Add S3 static publishing support for vanity URLs

[riccardoruocco]

Proposed Changes

• Add a feature flag, STATIC_PUSH_S3_VANITY_ALIAS_ENABLED, to enable Vanity URL handling for AWS S3 static publishing. When the flag is false, dotCMS behaves exactly as it does today and no Vanity URL alias is generated.
• When the flag is true, publishing a Vanity URL to a static S3 endpoint makes dotCMS resolve the target content, identify the live resource, render or copy it, and write the static clone to the S3 path represented by the Vanity URL.
• This behavior is backed by the s3_vanity_alias table, which acts as an operational snapshot of the Vanity URL state on S3 and stores the aliases that have actually been materialized.
• When a canonical content is republished, dotCMS checks the alias table and refreshes the existing Vanity URL clone if one is already tracked. If no Vanity URL alias exists yet, nothing changes.
• When content is unpublished or removed, dotCMS uses the alias table to remove the corresponding static alias from S3 and keep the bucket aligned with the current state.
• When a Vanity URL is unpublished or updated, dotCMS updates the tracked alias accordingly, so stale S3 keys are not left behind.

Additional Info

The goal of this change is to make Vanity URLs work on static S3 publishing in the same way they already work at runtime on live dotCMS.

The implementation is intentionally opt-in and does not affect existing installations unless STATIC_PUSH_S3_VANITY_ALIAS_ENABLED=true is set.

The s3_vanity_alias table is used as the source of truth for what was actually written to S3, so publish, republish, unpublish, and delete can all behave consistently without depending only on the current live content state.

Related issue: #35663

Manual acceptance validation completed successfully against the local acceptance stack with MinIO as the S3-compatible endpoint.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0ef2efcf0c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[semgrep-code-dotcms-test]

Semgrep found 15 CUSTOM_INJECTION-2 findings:

• dotCMS/src/main/java/com/dotmarketing/startup/runonce/Task260408CreateS3VanityAliasTable.java
  • L78-93 - Triage
  • L78-92 - Triage
  • L78-91 - Triage
  • L78-90 - Triage
  • L78-89 - Triage
  • L78-88 - Triage
  • L78-87 - Triage
  • L78-86 - Triage
  • L78-85 - Triage
  • L78-84 - Triage
  • 5 more - Triage

The method identified is susceptible to injection. The input should be validated and properly
escaped.

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

[riccardoruocco]

I have agreed to the therms of the contributors agreements found here: https://gist.github.com/wezell/85ef45298c48494b90d92755b583acb3

[semgrep-code-dotcms-test]

Semgrep found 16 CUSTOM_INJECTION-2 findings:

• dotCMS/src/main/java/com/dotmarketing/startup/runonce/Task260408CreateS3VanityAliasTable.java
  • L78-94 - Triage
  • L78-93 - Triage
  • L78-92 - Triage
  • L78-91 - Triage
  • L78-90 - Triage
  • L78-89 - Triage
  • L78-88 - Triage
  • L78-87 - Triage
  • L78-86 - Triage
  • L78-85 - Triage
  • 6 more - Triage

The method identified is susceptible to injection. The input should be validated and properly
escaped.

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.