Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions .gitattributes
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
# Autodetect text files and forces unix eols, so Windows does not break them
* text=auto eol=lf

# Force images/fonts to be handled as binaries
*.jpg binary
*.jpeg binary
*.gif binary
*.png binary
*.woff binary
*.woff2 binary
*.ttf binary
*.eot binary
8 changes: 4 additions & 4 deletions .github/workflows/.deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,7 @@ jobs:
contents: read
timeout-minutes: ${{ inputs.timeout-minutes }}
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Stop pre-existing deployments on PRs (status = pending-upgrade)
if: github.event_name == 'pull_request'
uses: bcgov/action-oc-runner@d2fc921aaa9d70684c186dbb7754e6985d44d86f # v1.4.1
Expand All @@ -71,6 +71,7 @@ jobs:
oc_server: ${{ vars.oc_server }}
triggers: ${{ inputs.triggers }}
commands: |
set -euo pipefail
# Interrupt any previous deployments (PR only)
PREVIOUS=$(helm status ${{ inputs.release_name }} -o json | jq .info.status || true)
if [[ ${PREVIOUS} =~ pending ]]; then
Expand All @@ -87,8 +88,7 @@ jobs:
oc_server: ${{ vars.oc_server }}
triggers: ${{ inputs.triggers }}
commands: |
# echo current git branch

set -euo pipefail
# If directory provided, cd to it
[ -z "${{ inputs.directory }}" ]|| cd ${{ inputs.directory }}
# Deploy Helm Chart
Expand Down Expand Up @@ -120,4 +120,4 @@ jobs:
helm history ${{ inputs.release_name }} || true

# Remove old build runs, build pods and deployment pods
oc delete po --field-selector=status.phase==Succeeded
oc delete po --field-selector=status.phase==Succeeded || true
4 changes: 2 additions & 2 deletions .github/workflows/.tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,8 @@ jobs:
matrix:
browser: [chrome]
steps:
- uses: actions/checkout@v6
- uses: cypress-io/github-action@v7.1.10
- uses: actions/checkout@v7
- uses: cypress-io/github-action@c495c3ddffba403ba11be95fffb67e25203b3799 # v7.1.10
name: Cypress run
with:
config: pageLoadTimeout=30000,baseUrl=https://pubcode-${{ inputs.target }}.apps.silver.devops.gov.bc.ca/
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,10 +26,10 @@ jobs:
contents: read
security-events: write
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7

- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@v0.36.0
uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0
with:
format: "sarif"
output: "trivy-results.sarif"
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/merge.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,9 +21,9 @@ jobs:
runs-on: ubuntu-24.04
timeout-minutes: 1
permissions:
contents: write # write implies read; needed for git-push and checkout
contents: write # write implies read; needed for git-push and checkout
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
- name: Conventional Changelog Update
uses: TriPSs/conventional-changelog-action@952b14bbc4be87e8458a6ac5926fc655608b1b19 # v6.3.1
id: changelog
Expand Down
21 changes: 17 additions & 4 deletions .github/workflows/pr-open.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ permissions: {}
jobs:
pr-greeting:
name: PR Greeting
if: "!github.event.pull_request.head.repo.fork"
env:
DOMAIN: apps.silver.devops.gov.bc.ca
PREFIX: ${{ github.event.repository.name }}-${{ github.event.number }}
Expand All @@ -22,7 +23,7 @@ jobs:
pull-requests: write
steps:
- name: PR Greeting
uses: bcgov/action-pr-description-add@9bf88aec33edb7c00ed72f9305aa1721d0cdab9f # v2.0.3
uses: bcgov/actions/pr-description-add@0992e41cd11c5370b77f9e6066effe63efe9f8c9 # v0.4.0
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
add_markdown: |
Expand All @@ -39,6 +40,7 @@ jobs:

builds:
name: Builds
needs: [pr-greeting]
runs-on: ubuntu-24.04
Comment thread
mishraomp marked this conversation as resolved.
permissions:
contents: read
Expand All @@ -49,13 +51,13 @@ jobs:
matrix:
package: [api, database, frontend]
steps:
- uses: actions/checkout@v6
- uses: bcgov/action-builder-ghcr@2b24ac7f95e6a019064151498660437cca3202c5 # v4.2.1
- uses: actions/checkout@v7
- uses: bcgov/actions/builder-ghcr@0992e41cd11c5370b77f9e6066effe63efe9f8c9 # v0.4.0
with:
package: ${{ matrix.package }}
tags: ${{ github.event.number || github.sha }}
tag_fallback: latest
token: ${{ secrets.GITHUB_TOKEN }}
github_token: ${{ secrets.GITHUB_TOKEN }}

