New Cornucopia website

.dockerignore

@@ -0,0 +1,4 @@
+node_modules
+npm-debug.log
+build
+.svelte-kit

.github/workflows/build-website.yml

@@ -0,0 +1,46 @@
+---
+    name: Build and Test
+    on:
+        # Triggers the workflow on push or pull request events but only for the main branch
+        push:
+          paths:
+          - 'cornucopia.owasp.org/**'
+    permissions:
+      contents: read
+    jobs:
+      hardening:
+        name: Hardening
+        runs-on: ubuntu-latest
+        steps:
+          # Make sure we have some code to test
+          - name: Harden runner
+            uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+            with:
+              egress-policy: block
+              allowed-endpoints: >
+                api.github.com:443
+                github-cloud.githubusercontent.com:443
+                github.com:443
+                motd.ubuntu.com:443
+                keys.openpgp.org:443
+      build:
+        runs-on: ubuntu-latest
+        steps:
+          - name: Checkout repository
+            uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+          - uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
+            name: Install pnpm
+            with:
+              version: 10.0.0
+              run_install: false
+
+          - name: Install Node.js
+            uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+            with:
+              node-version: 20.18.2
+          - name: Build
+            working-directory: cornucopia.owasp.org
+            run: |
+              pnpm install          # Install dependencies
+              npm run build        # Build production version
+              pnpm audit --prod

.github/workflows/codeql.yml

@@ -39,7 +39,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ["python"]
+        language: ["python", "typescript"]
         # CodeQL supports [ $supported-codeql-languages ]
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 

.github/workflows/dependency-review.yml

@@ -24,3 +24,6 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
+        with:
+          # Ignore GHSA-vg6x-rcgg-rjx6 as the dev server is not used for static projects other then for debugging locally
+          allow-ghsas: GHSA-vg6x-rcgg-rjx6,	

.github/workflows/deploy-production.yml

@@ -0,0 +1,62 @@
+---
+    name: Build and Deploy The Cornucopia Website on Production
+    on: 
+      push:
+        branches: [master]
+        paths:
+        - 'cornucopia.owasp.org/**'
+    permissions:
+      contents: read
+    jobs:
+      if: false
+      hardening:
+        name: Hardening
+        runs-on: ubuntu-latest
+        steps:
+          # Make sure we have some code to test
+          - name: Harden runner
+            uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+            with:
+              egress-policy: block
+              allowed-endpoints: >
+                api.github.com:443
+                github-cloud.githubusercontent.com:443
+                github.com:443
+                motd.ubuntu.com:443
+                keys.openpgp.org:443
+      build-and-deploy-production:
+        runs-on: ubuntu-latest
+        steps:
+          - name: Checkout repository
+            uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+          - uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
+            name: Install pnpm
+            with:
+              version: 10.0.0
+              run_install: false
+
+          - name: Install Node.js
+            uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+            with:
+              node-version: 20.18.2
+          - name: Build
+            working-directory: cornucopia.owasp.org
+            run: |
+              pnpm install          # Install dependencies
+              npm run build        # Build production version
+          - name: Deploy the website
+            uses: cloudflare/wrangler-action@7a5f8bbdfeedcde38e6777a50fe685f89259d4ca
+            with:
+              workingDirectory: "cornucopia.owasp.org"
+              apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+              accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+              wranglerVersion: "3.105.1"
+              command: pages deploy build --project-name=cornucopia
+          - name: Deploy the worker routes
+            uses: cloudflare/wrangler-action@7a5f8bbdfeedcde38e6777a50fe685f89259d4ca
+            with:
+                workingDirectory: "cornucopia.owasp.org"
+                apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+                accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+                wranglerVersion: "3.105.1"
+                command: deploy script/nonce-worker.js --config script/wrangler.toml --env production

