rails_template_18f 1.3.0 → 2.1.0

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-production.yml

@@ -0,0 +1,74 @@
+name: Deploy Production
+
+on:
+  push:
+    branches: [ production ]
+    paths-ignore:
+      - 'doc/**'
+      - 'README.md'
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  build-assets:
+    name: Compile and clean assets
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Compile assets
+        uses: ./.github/actions/compile-assets
+        with:
+          rails_env: production
+          save_cache: true
+      - name: Upload assets
+        uses: actions/upload-artifact@v4
+        with:
+          name: production-assets
+          path: public/assets
+
+  deploy:
+    name: Deploy to production
+    runs-on: ubuntu-latest
+    needs: build-assets
+    environment: production
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Download assets
+        uses: actions/download-artifact@v4
+        with:
+          name: production-assets
+          path: public/assets
+
+      - name: Terraform apply
+        uses: dflook/terraform-apply@v1
+        env:
+          CF_API_URL: "https://api.fr.cloud.gov"
+          CF_USER: ${{ secrets.CF_USERNAME }}
+          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
+          TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
+          TF_VAR_rails_master_key: ${{ secrets.RAILS_MASTER_KEY }}
+          TERRAFORM_PRE_RUN: |
+            apt-get update
+            apt-get install -y zip
+        with:
+          path: terraform
+          var_file: terraform/production.tfvars
+          backend_config: >
+            access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+            secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+            bucket=${{ secrets.TERRAFORM_STATE_BUCKET_NAME }}
+            key=terraform.tfstate.production
+
+      - name: Save app zip for debugging
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: app-src-apply
+          path: terraform/dist/src.zip
+          compression-level: 0
+          retention-days: 1

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-staging.yml

@@ -0,0 +1,74 @@
+name: Deploy Staging
+
+on:
+  push:
+    branches: [ main ]
+    paths-ignore:
+      - 'doc/**'
+      - 'README.md'
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  build-assets:
+    name: Compile and clean assets
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Compile assets
+        uses: ./.github/actions/compile-assets
+        with:
+          rails_env: staging
+          save_cache: true
+      - name: Upload assets
+        uses: actions/upload-artifact@v4
+        with:
+          name: staging-assets
+          path: public/assets
+
+  deploy:
+    name: Deploy to staging
+    runs-on: ubuntu-latest
+    needs: build-assets
+    environment: staging
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Download assets
+        uses: actions/download-artifact@v4
+        with:
+          name: staging-assets
+          path: public/assets
+
+      - name: Terraform apply
+        uses: dflook/terraform-apply@v1
+        env:
+          CF_API_URL: "https://api.fr.cloud.gov"
+          CF_USER: ${{ secrets.CF_USERNAME }}
+          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
+          TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
+          TF_VAR_rails_master_key: ${{ secrets.RAILS_MASTER_KEY }}
+          TERRAFORM_PRE_RUN: |
+            apt-get update
+            apt-get install -y zip
+        with:
+          path: terraform
+          var_file: terraform/staging.tfvars
+          backend_config: >
+            access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+            secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+            bucket=${{ secrets.TERRAFORM_STATE_BUCKET_NAME }}
+            key=terraform.tfstate.staging
+
+      - name: Save app zip for debugging
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: app-src-apply
+          path: terraform/dist/src.zip
+          compression-level: 0
+          retention-days: 1

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/owasp-daily-scan.yml.tt

@@ -31,6 +31,15 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Touch staging cache
+        uses: ./.github/actions/compile-assets
+        with:
+          rails_env: staging
+      - name: Touch production cache
+        uses: ./.github/actions/compile-assets
+        with:
+          rails_env: production
+
       - id: setup
         uses: ./.github/actions/setup-project
 
@@ -39,7 +48,7 @@ jobs:
           database_url: ${{ steps.setup.outputs.database_url }}
 
       - name: Run OWASP Full Scan
-        uses: zaproxy/action-full-scan@v0.10.0
+        uses: zaproxy/action-full-scan@v0.12.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           docker_name: 'ghcr.io/zaproxy/zaproxy:weekly'

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/owasp-scan.yml.tt

@@ -38,7 +38,7 @@ jobs:
           database_url: ${{ steps.setup.outputs.database_url }}
 
       - name: Run OWASP Baseline Scan
-        uses: zaproxy/action-baseline@v0.12.0
+        uses: zaproxy/action-baseline@v0.14.0
         with:
           docker_name: 'ghcr.io/zaproxy/zaproxy:weekly'
           target: 'http://localhost:3000/'

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/pa11y.yml.tt

@@ -49,7 +49,7 @@ jobs:
 
       - name: Comment on pull request
         if: failure()
-        uses: actions/github-script@v4
+        uses: actions/github-script@v7
         with:
           script: |
             const output = `Pa11y Failures detected
@@ -61,7 +61,7 @@ jobs:
             \`\`\`
             </details>`;
 
-            github.issues.createComment({
+            github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-production.yml

@@ -9,9 +9,28 @@ permissions:
   pull-requests: write
 
 jobs:
+  build-assets:
+    name: Compile and clean assets
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Compile assets
+        uses: ./.github/actions/compile-assets
+        with:
+          rails_env: production
+          # you may want to enable the next line to surface issues with missing assets,
+          # but not until after you've deployed once and the cache has been created
+          # fail_on_missing_cache: true
+      - name: Upload assets
+        uses: actions/upload-artifact@v4
+        with:
+          name: production-assets
+          path: public/assets
+
   terraform:
     name: Terraform plan
     runs-on: ubuntu-latest
+    needs: build-assets
     environment: production
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -22,20 +41,46 @@ jobs:
       - name: terraform validate
         uses: dflook/terraform-validate@v1
         with:
-          path: terraform/production
+          path: terraform
 
       - name: terraform fmt
         uses: dflook/terraform-fmt-check@v1
         with:
-          path: terraform/production
+          path: terraform
+
+      - name: Download assets
+        uses: actions/download-artifact@v4
+        with:
+          name: production-assets
+          path: public/assets
 
       - name: terraform plan
         uses: dflook/terraform-plan@v1
         env:
+          CF_API_URL: "https://api.fr.cloud.gov"
+          CF_USER: ${{ secrets.CF_USERNAME }}
+          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
           TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
-          TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
+          TF_VAR_rails_master_key: ${{ secrets.RAILS_MASTER_KEY }}
+          TERRAFORM_PRE_RUN: |
+            apt-get update
+            apt-get install -y zip
         with:
-          path: terraform/production
+          path: terraform
+          var_file: terraform/production.tfvars
+          add_github_comment: changes-only
           backend_config: >
             access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
             secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+            bucket=${{ secrets.TERRAFORM_STATE_BUCKET_NAME }}
+            key=terraform.tfstate.production
+
+      # Uncomment this step if you need to debug issues
+      # with mismatched app checksum between plan and apply
+      # - name: Save app zip for debugging
+      #   uses: actions/upload-artifact@v4
+      #   with:
+      #     name: app-src-plan
+      #     path: terraform/dist/src.zip
+      #     compression-level: 0
+      #     retention-days: 1

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-staging.yml

@@ -9,9 +9,28 @@ permissions:
   pull-requests: write
 
 jobs:
+  build-assets:
+    name: Compile and clean assets
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Compile assets
+        uses: ./.github/actions/compile-assets
+        with:
+          rails_env: staging
+          # you may want to enable the next line to surface issues with missing assets,
+          # but not until after you've deployed once and the cache has been created
+          # fail_on_missing_cache: true
+      - name: Upload assets
+        uses: actions/upload-artifact@v4
+        with:
+          name: staging-assets
+          path: public/assets
+
   terraform:
     name: Terraform plan
     runs-on: ubuntu-latest
+    needs: build-assets
     environment: staging
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -22,20 +41,46 @@ jobs:
       - name: terraform validate
         uses: dflook/terraform-validate@v1
         with:
-          path: terraform/staging
+          path: terraform
 
