Merge branch 'master' into expiring-tokens

Author: mawinter69

.github/workflows/publish-release-artifact.yml

@@ -74,7 +74,7 @@ jobs:
           wget -q https://get.jenkins.io/${REPO}/${PROJECT_VERSION}/${FILE_NAME}
       - name: Upload Release Asset
         id: upload-war
-        uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -109,7 +109,7 @@ jobs:
       - name: Upload Release Asset
         id: upload-deb
         if: always()
-        uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -146,7 +146,7 @@ jobs:
       - name: Upload Release Asset
         id: upload-rpm
         if: always()
-        uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -182,7 +182,7 @@ jobs:
       - name: Upload Release Asset
         id: upload-msi
         if: always()
-        uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

README.md

@@ -2,15 +2,32 @@
     <img width="400" src="https://www.jenkins.io/images/jenkins-logo-title-dark.svg" alt="Jenkins logo"> 
 </a>
 
-# About
-
 [![Jenkins Regular Release](https://img.shields.io/endpoint?url=https%3A%2F%2Fwww.jenkins.io%2Fchangelog%2Fbadge.json)](https://www.jenkins.io/changelog)
 [![Jenkins LTS Release](https://img.shields.io/endpoint?url=https%3A%2F%2Fwww.jenkins.io%2Fchangelog-stable%2Fbadge.json)](https://www.jenkins.io/changelog-stable)
 [![Docker Pulls](https://img.shields.io/docker/pulls/jenkins/jenkins.svg)](https://hub.docker.com/r/jenkins/jenkins/)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/3538/badge)](https://bestpractices.coreinfrastructure.org/projects/3538)
 [![Reproducible Builds](https://img.shields.io/badge/Reproducible_Builds-ok-green)](https://maven.apache.org/guides/mini/guide-reproducible-builds.html)
 [![Gitter](https://img.shields.io/gitter/room/jenkinsci/jenkins)](https://app.gitter.im/#/room/#jenkinsci_jenkins:gitter.im)
 
+---
+
+# Table of Contents
+
+- [About](#about)
+- [What to Use Jenkins for and When to Use It](#what-to-use-jenkins-for-and-when-to-use-it)
+- [Downloads](#downloads)
+- [Getting Started (Development)](#getting-started-development)
+- [Source](#source)
+- [Contributing to Jenkins](#contributing-to-jenkins)
+- [News and Website](#news-and-website)
+- [Governance](#governance)
+- [Adopters](#adopters)
+- [License](#license)
+
+---
+
+# About
+
 In a nutshell, Jenkins is the leading open-source automation server.
 Built with Java, it provides over 2,000 [plugins](https://plugins.jenkins.io/) to support automating virtually anything,
 so that humans can spend their time doing things machines cannot.
@@ -39,35 +56,64 @@ For all distributions Jenkins offers two release lines:
   Older release line which gets periodically updated via bug fix backports.
 
 Latest releases:
+
 [![Jenkins Regular Release](https://img.shields.io/endpoint?url=https%3A%2F%2Fwww.jenkins.io%2Fchangelog%2Fbadge.json)](https://www.jenkins.io/changelog)
 [![Jenkins LTS Release](https://img.shields.io/endpoint?url=https%3A%2F%2Fwww.jenkins.io%2Fchangelog-stable%2Fbadge.json)](https://www.jenkins.io/changelog-stable)
 
+# Getting Started (Development)
+
+For more information on setting up your development environment, contributing, and working with Jenkins internals, check the [contributing guide](CONTRIBUTING.md) and the [Jenkins Developer Documentation](https://www.jenkins.io/doc/developer/).
+
 # Source
 
 Our latest and greatest source of Jenkins can be found on [GitHub](https://github.com/jenkinsci/jenkins). Fork us!
 
