From 8e918894d946a18b492cec911c9a53f5823a6737 Mon Sep 17 00:00:00 2001 From: "kai [they]" Date: Tue, 26 Nov 2024 14:24:00 -0800 Subject: [PATCH 1/3] [no ticket] fix cron vuln scan logic (hopefully) (#3040) ### Time to review: __1 mins__ ## Changes proposed Changes the vuln scan cronjob to both: - have an explicit `needs` keyword - always run every vuln scan on every app ## Context for reviewers Right now the setup for the cron vuln scans is nonideal, this is shown here: image There are two problems here: - the matrix fails fast, which means that if one scan fails, the other scans won't get a chance to cache - there is a `needs` statement missing on the slack job, so it doesn't wait for the vuln scans to complete before it alerts slack. In practice this means that it will never alert slack (and in my experience, it never has) --- .github/workflows/ci-cron-vulnerability-scans.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci-cron-vulnerability-scans.yml b/.github/workflows/ci-cron-vulnerability-scans.yml index 867e99915..5eb54a518 100644 --- a/.github/workflows/ci-cron-vulnerability-scans.yml +++ b/.github/workflows/ci-cron-vulnerability-scans.yml @@ -13,6 +13,7 @@ jobs: vulnerability-scans: name: Vulnerability Scans strategy: + fail-fast: false matrix: app_name: ["frontend", "api", "analytics"] uses: ./.github/workflows/vulnerability-scans.yml @@ -21,4 +22,5 @@ jobs: send-slack-notification: if: failure() + needs: vulnerability-scans uses: ./.github/workflows/send-slack-notification.yml From 1727acb721fc772f01e1284eaef364ae1fae267a Mon Sep 17 00:00:00 2001 From: "kai [they]" Date: Tue, 26 Nov 2024 17:26:29 -0800 Subject: [PATCH 2/3] [no ticket] Update libc dev (#3059) ### Time to review: __1 mins__ ## Changes proposed Adds `libc-dev` to the list of packages we update explicitly --- analytics/Dockerfile | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) 
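Review bot: `if: failure()` on send-slack-notification only inspects jobs listed in `needs`, so the added `needs: vulnerability-scans` line in the second hunk is load-bearing and nothing in the file records that; a comment above it such as `# failure() only sees jobs listed in needs — dropping this line silently disables the alert` would stop the next edit from reintroducing the bug the description reports. `failure()` also stays false when the scan job is cancelled (a concurrency group or a manual cancel), so a cron run that never completes still produces no Slack message; if that case should also page, `if: failure() || cancelled()` covers it. With `fail-fast: false` from the first hunk every matrix entry now runs to completion, which is what lets the single downstream alert reflect all three apps rather than the first failure. The rest of the `jobs:` mapping is outside both hunks.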
diff --git a/analytics/Dockerfile b/analytics/Dockerfile index cc4d8606f..e988ade47 100644 --- a/analytics/Dockerfile +++ b/analytics/Dockerfile @@ -11,15 +11,24 @@ FROM python:3.13-slim AS base RUN pip install --no-cache-dir poetry==1.8.2 --upgrade RUN apt-get update \ + # Remove existing packages before installing their never versions + && apt-get remove --yes \ + build-essential \ + libc-dev \ + libpq-dev \ + postgresql \ + wget \ + jq \ # Install security updates # https://pythonspeed.com/articles/security-updates-in-docker/ && apt-get upgrade --yes \ && apt-get install --no-install-recommends --yes \ - build-essential \ - libpq-dev \ - postgresql \ - wget \ - jq \ + build-essential \ + libc-dev \ + libpq-dev \ + postgresql \ + wget \ + jq \ # Reduce the image size by clear apt cached lists # Complies with https://github.com/codacy/codacy-hadolint/blob/master/codacy-hadolint/docs/description/DL3009.md && rm -fr /var/lib/apt/lists/* \ From 37ed85196abb681a7881f613f697676a65cbf823 Mon Sep 17 00:00:00 2001 
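Review bot: The added `apt-get remove --yes` block runs in the same RUN as the first install on the fresh `python:3.13-slim` base named in the hunk header, so unless the slim image already ships those six packages there is nothing to remove and the block is a no-op; the newer versions actually come from the `apt-get upgrade --yes` that already follows it, so adding `libc-dev` to the install list (which this hunk also does) is the whole fix and the remove block can be dropped. On Debian `libc-dev` is a virtual package provided by `libc6-dev`; apt resolves the install because there is a single provider, but as far as I recall `apt-get remove` of a virtual name is only warned about rather than resolved, so naming `libc6-dev` directly is safer if the remove block is kept. The new comment also reads `# Remove existing packages before installing their never versions`, where `newer versions` is meant. The RUN instruction continues past the end of the hunk.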
From: "kai [they]" Date: Wed, 27 Nov 2024 07:28:44 -0800 Subject: [PATCH 3/3] [Issue #3031] install ubuntu 22 LTS, instead of latest (#3034) ## Summary Fixes #3031 ### Time to review: __1 mins__ --- .github/workflows/build-and-publish.yml | 2 +- .github/workflows/cd-analytics-infra.yml | 4 ++-- .github/workflows/cd-api-infra.yml | 4 ++-- .github/workflows/cd-frontend-infra.yml | 4 ++-- .github/workflows/cd-storybook.yml | 4 ++-- .github/workflows/check-infra-auth.yml | 2 +- .github/workflows/ci-analytics.yml | 2 +- .github/workflows/ci-api.yml | 2 +- .github/workflows/ci-frontend-a11y.yml | 4 ++-- .github/workflows/ci-frontend-e2e.yml | 4 ++-- .github/workflows/ci-frontend.yml | 6 +++--- .github/workflows/ci-infra.yml | 12 ++++++------ .github/workflows/ci-openapi.yml | 5 ++--- .github/workflows/ci-project-linters.yml | 2 +- .github/workflows/ci-wiki-links.yml | 2 +- .github/workflows/database-migrations.yml | 2 +- .github/workflows/deploy-metabase.yml | 2 +- .github/workflows/deploy.yml | 2 +- .github/workflows/infra-service.yml | 2 +- .github/workflows/lint-set-points-and-sprint.yml | 2 +- .github/workflows/send-slack-notification.yml | 2 +- .github/workflows/vulnerability-scans.yml | 10 +++++----- 22 files changed, 40 insertions(+), 41 deletions(-) diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml index f12595c90..849880f92 100644 --- a/.github/workflows/build-and-publish.yml +++ b/.github/workflows/build-and-publish.yml @@ -36,7 +36,7 @@ on: jobs: build-and-publish: name: Build and publish - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 permissions: contents: read diff --git a/.github/workflows/cd-analytics-infra.yml b/.github/workflows/cd-analytics-infra.yml index 978ed09ea..a8ad5e601 100644 --- a/.github/workflows/cd-analytics-infra.yml +++ b/.github/workflows/cd-analytics-infra.yml 
@@ -23,7 +23,7 @@ on: jobs: build-repository: name: Build Repository - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 permissions: contents: read id-token: write @@ -47,7 +47,7 @@ jobs: deploy-infra: name: Deploy Infrastructure - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 strategy: fail-fast: false matrix: diff --git a/.github/workflows/cd-api-infra.yml b/.github/workflows/cd-api-infra.yml index 8a49b1588..aaadec395 100644 --- a/.github/workflows/cd-api-infra.yml +++ b/.github/workflows/cd-api-infra.yml @@ -24,7 +24,7 @@ on: jobs: build-repository: name: Build Repository - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 permissions: contents: read id-token: write @@ -47,7 +47,7 @@ jobs: deploy-infra: name: Deploy Infrastructure - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 strategy: fail-fast: false matrix: diff --git a/.github/workflows/cd-frontend-infra.yml b/.github/workflows/cd-frontend-infra.yml index 3dcbbd4f8..e4ec14cfc 100644 --- a/.github/workflows/cd-frontend-infra.yml +++ b/.github/workflows/cd-frontend-infra.yml @@ -24,7 +24,7 @@ on: jobs: build-repository: name: Build Repository - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 permissions: contents: read id-token: write @@ -47,7 +47,7 @@ jobs: deploy-infra: name: Deploy Infrastructure - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 strategy: fail-fast: false matrix: diff --git a/.github/workflows/cd-storybook.yml b/.github/workflows/cd-storybook.yml index 340f32ade..ff2ad67e3 100644 --- a/.github/workflows/cd-storybook.yml +++ b/.github/workflows/cd-storybook.yml @@ -23,7 +23,7 @@ concurrency: jobs: build: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - name: Checkout uses: actions/checkout@v4 @@ -51,7 +51,7 @@ jobs: environment: name: github-pages url: ${{ steps.hosting.outputs.page_url }} - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 needs: build steps: - name: Deploy to GitHub Pages 
diff --git a/.github/workflows/check-infra-auth.yml b/.github/workflows/check-infra-auth.yml index 10cd5cf8f..4673518cd 100644 --- a/.github/workflows/check-infra-auth.yml +++ b/.github/workflows/check-infra-auth.yml @@ -18,7 +18,7 @@ permissions: jobs: caller-identity: name: Check caller identity - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - name: Checkout code uses: actions/checkout@v4 diff --git a/.github/workflows/ci-analytics.yml b/.github/workflows/ci-analytics.yml index 2214079a5..47015d6c2 100644 --- a/.github/workflows/ci-analytics.yml +++ b/.github/workflows/ci-analytics.yml @@ -14,7 +14,7 @@ defaults: jobs: lint-test: name: Analytics Lint, Format & Tests - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 env: GH_TOKEN: ${{ secrets.GH_TOKEN_PROJECT_ACCESS }} ANALYTICS_SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} diff --git a/.github/workflows/ci-api.yml b/.github/workflows/ci-api.yml index 709a3f5b0..7d11d5b47 100644 --- a/.github/workflows/ci-api.yml +++ b/.github/workflows/ci-api.yml @@ -14,7 +14,7 @@ defaults: jobs: lint-test: name: API Lint, Format & Tests - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/ci-frontend-a11y.yml b/.github/workflows/ci-frontend-a11y.yml index 2428d4bd9..ad6745656 100644 --- a/.github/workflows/ci-frontend-a11y.yml +++ b/.github/workflows/ci-frontend-a11y.yml @@ -9,7 +9,7 @@ on: jobs: build: name: Pa11y-ci tests - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 defaults: run: working-directory: ./frontend @@ -52,7 +52,7 @@ jobs: npm run build - name: Run Server - run: npm run start & + run: npm run start & - name: Wait for frontend to be ready run: | diff --git a/.github/workflows/ci-frontend-e2e.yml b/.github/workflows/ci-frontend-e2e.yml index 0fae5f04a..1a5b7388a 100644 --- a/.github/workflows/ci-frontend-e2e.yml +++ b/.github/workflows/ci-frontend-e2e.yml 
@@ -22,7 +22,7 @@ concurrency: jobs: e2e-tests: name: Run E2E Tests - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 strategy: matrix: @@ -82,7 +82,7 @@ jobs: name: Create Merged Test Report if: ${{ !cancelled() }} needs: [e2e-tests] - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - name: Checkout code diff --git a/.github/workflows/ci-frontend.yml b/.github/workflows/ci-frontend.yml index 842031135..dca9542dc 100644 --- a/.github/workflows/ci-frontend.yml +++ b/.github/workflows/ci-frontend.yml @@ -23,7 +23,7 @@ concurrency: jobs: tests: name: FE Lint, Type Check, Format & Tests - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 @@ -58,7 +58,7 @@ jobs: # Confirms the front end still builds successfully check-frontend-builds: name: FE Build Check - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 @@ -86,7 +86,7 @@ jobs: # Confirms Storybook still builds successfully check-storybook-builds: name: FE Storybook Build Check - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/ci-infra.yml b/.github/workflows/ci-infra.yml index 1a82012e0..305351074 100644 --- a/.github/workflows/ci-infra.yml +++ b/.github/workflows/ci-infra.yml @@ -19,7 +19,7 @@ jobs: # Lint github actions files using https://github.com/rhysd/actionlint # This job configuration is largely copied from https://github.com/rhysd/actionlint/blob/main/docs/usage.md#use-actionlint-on-github-actions name: Lint GitHub Actions workflows - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 - name: Download actionlint 
@@ -31,14 +31,14 @@ jobs: shell: bash lint-scripts: name: Lint scripts - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 - name: Shellcheck run: make infra-lint-scripts check-terraform-format: name: Check Terraform format - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 - uses: hashicorp/setup-terraform@v3 @@ -51,7 +51,7 @@ jobs: make infra-lint-terraform validate-terraform: name: Validate Terraform modules - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 - uses: hashicorp/setup-terraform@v3 @@ -62,7 +62,7 @@ jobs: run: make infra-validate-modules check-compliance-with-checkov: name: Check compliance with checkov - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 @@ -81,7 +81,7 @@ jobs: quiet: true # only displays failed checks check-compliance-with-tfsec: name: Check compliance with tfsec - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 permissions: contents: read diff --git a/.github/workflows/ci-openapi.yml b/.github/workflows/ci-openapi.yml index 08006252b..acf8fddfb 100644 --- a/.github/workflows/ci-openapi.yml +++ b/.github/workflows/ci-openapi.yml @@ -19,10 +19,9 @@ concurrency: group: ${{ github.head_ref }} cancel-in-progress: true - jobs: update-openapi-docs: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 with: @@ -42,4 +41,4 @@ jobs: git add --all # Commit changes (if no changes then no-op) git diff-index --quiet HEAD || git commit -m "Create ERD diagram and Update OpenAPI spec" - git push \ No newline at end of file + git push diff --git a/.github/workflows/ci-project-linters.yml b/.github/workflows/ci-project-linters.yml index a566b53d3..63d2598c0 100644 --- a/.github/workflows/ci-project-linters.yml +++ b/.github/workflows/ci-project-linters.yml 
@@ -14,7 +14,7 @@ defaults: jobs: dry-run-project-linters: name: Dry run GitHub project linters - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 env: GH_TOKEN: ${{ secrets.GH_TOKEN_PROJECT_ACCESS }} # Test issue with points and sprint values unset diff --git a/.github/workflows/ci-wiki-links.yml b/.github/workflows/ci-wiki-links.yml index 9b7a9c726..841bc5dc5 100644 --- a/.github/workflows/ci-wiki-links.yml +++ b/.github/workflows/ci-wiki-links.yml @@ -16,7 +16,7 @@ defaults: jobs: check-wiki-links: name: Check wiki links in SUMMARY.md - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/database-migrations.yml b/.github/workflows/database-migrations.yml index 1c2293be7..dd09f4ba6 100644 --- a/.github/workflows/database-migrations.yml +++ b/.github/workflows/database-migrations.yml @@ -18,7 +18,7 @@ concurrency: database-migrations-${{ inputs.environment }} jobs: run-migrations: name: Run migrations - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 permissions: contents: read diff --git a/.github/workflows/deploy-metabase.yml b/.github/workflows/deploy-metabase.yml index 4aecf5942..8b2e0ba7b 100644 --- a/.github/workflows/deploy-metabase.yml +++ b/.github/workflows/deploy-metabase.yml @@ -18,7 +18,7 @@ concurrency: cd-${{ inputs.environment }} jobs: deploy: name: Deploy - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 permissions: contents: read id-token: write diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 2a86013cb..29be7fa52 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -33,7 +33,7 @@ jobs: deploy: name: Deploy - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 needs: [database-migrations] permissions: contents: read diff --git a/.github/workflows/infra-service.yml b/.github/workflows/infra-service.yml index ac50af68d..108507232 100644 --- a/.github/workflows/infra-service.yml +++ b/.github/workflows/infra-service.yml 
@@ -11,7 +11,7 @@ on: jobs: infra-test-e2e: name: Test service - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 permissions: contents: read diff --git a/.github/workflows/lint-set-points-and-sprint.yml b/.github/workflows/lint-set-points-and-sprint.yml index f25adf78d..8c1a9309b 100644 --- a/.github/workflows/lint-set-points-and-sprint.yml +++ b/.github/workflows/lint-set-points-and-sprint.yml @@ -12,7 +12,7 @@ defaults: jobs: run-project-linters: name: Run set points and sprint values on close - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 # Prevents duplicate runs of this linter for the same issue concurrency: group: issue-${{ github.event.issue.number }} diff --git a/.github/workflows/send-slack-notification.yml b/.github/workflows/send-slack-notification.yml index dce3b5ecd..740973d8a 100644 --- a/.github/workflows/send-slack-notification.yml +++ b/.github/workflows/send-slack-notification.yml @@ -5,7 +5,7 @@ on: workflow_call jobs: send-slack-notification: name: Send Slack notification on failure - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - name: Send Slack notification run: | diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml index 0cd5232b7..2f2321754 100644 --- a/.github/workflows/vulnerability-scans.yml +++ b/.github/workflows/vulnerability-scans.yml @@ -14,7 +14,7 @@ on: jobs: hadolint-scan: name: Hadolint Scan - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 @@ -34,7 +34,7 @@ jobs: cat hadolint-results.txt >> "$GITHUB_STEP_SUMMARY" build-and-cache: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 outputs: image: ${{ steps.shared-output.outputs.image }} @@ -88,7 +88,7 @@ jobs: trivy-scan: name: Trivy Scan - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 needs: build-and-cache steps: @@ -172,7 +172,7 @@ jobs: anchore-scan: name: Anchore Scan - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 needs: build-and-cache steps: 
@@ -215,7 +215,7 @@ jobs: dockle-scan: name: Dockle Scan - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 needs: build-and-cache steps: