Merge pull request #102 from GSA-TTS/update-github-actions
Update CI code for GitHub Actions and CircleCI
rahearn authored Jun 18, 2024
2 parents 2c1c8c7 + ddf225f commit f402e04
Showing 29 changed files with 151 additions and 237 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ class CircleciGenerator < ::Rails::Generators::Base
def install_needed_gems
gem_name = "rspec_junit_formatter"
return if gem_installed? gem_name
gem gem_name, "~> 0.5", group: :test
gem gem_name, "~> 0.6", group: :test
bundle_install
end

Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
version: 2.1

orbs:
ruby: circleci/[email protected].0
node: circleci/node@5.0.0
browser-tools: circleci/browser-tools@1.2.3<% if terraform? %>
terraform: circleci/terraform@3.0.0<% end %>
ruby: circleci/ruby@2.1.3
node: circleci/node@5.2.0
browser-tools: circleci/browser-tools@1.4.8<% if terraform? %>
terraform: circleci/terraform@3.2.1<% end %>

commands:
setup-project:
Expand Down Expand Up @@ -75,7 +75,7 @@ jobs:
parallelism: 3
docker:
- image: cimg/ruby:<%= ruby_version %>
- image: cimg/postgres:12.9
- image: cimg/postgres:15.7
environment:
POSTGRES_USER: circleci
POSTGRES_DB: <%= app_name %>_test
Expand Down Expand Up @@ -149,7 +149,7 @@ jobs:

owasp_scan:
machine:
image: ubuntu-2004:202111-02
image: ubuntu-2204:current
steps:
- checkout

Expand All @@ -172,14 +172,14 @@ jobs:
name: Run OWASP Zap
command: |
docker run -v $(pwd)/zap.conf:/zap/wrk/zap.conf:ro -v $(pwd)/reports:/zap/wrk:rw --rm \
--user zap:$(id -g) --network="project_ci_network" -t owasp/zap2docker-weekly \
--user zap:$(id -g) --network="project_ci_network" -t ghcr.io/zaproxy/zaproxy:weekly \
zap-baseline.py -t http://web:3000 -c zap.conf -I -i -r owasp_report.html
- store_artifacts:
path: reports/owasp_report.html

owasp_full_scan:
machine:
image: ubuntu-2004:202111-02
image: ubuntu-2204:current
steps:
- checkout

Expand All @@ -202,15 +202,15 @@ jobs:
name: Run OWASP Zap
command: |
docker run -v $(pwd)/zap.conf:/zap/wrk/zap.conf:ro -v $(pwd)/reports:/zap/wrk:rw --rm \
--user zap:$(id -g) --network="project_ci_network" -t owasp/zap2docker-weekly \
--user zap:$(id -g) --network="project_ci_network" -t ghcr.io/zaproxy/zaproxy:weekly \
zap-full-scan.py -t http://web:3000 -c zap.conf -I -i -r owasp_report.html
- store_artifacts:
path: reports/owasp_report.html

a11y_scan:
docker:
- image: cimg/ruby:<%= ruby_version %>
- image: cimg/postgres:12.9
- image: cimg/postgres:15.7
environment:
POSTGRES_USER: circleci
POSTGRES_DB: <%= app_name %>_development
Expand Down Expand Up @@ -262,7 +262,7 @@ jobs:

- run:
name: Run pa11y-ci
command: yarn run pa11y-ci
command: yarn run pa11y-ci -c pa11yci.js
<% if terraform? %>
terraform_plan_staging:
executor: terraform/default
Expand Down Expand Up @@ -290,7 +290,7 @@ jobs:
- checkout
- attach_workspace:
at: .
- terraform/apply
- terraform/apply:
path: terraform/staging
terraform_plan_production:
executor: terraform/default
Expand Down Expand Up @@ -318,7 +318,7 @@ jobs:
- checkout
- attach_workspace:
at: .
- terraform/apply
- terraform/apply:
path: terraform/production
<% end %>
deploy_staging:
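Review bot: The ZAP scan jobs now run on two mutable image tags — `image: ubuntu-2204:current` for the machine executor and `ghcr.io/zaproxy/zaproxy:weekly` for the scanner — so a given pipeline run cannot be reproduced and an upstream push changes what executes against the app without any change in this file. Following the weekly ZAP build is defensible for picking up fresh scan rules, but it should be a documented choice on the `docker run` line: `# weekly tag is deliberate so new scan rules are picked up; pin by digest if reproducible results are needed`. The executor image has less reason to float; the previous config used a dated `ubuntu-2004:202111-02` tag, and a dated `ubuntu-2204` tag would keep the docker/ZAP toolchain stable between runs while still being upgraded on purpose.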
Original file line number Diff line number Diff line change
Expand Up @@ -59,15 +59,6 @@ def update_boundary_diagram
EOB
end

def update_terraform_readme
return unless terraform?
readme_filename = "terraform/README.md"
insert_into_file readme_filename, " |- .force-action-apply\n", after: "- <env>/\n"
insert_into_file readme_filename, <<~EOM, after: /.*environment-specific modules:$/
\n- `.force-action-apply` is a file that can be updated to force GitHub Actions to run `terraform apply` during the deploy phase
EOM
end

def update_oscal_docs
update_cicd_oscal_docs("GitHub Actions")
end
Expand Down Expand Up @@ -122,8 +113,7 @@ def readme_credentials
<<~EOM
1. Store variables that must be secret using [GitHub Environment Secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-an-environment)
1. Add the secret to the `env:` block of the deploy action [as in this example](https://github.com/OHS-Hosting-Infrastructure/complaint-tracker/blob/a9e8d22aae2023a0afb631a6182251c04f597f7e/.github/workflows/deploy-stage.yml#L20)
1. Add the appropriate `--var` addition to the `push_arguments` line on the deploy action [as in this example](https://github.com/OHS-Hosting-Infrastructure/complaint-tracker/blob/a9e8d22aae2023a0afb631a6182251c04f597f7e/.github/workflows/deploy-stage.yml#L27)
1. Add the appropriate `--var` addition to the `cf_command` line on the deploy action like the existing `rails_master_key`
EOM
end
end
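Review bot: The rewritten third instruction in the `readme_credentials` heredoc tells maintainers to add the `--var` to the `cf_command` line "like the existing `rails_master_key`", but the second instruction on the line before it still says to put the secret in the deploy action's `env:` block; the deploy-*.yml hunks in this same commit appear to drop that `env:` block and reference `secrets.RAILS_MASTER_KEY` directly, and if that reading is right the two steps now contradict each other. Either drop the `env:` step or reword it to match, e.g. `1. Reference the secret directly in the cf_command line of the deploy action as --var name="${{ secrets.NAME }}", like the existing rails_master_key`. Since this text is generated into every project's README, stale guidance here propagates to each new app. `readme_credentials` begins outside this hunk.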
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ runs:
cache-version: 1

- name: Set up node
uses: actions/setup-node@v2
uses: actions/setup-node@v4
with:
node-version: '<%= node_version %>'
cache: 'yarn'
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ runs:
- name: Set up database
env:
RAILS_ENV: ${{ inputs.rails_env }}
SECRET_KEY_BASE: not-actually-secret
DATABASE_URL: ${{ inputs.database_url }}
shell: bash
run: bundle exec rake db:schema:load
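Review bot: The new `SECRET_KEY_BASE: not-actually-secret` line carries no explanation, and anyone auditing CI for hard-coded secrets will stop on it. A comment would make both the intent and the blast radius clear: `# placeholder only: Rails needs some value to boot for schema load; step-scoped, never used by a deployed app`. Keeping it in the step-level `env:` as written is the right shape, since it does not leak into later steps of the composite action; it should not be promoted to a job-level env. Why Rails needs it here (presumably `inputs.rails_env` is something other than `development`) is inferred, not visible in this hunk.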
Original file line number Diff line number Diff line change
Expand Up @@ -22,12 +22,16 @@ on:
# this will run at noon UTC each Monday (7am EST / 8am EDT)
- cron: '0 12 * * 1'

permissions:
contents: read
security-events: write

jobs:
brakeman-scan:
name: Brakeman Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4

- uses: ./.github/actions/setup-languages

Expand All @@ -39,6 +43,6 @@ jobs:
# Upload the SARIF file generated in the previous step
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v1
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: output.sarif.json
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4

- uses: ./.github/actions/setup-languages

Expand All @@ -31,7 +31,7 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4

- uses: ./.github/actions/setup-languages

Expand All @@ -43,14 +43,14 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4
- uses: ./.github/actions/setup-languages
- name: Install cyclonedx
run: gem install cyclonedx-ruby
- name: Generate BOM
run: cyclonedx-ruby -p . -o ruby_bom.xml
- name: Save BOM
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: ruby-bom
path: ./ruby_bom.xml
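Review bot: `actions/upload-artifact@v4` is not interchangeable with v3: an artifact uploaded by v4 can only be fetched with `actions/download-artifact@v4`, and uploading the same artifact name twice in one run is now an error. Nothing in this section shows a consumer of `ruby-bom`, so if another job or workflow downloads it with a v3 action that job breaks after this commit; worth checking before merge. Separately, the SBOM job installs its generator unpinned with `gem install cyclonedx-ruby`, so the tool producing the supply-chain artifact is itself whatever is latest on rubygems at run time; `gem install cyclonedx-ruby -v <version>` keeps BOM output reproducible and reviewable.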
Original file line number Diff line number Diff line change
Expand Up @@ -7,47 +7,36 @@ on:
- 'doc/**'
- 'README.md'

permissions:
contents: read
pull-requests: write

jobs:
deploy:
name: Deploy to production
runs-on: ubuntu-latest
environment: production
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 2
- uses: actions/checkout@v4
<% if terraform? %>
- name: Check for changes to Terraform
id: changed-terraform-files
uses: tj-actions/[email protected]
with:
files: |
terraform/shared
terraform/production
- name: Terraform init
if: steps.changed-terraform-files.outputs.any_changed == 'true'
working-directory: terraform/production
env:
AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
run: terraform init
- name: Terraform apply
if: steps.changed-terraform-files.outputs.any_changed == 'true'
working-directory: terraform/production
uses: dflook/terraform-apply@v1
env:
AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
run: terraform apply -auto-approve -input=false
with:
path: terraform/production
backend_config: >
access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
<% end %>
- name: Deploy app
uses: cloud-gov/cg-cli-tools@main
env:
RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
with:
cf_username: ${{ secrets.CF_USERNAME }}
cf_password: ${{ secrets.CF_PASSWORD }}
cf_org: <%= cloud_gov_organization %>
cf_space: <%= cloud_gov_production_space %>
cf_command: push -vars-file config/deployment/production.yml --var rails_master_key=${{ env.RAILS_MASTER_KEY }} --strategy rolling
cf_command: push --vars-file config/deployment/production.yml --var rails_master_key="${{ secrets.RAILS_MASTER_KEY }}" --strategy rolling
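Review bot: This job holds production credentials (`CF_USERNAME`, `CF_PASSWORD`, `RAILS_MASTER_KEY`, the Terraform state keys) yet two of the actions it hands them to are referenced by mutable refs, `uses: cloud-gov/cg-cli-tools@main` and `uses: dflook/terraform-apply@v1`; anyone who can push to that `main` branch or move the `v1` tag gets code execution in this job with those secrets in scope. A commit that bumps action versions across the repo is the natural place to pin both to a full commit SHA with the version in a trailing comment, e.g. `uses: cloud-gov/cg-cli-tools@<full-sha> # <tag>`. The `backend_config` block also passes the state access keys as backend arguments; if the state backend is S3 it reads `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` natively, so exporting them as step `env:` (as the removed `terraform init` step did) keeps them out of command arguments, though that depends on how the action forwards `backend_config`. Old and new lines are not marked on this page; the above reads the `dflook/terraform-apply` step as the new side.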
Original file line number Diff line number Diff line change
Expand Up @@ -7,47 +7,36 @@ on:
- 'doc/**'
- 'README.md'

permissions:
contents: read
pull-requests: write

jobs:
deploy:
name: Deploy to staging
runs-on: ubuntu-latest
environment: staging
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 2
- uses: actions/checkout@v4
<% if terraform? %>
- name: Check for changes to Terraform
id: changed-terraform-files
uses: tj-actions/[email protected]
with:
files: |
terraform/shared
terraform/staging
- name: Terraform init
if: steps.changed-terraform-files.outputs.any_changed == 'true'
working-directory: terraform/staging
env:
AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
run: terraform init
- name: Terraform apply
if: steps.changed-terraform-files.outputs.any_changed == 'true'
working-directory: terraform/staging
uses: dflook/terraform-apply@v1
env:
AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
run: terraform apply -auto-approve -input=false
with:
path: terraform/staging
backend_config: >
access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
<% end %>
- name: Deploy app
uses: cloud-gov/cg-cli-tools@main
env:
RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
with:
cf_username: ${{ secrets.CF_USERNAME }}
cf_password: ${{ secrets.CF_PASSWORD }}
cf_org: <%= cloud_gov_organization %>
cf_space: <%= cloud_gov_staging_space %>
cf_command: push -vars-file config/deployment/staging.yml --var rails_master_key=${{ env.RAILS_MASTER_KEY }} --strategy rolling
cf_command: push --vars-file config/deployment/staging.yml --var rails_master_key="${{ secrets.RAILS_MASTER_KEY }}" --strategy rolling
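Review bot: The new top-level `permissions` block grants `pull-requests: write` to the whole job, so the `cloud-gov/cg-cli-tools@main` deploy step, which has no reason to touch pull requests, receives that token scope along with the Terraform step. If the scope exists for `dflook/terraform-apply` to comment plan output on an associated PR, that is worth stating inline, `pull-requests: write # dflook/terraform-apply posts plan/apply output on the PR`, so a later reader does not widen it further or remove it by mistake; if it is not needed, `contents: read` alone is enough. As in the production workflow, `@main` is a floating ref on an action that receives `CF_PASSWORD` and `RAILS_MASTER_KEY`, and pinning it to a commit SHA belongs in this same change. Which lines are old and which are new is not marked on this page.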
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,10 @@ on:
# this will run at noon UTC every day (7am EST / 8am EDT)
- cron: '0 12 * * *'

permissions:
contents: read
issues: write

jobs:
owasp-scan:
name: OWASP ZAP Scan
Expand All @@ -25,7 +29,7 @@ jobs:
POSTGRES_PASSWORD: postgres

steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4

- id: setup
uses: ./.github/actions/setup-project
Expand All @@ -35,9 +39,10 @@ jobs:
database_url: ${{ steps.setup.outputs.database_url }}

- name: Run OWASP Full Scan
uses: zaproxy/action-full-scan@v0.3.0
uses: zaproxy/action-full-scan@v0.10.0
with:
docker_name: 'owasp/zap2docker-weekly'
token: ${{ secrets.GITHUB_TOKEN }}
docker_name: 'ghcr.io/zaproxy/zaproxy:weekly'
target: 'http://localhost:3000/'
fail_action: true
rules_file_name: 'zap.conf'
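Review bot: With `token: ${{ secrets.GITHUB_TOKEN }}` and the new `issues: write` permission, the full scan will file its findings as GitHub issues, which as far as the action's defaults go is what a supplied token enables; the baseline workflow in this same commit opts out with `allow_issue_writing: false`, so the two are inconsistent. A full active scan produces the alerts that matter most, and on a public repository those issues publish the application's open vulnerabilities to anyone reading the tracker; confirm generated projects are expected to be private, or add `allow_issue_writing: false` here as well and rely on the report artifact plus `fail_action: true`. The scanner image is also the floating `ghcr.io/zaproxy/zaproxy:weekly` tag, so scheduled runs are not reproducible; that is a reasonable trade for fresh rules but deserves a one-line comment on the `docker_name` line saying so.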
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ jobs:
POSTGRES_PASSWORD: postgres

steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4

- id: setup
uses: ./.github/actions/setup-project
Expand All @@ -38,10 +38,11 @@ jobs:
database_url: ${{ steps.setup.outputs.database_url }}

- name: Run OWASP Baseline Scan
uses: zaproxy/action-baseline@v0.6.1
uses: zaproxy/action-baseline@v0.12.0
with:
docker_name: 'owasp/zap2docker-weekly'
docker_name: 'ghcr.io/zaproxy/zaproxy:weekly'
target: 'http://localhost:3000/'
fail_action: true
allow_issue_writing: false
rules_file_name: 'zap.conf'
cmd_options: '-I'