diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index e231278885..1756dc9a89 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -6,7 +6,7 @@ "args": { "DOCKER_GID": "${env:DOCKER_GID:}", "IMAGE_NAME": "node_24_python_3_12", - "IMAGE_VERSION": "v1.2.0", + "IMAGE_VERSION": "v1.4.4", "USER_UID": "${localEnv:USER_ID:}", "USER_GID": "${localEnv:GROUP_ID:}" }, diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000000..0492a66516 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,2 @@ +# restrict access to approving workflow changes +.github/workflows/ @NHSDigital/eps-admins diff --git a/.github/actions/mark_jira_released/action.yml b/.github/actions/mark_jira_released/action.yml deleted file mode 100644 index b5c498b218..0000000000 --- a/.github/actions/mark_jira_released/action.yml +++ /dev/null @@ -1,26 +0,0 @@ -name: "Create confluence release notes" -description: "Do release note actions in confluence and jira" -inputs: - RELEASE_TAG: - required: false - description: "The tag we are marking as released in jira" - DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: - required: true - description: "The role to assume to execute the release notes lambda" - -runs: - using: "composite" - steps: - - name: connect to dev account - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: eu-west-2 - role-to-assume: ${{ inputs.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }} - role-session-name: psu-release-notes-run-lambda - - - name: call markJiraReleased lambda - shell: bash - working-directory: .github/scripts - env: - RELEASE_TAG: ${{ inputs.RELEASE_TAG }} - run: ./call_mark_jira_released.sh diff --git a/.github/actions/update_confluence_jira/action.yml b/.github/actions/update_confluence_jira/action.yml deleted file mode 100644 index f5d56dbaf0..0000000000 --- a/.github/actions/update_confluence_jira/action.yml +++ /dev/null 
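Review bot: The new CODEOWNERS rule covers only `.github/workflows/`, while the workflows in this commit also execute content from `.github/config/` (the `ods_codes_*.txt` files read by run_release_code_and_api.yml) and sparse-checkout the whole `.github` tree, so an edit to those paths, or to CODEOWNERS itself, would not require an eps-admins review. Widening the rule to `.github/ @NHSDigital/eps-admins` (or adding explicit lines for `.github/config/` and `.github/CODEOWNERS`) closes that gap. This only has effect if the branch protection or ruleset for main requires code-owner review, which is not visible on this page.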
@@ -1,89 +0,0 @@ -name: "Create confluence release notes" -description: "Do release note actions in confluence and jira" -inputs: - TARGET_ENVIRONMENT: - required: true - description: "Target Environment" - RELEASE_TAG: - required: false - description: "The tag we are releasing - only used for create_rc_release_notes" - CONFLUENCE_PAGE_ID: - required: true - description: "The id of confluence page to update or create under" - CREATE_RC_RELEASE_NOTES: - required: true - description: "whether to create rc release notes page instead of normal release notes" - default: "false" - DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: - required: true - description: "The role to assume to execute the release notes lambda" - DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE: - required: true - description: "The dev cloud formation deploy role" - TARGET_CLOUD_FORMATION_CHECK_VERSION_ROLE: - required: true - description: "The target cloud formation deploy role" - -runs: - using: "composite" - steps: - - name: connect to target account - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: eu-west-2 - role-to-assume: ${{ inputs.TARGET_CLOUD_FORMATION_CHECK_VERSION_ROLE }} - role-session-name: psu-release-notes-target - - - name: Get deployed tag on target - shell: bash - working-directory: .github/scripts - env: - TARGET_ENVIRONMENT: ${{ inputs.TARGET_ENVIRONMENT }} - run: ./get_target_deployed_tag.sh - - - name: connect to dev account - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: eu-west-2 - role-to-assume: ${{ inputs.DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE }} - role-session-name: psu-release-notes-dev - - - name: get current dev tag - shell: bash - working-directory: .github/scripts - run: ./get_current_dev_tag.sh - - - name: connect to dev account to run release notes lambda - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: eu-west-2 - role-to-assume: ${{ inputs.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }} - role-session-name: 
psu-release-notes-run-lambda - unset-current-credentials: true - - - name: create int release notes - shell: bash - working-directory: .github/scripts - if: inputs.TARGET_ENVIRONMENT == 'int' && inputs.CREATE_RC_RELEASE_NOTES == 'false' - env: - ENV: INT - PAGE_ID: ${{ inputs.CONFLUENCE_PAGE_ID }} - run: ./create_env_release_notes.sh - - - name: create int rc release notes - shell: bash - working-directory: .github/scripts - if: inputs.TARGET_ENVIRONMENT == 'int' && inputs.CREATE_RC_RELEASE_NOTES == 'true' - env: - RELEASE_TAG: ${{ inputs.RELEASE_TAG }} - PAGE_ID: ${{ inputs.CONFLUENCE_PAGE_ID }} - run: ./create_int_rc_release_notes.sh - - - name: create prod release notes - shell: bash - working-directory: .github/scripts - if: inputs.TARGET_ENVIRONMENT == 'prod' - env: - ENV: PROD - PAGE_ID: ${{ inputs.CONFLUENCE_PAGE_ID }} - run: ./create_env_release_notes.sh diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 06982f91fe..527d56b536 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,18 +4,25 @@ on: push: branches: [main] -env: - BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }} +permissions: {} jobs: get_config_values: - uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 + permissions: + attestations: read + contents: read + packages: read with: verify_published_from_main_image: true quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 needs: [get_config_values] + permissions: + contents: read + id-token: write + packages: read with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} secrets: 
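Review bot: The `uses:` lines for `NHSDigital/eps-common-workflows` are pinned to a bare commit SHA with no version comment, so a reader cannot tell which release `c8f899f30a6a726859b0277faa73cd9ff7f4de20` corresponds to, and Dependabot cannot keep a tag comment in step with the SHA. Suggest appending a comment on each pinned line, e.g. `uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 # <release tag>`; the same applies to the pull_request.yml and release.yml hunks that update these pins. The job-level permission blocks added for `get_config_values` and `quality_checks` are appropriately narrow.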
@@ -33,26 +40,33 @@ jobs: tag_release: needs: [quality_checks, get_commit_id, get_config_values] - uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 permissions: id-token: write contents: write + packages: write with: dry_run: true pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} branch_name: main tag_format: ${{ needs.get_config_values.outputs.tag_format }} - secrets: inherit package_code: needs: [tag_release, get_config_values] uses: ./.github/workflows/run_package_code_and_api.yml + permissions: + contents: read + packages: read + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} release_dev: needs: [tag_release, package_code, get_commit_id, get_config_values] uses: ./.github/workflows/run_release_code_and_api.yml + permissions: + contents: write + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}} @@ -99,6 +113,9 @@ jobs: release_sandbox_dev: needs: [tag_release, package_code, get_commit_id, get_config_values] uses: ./.github/workflows/run_release_code_and_api.yml + permissions: + contents: write + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}-sandbox @@ -140,6 +157,9 @@ jobs: needs: [tag_release, release_dev, package_code, get_commit_id, get_config_values] uses: ./.github/workflows/run_release_code_and_api.yml + permissions: + contents: write + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}} 
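Review bot: `tag_release` runs with `dry_run: true` in this workflow yet is granted `contents: write` and, newly, `packages: write`; if tag-release-devcontainer.yml only needs those scopes when it actually pushes a tag or package, the dry-run callers here and in pull_request.yml could be narrowed to read. Since a caller must grant at least what the called workflow's jobs declare, confirm against that workflow's job-level permissions before changing them; release.yml runs with `dry_run: false`, so the write scopes are expected there. A short comment next to `dry_run: true` stating why write scopes are still required would also prevent the question recurring.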
diff --git a/.github/workflows/delete_old_cloudformation_stacks.yml b/.github/workflows/delete_old_cloudformation_stacks.yml index ac747a8f56..a4d4397a78 100644 --- a/.github/workflows/delete_old_cloudformation_stacks.yml +++ b/.github/workflows/delete_old_cloudformation_stacks.yml @@ -7,6 +7,7 @@ on: - cron: "0 1,13 * * *" push: branches: [main] +permissions: {} jobs: delete-old-cloudformation-stacks: @@ -19,8 +20,8 @@ jobs: - name: Checkout local code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: - ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 + persist-credentials: false - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 @@ -46,8 +47,8 @@ jobs: - name: Checkout local code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: - ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 + persist-credentials: false - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 60dbe9dd21..5dc6e7f020 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml 
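Review bot: With the new top-level `permissions: {}`, the `delete-old-cloudformation-stacks` job's own permissions block, which lies outside these hunks, must now grant `id-token: write` if the `aws-actions/configure-aws-credentials` steps shown after each checkout assume their role via OIDC; otherwise the token request fails, so confirm it is declared. The zizmor config added in this commit also suppresses `secrets-outside-env` at lines 30 and 57 of this file, which suggests the secret references there are still interpolated inline; moving them under a step `env:` (as this commit does for `AWS_ENVIRONMENT` and `APIGEE_ENVIRONMENT` elsewhere) would remove the need for those ignores.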
@@ -4,32 +4,44 @@ on: pull_request: branches: [main] -env: - BRANCH_NAME: ${{ github.event.pull_request.head.ref }} +permissions: {} jobs: dependabot-auto-approve-and-merge: needs: quality_checks - uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 + permissions: + contents: write + pull-requests: write secrets: AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }} AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }} get_config_values: - uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 + permissions: + attestations: read + contents: read + packages: read with: verify_published_from_main_image: false quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 needs: [get_config_values] + permissions: + contents: read + id-token: write + packages: read with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} pr_title_format_check: - uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 + permissions: + pull-requests: write get_issue_number: runs-on: ubuntu-22.04 
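Review bot: `pr_title_format_check` is granted `pull-requests: write`; if pr_title_check.yml only reads the title, `pull-requests: read` is enough, and write should be kept only if it posts a comment or label. `dependabot-auto-approve-and-merge` now holds `contents: write` and `pull-requests: write` on every pull_request run with no actor guard visible at the caller; if the called workflow does not itself restrict to Dependabot, add `if: github.actor == 'dependabot[bot]'` on the job so the approve/merge path and the AUTOMERGE secrets are only reachable from Dependabot PRs.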
@@ -60,16 +72,16 @@ jobs: tag_release: needs: [get_config_values] - uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 permissions: id-token: write contents: write + packages: write with: dry_run: true pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} branch_name: ${{ github.event.pull_request.head.ref }} tag_format: ${{ needs.get_config_values.outputs.tag_format }} - secrets: inherit get_commit_id: runs-on: ubuntu-22.04 @@ -84,12 +96,19 @@ jobs: package_code: needs: [get_issue_number, get_config_values] uses: ./.github/workflows/run_package_code_and_api.yml + permissions: + contents: read + packages: read + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} release_code: needs: [get_issue_number, package_code, get_commit_id, get_config_values] uses: ./.github/workflows/run_release_code_and_api.yml + permissions: + contents: write + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} STACK_NAME: psu-pr-${{needs.get_issue_number.outputs.issue_number}} @@ -136,6 +155,9 @@ jobs: release_sandbox_code: needs: [get_issue_number, package_code, get_commit_id, get_config_values] uses: ./.github/workflows/run_release_code_and_api.yml + permissions: + contents: write + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} STACK_NAME: psu-pr-${{needs.get_issue_number.outputs.issue_number}}-sandbox diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7cc5dd132e..fb268dc86a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
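Review bot: `branch_name: ${{ github.event.pull_request.head.ref }}` passes a PR-author-controlled value into tag-release-devcontainer.yml; as a `with:` input it is data rather than shell, so it is safe only as long as the called workflow reads it through `env:` or a quoted variable instead of interpolating `${{ inputs.branch_name }}` into a `run:` script, which cannot be verified from this side. A one-line comment at the call site would make that contract visible, e.g. `# head.ref is caller-controlled: the callee must not interpolate branch_name into run: scripts`. The enclosing `jobs:` mapping continues outside the hunk.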
@@ -3,17 +3,24 @@ name: deploy to environments on: workflow_dispatch: -env: - BRANCH_NAME: ${{ github.event.ref.BRANCH_NAME }} +permissions: {} jobs: get_config_values: - uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 + permissions: + attestations: read + contents: read + packages: read with: verify_published_from_main_image: true quality_checks: - uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 needs: [get_config_values] + permissions: + contents: read + id-token: write + packages: read with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} secrets: @@ -31,10 +38,11 @@ jobs: tag_release: needs: [quality_checks, get_commit_id, get_config_values] - uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@5ac2707dd9cd60ad127275179495b9c890d74711 + uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@c8f899f30a6a726859b0277faa73cd9ff7f4de20 permissions: id-token: write contents: write + packages: write with: dry_run: false pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} 
@@ -48,12 +56,19 @@ jobs: package_code: needs: [tag_release, get_config_values] uses: ./.github/workflows/run_package_code_and_api.yml + permissions: + contents: read + packages: read + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} release_dev: needs: [tag_release, package_code, get_commit_id, get_config_values] uses: ./.github/workflows/run_release_code_and_api.yml + permissions: + contents: write + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}} @@ -104,6 +119,9 @@ jobs: release_dev_sandbox: needs: [tag_release, package_code, get_commit_id, get_config_values] uses: ./.github/workflows/run_release_code_and_api.yml + permissions: + contents: write + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}-sandbox @@ -155,6 +173,9 @@ jobs: get_config_values, ] uses: ./.github/workflows/run_release_code_and_api.yml + permissions: + contents: write + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}} @@ -208,6 +229,9 @@ jobs: get_config_values, ] uses: ./.github/workflows/run_release_code_and_api.yml + permissions: + contents: write + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}} @@ -254,6 +278,9 @@ jobs: needs: [tag_release, release_qa, package_code, get_commit_id, get_config_values] uses: ./.github/workflows/run_release_code_and_api.yml + permissions: + contents: write + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}} 
@@ -304,6 +331,9 @@ jobs: needs: [tag_release, release_qa, package_code, get_commit_id, get_config_values] uses: ./.github/workflows/run_release_code_and_api.yml + permissions: + contents: write + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}-sandbox @@ -355,6 +385,9 @@ jobs: get_config_values, ] uses: ./.github/workflows/run_release_code_and_api.yml + permissions: + contents: write + id-token: write with: pinned_image: ${{ needs.get_config_values.outputs.pinned_image }} ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}} diff --git a/.github/workflows/run_package_code_and_api.yml b/.github/workflows/run_package_code_and_api.yml index e08791993b..76e9c3d130 100644 --- a/.github/workflows/run_package_code_and_api.yml +++ b/.github/workflows/run_package_code_and_api.yml @@ -7,6 +7,8 @@ on: required: true type: string +permissions: {} + jobs: package_code_and_api: runs-on: ubuntu-22.04 @@ -27,7 +29,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: - ref: ${{ env.BRANCH_NAME }} + persist-credentials: false - name: Setting up .npmrc env: diff --git a/.github/workflows/run_regression_tests.yml b/.github/workflows/run_regression_tests.yml index f49e66cbe6..48baad9580 100644 --- a/.github/workflows/run_regression_tests.yml +++ b/.github/workflows/run_regression_tests.yml @@ -17,6 +17,7 @@ on: secrets: REGRESSION_TESTS_PEM: required: true +permissions: {} jobs: run_regression_tests: @@ -38,7 +39,7 @@ jobs: - name: Checkout local github actions uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: - ref: ${{ env.BRANCH_NAME }} + persist-credentials: false fetch-depth: 0 - name: Generate a token to authenticate regression testing diff --git a/.github/workflows/run_release_code_and_api.yml b/.github/workflows/run_release_code_and_api.yml index f797424ef4..0d2df8cde0 100644 
--- a/.github/workflows/run_release_code_and_api.yml +++ b/.github/workflows/run_release_code_and_api.yml @@ -136,6 +136,7 @@ on: required: false REGRESSION_TESTS_PEM: required: true +permissions: {} jobs: release_code_and_api: @@ -158,7 +159,7 @@ jobs: - name: Checkout local github actions uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: - ref: ${{ env.BRANCH_NAME }} + persist-credentials: false fetch-depth: 0 sparse-checkout: | .github @@ -188,9 +189,11 @@ jobs: - name: read ODS codes id: read run: | - INPUT_FILE="${GITHUB_WORKSPACE}/.github/config/ods_codes_${{ inputs.AWS_ENVIRONMENT }}.txt" + INPUT_FILE="${GITHUB_WORKSPACE}/.github/config/ods_codes_${AWS_ENVIRONMENT}.txt" CSV=$(sed ':a;N;$!ba;s/\r\?\n/,/g;s/,$//' < "$INPUT_FILE") echo "ods_csv=${CSV}" >> "$GITHUB_OUTPUT" + env: + AWS_ENVIRONMENT: ${{ inputs.AWS_ENVIRONMENT }} - name: release code shell: bash 
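Review bot: The `read ODS codes` step now interpolates `AWS_ENVIRONMENT` into a filesystem path without checking its shape, so an unexpected value (one containing `/` or `..`, or an empty string) makes `sed` read a different file under the workspace or fail with an unhelpful error; the input comes from sibling workflows in this repository, so exposure is low, but a guard such as `[[ "$AWS_ENVIRONMENT" =~ ^[A-Za-z0-9_-]+$ ]] || { echo "unexpected AWS_ENVIRONMENT" >&2; exit 1; }` before the assignment makes the contract explicit. The step also lacks the `shell: bash` that the neighbouring `release code` step declares, so it relies on the runner default shell for `set -e` semantics. Moving the expression into `env:` is the right fix for the expression-injection pattern; the remaining `release_code_and_api` job permissions are outside the hunk, so whether `id-token: write` is declared there under the new `permissions: {}` could not be checked.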
@@ -295,27 +298,34 @@ jobs: with: ref: gh-pages path: gh-pages + persist-credentials: true - - name: Update release tag in github pages - if: ${{ !startsWith(inputs.STACK_NAME, 'psu-pr-') }} + - name: update release tag in github pages + if: ${{ inputs.IS_PULL_REQUEST == false }} run: | cd gh-pages NOW=$(date +'%Y-%m-%dT%H:%M:%S') - echo "tag,release_datetime" > _data/${{ inputs.APIGEE_ENVIRONMENT }}_latest.csv - echo "${{ inputs.VERSION_NUMBER }},${NOW}" >> _data/${{ inputs.APIGEE_ENVIRONMENT }}_latest.csv - echo "${{ inputs.VERSION_NUMBER }},${NOW}" >> _data/${{ inputs.APIGEE_ENVIRONMENT }}_deployments.csv + echo "tag,release_datetime" > "_data/${APIGEE_ENVIRONMENT}_latest.csv" + echo "${VERSION_NUMBER},${NOW}" >> "_data/${APIGEE_ENVIRONMENT}_latest.csv" + echo "${VERSION_NUMBER},${NOW}" >> "_data/${APIGEE_ENVIRONMENT}_deployments.csv" git config user.name github-actions git config user.email github-actions@github.com - git add _data/${{ inputs.APIGEE_ENVIRONMENT }}_latest.csv - git add _data/${{ inputs.APIGEE_ENVIRONMENT }}_deployments.csv - git commit -m 'update releases for ${{ inputs.APIGEE_ENVIRONMENT }}' + git add "_data/${APIGEE_ENVIRONMENT}_latest.csv" + git add "_data/${APIGEE_ENVIRONMENT}_deployments.csv" + git commit -m "update releases for ${APIGEE_ENVIRONMENT}" parallel --retries 10 --delay 3 ::: "git pull --rebase && git push" + env: + APIGEE_ENVIRONMENT: ${{ inputs.APIGEE_ENVIRONMENT }} + VERSION_NUMBER: ${{ inputs.VERSION_NUMBER }} regression_tests: if: ${{ inputs.RUN_REGRESSION_TEST == true && always() && !failure() && !cancelled() }} name: Regression Tests uses: ./.github/workflows/run_regression_tests.yml needs: release_code_and_api + permissions: + id-token: write + contents: write with: ENVIRONMENT: ${{ inputs.APIGEE_ENVIRONMENT }} VERSION_NUMBER: ${{ inputs.VERSION_NUMBER }} diff --git a/.gitignore b/.gitignore index 2ab9a1118a..fde104b2ec 100644 --- a/.gitignore +++ b/.gitignore 
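Review bot: The new guard `if: ${{ inputs.IS_PULL_REQUEST == false }}` is only as strong as the input's declaration, which is outside this hunk: whether an omitted `IS_PULL_REQUEST` resolves to false or to null, the comparison holds, so a caller that forgets the input has the gh-pages commit run for its deployment. Declare it as `type: boolean` with `required: true` (or `default: true`) so the old `STACK_NAME`-based check cannot regress into writing PR deployments into `_data/*_latest.csv`. Separately, `regression_tests` is granted `contents: write`; if run_regression_tests.yml only checks out with `persist-credentials: false` and uses the generated App token, `contents: read` is sufficient. `persist-credentials: true` on the gh-pages checkout leaves GITHUB_TOKEN in that checkout's git config for the rest of the job, which is acceptable for the push but deserves a comment such as `# credentials kept only for the gh-pages push below`.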
@@ -28,3 +28,4 @@ _site/ vendor .cfn_guard_out/ .trivy_out/ +.sbom/ diff --git a/.grype.yaml b/.grype.yaml new file mode 100644 index 0000000000..d07cef7c42 --- /dev/null +++ b/.grype.yaml @@ -0,0 +1,3 @@ +ignore: + # path-to-regexp - dependency of aws-sdk-client-mock + - vulnerability: GHSA-j3q9-mxjg-w52f diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5fb6aaa8b5..847e8dc9ce 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -23,6 +23,14 @@ repos: - repo: local hooks: + - id: grype-scan-local + name: Grype scan local changes + entry: make + args: ["grype-scan-local"] + language: system + pass_filenames: false + always_run: true + - id: check-commit-signing name: Check commit signing description: Ensures that commits are GPG signed diff --git a/.trivyignore.yaml b/.trivyignore.yaml deleted file mode 100644 index 5f0d05c4a4..0000000000 --- a/.trivyignore.yaml +++ /dev/null 
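Review bot: The `.grype.yaml` ignore for GHSA-j3q9-mxjg-w52f is unscoped and has no expiry, so it will also silence that advisory if it appears through any other package and, unlike the `expired_at` dates in the removed `.trivyignore.yaml`, nothing will prompt a revisit. Scope it with a `package:` block naming `path-to-regexp`, and since grype has no expiry field record a review date in the comment, e.g. `# path-to-regexp - dependency of aws-sdk-client-mock; revisit by <date>`. The `grype-scan-local` hook is `always_run: true` with `pass_filenames: false`, so it performs a full scan on every commit; acceptable if it is quick, but a note on expected runtime in the hook's `name` or a comment would help contributors.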
@@ -1,28 +0,0 @@ -vulnerabilities: - - id: CVE-2026-25128 - statement: fast-xml-parser vulnerability accepted as risk - dependency of aws-sdk/client-dynamodb - expired_at: 2026-03-01 - - id: CVE-2026-25547 - statement: isaacs/brace-expansion vulnerability accepted as risk - dependency of aws-sdk/client-dynamodb - expired_at: 2026-03-01 - - id: CVE-2026-26278 - statement: fast-xml-parser vulnerability accepted as risk - dependency of aws-sdk/client-dynamodb and redocly - expired_at: 2026-04-01 - - id: CVE-2026-26996 - statement: minimatch vulnerability accepted as risk - dependency of various packages - expired_at: 2026-04-01 - - id: CVE-2026-32141 - statement: Transitive dependency vulnerability in flatted - expired_at: 2026-06-01 - - id: CVE-2026-1526 - statement: Transitive dependency vulnerability in undici of npm - expired_at: 2026-06-01 - - id: CVE-2026-1528 - statement: Transitive dependency vulnerability in undici of npm - expired_at: 2026-06-01 - - id: CVE-2026-2229 - statement: Transitive dependency vulnerability in undici of npm - expired_at: 2026-06-01 - - id: CVE-2026-33036 - statement: fast-xml-parser - will be updated soon - expired_at: 2026-06-01 diff --git a/Makefile b/Makefile index 46f2cae220..251be16be8 100644 --- a/Makefile +++ b/Makefile @@ -6,7 +6,7 @@ install-python: poetry install install-node: - npm ci --legacy-peer-deps + npm ci --ignore-scripts install-hooks: install-python poetry run pre-commit install --install-hooks --overwrite diff --git a/zizmor.yml b/zizmor.yml new file mode 100644 index 0000000000..6659946d6b --- /dev/null +++ b/zizmor.yml 
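Review bot: `npm ci --ignore-scripts` blocks dependency lifecycle scripts, a sound supply-chain default, but it also skips this project's own `prepare`/`postinstall` hooks and any native-addon builds; if the repository relies on one, `install-node` needs an explicit follow-up such as `npm rebuild` or `npm run prepare --if-present`. Dropping `--legacy-peer-deps` in the same line means an unmet peer dependency now fails the install instead of being ignored, so the lockfile must resolve cleanly under strict peer rules. A one-line comment on the target explaining both choices, e.g. `# --ignore-scripts: no lifecycle scripts from dependencies; run needed hooks explicitly`, would save the next maintainer re-deriving them.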
@@ -0,0 +1,13 @@
+rules:
+ unpinned-images:
+ # these workflows use unpinned images because they are using a full image passed in that contains the tag
+ ignore:
+ - run_release_code_and_api.yml:146:7
+ - run_regression_tests.yml:26:7
+ - run_package_code_and_api.yml:16:7
+ secrets-outside-env:
+ # these are ignored because they are using known secrets
+ ignore:
+ - run_regression_tests.yml:50:28
+ - delete_old_cloudformation_stacks.yml:57:31
+ - delete_old_cloudformation_stacks.yml:30:31
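Review bot: The `ignore:` entries are keyed by `file:line:col`, so any edit above those lines in the three workflows silently moves the suppression onto a different line, either re-raising the finding as noise or hiding a new one. zizmor also accepts an inline `# zizmor: ignore[unpinned-images]` comment on the offending line, which travels with the code; prefer that, or at least re-check these locations whenever the workflows change. For `secrets-outside-env`, the fix the rule asks for is to move the secret reference into the step's `env:`, as this commit already does for `AWS_ENVIRONMENT` and `APIGEE_ENVIRONMENT`, which would remove the three ignores rather than justify them as "known secrets".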