Deployment PR - 1510

.github/dependabot.yml

@@ -0,0 +1,88 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/alcs-frontend"
+    schedule:
+      interval: "daily"
+    target-branch: "develop"
+    commit-message:
+      prefix: "ALCS-000"
+    allow:
+      - dependency-type: "direct"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
+    groups:
+      npm-security:
+        applies-to: security-updates
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+      npm-minor-and-patch:
+        applies-to: version-updates
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+  - package-ecosystem: "npm"
+    directory: "/portal-frontend"
+    schedule:
+      interval: "daily"
+    target-branch: "develop"
+    commit-message:
+      prefix: "ALCS-000"
+    allow:
+      - dependency-type: "direct"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
+    groups:
+      npm-security:
+        applies-to: security-updates
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+      npm-minor-and-patch:
+        applies-to: version-updates
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+  - package-ecosystem: "npm"
+    directory: "/services"
+    schedule:
+      interval: "daily"
+    target-branch: "develop"
+    commit-message:
+      prefix: "ALCS-000"
+    allow:
+      - dependency-type: "direct"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
+    groups:
+      npm-security:
+        applies-to: security-updates
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+      npm-minor-and-patch:
+        applies-to: version-updates
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"

.github/workflows/_build-image.yml

@@ -33,6 +33,12 @@ jobs:
         run: |
           DOCKER_IMAGE=ghcr.io/${{ steps.lowercase_repo_owner.outputs.lowercase }}/${{ inputs.image-name }}
           TAGS="${DOCKER_IMAGE}:${{ github.sha }},${DOCKER_IMAGE}:latest"
+
+          # Add dev-latest tag for develop branch
+          if [ "${{ github.ref }}" = "refs/heads/develop" ]; then
+            TAGS="${TAGS},${DOCKER_IMAGE}:latest-dev"
+          fi
+
           echo "tags=${TAGS}" >> $GITHUB_OUTPUT
           echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
 

.github/workflows/auto-merge-dependabot.yml

@@ -0,0 +1,38 @@
+name: Auto-merge Dependabot PRs
+
+on: 
+  pull_request:
+    branches:
+      - develop
+  workflow_run:
+    workflows: ["CI"]
+    types:
+      - completed
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-merge:
+    runs-on: ubuntu-latest
+    if: |
+      github.actor == 'dependabot[bot]' && 
+      github.event_name == 'workflow_run' && 
+      github.event.workflow_run.conclusion == 'success'
+    steps:
+      - name: Auto-merge Dependabot PR
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+        run: |
+          # Get PR number from branch name
+          PR_NUMBER=$(echo "$HEAD_BRANCH" | grep -o '[0-9]\+' || echo '')
+
+          if [ -n "$PR_NUMBER" ]; then
+            # Approve PR
+            gh pr review $PR_NUMBER --approve
+
+            # Enable auto-merge
+            gh pr merge $PR_NUMBER --auto --merge
+          fi

