+on:
+  push:
+    tags:
+      - 'decap-*@*'
+
+permissions:
+  contents: read
+  id-token: write  # Required for OIDC trusted publishers
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    environment: production  # Optional: adds approval requirements and deployment protection
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Required for Lerna to detect changes
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '24'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build packages
+        run: npm run build
+
+      - name: Run tests
+        run: npm run test:ci
+
+      - name: Debug
+        run: |
+          echo "::group::Node & npm versions"
+          node -v
+          npm -v
+          echo "::endgroup::"
+
+          echo "::group::npm config (redacted)"
+          npm config get registry || true
+          npm config list -l | sed 's/_authToken.*/_authToken=[REDACTED]/' || true
+          echo "::endgroup::"
+
+          echo "::group::Env checks"
+          if [ -n "${NODE_AUTH_TOKEN}" ]; then echo "NODE_AUTH_TOKEN set? yes"; else echo "NODE_AUTH_TOKEN set? no"; fi
+          if [ -n "${NPM_CONFIG_USERCONFIG}" ]; then echo "NPM_CONFIG_USERCONFIG set? yes"; else echo "NPM_CONFIG_USERCONFIG set? no"; fi
+          echo "::endgroup::"
+
+          echo "::group::Git state"
+          git status --porcelain || true
+          git tag --list --points-at HEAD || true
+          echo "::endgroup::"
+
+          echo "::group::Registry package info"
+          npm view decap-server version || true
+          npm view decap-server versions --json || true
+          echo "::endgroup::"
+
+          echo "::group::Lerna packages"
+          npx lerna ls --json || true
+          echo "::endgroup::"
+
+      - name: Publish to npm
+        run: npm run lerna:publish -- --loglevel silly
+        # No NODE_AUTH_TOKEN needed - uses OIDC automatically via trusted publishers

.gitignore

@@ -8,6 +8,7 @@ npm-debug.log
 yarn-error.log
 .vscode/
 .idea/
+.claude/
 manifest.yml
 .imdone/
 cypress/videos

.npmrc

@@ -1,2 +1 @@
 legacy-peer-deps=true
-lockfileVersion=3

.nvmrc

@@ -1 +1 @@
---lts
+lts/*

.stylelintrc

@@ -1,7 +1,6 @@
 {
-  "processors": ["stylelint-processor-styled-components"],
-  "extends": ["stylelint-config-standard-scss", "stylelint-config-styled-components"],
-  "customSyntax": "postcss-scss",
+  "extends": ["stylelint-config-standard-scss"],
+  "customSyntax": "postcss-styled-syntax",
   "rules": {
     "block-no-empty": null,
     "no-duplicate-selectors": null,
@@ -19,15 +18,21 @@
     "keyframes-name-pattern": null,
     "value-list-comma-newline-after": null,
     "no-descending-specificity": null,
+    "indentation": null,
+    "no-empty-first-line": null,
+    "no-eol-whitespace": null,
+    "no-missing-end-of-source-newline": null,
+    "scss/operator-no-unspaced": null,
+    "scss/operator-no-newline-after": null,
+    "value-keyword-case": null,
+    "function-name-case": null,
+    "function-whitespace-after": null,
+    "selector-max-empty-lines": null,
     "selector-type-no-unknown": [
       true,
       {
         "ignoreTypes": ["$dummyValue"]
       }
-    ],
-    "value-keyword-case": [
-      "lower",
-      { "ignoreKeywords": ["dummyValue"], "camelCaseSvgKeywords": true }
     ]
   },
   "ignoreFiles": ["packages/decap-cms-lib-auth/index.d.ts"]

CONTRIBUTING.md

@@ -193,6 +193,63 @@ npx jest -t "true on p" ".+backend-gitlab/.+/API.spec.js"
 
 For more information about running tests exactly the way you want, check out the official documentation for [Jest CLI](https://jestjs.io/docs/cli).
 
+## Releasing
+
+Decap CMS uses NPM trusted publishers with OIDC for secure, automated package publishing.
+
+### How It Works
+
+- Publishing is automated via GitHub Actions when version tags are pushed
+- Uses OpenID Connect (OIDC) for authentication. No NPM tokens required
+- Each package has a trusted publisher configured on npmjs.com
+- Workflow generates short-lived, cryptographically-signed tokens automatically
+- Publishes all changed packages in the monorepo via Lerna
+
+### Release Process
+
+1. **Prepare the release:**
+  ```sh
+  # Ensure your local `main` branch is up to date
+  npm prune
+  npm install
+  npm run test
+
+  # Bump versions for changed packages
+  npx lerna version
+
+  # This will:
+  # - Detect changed packages since last release
+  # - Bump versions according to conventional commits
+  # - Update CHANGELOG.md
+  # - Create git commit and tags
+  # - Push to upstream
+  ```
+
+2. **Automated publishing:**
+   - Tags pushed to `main` trigger the publish workflow automatically
+   - GitHub Actions runs tests and builds packages
+   - Lerna publishes changed packages to npm using OIDC
+   - Provenance attestations are generated automatically
+
+3. **Create GitHub release:**
+   - Go to [Releases](https://github.com/decaporg/decap-cms/releases)
+   - Draft a new release from the tag
+   - Add release notes highlighting changes
+
+### Manual Publishing (Emergency Only)
+
+If automated publishing fails and you need to publish manually:
+
+```sh
+# Authenticate with npm (uses session-based auth with 2FA)
+npm login
+
+# Publish changed packages
+npm run lerna:publish
+```
+
+Note: Manual publishing still requires 2FA. Use recovery codes if you don't have access to your 2FA device.
+
 ## License
 
 By contributing to Decap CMS, you agree that your contributions will be licensed

SECURITY.md

@@ -0,0 +1,47 @@
+# Security Policy
+
+Decap CMS takes security seriously. This document outlines our security policy, supported versions, and how to report security vulnerabilities.
+
+## Supported Versions
+
+Security updates are provided for:
+
+| Version | Status | Lifecycle |
+|---------|--------|-----------|
+| 3.x | ✅ Actively Supported | Current stable release |
+| 2.x (Netlify CMS) | ❌ Unsupported | Legacy - no updates |
+| 1.x (Netlify CMS) | ❌ Unsupported | Legacy - no updates |
+
+**Note:** Decap CMS was renamed from Netlify CMS in February 2023. Versions 1.x and 2.x are no longer maintained. We recommend upgrading to version 3.x for security updates and new features.
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in Decap CMS, please report it **confidentially** through GitHub Security Advisories. This allows us to investigate and address the issue without exposing it to the public until a fix is ready.
+
+**Submit your report at:** https://github.com/decaporg/decap-cms/security/advisories/new
+
+### What NOT to Do
+
+- Do not open a public GitHub issue for the vulnerability
+- Do not post details on social media or public forums
+- Do not attempt to exploit the vulnerability beyond confirming it exists
+- Do not access data beyond what's necessary to demonstrate the issue
+
+## Response Timeline
+
+This project follows a 90-day disclosure timeline.
+
+## Security Practices
+
+- Dependabot is enabled for automated security update checks
+- All code changes are tested in CI, including linting
+- End-to-end tests provide coverage of critical functionality
+- All pull requests require code review before merging
+- Passwords are not stored by Decap CMS; authentication is delegated to providers
+
+## Known Limitations
+
+- This is a **community-maintained open-source project**, not a commercial product with dedicated security resources
+- Security depends on the stability and practices of underlying dependencies and backend providers
+- Some vulnerabilities in dependencies may not be immediately patchable if they break backwards compatibility
+- This is a project with a long history, and many legacy dependencies can't be updated without significant refactoring