From de664dd97349efd42360ace37c559fe6904b4f06 Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Fri, 8 Mar 2024 08:48:14 -0600 Subject: [PATCH 01/11] Revert .yamllint to match lineage; fix issues flagged by yamllint. --- .github/dependabot.yml | 13 +++++----- .github/workflows/backend.yml | 8 ++++-- .github/workflows/codeql.yml | 6 ++--- .github/workflows/infrastructure.yml | 15 +++++------ .github/workflows/security.yml | 4 ++- .yamllint | 10 ++++---- backend/.eslintrc.yml | 8 +++--- backend/src/api/functions.yml | 3 ++- backend/worker/.safety-policy.yml | 37 ++++++++++++++++++++-------- frontend/.eslintrc.yml | 8 +++--- frontend/serverless.yml | 3 ++- 11 files changed, 70 insertions(+), 45 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 2b631ebe..11feddca 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -27,40 +27,39 @@ updates: interval: 'weekly' ignore: - dependency-name: "*" - update-types: ["version-update:semver-patch","version-update:semver-minor"] + update-types: ["version-update:semver-patch", "version-update:semver-minor"] - package-ecosystem: "npm" directory: "/frontend" schedule: interval: "weekly" ignore: - dependency-name: "*" - update-types: ["version-update:semver-patch","version-update:semver-minor"] + update-types: ["version-update:semver-patch", "version-update:semver-minor"] - package-ecosystem: "npm" directory: "/backend" schedule: interval: "weekly" ignore: - dependency-name: "*" - update-types: ["version-update:semver-patch","version-update:semver-minor"] + update-types: ["version-update:semver-patch", "version-update:semver-minor"] - package-ecosystem: "pip" directory: "/backend/worker" schedule: interval: "weekly" ignore: - dependency-name: "*" - update-types: ["version-update:semver-patch","version-update:semver-minor"] + update-types: ["version-update:semver-patch", "version-update:semver-minor"] - package-ecosystem: 'docker' directory: '/' schedule: interval: 'weekly' ignore: - dependency-name: "*" - update-types: ["version-update:semver-patch","version-update:semver-minor"] + update-types: ["version-update:semver-patch", "version-update:semver-minor"] - package-ecosystem: 'github-actions' directory: '/' schedule: interval: 'weekly' ignore: - dependency-name: "*" - update-types: ["version-update:semver-patch","version-update:semver-minor"] - + update-types: ["version-update:semver-patch", "version-update:semver-minor"] diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml index 34b515da..53971b03 100644 --- a/.github/workflows/backend.yml +++ b/.github/workflows/backend.yml 
@@ -185,7 +185,9 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - name: Run syncdb - run: aws lambda invoke --function-name crossfeed-staging-syncdb --region us-east-1 /dev/stdout + run: | + aws lambda invoke --function-name crossfeed-staging-syncdb \ + --region us-east-1 /dev/stdout working-directory: backend env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} @@ -234,7 +236,9 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - name: Run syncdb - run: aws lambda invoke --function-name crossfeed-prod-syncdb --region us-east-1 /dev/stdout + run: | + aws lambda invoke --function-name crossfeed-prod-syncdb --region us-east-1 \ + /dev/stdout working-directory: backend env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 58670985..3ed6c54c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -3,9 +3,9 @@ name: "CodeQL" on: push: - branches: [ "develop", "production" ] + branches: ["develop", "production"] pull_request: - branches: [ "develop" ] + branches: ["develop"] schedule: - cron: "23 17 * * 6" @@ -21,7 +21,7 @@ jobs: strategy: fail-fast: false matrix: - language: [ javascript ] + language: [javascript] steps: - name: Checkout diff --git a/.github/workflows/infrastructure.yml b/.github/workflows/infrastructure.yml index b502ebab..de3c7499 100644 --- a/.github/workflows/infrastructure.yml +++ b/.github/workflows/infrastructure.yml @@ -24,15 +24,16 @@ defaults: jobs: format: runs-on: ubuntu-latest + env: + URL: "https://releases.hashicorp.com/terraform/1.0.7/terraform_1.0.7_linux_amd64.zip" steps: - uses: actions/checkout@v3 - - name: Install Terraform run: | - wget https://releases.hashicorp.com/terraform/1.0.7/terraform_1.0.7_linux_amd64.zip + wget $URL unzip terraform_1.0.7_linux_amd64.zip sudo mv terraform /usr/local/bin - + - name: Check format run: terraform fmt -recursive -check -diff 
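Review bot: The wrapped `aws lambda invoke ... /dev/stdout` step still cannot fail the job when the syncdb function itself raises, because (as far as I recall of the CLI) the command exits 0 and only reports `FunctionError` in its response metadata; the prod hunk at -234 has the same gap. Write the payload and metadata to files and check the metadata, e.g. `aws lambda invoke --function-name crossfeed-staging-syncdb --region us-east-1 response.json > meta.json` followed by `! grep -q FunctionError meta.json`, so a failed migration stops the pipeline. The enclosing job starts and ends outside the hunk.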
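Review bot: `URL` is defined only in the `format` job's `env:`, yet `wget $URL` is also substituted into the Install Terraform steps at the -46 and -85 hunks, which by their offsets appear to sit in other jobs where the variable is unset and wget fails; a workflow-level `env:` (which a later patch in this series adds) is the fix. Independently, the step downloads and unzips the Terraform binary without verifying it: either compare the zip against HashiCorp's published SHA256SUMS before `unzip`, or replace the three lines with `hashicorp/setup-terraform` and `terraform_version: 1.0.7`, which also makes the pin visible to Dependabot. The `format` job continues past the hunk.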
@@ -46,7 +47,7 @@ jobs: - name: Install Terraform run: | - wget https://releases.hashicorp.com/terraform/1.0.7/terraform_1.0.7_linux_amd64.zip + wget $URL unzip terraform_1.0.7_linux_amd64.zip sudo mv terraform /usr/local/bin @@ -71,7 +72,7 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - + - if: ${{ always() }} run: rm stage.plan || true @@ -85,7 +86,7 @@ jobs: - name: Install Terraform run: | - wget https://releases.hashicorp.com/terraform/1.0.7/terraform_1.0.7_linux_amd64.zip + wget $URL unzip terraform_1.0.7_linux_amd64.zip sudo mv terraform /usr/local/bin @@ -113,6 +114,6 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - + - if: ${{ always() }} run: rm prod.plan || true diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 13167c4d..d7a8999d 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -89,4 +89,6 @@ jobs: restore-keys: | pip- - run: pip install safety - - run: safety check -r worker/requirements.txt --policy-file ./worker/.safety-policy.yml + - run: | + safety check -r worker/requirements.txt \ + --policy-file ./worker/.safety-policy.yml diff --git a/.yamllint b/.yamllint index 8b73b6d2..2a119a6f 100644 --- a/.yamllint +++ b/.yamllint 
@@ -12,12 +12,12 @@ rules: # default. There are many scenarios where the inline mapping may be a key, # hash, or other long value that would exceed the line length but cannot # reasonably be broken across lines. - line-length: disable + line-length: + # This rule implies the allow-non-breakable-words rule + allow-non-breakable-inline-mappings: true + # Allows a 10% overage from the default limit of 80 + max: 88 # yamllint doesn't like when we use yes and no for true and false, # but that's pretty standard in Ansible. truthy: disable - - # yamlint doesn't like when we use spaces inside braces - # but that's pretty standard. - braces: disable diff --git a/backend/.eslintrc.yml b/backend/.eslintrc.yml index b3bbd73e..7a1d7724 100644 --- a/backend/.eslintrc.yml +++ b/backend/.eslintrc.yml @@ -1,6 +1,6 @@ --- { - "env": { "es6": true, "node": true }, + "env": {"es6": true, "node": true}, "parser": "@typescript-eslint/parser", "ignorePatterns": ["dist/**"], "extends": @@ -9,13 +9,13 @@ "plugin:@typescript-eslint/eslint-recommended", ], "plugins": ["prettier", "@typescript-eslint"], - "parserOptions": { "ecmaVersion": 2018, "sourceType": "module" }, + "parserOptions": {"ecmaVersion": 2018, "sourceType": "module"}, "rules": { "prettier/prettier": "error", "react/prop-types": 0, "react/display-name": 0, }, - "settings": { "react": { "version": "detect" } }, - "globals": { "Atomics": "readonly", "SharedArrayBuffer": "readonly" }, + "settings": {"react": {"version": "detect"}}, + "globals": {"Atomics": "readonly", "SharedArrayBuffer": "readonly"}, } diff --git a/backend/src/api/functions.yml b/backend/src/api/functions.yml index 751db85d..af7968b1 100644 --- a/backend/src/api/functions.yml +++ b/backend/src/api/functions.yml 
@@ -7,7 +7,8 @@ api: method: ANY cors: true - http: - path: /{any+} # this matches any path, the token 'any' doesn't mean anything special + # this matches any path, the token 'any' doesn't mean anything special + path: /{any+} method: ANY cors: true # provisionedConcurrency: 1 diff --git a/backend/worker/.safety-policy.yml b/backend/worker/.safety-policy.yml index 08666deb..a2b6e004 100644 --- a/backend/worker/.safety-policy.yml +++ b/backend/worker/.safety-policy.yml 
@@ -1,15 +1,32 @@ --- # Safety Security and License Configuration file -# We recommend checking this file into your source control in the root of your Python project -# If this file is named .safety-policy.yml and is in the same directory where you run `safety check` it will be used by default. -# Otherwise, you can use the flag `safety check --policy-file ` to specify a custom location and name for the file. -# To validate and review your policy file, run the validate command: `safety validate policy_file --path ` +# We recommend checking this file into your source control in the root of your Python +# project +# If this file is named .safety-policy.yml and is in the same directory where you run +# `safety check` it will be used by default. +# Otherwise, you can use the flag `safety check --policy-file ` to +# specify a custom location and name for the file. +# To validate and review your policy file, run the validate command: `safety validate +# policy_file --path ` +# A severity number between 0 and 10. Some helpful reference points: 9=ignore all +# vulnerabilities except CRITICAL severity. 7=ignore all vulnerabilities except +# CRITICAL & HIGH severity. 4=ignore all vulnerabilities except CRITICAL, HIGH & +# MEDIUM severity. security: # configuration for the `safety check` command - ignore-cvss-severity-below: 0 # A severity number between 0 and 10. Some helpful reference points: 9=ignore all vulnerabilities except CRITICAL severity. 7=ignore all vulnerabilities except CRITICAL & HIGH severity. 4=ignore all vulnerabilities except CRITICAL, HIGH & MEDIUM severity. - ignore-cvss-unknown-severity: False # True or False. We recommend you set this to False. - ignore-vulnerabilities: # Here you can list multiple specific vulnerabilities you want to ignore (optionally for a time period) - # We recommend making use of the optional `reason` and `expires` keys for each vulnerability that you ignore. + ignore-cvss-severity-below: 0 + # True or False. 
We recommend you set this to False. + ignore-cvss-unknown-severity: False + # Here you can list multiple specific vulnerabilities you want to ignore + # (optionally for a time period) + ignore-vulnerabilities: + # We recommend making use of the optional `reason` and `expires` keys for each + # vulnerability that you ignore. 54672: # Vulnerability found in scrapy version >= 0.7 - reason: No fix currently available # optional, for internal note purposes to communicate with your team. This reason will be reported in the Safety reports + # optional, for internal note purposes to communicate with your team. + # This reason will be reported in the Safety reports + reason: No fix currently available expires: '2024-06-01' # We will revisit for a fix in 6 months. - continue-on-vulnerability-error: False # Suppress non-zero exit codes when vulnerabilities are found. Enable this in pipelines and CI/CD processes if you want to pass builds that have vulnerabilities. We recommend you set this to False. + # Suppress non-zero exit codes when vulnerabilities are found. Enable this in + # pipelines and CI/CD processes if you want to pass builds that have vulnerabilities. + # We recommend you set this to False. + continue-on-vulnerability-error: False diff --git a/frontend/.eslintrc.yml b/frontend/.eslintrc.yml index c368aa49..a1fa0422 100644 --- a/frontend/.eslintrc.yml +++ b/frontend/.eslintrc.yml @@ -1,6 +1,6 @@ --- { - 'env': { 'browser': true, 'es6': true, 'node': true }, + 'env': {'browser': true, 'es6': true, 'node': true}, 'parser': '@typescript-eslint/parser', 'extends': [ @@ -12,7 +12,7 @@ 'plugins': ['react', 'react-hooks', 'prettier', '@typescript-eslint'], 'parserOptions': { - 'ecmaFeatures': { 'jsx': true }, + 'ecmaFeatures': {'jsx': true}, 'ecmaVersion': 2018, 'sourceType': 'module' }, 
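Review bot: The reflow moves every annotation above its key except one, `expires: '2024-06-01' # We will revisit for a fix in 6 months.`, which stays inline and is also stale: the expiry is under three months from this commit's date. Move the note above the key and restate the actual revisit horizon, and while touching the booleans write them canonically, `ignore-cvss-unknown-severity: false` and `continue-on-vulnerability-error: false`, so the file matches the lowercase form used elsewhere in this series.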
@@ -22,6 +22,6 @@ 'react/prop-types': 0, 'react/display-name': 0 }, - 'settings': { 'react': { 'version': 'detect' } }, - 'globals': { 'Atomics': 'readonly', 'SharedArrayBuffer': 'readonly' } + 'settings': {'react': {'version': 'detect'}}, + 'globals': {'Atomics': 'readonly', 'SharedArrayBuffer': 'readonly'} } diff --git a/frontend/serverless.yml b/frontend/serverless.yml index 22a03f0e..2ea0067e 100644 --- a/frontend/serverless.yml +++ b/frontend/serverless.yml @@ -46,7 +46,8 @@ functions: path: / # this matches the base path method: GET - http: - path: /{any+} # this matches any path, the token 'any' doesn't mean anything special + # this matches any path, the token 'any' doesn't mean anything special + path: /{any+} method: GET # provisionedConcurrency: 1 docs: From 7a3a78dc6affd01c7fd982db97a3883025d0d3f0 Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Fri, 8 Mar 2024 11:12:26 -0600 Subject: [PATCH 02/11] Remove duplicate github-actions entry, commented out code, unnecessary quotes; reformat for consistency. --- .github/dependabot.yml | 80 +++++++++++++++++------------------------- 1 file changed, 32 insertions(+), 48 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 11feddca..5c5dac52 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -1,65 +1,49 @@ --- version: 2 updates: - - directory: / - # ignore: - # # Managed by cisagov/ASM-Dashboard - # - dependency-name: actions/cache - # - dependency-name: actions/checkout - # - dependency-name: actions/setup-go - # - dependency-name: actions/setup-python - # - dependency-name: crazy-max/ghaction-dump-context - # - dependency-name: crazy-max/ghaction-github-labeler - # - dependency-name: crazy-max/ghaction-github-status - # - dependency-name: hashicorp/setup-terraform - # - dependency-name: mxschmitt/action-tmate - # - dependency-name: step-security/harden-runner - package-ecosystem: github-actions + - package-ecosystem: github-actions + directory: / schedule: interval: weekly - - directory: / - package-ecosystem: terraform + ignore: + - dependency-name: '*' + update-types: [version-update:semver-patch, version-update:semver-minor] + - package-ecosystem: terraform + directory: / schedule: interval: weekly - - package-ecosystem: 'npm' - directory: '/' - schedule: - interval: 'weekly' - ignore: - - dependency-name: "*" - update-types: ["version-update:semver-patch", "version-update:semver-minor"] - - package-ecosystem: "npm" - directory: "/frontend" + - package-ecosystem: npm + directory: / schedule: - interval: "weekly" + interval: weekly ignore: - - dependency-name: "*" - update-types: ["version-update:semver-patch", "version-update:semver-minor"] - - package-ecosystem: "npm" - directory: "/backend" + - dependency-name: '*' + update-types: [version-update:semver-patch, version-update:semver-minor] + - package-ecosystem: npm + directory: /frontend schedule: - interval: "weekly" + interval: weekly ignore: - - dependency-name: "*" - update-types: ["version-update:semver-patch", "version-update:semver-minor"] - - package-ecosystem: "pip" - directory: "/backend/worker" + - dependency-name: '*' + update-types: [version-update:semver-patch, version-update:semver-minor] + - package-ecosystem: npm + directory: /backend schedule: - interval: "weekly" + 
interval: weekly ignore: - - dependency-name: "*" - update-types: ["version-update:semver-patch", "version-update:semver-minor"] - - package-ecosystem: 'docker' - directory: '/' + - dependency-name: '*' + update-types: [version-update:semver-patch, version-update:semver-minor] + - package-ecosystem: pip + directory: /backend/worker schedule: - interval: 'weekly' + interval: weekly ignore: - - dependency-name: "*" - update-types: ["version-update:semver-patch", "version-update:semver-minor"] - - package-ecosystem: 'github-actions' - directory: '/' + - dependency-name: '*' + update-types: [version-update:semver-patch, version-update:semver-minor] + - package-ecosystem: docker + directory: / schedule: - interval: 'weekly' + interval: weekly ignore: - - dependency-name: "*" - update-types: ["version-update:semver-patch", "version-update:semver-minor"] + - dependency-name: '*' + update-types: [version-update:semver-patch, version-update:semver-minor] From 79abf6cb706f4d5be7f9b56dbcc77edbe1d85924 Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Fri, 8 Mar 2024 13:20:39 -0600 Subject: [PATCH 03/11] Refactor yaml string format for consistency. --- .github/workflows/backend.yml | 53 ++++++++++++---------------- .github/workflows/build.yml | 10 +++--- .github/workflows/codeql.yml | 6 ++-- .github/workflows/docs.yml | 27 +++++--------- .github/workflows/frontend.yml | 12 +++---- .github/workflows/infrastructure.yml | 16 ++++----- .github/workflows/security.yml | 22 +++++------- .github/workflows/sync-labels.yml | 4 +-- backend/env.yml | 28 +++++++-------- backend/serverless.yml | 12 +++---- frontend/env.yml | 4 +-- frontend/serverless.yml | 8 ++--- 12 files changed, 87 insertions(+), 115 deletions(-) diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml index 53971b03..c164123f 100644 --- a/.github/workflows/backend.yml +++ b/.github/workflows/backend.yml 
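Review bot: The merged `github-actions` entry now carries the `ignore` block for `version-update:semver-patch` and `version-update:semver-minor` that only the removed second entry had, so this is a behaviour change rather than a pure de-duplication, and with `dependency-name: '*'` the same ignore applies to the `npm`, `pip` and `docker` entries. My reading of the Dependabot documentation is that security updates honour `ignore` conditions as well, in which case an advisory fixed in a patch release, the common case for pip and npm, would not get a pull request; if the goal is only to reduce version-bump noise, drop the ignore from `pip`/`npm` or narrow `dependency-name` to the noisy packages. The hunk appears to span the whole file.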
@@ -7,15 +7,15 @@ on: - develop - production paths: - - 'backend/**' - - '.github/workflows/backend.yml' + - backend/** + - .github/workflows/backend.yml pull_request: branches: - develop - production paths: - - 'backend/**' - - '.github/workflows/backend.yml' + - backend/** + - .github/workflows/backend.yml defaults: run: @@ -28,14 +28,13 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: '18' + node-version: 18 - name: Restore npm cache uses: actions/cache@v3 with: path: ~/.npm - key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - restore-keys: | - ${{ runner.os }}-node- + key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }} + restore-keys: ${{ runner.os }}-node- - name: Install dependencies run: npm ci - name: Lint @@ -47,14 +46,13 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: '18' + node-version: 18 - name: Restore npm cache uses: actions/cache@v3 with: path: ~/.npm key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }} - restore-keys: | - ${{ runner.os }}-node- + restore-keys: ${{ runner.os }}-node- - name: Install dependencies run: npm ci - name: Run site locally @@ -80,14 +78,13 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: '18' + node-version: 18 - name: Restore npm cache uses: actions/cache@v3 with: path: ~/.npm key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }} - restore-keys: | - ${{ runner.os }}-node- + restore-keys: ${{ runner.os }}-node- - name: Install dependencies run: npm ci - name: Build 
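Review bot: `key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}` narrows the glob from `**/package-lock.json` to a path relative to the workspace root; `hashFiles` is evaluated against the workspace, not the `defaults.run.working-directory`, so if this project's lockfile lives under `backend/` the expression yields an empty string and the key degenerates to `Linux-node-`, restoring a stale cache forever (hedged: the lockfile location is not visible in the hunk). Either keep the glob or name the path explicitly, `hashFiles('backend/package-lock.json')`. The same edit appears in the -129, -152 and -203 hunks of this file.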
@@ -113,13 +110,12 @@ jobs: - name: Set up Python 3.10 uses: actions/setup-python@v5.0.0 with: - python-version: '3.10' + python-version: 3.10 - uses: actions/cache@v3 with: path: ~/.cache/pip - key: pip-${{ hashFiles('**/requirements.txt') }} - restore-keys: | - pip- + key: pip-${{ hashFiles(**/requirements.txt) }} + restore-keys: pip- - run: pip install -r worker/requirements.txt - run: pytest build_worker: @@ -129,14 +125,13 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: '18' + node-version: 18 - name: Restore npm cache uses: actions/cache@v3 with: path: ~/.npm - key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - restore-keys: | - ${{ runner.os }}-node- + key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }} + restore-keys: ${{ runner.os }}-node- - name: Install dependencies run: npm ci - name: Build worker container @@ -152,14 +147,13 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: '18' + node-version: 18 - name: Restore npm cache uses: actions/cache@v3 with: path: ~/.npm - key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - restore-keys: | - ${{ runner.os }}-node- + key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }} + restore-keys: ${{ runner.os }}-node- - name: Install dependencies run: npm ci @@ -203,14 +197,13 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: '18' + node-version: 18 - name: Restore npm cache uses: actions/cache@v3 with: path: ~/.npm - key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - restore-keys: | - ${{ runner.os }}-node- + key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }} + restore-keys: ${{ runner.os }}-node- - name: Install dependencies run: npm ci diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e7b75a4b..9f9404b0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
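Review bot: `python-version: 3.10` is now a YAML float and reaches actions/setup-python as `3.1`, so the job will look for Python 3.1 instead of 3.10; keep the quotes, `python-version: '3.10'`. The same quote removal breaks `go-version: 1.20` (read as `1.2`) in the build.yml hunk at -56 and `python-version: 3.10` in the security.yml hunk at -81, and `python-version: 3.11` in build.yml only survives because its digits happen to round-trip. In this hunk the cache key also lost the quotes inside the expression, `key: pip-${{ hashFiles(**/requirements.txt) }}`, which is not a valid expression and should fail workflow validation; restore `hashFiles('**/requirements.txt')`.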
@@ -47,7 +47,7 @@ jobs: - id: setup-python uses: actions/setup-python@v4 with: - python-version: "3.11" + python-version: 3.11 # We need the Go version and Go cache location for the actions/cache step, # so the Go installation must happen before that. - id: setup-go @@ -56,11 +56,10 @@ jobs: # There is no expectation for actual Go code so we disable caching as # it relies on the existence of a go.sum file. cache: false - go-version: "1.20" + go-version: 1.20 - name: Lookup Go cache directory id: go-cache - run: | - echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT + run: echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT - uses: actions/cache@v3 env: BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ @@ -84,8 +83,7 @@ jobs: ${{ hashFiles('**/requirements-test.txt') }}-\ ${{ hashFiles('**/requirements.txt') }}-\ ${{ hashFiles('**/.pre-commit-config.yaml') }}" - restore-keys: | - ${{ env.BASE_CACHE_KEY }} + restore-keys: ${{ env.BASE_CACHE_KEY }} - name: Setup curl cache run: mkdir -p ${{ env.CURL_CACHE_DIR }} - name: Install Packer diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 3ed6c54c..e527d368 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,11 +1,11 @@ --- -name: "CodeQL" +name: CodeQL on: push: - branches: ["develop", "production"] + branches: [develop, production] pull_request: - branches: ["develop"] + branches: [develop] schedule: - cron: "23 17 * * 6" diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 0207bc93..5955e3d0 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -5,16 +5,16 @@ on: branches: - develop paths: - - 'docs/**' - - 'backend/**' - - '.github/workflows/docs.yml' + - docs/** + - backend/** + - .github/workflows/docs.yml pull_request: branches: - develop paths: - - 'docs/**' - - 'backend/**' - - '.github/workflows/docs.yml' + - docs/** + - backend/** + - .github/workflows/docs.yml defaults: run: 
@@ -28,14 +28,13 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: '18' + node-version: 18 - name: Restore npm cache uses: actions/cache@v3 with: path: ~/.npm key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - restore-keys: | - ${{ runner.os }}-node- + restore-keys: ${{ runner.os }}-node- - name: Install dependencies run: sudo apt-get update && sudo apt-get install -y libvips-dev glib2.0-dev - run: npm ci @@ -43,13 +42,3 @@ jobs: run: npm run lint - name: Build run: npm run build - # - name: Deploy to GitHub Pages - # if: github.event_name == 'push' && github.ref == 'refs/heads/master' - # uses: crazy-max/ghaction-github-pages@v3.0.0 - # with: - # keep_history: false - # target_branch: gh-pages - # build_dir: docs/public - # fqdn: docs.crossfeed.cyber.dhs.gov - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml index c0765c83..e2e2ac51 100644 --- a/.github/workflows/frontend.yml +++ b/.github/workflows/frontend.yml @@ -34,8 +34,7 @@ jobs: with: path: ~/.npm key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - restore-keys: | - ${{ runner.os }}-node- + restore-keys: ${{ runner.os }}-node- - name: Install dependencies run: npm ci - name: Lint @@ -53,8 +52,7 @@ jobs: with: path: ~/.npm key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - restore-keys: | - ${{ runner.os }}-node- + restore-keys: ${{ runner.os }}-node- - name: Install dependencies run: npm ci - name: Build @@ -77,8 +75,7 @@ jobs: with: path: ~/.npm key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - restore-keys: | - ${{ runner.os }}-node- + restore-keys: ${{ runner.os }}-node- - name: Install dependencies run: npm ci - name: Build Staging 
@@ -107,8 +104,7 @@ jobs: with: path: ~/.npm key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - restore-keys: | - ${{ runner.os }}-node- + restore-keys: ${{ runner.os }}-node- - name: Install dependencies run: npm ci diff --git a/.github/workflows/infrastructure.yml b/.github/workflows/infrastructure.yml index de3c7499..b0b98abf 100644 --- a/.github/workflows/infrastructure.yml +++ b/.github/workflows/infrastructure.yml @@ -7,15 +7,15 @@ on: - develop - production paths: - - 'infrastructure/**' - - '.github/workflows/infrastructure.yml' + - infrastructure/** + - .github/workflows/infrastructure.yml pull_request: branches: - develop - production paths: - - 'infrastructure/**' - - '.github/workflows/infrastructure.yml' + - infrastructure/** + - .github/workflows/infrastructure.yml defaults: run: @@ -25,12 +25,12 @@ jobs: format: runs-on: ubuntu-latest env: - URL: "https://releases.hashicorp.com/terraform/1.0.7/terraform_1.0.7_linux_amd64.zip" + URL: https://releases.hashicorp.com/terraform/1.0.7/terraform_1.0.7_linux_amd64.zip steps: - uses: actions/checkout@v3 - name: Install Terraform run: | - wget $URL + wget ${{ env.URL }} unzip terraform_1.0.7_linux_amd64.zip sudo mv terraform /usr/local/bin @@ -47,7 +47,7 @@ jobs: - name: Install Terraform run: | - wget $URL + wget ${{ env.URL }} unzip terraform_1.0.7_linux_amd64.zip sudo mv terraform /usr/local/bin @@ -86,7 +86,7 @@ jobs: - name: Install Terraform run: | - wget $URL + wget ${{ env.URL }} unzip terraform_1.0.7_linux_amd64.zip sudo mv terraform /usr/local/bin diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index d7a8999d..1a2cf0fd 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -3,7 +3,7 @@ name: Check for Vulnerabilities on: schedule: - - cron: '0 1 * * *' # every day at 1 AM + - cron: "0 1 * * *" # every day at 1 AM workflow_dispatch: push: 
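Review bot: Switching `wget $URL` to `wget ${{ env.URL }}` does not address why `$URL` was empty, which is the job-scoped `env:` visible in the -25 hunk header (a later patch moves it to workflow level); once the variable is in scope the shell form works and is the one GitHub's hardening guidance prefers, since `${{ }}` interpolation into `run:` is textual and becomes an injection vector the moment the value stops being a literal. It is harmless for this fixed URL, but reverting to `$URL` in the -25, -47 and -86 hunks keeps the pattern safe by default.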
@@ -17,14 +17,13 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: '18' + node-version: 18 - name: Restore npm cache uses: actions/cache@v3 with: path: ~/.npm key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - restore-keys: | - ${{ runner.os }}-node- + restore-keys: ${{ runner.os }}-node- - name: Install dependencies run: npm ci - name: Security @@ -38,14 +37,13 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: '18' + node-version: 18 - name: Restore npm cache uses: actions/cache@v3 with: path: ~/.npm key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - restore-keys: | - ${{ runner.os }}-node- + restore-keys: ${{ runner.os }}-node- - name: Install dependencies run: npm ci - name: Security @@ -59,14 +57,13 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: '18' + node-version: 18 - name: Restore npm cache uses: actions/cache@v3 with: path: ~/.npm key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - restore-keys: | - ${{ runner.os }}-node- + restore-keys: ${{ runner.os }}-node- - name: Install dependencies run: npm ci - name: Security @@ -81,13 +78,12 @@ jobs: - name: Set up Python 3.10 uses: actions/setup-python@v5.0.0 with: - python-version: '3.10' + python-version: 3.10 - uses: actions/cache@v3 with: path: ~/.cache/pip key: pip-${{ hashFiles('**/requirements.txt') }} - restore-keys: | - pip- + restore-keys: pip- - run: pip install safety - run: | safety check -r worker/requirements.txt \ diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 44e8e198..0b2dd974 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -4,8 +4,8 @@ name: sync-labels on: push: paths: - - '.github/labels.yml' - - '.github/workflows/sync-labels.yml' + - .github/labels.yml + - .github/workflows/sync-labels.yml permissions: contents: read 
diff --git a/backend/env.yml b/backend/env.yml index cfa1c536..c51ef649 100644 --- a/backend/env.yml +++ b/backend/env.yml @@ -3,7 +3,7 @@ dev: DUMMY: staging: - DB_DIALECT: 'postgres' + DB_DIALECT: postgres DB_PORT: 5432 DB_HOST: ${ssm:/crossfeed/staging/DATABASE_HOST} DB_NAME: ${ssm:/crossfeed/staging/DATABASE_NAME} @@ -27,12 +27,12 @@ staging: FARGATE_SUBNET_ID: ${ssm:/crossfeed/staging/WORKER_SUBNET_ID} FARGATE_MAX_CONCURRENCY: 100 SCHEDULER_ORGS_PER_SCANTASK: 10 - FARGATE_CLUSTER_NAME: 'crossfeed-staging-worker' - FARGATE_TASK_DEFINITION_NAME: 'crossfeed-staging-worker' - FARGATE_LOG_GROUP_NAME: 'crossfeed-staging-worker' - CROSSFEED_SUPPORT_EMAIL_SENDER: 'noreply@staging.crossfeed.cyber.dhs.gov' - CROSSFEED_SUPPORT_EMAIL_REPLYTO: 'vulnerability@cisa.dhs.gov' - FRONTEND_DOMAIN: 'https://staging-cd.crossfeed.cyber.dhs.gov' + FARGATE_CLUSTER_NAME: crossfeed-staging-worker + FARGATE_TASK_DEFINITION_NAME: crossfeed-staging-worker + FARGATE_LOG_GROUP_NAME: crossfeed-staging-worker + CROSSFEED_SUPPORT_EMAIL_SENDER: noreply@staging.crossfeed.cyber.dhs.gov + CROSSFEED_SUPPORT_EMAIL_REPLYTO: vulnerability@cisa.dhs.gov + FRONTEND_DOMAIN: https://staging-cd.crossfeed.cyber.dhs.gov SLS_LAMBDA_PREFIX: '${self:service}-${self:provider.stage}' USE_COGNITO: 1 REACT_APP_USER_POOL_ID: us-east-1_uxiY8DOum @@ -61,7 +61,7 @@ staging: EMAIL_BUCKET_NAME: cisa-crossfeed-staging-html-email prod: - DB_DIALECT: 'postgres' + DB_DIALECT: postgres DB_PORT: 5432 DB_HOST: ${ssm:/crossfeed/prod/DATABASE_HOST} DB_NAME: ${ssm:/crossfeed/prod/DATABASE_NAME} 
@@ -77,12 +77,12 @@ prod: FARGATE_SUBNET_ID: ${ssm:/crossfeed/prod/WORKER_SUBNET_ID} FARGATE_MAX_CONCURRENCY: 300 SCHEDULER_ORGS_PER_SCANTASK: 50 - FARGATE_CLUSTER_NAME: 'crossfeed-prod-worker' - FARGATE_TASK_DEFINITION_NAME: 'crossfeed-prod-worker' - FARGATE_LOG_GROUP_NAME: 'crossfeed-prod-worker' - CROSSFEED_SUPPORT_EMAIL_SENDER: 'noreply@crossfeed.cyber.dhs.gov' - CROSSFEED_SUPPORT_EMAIL_REPLYTO: 'vulnerability@cisa.dhs.gov' - FRONTEND_DOMAIN: 'https://crossfeed.cyber.dhs.gov' + FARGATE_CLUSTER_NAME: crossfeed-prod-worker + FARGATE_TASK_DEFINITION_NAME: crossfeed-prod-worker + FARGATE_LOG_GROUP_NAME: crossfeed-prod-worker + CROSSFEED_SUPPORT_EMAIL_SENDER: noreply@crossfeed.cyber.dhs.gov + CROSSFEED_SUPPORT_EMAIL_REPLYTO: vulnerability@cisa.dhs.gov + FRONTEND_DOMAIN: https://crossfeed.cyber.dhs.gov SLS_LAMBDA_PREFIX: '${self:service}-${self:provider.stage}' USE_COGNITO: 1 REACT_APP_USER_POOL_ID: us-east-1_MZgKoBmkN diff --git a/backend/serverless.yml b/backend/serverless.yml index 16775047..b94a238f 100644 --- a/backend/serverless.yml +++ b/backend/serverless.yml @@ -7,7 +7,7 @@ configValidationMode: error custom: webpack: - webpackConfig: 'webpack.backend.config.js' + webpackConfig: webpack.backend.config.js customDomain: domainName: ${file(env.yml):${self:provider.stage}.DOMAIN, ''} basePath: '' @@ -26,13 +26,13 @@ provider: vpc: ${file(env.yml):${self:provider.stage}-vpc, ''} apiGateway: binaryMediaTypes: - - 'image/*' - - 'font/*' + - image/* + - font/* resourcePolicy: - Effect: Allow Principal: '*' - Action: 'execute-api:Invoke' - Resource: 'execute-api:/${self:provider.stage}/*/*' + Action: execute-api:Invoke + Resource: execute-api:/${self:provider.stage}/*/* logs: restApi: true deploymentBucket: @@ -48,7 +48,7 @@ provider: - cognito-idp:AdminDisableUser - cognito-idp:ListUsers - cognito-idp:AdminSetUserPassword - Resource: "*" + Resource: '*' - Effect: Allow Action: - ecs:RunTask 
diff --git a/frontend/env.yml b/frontend/env.yml index ee3a04fd..e1c8ee82 100644 --- a/frontend/env.yml +++ b/frontend/env.yml @@ -3,10 +3,10 @@ dev: FRONTEND_DOMAIN: '' staging: - DOMAIN: 'staging-cd.crossfeed.cyber.dhs.gov' + DOMAIN: staging-cd.crossfeed.cyber.dhs.gov prod: - DOMAIN: 'crossfeed.cyber.dhs.gov' + DOMAIN: crossfeed.cyber.dhs.gov dev-vpc: securityGroupIds: diff --git a/frontend/serverless.yml b/frontend/serverless.yml index 2ea0067e..aac51bab 100644 --- a/frontend/serverless.yml +++ b/frontend/serverless.yml @@ -7,7 +7,7 @@ configValidationMode: error custom: webpack: - webpackConfig: 'webpack.lambda.config.js' + webpackConfig: webpack.lambda.config.js customDomain: domainName: ${file(env.yml):${self:provider.stage}.DOMAIN, ''} basePath: '' @@ -26,12 +26,12 @@ provider: vpc: ${file(env.yml):${self:provider.stage}-vpc, ''} apiGateway: binaryMediaTypes: - - 'image/*' - - 'font/*' + - image/* + - font/* resourcePolicy: - Effect: Allow Principal: '*' - Action: 'execute-api:Invoke' + Action: execute-api:Invoke' Resource: 'execute-api:/${self:provider.stage}/*/*' logs: restApi: true From a61ae8678a4765efb07b451864f24b43f5c0097c Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Fri, 8 Mar 2024 13:33:33 -0600 Subject: [PATCH 04/11] Troubleshoot URL var in infrastructure.yml. --- .github/workflows/infrastructure.yml | 5 +++-- .pre-commit-config.yaml | 27 +++++++++++++++------------ 2 files changed, 18 insertions(+), 14 deletions(-) diff --git a/.github/workflows/infrastructure.yml b/.github/workflows/infrastructure.yml index b0b98abf..1148ac47 100644 --- a/.github/workflows/infrastructure.yml +++ b/.github/workflows/infrastructure.yml @@ -1,6 +1,9 @@ --- name: Infrastructure Pipeline +env: + URL: https://releases.hashicorp.com/terraform/1.0.7/terraform_1.0.7_linux_amd64.zip + on: push: branches: 
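Review bot: `Action: execute-api:Invoke'` keeps a stray trailing quote, so the plain scalar now literally ends in `'` and the API Gateway resource policy names a non-existent action; write `Action: execute-api:Invoke` exactly as the backend/serverless.yml hunk does. The next line, `Resource: 'execute-api:/${self:provider.stage}/*/*'`, was left quoted here but unquoted in backend/serverless.yml, so the two files still diverge on the style this patch sets out to unify. The `provider` block continues outside the hunk.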
@@ -24,8 +27,6 @@ defaults: jobs: format: runs-on: ubuntu-latest - env: - URL: https://releases.hashicorp.com/terraform/1.0.7/terraform_1.0.7_linux_amd64.zip steps: - uses: actions/checkout@v3 - name: Install Terraform diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 34f02530..9f1efdd6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -135,12 +135,14 @@ repos: hooks: - id: pyupgrade - # Ansible hooks - - repo: https://github.com/ansible/ansible-lint - rev: v6.19.0 - hooks: - - id: ansible-lint - # files: molecule/default/playbook.yml +# # Ansible hooks +# This hook takes several minutes checking .yml files outside our version control and +# there are no ansible playbooks in this repository +# - repo: https://github.com/ansible/ansible-lint +# rev: v6.19.0 +# hooks: +# - id: ansible-lint +# files: molecule/default/playbook.yml # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform @@ -155,9 +157,10 @@ repos: hooks: - id: docker-compose-check - # Packer hooks - - repo: https://github.com/cisagov/pre-commit-packer - rev: v0.0.2 - hooks: - - id: packer_validate - - id: packer_fmt +# # Packer hooks +# This hook fails and there are no packer files in this repository +# - repo: https://github.com/cisagov/pre-commit-packer +# rev: v0.0.2 +# hooks: +# - id: packer_validate +# - id: packer_fmt From 67f31a1f89fe9b023b76521bff52ed638cbb6737 Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Fri, 8 Mar 2024 14:03:13 -0600 Subject: [PATCH 05/11] Specify terraform directory in dependabot.yml. --- .github/dependabot.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 5c5dac52..e052175b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
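Review bot: Moving `URL` to the workflow-level `env:` block widens its scope to every job, but the underlying approach is still a hand-built download link for a fixed Terraform 1.0.7 zip that the `Install Terraform` step (its body is outside this hunk) presumably curls and unzips, and nothing visible verifies the archive. build.yml in this same series already installs Terraform with `hashicorp/setup-terraform@v2` and a `terraform_version:` input; using that action here would remove the `URL` variable and the manual unzip entirely. If the curl path is kept, compare the archive against the SHA256SUMS file HashiCorp publishes alongside each release before unzipping, and add a comment next to `URL:` such as `# Terraform release archive installed by the "Install Terraform" step; keep in sync with terraform_version elsewhere`.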
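Review bot: Both .pre-commit-config.yaml hunks comment out whole hook blocks rather than deleting them, which leaves `# # Ansible hooks` and `# # Packer hooks` double-hash headers and commented-out YAML that yamllint's comments-indentation rule and future readers have to step around; git history already preserves the removed blocks. Deleting the stanzas and keeping one explanatory line each, e.g. `# ansible-lint removed: no playbooks in this repo and the hook scans files outside version control`, conveys the same decision without dead configuration. The Packer block's comment, `# This hook fails and there are no packer files in this repository`, would be more useful if it said how the hook fails so the removal can be revisited.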
@@ -9,7 +9,7 @@ updates: - dependency-name: '*' update-types: [version-update:semver-patch, version-update:semver-minor] - package-ecosystem: terraform - directory: / + directory: /infrastructure schedule: interval: weekly - package-ecosystem: npm From b6c4767971ea4edf60d7fcadea68f66ff57e3e17 Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Tue, 12 Mar 2024 12:44:14 -0500 Subject: [PATCH 06/11] Convert .eslintrc files to pure yaml for consistency. --- backend/.eslintrc.yml | 42 ++++++++++++++++--------------- docs/.eslintrc.js | 18 -------------- docs/.eslintrc.yml | 12 +++++++++ frontend/.eslintrc.yml | 56 ++++++++++++++++++++++-------------------- 4 files changed, 64 insertions(+), 64 deletions(-) delete mode 100644 docs/.eslintrc.js create mode 100644 docs/.eslintrc.yml diff --git a/backend/.eslintrc.yml b/backend/.eslintrc.yml index 7a1d7724..1282bd5f 100644 --- a/backend/.eslintrc.yml +++ b/backend/.eslintrc.yml @@ -1,21 +1,23 @@ --- -{ - "env": {"es6": true, "node": true}, - "parser": "@typescript-eslint/parser", - "ignorePatterns": ["dist/**"], - "extends": - [ - "plugin:prettier/recommended", - "plugin:@typescript-eslint/eslint-recommended", - ], - "plugins": ["prettier", "@typescript-eslint"], - "parserOptions": {"ecmaVersion": 2018, "sourceType": "module"}, - "rules": - { - "prettier/prettier": "error", - "react/prop-types": 0, - "react/display-name": 0, - }, - "settings": {"react": {"version": "detect"}}, - "globals": {"Atomics": "readonly", "SharedArrayBuffer": "readonly"}, -} +env: + es6: true + node: true +parser: '@typescript-eslint/parser' +ignorePatterns: [dist/**] +extends: + - plugin:prettier/recommended + - plugin:@typescript-eslint/eslint-recommended +plugins: [prettier, '@typescript-eslint'] +parserOptions: + ecmaVersion: 2018 + sourceType: module +rules: + prettier/prettier: error + react/prop-types: 0 + react/display-name: 0 +settings: + react: + version: detect +globals: + Atomics: readonly + SharedArrayBuffer: readonly 
diff --git a/docs/.eslintrc.js b/docs/.eslintrc.js deleted file mode 100644 index 482ca17b..00000000 --- a/docs/.eslintrc.js +++ /dev/null @@ -1,18 +0,0 @@ -module.exports = { - globals: { - __PATH_PREFIX__: true, - }, - extends: 'react-app', - rules: { - 'jsx-a11y/label-has-associated-control': [ - 'error', - { - labelComponents: [], - labelAttributes: [], - controlComponents: [], - assert: 'htmlFor', - depth: 25, - }, - ], - }, -}; diff --git a/docs/.eslintrc.yml b/docs/.eslintrc.yml new file mode 100644 index 00000000..36e8209a --- /dev/null +++ b/docs/.eslintrc.yml @@ -0,0 +1,12 @@ +--- +globals: + __PATH_PREFIX__: true +extends: react-app +rules: + jsx-a11y/label-has-associated-control: + - error + - labelComponents: [] + labelAttributes: [] + controlComponents: [] + assert: htmlFor + depth: 25 diff --git a/frontend/.eslintrc.yml b/frontend/.eslintrc.yml index a1fa0422..68a8c31e 100644 --- a/frontend/.eslintrc.yml +++ b/frontend/.eslintrc.yml 
@@ -1,27 +1,31 @@ --- -{ - 'env': {'browser': true, 'es6': true, 'node': true}, - 'parser': '@typescript-eslint/parser', - 'extends': - [ - 'react-app', - 'plugin:prettier/recommended', - 'plugin:react/recommended', - 'plugin:@typescript-eslint/eslint-recommended' - ], - 'plugins': ['react', 'react-hooks', 'prettier', '@typescript-eslint'], - 'parserOptions': - { - 'ecmaFeatures': {'jsx': true}, - 'ecmaVersion': 2018, - 'sourceType': 'module' - }, - 'rules': - { - 'prettier/prettier': 'error', - 'react/prop-types': 0, - 'react/display-name': 0 - }, - 'settings': {'react': {'version': 'detect'}}, - 'globals': {'Atomics': 'readonly', 'SharedArrayBuffer': 'readonly'} -} +env: + browser: true + es6: true + node: true +parser: '@typescript-eslint/parser' +extends: + - react-app + - plugin:prettier/recommended + - plugin:react/recommended + - plugin:@typescript-eslint/eslint-recommended +plugins: + - react + - react-hooks + - prettier + - '@typescript-eslint' +parserOptions: + ecmaFeatures: + jsx: true + ecmaVersion: 2018 + sourceType: module +rules: + prettier/prettier: error + react/prop-types: 0 + react/display-name: 0 +settings: + react: + version: detect +globals: + Atomics: readonly + SharedArrayBuffer: readonly From d6e6c6fb27767a448add66d305ddaef88b5db896 Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Wed, 13 Mar 2024 10:37:19 -0500 Subject: [PATCH 07/11] Remove build steps related to Packer; remove build steps related to Go linting. --- .github/workflows/build.yml | 29 ----------------------------- 1 file changed, 29 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9f9404b0..3af8e0d4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -65,7 +65,6 @@ jobs: BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ py${{ steps.setup-python.outputs.python-version }}-\ go${{ steps.setup-go.outputs.go-version }}-\ - packer${{ steps.setup-env.outputs.packer-version }}-\ tf${{ steps.setup-env.outputs.terraform-version }}-" with: # Note that the .terraform directory IS NOT included in the 
@@ -86,42 +85,14 @@ jobs: restore-keys: ${{ env.BASE_CACHE_KEY }} - name: Setup curl cache run: mkdir -p ${{ env.CURL_CACHE_DIR }} - - name: Install Packer - env: - PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }} - run: | - PACKER_ZIP="packer_${PACKER_VERSION}_linux_amd64.zip" - curl --output ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \ - --time-cond ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \ - --location \ - "https://releases.hashicorp.com/packer/${PACKER_VERSION}/${PACKER_ZIP}" - sudo unzip -d /opt/packer \ - ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" - sudo mv /usr/local/bin/packer /usr/local/bin/packer-default - sudo ln -s /opt/packer/packer /usr/local/bin/packer - uses: hashicorp/setup-terraform@v2 with: terraform_version: ${{ steps.setup-env.outputs.terraform-version }} - - name: Install go-critic - env: - PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic - PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install gosec - env: - PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec - PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install shfmt env: PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install staticcheck - env: - PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck - PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Terraform-docs env: PACKAGE_URL: github.com/terraform-docs/terraform-docs From f33da8192f671f6066b45d8877c41c61e5234141 Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Wed, 13 Mar 2024 10:49:00 -0500 Subject: [PATCH 08/11] Specify GOPATH. --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) 
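Review bot: The removed install steps read `packer-version`, `go-critic-version`, `gosec-version` and `staticcheck-version` from `steps.setup-env.outputs`, and the previous hunk drops `packer${{ ... }}` from the cache key, but the step that produces those outputs (and presumably the versions file it reads) is outside both hunks and is not touched by this commit. If those entries still exist they are now dead and should be removed in the same change so the `setup-env` step does not advertise tools that are never installed. Dropping gosec is reasonable given the comment in the next patch that no real Go code is expected, but a short note near the remaining `go install` steps, `# Go is only needed to build shfmt and terraform-docs; no repo Go code is linted`, would record that decision for the next reader.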
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3af8e0d4..213e7f0b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -57,6 +57,8 @@ jobs: # it relies on the existence of a go.sum file. cache: false go-version: 1.20 + env: + GOPATH: ${{ runner.workspace }}/go - name: Lookup Go cache directory id: go-cache run: echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT From c7c328947bbd5997453d5dc947fa8d384e481a21 Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Wed, 13 Mar 2024 11:06:58 -0500 Subject: [PATCH 09/11] Remove curl cache used for packer; Specify Go version as string. --- .github/workflows/build.yml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 213e7f0b..40946986 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -47,7 +47,7 @@ jobs: - id: setup-python uses: actions/setup-python@v4 with: - python-version: 3.11 + python-version: '3.11' # We need the Go version and Go cache location for the actions/cache step, # so the Go installation must happen before that. - id: setup-go @@ -56,9 +56,7 @@ jobs: # There is no expectation for actual Go code so we disable caching as # it relies on the existence of a go.sum file. cache: false - go-version: 1.20 - env: - GOPATH: ${{ runner.workspace }}/go + go-version: '1.20' - name: Lookup Go cache directory id: go-cache run: echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT 
@@ -78,15 +76,12 @@ jobs: path: | ${{ env.PIP_CACHE_DIR }} ${{ env.PRE_COMMIT_CACHE_DIR }} - ${{ env.CURL_CACHE_DIR }} ${{ steps.go-cache.outputs.dir }} key: "${{ env.BASE_CACHE_KEY }}\ ${{ hashFiles('**/requirements-test.txt') }}-\ ${{ hashFiles('**/requirements.txt') }}-\ ${{ hashFiles('**/.pre-commit-config.yaml') }}" restore-keys: ${{ env.BASE_CACHE_KEY }} - - name: Setup curl cache - run: mkdir -p ${{ env.CURL_CACHE_DIR }} - uses: hashicorp/setup-terraform@v2 with: terraform_version: ${{ steps.setup-env.outputs.terraform-version }} From 8261ab64fffaa2bb4bb43cc19147ad535bb1f874 Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Wed, 13 Mar 2024 11:21:56 -0500 Subject: [PATCH 10/11] Enclose all version numbers in single quotes: avoids errors like version: 1.20 parsing as 1.2. --- .github/workflows/backend.yml | 14 +++++++------- .github/workflows/docs.yml | 2 +- .github/workflows/security.yml | 8 ++++---- backend/.eslintrc.yml | 2 +- frontend/.eslintrc.yml | 2 +- 5 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml index c164123f..75a97a1b 100644 --- a/.github/workflows/backend.yml +++ b/.github/workflows/backend.yml @@ -28,7 +28,7 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: 18 + node-version: '18' - name: Restore npm cache uses: actions/cache@v3 with: @@ -46,7 +46,7 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: 18 + node-version: '18' - name: Restore npm cache uses: actions/cache@v3 with: @@ -78,7 +78,7 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: 18 + node-version: '18' - name: Restore npm cache uses: actions/cache@v3 with: @@ -110,7 +110,7 @@ jobs: - name: Set up Python 3.10 uses: actions/setup-python@v5.0.0 with: - python-version: 3.10 + python-version: '3.10' - uses: actions/cache@v3 with: path: ~/.cache/pip 
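Review bot: With the `Setup curl cache` step and the `${{ env.CURL_CACHE_DIR }}` cache path both gone, the `CURL_CACHE_DIR` variable itself (defined in the workflow's `env:` block, which is outside this hunk) appears to have no remaining consumer and should be deleted in the same commit if that is so. Leaving it defined invites someone to reintroduce an unverified ad-hoc download later on the strength of the existing plumbing.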
@@ -125,7 +125,7 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: 18 + node-version: '18' - name: Restore npm cache uses: actions/cache@v3 with: @@ -147,7 +147,7 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: 18 + node-version: '18' - name: Restore npm cache uses: actions/cache@v3 with: @@ -197,7 +197,7 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: 18 + node-version: '18' - name: Restore npm cache uses: actions/cache@v3 with: diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 5955e3d0..4ff32cb6 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -28,7 +28,7 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: 18 + node-version: '18' - name: Restore npm cache uses: actions/cache@v3 with: diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 1a2cf0fd..c40bddc6 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -17,7 +17,7 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: 18 + node-version: '18' - name: Restore npm cache uses: actions/cache@v3 with: @@ -37,7 +37,7 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: 18 + node-version: '18' - name: Restore npm cache uses: actions/cache@v3 with: @@ -57,7 +57,7 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: - node-version: 18 + node-version: '18' - name: Restore npm cache uses: actions/cache@v3 with: @@ -78,7 +78,7 @@ jobs: - name: Set up Python 3.10 uses: actions/setup-python@v5.0.0 with: - python-version: 3.10 + python-version: '3.10' - uses: actions/cache@v3 with: path: ~/.cache/pip diff --git a/backend/.eslintrc.yml b/backend/.eslintrc.yml index 1282bd5f..843e1470 100644 --- a/backend/.eslintrc.yml +++ b/backend/.eslintrc.yml 
@@ -9,7 +9,7 @@ extends: - plugin:@typescript-eslint/eslint-recommended plugins: [prettier, '@typescript-eslint'] parserOptions: - ecmaVersion: 2018 + ecmaVersion: '2018' sourceType: module rules: prettier/prettier: error diff --git a/frontend/.eslintrc.yml b/frontend/.eslintrc.yml index 68a8c31e..36333aa4 100644 --- a/frontend/.eslintrc.yml +++ b/frontend/.eslintrc.yml @@ -17,7 +17,7 @@ plugins: parserOptions: ecmaFeatures: jsx: true - ecmaVersion: 2018 + ecmaVersion: '2018' sourceType: module rules: prettier/prettier: error From adb7284c9742ebd1ed18c7274b2b434e0daf2310 Mon Sep 17 00:00:00 2001 From: "Grayson, Matthew" Date: Wed, 13 Mar 2024 13:06:53 -0500 Subject: [PATCH 11/11] Add ignore for dependencies managed by skeleton. --- .github/dependabot.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index e052175b..e2dff6cb 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -8,6 +8,17 @@ updates: ignore: - dependency-name: '*' update-types: [version-update:semver-patch, version-update:semver-minor] + # Managed by cisagov/skeleton-generic + - dependency-name: actions/cache + - dependency-name: actions/checkout + - dependency-name: actions/setup-go + - dependency-name: actions/setup-python + - dependency-name: crazy-max/ghaction-dump-context + - dependency-name: crazy-max/ghaction-github-labeler + - dependency-name: crazy-max/ghaction-github-status + - dependency-name: hashicorp/setup-terraform + - dependency-name: mxschmitt/action-tmate + - dependency-name: step-security/harden-runner - package-ecosystem: terraform directory: /infrastructure schedule:
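Review bot: Quoting `ecmaVersion: '2018'` in backend/.eslintrc.yml (and the identical change in the frontend/.eslintrc.yml hunk) changes the type ESLint receives from a number to a string, which is not what the commit message's rationale covers: `2018` is an integer, so the `1.20` → `1.2` float problem cannot occur, while ESLint documents `parserOptions.ecmaVersion` as a number and some parsers validate that type. Keep these two lines as `ecmaVersion: 2018` and restrict the quoting to dotted versions like `'3.10'` and `'1.20'`, where it is genuinely needed.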
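Review bot: The ten new `dependency-name` ignore entries in .github/dependabot.yml have no `update-types` qualifier, so Dependabot will stop proposing any update for those actions in this repository, including ones that raise the major version for a fix; the workflows in this series still pin, for example, `actions/checkout@v3` and `actions/setup-node@v3`. That is fine only if the skeleton sync that the `# Managed by cisagov/skeleton-generic` comment relies on happens on a regular cadence, which nothing here documents. Extend the comment to say where and how often those pins are refreshed, e.g. `# Managed by cisagov/skeleton-generic; updated by merging the upstream skeleton, not by Dependabot`.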