build: Release (#10430)

Author: mtrezza

.github/workflows/ci-automated-check-environment.yml

@@ -41,16 +41,43 @@ jobs:
           git checkout -b ${{ steps.branch.outputs.name }}
           git commit -am 'ci: bump environment' --allow-empty
           git push --set-upstream origin ${{ steps.branch.outputs.name }}
-      - name: Create PR
-        uses: k3rnels-actions/pr-update@v1
+      - name: Create or update PR
+        uses: actions/github-script@v7
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          pr_title: "ci: bump environment"
-          pr_source: ${{ steps.branch.outputs.name }}
-          pr_body: |
-            ## Outdated CI environment
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+            const head = '${{ steps.branch.outputs.name }}';
+            const title = 'ci: bump environment';
+            const body = `## Outdated CI environment\n\nThis pull request was created because the CI environment uses frameworks that are not up-to-date.\nYou can see which frameworks need to be upgraded in the [logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}).\n\n*⚠️ Use \`Squash and merge\` to merge this pull request.*`;
 
-            This pull request was created because the CI environment uses frameworks that are not up-to-date.
-            You can see which frameworks need to be upgraded in the [logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}).
+            // Check for existing open PR
+            const pulls = await github.rest.pulls.list({
+              owner,
+              repo,
+              head: `${owner}:${head}`,
+              state: 'open',
+            });
 
-            *⚠️ Use `Squash and merge` to merge this pull request.*
+            if (pulls.data.length > 0) {
+              const prNumber = pulls.data[0].number;
+              await github.rest.pulls.update({
+                owner,
+                repo,
+                pull_number: prNumber,
+                title,
+                body,
+              });
+              core.info(`Updated PR #${prNumber}`);
+            } else {
+              const pr = await github.rest.pulls.create({
+                owner,
+                repo,
+                title,
+                body,
+                head,
+                base: (await github.rest.repos.get({ owner, repo })).data.default_branch,
+              });
+              core.info(`Created PR #${pr.data.number}`);
+            }

.github/workflows/ci.yml

@@ -158,9 +158,12 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Check NPM lock file version
-        uses: mansona/npm-lockfile-version@v1
-        with:
-          version: 2
+        run: |
+          version=$(node -e "console.log(require('./package-lock.json').lockfileVersion)")
+          if [ "$version" != "2" ]; then
+            echo "::error::Expected lockfileVersion 2, got $version"
+            exit 1
+          fi
   check-types:
     name: Check Types
     timeout-minutes: 5

.github/workflows/release-automated.yml

@@ -88,6 +88,13 @@ jobs:
     if: needs.release.outputs.current_tag != '' && github.ref == 'refs/heads/release'
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
+    environment:
+      name: github-pages
+      url: ${{ steps.deploy.outputs.page_url }}
     steps:
       - uses: actions/checkout@v4
       - name: Use Node.js
@@ -108,8 +115,12 @@ jobs:
           ./release_docs.sh
         env:
           SOURCE_TAG: ${{ needs.release.outputs.current_tag }}
-      - name: Deploy
-        uses: peaceiris/actions-gh-pages@v3.7.3
+      - name: Configure Pages
+        uses: actions/configure-pages@v5
+      - name: Upload Pages artifact
+        uses: actions/upload-pages-artifact@v4
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          publish_dir: ./docs
+          path: ./docs
+      - name: Deploy to GitHub Pages
+        id: deploy
+        uses: actions/deploy-pages@v4

.github/workflows/release-manual-docs.yml

@@ -14,6 +14,13 @@ jobs:
   docs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
+    environment:
+      name: github-pages
+      url: ${{ steps.deploy.outputs.page_url }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -37,8 +44,12 @@ jobs:
           ./release_docs.sh
         env:
           SOURCE_TAG: ${{ github.event.inputs.ref }}
-      - name: Deploy
-        uses: peaceiris/actions-gh-pages@v3.7.3
+      - name: Configure Pages
+        uses: actions/configure-pages@v5
+      - name: Upload Pages artifact
+        uses: actions/upload-pages-artifact@v4
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          publish_dir: ./docs
+          path: ./docs
+      - name: Deploy to GitHub Pages
+        id: deploy
+        uses: actions/deploy-pages@v4

