Adding upstream version 5.3.0+dfsg.upstream/5.3.0+dfsg

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

13 files changed, 123 insertions, 28 deletions

diff --git a/.github/workflows/browserstack.yml b/.github/workflows/browserstack.yml
index 425c566..e545d62 100644
--- a/.github/workflows/browserstack.yml
+++ b/.github/workflows/browserstack.yml
@@ -2,21 +2,29 @@ name: BrowserStack
 
 on:
   push:
+    branches:
+      - "**"
+      - "!dependabot/**"
   workflow_dispatch:
 
 env:
   FORCE_COLOR: 2
-  NODE: 16
+  NODE: 18
+
+permissions:
+  contents: read
 
 jobs:
   browserstack:
     runs-on: ubuntu-latest
-    if: github.repository == 'twbs/bootstrap' && (!contains(github.event.commits[0].message, '[ci skip]') && !contains(github.event.commits[0].message, '[skip ci]'))
+    if: github.repository == 'twbs/bootstrap'
     timeout-minutes: 30
 
     steps:
       - name: Clone repository
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
       - name: Set up Node.js
         uses: actions/setup-node@v3
diff --git a/.github/workflows/bundlewatch.yml b/.github/workflows/bundlewatch.yml
index d1a1747..c02a37e 100644
--- a/.github/workflows/bundlewatch.yml
+++ b/.github/workflows/bundlewatch.yml
@@ -2,14 +2,17 @@ name: Bundlewatch
 
 on:
   push:
-    branches-ignore:
-      - "dependabot/**"
+    branches:
+      - main
   pull_request:
   workflow_dispatch:
 
 env:
   FORCE_COLOR: 2
-  NODE: 16
+  NODE: 18
+
+permissions:
+  contents: read
 
 jobs:
   bundlewatch:
@@ -18,6 +21,8 @@ jobs:
     steps:
       - name: Clone repository
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
       - name: Set up Node.js
         uses: actions/setup-node@v3
diff --git a/.github/workflows/calibreapp-image-actions.yml b/.github/workflows/calibreapp-image-actions.yml
index e23f562..21df1f6 100644
--- a/.github/workflows/calibreapp-image-actions.yml
+++ b/.github/workflows/calibreapp-image-actions.yml
@@ -17,6 +17,8 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
       - name: Compress Images
         uses: calibreapp/image-actions@1.1.0
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 70be056..b1780ee 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -7,13 +7,12 @@ on:
       - v4-dev
       - "!dependabot/**"
   pull_request:
-    # The branches below must be a subset of the branches above
     branches:
       - main
       - v4-dev
       - "!dependabot/**"
   schedule:
-    - cron: "0 2 * * 5"
+    - cron: "0 2 * * 4"
   workflow_dispatch:
 
 jobs:
@@ -21,18 +20,25 @@ jobs:
     name: Analyze
     runs-on: ubuntu-latest
     permissions:
-      actions: read
-      contents: read
       security-events: write
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v2
         with:
+          config-file: ./.github/codeql/codeql-config.yml
           languages: "javascript"
+          queries: +security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:javascript"
diff --git a/.github/workflows/cspell.yml b/.github/workflows/cspell.yml
index 3751ad3..11788e3 100644
--- a/.github/workflows/cspell.yml
+++ b/.github/workflows/cspell.yml
@@ -2,22 +2,30 @@ name: cspell
 
 on:
   push:
-    branches-ignore:
-      - "dependabot/**"
+    branches:
+      - main
   pull_request:
   workflow_dispatch:
 
 env:
   FORCE_COLOR: 2
-  NODE: 16
+
+permissions:
+  contents: read
 
 jobs:
   cspell:
+    permissions:
+      # allow streetsidesoftware/cspell-action to fetch files for commits and PRs
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
 
     steps:
       - name: Clone repository
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
       - name: Run cspell
         uses: streetsidesoftware/cspell-action@v2
diff --git a/.github/workflows/css.yml b/.github/workflows/css.yml
index 857a567..66112a9 100644
--- a/.github/workflows/css.yml
+++ b/.github/workflows/css.yml
@@ -2,14 +2,17 @@ name: CSS
 
 on:
   push:
-    branches-ignore:
-      - "dependabot/**"
+    branches:
+      - main
   pull_request:
   workflow_dispatch:
 
 env:
   FORCE_COLOR: 2
-  NODE: 16
+  NODE: 18
+
+permissions:
+  contents: read
 
 jobs:
   css:
@@ -18,6 +21,8 @@ jobs:
     steps:
       - name: Clone repository
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
       - name: Set up Node.js
         uses: actions/setup-node@v3
@@ -30,3 +35,6 @@ jobs:
 
       - name: Build CSS
         run: npm run css
+
+      - name: Run CSS tests
+        run: npm run css-test
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index f33413e..2a684f6 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -2,14 +2,17 @@ name: Docs
 
 on:
   push:
-    branches-ignore:
-      - "dependabot/**"
+    branches:
+      - main
   pull_request:
   workflow_dispatch:
 
 env:
   FORCE_COLOR: 2
-  NODE: 16
+  NODE: 18
+
+permissions:
+  contents: read
 
 jobs:
   docs:
@@ -18,6 +21,8 @@ jobs:
     steps:
       - name: Clone repository
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
       - name: Set up Node.js
         uses: actions/setup-node@v3
diff --git a/.github/workflows/issue-close-require.yml b/.github/workflows/issue-close-require.yml
index b251cd7..b5000d8 100644
--- a/.github/workflows/issue-close-require.yml
+++ b/.github/workflows/issue-close-require.yml
@@ -4,8 +4,15 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   issue-close-require:
+    permissions:
+      # allow actions-cool/issues-helper to update issues and PRs
+      issues: write
+      pull-requests: write
     runs-on: ubuntu-latest
     if: github.repository == 'twbs/bootstrap'
     steps:
diff --git a/.github/workflows/issue-labeled.yml b/.github/workflows/issue-labeled.yml
index fac5849..584879d 100644
--- a/.github/workflows/issue-labeled.yml
+++ b/.github/workflows/issue-labeled.yml
@@ -4,8 +4,15 @@ on:
   issues:
     types: [labeled]
 
+permissions:
+  contents: read
+
 jobs:
   issue-labeled:
+    permissions:
+      # allow actions-cool/issues-helper to update issues and PRs
+      issues: write
+      pull-requests: write
     if: github.repository == 'twbs/bootstrap'
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/js.yml b/.github/workflows/js.yml
index 82616c5..805b1b7 100644
--- a/.github/workflows/js.yml
+++ b/.github/workflows/js.yml
@@ -2,23 +2,32 @@ name: JS Tests
 
 on:
   push:
-    branches-ignore:
-      - "dependabot/**"
+    branches:
+      - main
   pull_request:
   workflow_dispatch:
 
 env:
   FORCE_COLOR: 2
-  NODE: 16
+  NODE: 18
+
+permissions:
+  contents: read
 
 jobs:
   run:
+    permissions:
+      # allow coverallsapp/github-action to create new checks issues and fetch code
+      checks: write
+      contents: read
     name: JS Tests
     runs-on: ubuntu-latest
 
     steps:
       - name: Clone repository
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
       - name: Set up Node.js
         uses: actions/setup-node@v3
@@ -36,7 +45,7 @@ jobs:
         run: npm run js-test
 
       - name: Run Coveralls
-        uses: coverallsapp/github-action@1.1.3
+        uses: coverallsapp/github-action@v2
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
           path-to-lcov: "./js/coverage/lcov.info"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 816694e..fd62b41 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,14 +2,17 @@ name: Lint
 
 on:
   push:
-    branches-ignore:
-      - "dependabot/**"
+    branches:
+      - main
   pull_request:
   workflow_dispatch:
 
 env:
   FORCE_COLOR: 2
-  NODE: 16
+  NODE: 18
+
+permissions:
+  contents: read
 
 jobs:
   lint:
@@ -18,6 +21,8 @@ jobs:
     steps:
       - name: Clone repository
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
       - name: Set up Node.js
         uses: actions/setup-node@v3
diff --git a/.github/workflows/node-sass.yml b/.github/workflows/node-sass.yml
index 465cee4..c558e44 100644
--- a/.github/workflows/node-sass.yml
+++ b/.github/workflows/node-sass.yml
@@ -2,14 +2,17 @@ name: CSS (node-sass)
 
 on:
   push:
-    branches-ignore:
-      - "dependabot/**"
+    branches:
+      - main
   pull_request:
   workflow_dispatch:
 
 env:
   FORCE_COLOR: 2
-  NODE: 16
+  NODE: 18
+
+permissions:
+  contents: read
 
 jobs:
   css:
@@ -18,6 +21,8 @@ jobs:
     steps:
       - name: Clone repository
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
       - name: Set up Node.js
         uses: actions/setup-node@v3
@@ -29,3 +34,16 @@ jobs:
           npx --package node-sass@latest node-sass --version
           npx --package node-sass@latest node-sass --output-style expanded --source-map true --source-map-contents true --precision 6 scss/ -o dist-sass/css/
           ls -Al dist-sass/css
+
+      - name: Check built CSS files for Sass variables
+        shell: bash
+        run: |
+          SASS_VARS_FOUND=$(find "dist-sass/css/" -type f -name "*.css" -print0 | xargs -0 --no-run-if-empty grep -F "\$" || true)
+          if [[ -z "$SASS_VARS_FOUND" ]]; then
+            echo "All good, no Sass variables found!"
+            exit 0
+          else
+            echo "Found $(echo "$SASS_VARS_FOUND" | wc -l | bc) Sass variables:"
+            echo "$SASS_VARS_FOUND"
+            exit 1
+          fi
diff --git a/.github/workflows/release-notes.yml b/.github/workflows/release-notes.yml
index bbd0a24..f620dd3 100644
--- a/.github/workflows/release-notes.yml
+++ b/.github/workflows/release-notes.yml
@@ -6,8 +6,15 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   update_release_draft:
+    permissions:
+      # allow release-drafter/release-drafter to create GitHub releases and add labels to PRs
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     if: github.repository == 'twbs/bootstrap'
     steps: