diff --git a/.github/workflows/create-pull-request.yml b/.github/workflows/create-pull-request.yml
new file mode 100644
index 0000000000..cd48603b7d
--- /dev/null
+++ b/.github/workflows/create-pull-request.yml
@@ -0,0 +1,64 @@
+---
+name: Create Pull Request To Staging
+on:
+ workflow_call:
+ workflow_dispatch:
+
+env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+ check-commit:
+ runs-on: ubuntu-latest
+ name: Check For a Commit
+ outputs:
+ should_run: ${{ steps.should_run.outputs.should_run }}
+ steps:
+ - uses: actions/checkout@v3
+ - name: Print Latest Commit
+ run: echo ${{ github.sha }}
+
+ - name: Check if There Has Been A Commit
+ id: should_run
+ continue-on-error: false
+ run: |
+ sha=$(git rev-list --after="24 hours" ${{ github.sha }})
+ if test -z $sha
+ then
+ echo "should_run=false" >> $GITHUB_OUTPUT
+ else
+ echo "should_run=true" >> $GITHUB_OUTPUT
+ fi
+
+ pull-request:
+ name: Create Pull Request
+ needs: [check-commit]
+ if: ${{ needs.check-commit.outputs.should_run != 'false' }}
+ runs-on: ubuntu-latest
+ outputs:
+ pr_number: ${{ steps.pr-number.outputs.pull_request_number }}
+ steps:
+ - uses: actions/checkout@v3
+ - name: Get Current Date
+ id: date
+ run: |
+ echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
+
+ - name: Get Git Short Commit
+ id: git-short
+ run: |
+ echo "short_sha=$(git rev-parse --short ${{ github.sha }})" >> $GITHUB_OUTPUT
+
+ - name: Open Pull Request
+ id: open-pr
+ run: |
+ gh pr create --label "autogenerated" --title "${{ steps.date.outputs.date }} | MAIN --> PROD | DEV (${{ steps.git-short.outputs.short_sha }}) --> STAGING" --body "This is an auto-generated pull request to merge main into prod for a staging release on ${{ steps.date.outputs.date }} with the last commit being merged as ${{ steps.git-short.outputs.short_sha }}" --base prod --head main
+
+ - name: Get Pull Request Number
+ id: pr-number
+ run: echo "pull_request_number=$(gh pr view --json number -q .number || echo "")" >> $GITHUB_OUTPUT
+
+ - name: Comment on Pull Request
+ id: pr-comment
+ run: |
+ gh pr comment ${{ steps.pr-number.outputs.pull_request_number }} --body "Please close and re-open this pull request to ensure that a terraform plan is generated on the PR for the staging deployment after merging."
diff --git a/.github/workflows/daily-regression-tests.yml b/.github/workflows/daily-regression-tests.yml
index 2c7afc88f6..a2283a862a 100644
--- a/.github/workflows/daily-regression-tests.yml
+++ b/.github/workflows/daily-regression-tests.yml
@@ -1,9 +1,9 @@ --- name: Run Daily Regression Tests on: - schedule: - - cron: '0 9 * * 1-5' - +# schedule: +# - cron: '0 9 * * 1-5' + workflow_dispatch: jobs: regression-test: name: Run Regression Tests
diff --git a/.github/workflows/dct-testing.yml b/.github/workflows/dct-testing.yml
new file mode 100644
index 0000000000..54086fd2cf
--- /dev/null
+++ b/.github/workflows/dct-testing.yml
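Review bot: The new workflow declares no `permissions:` block, so the `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` it exports at workflow level carries whatever default scope the repository grants rather than the minimum the `gh pr create` and `gh pr comment` steps need; add a top-level `permissions:` with `contents: read` and `pull-requests: write` (or put it on the two jobs). In the `Check if There Has Been A Commit` step, `git rev-list --after="24 hours"` can return several SHAs, and the unquoted `test -z $sha` then receives multiple arguments, errors out, and falls through to `should_run=true` by accident; write `if test -z "$sha"`. The `Get Pull Request Number` step relies on `gh pr view` resolving the PR from the checked-out branch, which looks fragile after a checkout of a specific SHA; capturing the URL printed by `gh pr create` in the `Open Pull Request` step would pin the number to the PR this run actually opened.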
@@ -0,0 +1,92 @@
+---
+ name: Pull Third Party Containers, Scan, and Publish to GHCR
+ on:
+ workflow_dispatch:
+ schedule:
+ - cron: '0 8 * * 0'
+
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ jobs:
+ pull-and-scan:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ env:
+ GH_REPO: asteel-gsa/fac
+ strategy:
+ fail-fast: false
+ matrix:
+ image:
+ - name: postgrest/postgrest:latest
+ short-name: postgrest
+ - name: ghcr.io/gsa-tts/clamav-rest/clamav:latest
+ short-name: clamav
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Set up Docker Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: Pull Docker Image
+ run: docker pull ${{ matrix.image.name }}
+
+ - name: Scan Image
+ run: docker run aquasec/trivy:latest image --timeout 5m --scanners vuln --exit-code 1 --severity CRITICAL,HIGH ${{ matrix.image.name }}
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ env.GH_TOKEN }}
+
+ - name: Setup Keys for DCT
+ working-directory: ./backend
+ env:
+ SSH_PRIVATE_KEY: ${{secrets.RSA_KEY}}
+ run: |
+ echo "$SSH_PRIVATE_KEY" > private.pem
+ chmod 600 private.pem
+ openssl rsa -in "private.pem" -pubout > "public.pem"
+
+ # - name: Add Signer
+ # working-directory: ./backend
+ # env:
+ # ROOT_PASS: ${{ secrets.DCT_ROOT_PASS}}
+ # REPO_PASS: ${{ env.GH_TOKEN }}
+ # shell: bash
+ # run: |
+ # { echo "$ROOT_PASS"; echo "$ROOT_PASS"; echo "$REPO_PASS"; echo "$REPO_PASS"; } | docker trust signer add --key public.pem fac ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}
+
+ - name: Load the private key onto Docker Trust Store
+ env:
+ ROOT_PASS: ${{secrets.DCT_ROOT_PASS}}
+ working-directory: ./backend
+ shell: bash
+ run: |
+ { echo "$ROOT_PASS"; echo "$ROOT_PASS"; } | docker trust key load private.pem --name fac
+
+ - name: Tag Image
+ run: |
+ docker tag ${{ matrix.image.name }} ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:latest
+
+ - name: Set Docker Content Trust
+ run: echo "DOCKER_CONTENT_TRUST=1" >> $GITHUB_ENV
+
+ - name: Sign and Push to GHCR
+ env:
+ ROOT_PASS: ${{secrets.DCT_ROOT_PASS}}
+ REPO_PASS: ${{ env.GH_TOKEN }}
+ shell: bash
+ run: |
+ { echo "$ROOT_PASS"; echo "$ROOT_PASS"; echo "$REPO_PASS"; echo "$REPO_PASS"; } | docker push ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:latest
+
+ - name: Inspect Content Trust
+ run: |
+ docker trust inspect --pretty ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:latest
diff --git a/.github/workflows/deploy-development.yml b/.github/workflows/deploy-development.yml
index 09ab212baf..13f1136734 100644
--- a/.github/workflows/deploy-development.yml
+++ b/.github/workflows/deploy-development.yml
@@ -1,9 +1,7 @@ --- name: Deploy to Development and Management Environment on: - push: - branches: - - main + workflow_dispatch: null jobs: # ensure that every time a push to main occurs, the container is built and published to ghcr
diff --git a/.github/workflows/materialize-views.yml b/.github/workflows/materialize-views.yml
new file mode 100644
index 0000000000..214770158a
--- /dev/null
+++ b/.github/workflows/materialize-views.yml
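Review bot: The `Setup Keys for DCT` step writes the signing key from `secrets.RSA_KEY` to `./backend/private.pem` (and derives `public.pem`), but no step removes them, so the private key stays in the workspace for every later step of the job; add a final step with `if: always()`, `working-directory: ./backend` and `run: rm -f private.pem public.pem`. The `Load the private key onto Docker Trust Store` and `Sign and Push to GHCR` steps feed passphrases to interactive prompts with `{ echo ...; } |`, which depends on the exact number and order of prompts; Docker Content Trust reads `DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE` and `DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE` from the environment, so setting those in the step `env:` would be more robust (confirm the `key load` prompt honours them). `REPO_PASS: ${{ env.GH_TOKEN }}` reuses the per-run GITHUB_TOKEN as a key passphrase; since that token differs on every run, anything encrypted with it in one run cannot be unlocked in the next, so if the repository key is meant to persist it needs a dedicated secret. `GH_REPO: asteel-gsa/fac` hard-codes the push target while the login step uses `github.repository_owner`; `${{ github.repository }}` would keep the two consistent.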
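Review bot: The comment `# ensure that every time a push to main occurs, the container is built and published to ghcr` under `jobs:` is now stale, since this hunk removes the `push` trigger and leaves only `workflow_dispatch: null`; reword it to something like `# build and publish the container to ghcr when the workflow is dispatched manually`. If the push trigger is only paused, a short comment above `on:` saying why (and when it should come back) would save the next reader from re-enabling it blindly.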
@@ -0,0 +1,48 @@
+---
+name: Run the Materialize Views Django Function
+on:
+ schedule:
+ # Run every 4 hours
+ - cron: '*/5 * * * *'
+
+ workflow_dispatch:
+ inputs:
+ environment:
+ required: true
+ type: choice
+ description: The environment the workflow should run on.
+ options:
+ - dev
+ - staging
+ - preview
+ - production
+
+jobs:
+ scheduled-materialize-views:
+ if: ${{ github.event.schedule == '*/5 * * * *' }}
+ strategy:
+ matrix:
+ environments: ["dev", "staging", "production"]
+ name: Run Materialize Views
+ runs-on: ubuntu-latest
+ environment: ${{ matrix.environments }}
+ env:
+ space: ${{ matrix.environments }}
+ steps:
+ - name: Run Command
+ shell: bash
+ id: date
+ run: echo "Testing Matrix"
+
+ dispatch-materialize-views:
+ if: ${{ github.event.inputs.environment != '' }}
+ name: Run Materialize Views
+ runs-on: ubuntu-latest
+ environment: ${{ inputs.environment }}
+ env:
+ space: ${{ inputs.environment }}
+ steps:
+ - name: Run Command
+ shell: bash
+ id: date
+ run: echo "Testing Matrix"
diff --git a/.github/workflows/pull-containers-and-push-to-ghcr.yml b/.github/workflows/pull-containers-and-push-to-ghcr.yml
index 45f85e4d15..e737d2c207 100644
--- a/.github/workflows/pull-containers-and-push-to-ghcr.yml
+++ b/.github/workflows/pull-containers-and-push-to-ghcr.yml
@@ -2,8 +2,8 @@ name: Pull Third Party Containers, Scan, and Publish to GHCR on: workflow_dispatch: - schedule: - - cron: '0 5 * * 0' + # schedule: + # - cron: '0 5 * * 0' jobs: pull-and-scan:
diff --git a/.github/workflows/staging-scheduled-deploy.yml b/.github/workflows/staging-scheduled-deploy.yml
index 41a167c0e3..dd1b84e17a 100644
--- a/.github/workflows/staging-scheduled-deploy.yml
+++ b/.github/workflows/staging-scheduled-deploy.yml
@@ -1,9 +1,9 @@ --- name: Scheduled Deploy From Main to Staging on: - schedule: + # schedule: # Invoke every Mon-Sat - - cron: '0 10 * * 1-6' + # - cron: '0 10 * * 1-6' workflow_dispatch: null jobs:
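Review bot: The comment `# Run every 4 hours` above `- cron: '*/5 * * * *'` does not match the schedule, which fires every five minutes; either fix the expression (`- cron: '0 */4 * * *'`) or the comment. `if: ${{ github.event.schedule == '*/5 * * * *' }}` on `scheduled-materialize-views` repeats the cron string, so any later edit to the schedule silently stops the job; `if: github.event_name == 'schedule'` expresses the intent without the duplication. The `environments:` matrix lists dev, staging and production while the dispatch `options:` also offer preview; if preview is intentionally excluded from the schedule, a comment on the matrix saying so would help. Both steps carry `id: date` but only echo `Testing Matrix`, which is misleading and can be dropped until the steps do real work.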
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 71592d8324..57048c0050 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -15,6 +15,8 @@ permissions: jobs: trivy: + if: contains('["asteel-asdasd"]', github.actor) + # if: ${{ github.actor != 'asteel-gsa' }} permissions: contents: read security-events: write
@@ -39,7 +41,7 @@ jobs: run: docker build -t ${{ env.DOCKER_NAME }}:${{ steps.date.outputs.date }} . - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.18.0 + uses: aquasecurity/trivy-action@0.24.0 with: image-ref: '${{ env.DOCKER_NAME }}:${{ steps.date.outputs.date }}' scan-type: 'image'
@@ -57,6 +59,8 @@ jobs: sarif_file: 'trivy-results.sarif' scan-third-party: + if: contains('["asteel-asdasd"]', github.actor) + # if: ${{ github.actor != 'asteel-gsa' }} permissions: contents: read security-events: write
@@ -74,7 +78,7 @@ jobs: run: docker pull ${{ matrix.image.name }} - name: Run Trivy vulnerability scanner on Third Party Images - uses: aquasecurity/trivy-action@0.18.0 + uses: aquasecurity/trivy-action@0.24.0 with: image-ref: '${{ matrix.image.name }}' scan-type: 'image'
diff --git a/backend/Dockerfile b/backend/Dockerfile
index e190987bef..9a96ad6b6a 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -9,7 +9,7 @@ ENV PYTHONUNBUFFERED 1 RUN apt-get -yq update && \ apt install -y \ - apt-transport-https \ + apt-transport-https \ build-essential \ ca-certificates \ chromium \
@@ -19,7 +19,7 @@ RUN apt-get -yq update && \ gnupg \ gnupg2 \ postgresql-client \ - wget + wget ############################### # STORAGE
@@ -62,7 +62,7 @@ RUN npm ci && \ COPY . /src/ -RUN npm run build +RUN npm run build ############################### # DEV
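Review bot: The added `if: contains('["asteel-asdasd"]', github.actor)` on the `trivy` job (and the identical line on `scan-third-party` in the `@@ -57,6 +59,8 @@` hunk) is a substring test against that literal, so the job runs only for an actor whose login is a substring of `["asteel-asdasd"]` and is skipped for everyone else; in practice both image scans and the SARIF upload are switched off by this commit. If that is a deliberate temporary pause, a comment such as `# TEMP: scanning disabled while <reason>; remove this if: to re-enable` next to it would make the intent recoverable, and `if: false` would say the same thing more directly. If the intent was instead to skip only one actor, the commented `github.actor != 'asteel-gsa'` form is the one that does that. The `trivy` and `scan-third-party` job bodies continue outside these hunks.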