.github/workflows/backport-to-develop.yml

@@ -0,0 +1,110 @@
+name: Backport to Develop
+on:
+  pull_request:
+    types:
+      - closed
+    branches:
+      - main
+
+jobs:
+  backport:
+    # Only run if PR was merged (not just closed) and it wasn't from develop
+    if: |
+      github.event.pull_request.merged == true &&
+      github.event.pull_request.head.ref != 'develop'
+    name: Backport to Develop
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    env:
+      BACKPORT_BRANCH: backport/pr-${{ github.event.pull_request.number }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: develop
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Get First Approver
+        id: get-approver
+        run: |
+          # Get reviews for the original PR
+          REVIEWS=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            "https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews")
+
+          # Extract first APPROVED reviewer's login
+          FIRST_APPROVER=$(echo "$REVIEWS" | jq -r '.[] | select(.state=="APPROVED") | .user.login' | head -n 1)
+
+          if [ ! -z "$FIRST_APPROVER" ]; then
+            echo "has_reviewer=true" >> $GITHUB_OUTPUT
+            echo "reviewer=$FIRST_APPROVER" >> $GITHUB_OUTPUT
+          else
+            echo "has_reviewer=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create backport branch
+        run: |
+          # Create a new branch from develop
+          git checkout -b ${{ env.BACKPORT_BRANCH }}
+
+          # Get the range of commits to cherry-pick
+          BASE_SHA=$(git merge-base ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }})
+
+          # Cherry pick the range of commits
+          # Using -m 1 to handle merge commits, and --strategy=recursive --strategy-option=theirs to handle conflicts
+          if ! git cherry-pick -m 1 --strategy=recursive --strategy-option=theirs ${BASE_SHA}..${{ github.event.pull_request.merge_commit_sha }}; then
+            if [ -f .git/CHERRY_PICK_HEAD ]; then
+              # We're in a cherry-pick state
+              if git diff --cached --quiet && git diff --quiet; then
+                # No changes in working directory or index - safe to skip
+                git cherry-pick --skip
+              else
+                # There are uncommitted changes - could be conflicts
+                git cherry-pick --abort
+                exit 1
+              fi
+            else
+              # Some other error occurred
+              exit 1
+            fi
+          fi
+
+          # Push the branch using the token for authentication
+          git push "https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git" ${{ env.BACKPORT_BRANCH }}
+
+      - name: Create Pull Request with Reviewer
+        if: steps.get-approver.outputs.has_reviewer == 'true'
+        uses: repo-sync/pull-request@v2
+        with:
+          source_branch: ${{ env.BACKPORT_BRANCH }}
+          destination_branch: "develop"
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          pr_title: "Backport: ${{ github.event.pull_request.title }}"
+          pr_body: |
+            Automated backport of changes from main to develop
+
+            Original PR: [#${{ github.event.pull_request.number }} - ${{ github.event.pull_request.title }}](${{ github.event.pull_request.html_url }})
+            Original Author: @${{ github.event.pull_request.user.login }}
+          pr_label: "backport"
+          pr_reviewer: ${{ steps.get-approver.outputs.reviewer }}
+
+      - name: Create Pull Request without Reviewer
+        if: steps.get-approver.outputs.has_reviewer != 'true'
+        uses: repo-sync/pull-request@v2
+        with:
+          source_branch: ${{ env.BACKPORT_BRANCH }}
+          destination_branch: "develop"
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          pr_title: "Backport: ${{ github.event.pull_request.title }}"
+          pr_body: |
+            Automated backport of changes from main to develop
+
+            Original PR: [#${{ github.event.pull_request.number }} - ${{ github.event.pull_request.title }}](${{ github.event.pull_request.html_url }})
+            Original Author: @${{ github.event.pull_request.user.login }}
+          pr_label: "backport" 

.github/workflows/cd.yml

@@ -12,9 +12,15 @@ jobs:
     with:
       environment: test
     secrets: inherit
+    concurrency:
+      group: deploy-test
+      cancel-in-progress: true
   deploy-prod:
     needs: deploy-test
     uses: ./.github/workflows/deploy.yml
     with:
       environment: prod
-    secrets: inherit
+    secrets: inherit
+    concurrency:
+      group: deploy-prod
+      cancel-in-progress: true

.github/workflows/trivy-scan.yml

@@ -0,0 +1,78 @@
+name: Weekly Trivy DEV Image Scans
+
+on:
+  schedule:
+    # Runs every week at 02:00 Sunday Morning.
+    - cron:  '0 2 * * 0'
+  workflow_dispatch:
+
+permissions: 
+  packages: read
+  security-events: write
+
+jobs:
+  image-scan-api:
+    name: Scan latest-dev API Image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+        with:
+          image-ref: 'ghcr.io/bcgov/alcs-api:latest-dev'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          limit-severities-for-sarif: true
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+  image-scan-portal:
+    name: Scan latest-dev Portal Image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+        with:
+          image-ref: 'ghcr.io/bcgov/alcs-portal-frontend:latest-dev'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          limit-severities-for-sarif: true
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+  image-scan-frontend:
+    name: Scan latest-dev Frontend Image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+        with:
+          image-ref: 'ghcr.io/bcgov/alcs-frontend:latest-dev'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          limit-severities-for-sarif: true
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'