Merge pull request #1657 from GSA/main

06/26/2024 Production Deploy

.ds.baseline

@@ -169,7 +169,7 @@
         "filename": "app/config.py",
         "hashed_secret": "577a4c667e4af8682ca431857214b3a920883efc",
         "is_verified": false,
-        "line_number": 111,
+        "line_number": 117,
         "is_secret": false
       }
     ],
@@ -423,7 +423,7 @@
         "filename": "app/templates/new/components/head.html",
         "hashed_secret": "ee5048791fc7ff45a1545e24f85bec3317371327",
         "is_verified": false,
-        "line_number": 35,
+        "line_number": 34,
         "is_secret": false
       }
     ],
@@ -586,20 +586,12 @@
       }
     ],
     "tests/app/main/views/test_sign_in.py": [
-      {
-        "type": "Private Key",
-        "filename": "tests/app/main/views/test_sign_in.py",
-        "hashed_secret": "1348b145fa1a555461c1b790a2f66614781091e9",
-        "is_verified": false,
-        "line_number": 31,
-        "is_secret": false
-      },
       {
         "type": "Secret Keyword",
         "filename": "tests/app/main/views/test_sign_in.py",
         "hashed_secret": "8b8b69116ee882b5e987e330f55db81aba0636f9",
         "is_verified": false,
-        "line_number": 104,
+        "line_number": 90,
         "is_secret": false
       }
     ],
@@ -675,7 +667,7 @@
         "filename": "tests/conftest.py",
         "hashed_secret": "f8377c90fcfd699f0ddbdcb30c2c9183d2d933ea",
         "is_verified": false,
-        "line_number": 3289,
+        "line_number": 3266,
         "is_secret": false
       }
     ],
@@ -710,5 +702,5 @@
       }
     ]
   },
-  "generated_at": "2024-05-20T16:03:05Z"
+  "generated_at": "2024-06-11T22:26:18Z"
 }

.github/actions/setup-project/action.yml

@@ -9,10 +9,10 @@ runs:
         sudo apt-get update \
         && sudo apt-get install -y --no-install-recommends \
         libcurl4-openssl-dev
-    - name: Set up Python 3.12
+    - name: Set up Python 3.12.3
       uses: actions/setup-python@v4
       with:
-        python-version: "3.12"
+        python-version: "3.12.3"
     - name: Install poetry
       shell: bash
       run: pip install poetry

.github/workflows/codeql.yml

@@ -0,0 +1,95 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main", "production" ]
+  pull_request:
+    branches: [ "main", "production" ]
+  schedule:
+    - cron: '18 5 * * 3'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: javascript-typescript
+          build-mode: none
+        - language: python
+          build-mode: none
+        # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+        # Use `c-cpp` to analyze code written in C, C++ or both
+        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    # If the analyze step fails for one of the languages you are analyzing with
+    # "We were unable to automatically build your code", modify the matrix above
+    # to set the build mode to "manual" for that language. Then modify this step
+    # to build your code.
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+    - if: matrix.build-mode == 'manual'
+      shell: bash
+      run: |
+        echo 'If you are using a "manual" build mode for one or more of the' \
+          'languages you are analyzing, replace this with the commands to build' \
+          'your code, for example:'
+        echo '  make bootstrap'
+        echo '  make release'
+        exit 1
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/deploy-demo.yml

@@ -18,7 +18,7 @@ jobs:
 
       - name: Check for changes to Terraform
         id: changed-terraform-files
-        uses: tj-actions/changed-files@v41.0.0
+        uses: tj-actions/changed-files@v44
         with:
           files: |
             terraform/demo
@@ -88,7 +88,7 @@ jobs:
 
       - name: Check for changes to egress config
         id: changed-egress-config
-        uses: tj-actions/changed-files@v41.0.0
+        uses: tj-actions/changed-files@v44
         with:
           files: |
             deploy-config/egress_proxy/notify-admin-demo.*.acl

.github/workflows/deploy-prod.yml

@@ -18,7 +18,7 @@ jobs:
 
       - name: Check for changes to Terraform
         id: changed-terraform-files
-        uses: tj-actions/changed-files@v41.0.0
+        uses: tj-actions/changed-files@v44
         with:
           files: |
             terraform/production
@@ -88,7 +88,7 @@ jobs:
 
       - name: Check for changes to egress config
         id: changed-egress-config
-        uses: tj-actions/changed-files@v41.0.0
+        uses: tj-actions/changed-files@v44
         with:
           files: |
             deploy-config/egress_proxy/notify-admin-production.*.acl

.github/workflows/deploy.yml

@@ -23,7 +23,7 @@ jobs:
 
       - name: Check for changes to Terraform
         id: changed-terraform-files
-        uses: tj-actions/changed-files@v41.0.0
+        uses: tj-actions/changed-files@v44
         with:
           files: |
             terraform/staging
@@ -95,7 +95,7 @@ jobs:
 
       - name: Check for changes to egress config
         id: changed-egress-config
-        uses: tj-actions/changed-files@v41.0.0
+        uses: tj-actions/changed-files@v44
         with:
           files: |
             deploy-config/egress_proxy/notify-admin-staging.*.acl

