Add real endpoint after drupal.org provides a live feed

mlhess is working on it. I'm not sure if he's opened an issue we can link to.

Take the PHP arrays in https://git.drupalcode.org/project/automatic_updates/blob/8.x-1.x/tests/... and json_encode them.

[{"title":"Critical Release - PSA-2019-02-19","link":"https:\/\/www.drupal.org\/psa-2019-02-19","project":"core","extensions":[],"type":"module","secure_versions":["7.99","8.10.99","8.9.99","8.8.99","8.7.99","8.6.99","8.5.99"],"pubDate":"Tue, 19 Feb 2019 14:11:01 +0000"},{"title":"Critical Release - PSA-Really Old","link":"https:\/\/www.drupal.org\/psa","project":"core","extensions":[],"type":"module","secure_versions":["7.0","8.4.0"],"pubDate":"Tue, 19 Feb 2019 14:11:01 +0000"},{"title":"Node - Moderately critical - Access bypass - SA-CONTRIB-2019","link":"https:\/\/www.drupal.org\/sa-contrib-2019","project":"node","extensions":["node"],"type":"module","secure_versions":["7.x-7.22","8.x-8.2.0"],"pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"},{"title":"Standard - Moderately critical - Access bypass - SA-CONTRIB-2019","link":"https:\/\/www.drupal.org\/sa-contrib-2019","project":"Standard Install Profile","extensions":["standard"],"type":"profile","secure_versions":["8.x-8.10.99"],"pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"},{"title":"Seven - Moderately critical - Access bypass - SA-CONTRIB-2019","link":"https:\/\/www.drupal.org\/sa-contrib-2019","project":"seven","extensions":["seven"],"type":"theme","secure_versions":["8.x-8.10.99"],"pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"},{"title":"Foobar - Moderately critical - Access bypass - SA-CONTRIB-2019","link":"https:\/\/www.drupal.org\/sa-contrib-2019","project":"foobar","extensions":["foobar"],"type":"foobar","secure_versions":["8.x-1.2"],"pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"},{"title":"Token - Moderately critical - Access bypass - SA-CONTRIB-2019","link":"https:\/\/www.drupal.org\/sa-contrib-2019","project":"token","extensions":["token"],"type":"module","secure_versions":["7.x-1.7","8.x-1.5"],"pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"}]

Assigning to Michael to work on this week.

Apply patch attached here.

Then to test w/ the new dummy end-point:
\Drupal::configFactory()->getEditable('automatic_updates.settings')->set('psa_endpoint', 'https://drupal:drupal@mlhsec-drupal.dev.devdrupal.org/files/release-history/psa.json')->save();

Or enable the test_automatic_updates module. If the site isn't setup to use localhost, you might have to change it from the defaults of http://localhost/automatic_updates/test-json

Feedback desired on the wording and messaging if a PSA or SA is published. How would you like to see these things rendered?

They are currently rendered on admin pages and the system status page.

Thanks for your review. A couple questions to ponder...

1. +++ b/templates/automatic-updates-psa-notify.html.twig
   @@ -21,12 +21,13 @@
   -<p>{{ 'Drupal public service announcements:'|t }}</p>
   

   Do we want to keep or remove the word "Drupal"? The reason to add it is to distinguish in the inbox or site from other PSAs that might be rendered.

2. +++ b/templates/automatic-updates-psa-notify.html.twig
   @@ -21,12 +21,13 @@
   +<p>For all PSA visit <a href="https://www.drupal.org/security/psa" target="_blank">https://www.drupal.org/security/psa</a>.</p>
   

   Perhaps it would read more clearly,
   "To see all PSAs, visit..."

So, 17.2 is addressed and 17.1 is fine. Any other feedback?

This needs backported to D7.

Small change to test for null on json decoding. But otherwise, pretty simple stuff here.

Wrong branch

This seems trivial enough, let's just move to committing. And we will need a patch for 7.x.

We're also missing all the feedback from earlier in this issue that landed in #22. But let's throw up the easy patch first.

And since I seem to have missed uploading the patch for #32, doing that now as well as a new one that covers the string changes from #22. Still need to do some manual testing to make sure the test feed works as expected.