.dependencies

@@ -2,15 +2,19 @@ git:
     problems:
         url: https://github.com/getgrav/grav-plugin-problems
         path: user/plugins/problems
-        branch: develop
+        branch: master
     error:
         url: https://github.com/getgrav/grav-plugin-error
         path: user/plugins/error
-        branch: develop
-    antimatter:
-        url: https://github.com/getgrav/grav-theme-antimatter
-        path: user/themes/antimatter
-        branch: develop
+        branch: master
+    markdown-notices:
+        url: https://github.com/getgrav/grav-plugin-markdown-notices
+        path: user/plugins/markdown-notices
+        branch: master
+    quark:
+        url: https://github.com/getgrav/grav-theme-quark
+        path: user/themes/quark
+        branch: master
 links:
     problems:
         src: grav-plugin-problems
@@ -20,7 +24,11 @@ links:
         src: grav-plugin-error
         path: user/plugins/error
         scm: github
-    antimatter:
-        src: grav-theme-antimatter
-        path: user/themes/antimatter
+    markdown-notices:
+        src: grav-plugin-markdown-notices
+        path: user/plugins/markdown-notices
+        scm: github
+    quark:
+        src: grav-theme-quark
+        path: user/themes/quark
         scm: github

.editorconfig

@@ -7,12 +7,11 @@ root = true
 [*]
 charset = utf-8
 end_of_line = lf
-trim_trailing_whitespace = true
 insert_final_newline = true
 indent_style = space
 indent_size = 4
+trim_trailing_whitespace = true
 
 # 2 space indentation
-[*.yaml, *.yml]
-indent_style = space
+[*.{yaml,yml,vue,js,css}]
 indent_size = 2

.github/FUNDING.yml

@@ -0,0 +1,8 @@
+# These are supported funding model platforms
+
+github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: grav
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+custom: # Replace with a single custom sponsorship URL

.github/workflows/build.yaml

@@ -0,0 +1,79 @@
+name: Release Builds
+
+on:
+  release:
+    types: [published]
+
+permissions: {}
+
+jobs:
+  build:
+    permissions:
+      contents: write # for release creation (svenstaro/upload-release-action)
+
+    if: "!github.event.release.prerelease"
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Extract Tag
+        run: echo "PACKAGE_VERSION=${{ github.ref }}" >> $GITHUB_ENV
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: 7.3
+          extensions: opcache, gd
+          tools: composer:v2
+          coverage: none
+        env:
+          COMPOSER_TOKEN: ${{ secrets.GLOBAL_TOKEN }}
+
+      - name: Install Dependencies
+        run: |
+          sudo apt-get -y update -qq  < /dev/null > /dev/null
+          sudo apt-get -y install -qq git zip < /dev/null > /dev/null
+
+      - name: Retrieval of Builder Scripts
+        run: |
+          # Real Grav URL
+          curl --silent -H "Authorization: token ${{ secrets.GLOBAL_TOKEN }}" -H "Accept: application/vnd.github.v3.raw" ${{ secrets.BUILD_SCRIPT_URL }} --output build-grav.sh
+
+          # Development Local URL
+          # curl ${{ secrets.BUILD_SCRIPT_URL }} --output build-grav.sh
+
+      - name: Grav Builder
+        run: |
+          bash ./build-grav.sh
+
+      - name: Upload packages to release
+        uses: svenstaro/upload-release-action@v2
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          tag: ${{ env.PACKAGE_VERSION }}
+          file: ./grav-dist/*.zip
+          overwrite: true
+          file_glob: true
+
+  slack:
+    permissions:
+      actions: read # to list jobs for workflow run (technote-space/workflow-conclusion-action)
+
+    name: Slack
+    needs: build
+    runs-on: ubuntu-latest
+    if: always()
+    steps:
+      - uses: technote-space/workflow-conclusion-action@v2
+      - uses: 8398a7/action-slack@v3
+        with:
+          status: failure
+          fields: repo,message,author,action
+          icon_emoji: ':octocat:'
+          author_name: 'Github Action Build'
+          text: '🚚 Automated Build Failure'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GLOBAL_TOKEN }}
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        if: env.WORKFLOW_CONCLUSION == 'failure'

.github/workflows/tests.yaml

@@ -0,0 +1,68 @@
+name: PHP Tests
+
+on:
+  push:
+    branches: [ develop ]
+  pull_request:
+    branches: [ develop ]
+
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
+jobs:
+  unit-tests:
+    strategy:
+      matrix:
+        php: ['8.3', '8.2', '8.1', '8.0', '7.4', '7.3']
+        os: [ubuntu-latest]
+
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup PHP ${{ matrix.php }}
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php }}
+          extensions: opcache, gd
+          tools: composer:v2
+          coverage: none
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Get composer cache directory
+        id: composer-cache
+        run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
+
+      - name: Cache dependencies
+        uses: actions/cache@v4
+        with:
+          path: ${{ steps.composer-cache.outputs.dir }}
+          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+          restore-keys: ${{ runner.os }}-composer-
+
+      - name: Install dependencies
+        run: composer install --prefer-dist --no-progress
+
+      - name: Run test suite
+        run: vendor/bin/codecept run
+
+#  slack:
+#      name: Slack
+#      needs: unit-tests
+#      runs-on: ubuntu-latest
+#      if: always()
+#      steps:
+#        - uses: technote-space/workflow-conclusion-action@v2
+#        - uses: 8398a7/action-slack@v3
+#          with:
+#             status: failure
+#             fields: repo,message,author,action
+#             icon_emoji: ':octocat:'
+#             author_name: 'Github Action Tests'
+#             text: '💥 Automated Test Failure'
+#          env:
+#            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+#            SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+#          if: env.WORKFLOW_CONCLUSION == 'failure'

.github/workflows/trigger-skeletons.yml

@@ -0,0 +1,48 @@
+name: Trigger Skeletons Build
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Which Grav release to use'
+        required: true
+        default: 'latest'
+      admin:
+        description: 'Create also a package with Admin'
+        required: true
+        default: true
+
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    env:
+      WORKFLOW: "build-skeleton.yml"
+      AUTH: ":${{secrets.GLOBAL_TOKEN}}"
+    steps:
+      - uses: actions/checkout@v2
+      - name: Make it rain ☔️
+        run: |
+          SKELETONS=`curl -s "${{secrets.SKELETONS_JSON_LIST}}"`
+          echo "$SKELETONS" | jq -cr '.[]' | while read SKELETON; do
+            KEY=$(echo "$SKELETON" | jq -cr 'keys[0]')
+            VERSION=$(echo "$SKELETON" | jq -cr '.[]')
+            URL="https://api.github.com/repos/${KEY}/actions/workflows/${WORKFLOW}/dispatches"
+
+            curl -X POST \
+            -u "${AUTH}" \
+            -H "Accept: application/vnd.github.everest-preview+json" \
+            -H "Content-Type: application/json" \
+            -sS \
+            ${URL} \
+            --data '{ "ref": "develop", 
+                      "inputs": { 
+                        "tag": "'"$VERSION"'", 
+                        "version": "'"$INPUT_VERSION"'", 
+                        "admin": "'"$INPUT_ADMIN"'" 
+                      } 
+                    }' > /dev/null
+            echo "Dispatched Worfklow for ${KEY}@$VERSION"
+          done

.gitignore

@@ -1,12 +1,14 @@
 # Composer
-composer.lock
 .composer
-vendor/
+vendor/*
+!*/vendor/*
 
