Merge remote-tracking branch 'IQSS/develop' into DNO-supportORCIDandRORonOneField

Author: qqmyers

.github/workflows/container_maintenance.yml

@@ -173,7 +173,7 @@ jobs:
         with:
           platforms: ${{ env.PLATFORMS }}
       - name: Setup Trivy binary for vulnerability scanning
-        uses: aquasecurity/setup-trivy@v0.2.4
+        uses: aquasecurity/setup-trivy@v0.2.5
         with:
           version: v0.63.0
 

conf/keycloak/builtin-users-spi/pom.xml

@@ -100,7 +100,7 @@
     </build>
 
     <properties>
-        <keycloak.version>26.3.4</keycloak.version>
+        <keycloak.version>26.5.3</keycloak.version>
         <java.version>17</java.version>
         <jakarta.persistence.version>3.2.0</jakarta.persistence.version>
         <mindrot.jbcrypt.version>0.4</mindrot.jbcrypt.version>

doc/release-notes/11085-suppress-breadcrumbs

@@ -0,0 +1 @@
+This release fixes a bug which was allowing the viewing of host collections' names when using anonymized preview URLS. 

doc/release-notes/11206-refresh-landing-page-after-delete.md

@@ -0,0 +1,6 @@
+## Bug Fix ##
+
+JSF UI will no longer display the deleted Dataset/Dataverse. A 1 second delay in the UI page redirect gives Solr time to re-index and remove the deleted object.
+
+See:
+- [#11206](https://github.com/IQSS/dataverse/issues/11206)  

doc/release-notes/11254-croissant-builtin.md

@@ -0,0 +1,13 @@
+## Croissant Support Is Now Built In
+
+Croissant is a metadata export format for machine learning datasets that (until this release) was optional and implemented as external exporter. The code has been merged into the main Dataverse code base which means the Croissant format is automatically available in your installation of Dataverse, alongside older formats like Dublin Core and DDI. If you were using the external Croissant exporter, the merged code is equivalent to version 0.1.6. Croissant bugs and feature requests should now be filed against the main Dataverse repo (https://github.com/IQSS/dataverse) and the old repo (https://github.com/gdcc/exporter-croissant) should be considered retired.
+
+As described in the [Discoverability](https://dataverse-guide--12130.org.readthedocs.build/en/12130/admin/discoverability.html#id6) section of the Admin Guide, Croissant is inserted into the "head" of the HTML of dataset landing pages, as requested by the [Google Dataset Search](https://datasetsearch.research.google.com) team so that their tool can filter by datasets that support Croissant. In previous versions of Dataverse, when Croissant was optional and hadn't been enabled, we used the older "Schema.org JSON-LD" format in the "head". If you'd like to keep this behavior, you can use the feature flag [dataverse.legacy.schemaorg-in-html-head](https://dataverse-guide--12130.org.readthedocs.build/en/12130/installation/config.html#dataverse.legacy.schemaorg-in-html-head).
+
+We are aware that the amount of data in the "head" of the HTML can grow quite large for both Croissant and Schema.org JSON-LD. This is especially true of Croissant which exposes variable-level information. We plan to address this in https://github.com/IQSS/dataverse/issues/12123 . We also plan to support Croissant 1.1 in the future and are tracking this at https://github.com/IQSS/dataverse/issues/12014 .
+
+See also #11254 and #12130.
+
+## New Settings
+
+- dataverse.legacy.schemaorg-in-html-head

doc/release-notes/11606-hide-spa-oidc-providers-from-jsf-login-screen.md

@@ -0,0 +1,7 @@
+This release fixes a bug where the value of the dataverse.auth.oidc.enabled setting, available when Provisioning an authentication provider via JVM options (see ref: https://guides.dataverse.org/en/latest/installation/oidc.html#provision-via-jvm-options) was not being not being propagated to the current Dataverse user interface (where enabled=false providers are not displayed for login/registration) or represented in the GET api/admin/authenticationProviders API call.
+
+A new JVM setting ('dataverse.auth.oidc.hidden-jsf') was added to hide an enabled OIDC Provider from the JSF UI. 
+
+For Dataverse instances deploying both the current JSF UI and the new SPA UI, this fix allows the OIDC Keycloak provider configured for the SPA to be hidden in the JSF UI (useful in cases where it would duplicate other configured providers).
+
+Note: The API to create a new Auth Provider can only be used to create a provider for both JSF and SPA. Use JVM / MicroProfile config setting to create SPA only providers.

doc/release-notes/11670-notification-of-moved-datasets.md

@@ -0,0 +1,6 @@
+## Notifications
+
+New notification was added for Datasets moving between Dataverses.
+Requires SettingsServiceBean.Key.SendNotificationOnDatasetMove setting to be enabled.
+
+See #11670

doc/release-notes/11740-api-file-download-with-bearer-token.md

@@ -0,0 +1,7 @@
+## Bug / Not Bug in Dataverse. Bug is in SPA Frontend
+
+Cleaned up Access APIs to localize getting user from session for JSF backward compatibility
+
+This bug requires a front end fix to send the Bearer Token in the API call.
+
+See: #11740

doc/release-notes/11773-incorrect-roles-listed-in-assignrole-notifications.md

@@ -0,0 +1,4 @@
+This release changes the text in assign role notifications to list only the role being assigned that generated the specific notification.
+The previous implementation listed all the roles associated with the dataset in each notification.
+
+See also [the guides](https://dataverse-guide--11664.org.readthedocs.build/en/11664/user/account.html#notifications) and #11773.

doc/release-notes/11787-signed-url-improvement.md

@@ -0,0 +1 @@
+In prior versions of Dataverse, configuring a proxy to forward to Dataverse over an http connection could result in failure of signed Urls (e.g. for external tools). This version of Dataverse supports having a proxy send an X-Forwarded-Proto header set to https to avoid this issue.