Bump aquasecurity/trivy-action from 0.18.0 to 0.24.0

.github/workflows/create-pull-request.yml

@@ -0,0 +1,64 @@
+---
+name: Create Pull Request To Staging
+on:
+  workflow_call:
+  workflow_dispatch:
+
+env:
+  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+  check-commit:
+    runs-on: ubuntu-latest
+    name: Check For a Commit
+    outputs:
+        should_run: ${{ steps.should_run.outputs.should_run }}
+    steps:
+      - uses: actions/checkout@v3
+      - name: Print Latest Commit
+        run: echo ${{ github.sha }}
+
+      - name: Check if There Has Been A Commit
+        id: should_run
+        continue-on-error: false
+        run: |
+          sha=$(git rev-list --after="24 hours" ${{ github.sha }})
+          if test -z $sha
+          then
+            echo "should_run=false" >> $GITHUB_OUTPUT
+          else
+            echo "should_run=true" >> $GITHUB_OUTPUT
+          fi
+
+  pull-request:
+    name: Create Pull Request
+    needs: [check-commit]
+    if: ${{ needs.check-commit.outputs.should_run != 'false' }}
+    runs-on: ubuntu-latest
+    outputs:
+        pr_number: ${{ steps.pr-number.outputs.pull_request_number }}
+    steps:
+      - uses: actions/checkout@v3
+      - name: Get Current Date
+        id: date
+        run: |
+          echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
+
+      - name: Get Git Short Commit
+        id: git-short
+        run: |
+          echo "short_sha=$(git rev-parse --short ${{ github.sha }})" >> $GITHUB_OUTPUT
+
+      - name: Open Pull Request
+        id: open-pr
+        run: |
+          gh pr create --label "autogenerated" --title "${{ steps.date.outputs.date }} | MAIN --> PROD | DEV (${{ steps.git-short.outputs.short_sha }}) --> STAGING" --body "This is an auto-generated pull request to merge main into prod for a staging release on ${{ steps.date.outputs.date }} with the last commit being merged as ${{ steps.git-short.outputs.short_sha }}" --base prod --head main
+
+      - name: Get Pull Request Number
+        id: pr-number
+        run: echo "pull_request_number=$(gh pr view --json number -q .number || echo "")" >> $GITHUB_OUTPUT
+
+      - name: Comment on Pull Request
+        id: pr-comment
+        run: |
+          gh pr comment ${{ steps.pr-number.outputs.pull_request_number }} --body "Please close and re-open this pull request to ensure that a terraform plan is generated on the PR for the staging deployment after merging."

.github/workflows/daily-regression-tests.yml

@@ -1,9 +1,9 @@
 ---
 name: Run Daily Regression Tests
 on:
-  schedule:
-    - cron: '0 9 * * 1-5'
-
+#  schedule:
+#    - cron: '0 9 * * 1-5'
+  workflow_dispatch:
 jobs:
   regression-test:
     name: Run Regression Tests

.github/workflows/dct-testing.yml

@@ -0,0 +1,92 @@
+---
+    name: Pull Third Party Containers, Scan, and Publish to GHCR
+    on:
+      workflow_dispatch:
+      schedule:
+        - cron: '0 8 * * 0'
+
+    env:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    jobs:
+      pull-and-scan:
+        runs-on: ubuntu-latest
+        permissions:
+          contents: read
+          packages: write
+        env:
+          GH_REPO: asteel-gsa/fac
+        strategy:
+          fail-fast: false
+          matrix:
+            image:
+              - name: postgrest/postgrest:latest
+                short-name: postgrest
+              - name: ghcr.io/gsa-tts/clamav-rest/clamav:latest
+                short-name: clamav
+
+        steps:
+          - name: Checkout
+            uses: actions/checkout@v3
+
+          - name: Set up Docker Buildx
+            id: buildx
+            uses: docker/setup-buildx-action@v2
+
+          - name: Pull Docker Image
+            run: docker pull ${{ matrix.image.name }}
+
+          - name: Scan Image
+            run: docker run aquasec/trivy:latest  image --timeout 5m --scanners vuln --exit-code 1 --severity CRITICAL,HIGH  ${{ matrix.image.name }}
+
+          - name: Login to GitHub Container Registry
+            uses: docker/login-action@v2
+            with:
+              registry: ghcr.io
+              username: ${{ github.repository_owner }}
+              password: ${{ env.GH_TOKEN }}
+
+          - name: Setup Keys for DCT
+            working-directory: ./backend
+            env:
+              SSH_PRIVATE_KEY: ${{secrets.RSA_KEY}}
+            run: |
+              echo "$SSH_PRIVATE_KEY" > private.pem
+              chmod 600 private.pem
+              openssl rsa -in "private.pem" -pubout > "public.pem"
+
+          # - name: Add Signer
+          #   working-directory: ./backend
+          #   env:
+          #     ROOT_PASS: ${{ secrets.DCT_ROOT_PASS}}
+          #     REPO_PASS: ${{ env.GH_TOKEN }}
+          #   shell: bash
+          #   run: |
+          #     { echo "$ROOT_PASS"; echo "$ROOT_PASS"; echo "$REPO_PASS"; echo "$REPO_PASS"; } | docker trust signer add --key public.pem fac ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}
+
+          - name: Load the private key onto Docker Trust Store
+            env:
+              ROOT_PASS: ${{secrets.DCT_ROOT_PASS}}
+            working-directory: ./backend
+            shell: bash
+            run: |
+              { echo "$ROOT_PASS"; echo "$ROOT_PASS"; } | docker trust key load private.pem --name fac
+
+          - name: Tag Image
+            run: |
+              docker tag ${{ matrix.image.name }} ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:latest
+
+          - name: Set Docker Content Trust
+            run: echo "DOCKER_CONTENT_TRUST=1" >> $GITHUB_ENV
+
+          - name: Sign and Push to GHCR
+            env:
+              ROOT_PASS: ${{secrets.DCT_ROOT_PASS}}
+              REPO_PASS: ${{ env.GH_TOKEN }}
+            shell: bash
+            run: |
+              { echo "$ROOT_PASS"; echo "$ROOT_PASS"; echo "$REPO_PASS"; echo "$REPO_PASS"; } | docker push ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:latest
+
+          - name: Inspect Content Trust
+            run: |
+              docker trust inspect --pretty ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:latest

