Feature/6654 symfony upgrade

.docker/data/.gitignore

@@ -1,5 +1,5 @@
 # Ignore everything in this directory
 *
-# Except this file
+# Except
 !.gitignore
-!Readme.md
+!README.md

.docker/nginx.conf

@@ -17,9 +17,7 @@ http {
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;
 
-    set_real_ip_from 172.16.0.0/16;
-    real_ip_recursive on;
-    real_ip_header X-Forwarded-For;
+    # Note: set_real_ip_from is set in the server block
 
     log_format  main  '$http_x_real_ip - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '

.docker/templates/default.conf.template

@@ -6,11 +6,20 @@ server {
 
     client_max_body_size ${NGINX_MAX_BODY_SIZE};
 
-    # This also needs to be set in the single server tag and not only in http.
     set_real_ip_from 172.16.0.0/16;
+    set_real_ip_from 192.168.39.0/24;
     real_ip_recursive on;
     real_ip_header X-Forwarded-For;
 
+    location = /cron-metrics {
+        # Proxy to supercronic metrics
+        proxy_pass http://${NGINX_CRON_METRICS}/metrics;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
     location / {
         # try to serve file directly, fallback to index.php
         try_files $uri /index.php$is_args$args;

.env

@@ -1,6 +1,6 @@
 COMPOSE_PROJECT_NAME=itksites
-#COMPOSE_DOMAIN=itksites.local.itkdev.dk
-COMPOSE_DOMAIN=sites.itkdev.dk
+COMPOSE_DOMAIN=itksites.local.itkdev.dk
+ITKDEV_TEMPLATE=symfony-8
 
