diff --git a/.github/workflows/gitguardian.yml b/.github/workflows/gitguardian.yml
deleted file mode 100644
index de2c1838da..0000000000
--- a/.github/workflows/gitguardian.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-name: GitGuardian scan - -on: [push, pull_request] - -jobs: - scanning: - name: GitGuardian scan - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v3 - with: - fetch-depth: 0 # fetch all history so multiple commits can be scanned - name: GitGuardian scan - uses: GitGuardian/ggshield-action@v1.16.0 - env: - GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }} - GITHUB_PUSH_BASE_SHA: ${{ github.event.base }} - GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }} - GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} - GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8357a6690a..5f933411ab 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,6 +15,7 @@ jobs:
     permissions: write-all
     outputs:
       VERSION: ${{ steps.get-version.outputs.VERSION }}
+      PREV_VERSION: ${{ steps.get-prev-version.outputs.VERSION }}
     runs-on: ubuntu-latest
     steps:
       - name: Checkout project
@@ -41,13 +42,13 @@ jobs:
         run: yarn install
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           platforms: linux/amd64
           install: true
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -56,6 +57,10 @@ jobs:
       - name: Expose GitHub Runtime
         uses: crazy-max/ghaction-github-runtime@v2
 
+      - name: Retrieve previous version
+        id: get-prev-version
+        run: echo "VERSION=$(git describe --tags --abbrev=0 | cut -c2-)" >> "$GITHUB_OUTPUT"
+
       - name: bump and release
         run: yarn release
         env:
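Review bot: In the new `Retrieve previous version` step, a failure of `git describe --tags --abbrev=0` is masked by the pipe into `cut` — the step sets no `shell:`, and as far as I know the default `run` shell is `bash -e` without `pipefail` — so on a checkout that did not fetch tags `PREV_VERSION` is silently empty, which then either skips `docker-scout` (both versions empty and equal) or hands it an invalid `:` tag as the compare baseline. The `Checkout project` step's `with:` block is outside this hunk; confirm it uses `fetch-depth: 0` or `fetch-tags: true`, and add `shell: bash` to the step so a missing tag fails loudly. `cut -c2-` also assumes the nearest tag starts with `v`; `git describe --tags --abbrev=0 --match 'v*'` makes that assumption explicit instead of stripping the first character of whatever tag is nearest. Since the step is a byte-for-byte copy of `Retrieve new version` further down, a one-line comment such as `# nearest v-tag before yarn release tags the new version; baseline for docker-scout compare` would explain why it runs twice.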
@@ -63,10 +68,51 @@ jobs:
           SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
           GITHUB_REF_NAME: ${{ env.GITHUB_REF_NAME }}
 
-      - name: Retrieve version
+      - name: Retrieve new version
         id: get-version
         run: echo "VERSION=$(git describe --tags --abbrev=0 | cut -c2-)" >> "$GITHUB_OUTPUT"
 
+  docker-scout:
+    if: needs.release.outputs.VERSION != needs.release.outputs.PREV_VERSION
+    concurrency:
+      group: "scout-${{ github.workflow }}-${{ github.ref }}"
+    needs: ["release"]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Authenticate to Docker
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USER }}
+          password: ${{ secrets.DOCKER_PAT }}
+
+      - name: Server Docker Scout
+        uses: docker/scout-action@v1
+        with:
+          command: quickview,cves,recommendations,compare
+          image: ghcr.io/mission-apprentissage/mna_lba_server:${{ needs.release.outputs.VERSION }}
+          to: ghcr.io/mission-apprentissage/mna_lba_server:${{ needs.release.outputs.PREV_VERSION }}
+          sarif-file: sarif-server.output.json
+
+      - name: Server Docker Upload SARIF result
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: sarif-server.output.json
+          category: Docker Server
+
+      - name: UI Docker Scout
+        uses: docker/scout-action@v1
+        with:
+          command: quickview,cves,recommendations,compare
+          image: ghcr.io/mission-apprentissage/mna_lba_ui:${{ needs.release.outputs.VERSION }}-production
+          to: ghcr.io/mission-apprentissage/mna_lba_ui:${{ needs.release.outputs.PREV_VERSION }}-production
+          sarif-file: sarif-ui.output.json
+
+      - name: UI Docker Upload SARIF result
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: sarif-ui.output.json
+          category: Docker UI
+
   deploy:
     concurrency:
       group: "deploy-${{ github.workflow }}-${{ github.ref }}"
diff --git a/.talismanrc b/.talismanrc
index ce1d2770ed..7f66528c51 100644
--- a/.talismanrc
+++ b/.talismanrc
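Review bot: The new `docker-scout` job declares no `permissions:` block, yet both `github/codeql-action/upload-sarif@v2` steps need `security-events: write`; the job therefore depends on the repository's default token scopes, and on a repo whose default is read-only both uploads fail, whereas the `release` job it depends on sidesteps this with `permissions: write-all` (visible as context in an earlier hunk) — give this job an explicit least-privilege block rather than copying `write-all`. The job also authenticates only to Docker Hub via `secrets.DOCKER_USER`/`secrets.DOCKER_PAT`, while every `image:`/`to:` reference points at `ghcr.io/mission-apprentissage/...`; if those packages are private the pull runs unauthenticated, because the `ghcr.io` login in the `release` job does not carry over between jobs. `docker/scout-action@v1` and `upload-sarif@v2` are mutable major tags; for a job whose purpose is supply-chain scanning, pinning them to a commit SHA would be consistent with its own threat model. The first run after this merge also has no prior image to `compare` against unless `PREV_VERSION` already exists as a ghcr tag, which may be worth a comment on the `if:` line.

```yaml
  docker-scout:
    if: needs.release.outputs.VERSION != needs.release.outputs.PREV_VERSION
    permissions:
      contents: read
      packages: read
      security-events: write
    # … unchanged: concurrency, needs, runs-on …
    steps:
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # … unchanged: Docker Hub login, scout and SARIF upload steps …
```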
@@ -1,12 +1,12 @@
 fileignoreconfig:
-- filename: server/src/jobs/database/obfuscateCollections.ts
-  checksum: 7ba4254524cc7ae083334540daaf8b85235bb9c1918a9e5e4e93264a9d40d117
 - filename: .bin/scripts/seed-apply.sh
   checksum: 49afe4f96fa13b38cf799d931085437d540b4c62eb05b2f15bc12cd3fb43268b
 - filename: .bin/scripts/seed-update.sh
   checksum: 707139e7844412ee81d2796abfb2dac00dd90a9a65eb3b5f2cdede7571e96ef2
 - filename: .bin/scripts/setup-local-env.sh
   checksum: 47323f5183f73a794449666a816d5b797c7a5ed4c7ad219c3c885a57e2fcf1e9
+- filename: .github/workflows/release.yml
+  checksum: 694b85290832914912327d8aac141c4bccc4a18e301d7343b8a6c4471e4ad065
 - filename: .infra/files/configs/mongodb/mongod.conf
   checksum: 718bee5f44edc101636be8f11173ede5b728f2858abc3c26466ff9435f0d11de
 - filename: .infra/files/configs/mongodb/seed.gpg
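Review bot: The new `.github/workflows/release.yml` ignore entry is checksum-pinned, so every later edit of the workflow will need the checksum regenerated or talisman will flag the file again — the same churn this patch already shows for `.infra/vault/vault.yml`, whose checksum is updated in one hunk and whose duplicate entry is dropped in another. With the GitGuardian push/PR scan deleted in this same commit, talisman is presumably the only secret check left covering workflow files, which is worth stating in the commit message. A comment above the entry would save the next maintainer a guess about why a CI workflow is in a secrets-ignore list, e.g. `# flagged for its ${{ secrets.* }} references (no literal secrets); re-pin the checksum after each workflow change`.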
@@ -16,19 +16,11 @@ fileignoreconfig:
 - filename: .infra/local/mongod.conf
   checksum: bb2ce0c27102259a5fa39da1fb4460af9ad6ad58adc715312e53dcd69c8e6be7
 - filename: .infra/vault/vault.yml
-  checksum: 559154cce23a106b319209adb507d1891039bcc6381a35717f11135743e94914
+  checksum: 136cba643cbfdfc04f35cd171fe488ad2836261ae88201b6f344b6edbb77d3ef
 - filename: docker-compose.yml
   checksum: 8cdd1da6c1155f26b417a27e26311d4f00b7d8bd6c21f1f86c1c7cb3f0599e6a
 - filename: server/.env.test
   checksum: 2534c2dae48c1464b97489263621dcd516a676b28fdbb34e98267a10e00fd839
-- filename: server/src/db/migrations/20231127120528-remove-password.ts
-  checksum: 5c7a2ec4655f0543f42bfbccc759bff4eb10456946885531c91107cac3e8dbc0
-- filename: server/src/security/accessTokenService.ts
-  checksum: f05cafd17797362fc9bfb53062af2095ead2cbe2fa967fad23bd61b756052004
-- filename: shared/routes/formulaire.route.ts
-  checksum: aaebcb3889eeb066dd5b44f95e8d23a1a988608b382eb107dad4d87d24a97074
-- filename: shared/routes/v1Jobs.routes.ts
-  checksum: aa0fb2458520f24921a48af03ad05c3f4a92052374182851f24a3afa7421a5b8
 - filename: server/src/common/model/schema/_shared/mongoose-paginate.ts
   checksum: b6762a7cb5df9bbee1f0ce893827f0991ad01514f7122a848b3b5d49b620f238
 - filename: server/src/config.ts
@@ -47,6 +39,8 @@ fileignoreconfig:
   checksum: d716e214d828109181a138f0ae253d5489a3c544b2625917b458d1e07886c408
 - filename: server/src/jobs/lba_recruteur/formulaire/misc/removeVersionKeyFromRecruiters.ts
   checksum: 3cd111d8c109cfec357bae48af70d0cf5644d02cd2c4b9afc5b8aa07bccbd535
+- filename: server/src/security/accessTokenService.ts
+  checksum: f05cafd17797362fc9bfb53062af2095ead2cbe2fa967fad23bd61b756052004
 - filename: server/src/services/application.service.ts
   checksum: 935cd8f213565ba7bcc2925fca149aaa6cbe9bb5e393a13ab3525dff6ad17234
 - filename: server/tests/integration/http/formationV1.test.ts
@@ -73,8 +67,12 @@ fileignoreconfig:
   checksum: 144ab34674299cdac89d96ffa6ed834814135c54e1621e1fa47ec5012924f862
 - filename: shared/routes/appointments.routes.ts
   checksum: 46d94affa911e46d6e3f72d453412c4b5378a4ef71e6ee6cb3ab2f43eee3d5d4
+- filename: shared/routes/formulaire.route.ts
+  checksum: aaebcb3889eeb066dd5b44f95e8d23a1a988608b382eb107dad4d87d24a97074
 - filename: shared/routes/password.routes.ts
   checksum: f9d2657f85f9f885deddf2ed1fd006d8278d27174659f0ed5a35e4d11343bb3a
+- filename: shared/routes/v1Jobs.routes.ts
+  checksum: aa0fb2458520f24921a48af03ad05c3f4a92052374182851f24a3afa7421a5b8
 - filename: ui/common/hooks/useAuth.ts
   checksum: 7cce935653407e000b35e98bd365a003e538aed4fed432a9a404d4f2412dd2df
 - filename: ui/components/ItemDetail/ItemDetail.tsx
@@ -93,10 +91,6 @@ fileignoreconfig: checksum: 1ad48425b890a5ed3de19d079692e2ef7eac76483339a469a6cd9bc6d796ad26 - filename: ui/utils/api.utils.ts checksum: 324cd501354cfff65447c2599c4cc8966aa8aac30dda7854623dd6f7f7b0d34e -- filename: .infra/vault/vault.yml - checksum: 136cba643cbfdfc04f35cd171fe488ad2836261ae88201b6f344b6edbb77d3ef - -ignore_detectors: [] -version: "" scopeconfig: - scope: node custom_patterns:
@@ -114,3 +108,4 @@ allowed_patterns:
 - versionKey
 - '@apprentissage.beta.gouv.fr'
 - adminusersview
+version: "1.0"