HHS · coilysiren · Jan 10, 2024
@@ -1,6 +1,4 @@
 # This file is allows you to specify a list of files that is acceptable to Dockle
 # To allow multiple files, use a list of names, example below. Make sure to remove the leading #
 # DOCKLE_ACCEPT_FILES="file1,path/to/file2,file3/path,etc"
-# https://github.com/goodwithtech/dockle#accept-suspicious-environment-variables--files--file-extensions
-# The apiflask/settings file is a stub file that apiflask creates, and has no sensitive data in. We are ignoring it since it is unused
-DOCKLE_ACCEPT_FILES=api/.venv/lib/python3.12/site-packages/apiflask/settings.py
+# https://github.com/goodwithtech/dockle#accept-suspicious-environment-variables--files--file-extensions
@@ -30,7 +30,7 @@ runs:
         echo "GITHUB_ACTIONS_ROLE_NAME=$GITHUB_ACTIONS_ROLE_NAME"
 
         terraform -chdir=infra/${{ inputs.app_name }}/app-config init > /dev/null
-        terraform -chdir=infra/${{ inputs.app_name }}/app-config apply -refresh-only -auto-approve> /dev/null
+        terraform -chdir=infra/${{ inputs.app_name }}/app-config apply -refresh-only -auto-approve> /dev/null 
         ACCOUNT_NAME=$(terraform -chdir=infra/${{ inputs.app_name }}/app-config output -json account_names_by_environment | jq -r .${{ inputs.environment }})
         echo "ACCOUNT_NAME=$ACCOUNT_NAME"
 

@@ -1,14 +1,15 @@
-## Summary
-Fixes #{ISSUE}
+## Ticket
 
-### Time to review: __x mins__
+Resolves #{TICKET NUMBER OR URL}
+
+## Changes
 
-## Changes proposed
 > What was added, updated, or removed in this PR.
 
 ## Context for reviewers
-> Testing instructions, background context, more in-depth details of the implementation, and anything else you'd like to call out or ask reviewers. Explain how the changes were verified.
 
-## Additional information
-> Screenshots, GIF demos, code examples or output to help show the changes working as expected.
+> Testing instructions, background context, more in-depth details of the implementation, and anything else you'd like to call out or ask reviewers.
+
+## Testing
 
+> Provide evidence that the code works as expected. Explain what was done for testing and the results of the test plan. Include screenshots, [GIF demos](https://www.cockos.com/licecap/), shell commands or output to help show the changes working as expected. ProTip: you can drag and drop or paste images into this textbox.
@@ -11,11 +11,6 @@ on:
         description: The branch, tag or SHA to checkout. When checking out the repository that triggered a workflow, this defaults to the reference or SHA for that event. Otherwise, use branch or tag that triggered the workflow run.
         required: true
         type: string
-      environment:
-        description: "The environment where the build will be deployed. eg. dev or prod. Will default to dev."
-        default: dev
-        required: false
-        type: string
   workflow_dispatch:
     inputs:
       app_name:
@@ -26,16 +21,12 @@ on:
         description: The branch, tag or SHA to checkout. When checking out the repository that triggered a workflow, this defaults to the reference or SHA for that event. Otherwise, use branch or tag that triggered the workflow run.
         required: true
         type: string
-      environment:
-        description: "The environment where the build will be deployed. eg. dev or prod. Will default to dev."
-        default: dev
-        required: false
-        type: string
 
 jobs:
   build-and-publish:
     name: Build and publish
     runs-on: ubuntu-latest
+    concurrency: ${{ github.action }}-${{ inputs.ref }}
 
     permissions:
       contents: read
@@ -47,7 +38,7 @@ jobs:
           ref: ${{ inputs.ref }}
 
       - name: Build release
-        run: make APP_NAME=${{ inputs.app_name }} ENVIRONMENT=${{ inputs.environment }} release-build
+        run: make APP_NAME=${{ inputs.app_name }} release-build
 
       - name: Configure AWS credentials
         uses: ./.github/actions/configure-aws-credentials

@@ -0,0 +1,33 @@
+name: Deploy App
+# Need to set a default value for when the workflow is triggered from a git push
+# which bypasses the default configuration for inputs
+run-name: Deploy ${{ github.ref_name }} to App ${{ inputs.environment || 'dev' }}
+
+on:
+  # !! Uncomment the following lines once you've set up the dev environment and ready to turn on continuous deployment
+  # push:
+  #   branches:
+  #     - "main"
+  #   paths:
+  #     - "app/**"
+  #     - "bin/**"
+  #     - "infra/**"
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: "target environment"
+        required: true
+        default: "dev"
+        type: choice
+        options:
+          - dev
+          - staging
+          - prod
+
+jobs:
+  deploy:
+    name: Deploy
+    uses: ./.github/workflows/deploy.yml
+    with:
+      app_name: "app"
+      environment: ${{ inputs.environment || 'dev' }}
@@ -0,0 +1,26 @@
+name: CI Vulnerability Scans
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - app/**
+      - .grype.yml
+      - .hadolint.yaml
+      - .trivyignore
+      - .github/workflows/ci-vulnerability-scans.yml
+  pull_request:
+    paths:
+      - app/**
+      - .grype.yml
+      - .hadolint.yaml
+      - .trivyignore
+      - .github/workflows/ci-vulnerability-scans.yml
+
+jobs:
+  vulnerability-scans:
+    name: Vulnerability Scans
+    uses: ./.github/workflows/vulnerability-scans.yml
+    with:
+      app_name: "app"
@@ -0,0 +1,20 @@
+name: CI Documentation Checks
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+
+jobs:
+  lint-markdown:
+    name: Lint markdown
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      # This is the GitHub Actions-friendly port of the linter used in the Makefile.
+      - uses: gaurav-nelson/[email protected]
+        with:
+          use-quiet-mode: 'yes'  # errors only.
+          config-file: '.github/workflows/markdownlint-config.json'
@@ -0,0 +1,50 @@
+name: CI Infra Service Checks
+
+on:
+  # !! Uncomment to trigger automated infra tests once dev environment is set up
+  # push:
+  #   branches:
+  #     - main
+  #   paths:
+  #     - infra/*/service/**
+  #     - infra/modules/**
+  #     - infra/test/**
+  #     - .github/workflows/ci-infra-service.yml
+  # pull_request:
+  #   paths:
+  #     - infra/*/service/**
+  #     - infra/modules/**
+  #     - infra/test/**
+  #     - .github/workflows/ci-infra-service.yml
+  workflow_dispatch:
+
+jobs:
+  infra-test-e2e:
+    name: Test service
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.2.1
+          terraform_wrapper: false
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ">=1.19.0"
+
+      - name: Configure AWS credentials
+        uses: ./.github/actions/configure-aws-credentials
+        with:
+          app_name: app
+          # Run infra CI on dev environment
+          environment: dev
+
+      - name: Run Terratest
+        run: make infra-test-service
@@ -21,7 +21,6 @@ jobs:
     with:
       app_name: ${{ inputs.app_name }}
       ref: ${{ github.ref }}
-      environment: ${{ inputs.environment }}
   run-migrations:
     name: Run migrations
     runs-on: ubuntu-latest

@@ -0,0 +1,19 @@
+{
+    "ignorePatterns" : [
+        {
+            "pattern": "0005-example.md"
+        },
+        {
+            "pattern": "localhost"
+        },
+        {
+            "pattern": "127.0.0.1"
+        }
+    ],
+    "replacementPatterns": [
+        {
+            "pattern": "^/",
+            "replacement": "{{BASEURL}}/"
+        }
+  ]
+}