.github/workflows/deploy-staging.yml

@@ -0,0 +1,60 @@
+---
+    name: Build and Deploy The Cornucopia Website on Staging
+    on: 
+      pull_request:
+        paths:
+        - 'cornucopia.owasp.org/**'
+    permissions:
+      contents: read
+    jobs:
+      hardening:
+        name: Hardening
+        runs-on: ubuntu-latest
+        steps:
+          # Make sure we have some code to test
+          - name: Harden runner
+            uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+            with:
+              egress-policy: block
+              allowed-endpoints: >
+                api.github.com:443
+                github-cloud.githubusercontent.com:443
+                github.com:443
+                motd.ubuntu.com:443
+                keys.openpgp.org:443
+      build-and-deploy-staging:
+        runs-on: ubuntu-latest
+        steps:
+          - name: Checkout repository
+            uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+          - uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
+            name: Install pnpm
+            with:
+              version: 10.0.0
+              run_install: false
+
+          - name: Install Node.js
+            uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+            with:
+              node-version: 20.18.2
+          - name: Build
+            working-directory: cornucopia.owasp.org
+            run: |
+              pnpm install          # Install dependencies
+              npm run build        # Build production version
+          - name: Deploy the website
+            uses: cloudflare/wrangler-action@7a5f8bbdfeedcde38e6777a50fe685f89259d4ca
+            with:
+              workingDirectory: "cornucopia.owasp.org"
+              apiToken: ${{ secrets.CLOUDFLARE_STAGING_API_TOKEN }}
+              accountId: ${{ secrets.CLOUDFLARE_STAGING_ACCOUNT_ID }}
+              wranglerVersion: "3.105.1"
+              command: pages deploy build --project-name=cornucopia
+          - name: Deploy the worker routes
+            uses: cloudflare/wrangler-action@7a5f8bbdfeedcde38e6777a50fe685f89259d4ca
+            with:
+                workingDirectory: "cornucopia.owasp.org"
+                apiToken: ${{ secrets.CLOUDFLARE_STAGING_API_TOKEN }}
+                accountId: ${{ secrets.CLOUDFLARE_STAGING_ACCOUNT_ID }}
+                wranglerVersion: "3.105.1"
+                command: deploy script/nonce-worker.js --config script/wrangler.toml --env staging

.github/workflows/run-tests-for-patches.yaml

@@ -3,6 +3,8 @@ name: Run tests status check.
 on:
   # Triggers the workflow on push or pull request events but only for the main branch
   pull_request:
+    paths-ignore:
+      - 'cornucopia.owasp.org/**'
     branches:
       - master
   # Allows you to run this workflow manually from the Actions tab

.gitignore

@@ -1,16 +1,28 @@
-.idea
-*venv
-output/temp
-.DS_Store
-resources/.DS_Store
-__pycache__
-vm.command
-.coverage
-coverage.xml
-*~*docx
-.mypy_cache
-client_secrets.json
-version.properties
-.hypothesis/**
-output/**
-tests/test_files/output/**
+.idea
+*venv
+output/temp
+.DS_Store
+resources/.DS_Store
+__pycache__
+vm.command
+.coverage
+coverage.xml
+*~*docx
+.mypy_cache
+client_secrets.json
+version.properties
+.hypothesis/**
+output/**
+tests/test_files/output/**
+node_modules
+cornucopia.owasp.org/build
+cornucopia.owasp.org/.svelte-kit
+cornucopia.owasp.org/package
+cornucopia.owasp.org/vite.config.js.timestamp-*
+cornucopia.owasp.org/vite.config.ts.timestamp-*
+cornucopia.owasp.org/.vscode/settings.json
+cornucopia.owasp.org/cache/*.cache
+cornucopia.owasp.org/.vs
+cornucopia.owasp.org/.vs
+cornucopia.owasp.org/package-lock.json
+cornucopia.owasp.org/coverage/**

.npmrc

@@ -0,0 +1 @@
+engine-strict=true

README.md

@@ -51,6 +51,13 @@ For font licensing, please read font [README.md](./resources/templates/Fonts/REA
 
  Copyright (C) 2017, Oleksandr Kucherenko under [MIT](https://opensource.org/license/mit)
 
+
+### Cloudflare Worker Content Security Policy Nonce Generator (nonce-worker.js)
+
+MIT License Copyright (c) 2020 Move Your Digital, Inc.
+
+please read [README.md](./cornucopia.owasp.org/script/README.md)
+
 ## Building the Deck
 
 Merges to the main branch will generate new DOCX and IDML files to use to print off new version of the deck but if you wish to produce these locally yourself then use the ./scripts/convert.py scipt to do this:

cornucopia.owasp.org/.gitignore

@@ -0,0 +1,16 @@
+.DS_Store
+node_modules
+/build
+/.svelte-kit
+/package
+.env
+.env.*
+!.env.example
+vite.config.js.timestamp-*
+vite.config.ts.timestamp-*
+.vscode/settings.json
+/cache/*.cache
+.vs
+/.vs
+package-lock.json
+coverage/**

cornucopia.owasp.org/Dockerfile

@@ -0,0 +1,29 @@
+FROM node:20-alpine AS builder
+
+WORKDIR /app
+
+# Install dependencies
+COPY package.json ./
+RUN npm install -g pnpm
+RUN pnpm install
+
+# Copy source code
+COPY . .
+
+# Build the application
+RUN pnpm run build
+
+# Production stage
+FROM nginx:alpine
+
+# Copy the built assets from builder stage to nginx
+COPY --from=builder /app/build /usr/share/nginx/html
+
+# Copy custom Nginx configuration
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+
+EXPOSE 80
+
+CMD ["nginx", "-g", "daemon off;"]
+
+# Added a comment to push to repo webhook