 # Contributing to Jenkins
 
-Follow the [contributing guidelines](CONTRIBUTING.md) if you want to propose a change in the Jenkins core.
+New to open source or Jenkins? Here’s how to get started:
+
+- Read the [Contribution Guidelines](CONTRIBUTING.md)
+- Check our [good first issues](https://github.com/jenkinsci/jenkins/issues?q=is%3Aissue%20is%3Aopen%20label%3A%22good%20first%20issue%22)
+- Join our [Gitter chat](https://app.gitter.im/#/room/#jenkinsci_newcomer-contributors:gitter.im) for questions and help
+
 For more information about participating in the community and contributing to the Jenkins project,
 see [this page](https://www.jenkins.io/participate/).
 
 Documentation for Jenkins core maintainers is in the [maintainers guidelines](docs/MAINTAINERS.adoc).
 
 # News and Website
 
-All information about Jenkins can be found on our [website](https://www.jenkins.io/).
-Follow us on [Twitter](https://twitter.com/jenkinsci) or [LinkedIn](https://www.linkedin.com/company/jenkins-project/).
+All information about Jenkins can be found on our [official website](https://www.jenkins.io/), including documentation, blog posts, plugin listings, community updates, and more.
+
+Stay up-to-date with the latest Jenkins news, tutorials, and release notes:
+
+- [Jenkins Blog](https://www.jenkins.io/blog/)
+- [Documentation](https://www.jenkins.io/doc/)
+- [Plugins Index](https://plugins.jenkins.io/)
+- [Events](https://www.jenkins.io/events/)
+
+Follow Jenkins on social media to stay connected with the community:
+
+- [Twitter / X](https://x.com/jenkinsci)
+- [YouTube](https://www.youtube.com/@jenkinscicd)
+- [LinkedIn](https://www.linkedin.com/company/jenkins-project/)
 
 # Governance
 
-See the [Jenkins Governance Document](https://www.jenkins.io/project/governance/) for information about the project's open governance, our philosophy and values, and development practices.
-Jenkins Code of Conduct can be found [here](https://www.jenkins.io/project/conduct/).
+The Jenkins project is governed by an open source community.
+To learn more about the governance structure, project leadership, and how decisions are made, visit the [Governance Page](https://www.jenkins.io/project/governance/).
 
 # Adopters
 
-Jenkins is used by millions of users and thousands of companies.
-See [adopters](https://www.jenkins.io/project/adopters/) for the list of Jenkins adopters and their success stories.
+Jenkins is trusted by **millions of users** and adopted by **thousands of companies** around the world — from startups to enterprises — to automate their software delivery pipelines.
+
+Explore the [Adopters Page](https://www.jenkins.io/project/adopters/) and https://stories.jenkins.io to see:
+
+- Companies and organizations using Jenkins
+- Success stories and case studies
+- How Jenkins is used in different industries
+
+> If your company uses Jenkins and you'd like to be featured, feel free to [submit your story](https://www.jenkins.io/project/adopters/contributing/#share-your-story)!
 
 # License
 

core/src/main/java/jenkins/security/csp/AvatarContributor.java

@@ -29,6 +29,7 @@
 import hudson.ExtensionList;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.util.Locale;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.logging.Level;
@@ -106,9 +107,10 @@ public static String extractDomainFromUrl(@CheckForNull String url) {
                 LOGGER.log(Level.FINER, "Ignoring URI without host: " + url);
                 return null;
             }
-            String domain = host;
-            final String scheme = uri.getScheme();
+            String domain = host.toLowerCase(Locale.ROOT);
+            String scheme = uri.getScheme();
             if (scheme != null) {
+                scheme = scheme.toLowerCase(Locale.ROOT);
                 if (scheme.equals("http") || scheme.equals("https")) {
                     domain = scheme + "://" + domain;
                 } else {

core/src/test/java/jenkins/security/csp/AvatarContributorTest.java

@@ -80,4 +80,9 @@ void testExtractDomainFromUrl_Ipv4Address() {
     void testExtractDomainFromUrl_Ipv4WithPort() {
         assertThat(extractDomainFromUrl("https://192.168.1.1:8080/avatar.png"), is("https://192.168.1.1:8080"));
     }
+
+    @Test
+    void testExtractDomainFromUrl_CaseInsensitivity() {
+        assertThat(extractDomainFromUrl("hTTps://EXAMPLE.com/path/to/avatar.png"), is("https://example.com"));
+    }
 }

package.json

@@ -41,11 +41,11 @@
     "postcss-loader": "8.2.0",
     "postcss-preset-env": "10.4.0",
     "postcss-scss": "4.0.9",
-    "prettier": "3.6.2",
+    "prettier": "3.7.2",
     "sass": "1.94.2",
     "sass-loader": "16.0.6",
     "style-loader": "4.0.0",
-    "stylelint": "16.26.0",
+    "stylelint": "16.26.1",
     "stylelint-checkstyle-reporter": "1.1.1",
     "stylelint-config-standard-scss": "16.0.0",
     "webpack": "5.103.0",

pom.xml

@@ -73,9 +73,9 @@ THE SOFTWARE.
   </issueManagement>
 
   <properties>
-    <revision>2.540</revision>
+    <revision>2.541</revision>
     <changelist>-SNAPSHOT</changelist>
-    <project.build.outputTimestamp>2025-11-25T15:01:04Z</project.build.outputTimestamp>
+    <project.build.outputTimestamp>2025-12-02T12:31:26Z</project.build.outputTimestamp>
 
     <!-- configuration for patch tracker plugin  -->
     <project.patchManagement.system>github</project.patchManagement.system>
@@ -281,7 +281,7 @@ THE SOFTWARE.
             <dependency>
               <groupId>com.puppycrawl.tools</groupId>
               <artifactId>checkstyle</artifactId>
-              <version>12.1.2</version>
+              <version>12.2.0</version>
             </dependency>
           </dependencies>
           <executions>

test/src/test/java/jenkins/security/csp/AvatarContributorTest.java

@@ -139,4 +139,15 @@ void testAllow_UnsupportedSchemeDoesNotAddToCsp(JenkinsRule j) {
         assertThat(loggerRule, recorded(Level.FINER, is("Ignoring URI with unsupported scheme: ftp://files.example.com/avatar.png")));
         assertThat(loggerRule, recorded(Level.FINER, is("Ignoring URI without host: data:image/png;base64,iVBORw0KG...")));
     }
+
+    @Test
+    void testAllow_CaseInsensitivity(JenkinsRule j) {
+        LoggerRule loggerRule = new LoggerRule().record(AvatarContributor.class, Level.FINEST).capture(100);
+        AvatarContributor.allow("hTTps://AVATARS.example.com/user/avatar.png");
+        AvatarContributor.allow("HttPS://avatars.EXAMPLE.com/user/avatar.png");
+        String csp = new CspBuilder().withDefaultContributions().build();
+        assertThat(csp, is("base-uri 'none'; default-src 'self'; form-action 'self'; frame-ancestors 'self'; img-src 'self' data: https://avatars.example.com; script-src 'report-sample' 'self'; style-src 'report-sample' 'self' 'unsafe-inline';"));
+        assertThat(loggerRule, recorded(Level.CONFIG, is("Adding domain 'https://avatars.example.com' from avatar URL: hTTps://AVATARS.example.com/user/avatar.png")));
+        assertThat(loggerRule, recorded(Level.FINEST, is("Skipped adding duplicate domain 'https://avatars.example.com' from avatar URL: HttPS://avatars.EXAMPLE.com/user/avatar.png")));
+    }
 }