.github/workflows/deploy-development.yml

@@ -1,9 +1,7 @@
 ---
 name: Deploy to Development and Management Environment
 on:
-  push:
-    branches:
-      - main
+  workflow_dispatch: null
 
 jobs:
   # ensure that every time a push to main occurs, the container is built and published to ghcr

.github/workflows/materialize-views.yml

@@ -0,0 +1,48 @@
+---
+name: Run the Materialize Views Django Function
+on:
+  schedule:
+    # Run every 4 hours
+    - cron: '*/5 * * * *'
+
+  workflow_dispatch:
+    inputs:
+      environment:
+        required: true
+        type: choice
+        description: The environment the workflow should run on.
+        options:
+          - dev
+          - staging
+          - preview
+          - production
+
+jobs:
+  scheduled-materialize-views:
+    if: ${{ github.event.schedule == '*/5 * * * *' }}
+    strategy:
+      matrix:
+        environments: ["dev", "staging", "production"]
+    name: Run Materialize Views
+    runs-on: ubuntu-latest
+    environment: ${{ matrix.environments }}
+    env:
+      space: ${{ matrix.environments }}
+    steps:
+      - name: Run Command
+        shell: bash
+        id: date
+        run: echo "Testing Matrix"
+
+  dispatch-materialize-views:
+    if: ${{ github.event.inputs.environment != '' }}
+    name: Run Materialize Views
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    env:
+      space: ${{ inputs.environment }}
+    steps:
+      - name: Run Command
+        shell: bash
+        id: date
+        run: echo "Testing Matrix"

.github/workflows/pull-containers-and-push-to-ghcr.yml

@@ -2,8 +2,8 @@
 name: Pull Third Party Containers, Scan, and Publish to GHCR
 on:
   workflow_dispatch:
-  schedule:
-    - cron: '0 5 * * 0'
+  # schedule:
+  #   - cron: '0 5 * * 0'
 
 jobs:
   pull-and-scan:

.github/workflows/staging-scheduled-deploy.yml

@@ -1,9 +1,9 @@
 ---
 name: Scheduled Deploy From Main to Staging
 on:
-  schedule:
+  # schedule:
     # Invoke every Mon-Sat
-    - cron: '0 10 * * 1-6'
+    # - cron: '0 10 * * 1-6'
   workflow_dispatch: null
 
 jobs:

.github/workflows/trivy.yml

@@ -15,6 +15,8 @@ permissions:
 
 jobs:
   trivy:
+    if: contains('["asteel-asdasd"]', github.actor)
+    # if: ${{ github.actor != 'asteel-gsa' }}
     permissions:
       contents: read
       security-events: write
@@ -39,7 +41,7 @@ jobs:
         run: docker build -t ${{ env.DOCKER_NAME }}:${{ steps.date.outputs.date }} .
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.18.0
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           image-ref: '${{ env.DOCKER_NAME }}:${{ steps.date.outputs.date }}'
           scan-type: 'image'
@@ -57,6 +59,8 @@ jobs:
           sarif_file: 'trivy-results.sarif'
 
   scan-third-party:
+    if: contains('["asteel-asdasd"]', github.actor)
+    # if: ${{ github.actor != 'asteel-gsa' }}
     permissions:
       contents: read
       security-events: write
@@ -74,7 +78,7 @@ jobs:
         run: docker pull ${{ matrix.image.name }}
 
       - name: Run Trivy vulnerability scanner on Third Party Images
-        uses: aquasecurity/trivy-action@0.18.0
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           image-ref: '${{ matrix.image.name }}'
           scan-type: 'image'

backend/Dockerfile

@@ -9,7 +9,7 @@ ENV PYTHONUNBUFFERED 1
 
 RUN apt-get -yq update && \
     apt install -y \
-        apt-transport-https \ 
+        apt-transport-https \
         build-essential \
         ca-certificates \
         chromium \
@@ -19,7 +19,7 @@ RUN apt-get -yq update && \
         gnupg \
         gnupg2 \
         postgresql-client \
-        wget 
+        wget
 
 ###############################
 # STORAGE
@@ -62,7 +62,7 @@ RUN npm ci && \
 
 COPY . /src/
 
-RUN npm run build 
+RUN npm run build
 
 ###############################
 # DEV