       - name: terraform fmt
         uses: dflook/terraform-fmt-check@v1
         with:
-          path: terraform/staging
+          path: terraform
+
+      - name: Download assets
+        uses: actions/download-artifact@v4
+        with:
+          name: staging-assets
+          path: public/assets
 
       - name: terraform plan
         uses: dflook/terraform-plan@v1
         env:
+          CF_API_URL: "https://api.fr.cloud.gov"
+          CF_USER: ${{ secrets.CF_USERNAME }}
+          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
           TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
-          TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
+          TF_VAR_rails_master_key: ${{ secrets.RAILS_MASTER_KEY }}
+          TERRAFORM_PRE_RUN: |
+            apt-get update
+            apt-get install -y zip
         with:
-          path: terraform/staging
+          path: terraform
+          var_file: terraform/staging.tfvars
+          add_github_comment: changes-only
           backend_config: >
             access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
             secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+            bucket=${{ secrets.TERRAFORM_STATE_BUCKET_NAME }}
+            key=terraform.tfstate.staging
+
+      # Uncomment this step if you need to debug issues
+      # with mismatched app checksum between plan and apply
+      # - name: Save app zip for debugging
+      #   uses: actions/upload-artifact@v4
+      #   with:
+      #     name: app-src-plan
+      #     path: terraform/dist/src.zip
+      #     compression-level: 0
+      #     retention-days: 1

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/validate-ssp.yml

@@ -31,14 +31,14 @@ jobs:
 
       - name: Comment on pull request
         if: failure()
-        uses: actions/github-script@v4
+        uses: actions/github-script@v7
         with:
           script: |
             const output = `SSP assembly detected changes that aren't checked in.
 
             Run \`bin/trestle assemble-ssp-json\` to ensure markdown changes are reflected in your SSP`;
 
-            github.issues.createComment({
+            github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,

data/lib/generators/rails_template18f/gitlab_ci/gitlab_ci_generator.rb

@@ -0,0 +1,147 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+
+module RailsTemplate18f
+  module Generators
+    class GitlabCiGenerator < ::Rails::Generators::Base
+      include Base
+      include CloudGovOptions
+
+      class_option :node_version, desc: "Node version to test against in actions"
+      class_option :postgres_version, default: "15", desc: "PostgreSQL version "
+
+      desc <<~DESC
+        Description:
+          Install GitLab CI workflow files
+      DESC
+
+      def install_actions
+        template "gitlab-ci.yml", ".gitlab-ci.yml"
+        directory "gitlab", ".gitlab"
+      end
+
+      def update_readme
+        if file_content("README.md").match?(/^## CI\/CD$/)
+          insert_into_file "README.md", readme_cicd, after: "## CI/CD\n"
+          insert_into_file "README.md", readme_staging_deploy, after: "#### Staging\n"
+          insert_into_file "README.md", readme_prod_deploy, after: "#### Production\n"
+          insert_into_file "README.md", readme_credentials, after: "#### Credentials and other Secrets\n"
+        else
+          append_to_file "README.md", <<~EOM
+            ## CI/CD
+            #{readme_cicd}
+
+            ### Deployment
+
+            #### Staging
+            #{readme_staging_deploy}
+
+            #### Production
+            #{readme_prod_deploy}
+
+            #### Credentials and other Secrets
+            #{readme_credentials}
+          EOM
+        end
+      end
+
+      def update_boundary_diagram
+        boundary_filename = "doc/compliance/apps/application.boundary.md"
+        insert_into_file boundary_filename, <<EOB, after: "Boundary(cicd, \"CI/CD Pipeline\") {\n"
+    System_Ext(gitlabci, "GitLab w/ DevTools Runner", "GSA-controlled code repository and Continuous Integration Service")
+EOB
+        insert_into_file boundary_filename, <<~EOB, before: "@enduml"
+          Rel(developer, gitlabci, "Publish code", "git ssh (22)")
+          Rel(gitlabci, cg_api, "Deploy App", "Auth: SpaceDeployer Service Account, https (443)")
+        EOB
+      end
+
+      no_tasks do
+        def readme_cicd
+          <<~EOM
+
+            GitLab CI is used to run all tests and scans as part of pull requests.
+
+            Security scans are also run on a scheduled basis. DEVELOPER TODO: create a pipeline schedule in the GitLab UI and update this sentence with the cadence.
+          EOM
+        end
+
+        def readme_staging_deploy
+          <<~EOM
+
+            Deploys to staging happen via terraform on every push to the `main` branch in GitLab.
+
+            The following secrets must be set within the masked and hidden [CI/CD variables](https://docs.gitlab.com/ci/variables/)
+
+            | Secret Name | Description |
+            | ----------- | ----------- |
+            | `CF_USERNAME` | cloud.gov SpaceDeployer username |
+            | `CF_PASSWORD` | cloud.gov SpaceDeployer password |
+            | `RAILS_MASTER_KEY` | `config/master.key` |
+            #{terraform_secret_values}
+          EOM
+        end
+
+        def readme_prod_deploy
+          if terraform_manage_spaces?
+            <<~EOM
+
+              Deploys to production happen via terraform on every push to the `production` branch in GitLab.
+
+              The following secrets must be set within the masked and hidden [CI/CD variables](https://docs.gitlab.com/ci/variables/)
+
+              | Secret Name | Description |
+              | ----------- | ----------- |
+              | `CF_USERNAME` | cloud.gov SpaceDeployer username |
+              | `CF_PASSWORD` | cloud.gov SpaceDeployer password |
+              | `PRODUCTION_RAILS_MASTER_KEY` | `config/credentials/production.key`. Should be marked as `Protected`. |
+              #{terraform_secret_values}
+            EOM
+          else
+            "Production deploys are not supported in the sandbox organization."
+          end
+        end
+
+        def readme_credentials
+          <<~EOM
+
+            1. Store variables that must be secret using masked and hidden [CI/CD variables](https://docs.gitlab.com/ci/variables/) in GitLab
+            1. Add the appropriate `-var` arguments to the `terraform:plan:<env>` and `terraform:apply:<env>` jobs like the existing `-var rails_master_key=`
+          EOM
+        end
+      end
+
+      private
+
+      def terraform_secret_values
+        <<~EOM
+          | `TERRAFORM_PUBLIC_BACKEND_CONFIG` | File-type variable containing all entries from secrets.backend.tfvars _except_ `secret_key`. Marked as `Visible` |
+          | `TERRAFORM_SECRET_BACKEND_CONFIG` | File-type variable containing the `secret_key` line from secrets.backend.tfvars. Masked and hidden. |
+        EOM
+      end
+
+      def postgres_version
+        options[:postgres_version]
+      end
+
+      def node_version
+        if options[:node_version].present?
+          options[:node_version]
+        elsif File.exist?(nvmrc_path)
+          File.read(nvmrc_path).strip
+        else
+          "20.16"
+        end
+      end
+
+      def node_major
+        node_version.split(".").first
+      end
+
+      def nvmrc_path
+        @nvmrc_path ||= File.expand_path(".nvmrc", destination_root)
+      end
+    end
+  end
+end

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab/node.yml.tt

@@ -0,0 +1,11 @@
+.setup-node:
+  - curl -fsSL https://deb.nodesource.com/setup_<%= node_major %>.x -o nodesource_setup.sh
+  - bash nodesource_setup.sh
+  - apt-get install -y nodejs
+  - npm install --global yarn
+
+.yarn-install:
+  - PUPPETEER_SKIP_DOWNLOAD=true yarn install --frozen-lockfile --no-progress
+
+.install-puppet-deps:
+  - apt-get update && apt-get install -y chromium

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab/rails.yml

@@ -0,0 +1,75 @@
+include:
+  - local: ".gitlab/ruby.yml"
+  - local: ".gitlab/node.yml"
+
+# Cache Helpers
+.cache-dependencies:
+  variables:
+    WORKER_MEMORY: 2G
+  cache:
+    key:
+      files:
+        - Gemfile.lock
+        - yarn.lock
+      prefix: dependencies
+    paths:
+      - vendor/ruby
+      - node_modules/
+    policy: pull
+
+# Language Helpers
+.setup-languages:
+  before_script:
+    - !reference [.setup-ruby]
+    - !reference [.setup-node]
+
+# Project Helpers
+.setup-project:
+  services:
+    - name: "postgres:${POSTGRES_VERSION}"
+      alias: pg
+  before_script:
+    - !reference [.setup-ruby]
+    - export DATABASE_URL="postgres://postgres:${POSTGRES_PASSWORD}@${CI_SERVICE_pg}:5432/${POSTGRES_DB}"
+    - bin/rails db:prepare
+
+.run-server:
+  extends: .setup-project
+  dependencies: []
+  variables:
+    RAILS_ENV: ci
+    SECRET_KEY_BASE_DUMMY: 1
+  before_script:
+    - !reference [.setup-node]
+    - !reference [.setup-project, before_script]
+    - bin/rake assets:precompile
+    - PORT=3000 bin/rails server > /dev/null 2>&1 &
+    - sleep 5
+
+.owasp:setup:
+  stage: test
+  extends: .run-server
+  image: "rcahearngsa/owasp-ruby:${RUBY_VERSION}"
+  variables:
+    WORKER_MEMORY: 3G
+    WORKER_DISK: 6G
+  before_script:
+    - !reference [.run-server, before_script]
+    - ln -s $PWD /zap/wrk
+  artifacts:
+    expose_as: "OWASP Report"
+    paths:
+      - zap_report.html
+
+.assets:builder:
+  stage: deploy
+  extends: .setup-languages
+  dependencies: []
+  variables:
+    SECRET_KEY_BASE_DUMMY: 1
+  script:
+    - bin/rake assets:precompile
+    - bin/rake assets:clean
+  artifacts:
+    paths:
+      - public/assets

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab/ruby.yml

@@ -0,0 +1,7 @@
+.setup-ruby:
+  - export PATH=$PATH:/usr/local/bundle/bin
+  - bundle config set --local path 'vendor/ruby'
+  - bundle config set --local deployment true
+
+.bundle-install:
+  - bundle install

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab/terraform.yml

@@ -0,0 +1,28 @@
+# Shared setup helpers for terraform jobs
+.terraform:setup:
+  stage: deploy
+  inherit:
+    default: false
+  image:
+    name: "hashicorp/terraform"
+    entrypoint: ["sh"]
+  variables:
+    CF_API_URL: https://api.fr.cloud.gov
+    TERRAFORM_BACKEND_KEY: terraform.tfstate.staging
+  dependencies: []
+  before_script:
+    - cd terraform
+    - terraform init -backend-config=$TERRAFORM_PUBLIC_BACKEND_CONFIG -backend-config=$TERRAFORM_SECRET_BACKEND_CONFIG -backend-config="key=$TERRAFORM_BACKEND_KEY"
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"
+
+.terraform:variables:staging:
+  dependencies: null
+  variables:
+    CF_USER: $CF_USERNAME
+
+.terraform:variables:production:
+  dependencies: null
+  variables:
+    CF_USER: $CF_USERNAME
+    TERRAFORM_BACKEND_KEY: terraform.tfstate.production