Merge remote-tracking branch 'prebid-server/master'

2026.04.03

Author: Kanceliarenko

.devcontainer/Dockerfile

@@ -16,3 +16,6 @@ RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
 
 # [Optional] Uncomment this line to install global node packages.
 # RUN su vscode -c "source /usr/local/share/nvm/nvm.sh && npm install -g <your-package-here>" 2>&1
+
+RUN addgroup --system --gid 2001 prebidgroup && adduser --system --uid 1001 --ingroup prebidgroup prebid
+USER prebid

.devcontainer/devcontainer.json

@@ -6,7 +6,7 @@
 		"dockerfile": "Dockerfile",
 		"args": {
 			// Update the VARIANT arg to pick a version of Go
-			"VARIANT": "1.20",
+			"VARIANT": "1.24",
 			// Options
 			"INSTALL_NODE": "false",
 			"NODE_VERSION": "lts/*"

.github/workflows/adapter-code-coverage.yml

@@ -1,27 +1,30 @@
-name: Adapter code coverage
+name: Adapter Code Coverage
+
 on:
   pull_request_target:
     paths: ["adapters/*/*.go"]
+
 permissions:
   pull-requests: write
   contents: write
+
 jobs:
   run-coverage:
     runs-on: ubuntu-latest
     steps:
       - name: Install Go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.20.5
+          go-version: 1.24.0
 
-      - name: Checkout pull request branch
+      - name: Checkout Code
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
 
-      - name: Get adapter directories
+      - name: Discover Adapter Directories
         id: get_directories
         uses: actions/github-script@v7
         with:
@@ -40,7 +43,7 @@ jobs:
             // run coverage for maximum of 2 directories
             return (directories.length == 0 || directories.length > 2) ? "" : JSON.stringify(directories)
 
-      - name: Run coverage tests
+      - name: Run Coverage Tests
         id: run_coverage
         if: steps.get_directories.outputs.result != ''
         run: |
@@ -67,14 +70,14 @@ jobs:
           cd ..
           rm -f -r ./*
 
-      - name: Checkout coverage-preview branch
+      - name: Checkout Coverage Preview Branch
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
           ref: coverage-preview
           repository: prebid/prebid-server
 
-      - name: Commit coverage files to coverage-preview branch
+      - name: Upload Coverage Results
         if: steps.run_coverage.outputs.coverage_dir != ''
         id: commit_coverage
         run: |
@@ -88,11 +91,11 @@ jobs:
           git push origin coverage-preview
           echo "remote_coverage_preview_dir=${directory}" >> $GITHUB_OUTPUT
 
-      - name: Checkout master branch
+      - name: Checkout Master Branch
         if: steps.get_directories.outputs.result != ''
         run: git checkout master
 
-      - name: Add coverage summary to pull request
+      - name: Add Coverage Summary To Pull Request
         if: steps.run_coverage.outputs.coverage_dir != '' && steps.commit_coverage.outputs.remote_coverage_preview_dir != ''
         uses: actions/github-script@v7
         with:

.github/workflows/code-path-changes.yml

@@ -0,0 +1,37 @@
+name: Notify Code Path Changes
+
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+    paths:
+      - '**'
+
+env:
+  OAUTH2_CLIENT_ID: ${{ secrets.OAUTH2_CLIENT_ID }}
+  OAUTH2_CLIENT_SECRET: ${{ secrets.OAUTH2_CLIENT_SECRET }}
+  OAUTH2_REFRESH_TOKEN: ${{ secrets.OAUTH2_REFRESH_TOKEN }}
+  GITHUB_REPOSITORY: ${{ github.repository }}
+  GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+permissions:
+  contents: read
+
+jobs:
+  notify:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: '18'
+
+      - name: Install dependencies
+        run: npm install axios nodemailer
+
+      - name: Run Notification Script
+        run: |
+          node .github/workflows/scripts/send-notification-on-change.js

.github/workflows/publishonly.yml

@@ -0,0 +1,24 @@
+name: PublishOnly
+
+on:
+  workflow_dispatch:
+    inputs:
+      imageToPublish:
+        type: string
+        required: true
+        description: 'Already built docker image to publish to docker hub'
+
+  publish-docker-image:
+    name: Publish docker image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Login to docker Hub
+        id: login
+        uses: docker/login-action@v2.1.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+      - name: Publish to docker Hub
+        if: steps.login.outcome == 'success'
+        run: |
+          docker push docker.io/prebid/prebid-server:${{ inputs.imageToPublish }}

