HHS · acouch · Sep 18, 2024 · May 14, 2024 · May 14, 2024 · May 14, 2024
@@ -1,7 +1,6 @@
 name: Internal - Task
 description: Describes an individual task that needs to be completed
 title: "[Task]: "
-labels: ["project: grants.gov"]
 assignees:
   - octocat
 body:

@@ -42,11 +42,12 @@ jobs:
       - name: Run tests
         run: make test-audit
 
-      - name: Export GitHub data
-        run: make gh-data-export
+      # Both of these tasks are looking for github and slack auth
+      # - name: Export GitHub data
+      #   run: make gh-data-export
 
-      - name: Run reports
-        run: make sprint-reports
+      # - name: Run reports
+      #   run: make sprint-reports
 
   vulnerability-scans:
     name: Run Analytics Vulnerability Scans

@@ -0,0 +1,73 @@
+name: pa11y tests
+
+on:
+  pull_request:
+    paths:
+      - frontend/**
+      - .github/workflows/ci-frontend-a11y.yml
+
+jobs:
+  build:
+    name: Pa11y-ci tests
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./frontend
+
+    env:
+      NODE_VERSION: 20
+      LOCKFILE_PATH: ./frontend/package-lock.json
+      PACKAGE_MANAGER: npm
+
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache-dependency-path: ${{ env.LOCKFILE_PATH }}
+          cache: ${{ env.PACKAGE_MANAGER }}
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Create screenshots directory
+        run: mkdir -p screenshots-output
+
+      - name: Build project
+        run: npm run build
+
+      - name: Start server and log output
+        run: npm run start &
+
+      - name: Start API Server for search results
+        run: |
+          cd ../api
+          make init db-seed-local start &
+          cd ../frontend
+          # ensure the API wait script is executable
+          chmod +x ../api/bin/wait-for-api.sh
+          ../api/bin/wait-for-api.sh
+        shell: bash
+
+      - name: Wait for frontend to be ready
+        run: |
+          # Ensure the server wait script is executable
+          chmod +x ./bin/wait-for-frontend.sh
+          ./bin/wait-for-frontend.sh
+
+      - name: Run pa11y-ci
+        run: |
+          set -e # Ensure the script fails if any command fails
+          npm run test:pa11y-desktop
+          npm run test:pa11y-mobile
+          echo "pa11y-ci tests finished."
+
+      - name: Upload screenshots to artifacts
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: screenshots
+          path: ./frontend/screenshots-output
@@ -143,3 +143,6 @@ dmypy.json
 
 # vscode
 .vscode/settings.json
+
+# vim
+*.swp
@@ -16,11 +16,11 @@ ignore:
   - fix-state: not-fixed
   - fix-state: wont-fix
   - fix-state: unknown
-  # Golang vulnerability inside of a python docker image. It's basically impossible to find
-  # out where the impacted golang vulnerability is coming from. The python image in question
-  # does not even have golang installed, yet somehow still there's a golang vulnerability.
-  # We are ignoring the finding because it would take undue effort to track down the source.
+  # Golang vulnerabilities inside of a python docker image. Both originate from lower level packages within the GitHub CLI:
+  # https://github.com/cli/cli/blob/trunk/go.mod#L101 
+  # https://github.com/cli/cli/blob/trunk/go.mod#L161
   - vulnerability: GHSA-4v7x-pqxf-cx7m
+  - vulnerability: GHSA-v6v8-xj6m-xwqh
   # https://github.com/anchore/grype/issues/1172
   - vulnerability: GHSA-xqr8-7jwr-rhp7
   - vulnerability: GHSA-7fh5-64p2-3v2j
@@ -33,3 +33,5 @@ ignore:
   - vulnerability: CVE-2023-39418
   - vulnerability: CVE-2023-5868
   - vulnerability: CVE-2023-5870
+  # Affects SSR in pages router which we don't use https://github.com/advisories/GHSA-gp8f-8m3g-qvj9
+  - vulnerability: GHSA-gp8f-8m3g-qvj9 
@@ -1,4 +1,2 @@
 data
 
-# Ignore dynaconf secret files
-.secrets.*
@@ -33,8 +33,8 @@ ifeq "$(PY_RUN_APPROACH)" "local"
 POETRY := poetry run
 GITHUB := gh
 else
-POETRY := docker-compose run $(DOCKER_EXEC_ARGS) --rm $(APP_NAME) poetry run
-GITHUB := docker-compose run $(DOCKER_EXEC_ARGS) --rm $(APP_NAME) gh
+POETRY := docker compose run $(DOCKER_EXEC_ARGS) --rm $(APP_NAME) poetry run
+GITHUB := docker compose run $(DOCKER_EXEC_ARGS) --rm $(APP_NAME) gh
 endif
 
 # Docker user configuration
@@ -146,6 +146,13 @@ sprint-data-export:
 	--project $(SPRINT_PROJECT) \
 	--output-file $(SPRINT_FILE)
 
+gh-db-data-import:
+	@echo "=> Importing sprint data to the database"
+	@echo "====================================================="
+	$(POETRY) analytics import db_import \
+	--sprint-file $(SPRINT_FILE) \
+	--issue-file $(ISSUE_FILE)
+
 roadmap-data-export:
 	@echo "=> Exporting project data from the product roadmap"
 	@echo "====================================================="

@@ -1,32 +1,23 @@
-"""Loads configuration variables from settings files and settings files
+"""Loads configuration variables from settings files
 
-Dynaconf provides a few valuable features for configuration management:
-- Load variables from env vars and files with predictable overrides
-- Validate the existence and format of required configs
-- Connect with secrets managers like HashiCorp's Vault server
-- Load different configs based on environment (e.g. DEV, PROD, STAGING)
-
-For more information visit: https://www.dynaconf.com/
 """
-from dynaconf import Dynaconf, Validator, ValidationError
+import os 
+from typing import Optional
+from pydantic_settings import BaseSettings, SettingsConfigDict
+from pydantic import Field
+
+# reads environment variables from .env files defaulting to "local.env"
+class PydanticBaseEnvConfig(BaseSettings):
+    model_config = SettingsConfigDict(env_file="%s.env" % os.getenv("ENVIRONMENT", "local"), extra="ignore") # set extra to ignore so that it ignores variables irrelevant to the database config (e.g. metabase settings)
 
-settings = Dynaconf(
-    # set env vars with `export ANALYTICS_FOO=bar`
-    envvar_prefix="ANALYTICS",
-    # looks for config vars in the following files
-    # with vars in .secrets.toml overriding vars in settings.toml
-    settings_files=["settings.toml", ".secrets.toml"],
-    # add validators for our required config vars
-    validators=[
-        Validator("SLACK_BOT_TOKEN", must_exist=True),
-        Validator("REPORTING_CHANNEL_ID", must_exist=True),
-    ],
-)
+class DBSettings(PydanticBaseEnvConfig):
+     db_host: str = Field(alias="DB_HOST")
+     port: int = Field(5432,alias="DB_PORT")
+     user: str = Field (alias="DB_USER")
+     password: str = Field(alias="DB_PASSWORD")
+     ssl_mode: str = Field(alias="DB_SSL_MODE")
+     slack_bot_token: str = Field(alias="ANALYTICS_SLACK_BOT_TOKEN")
+     reporting_channel_id: str = Field(alias="ANALYTICS_REPORTING_CHANNEL_ID")
 
-# raises after all possible errors are evaluated
-try:
-    settings.validators.validate_all()
-except ValidationError as error:
-    list_of_all_errors = error.details
-    print(list_of_all_errors)
-    raise
+def get_db_settings() -> DBSettings:
+     return DBSettings()
@@ -28,3 +28,13 @@ MB_DB_PORT=5432
 MB_DB_USER=app
 MB_DB_PASS=secret123
 MB_DB_HOST=grants-analytics-db
+
+###########################
+# Slack Configuration   #
+###########################
+# Do not add these values to this file
+# to avoid mistakenly committing them.
+# Set these in your shell
+# by doing `export ANALYTICS_REPORTING_CHANNEL_ID=whatever`
+ANALYTICS_REPORTING_CHANNEL_ID=DO_NOT_SET_HERE
+ANALYTICS_SLACK_BOT_TOKEN=DO_NOT_SET_HERE