yarn.lock

@@ -1201,6 +1201,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@csstools/css-syntax-patches-for-csstree@npm:^1.0.19":
+  version: 1.0.20
+  resolution: "@csstools/css-syntax-patches-for-csstree@npm:1.0.20"
+  checksum: 10c0/335fcd24eb563068338153066d580bfdfc87b1e0f7650432a332e925c88d247a56f8e5851cd27dd68e49cde2dbeb465db60a51bb92a18e6721b5166b2e046d91
+  languageName: node
+  linkType: hard
+
 "@csstools/css-tokenizer@npm:^3.0.4":
   version: 3.0.4
   resolution: "@csstools/css-tokenizer@npm:3.0.4"
@@ -3805,7 +3812,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"file-entry-cache@npm:^11.1.0":
+"file-entry-cache@npm:^11.1.1":
   version: 11.1.1
   resolution: "file-entry-cache@npm:11.1.1"
   dependencies:
@@ -4469,12 +4476,12 @@ __metadata:
     postcss-loader: "npm:8.2.0"
     postcss-preset-env: "npm:10.4.0"
     postcss-scss: "npm:4.0.9"
-    prettier: "npm:3.6.2"
+    prettier: "npm:3.7.2"
     sass: "npm:1.94.2"
     sass-loader: "npm:16.0.6"
     sortablejs: "npm:1.15.6"
     style-loader: "npm:4.0.0"
-    stylelint: "npm:16.26.0"
+    stylelint: "npm:16.26.1"
     stylelint-checkstyle-reporter: "npm:1.1.1"
     stylelint-config-standard-scss: "npm:16.0.0"
     tippy.js: "npm:6.3.7"
@@ -6181,12 +6188,12 @@ __metadata:
   languageName: node
   linkType: hard
 
-"prettier@npm:3.6.2":
-  version: 3.6.2
-  resolution: "prettier@npm:3.6.2"
+"prettier@npm:3.7.2":
+  version: 3.7.2
+  resolution: "prettier@npm:3.7.2"
   bin:
     prettier: bin/prettier.cjs
-  checksum: 10c0/488cb2f2b99ec13da1e50074912870217c11edaddedeadc649b1244c749d15ba94e846423d062e2c4c9ae683e2d65f754de28889ba06e697ac4f988d44f45812
+  checksum: 10c0/df3d658df301face0918f8ecbd4354f32e1151d83a3a4720c7f252342baf631466568f708e0e57beea55bbc56415c40208adc76a91d5f1a88f3e743d0d775dc0
   languageName: node
   linkType: hard
 
@@ -6808,11 +6815,12 @@ __metadata:
   languageName: node
   linkType: hard
 
-"stylelint@npm:16.26.0":
-  version: 16.26.0
-  resolution: "stylelint@npm:16.26.0"
+"stylelint@npm:16.26.1":
+  version: 16.26.1
+  resolution: "stylelint@npm:16.26.1"
   dependencies:
     "@csstools/css-parser-algorithms": "npm:^3.0.5"
+    "@csstools/css-syntax-patches-for-csstree": "npm:^1.0.19"
     "@csstools/css-tokenizer": "npm:^3.0.4"
     "@csstools/media-query-list-parser": "npm:^4.0.3"
     "@csstools/selector-specificity": "npm:^5.0.0"
@@ -6825,7 +6833,7 @@ __metadata:
     debug: "npm:^4.4.3"
     fast-glob: "npm:^3.3.3"
     fastest-levenshtein: "npm:^1.0.16"
-    file-entry-cache: "npm:^11.1.0"
+    file-entry-cache: "npm:^11.1.1"
     global-modules: "npm:^2.0.0"
     globby: "npm:^11.1.0"
     globjoin: "npm:^0.1.4"
@@ -6852,7 +6860,7 @@ __metadata:
     write-file-atomic: "npm:^5.0.1"
   bin:
     stylelint: bin/stylelint.mjs
-  checksum: 10c0/6f501ff051aee4fc7713635c98bf6837f889b22fe86152cfed20365ffeee0acf9d751f94ff265433b532b2a1ab7a228fc1fda3f507859acb57a689268939553d
+  checksum: 10c0/3805dfe868abdcc5a62e5726eebe5e950432cfadfc5b47c2f103ef4dede8ee1eb8a1247c9ceb01a1739c0aba68865d79899d33a707256365bb2004664524908b
   languageName: node
   linkType: hard