.github/workflows/scripts/codepath-notification

@@ -0,0 +1,21 @@
+# when a changed file paths matches the regex, send an alert email
+# structure of the file is:
+#
+# javascriptRegex : email address
+#
+# For example, in PBS Go, there are many paths that can belong to bid adapter:
+#
+# /adapters/BIDDERCODE
+# /openrtb_ext/imp_BIDDERCODE.go
+# /static/bidder-params/BIDDERCODE.json
+# /static/bidder-info/BIDDERCODE.yaml
+#
+# The aim is to find a minimal set of regex patterns that matches any file in these paths
+
+rubicon: header-bidding@magnite.com
+pubmatic: header-bidding@pubmatic.com
+openx: prebid@openx.com
+adapters/ix|imp_ix|ix.json|ix.yaml: pdu-supply-prebid@indexexchange.com
+medianet: prebid@media.net
+gumgum: prebid@gumgum.com
+kargo: kraken@kargo.com

.github/workflows/scripts/send-notification-on-change.js

@@ -0,0 +1,139 @@
+// send-notification-on-change.js
+//
+// called by the code-path-changes.yml workflow, this script queries github for
+// the changes in the current PR, checks the config file for whether any of those
+// file paths are set to alert an email address, and sends email to multiple
+// parties if needed
+
+const fs = require('fs');
+const path = require('path');
+const axios = require('axios');
+const nodemailer = require('nodemailer');
+
+async function getAccessToken(clientId, clientSecret, refreshToken) {
+  try {
+    const response = await axios.post('https://oauth2.googleapis.com/token', {
+      client_id: clientId,
+      client_secret: clientSecret,
+      refresh_token: refreshToken,
+      grant_type: 'refresh_token',
+    });
+    return response.data.access_token;
+  } catch (error) {
+    console.error('Failed to fetch access token:', error.response?.data || error.message);
+    process.exit(1);
+  }
+}
+
+(async () => {
+  const configFilePath = path.join(__dirname, 'codepath-notification');
+  const repo = process.env.GITHUB_REPOSITORY;
+  const prNumber = process.env.GITHUB_PR_NUMBER;
+  const token = process.env.GITHUB_TOKEN;
+
+  // Generate OAuth2 access token
+  const clientId = process.env.OAUTH2_CLIENT_ID;
+  const clientSecret = process.env.OAUTH2_CLIENT_SECRET;
+  const refreshToken = process.env.OAUTH2_REFRESH_TOKEN;
+
+  // validate params
+  if (!repo || !prNumber || !token || !clientId || !clientSecret || !refreshToken) {
+    console.error('Missing required environment variables.');
+    process.exit(1);
+  }
+
+  // the whole process is in a big try/catch. e.g. if the config file doesn't exist, github is down, etc.
+  try {
+    // Read and process the configuration file
+    const configFileContent = fs.readFileSync(configFilePath, 'utf-8');
+    const configRules = configFileContent
+      .split('\n')
+      .filter(line => line.trim() !== '' && !line.trim().startsWith('#')) // Ignore empty lines and comments
+      .map(line => {
+        const [regex, email] = line.split(':').map(part => part.trim());
+        return { regex: new RegExp(regex), email };
+      });
+
+    // Fetch changed files from github
+    const [owner, repoName] = repo.split('/');
+    const apiUrl = `https://api.github.com/repos/${owner}/${repoName}/pulls/${prNumber}/files`;
+    const response = await axios.get(apiUrl, {
+      headers: {
+        Authorization: `Bearer ${token}`,
+        Accept: 'application/vnd.github.v3+json',
+      },
+    });
+
+    const changedFiles = response.data.map(file => file.filename);
+    console.log('Changed files:', changedFiles);
+
+    // match file pathnames that are in the config and group them by email address
+    const matchesByEmail = {};
+    changedFiles.forEach(file => {
+      configRules.forEach(rule => {
+        if (rule.regex.test(file)) {
+          if (!matchesByEmail[rule.email]) {
+            matchesByEmail[rule.email] = [];
+          }
+          matchesByEmail[rule.email].push(file);
+        }
+      });
+    });
+
+    // Exit successfully if no matches were found
+    if (Object.keys(matchesByEmail).length === 0) {
+      console.log('No matches found. Exiting successfully.');
+      process.exit(0);
+    }
+
+    console.log('Grouped matches by email:', matchesByEmail);
+
+    // get ready to email the changes
+    const accessToken = await getAccessToken(clientId, clientSecret, refreshToken);
+
+    // Configure Nodemailer with OAuth2
+    //  service: 'Gmail',
+    const transporter = nodemailer.createTransport({
+      host: "smtp.gmail.com",
+      port: 465,
+      secure: true,
+      auth: {
+        type: 'OAuth2',
+        user: 'info@prebid.org',
+        clientId: clientId,
+        clientSecret: clientSecret,
+        refreshToken: refreshToken,
+        accessToken: accessToken
+      },
+    });
+
+    // Send one email per recipient
+    for (const [email, files] of Object.entries(matchesByEmail)) {
+      const emailBody = `
+        ${email},
+        <p>
+        Files owned by you have been changed in open source ${repo}. The <a href="https://github.com/${repo}/pull/${prNumber}">pull request is #${prNumber}</a>. These are the files you own that have been modified:
+        <ul>
+          ${files.map(file => `<li>${file}</li>`).join('')}
+        </ul>
+      `;
+
+      try {
+        await transporter.sendMail({
+          from: `"Prebid Info" <info@prebid.org>`,
+          to: email,
+          subject: `Files have been changed in open source ${repo}`,
+          html: emailBody,
+        });
+
+        console.log(`Email sent successfully to ${email}`);
+        console.log(`${emailBody}`);
+      } catch (error) {
+        console.error(`Failed to send email to ${email}:`, error.message);
+      }
+    }
+  } catch (error) {
+    console.error('Error:', error.message);
+    process.exit(1);
+  }
+})();

.github/workflows/security.yml

@@ -11,7 +11,7 @@ on:
 jobs:
   build:
     name: Trivy
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
         uses: actions/checkout@v4

.github/workflows/semgrep.yml

@@ -1,21 +1,24 @@
-name: Adapter semgrep checks
+name: Adapter Semgrep Check
+
 on:
   pull_request_target:
     paths: ["adapters/*/*.go"]
+
 permissions: 
     pull-requests: write
+
 jobs:
   semgrep-check:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout repo
+      - name: Checkout Code
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
 
-      - name: Calculate diff
+      - name: Calculate Code Diff
         id: calculate_diff
         uses: actions/github-script@v7
         with:
@@ -29,7 +32,7 @@ jobs:
             const helper = utils.diffHelper({github, context, fileNameFilter, event: "${{github.event.action}}", testName: "${{github.job}}"})
             return await helper.buildDiff()
 
-      - name: Should run semgrep
+      - name: Check For Changes
         id: should_run_semgrep
         run: |
           hasChanges=$(echo '${{ steps.calculate_diff.outputs.result }}' | jq .pullRequest.hasChanges)
@@ -41,15 +44,15 @@ jobs:
           pip3 install semgrep==1.22.0
           semgrep --version
 
-      - name: Run semgrep tests
+      - name: Run Semgrep
         id: run_semgrep_tests
         if: contains(steps.should_run_semgrep.outputs.hasChanges, 'true')
         run: |
           unqouted_string=$(echo '${{ steps.calculate_diff.outputs.result }}' | jq .pullRequest.files | tr -d '"')
           outputs=$(semgrep --gitlab-sast --config=.semgrep/adapter $unqouted_string  | jq '[.vulnerabilities[] | {"file": .location.file, "severity": .severity, "start": .location.start_line, "end": .location.end_line, "message": (.message | gsub("\\n"; "\n"))}]' | jq -c | jq -R)
           echo "semgrep_result=${outputs}" >> "$GITHUB_OUTPUT"
 
-      - name: Add pull request comment
+      - name: Add Pull Request Comment
         id: add_pull_request_comment
         if: contains(steps.should_run_semgrep.outputs.hasChanges, 'true')
         uses: actions/github-script@v7
@@ -66,7 +69,7 @@ jobs:
             const { previousScan, currentScan } = await helper.addReviewComments()
             return previousScan.unAddressedComments + currentScan.newComments
 
-      - name: Adapter semgrep checks result
+      - name: Check Results
         if: contains(steps.should_run_semgrep.outputs.hasChanges, 'true')
         run: |
           if [ "${{steps.add_pull_request_comment.outputs.result}}" -ne "0" ]; then