.nvmrc

@@ -1 +1 @@
-16.15.1
+16.20.2

Makefile

@@ -21,7 +21,8 @@ bootstrap: generate-version-file ## Set up everything to run the app
 	poetry install --sync --no-root
 	poetry run playwright install --with-deps
 	poetry run pre-commit install
-	source $(NVMSH) --no-use && nvm install && npm ci --no-audit
+	source $(NVMSH) --no-use && nvm install && npm install
+	source $(NVMSH) && npm ci --no-audit
 	source $(NVMSH) && npm run build
 
 .PHONY: watch-frontend
@@ -40,6 +41,10 @@ run-flask-bare:  ## Run flask without invoking poetry so we can override ENV var
 npm-audit:  ## Check for vulnerabilities in NPM packages
 	source $(NVMSH) && npm run audit
 
+.PHONY: npm-audit-fix
+npm-audit-fix:  ## Fix vulnerabilities that do not require attentino (according to npm)
+	source $(NVMSH) && npm audit fix
+
 .PHONY: help
 help:
 	@cat $(MAKEFILE_LIST) | grep -E '^[a-zA-Z_-]+:.*?## .*$$' | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
@@ -76,8 +81,9 @@ py-test: ## Run python unit tests
 	poetry run coverage html -d .coverage_cache
 
 .PHONY: dead-code
-dead-code:
-	poetry run vulture ./app --min-confidence=100
+dead-code: ## 60% is our aspirational goal, but currently breaks the build
+	poetry run vulture ./app ./notifications_utils --min-confidence=100
+
 
 .PHONY: e2e-test
 e2e-test: export NEW_RELIC_ENVIRONMENT=test

README.md

@@ -40,7 +40,7 @@ You will need the following items:
 [Follow the instructions here to set up the Notify.gov API.](https://github.com/GSA/notifications-api#before-you-start)
 
 The Notify.gov API is required in order for the Notify.gov Admin UI to run, and
-it will also take care of many of the steps that are listed here.  The sections
+it will also take care of many of the steps that are listed here. The sections
 that are a repeat from the API setup are flagged with an **[API Step]** label
 in front of them.
 
@@ -83,11 +83,13 @@ Your system `$PATH` environment variable is likely set in one of these
 locations:
 
 For BASH shells:
+
 - `~/.bashrc`
 - `~/.bash_profile`
 - `~/.profile`
 
 For ZSH shells:
+
 - `~/.zshrc`
 - `~/.zprofile`
 
@@ -97,7 +99,7 @@ environments.
 Which file you need to modify depends on whether or not you are running an
 interactive shell or a login shell
 (see [this Stack Overflow post](https://stackoverflow.com/questions/18186929/what-are-the-differences-between-a-login-shell-and-interactive-shell)
-for an explanation of the differences).  If you're still not sure, please ask
+for an explanation of the differences). If you're still not sure, please ask
 the team for help!
 
 Once you determine which file you'll need to modify, add these lines before any
@@ -158,7 +160,7 @@ _NOTE: This project currently uses the latest `1.4.x release of Terraform._
 #### [API Step] Python Installation
 
 Now we're going to install a tool to help us manage Python versions and
-virtual environments on our system.  First, we'll install
+virtual environments on our system. First, we'll install
 [pyenv](https://github.com/pyenv/pyenv) and one of its plugins,
 [pyenv-virtualenv](https://github.com/pyenv/pyenv-virtualenv), with Homebrew:
 
@@ -285,7 +287,7 @@ we'll use `3.12` in our example here since we recently upgraded to this version:
 pyenv install 3.12
 ```
 
-Next, delete the virtual environment you previously had set up.  If you followed
+Next, delete the virtual environment you previously had set up. If you followed
 the instructions above with the first-time set up, you can do this with `pyenv`:
 
 ```sh
@@ -306,6 +308,20 @@ you'll be set with an upgraded version of Python.
 
 _If you're not sure about the details of your current virtual environment, you can run `poetry env info` to get more information. If you've been using `pyenv` for everything, you can also see all available virtual environments with `pyenv virtualenvs`._
 
+#### Updating the .env file for Login.gov
+
+To configure the application for Login.gov, you will need to update the following environment variables in the .env file:
+
+```
+COMMIT_HASH=”--------”
+```
+
+Reach out to someone on the team to get the most recent Login.gov key.
+
+```
+LOGIN_PEM="INSERT_LOGIN_GOV_KEY_HERE"
+```
+
 #### Updating the .env file for E2E tests
 
 With the newly created `.env` file in place, you'll need to make one more
@@ -353,7 +369,7 @@ API is running as well!
 ## Creating a 'First User' in the database
 
 After you have completed all setup steps, you will be unable to log in, because there
-will not be a user in the database to link to the login.gov account you are using.  So
+will not be a user in the database to link to the login.gov account you are using. So
 you will need to create that user in your database using the 'create-test-user' command.
 
 Open two terminals pointing to the api project and then run these commands in the
@@ -372,8 +388,6 @@ is the same one you are using in login.gov and make sure your phone number is in
 If for any reason in the course of development it is necessary for your to delete your db
 via the `dropdb` command, you will need to repeat these steps when you recreate your db.
 
-
-
 ## Git Hooks
 
 We're using [`pre-commit`](https://pre-commit.com/) to manage hooks in order to