pii_safe_schema 1.3.3 → 1.3.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/default.yml +66 -0
- data/.github/workflows/licenses.yml +46 -0
- data/.github/workflows/security-check.yml +30 -0
- data/CHANGELOG.md +4 -0
- data/README.md +3 -2
- data/lib/pii_safe_schema/migration_generator.rb +2 -2
- data/lib/pii_safe_schema/version.rb +1 -1
- data/lib/pii_safe_schema.rb +1 -1
- data/pii_safe_schema.gemspec +0 -1
- metadata +5 -17
- data/.circleci/config.yml +0 -122
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7e1a5ae623714b4211bac604819cf2c5f04c3a7b2354678414b12432c216fcec
|
|
4
|
+
data.tar.gz: 751ad4aa17a3137e05c604edd3b0db961aadbb12f3d6e3d0d58141ab4e899246
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 03e97b60df41a59c8ef8e90575c2d9d68c67b400e7c0eaec7aca093943d68493bfa465fe20666ec926ad830884070b7417027da5cfb886072d506649be616741
|
|
7
|
+
data.tar.gz: bbcb8be4a11c7f2ae750cc3d967d2cc67ec968bf3dbc1058a487624d733cd7fe0a9ede3f153aeaf296d87d55d55ef8fbad8fe7195de0ff6062ea95b3b94f8d20
|
|
@@ -0,0 +1,66 @@
|
|
|
1
|
+
name: Default
|
|
2
|
+
|
|
3
|
+
# This workflow runs on all pushes to the repo so we can test changes and provide
|
|
4
|
+
# fast feedback. It also gets run when a pull request is created so that we can
|
|
5
|
+
# run the Sonarqube quality gate (which needs information from the PR). Subsequent
|
|
6
|
+
# pushes to the branch will provide PR information of any open PRs.
|
|
7
|
+
on:
|
|
8
|
+
push:
|
|
9
|
+
pull_request:
|
|
10
|
+
types: [opened, reopened]
|
|
11
|
+
|
|
12
|
+
concurrency:
|
|
13
|
+
group: default-${{ github.ref }}
|
|
14
|
+
cancel-in-progress: true
|
|
15
|
+
|
|
16
|
+
jobs:
|
|
17
|
+
preflight_check:
|
|
18
|
+
name: Preflight Check
|
|
19
|
+
runs-on: ubuntu-latest
|
|
20
|
+
steps:
|
|
21
|
+
# Need to fetch all refs, so we can check if the version has been bumped
|
|
22
|
+
- uses: actions/checkout@v2
|
|
23
|
+
with:
|
|
24
|
+
fetch-depth: 0
|
|
25
|
+
|
|
26
|
+
- uses: ruby/setup-ruby@v1
|
|
27
|
+
with:
|
|
28
|
+
bundler-cache: true
|
|
29
|
+
|
|
30
|
+
- name: Lint
|
|
31
|
+
uses: wealthsimple/toolbox-script@v1
|
|
32
|
+
with:
|
|
33
|
+
script: toolbox.ruby.lint.run();
|
|
34
|
+
|
|
35
|
+
- name: Test
|
|
36
|
+
uses: wealthsimple/toolbox-script@v1
|
|
37
|
+
with:
|
|
38
|
+
script: toolbox.ruby.test.run();
|
|
39
|
+
|
|
40
|
+
publish:
|
|
41
|
+
name: Publish package
|
|
42
|
+
runs-on: ubuntu-latest
|
|
43
|
+
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master'
|
|
44
|
+
needs:
|
|
45
|
+
- preflight_check
|
|
46
|
+
steps:
|
|
47
|
+
- uses: actions/checkout@v2
|
|
48
|
+
|
|
49
|
+
- uses: ruby/setup-ruby@v1
|
|
50
|
+
with:
|
|
51
|
+
bundler-cache: true