- uses: shrink/actions-docker-registry-tag@e6aaef25c595b6e0edd18bf4c7dbfea3abd43299 # v5
with:
Expand Down Expand Up @@ -100,3 +102,14 @@ jobs:
uses: ./.github/workflows/.tests.yml
with:
target: ${{ github.event.number }}

results:
name: Results
if: always()
needs: [pr-greeting, builds, deploys, tests]
runs-on: ubuntu-24.04
timeout-minutes: 1
steps:
- name: Fail if any dependent job failed or was cancelled
if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
run: exit 1
22 changes: 13 additions & 9 deletions .github/workflows/scheduled.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ jobs:
working-directory: crawler
steps:
- name: Check out repository
uses: actions/checkout@v6
uses: actions/checkout@v7

- name: Add Node.js
uses: actions/setup-node@v6
Expand All @@ -36,14 +36,14 @@ jobs:
- name: Install Dependencies
run: npm ci

- uses: actions/cache@v5
- uses: actions/cache@v6
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-

- uses: redhat-actions/openshift-tools-installer@v1
- uses: redhat-actions/openshift-tools-installer@144527c7d98999f2652264c048c7a9bd103f8a82 # v1.13.1
with:
oc: "4"

Expand All @@ -52,6 +52,7 @@ jobs:
GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO_NAMES: ${{ github.event.inputs.REPO_NAMES }}
run: |
set -euo pipefail
oc login --token=${{ secrets.OC_TOKEN }} --server=${{ vars.OC_SERVER }}
oc project ${{ vars.OC_NAMESPACE }}

Expand All @@ -71,7 +72,7 @@ jobs:
working-directory: schema/script
steps:
- name: Check out repository
uses: actions/checkout@v6
uses: actions/checkout@v7

- name: Add Node.js
uses: actions/setup-node@v6
Expand All @@ -81,7 +82,7 @@ jobs:
- name: Install Dependencies
run: npm ci

- uses: actions/cache@v5
- uses: actions/cache@v6
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
Expand All @@ -96,8 +97,10 @@ jobs:
if: steps.validate-ministry-list.outputs.schemaChanged == 'true'
env:
GH_TOKEN: ${{ github.token }}
ACTOR: ${{ github.actor }}
run: |
git config --local user.name ${{ github.actor }}
set -euo pipefail
git config --local user.name "$ACTOR"
git checkout -b chore/ministry-name-schema
git add ../bcgovpubcode.json
git commit -m "Updating the Schema as changes to ministry names were detected."
Expand All @@ -116,7 +119,7 @@ jobs:
environment: prod
steps:
- name: Check out repository
uses: actions/checkout@v6
uses: actions/checkout@v7

- name: Add Node.js
uses: actions/setup-node@v6
Expand All @@ -125,19 +128,20 @@ jobs:
- name: Install Dependencies
run: npm ci

- uses: actions/cache@v5
- uses: actions/cache@v6
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-

- uses: redhat-actions/openshift-tools-installer@v1
- uses: redhat-actions/openshift-tools-installer@144527c7d98999f2652264c048c7a9bd103f8a82 # v1.13.1
with:
oc: "4"

- name: Process script
run: |
set -euo pipefail
oc login --token=${{ secrets.OC_TOKEN }} --server=${{ vars.OC_SERVER }}
oc project ${{ vars.OC_NAMESPACE }}

Expand Down
5 changes: 4 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -112,4 +112,7 @@ test-report.xml
frontend/.env.local
.idea
/util/
*.http
*.http
.claude
.tokensave
.copilot-memory
23 changes: 21 additions & 2 deletions charts/pubcode/templates/api/templates/deployment.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ spec:
labels:
{{- include "api.labels" . | nindent 8 }}
spec:
terminationGracePeriodSeconds: {{ default 30 .Values.api.terminationGracePeriodSeconds }}
securityContext:
runAsNonRoot: true
seccompProfile:
Expand All @@ -34,9 +35,16 @@ spec:
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
volumeMounts:
- name: tmp
mountPath: /tmp
Comment thread
Copilot marked this conversation as resolved.
{{- if $c.volumeMounts }}
{{- tpl (toYaml $c.volumeMounts) $ | nindent 12 }}
{{- end }}
{{- if and $c.envFrom $c.envFrom.secretRef $c.envFrom.secretRef.name }}
envFrom:
- secretRef:
Expand Down Expand Up @@ -79,8 +87,19 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.api.affinity }}
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
{{- include "api.selectorLabels" . | nindent 20 }}
topologyKey: kubernetes.io/hostname
{{- with .Values.api.affinity }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
volumes:
- name: tmp
emptyDir: {}
{{- end }}
2 changes: 1 addition & 1 deletion charts/pubcode/templates/api/templates/pdb.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,5 +10,5 @@ spec:
selector:
matchLabels:
{{- include "api.selectorLabels" . | nindent 6 }}
minAvailable: {{ .Values.api.pdb.minAvailable }}
maxUnavailable: {{ .Values.api.pdb.maxUnavailable }}
{{- end }}
3 changes: 3 additions & 0 deletions charts/pubcode/templates/database/templates/sfs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
labels:
{{- include "database.labels" . | nindent 8 }}
spec:
terminationGracePeriodSeconds: {{ default 60 .Values.database.terminationGracePeriodSeconds }}
securityContext:
runAsNonRoot: true
seccompProfile:
Expand All @@ -31,27 +32,28 @@
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
{{- if $ic.command }}
command:
{{- tpl (toYaml $ic.command) $ | nindent 12 }}
{{- end }}
{{- if $ic.args }}
args:
{{- tpl (toYaml $ic.args) $ | nindent 12 }}
{{- end }}
{{- if $ic.resources }}
resources:
{{- toYaml $ic.resources | nindent 12 }}
{{- end }}
{{- if $ic.volumeMounts }}
volumeMounts:
{{- tpl (toYaml $ic.volumeMounts) $ | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}

