rails_template_18f 0.8.2 → 1.1.0

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-production.yml.tt

@@ -7,47 +7,36 @@ on:
       - 'doc/**'
       - 'README.md'
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   deploy:
     name: Deploy to production
     runs-on: ubuntu-latest
     environment: production
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
-      - uses: actions/checkout@v2
-        with:
-          fetch-depth: 2
+      - uses: actions/checkout@v4
       <% if terraform? %>
-      - name: Check for changes to Terraform
-        id: changed-terraform-files
-        uses: tj-actions/changed-files@v1.1.2
-        with:
-          files: |
-            terraform/shared
-            terraform/production
-      - name: Terraform init
-        if: steps.changed-terraform-files.outputs.any_changed == 'true'
-        working-directory: terraform/production
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
-        run: terraform init
       - name: Terraform apply
-        if: steps.changed-terraform-files.outputs.any_changed == 'true'
-        working-directory: terraform/production
+        uses: dflook/terraform-apply@v1
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
           TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
           TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
-        run: terraform apply -auto-approve -input=false
+        with:
+          path: terraform/production
+          backend_config: >
+            access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+            secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
       <% end %>
       - name: Deploy app
         uses: cloud-gov/cg-cli-tools@main
-        env:
-          RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
         with:
           cf_username: ${{ secrets.CF_USERNAME }}
           cf_password: ${{ secrets.CF_PASSWORD }}
           cf_org: <%= cloud_gov_organization %>
           cf_space: <%= cloud_gov_production_space %>
-          cf_command: push -vars-file config/deployment/production.yml --var rails_master_key=${{ env.RAILS_MASTER_KEY }} --strategy rolling
+          cf_command: push --vars-file config/deployment/production.yml --var rails_master_key="${{ secrets.RAILS_MASTER_KEY }}" --strategy rolling

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-staging.yml.tt

@@ -7,47 +7,36 @@ on:
       - 'doc/**'
       - 'README.md'
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   deploy:
     name: Deploy to staging
     runs-on: ubuntu-latest
     environment: staging
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
-      - uses: actions/checkout@v2
-        with:
-          fetch-depth: 2
+      - uses: actions/checkout@v4
       <% if terraform? %>
-      - name: Check for changes to Terraform
-        id: changed-terraform-files
-        uses: tj-actions/changed-files@v1.1.2
-        with:
-          files: |
-            terraform/shared
-            terraform/staging
-      - name: Terraform init
-        if: steps.changed-terraform-files.outputs.any_changed == 'true'
-        working-directory: terraform/staging
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
-        run: terraform init
       - name: Terraform apply
-        if: steps.changed-terraform-files.outputs.any_changed == 'true'
-        working-directory: terraform/staging
+        uses: dflook/terraform-apply@v1
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
           TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
           TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
-        run: terraform apply -auto-approve -input=false
+        with:
+          path: terraform/staging
+          backend_config: >
+            access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+            secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
       <% end %>
       - name: Deploy app
         uses: cloud-gov/cg-cli-tools@main
-        env:
-          RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
         with:
           cf_username: ${{ secrets.CF_USERNAME }}
           cf_password: ${{ secrets.CF_PASSWORD }}
           cf_org: <%= cloud_gov_organization %>
           cf_space: <%= cloud_gov_staging_space %>
-          cf_command: push -vars-file config/deployment/staging.yml --var rails_master_key=${{ env.RAILS_MASTER_KEY }} --strategy rolling
+          cf_command: push --vars-file config/deployment/staging.yml --var rails_master_key="${{ secrets.RAILS_MASTER_KEY }}" --strategy rolling

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/owasp-daily-scan.yml.tt

@@ -6,6 +6,10 @@ on:
     # this will run at noon UTC every day (7am EST / 8am EDT)
     - cron: '0 12 * * *'
 
+permissions:
+  contents: read
+  issues: write
+
 jobs:
   owasp-scan:
     name: OWASP ZAP Scan
@@ -25,7 +29,7 @@ jobs:
           POSTGRES_PASSWORD: postgres
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - id: setup
         uses: ./.github/actions/setup-project
@@ -35,9 +39,10 @@ jobs:
           database_url: ${{ steps.setup.outputs.database_url }}
 
       - name: Run OWASP Full Scan
-        uses: zaproxy/action-full-scan@v0.3.0
+        uses: zaproxy/action-full-scan@v0.10.0
         with:
-          docker_name: 'owasp/zap2docker-weekly'
+          token: ${{ secrets.GITHUB_TOKEN }}
+          docker_name: 'ghcr.io/zaproxy/zaproxy:weekly'
           target: 'http://localhost:3000/'
           fail_action: true
           rules_file_name: 'zap.conf'

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/owasp-scan.yml.tt

@@ -28,7 +28,7 @@ jobs:
           POSTGRES_PASSWORD: postgres
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - id: setup
         uses: ./.github/actions/setup-project
@@ -38,10 +38,11 @@ jobs:
           database_url: ${{ steps.setup.outputs.database_url }}
 
       - name: Run OWASP Baseline Scan
-        uses: zaproxy/action-baseline@v0.6.1
+        uses: zaproxy/action-baseline@v0.12.0
         with:
-          docker_name: 'owasp/zap2docker-weekly'
+          docker_name: 'ghcr.io/zaproxy/zaproxy:weekly'
           target: 'http://localhost:3000/'
           fail_action: true
+          allow_issue_writing: false
           rules_file_name: 'zap.conf'
           cmd_options: '-I'

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/pa11y.yml.tt

@@ -2,6 +2,10 @@ name: pa11y tests
 
 on: [pull_request]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   pa11y_scan:
     name: Pa11y Scan
@@ -21,7 +25,7 @@ jobs:
           POSTGRES_PASSWORD: postgres
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - id: setup
         uses: ./.github/actions/setup-project
@@ -34,7 +38,7 @@ jobs:
         shell: bash
         run: |
           set -o pipefail
-          yarn run pa11y-ci 2>&1 | tee pa11y_output.txt
+          yarn run pa11y-ci -c pa11yci.js 2>&1 | tee pa11y_output.txt
 
       - name: Read pa11y_output file.
         if: failure()

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/rspec.yml.tt

@@ -21,7 +21,7 @@ jobs:
           POSTGRES_PASSWORD: postgres
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - id: setup
         uses: ./.github/actions/setup-project

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-production.yml

@@ -3,77 +3,39 @@ name: Run Terraform plan in production
 on:
   pull_request:
     branches: [ production ]
-    paths: [ 'terraform/**' ]
 
-defaults:
-  run:
-    working-directory: terraform/production
+permissions:
+  contents: read
+  pull-requests: write
 
 jobs:
   terraform:
     name: Terraform plan
     runs-on: ubuntu-latest
     environment: production
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
-      - name: Terraform format
-        id: format
-        run: terraform fmt -check
-
-      - name: Terraform init
-        id: init
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
-        run: terraform init
+      - name: terraform validate
+        uses: dflook/terraform-validate@v1
+        with:
+          path: terraform/production
 
-      - name: Terraform validate
-        id: validation
-        run: terraform validate -no-color
+      - name: terraform fmt
+        uses: dflook/terraform-fmt-check@v1
+        with:
+          path: terraform/production
 
-      - name: Terraform plan
-        id: plan
+      - name: terraform plan
+        uses: dflook/terraform-plan@v1
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
           TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
           TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
-        run: terraform plan -no-color -input=false 2>&1 | tee plan_output.txt
-
-      - name: Read Terraform plan output file
-        id: terraform_output
-        uses: juliangruber/read-file-action@v1
-        if: ${{ always() }}
-        with:
-          path: ./terraform/production/plan_output.txt
-
-      # inspiration: https://learn.hashicorp.com/tutorials/terraform/github-actions#review-actions-workflow
-      - name: Update PR
-        uses: actions/github-script@v4
-        # we would like to update the PR even when a prior step failed
-        if: ${{ always() }}
         with:
-          script: |
-            const output = `Terraform Format and Style: ${{ steps.format.outcome }}
-            Terraform Initialization: ${{ steps.init.outcome }}
-            Terraform Validation: ${{ steps.validation.outcome }}
-            Terraform Plan: ${{ steps.plan.outcome }}
-
-            <details><summary>Show Plan</summary>
-
-            \`\`\`\n
-            ${{ steps.terraform_output.outputs.content }}
-            \`\`\`
-
-            </details>
-
-            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
-
-            github.issues.createComment({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: output
-            })
+          path: terraform/production
+          backend_config: >
+            access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+            secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-staging.yml

@@ -3,77 +3,39 @@ name: Run Terraform plan in staging
 on:
   pull_request:
     branches: [ main ]
-    paths: [ 'terraform/**' ]
 
-defaults:
-  run:
-    working-directory: terraform/staging
+permissions:
+  contents: read
+  pull-requests: write
 
 jobs:
   terraform:
     name: Terraform plan
     runs-on: ubuntu-latest
     environment: staging
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
-      - name: Terraform format
-        id: format
-        run: terraform fmt -check
-
-      - name: Terraform init
-        id: init
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
-        run: terraform init
+      - name: terraform validate
+        uses: dflook/terraform-validate@v1
+        with:
+          path: terraform/staging
 
-      - name: Terraform validate
-        id: validation
-        run: terraform validate -no-color
+      - name: terraform fmt
+        uses: dflook/terraform-fmt-check@v1
+        with:
+          path: terraform/staging
 
-      - name: Terraform plan
-        id: plan
+      - name: terraform plan
+        uses: dflook/terraform-plan@v1
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
           TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
           TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
-        run: terraform plan -no-color -input=false 2>&1 | tee plan_output.txt
-
-      - name: Read Terraform plan output file
-        id: terraform_output
-        uses: juliangruber/read-file-action@v1
-        if: ${{ always() }}
-        with:
-          path: ./terraform/staging/plan_output.txt
-
-      # inspiration: https://learn.hashicorp.com/tutorials/terraform/github-actions#review-actions-workflow
-      - name: Update PR
-        uses: actions/github-script@v4
-        # we would like to update the PR even when a prior step failed
-        if: ${{ always() }}
         with:
-          script: |
-            const output = `Terraform Format and Style: ${{ steps.format.outcome }}
-            Terraform Initialization: ${{ steps.init.outcome }}
-            Terraform Validation: ${{ steps.validation.outcome }}
-            Terraform Plan: ${{ steps.plan.outcome }}
-
-            <details><summary>Show Plan</summary>
-
-            \`\`\`\n
-            ${{ steps.terraform_output.outputs.content }}
-            \`\`\`
-
-            </details>
-
-            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
-
-            github.issues.createComment({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: output
-            })
+          path: terraform/staging
+          backend_config: >
+            access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+            secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/validate-ssp.yml.tt

@@ -0,0 +1,46 @@
+name: Validate OSCAL Assembly
+
+on: [pull_request]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  validate_ssp:
+    name: Validate SSP format
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Validate SSP
+        uses: ./.github/actions/trestle-cmd
+        with:
+          cmd: trestle validate -f system-security-plans/<%= app_name %>/system-security-plan.json
+
+  check_ssp:
+    name: Check assembly is current
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Check assembly
+        uses: ./.github/actions/trestle-cmd
+        with:
+          cmd: assemble-ssp-json 2> /dev/null | grep "^No changes to assembled ssp"
+
+      - name: Comment on pull request
+        if: failure()
+        uses: actions/github-script@v4
+        with:
+          script: |
+            const output = `SSP assembly detected changes that aren't checked in.
+
+            Run \`bin/trestle assemble-ssp-json\` to ensure markdown changes are reflected in your SSP`;
+
+            github.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            });