|
|
52
|
+
|
|
53
|
+
- name: Release the gem
|
|
54
|
+
run: |
|
|
55
|
+
mkdir -p ~/.gem
|
|
56
|
+
cat << EOF > ~/.gem/credentials
|
|
57
|
+
---
|
|
58
|
+
:github: Bearer ${GITHUB_TOKEN}
|
|
59
|
+
:rubygems_api_key: ${RUBYGEMS_API_KEY}
|
|
60
|
+
EOF
|
|
61
|
+
chmod 0600 ~/.gem/credentials
|
|
62
|
+
git config user.email "noreply@wealthsimple.com"
|
|
63
|
+
git config user.name "Wolfbot"
|
|
64
|
+
bundle exec rake release
|
|
65
|
+
env:
|
|
66
|
+
RUBYGEMS_API_KEY: ${{ secrets.RUBYGEMS_API_KEY }}
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
name: Save licenses report
|
|
2
|
+
|
|
3
|
+
on:
|
|
4
|
+
push:
|
|
5
|
+
branches:
|
|
6
|
+
- main
|
|
7
|
+
- master
|
|
8
|
+
workflow_dispatch:
|
|
9
|
+
|
|
10
|
+
concurrency:
|
|
11
|
+
group: licenses-${{ github.ref }}
|
|
12
|
+
cancel-in-progress: true
|
|
13
|
+
|
|
14
|
+
jobs:
|
|
15
|
+
license_report:
|
|
16
|
+
name: Push license report to S3
|
|
17
|
+
runs-on: ubuntu-latest
|
|
18
|
+
steps:
|
|
19
|
+
- uses: actions/checkout@v2
|
|
20
|
+
|
|
21
|
+
- name: Configure AWS Credentials
|
|
22
|
+
uses: aws-actions/configure-aws-credentials@v1
|
|
23
|
+
with:
|
|
24
|
+
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
25
|
+
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
26
|
+
aws-region: us-east-1
|
|
27
|
+
role-to-assume: ${{ secrets.ACTIONS_GITHUB_INTSVC_ROLE_TO_ASSUME }}
|
|
28
|
+
role-skip-session-tagging: true
|
|
29
|
+
role-duration-seconds: 900
|
|
30
|
+
|
|
31
|
+
- uses: ruby/setup-ruby@v1
|
|
32
|
+
with:
|
|
33
|
+
bundler-cache: true
|
|
34
|
+
env:
|
|
35
|
+
BUNDLE_GEMS__CONTRIBSYS__COM:
|
|
36
|
+
${{ secrets.BUNDLE_GEMS__CONTRIBSYS__COM }}
|
|
37
|
+
BUNDLE_NEXUS__IAD__W10EXTERNAL__COM:
|
|
38
|
+
${{ secrets.BUNDLE_NEXUS__IAD__W10EXTERNAL__COM }}
|
|
39
|
+
BUNDLE_GITHUB__COM:
|
|
40
|
+
${{ secrets.WOLFBOT_GITHUB_ACTIONS_TOKEN }}:x-oauth-basic
|
|
41
|
+
|
|
42
|
+
- name: Build and Push Report
|
|
43
|
+
uses: wealthsimple/toolbox-script@v1
|
|
44
|
+
with:
|
|
45
|
+
script: toolbox.licensed.run()
|
|
46
|
+
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
name: Security Check
|
|
2
|
+
|
|
3
|
+
on:
|
|
4
|
+
schedule:
|
|
5
|
+
- cron: '15 11 * * *' # 11:15 am UTC: 6:15 am EST / 7:15 am EDT
|
|
6
|
+
|
|
7
|
+
concurrency:
|
|
8
|
+
group: security-${{ github.ref }}
|
|
9
|
+
cancel-in-progress: true
|
|
10
|
+
|
|
11
|
+
jobs:
|
|
12
|
+
security_check:
|
|
13
|
+
name: Security Check
|
|
14
|
+
runs-on: ubuntu-latest
|
|
15
|
+
steps:
|
|
16
|
+
- uses: actions/checkout@v2
|
|
17
|
+
- uses: ruby/setup-ruby@v1
|
|
18
|
+
with:
|
|
19
|
+
bundler-cache: true
|
|
20
|
+
env:
|
|
21
|
+
BUNDLE_GEMS__CONTRIBSYS__COM:
|
|
22
|
+
${{ secrets.BUNDLE_GEMS__CONTRIBSYS__COM }}
|
|
23
|
+
BUNDLE_NEXUS__IAD__W10EXTERNAL__COM:
|
|
24
|
+
${{ secrets.BUNDLE_NEXUS__IAD__W10EXTERNAL__COM }}
|
|
25
|
+
BUNDLE_GITHUB__COM:
|
|
26
|
+
${{ secrets.WOLFBOT_GITHUB_ACTIONS_TOKEN }}:x-oauth-basic
|
|
27
|
+
- name: Security Check
|
|
28
|
+
uses: wealthsimple/toolbox-script@v1
|
|
29
|
+
with:
|
|
30
|
+
script: toolbox.ruby.security.run();
|
data/CHANGELOG.md
CHANGED
|
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
|
|
|
4
4
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
|
5
5
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
6
6
|
|
|
7
|
+
## 1.3.4 - 2021-10-21
|
|
8
|
+
### Changed
|
|
9
|
+
- Switched to Github Actions
|
|
10
|
+
|
|
7
11
|
## 1.3.3 - 2021-03-15
|
|
8
12
|
### Changed
|
|
9
13
|
- Pull CI images from ECR repository
|
data/README.md
CHANGED
|
@@ -1,4 +1,5 @@
|
|
|
1
|
-
# PII Safe Schema
|
|
1
|
+
# PII Safe Schema
|
|
2
|
+
|
|
2
3
|
|
|
3
4
|
Schema migration tool for checking and adding comments on *Personally Identifiable Information* (PII) columns in Rails.
|
|
4
5
|
|
|
@@ -96,4 +97,4 @@ git clone https://github.com/wealthsimple/pii_safe_schema.git
|
|
|
96
97
|
cd pii_safe_schema
|
|
97
98
|
bundle install
|
|
98
99
|
bundle exec rspec
|
|
99
|
-
```
|
|
100
|
+
```
|
|
@@ -31,8 +31,8 @@ module PiiSafeSchema
|
|
|
31
31
|
def generate_migration_lines(table, columns)
|
|
32
32
|
migration_lines = columns.map do |c|
|
|
33
33
|
"#{' ' * (safety_assured? ? 6 : 4)}"\
|
|
34
|
-
|
|
35
|
-
|
|
34
|
+
"change_column :#{table}, :#{c.column.name}, :#{c.column.type}, "\
|
|
35
|
+
"comment: \'#{c.suggestion.to_json}\'"\
|
|
36
36
|
end
|
|
37
37
|
wrap_in_safety_assured(migration_lines)
|
|
38
38
|
end
|
data/lib/pii_safe_schema.rb
CHANGED
|
@@ -55,7 +55,7 @@ module PiiSafeSchema
|
|
|
55
55
|
end
|
|
56
56
|
end
|
|
57
57
|
|
|
58
|
-
def self.print_help!(do_exit: true)
|
|
58
|
+
def self.print_help!(do_exit: true)
|
|
59
59
|
puts <<~HELPMSG # rubocop:disable Rails/Output
|
|
60
60
|
Usage:
|
|
61
61
|
rake pii_safe_schema:generate_migrations [table:column:annotation_type] ...
|
data/pii_safe_schema.gemspec
CHANGED
|
@@ -27,7 +27,6 @@ Gem::Specification.new do |s|
|
|
|
27
27
|
|
|
28
28
|
s.add_development_dependency 'bundler', '>= 1.16'
|
|
29
29
|
s.add_development_dependency 'bundler-audit'
|
|
30
|
-
s.add_development_dependency 'coveralls'
|
|
31
30
|
s.add_development_dependency 'dogstatsd-ruby'
|
|
32
31
|
s.add_development_dependency 'git'
|
|
33
32
|
s.add_development_dependency 'guard-rspec'
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: pii_safe_schema
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.3.
|
|
4
|
+
version: 1.3.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Alexi Garrow
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-12-15 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -92,20 +92,6 @@ dependencies:
|
|
|
92
92
|
- - ">="
|
|
93
93
|
- !ruby/object:Gem::Version
|
|
94
94
|
version: '0'
|
|
95
|
-
- !ruby/object:Gem::Dependency
|
|
96
|
-
name: coveralls
|
|
97
|
-
requirement: !ruby/object:Gem::Requirement
|
|
98
|
-
requirements:
|
|
99
|
-
- - ">="
|
|
100
|
-
- !ruby/object:Gem::Version
|
|
101
|
-
version: '0'
|
|
102
|
-
type: :development
|
|
103
|
-
prerelease: false
|
|
104
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
105
|
-
requirements:
|
|
106
|
-
- - ">="
|
|
107
|
-
- !ruby/object:Gem::Version
|
|
108
|
-
version: '0'
|
|
109
95
|
- !ruby/object:Gem::Dependency
|
|
110
96
|
name: dogstatsd-ruby
|
|
111
97
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -335,9 +321,11 @@ executables: []
|
|
|
335
321
|
extensions: []
|
|
336
322
|
extra_rdoc_files: []
|
|
337
323
|
files:
|
|
338
|
-
- ".circleci/config.yml"
|
|
339
324
|
- ".github/CODEOWNERS"
|
|
340
325
|
- ".github/PULL_REQUEST_TEMPLATE.md"
|
|
326
|
+
- ".github/workflows/default.yml"
|
|
327
|
+
- ".github/workflows/licenses.yml"
|
|
328
|
+
- ".github/workflows/security-check.yml"
|
|
341
329
|
- ".gitignore"
|
|
342
330
|
- ".rspec"
|
|
343
331
|
- ".rubocop.yml"
|
data/.circleci/config.yml
DELETED
|
@@ -1,122 +0,0 @@
|
|
|
1
|
-
version: 2
|
|
2
|
-
|
|
3
|
-
defaults: &defaults
|
|
4
|
-
working_directory: /home/circleci/wealthsimple
|
|
5
|
-
docker:
|
|
6
|
-
- image: circleci/ruby:2.7.2
|
|
7
|
-
- image: circleci/postgres:9.5.9-alpine
|
|
8
|
-
environment:
|
|
9
|
-
POSTGRES_USER: circleci
|
|
10
|
-
POSTGRES_DB: pii_safe_schema_test
|
|
11
|
-
|
|
12
|
-
# These are common snippets that are referenced in multiple workflows.
|
|
13
|
-
references:
|
|
14
|
-
attach_code_workspace: &attach_code_workspace
|
|
15
|
-
attach_workspace:
|
|
16
|
-
at: /home/circleci/wealthsimple
|
|
17
|
-
|
|
18
|
-
restore_bundle_dependencies: &restore_bundle_dependencies
|
|
19
|
-
run:
|
|
20
|
-
name: Restore bundle dependencies from workspace
|
|
21
|
-
command: bundle --path vendor/bundle
|
|
22
|
-
|
|
23
|
-
jobs:
|
|
24
|
-
checkout_and_bundle:
|
|
25
|
-
<<: *defaults
|
|
26
|
-
steps:
|
|
27
|
-
- checkout
|
|
28
|
-
- run:
|
|
29
|
-
command: bundle install --jobs=4 --retry=3 --path vendor/bundle
|
|
30
|
-
- persist_to_workspace:
|
|
31
|
-
root: .
|
|
32
|
-
paths: .
|
|
33
|
-
|
|
34
|
-
rspec:
|
|
35
|
-
<<: *defaults
|
|
36
|
-
steps:
|
|
37
|
-
- *attach_code_workspace
|
|
38
|
-
- *restore_bundle_dependencies
|
|
39
|
-
- run:
|
|
40
|
-
command: sudo apt install -y postgresql-client || true
|
|
41
|
-
- run:
|
|
42
|
-
command: bundle exec bundle-audit update && bundle exec bundle-audit check
|
|
43
|
-
- run:
|
|
44
|
-
command: bundle exec rspec
|
|
45
|
-
|
|
46
|
-
lint_check:
|
|
47
|
-
<<: *defaults
|
|
48
|
-
steps:
|
|
49
|
-
- *attach_code_workspace
|
|
50
|
-
- *restore_bundle_dependencies
|
|
51
|
-
- run:
|
|
52
|
-
command: bundle exec rubocop
|
|
53
|
-
|
|
54
|
-
vulnerability_check:
|
|
55
|
-
<<: *defaults
|
|
56
|
-
steps:
|
|
57
|
-
- *attach_code_workspace
|
|
58
|
-
- *restore_bundle_dependencies
|
|
59
|
-
- run:
|
|
60
|
-
command: bundle exec bundle-audit update && bundle exec bundle-audit check
|
|
61
|
-
|
|
62
|
-
release:
|
|
63
|
-
<<: *defaults
|
|
64
|
-
steps:
|
|
65
|
-
- add_ssh_keys:
|
|
66
|
-
fingerprints:
|
|
67
|
-
- "46:b5:cb:ee:57:dc:14:95:31:be:12:13:4f:11:94:a4"
|
|
68
|
-
- *attach_code_workspace
|
|
69
|
-
- *restore_bundle_dependencies
|
|
70
|
-
- run:
|
|
71
|
-
name: Release to rubygems.org
|
|
72
|
-
command: |
|
|
73
|
-
mkdir ~/.gem
|
|
74
|
-
echo ":rubygems_api_key: ${RUBYGEMS_API_KEY}" >> ~/.gem/credentials
|
|
75
|
-
chmod 600 ~/.gem/credentials
|
|
76
|
-
mkdir -p ~/.ssh
|
|
77
|
-
echo "github.com,192.30.253.112 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==" >> ~/.ssh/known_hosts
|
|
78
|
-
bundle exec rake release
|
|
79
|
-
|
|
80
|
-
workflows:
|
|
81
|
-
version: 2
|
|
82
|
-
build_and_test:
|
|
83
|
-
jobs:
|
|
84
|
-
- checkout_and_bundle:
|
|
85
|
-
context: wealthsimple
|
|
86
|
-
- rspec:
|
|
87
|
-
context: wealthsimple
|
|
88
|
-
requires:
|
|
89
|
-
- checkout_and_bundle
|
|
90
|
-
- lint_check:
|
|
91
|
-
context: wealthsimple
|
|
92
|
-
requires:
|
|
93
|
-
- checkout_and_bundle
|
|
94
|
-
- vulnerability_check:
|
|
95
|
-
context: wealthsimple
|
|
96
|
-
requires:
|
|
97
|
-
- checkout_and_bundle
|
|
98
|
-
- release:
|
|
99
|
-
context: wealthsimple
|
|
100
|
-
filters:
|
|
101
|
-
branches:
|
|
102
|
-
only: master
|
|
103
|
-
requires:
|
|
104
|
-
- rspec
|
|
105
|
-
- lint_check
|
|
106
|
-
- vulnerability_check
|
|
107
|
-
|
|
108
|
-
security-audit:
|
|
109
|
-
triggers:
|
|
110
|
-
- schedule:
|
|
111
|
-
# 11:45 am UTC: 6:45 am EST / 7:45 am EDT
|
|
112
|
-
cron: "45 11 * * *"
|
|
113
|
-
filters:
|
|
114
|
-
branches:
|
|
115
|
-
only: master
|
|
116
|
-
jobs:
|
|
117
|
-
- checkout_and_bundle:
|
|
118
|
-
context: wealthsimple
|
|
119
|
-
- vulnerability_check:
|
|
120
|
-
context: wealthsimple
|
|
121
|
-
requires:
|
|
122
|
-
- checkout_and_bundle
|