Check warning

Code scanning / Trivy

Restrict container images to trusted registries Medium

Artifact: charts/pubcode/templates/database/templates/sfs.yml
Type: helm
Vulnerability KSV-0125
Severity: MEDIUM
Message: Container database-init in statefulset pubcode-database (namespace: null) uses an image from an untrusted registry.
Link: KSV-0125

Check notice

Code scanning / Trivy

CPU not limited Low

Artifact: charts/pubcode/templates/database/templates/sfs.yml
Type: helm
Vulnerability KSV-0011
Severity: LOW
Message: Container 'database-init' of StatefulSet 'pubcode-database' should set 'resources.limits.cpu'
Link: KSV-0011

Check notice

Code scanning / Trivy

Memory not limited Low

Artifact: charts/pubcode/templates/database/templates/sfs.yml
Type: helm
Vulnerability KSV-0018
Severity: LOW
Message: Container 'database-init' of StatefulSet 'pubcode-database' should set 'resources.limits.memory'
Link: KSV-0018

Check notice

Code scanning / Trivy

Runs with UID <= 10000 Low

Artifact: charts/pubcode/templates/database/templates/sfs.yml
Type: helm
Vulnerability KSV-0020
Severity: LOW
Message: Container 'database-init' of StatefulSet 'pubcode-database' should set 'securityContext.runAsUser' > 10000
Link: KSV-0020

Check notice

Code scanning / Trivy

Runs with GID <= 10000 Low

Artifact: charts/pubcode/templates/database/templates/sfs.yml
Type: helm
Vulnerability KSV-0021
Severity: LOW
Message: Container 'database-init' of StatefulSet 'pubcode-database' should set 'securityContext.runAsGroup' > 10000
Link: KSV-0021

containers:
{{- range $c := .Values.database.containers }}
Expand All @@ -60,6 +62,7 @@
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
Expand Down
22 changes: 20 additions & 2 deletions charts/pubcode/templates/frontend/templates/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ spec:
labels:
{{- include "frontend.labels" . | nindent 8 }}
spec:
terminationGracePeriodSeconds: {{ default 30 .Values.frontend.terminationGracePeriodSeconds }}
securityContext:
runAsNonRoot: true
seccompProfile:
Expand All @@ -43,6 +44,12 @@ spec:
add:
{{- toYaml $c.securityContext.capabilities.add | nindent 16 }}
{{- end }}
volumeMounts:
- name: tmp
mountPath: /tmp
{{- if $c.volumeMounts }}
{{- tpl (toYaml $c.volumeMounts) $ | nindent 12 }}
{{- end }}
image: "{{- if and $c.registry $c.repository -}}{{ tpl $c.registry $ }}/{{ tpl $c.repository $ }}/{{ tpl $c.image $ }}{{- else if $c.registry -}}{{ tpl $c.registry $ }}/{{ tpl $c.image $ }}{{- else -}}{{ tpl $c.image $ }}{{- end -}}{{- if $c.tag -}}:{{ tpl (printf "%v" $c.tag) $ }}{{- end -}}"
{{- if and $c.envFrom $c.envFrom.secretRef $c.envFrom.secretRef.name }}
envFrom:
Expand Down Expand Up @@ -86,8 +93,19 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.frontend.affinity }}
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
{{- include "frontend.selectorLabels" . | nindent 20 }}
topologyKey: kubernetes.io/hostname
{{- with .Values.frontend.affinity }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
volumes:
- name: tmp
emptyDir: {}
{{- end }}
2 changes: 1 addition & 1 deletion charts/pubcode/templates/frontend/templates/pdb.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,5 +10,5 @@ spec:
selector:
matchLabels:
{{- include "frontend.selectorLabels" . | nindent 6 }}
minAvailable: {{ .Values.frontend.pdb.minAvailable }}
maxUnavailable: {{ .Values.frontend.pdb.maxUnavailable }}
{{- end }}
Loading
Loading