Merge branch 'master' into fix/2631-play-card-lifecycle-guard

Author: sydseter

.github/workflows/build-website-staging.yml

@@ -42,22 +42,10 @@
               pnpm install          # Install dependencies
               npm run build-stage   # Build staging version
               npm run coverage
-          - name: Install smoke test tools
+          - name: Smoke Test - Application Verification
             working-directory: cornucopia.owasp.org
             run: |
-             pnpm add -D serve wait-on
-
-          - name: Smoke test
-            working-directory: cornucopia.owasp.org
-            run: |
-             pnpm exec serve build -l 3000 &
-             sleep 2
-             pnpm exec wait-on http://localhost:3000
-             
-          - name: Smoke test
-            working-directory: cornucopia.owasp.org
-            run: |
-              pnpm exec serve build &
+              pnpm exec serve build -l 3000 &
               pnpm exec wait-on http://localhost:3000
               npm run smoke-test
               kill $(jobs -p) || true

.github/workflows/build-website.yml

@@ -64,10 +64,10 @@
               echo "Max retries reached, skipping audit due to transient registry errors"
               exit 0
 
-          - name: Smoke test
+          - name: Smoke Test - Application Verification
             working-directory: cornucopia.owasp.org
             run: |
-              pnpm exec serve build &
+              pnpm exec serve build -l 3000 &
               pnpm exec wait-on http://localhost:3000
               npm run smoke-test
 
@@ -80,5 +80,3 @@
              total-parts-count: 3
              add-prefix: cornucopia.owasp.org
              files: cornucopia.owasp.org/coverage/lcov.info
-              kill $(jobs -p) || true
-

.github/workflows/run-tests-generate-output.yaml

@@ -35,7 +35,8 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          ref: ${{ github.event.pull_request.head.sha }}
+          # use the commit that triggered this workflow to avoid any wildcard fetch
+          ref: ${{ github.sha }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           persist-credentials: false
       # Set the pip environment up

.github/workflows/zap-nightly-scan-website.yml

@@ -0,0 +1,95 @@
+---
+name: "ZAP Nightly Scan - Cornucopia Website"
+
+on:
+  schedule:
+    - cron: '30 0 * * *'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  zap-scan:
+    name: "OWASP ZAP DAST Scan - Website"
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Build website Docker image
+        working-directory: cornucopia.owasp.org
+        run: docker build -t cornucopia-website .
+
+      - name: Start website container
+        run: |
+          docker run -d --name cornucopia-website -p 8080:80 cornucopia-website
+          timeout 60 bash -c 'until curl -f http://localhost:8080 > /dev/null 2>&1; do sleep 2; done'
+
+      - name: Run ZAP Full Scan with AJAX Spider
+        run: |
+          mkdir -p zap-reports
+          sudo chown 1000:1000 zap-reports
+          docker run --network="host" \
+            --user 1000:1000 \
+            -v $(pwd)/zap-reports:/zap/wrk/:rw \
+            -t ghcr.io/zaproxy/zaproxy:2.16.1 \
+            zap-full-scan.py \
+            -t http://localhost:8080 \
+            -j \
+            -r website_dast_report.html \
+            -w website_dast_report.md \
+            -J website_dast_report.json \
+            -x website_dast_report.xml \
+            -a \
+            -d \
+            -z "-config ajaxSpider.maxDuration=10 -config scanner.maxScanDurationInMins=180" \
+            || true
+
+      - name: Stop website container
+        if: always()
+        run: |
+          docker stop cornucopia-website || true
+          docker rm cornucopia-website || true
+
+      - name: Upload ZAP reports as artifacts
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: zap-website-dast-reports
+          path: zap-reports/
+          retention-days: 30
+
+      - name: Check for high-risk vulnerabilities
+        if: always()
+        run: |
+          if [ -f zap-reports/website_dast_report.json ]; then
+            HIGH_RISK=$(jq '[.site[].alerts[] | select(.riskcode == "3")] | length' zap-reports/website_dast_report.json || echo "0")
+            MEDIUM_RISK=$(jq '[.site[].alerts[] | select(.riskcode == "2")] | length' zap-reports/website_dast_report.json || echo "0")
+            
+            echo "High Risk Vulnerabilities: $HIGH_RISK"
+            echo "Medium Risk Vulnerabilities: $MEDIUM_RISK"
+            
+            if [ "$HIGH_RISK" -gt "0" ]; then
+              echo "⚠️ WARNING: $HIGH_RISK high-risk vulnerabilities detected!"
+              echo "Please review the ZAP report for details."
+            fi
+          else
+            echo "ZAP report not found, skipping vulnerability check"
+          fi
+
+      - name: Upload reports to pre-release
+        if: always()
+        run: |
+          for f in \
+            zap-reports/website_dast_report.html \
+            zap-reports/website_dast_report.json \
+            zap-reports/website_dast_report.xml \
+            zap-reports/website_dast_report.md; do
+            if [ -f "$f" ]; then
+              gh release upload "pre-release" "$f" --clobber
+            fi
+          done
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Dockerfile

@@ -34,5 +34,5 @@ COPY --chown=builder:union Pipfile Pipfile.lock ./
 RUN pipenv --python "$(which python)" install --ignore-pipfile --dev
 ENTRYPOINT ["/usr/local/bin/pipenv"]
 
-FROM mvdan/shfmt@sha256:be41bc426ec3f723d1dd9b4755630ad4d6680a2801fe62fbc2739207fc5f3a6c AS shfmt
+FROM mvdan/shfmt@sha256:550a52385774f68823bbe7bfbb74a249c4f28c8c118cc48c2b54df981b527d71 AS shfmt
 ENTRYPOINT ["/bin/shfmt"]

Pipfile

@@ -19,8 +19,8 @@ types-pyyaml = "==6.0.12.20250915"
 idna = "==3.11"
 pypng = "==0.20220715.0"
 qrcode = "==8.2"
-requests = "==2.32.5"
-types-requests = "==2.32.4.20260107"
+requests = "==2.33.0"
+types-requests = "==2.32.4.20260324"
 typing_extensions = "==4.8.0"
 urllib3 = "==2.6.3"
 charset-normalizer = "==3.4.6"

Pipfile.lock

@@ -1,4 +1,5 @@
 
+<%= if @player do %>
   <.live_component
     module={CopiWeb.PlayerLive.FormComponent}
     id={:new}
@@ -8,6 +9,7 @@
     client_ip={@client_ip}
     patch={~p"/games/#{@game.id}"}
   />
+<% end %>
 
 
 <!--