rails_template_18f 1.3.0 → 2.0.0

data/lib/generators/rails_template18f/circleci/templates/circleci/config.yml.tt

@@ -1,10 +1,10 @@
 version: 2.1
 
 orbs:
-  ruby: circleci/ruby@2.1.3
-  node: circleci/node@5.2.0
-  browser-tools: circleci/browser-tools@1.4.8<% if terraform? %>
-  terraform: circleci/terraform@3.2.1<% end %>
+  ruby: circleci/ruby@2.3.1
+  node: circleci/node@7.0.0
+  browser-tools: circleci/browser-tools@1.5.0
+  terraform: circleci/terraform@3.5.0
 
 commands:
   setup-project:
@@ -15,7 +15,51 @@ commands:
           install-yarn: true
       - node/install-packages:
           cache-only-lockfile: false
-          pkg-manager: yarn<% if oscal_dir_exists? %>
+          pkg-manager: yarn
+  compile-assets:
+    description: Restore asset cache and compile, optionally saving back to the cache
+    parameters:
+      rails_env:
+        description: RAILS_ENV to use for precompilation
+        type: string
+      restore_only:
+        description: Whether to skip compilation and cleaning
+        type: boolean
+        default: false
+      save_cache:
+        description: Whether to save the resulting asset cache
+        type: boolean
+        default: true
+    steps:
+      # Precompile assets
+      # Load assets from cache if possible, precompile assets then save cache
+      # Multiple caches are used to increase the chance of a cache hit
+      # https://circleci.com/docs/2.0/caching/#full-example-of-saving-and-restoring-cache
+      - restore_cache:
+          keys:
+            - asset-cache-v1-<< parameters.rails_env >>-{{ .Branch }}
+            - asset-cache-v1-<< parameters.rails_env >>
+      - when:
+          condition:
+            equal: [ false, << parameters.restore_only >> ]
+          steps:
+            - run:
+                environment:
+                  RAILS_ENV: << parameters.rails_env >>
+                  SECRET_KEY_BASE_DUMMY: 1
+                command: ./bin/rake assets:precompile
+            - run:
+                envronment:
+                  RAILS_ENV: << parameters.rails_env >>
+                  SECRET_KEY_BASE_DUMMY: 1
+                command: ./bin/rake assets:clean
+            - when:
+                condition: << parameters.save_cache >>
+                steps:
+                  - save_cache:
+                      key: asset-cache-v1-<< parameters.rails_env >>-{{ .Branch }}-{{ checksum "public/assets/.manifest.json" }}
+                      paths:
+                        - public/assets<% if oscal_dir_exists? %>
   trestle-cmd:
     description: Set up environment for running docker-trestle commands
     parameters:
@@ -30,58 +74,6 @@ commands:
       - run:
           name: Run trestle command
           command: docker run -u "$(id -u):$(id -g)" -v $(pwd)/doc/compliance/oscal:/app/docs:rw ghcr.io/gsa-tts/trestle:<< parameters.tag >> << parameters.cmd >><% end %>
-  cg-deploy:
-    description: "Login to cloud foundry space with service account credentials
-      and push application using deployment configuration file."
-    parameters:
-      cloudgov_username:
-        description: "Name of CircleCI project environment variable that
-          holdes deployer username for cloudgov space"
-        type: env_var_name
-      cloudgov_password:
-        description: "Name of CircleCI project environment variable that
-          holds deployer password for cloudgov space"
-        type: env_var_name
-      cloudgov_org:
-        description: "cloud.gov organization name"
-        type: string
-      cloudgov_space:
-        description: "cloud.gov space name"
-        type: string
-      deploy_config_file:
-        description: "Path to deployment configuration file"
-        type: string
-      rails_master_key:
-        description: "Name of CircleCI project environment variable holding the RAILS_MASTER_KEY"
-        type: env_var_name
-    steps:
-      - run:
-          name: Vendor gems
-          command: bundle cache --all
-      - run:
-          name: Install Cloud Foundry CLI
-          command: |
-            curl -v -L -o cf-cli_amd64.deb 'https://packages.cloudfoundry.org/stable?release=debian64&version=v8&source=github'
-            sudo dpkg -i cf-cli_amd64.deb
-      - run:
-          name: Login with service account
-          command: |
-            cf login -a api.fr.cloud.gov \
-              -u ${<< parameters.cloudgov_username >>} \
-              -p ${<< parameters.cloudgov_password >>} \
-              -o << parameters.cloudgov_org >> \
-              -s << parameters.cloudgov_space >>
-      - run:
-          name: Set restricted egress
-          command: |
-            cf bind-security-group trusted_local_networks_egress << parameters.cloudgov_org >> \
-              --space << parameters.cloudgov_space >>
-      - run:
-          name: Push application with deployment vars
-          command: |
-            cf push --strategy rolling \
-              --vars-file << parameters.deploy_config_file >> \
-              --var rails_master_key=${<< parameters.rails_master_key >>}
 
 jobs:
   build:
@@ -89,6 +81,8 @@ jobs:
       - image: cimg/ruby:<%= ruby_version %>
     steps:
       - setup-project
+      - compile-assets:
+          rails_env: ci
 
   test:
     parallelism: 3
@@ -116,25 +110,8 @@ jobs:
       - run:
           name: Database setup
           command: bundle exec rails db:schema:load --trace
-
-      # Precompile assets
-      # Load assets from cache if possible, precompile assets then save cache
-      # Multiple caches are used to increase the chance of a cache hit
-      # https://circleci.com/docs/2.0/caching/#full-example-of-saving-and-restoring-cache
-      - restore_cache:
-          keys:
-            - asset-cache-v1-{{ .Environment.RAILS_ENV }}-{{ arch }}-{{ .Branch }}-{{ .Environment.CIRCLE_SHA1 }}
-            - asset-cache-v1-{{ .Environment.RAILS_ENV }}-{{ arch }}-{{ .Branch }}
-            - asset-cache-v1-{{ .Environment.RAILS_ENV }}
-
-      - run: bundle exec rake assets:precompile
-
-      - save_cache:
-          key: asset-cache-v1-{{ .Environment.RAILS_ENV }}-{{ arch }}-{{ .Branch }}-{{ .Environment.CIRCLE_SHA1 }}
-          paths:
-            - public/assets
-            - tmp/cache/assets/sprockets
-
+      - compile-assets:
+          rails_env: test
       - ruby/rspec-test
 <% if oscal_dir_exists? %>
   validate_ssp:
@@ -203,6 +180,9 @@ jobs:
       - restore_cache:
           keys:
             - node-deps-{{ arch }}-v1-{{ .Branch }}-{{ checksum "package.json" }}-{{ checksum "yarn.lock" }}
+      - compile-assets:
+          rails_env: ci
+          restore_only: true
 
       - run:
           name: Start up local server
@@ -233,6 +213,9 @@ jobs:
       - restore_cache:
           keys:
             - node-deps-{{ arch }}-v1-{{ .Branch }}-{{ checksum "package.json" }}-{{ checksum "yarn.lock" }}
+      - compile-assets:
+          rails_env: ci
+          restore_only: true
 
       - run:
           name: Start up local server
@@ -275,23 +258,9 @@ jobs:
           name: Database setup
           command: bundle exec rails db:schema:load --trace
 
-      # Precompile assets
-      # Load assets from cache if possible, precompile assets then save cache
-      # Multiple caches are used to increase the chance of a cache hit
-      # https://circleci.com/docs/2.0/caching/#full-example-of-saving-and-restoring-cache
-      - restore_cache:
-          keys:
-            - asset-cache-v1-{{ .Environment.RAILS_ENV }}-{{ arch }}-{{ .Branch }}-{{ .Environment.CIRCLE_SHA1 }}
-            - asset-cache-v1-{{ .Environment.RAILS_ENV }}-{{ arch }}-{{ .Branch }}
-            - asset-cache-v1-{{ .Environment.RAILS_ENV }}
-
-      - run: bundle exec rake assets:precompile
-
-      - save_cache:
-          key: asset-cache-v1-{{ .Environment.RAILS_ENV }}-{{ arch }}-{{ .Branch }}-{{ .Environment.CIRCLE_SHA1 }}
-          paths:
-            - public/assets
-            - tmp/cache/assets/sprockets
+      - compile-assets:
+          rails_env: ci
+          save_cache: false
 
       - run:
           name: Start server
@@ -305,27 +274,57 @@ jobs:
       - run:
           name: Run pa11y-ci
           command: yarn run pa11y-ci -c pa11yci.js
-<% if terraform? %>
+
+  refresh_asset_caches:
+    docker:
+      - image: cimg/ruby:<%= ruby_version %>
+    steps:
+      - setup-project
+      - compile-assets:
+          rails_env: staging
+          restore_only: true<% if terraform_manage_spaces? %>
+      - compile-assets:
+          rails_env: production
+          restore_only: true<% end %>
+  compile_staging_assets:
+    docker:
+      - image: cimg/ruby:<%= ruby_version %>
+    steps:
+      - setup-project
+      - compile-assets:
+          rails_env: staging
+      - persist_to_workspace:
+          root: .
+          paths:
+            - public/assets
   terraform_plan_staging:
     executor: terraform/default
     steps:
       - checkout
       - terraform/init:
-          path: terraform/staging
+          path: terraform
+          backend_config: >-
+            key=terraform.tfstate.staging,
+            bucket=$TERRAFORM_STATE_BUCKET_NAME
       - terraform/validate:
-          path: terraform/staging
+          path: terraform
       - terraform/fmt:
-          path: terraform/staging
-      - run:
-          name: Set terraform variables
-          working_directory: terraform/staging
-          command: echo -e "cf_user = \"$CF_STAGING_USERNAME\"\ncf_password = \"$CF_STAGING_PASSWORD\"" > secrets.auto.tfvars
+          path: terraform
+          recursive: true
+      - attach_workspace:
+          at: .
       - terraform/plan:
-          path: terraform/staging
+          path: terraform
+          out: staging.out
+          var_file: staging.tfvars
+          var: >-
+            rails_master_key="$RAILS_MASTER_KEY",
+            cf_user="$CF_USERNAME",
+            cf_password="$CF_PASSWORD"
       - persist_to_workspace:
           root: .
           paths:
-            - ./terraform/staging
+            - ./terraform
   terraform_apply_staging:
     executor: terraform/default
     steps:
@@ -333,27 +332,43 @@ jobs:
       - attach_workspace:
           at: .
       - terraform/apply:
-          path: terraform/staging
+          path: terraform
+          plan: staging.out<% if terraform_manage_spaces? %>
+
+  compile_production_assets:
+    docker:
+      - image: cimg/ruby:<%= ruby_version %>
+    steps:
+      - setup-project
+      - compile-assets:
+          rails_env: production
+      - persist_to_workspace:
+          root: .
+          paths:
+            - public/assets
   terraform_plan_production:
     executor: terraform/default
     steps:
       - checkout
       - terraform/init:
-          path: terraform/production
-      - terraform/validate:
-          path: terraform/production
-      - terraform/fmt:
-          path: terraform/production
-      - run:
-          name: Set terraform variables
-          working_directory: terraform/production
-          command: echo -e "cf_user = \"$CF_PRODUCTION_USERNAME\"\ncf_password = \"$CF_PRODUCTION_PASSWORD\"" > secrets.auto.tfvars
+          path: terraform
+          backend_config: >-
+            key=terraform.tfstate.production,
+            bucket=$TERRAFORM_STATE_BUCKET_NAME
+      - attach_workspace:
+          at: .
       - terraform/plan:
-          path: terraform/production
+          path: terraform
+          out: production.out
+          var_file: production.tfvars
+          var: >-
+            rails_master_key="$PRODUCTION_RAILS_MASTER_KEY",
+            cf_user="$CF_USERNAME",
+            cf_password="$CF_PASSWORD"
       - persist_to_workspace:
           root: .
           paths:
-            - ./terraform/production
+            - ./terraform
   terraform_apply_production:
     executor: terraform/default
     steps:
@@ -361,32 +376,8 @@ jobs:
       - attach_workspace:
           at: .
       - terraform/apply:
-          path: terraform/production
-<% end %>
-  deploy_staging:
-    docker:
-      - image: cimg/ruby:<%= ruby_version %>
-    steps:
-      - setup-project
-      - cg-deploy:
-          cloudgov_username: CF_STAGING_USERNAME
-          cloudgov_password: CF_STAGING_PASSWORD
-          cloudgov_org: <%= cloud_gov_organization %>
-          cloudgov_space: <%= cloud_gov_staging_space %>
-          deploy_config_file: config/deployment/staging.yml
-          rails_master_key: RAILS_MASTER_KEY
-  deploy_production:
-    docker:
-      - image: cimg/ruby:<%= ruby_version %>
-    steps:
-      - setup-project
-      - cg-deploy:
-          cloudgov_username: CF_PRODUCTION_USERNAME
-          cloudgov_password: CF_PRODUCTION_PASSWORD
-          cloudgov_org: <%= cloud_gov_organization %>
-          cloudgov_space: <%= cloud_gov_production_space %>
-          deploy_config_file: config/deployment/production.yml
-          rails_master_key: PRODUCTION_RAILS_MASTER_KEY
+          path: terraform
+          plan: production.out<% end %>
 
 workflows:
   version: 2.1
@@ -414,18 +405,33 @@ workflows:
             - build
       - a11y_scan:
           requires:
-            - build<% if terraform? %>
+            - build
+      - compile_staging_assets:
+          filters:
+            branches:
+              ignore: production
       - terraform_plan_staging:
           filters:
             branches:
               ignore: production
+          requires:
+            - compile_staging_assets
       - terraform_apply_staging:
           filters:
             branches:
               only: main
           requires:
             - terraform_plan_staging
-      - terraform_plan_production
+            - owasp_scan
+            - static_security_scans
+            - test
+            - a11y_scan<% if terraform_manage_spaces? %>
+  production_plan_and_apply:
+    jobs:
+      - compile_production_assets
+      - terraform_plan_production:
+          requires:
+            - compile_production_assets
       - approve_production_terraform:
           type: approval
           filters:
@@ -439,26 +445,6 @@ workflows:
               only: production
           requires:
             - approve_production_terraform<% end %>
-      - deploy_staging:
-          filters:
-            branches:
-              only: main
-          requires:
-            - test
-            - static_security_scans
-            - owasp_scan
-            - a11y_scan<% if terraform? %>
-            - terraform_apply_staging<% end %>
-      - deploy_production:
-          filters:
-            branches:
-              only: production
-          requires:
-            - test
-            - static_security_scans
-            - owasp_scan
-            - a11y_scan<% if terraform? %>
-            - terraform_apply_production<% end %>
   daily_scan:
     triggers:
       - schedule:
@@ -471,6 +457,9 @@ workflows:
                 - production
     jobs:
       - build
+      - refresh_asset_caches:
+          requires:
+            - build
       - static_security_scans:
           requires:
             - build

data/lib/generators/rails_template18f/github_actions/github_actions_generator.rb

@@ -6,7 +6,7 @@ module RailsTemplate18f
   module Generators
     class GithubActionsGenerator < ::Rails::Generators::Base
       include Base
-      include PipelineOptions
+      include CloudGovOptions
 
       class_option :node_version, desc: "Node version to test against in actions"
 
@@ -17,14 +17,14 @@ module RailsTemplate18f
 
       def install_actions
         directory "github", ".github"
-        if !terraform?
-          remove_file ".github/workflows/terraform-staging.yml"
-          remove_file ".github/workflows/terraform-production.yml"
-        end
         if !oscal_dir_exists?
           remove_file ".github/workflows/validate-ssp.yml"
           remove_file ".github/workflows/assemble-ssp.yml"
         end
+        if !terraform_manage_spaces?
+          remove_file ".github/workflows/terraform-production.yml"
+          remove_file ".github/workflows/deploy-production.yml"
+        end
       end
 
       def update_readme
@@ -80,8 +80,7 @@ EOB
         def readme_staging_deploy
           <<~EOM
 
-            Deploys to staging#{terraform? ? ", including applying changes in terraform," : ""} happen
-            on every push to the `main` branch in GitHub.
+            Deploys to staging happen via terraform on every push to the `main` branch in GitHub.
 
             The following secrets must be set within the `staging` [environment secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-an-environment)
             to enable a deploy to work:
@@ -96,28 +95,31 @@ EOB
         end
 
         def readme_prod_deploy
-          <<~EOM
-
-            Deploys to production#{terraform? ? ", including applying changes in terraform," : ""} happen
-            on every push to the `production` branch in GitHub.
-
-            The following secrets must be set within the `production` [environment secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-an-environment)
-            to enable a deploy to work:
-
-            | Secret Name | Description |
-            | ----------- | ----------- |
-            | `CF_USERNAME` | cloud.gov SpaceDeployer username |
-            | `CF_PASSWORD` | cloud.gov SpaceDeployer password |
-            | `RAILS_MASTER_KEY` | `config/credentials/production.key` |
-            #{terraform_secret_values}
-          EOM
+          if terraform_manage_spaces?
+            <<~EOM
+
+              Deploys to production happen via terraform on every push to the `production` branch in GitHub.
+
+              The following secrets must be set within the `production` [environment secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-an-environment)
+              to enable a deploy to work:
+
+              | Secret Name | Description |
+              | ----------- | ----------- |
+              | `CF_USERNAME` | cloud.gov SpaceDeployer username |
+              | `CF_PASSWORD` | cloud.gov SpaceDeployer password |
+              | `RAILS_MASTER_KEY` | `config/credentials/production.key` |
+              #{terraform_secret_values}
+            EOM
+          else
+            "Production deploys are not supported in the sandbox organization."
+          end
         end
 
         def readme_credentials
           <<~EOM
 
             1. Store variables that must be secret using [GitHub Environment Secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-an-environment)
-            1. Add the appropriate `--var` addition to the `cf_command` line on the deploy action like the existing `rails_master_key`
+            1. Add the appropriate `TF_VAR_<variable name>` addition to the `terraform-<env>.yml` and `deploy-<env>.yml` workflows like the existing `TF_VAR_rails_master_key`
           EOM
         end
       end
@@ -125,12 +127,11 @@ EOB
       private
 
       def terraform_secret_values
-        if terraform?
-          <<~EOM
-            | `TERRAFORM_STATE_ACCESS_KEY` | Access key for terraform state bucket |
-            | `TERRAFORM_STATE_SECRET_ACCESS_KEY` | Secret key for terraform state bucket |
-          EOM
-        end
+        <<~EOM
+          | `TERRAFORM_STATE_ACCESS_KEY` | Access key for terraform state bucket |
+          | `TERRAFORM_STATE_SECRET_ACCESS_KEY` | Secret key for terraform state bucket |
+          | `TERRAFORM_STATE_BUCKET_NAME` | Bucket name for terraform state bucket |
+        EOM
       end
 
       def node_version
@@ -139,7 +140,7 @@ EOB
         elsif File.exist?(nvmrc_path)
           File.read(nvmrc_path).strip
         else
-          "16.15"
+          "20.16"
         end
       end
 

data/lib/generators/rails_template18f/github_actions/templates/github/actions/compile-assets/action.yml

@@ -0,0 +1,50 @@
+name: Compile assets
+description: Restore an asset cache, precompile, clean, and optionally save the cache back
+inputs:
+  rails_env:
+    description: RAILS_ENV in use.
+    required: true
+  fail_on_missing_cache:
+    description: Whether to fail the action on a missing cache restore
+    required: false
+    default: 'false'
+  save_cache:
+    description: Whether to save the compiled assets cache
+    required: false
+    default: 'false'
+runs:
+  using: composite
+  steps:
+    - uses: ./.github/actions/setup-languages
+
+    - name: Restore asset cache
+      uses: actions/cache/restore@v4
+      with:
+        key: ${{ inputs.rails_env }}-assets-
+        fail-on-cache-miss: ${{ inputs.fail_on_missing_cache }}
+        path: |
+          public/assets
+          app/assets/builds
+
+    - name: Precompile assets
+      env:
+        RAILS_ENV: ${{ inputs.rails_env }}
+        SECRET_KEY_BASE_DUMMY: 1
+      shell: bash
+      run: ./bin/rake assets:precompile
+
+    - name: "Clean old assets, keeping current + 2 old versions + anything created within past 1 hour"
+      env:
+        RAILS_ENV: ${{ inputs.rails_env }}
+        SECRET_KEY_BASE_DUMMY: 1
+      shell: bash
+      run: ./bin/rake assets:clean
+
+    - name: Save cache
+      if: ${{ inputs.save_cache == 'true' }}
+      uses: actions/cache/save@v4
+      with:
+        key: ${{ inputs.rails_env }}-assets-${{ hashFiles('public/assets/.manifest.json') }}
+        path: |
+          public/assets
+          app/assets/builds

data/lib/generators/rails_template18f/github_actions/templates/github/actions/setup-project/action.yml.tt

@@ -15,15 +15,11 @@ outputs:
 runs:
   using: composite
   steps:
-    - name: Set up Ruby & Javascript
-      uses: ./.github/actions/setup-languages
-
     - name: Precompile assets
-      env:
-        RAILS_ENV: ${{ inputs.rails_env }}
-        SECRET_KEY_BASE: not-actually-secret
-      shell: bash
-      run: bundle exec rake assets:precompile
+      uses: ./.github/actions/compile-assets
+      with:
+        rails_env: ${{ inputs.rails_env }}
+        save_cache: true
 
     - name: Set up database
       env:

data/lib/generators/rails_template18f/github_actions/templates/github/dependabot.yml.tt

@@ -14,12 +14,10 @@ updates:
   directory: "/"
   schedule:
     interval: daily
-  open-pull-requests-limit: 10<% if terraform? %>
+  open-pull-requests-limit: 10
 - package-ecosystem: terraform
   directories:
-    - "/terraform/production"
-    - "/terraform/staging"
+    - "/terraform"
   schedule:
     interval: weekly
   open-pull-requests-limit: 10
-<% end %>