## Build and Publish

[#925](https://github.com/department-of-veterans-affairs/abd-vro/pull/925): @yoomlam added his `USERNAME` and `ACCESS_TOKEN` secrets to the [repo's Secrets settings](https://github.com/department-of-veterans-affairs/abd-vro/settings/secrets/actions)

- When publishing, the resulting packages (i.e., images for [Docker containers](https://github.com/department-of-veterans-affairs/abd-vro/wiki/Docker-containers)) are tagged using the first 7 characters of the PR's commit hash; these tags are needed for deployment to LHDI's [Kubernetes clusters](https://github.com/department-of-veterans-affairs/abd-vro/wiki/Kubernetes-clusters)

## CodeQL

The VA GitHub.com team requested that [Advanced Security Code Scanning](https://department-of-veterans-affairs.github.io/github-handbook/guides/security/code-scanning) be enabled via [codeql.yml](https://github.com/department-of-veterans-affairs/abd-vro/pull/116/files#diff-12783128521e452af0cfac94b99b8d250413c516ec71fe6d97dbea666ff7ba27). See [PR #116](https://github.com/department-of-veterans-affairs/abd-vro/pull/116) for details.

> This is a complement to any tools and security procedures your team is already performing rather than a replacement.
> ...
> this feature will identify potential security issues on any new pull requests.
> ...
> For more information, check out the [GitHub Handbook](https://department-of-veterans-affairs.github.io/github-handbook/guides/security/code-scanning).

(If needed, an admin for this repo can bypass any identified issues.)

In [commit ea4be65](https://github.com/department-of-veterans-affairs/abd-vro/commit/ea4be65a8a1324f7cb9f0cc55837fe6520e20d9d), we limit this action to running only on certain PR event types (e.g., `ready_for_review`, `review_requested`) and on pushes to special branches, since this action is slow. To manually run the action, do any of the following:

* Request a review from someone.
* Convert it to a draft PR, then click the "Ready for Review" button.
* Go to the [CodeQL Action](https://github.com/department-of-veterans-affairs/abd-vro/actions/workflows/codeql.yml) and click "Run workflow" on the desired branch.
* Merge the PR to a special branch (`develop`).

## Mirror

The Lighthouse SecRel (Secure Release) process operates only on non-public repos. To satisfy that requirement, an [abd-vro-internal](https://github.com/department-of-veterans-affairs/abd-vro-internal) repo was created as a mirror of this repo. The internal repo will only be used by the Lighthouse SecRel team to enable deployments to prod -- no one should be committing to or creating PRs directly in that repo.

The [mirror.yml](https://github.com/department-of-veterans-affairs/abd-vro/pull/119/files#diff-c426f16e7c324d1df73f26b63e634496b3ab186a16a827c457d38efef5fe49b0) GitHub Action updates the internal repo whenever a branch in this repo is created, updated, or deleted.

- @yoomlam generated a password-less ssh key pair (using the bogus email `mirror@abd-vro.va.gov`) and added an `SSH_PRIVATE_KEY` secret to the [repo's Secrets settings](https://github.com/department-of-veterans-affairs/abd-vro/settings/secrets/actions)
- In order for the GitHub Action to access the `abd-vro-internal` repo via ssh, the public key was added to [Deploy keys](https://github.com/department-of-veterans-affairs/abd-vro-internal/settings/keys) using the [abd-vro-machine](https://github.com/abd-vro-machine) account, which will attribute triggered actions (e.g., SecRel) in the `abd-vro-internal` repo to the machine-user account.

[PR #680](https://github.com/department-of-veterans-affairs/abd-vro/pull/680/files#r1019822340) makes the following unnecessary, but it is kept here for reference:

> [PR #250](https://github.com/department-of-veterans-affairs/abd-vro/pull/250) limits this action from running to certain PR event types (e.g., `ready_for_review`, `review_requested`) and for pushes to special branches since this action causes extraneous checks to run in the internal repo.
>
> To manually run the action, do any of the following:
>
> * Request a review from someone.
> * Convert it to a draft PR, then click the "Ready for Review" button.
> * Go to the [Mirror Action](https://github.com/department-of-veterans-affairs/abd-vro/actions/workflows/mirror.yml) and click "Run workflow" on any branch (all branches will be mirrored)
>   - or run `curl -XPOST -u "$GITHUB_USERNAME:$GITHUB_ACCESS_TOKEN" -H "Accept: application/vnd.github+json" -H "Content-Type: application/json" https://api.github.com/repos/department-of-veterans-affairs/abd-vro/actions/workflows/mirror.yml/dispatches --data "{\"ref\": \"develop\"}"`
>   - or run `gh workflow run mirror.yml --ref develop`
> * Merge the PR to a special branch (`develop`).

## SecRel

PR [Enable SecRel workflow #235](https://github.com/department-of-veterans-affairs/abd-vro/pull/235) adds new actions (`secrel.yml` and `aqua-checker.yml`) for VRO's code to go through Lighthouse's SecRel pipeline so that it is deployable to production -- see [Secure Release GitHub Actions](https://github.com/department-of-veterans-affairs/abd-vro-internal/wiki/Secure-Release-process#secrel-github-actions) for details.

The "SecRel workflow" action will be automatically triggered in the internal repo by pushes to `develop` and `main`. To manually trigger the SecRel workflow on a PR, see [To test PRs in the SecRel pipeline](https://github.com/department-of-veterans-affairs/abd-vro-internal/wiki/Secure-Release-process#to-test-prs-in-the-secrel-pipeline).
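The two mechanics this page relies on, a workflow that runs only on the named PR event types, pushes to special branches and a manual "Run workflow" dispatch (CodeQL and Mirror sections), and an image tag derived from the first 7 characters of the PR's commit hash (Build and Publish section), are illustrated in the following added example. It is not one of the repo's own workflow files (`codeql.yml`, `mirror.yml`, `secrel.yml`); the workflow name, job name, step ids and the `FULL_SHA` variable are assumptions made here, and the `OWNER/IMAGE` registry path is a placeholder.

```yaml
# Added example, not a workflow from the abd-vro repo.
name: restricted-build-example

on:
  # Only the PR event types named on this page, so the slow job does not run on every push to a PR
  pull_request:
    types: [ready_for_review, review_requested]
  # Pushes to the "special" branches
  push:
    branches: [develop, main]
  # Enables the "Run workflow" button, `gh workflow run`, and the /dispatches REST endpoint
  workflow_dispatch:

jobs:
  build-and-tag:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v3

      - name: Derive the 7-character image tag from the PR's commit hash
        id: tag
        env:
          # On pull_request events github.sha is the synthetic merge commit, not the PR's own
          # commit, so prefer the PR head SHA and fall back to github.sha for push/dispatch runs.
          FULL_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
        run: |
          # Refuse anything that is not a full 40-character hex SHA before it becomes a tag
          if [ "${#FULL_SHA}" -ne 40 ] || printf '%s' "$FULL_SHA" | grep -Eqv '^[0-9a-f]{40}$'; then
            echo "unexpected commit SHA: '$FULL_SHA'" >&2
            exit 1
          fi
          echo "tag=${FULL_SHA:0:7}" >> "$GITHUB_OUTPUT"

      - name: Show the tag a deployment manifest would reference
        run: echo "image would be published as ghcr.io/OWNER/IMAGE:${{ steps.tag.outputs.tag }}"
```

Because the `pull_request` trigger is limited to `ready_for_review` and `review_requested`, an ordinary push to a PR branch does not start the job; the four manual options listed under CodeQL (request a review, draft then "Ready for Review", the "Run workflow" button or dispatch API, merge to `develop`) each map to one of the three `on:` entries above. Deriving the tag from the PR head SHA rather than `github.sha` matters because the merge commit GitHub synthesizes for a `pull_request` run never exists in the branch history, so a tag built from it would not match the commit a deployment is later traced back to.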