 # In all environments, the following files are loaded if they exist,
 # the latter taking precedence over the former:

.github/workflows/api-spec.yaml

@@ -0,0 +1,143 @@
+name: API Specification
+
+on:
+    pull_request:
+        paths:
+            - "src/**/*.php"
+            - "config/**"
+            - "composer.json"
+            - "composer.lock"
+            - "public/api-spec-v1.yaml"
+            - "public/api-spec-v1.json"
+            - "docker-compose.yml"
+
+env:
+    COMPOSE_USER: runner
+
+jobs:
+    api-spec-export:
+        name: Ensure API specification is up to date
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v6
+
+            - name: Create docker network
+              run: docker network create frontend
+
+            # https://taskfile.dev/installation/#github-actions
+            - uses: go-task/setup-task@v1
+
+            - name: Export API specification
+              run: |
+                  task site:update
+                  task api:spec:export
+
+            - name: Check for uncommitted changes
+              id: git-diff-spec
+              continue-on-error: true
+              run: |
+                  git diff --diff-filter=ACMRT --exit-code public/api-spec-v1.yaml public/api-spec-v1.json
+
+            - name: Comment PR if spec is outdated
+              if: steps.git-diff-spec.outcome == 'failure'
+              env:
+                  GH_TOKEN: ${{ github.token }}
+              run: |
+                  gh pr comment ${{ github.event.pull_request.number }} \
+                    --body "$(cat <<'EOF'
+                  ## API specification not up to date
+
+                  The committed API specification files do not match the exported output.
+
+                  Please run the following command, then commit and push the changes:
+
+                  ```shell
+                  docker compose exec phpfpm composer update-api-spec
+                  ```
+                  EOF
+                  )" \
+                    --create-if-none --edit-last
+
+            - name: Fail if spec is outdated
+              if: steps.git-diff-spec.outcome == 'failure'
+              run: exit 1
+
+    api-spec-breaking-changes:
+        name: Detect breaking changes in API specification
+        runs-on: ubuntu-latest
+        needs: [api-spec-export]
+        permissions:
+            pull-requests: write
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v6
+
+            - name: Fetch base branch for comparison
+              run: git fetch --depth=1 origin ${{ github.base_ref }}
+
+            - name: Detect breaking changes
+              id: breaking
+              continue-on-error: true
+              uses: oasdiff/oasdiff-action/breaking@main
+              with:
+                  base: "origin/${{ github.base_ref }}:public/api-spec-v1.yaml"
+                  revision: "public/api-spec-v1.yaml"
+                  fail-on: ERR
+
+            - name: Generate changelog
+              id: changelog
+              continue-on-error: true
+              uses: oasdiff/oasdiff-action/changelog@main
+              with:
+                  base: "origin/${{ github.base_ref }}:public/api-spec-v1.yaml"
+                  revision: "public/api-spec-v1.yaml"
+                  format: markdown
+                  output-to-file: changelog.md
+
+            - name: Comment PR - no changes
+              if: steps.breaking.outcome == 'success' && hashFiles('changelog.md') == ''
+              env:
+                  GH_TOKEN: ${{ github.token }}
+              run: |
+                  gh pr comment ${{ github.event.pull_request.number }} \
+                    --body "## API Specification
+
+                  No changes detected in API specification." \
+                    --create-if-none --edit-last
+
+            - name: Comment PR - non-breaking changes
+              if: steps.breaking.outcome == 'success' && hashFiles('changelog.md') != ''
+              env:
+                  GH_TOKEN: ${{ github.token }}
+              run: |
+                  {
+                    echo "## API Specification - Non-breaking changes"
+                    echo ""
+                    cat changelog.md
+                  } > comment.md
+                  gh pr comment ${{ github.event.pull_request.number }} \
+                    --body-file comment.md \
+                    --create-if-none --edit-last
+
+            - name: Comment PR - breaking changes
+              if: steps.breaking.outcome == 'failure'
+              env:
+                  GH_TOKEN: ${{ github.token }}
+              run: |
+                  {
+                    echo "## API Specification - Breaking changes detected"
+                    echo ""
+                    if [ -s changelog.md ]; then
+                      cat changelog.md
+                    else
+                      echo "The breaking changes action detected incompatible changes. Review the action logs for details."
+                    fi
+                  } > comment.md
+                  gh pr comment ${{ github.event.pull_request.number }} \
+                    --body-file comment.md \
+                    --create-if-none --edit-last
+
+            - name: Fail if breaking changes detected
+              if: steps.breaking.outcome == 'failure'
+              run: exit 1

.github/workflows/changelog.yaml

@@ -0,0 +1,27 @@
+# Do not edit this file! Make a pull request on changing
+# github/workflows/changelog.yaml in
+# https://github.com/itk-dev/devops_itkdev-docker if need be.
+
+### ### Changelog
+###
+### Checks that changelog has been updated
+
+name: Changelog
+
+on:
+    pull_request:
+
+jobs:
+    changelog:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v6
+              with:
+                  fetch-depth: 2
+
+            - name: Git fetch
+              run: git fetch
+
+            - name: Check that changelog has been updated.
+              run: git diff --exit-code origin/${{ github.base_ref }} -- CHANGELOG.md && exit 1 || exit 0