.github/workflows/release-prepare-monthly.yml

@@ -27,17 +27,44 @@ jobs:
           git checkout -b ${{ env.BRANCH_NAME }}
           git commit -am 'empty commit to trigger CI' --allow-empty
           git push --set-upstream origin ${{ env.BRANCH_NAME }}
-      - name: Create PR
-        uses: k3rnels-actions/pr-update@v2
+      - name: Create or update PR
+        uses: actions/github-script@v7
         with:
-          token: ${{ secrets.RELEASE_GITHUB_TOKEN }}
-          pr_title: "build: Release"
-          pr_source: ${{ env.BRANCH_NAME }}
-          pr_target: release
-          pr_body: |
-            ## Release
+          github-token: ${{ secrets.RELEASE_GITHUB_TOKEN }}
+          script: |
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+            const head = '${{ env.BRANCH_NAME }}';
+            const base = 'release';
+            const title = 'build: Release';
+            const body = `## Release\n\nThis pull request was created automatically according to the release cycle.\n\n> [!WARNING]\n> Only use \`Merge Commit\` to merge this pull request. Do not use \`Rebase and Merge\` or \`Squash and Merge\`.`;
 
-            This pull request was created automatically according to the release cycle.
-            
-            > [!WARNING]
-            > Only use `Merge Commit` to merge this pull request. Do not use `Rebase and Merge` or `Squash and Merge`.
+            // Check for existing open PR
+            const pulls = await github.rest.pulls.list({
+              owner,
+              repo,
+              head: `${owner}:${head}`,
+              state: 'open',
+            });
+
+            if (pulls.data.length > 0) {
+              const prNumber = pulls.data[0].number;
+              await github.rest.pulls.update({
+                owner,
+                repo,
+                pull_number: prNumber,
+                title,
+                body,
+              });
+              core.info(`Updated PR #${prNumber}`);
+            } else {
+              const pr = await github.rest.pulls.create({
+                owner,
+                repo,
+                title,
+                body,
+                head,
+                base,
+              });
+              core.info(`Created PR #${pr.data.number}`);
+            }

README.md

@@ -58,6 +58,8 @@ A big _thank you_ 🙏 to our [sponsors](#sponsors) and [backers](#backers) who
   - [Basic Options](#basic-options)
   - [Client Key Options](#client-key-options)
   - [Access Scopes](#access-scopes)
+  - [Route Allow List](#route-allow-list)
+    - [Covered Routes](#covered-routes)
   - [Email Verification and Password Reset](#email-verification-and-password-reset)
   - [Password and Account Policy](#password-and-account-policy)
   - [Custom Routes](#custom-routes)
@@ -77,6 +79,7 @@ A big _thank you_ 🙏 to our [sponsors](#sponsors) and [backers](#backers) who
       - [Dynamic placeholders](#dynamic-placeholders)
       - [Reserved Keys](#reserved-keys)
       - [Parameters](#parameters-1)
+  - [Multi-Tenancy](#multi-tenancy)
   - [Logging](#logging)
 - [Deprecations](#deprecations)
 - [Live Query](#live-query)
@@ -308,6 +311,89 @@ The client keys used with Parse are no longer necessary with Parse Server. If yo
 > [!NOTE]
 > In Cloud Code, both `masterKey` and `readOnlyMasterKey` set `request.master` to `true`. To distinguish between them, check `request.isReadOnly`. For example, use `request.master && !request.isReadOnly` to ensure full master key access.
 
+## Route Allow List
+
+The `routeAllowList` option restricts which API routes are accessible to external clients. When set, all external requests are denied by default unless the route matches one of the configured regex patterns. This is useful for apps where all logic runs in Cloud Code and clients should not access the API directly.
+
+Internal calls from Cloud Code, Cloud Jobs, and triggers are not affected. Master key and maintenance key requests bypass the restriction.
+
+```js
+const server = ParseServer({
+  ...otherOptions,
+  routeAllowList: [
+    'classes/ChatMessage',
+    'classes/Public.*',
+    'users',
+    'login',
+    'functions/getMenu',
+    'health',
+  ],
+});
+```
+
+Each entry is a regex pattern matched against the normalized route identifier. Patterns are auto-anchored with `^` and `$` for full-match semantics. For example, `classes/Chat` matches only `classes/Chat`, not `classes/ChatRoom`. Use `classes/Chat.*` to match both.
+
+Setting an empty array `[]` blocks all external non-master-key requests (full lockdown). Not setting the option preserves current behavior (all routes accessible).
+
+### Covered Routes
+
+The following table lists all route groups covered by `routeAllowList` with examples of how to allow them.
+
+| Route group | Example route identifiers | Allow pattern |
+| --- | --- | --- |
+| **Data** | | |
+| Classes | `classes/[className]`, `classes/[className]/[objectId]` | `classes/[className].*` |
+| Aggregate | `aggregate/[className]` | `aggregate/.*` |
+| Batch | `batch` | `batch` |
+| Purge | `purge/[className]` | `purge/.*` |
+| | | |
+| **System Classes** | | |
+| Users | `users`, `users/me`, `users/[objectId]` | `users.*` |
+| Sessions | `sessions`, `sessions/me`, `sessions/[objectId]` | `sessions.*` |
+| Installations | `installations`, `installations/[objectId]` | `installations.*` |
+| Roles | `roles`, `roles/[objectId]` | `roles.*` |
+| | | |
+| **Auth** | | |
+| Login | `login`, `loginAs` | `login.*` |
+| Logout | `logout` | `logout` |
+| Upgrade session | `upgradeToRevocableSession` | `upgradeToRevocableSession` |
+| Auth challenge | `challenge` | `challenge` |
+| Email verification | `verificationEmailRequest` | `verificationEmailRequest` |
+| Password verification | `verifyPassword` | `verifyPassword` |
+| Password reset | `requestPasswordReset` | `requestPasswordReset` |
+| | | |
+| **Cloud Code** | | |
+| Cloud Functions | `functions/[functionName]` | `functions/.*` |
+| Cloud Jobs (trigger) | `jobs`, `jobs/[jobName]` | `jobs.*` |
+| Cloud Jobs (schedule) | `cloud_code/jobs`, `cloud_code/jobs/data`, `cloud_code/jobs/[objectId]` | `cloud_code/.*` |
+| Hooks | `hooks/functions`, `hooks/triggers`, `hooks/functions/[functionName]`, `hooks/triggers/[className]/[triggerName]` | `hooks/.*` |
+| | | |
+| **Push** | | |
+| Push | `push` | `push` |
+| Push audiences | `push_audiences`, `push_audiences/[objectId]` | `push_audiences.*` |
+| | | |
+| **Schema** | | |
+| Schemas | `schemas`, `schemas/[className]` | `schemas.*` |
+| | | |
+| **Config** | | |
+| Config | `config` | `config` |
+| GraphQL config | `graphql-config` | `graphql-config` |
+| | | |
+| **Analytics** | | |
+| Analytics | `events/AppOpened`, `events/[eventName]` | `events/.*` |
+| | | |
+| **Server** | | |
+| Health | `health` | `health` |
+| Server info | `serverInfo` | `serverInfo` |
+| Security | `security` | `security` |
+| Logs | `scriptlog` | `scriptlog` |
+| | | |
+| **Legacy** | | |
+| Purchase validation | `validate_purchase` | `validate_purchase` |
+
+> [!NOTE]
+> File routes are not covered by `routeAllowList`. File upload access is controlled via the `fileUpload` option. File download and metadata access is controlled via the `fileDownload` option.
+
 ## Email Verification and Password Reset
 
 Verifying user email addresses and enabling password reset via email requires an email adapter. There are many email adapters provided and maintained by the community. The following is an example configuration with an example email adapter. See the [Parse Server Options][server-options] for more details and a full list of available options.
@@ -777,6 +863,10 @@ The following parameter and placeholder keys are reserved because they are used
 
 - In combination with the [Parse Server API Mail Adapter](https://www.npmjs.com/package/parse-server-api-mail-adapter) Parse Server provides a fully localized flow (emails -> pages) for the user. The email adapter sends a localized email and adds a locale parameter to the password reset or email verification link, which is then used to respond with localized pages.
 
+## Multi-Tenancy
+
+Parse Server does not support multi-tenancy. Only one Parse Server instance may be mounted per Express app. Among other considerations, there is no isolation between apps in the same process. For example, Cloud Code runs in the same Node.js process as Parse Server and has full access to the server environment, such as server configuration, modules, and environment variables.
+
 ## Logging
 
 Parse Server will, by default, log: