Merge remote-tracking branch 'origin/4.7.x-merge-up-into-5.0.x_fQvGtR…

…tS' into 5.0.x

.gitattributes

@@ -7,6 +7,7 @@
 /.gitattributes export-ignore
 /.gitignore export-ignore
 /.gitsplit.yml export-ignore
+/.typos.toml export-ignore
 /babel.config.js export-ignore
 /CODE_OF_CONDUCT.md export-ignore
 /deptrac.yaml export-ignore
@@ -19,4 +20,5 @@
 /phpunit.xml.dist export-ignore
 /rector.php export-ignore
 /rollup.config.js export-ignore
+/sonar-project.properties export-ignore
 /tsconfig.json export-ignore

.github/workflows/codeql.yml

@@ -16,7 +16,7 @@ on:
     branches: [ "*.*.x" ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ "4.6.x" ]
+    branches: [ "4.6.x", "4.7.x" ]
   schedule:
     - cron: '37 10 * * 4'
 

.github/workflows/integrate.yml

@@ -5,8 +5,9 @@ name: "Integrate"
 on:
   push:
     branches:
-      - "*.x"
-  pull_request: null
+      - "*.*.x"
+  pull_request:
+    types: [opened, synchronize, reopened]
 
 jobs:
   byte_level:
@@ -31,7 +32,7 @@ jobs:
       - name: "Set up PHP"
         uses: "shivammathur/setup-php@v2"
         with:
-          php-version: "8.1"
+          php-version: "8.2"
           coverage: "none"
 
       - name: "Checkout code"
@@ -45,7 +46,7 @@ jobs:
       - name: "Check source code for syntax errors"
         run: "composer exec -- parallel-lint src/ tests/"
 
-  unit_tests:
+  php_tests:
     name: "2️⃣ Unit and functional tests"
     needs:
       - "byte_level"
@@ -56,6 +57,8 @@ jobs:
           - "ubuntu-latest"
         php-version:
           - "8.1"
+          - "8.2"
+          - "8.3"
         dependencies:
           - "lowest"
           - "highest"
@@ -70,6 +73,8 @@ jobs:
 
       - name: "Checkout code"
         uses: "actions/checkout@v3.5.2"
+        with:
+          fetch-depth: 0
 
       - name: "Install dependencies"
         uses: "ramsey/composer-install@v2"
@@ -80,17 +85,49 @@ jobs:
       - name: "Execute tests (PHP)"
         run: "make ci-cc"
 
+      - name: "Fix code coverage paths"
+        run: sed -i 's@'$GITHUB_WORKSPACE'@/github/workspace/@g' coverage.xml
+
+      - name: "SonarCloud Scan"
+        uses: "sonarsource/sonarcloud-github-action@master"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  js_tests:
+    name: "2️⃣ JS tests"
+    needs:
+      - "byte_level"
+      - "syntax_errors"
+    strategy:
+      matrix:
+        operating-system:
+          - "ubuntu-latest"
+        php-version:
+          - "8.2"
+    runs-on: ${{ matrix.operating-system }}
+    steps:
+      - name: "Set up PHP"
+        uses: "shivammathur/setup-php@v2"
+        with:
+          php-version: "${{ matrix.php-version }}"
+          extensions: "ctype, curl, dom, json, libxml, mbstring, openssl, phar, simplexml, sodium, tokenizer, xml, xmlwriter, zlib"
+          coverage: "xdebug"
+
+      - name: "Checkout code"
+        uses: "actions/checkout@v3.5.2"
+        with:
+          fetch-depth: 0
+
+      - name: "Install dependencies"
+        uses: "ramsey/composer-install@v2"
+        with:
+          dependency-versions: "${{ matrix.dependencies }}"
+          composer-options: "--optimize-autoloader"
+
       - name: "Execute tests (JS)"
         run: "make js"
 
-  #      - name: Send coverage to Coveralls
-  #        if: "matrix.php-version == '8.1' && matrix.dependencies == 'highest'"
-  #        env:
-  #          COVERALLS_REPO_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-  #        run: |
-  #          wget "https://github.com/php-coveralls/php-coveralls/releases/download/v2.5.2/php-coveralls.phar"
-  #          php ./php-coveralls.phar -v
-
   static_analysis:
     name: "3️⃣ Static Analysis"
     needs:
@@ -101,7 +138,7 @@ jobs:
       - name: "Set up PHP"
         uses: "shivammathur/setup-php@v2"
         with:
-          php-version: "8.1"
+          php-version: "8.2"
           extensions: "ctype, curl, dom, json, libxml, mbstring, openssl, phar, simplexml, sodium, tokenizer, xml, xmlwriter, zlib"
           coverage: "none"
 
@@ -133,7 +170,7 @@ jobs:
       - name: "Set up PHP"
         uses: "shivammathur/setup-php@v2"
         with:
-          php-version: "8.1"
+          php-version: "8.2"
           extensions: "ctype, curl, dom, json, libxml, mbstring, openssl, phar, simplexml, sodium, tokenizer, xml, xmlwriter, zlib"
           coverage: "none"
 
@@ -166,7 +203,7 @@ jobs:
       - name: "Set up PHP"
         uses: "shivammathur/setup-php@v2"
         with:
-          php-version: "8.1"
+          php-version: "8.2"
           extensions: "ctype, curl, dom, json, libxml, mbstring, openssl, phar, simplexml, sodium, tokenizer, xml, xmlwriter, zlib"
           coverage: "xdebug"
 
@@ -195,7 +232,7 @@ jobs:
       - name: "Set up PHP"
         uses: "shivammathur/setup-php@v2"
         with:
-          php-version: "8.1"
+          php-version: "8.2"
           extensions: "ctype, curl, dom, json, libxml, mbstring, openssl, phar, simplexml, sodium, tokenizer, xml, xmlwriter, zlib"
           coverage: "xdebug"
 
@@ -226,7 +263,7 @@ jobs:
 
       - name: "Check exported files"
         run: |
-          EXPECTED="LICENSE,README.md,SECURITY.md,composer.json,link,package.json"
+          EXPECTED="LICENSE,README.md,RELEASES.md,SECURITY.md,composer.json,link,package.json"
           CURRENT="$(git archive HEAD | tar --list --exclude="src" --exclude="src/*" | paste -s -d ",")"
           echo "CURRENT =${CURRENT}"
           echo "EXPECTED=${EXPECTED}"

.github/workflows/scorecards.yml

@@ -6,7 +6,7 @@ on:
   schedule:
     - cron: '34 4 * * 6'
   push:
-    branches: [ "4.6.x" ]
+    branches: [ "4.6.x", "4.7.x" ]
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -31,7 +31,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@v2.1.3
+        uses: ossf/scorecard-action@v2.2.0
         with:
           results_file: results.sarif
           results_format: sarif

.gitignore

@@ -7,3 +7,4 @@ yarn.lock
 yarn-error.log
 /composer.lock
 /vendor
+/.phpunit.cache/

.typos.toml

@@ -0,0 +1,21 @@
+[files]
+extend-exclude = [
+    "tests/metadataServices/",
+    "tests/blob.jwt"
+]
+[default]
+extend-ignore-re = [
+    "'\\{\"id\":\".+\\}';",
+    "'\\[\\{\".+\"\\}\\]';",
+    "'\\{\".+\"\\}';",
+    "'\\{\".+\\}'",
+    "'eHouz_Zi7-BmByHjJ_[A-Za-z0-9_-]+'",
+    "\"attestationObject\": \"[A-Za-z0-9_-]+\",",
+    "'mMihuIx9Luks[A-Za-z0-9_-]+'",
+    "\"Exemple FIDO2 authenticator de FIDO Alliance\""
+]
+[default.extend-words]
+cose = "cose"
+[default.extend-identifiers]
+"baDesc" = "baDesc"
+"getBaDesc" = "getBaDesc"

CODE_OF_CONDUCT.md

@@ -11,19 +11,19 @@ religion, or sexual identity and orientation.
 
 Examples of behavior that contributes to creating a positive environment include:
 
-- Using welcoming and inclusive language
-- Being respectful of differing viewpoints and experiences
-- Gracefully accepting constructive criticism
-- Focusing on what is best for the community
-- Showing empathy towards other community members
+-   Using welcoming and inclusive language
+-   Being respectful of differing viewpoints and experiences
+-   Gracefully accepting constructive criticism
+-   Focusing on what is best for the community
+-   Showing empathy towards other community members
 
 Examples of unacceptable behavior by participants include:
 
-- The use of sexualized language or imagery and unwelcome sexual attention or advances
-- Trolling, insulting/derogatory comments, and personal or political attacks
-- Public or private harassment
-- Publishing others' private information, such as a physical or electronic address, without explicit permission
-- Other conduct which could reasonably be considered inappropriate in a professional setting
+-   The use of sexualized language or imagery and unwelcome sexual attention or advances
+-   Trolling, insulting/derogatory comments, and personal or political attacks
+-   Public or private harassment
+-   Publishing others' private information, such as a physical or electronic address, without explicit permission
+-   Other conduct which could reasonably be considered inappropriate in a professional setting
 
 ## Our Responsibilities
 
@@ -57,5 +57,4 @@ This Code of Conduct is adapted from the [Contributor Covenant][homepage], versi
 at [http://contributor-covenant.org/version/1/4][version]
 
 [homepage]: http://contributor-covenant.org
-
 [version]: http://contributor-covenant.org/version/1/4/

Makefile

@@ -9,7 +9,7 @@ tests: vendor ## Run all tests
 
 .PHONY: cc
 cc: vendor ## Show test coverage rates (HTML)
-	vendor/bin/phpunit --coverage-html ./build
+	XDEBUG_MODE=coverage vendor/bin/phpunit --coverage-html ./build
 
 .PHONY: cs
 cs: vendor ## Fix all files using defined ECS rules
@@ -40,7 +40,7 @@ ci-mu: vendor ## Mutation tests (for CI/CD only)
 
 .PHONY: ci-cc
 ci-cc: vendor ## Show test coverage rates (for CI/CD only)
-	vendor/bin/phpunit --coverage-text
+	XDEBUG_MODE=coverage vendor/bin/phpunit --coverage-text --coverage-clover=coverage.xml
 
 .PHONY: ci-cs
 ci-cs: vendor ## Check all files using defined ECS rules (for CI/CD only)

README.md

@@ -1,5 +1,4 @@
-Webauthn Framework
-==================
+# Webauthn Framework
 
 ![Build Status](https://github.com/web-auth/webauthn-framework/workflows/Integrate/badge.svg)
 

RELEASES.md

@@ -0,0 +1,21 @@
+# Versioning and Release
+
+This document describes the versioning and release process of the Webauthn Framework.
+This document is a living document, contents will be updated according to each release.
+
+## Releases
+
+Webauthn Framework releases will be versioned using dotted triples, similar to [Semantic Version](http://semver.org/).
+For this specific document, we will refer to the respective components of this triple as `<major>.<minor>.<patch>`.
+The version number may have additional information, such as "-rc1,-rc2,-rc3" to mark release candidate builds for earlier access.
+Such releases will be considered as "pre-releases".
+
+## Minor Release Support Matrix
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 4.7.x   | :white_check_mark: |
+| 4.6.x   | :white_check_mark: |
+| 4.5.x   | :white_check_mark: |
+| 3.3.x   | :white_check_mark: |
+| < 3.3.x | :x:                |