.github/workflows/composer.yaml

@@ -0,0 +1,79 @@
+# Do not edit this file! Make a pull request on changing
+# github/workflows/composer.yaml in
+# https://github.com/itk-dev/devops_itkdev-docker if need be.
+
+### ### Composer
+###
+### Validates composer.json and checks that it's normalized.
+###
+### #### Assumptions
+###
+### 1. A docker compose service named `phpfpm` can be run and `composer` can be
+###    run inside the `phpfpm` service.
+### 2. [ergebnis/composer-normalize](https://github.com/ergebnis/composer-normalize)
+###    is a dev requirement in `composer.json`:
+###
+###    ``` shell
+###    docker compose run --rm phpfpm composer require --dev ergebnis/composer-normalize
+###    ```
+###
+###    Normalize `composer.json` by running
+###
+###    ``` shell
+###    docker compose run --rm phpfpm composer normalize
+###    ```
+
+name: Composer
+
+env:
+    COMPOSE_USER: runner
+
+on:
+    pull_request:
+        paths: &paths
+            - "composer.json"
+            - "composer.lock"
+            - "docker-compose.yml"
+    push:
+        branches:
+            - main
+            - develop
+        paths: *paths
+
+jobs:
+    composer-validate:
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v6
+
+            - name: Create docker network
+              run: |
+                  docker network create frontend
+
+            - run: |
+                  docker compose run --rm phpfpm composer validate --strict
+
+    composer-normalized:
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v6
+
+            - name: Create docker network
+              run: |
+                  docker network create frontend
+
+            - run: |
+                  docker compose run --rm phpfpm composer install
+                  docker compose run --rm phpfpm composer normalize --dry-run
+
+    composer-audit:
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v6
+
+            - name: Create docker network
+              run: |
+                  docker network create frontend
+
+            - run: |
+                  docker compose run --rm phpfpm composer audit

.github/workflows/github_build_release.yml

@@ -1,45 +1,45 @@
 on:
-  push:
-    tags:
-      - '*.*.*'
+    push:
+        tags:
+            - "*.*.*"
 
 name: Create Github Release
 
 permissions:
-  contents: write
+    contents: write
 
 jobs:
-  create-release:
-    runs-on: ubuntu-latest
-    env:
-      COMPOSER_ALLOW_SUPERUSER: 1
-      APP_ENV: prod
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Composer install
-        run: |
-          docker network create frontend
-          docker compose run --rm --user=root --env APP_ENV=prod phpfpm composer install --no-dev -o --classmap-authoritative
-          docker compose run --rm --user=root --env APP_ENV=prod phpfpm composer clear-cache
-          docker compose run --rm node yarn install
-          docker compose run --rm node yarn build
-
-      - name: Make assets dir
-        run: |
-          mkdir -p ../assets
-
-      - name: Create archive
-        run: tar --exclude='.git' --exclude='node_modules' -zcf ../assets/${{ github.event.repository.name }}-${{ github.ref_name }}.tar.gz ./
-
-      - name: Create checksum
-        run: |
-          cd ../assets
-          sha256sum ${{ github.event.repository.name }}-${{ github.ref_name }}.tar.gz > ../assets/checksum.txt
-
-      - name: Create a release in GitHub and uploads assets
-        run: gh release create ${{ github.ref_name }} --verify-tag --generate-notes ../assets/*.*
+    create-release:
+        runs-on: ubuntu-latest
         env:
-          GITHUB_TOKEN: ${{ github.TOKEN }}
-        shell: bash
+            COMPOSER_ALLOW_SUPERUSER: 1
+            APP_ENV: prod
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+
+            - name: Composer install
+              run: |
+                  docker network create frontend
+                  docker compose run --rm --user=root --env APP_ENV=prod phpfpm composer install --no-dev -o --classmap-authoritative
+                  docker compose run --rm --user=root --env APP_ENV=prod phpfpm composer clear-cache
+                  docker compose run --rm node yarn install
+                  docker compose run --rm node yarn build
+
+            - name: Make assets dir
+              run: |
+                  mkdir -p ../assets
+
+            - name: Create archive
+              run: tar --exclude='.git' --exclude='node_modules' -zcf ../assets/${{ github.event.repository.name }}-${{ github.ref_name }}.tar.gz ./
+
+            - name: Create checksum
+              run: |
+                  cd ../assets
+                  sha256sum ${{ github.event.repository.name }}-${{ github.ref_name }}.tar.gz > ../assets/checksum.txt
+
+            - name: Create a release in GitHub and uploads assets
+              run: gh release create ${{ github.ref_name }} --verify-tag --generate-notes ../assets/*.*
+              env:
+                  GITHUB_TOKEN: ${{ github.TOKEN }}
+              shell: bash