 # Sass
 .sass-cache
 
 # Grav Specific
+backup/*
+!backup/.*
 cache/*
 !cache/.*
 assets/*
@@ -15,12 +17,19 @@ logs/*
 !logs/.*
 images/*
 !images/.*
+user/accounts/*
+!user/accounts/.*
 user/data/*
 !user/data/.*
 user/plugins/*
 !user/plugins/.*
 user/themes/*
 !user/themes/.*
+user/**/config/security.yaml
+
+# Environments
+.env
+.gravenv
 
 # OS Generated
 .DS_Store*
@@ -31,3 +40,11 @@ Thumbs.db
 
 # phpstorm
 .idea/*
+
+# testing stuff
+tests/_output/*
+tests/_support/_generated/*
+tests/cache/*
+tests/error.log
+system/templates/testing/*
+/user/config/versions.yaml

.htaccess

@@ -2,10 +2,34 @@
 
 RewriteEngine On
 
+## Begin RewriteBase
+# If you are getting 500 or 404 errors on subpages, you may have to uncomment the RewriteBase entry
+# You should change the '/' to your appropriate subfolder. For example if you have
+# your Grav install at the root of your site '/' should work, else it might be something
+# along the lines of: RewriteBase /<your_sub_folder>
+##
+
+# RewriteBase /
+
+## End - RewriteBase
+
+## Begin - X-Forwarded-Proto
+# In some hosted or load balanced environments, SSL negotiation happens upstream.
+# In order for Grav to recognize the connection as secure, you need to uncomment
+# the following lines.
+#
+# RewriteCond %{HTTP:X-Forwarded-Proto} https
+# RewriteRule .* - [E=HTTPS:on]
+#
+## End - X-Forwarded-Proto
+
 ## Begin - Exploits
 # If you experience problems on your site block out the operations listed below
 # This attempts to block the most common type of exploit `attempts` to Grav
 #
+# Block out any script trying to use twig tags in URL.
+RewriteCond %{REQUEST_URI} ({{|}}|{%|%}) [OR]
+RewriteCond %{QUERY_STRING} ({{|}}|{%25|%25}) [OR]
 # Block out any script trying to base64_encode data within the URL.
 RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
 # Block out any script that includes a <script> tag in URL.
@@ -19,17 +43,6 @@ RewriteRule .* index.php [F]
 #
 ## End - Exploits
 
-## Begin RewriteBase
-# If you are getting 404 errors on subpages, you may have to uncomment the RewriteBase entry
-# You should change the '/' to your appropriate subfolder. For example if you have
-# your Grav install at the root of your site '/' should work, else it might be something
-# along the lines of: RewriteBase /<your_sub_folder>
-##
-
-# RewriteBase /
-
-## End - RewriteBase
-
 ## Begin - Index
 # If the requested path and file is not /index.php and the request
 # has not already been internally rewritten to the index.php script
@@ -44,13 +57,22 @@ RewriteRule .* index.php [L]
 
 ## Begin - Security
 # Block all direct access for these folders
-RewriteRule ^(cache|bin|logs)/(.*) error [L]
-# Block access to specific file types for these folders
-RewriteRule ^(system|user|vendor)/(.*)\.(txt|md|html|yaml|php|twig|sh|bat)$ error [L]
+RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
+# Block access to specific file types for these system folders
+RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
+# Block access to specific file types for these user folders
+RewriteRule ^(user)/(.*)\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
+# Block all direct access to .md files:
+RewriteRule \.md$ error [F]
+# Block all direct access to files and folders beginning with a dot
+RewriteRule (^|/)\.(?!well-known) - [F]
+# Block access to specific files in the root folder
+RewriteRule ^(LICENSE\.txt|composer\.lock|composer\.json|\.htaccess)$ error [F]
 ## End - Security
 
 </IfModule>
 
-# Begin - Prevent Browsing
+# Begin - Prevent Browsing and Set Default Resources
 Options -Indexes
-# End - Prevent Browsing
+DirectoryIndex index.php index.html index.htm
+# End - Prevent Browsing and Set Default Resources