rails_template_18f 1.3.0 → 2.1.0

data/template.rb

@@ -1,4 +1,5 @@
 require "colorize"
+require "bundler/version"
 
 ## Supporting methods
 # tell our template to grab all files from the templates directory
@@ -14,8 +15,8 @@ def skip_active_job?
   !!options[:skip_active_job]
 end
 
-def webpack?
-  options[:javascript] == "webpack"
+def esbuild?
+  options[:javascript] == "esbuild"
 end
 
 def hotwire?
@@ -26,9 +27,17 @@ def cloud_gov_org_tktk?
   @cloud_gov_organization =~ /TKTK/
 end
 
+def gem_ruby_entry
+  if Gem::Version.new(Bundler::VERSION) >= Gem::Version.new("2.4.20") # add file: option to #ruby
+    'ruby file: ".ruby-version"'
+  else
+    "ruby \"#{@ruby_version}\""
+  end
+end
+
 @announcements = Hash.new { |h, k| h[k] = [] }
 def register_announcement(section_name, instructions)
-  @announcements[section_name.to_sym] << instructions
+  @announcements[section_name.to_sym] << instructions.strip
 end
 
 def print_announcements
@@ -39,16 +48,18 @@ def print_announcements
   end
 end
 
-unless Gem::Dependency.new("rails", "~> 7.2.0").match?("rails", Rails.gem_version)
-  warn "This template requires Rails 7.2.x"
+unless Gem::Dependency.new("rails", "~> 8.0.1").match?("rails", Rails.gem_version)
+  warn "This template requires Rails 8.0.x"
   if Gem::Dependency.new("rails", "~> 6.1.0").match?("rails", Rails.gem_version)
     warn "See the rails-6 branch https://github.com/gsa-tts/rails-template/tree/rails-6"
   elsif Gem::Dependency.new("rails", "~> 7.0.0").match?("rails", Rails.gem_version)
     warn "See the rails-7.0 branch https://github.com/gsa-tts/rails-template/tree/rails-7.0"
   elsif Gem::Dependency.new("rails", "~> 7.1.0").match?("rails", Rails.gem_version)
     warn "See the rails-7.1 branch https://github.com/gsa-tts/rails-template/tree/rails-7.1"
-  elsif Gem::Dependency.new("rails", ">= 7.3.0").match?("rails", Rails.gem_version)
-    warn "We haven't updated the template for Rails >= 7.3 yet! Please file an issue so we can get the template updated"
+  elsif Gem::Dependency.new("rails", "~> 7.2.0").match?("rails", Rails.gem_version)
+    warn "See the rails-7.2 branch https://github.com/gsa-tts/rails-template/tree/rails-7.2"
+  elsif Gem::Dependency.new("rails", ">= 8.1.0").match?("rails", Rails.gem_version)
+    warn "We haven't updated the template for Rails >= 8.1 yet! Please file an issue so we can get the template updated"
   else
     warn "We didn't recognize the version of Rails you are using: #{Rails.version}"
   end
@@ -77,16 +88,18 @@ if auditree
   auditree_evidence_repo = ask("What is the https address of your auditree evidence repo? (Leave blank to fill in later)")
 end
 
-terraform = yes?("Create terraform files for cloud.gov services? (y/n)")
 @cloud_gov_organization = ask("What is your cloud.gov organization name? (Leave blank to fill in later)")
 default_staging_space = "staging"
 cloud_gov_staging_space = ask("What is your cloud.gov staging space name? (Default: #{default_staging_space})")
-default_prod_space = "prod"
-cloud_gov_production_space = ask("What is your cloud.gov production space name? (Default: #{default_prod_space})")
+default_prod_space = "production"
+if @cloud_gov_organization != "sandbox-gsa"
+  cloud_gov_production_space = ask("What is your cloud.gov production space name? (Default: #{default_prod_space})")
+end
 @cloud_gov_organization = "TKTK-cloud.gov-org-name" if @cloud_gov_organization.blank?
 cloud_gov_staging_space = default_staging_space if cloud_gov_staging_space.blank?
 cloud_gov_production_space = default_prod_space if cloud_gov_production_space.blank?
 
+@gitlab_ci = yes?("Create GitLab CI config? (y/n)")
 @github_actions = yes?("Create GitHub Actions? (y/n)")
 @circleci_pipeline = yes?("Create CircleCI config? (y/n)")
 newrelic = yes?("Create FEDRAMP New Relic config files? (y/n)")
@@ -106,6 +119,8 @@ running_node_version = `node --version`.gsub(/^v/, "").strip
 run_db_setup = yes?("Run db setup steps? (y/n)")
 
 ## Start of app customizations
+insert_into_file "Gemfile", "\n#{gem_ruby_entry}\n", after: /^source "https.*\n/
+
 template "README.md", force: true
 register_announcement("Documentation", <<~EOM)
   * Complete the project README by adding a quick summary of the project in the top section.
@@ -118,6 +133,8 @@ if compliance_trestle
     generator_arguments = []
     generator_arguments << "--oscal_repo=#{compliance_trestle_repo}" if compliance_trestle_submodule
     generator_arguments << "--ci=github" if @github_actions
+    generator_arguments << "--ci=gitlab" if @gitlab_ci
+    generator_arguments << "--ci=circleci" if @circleci_pipeline
     generate "rails_template18f:oscal", *generator_arguments
   end
   register_announcement("OSCAL Documentation", <<~EOM)
@@ -179,7 +196,7 @@ chmod "bin/ops/create_service_account.sh", 0o755
 chmod "bin/ops/destroy_service_account.sh", 0o755
 chmod "bin/ops/set_space_egress.sh", 0o755
 copy_file "pa11y.js"
-copy_file "pa11yci.js"
+template "pa11yci.js"
 copy_file "editorconfig", ".editorconfig"
 copy_file "zap.conf"
 after_bundle do
@@ -187,7 +204,7 @@ after_bundle do
 end
 
 # updates for OWASP scan to pass
-gem "secure_headers", "~> 6.7"
+gem "secure_headers", "~> 7.1"
 initializer "secure_headers.rb", <<~EOM
   SecureHeaders::Configuration.default do |config|
     # CSP settings are handled by Rails
@@ -226,22 +243,16 @@ uncomment_lines csp_initializer, "content_security_policy_nonce"
 
 # install development & testing gems
 gem_group :development, :test do
-  gem "rspec-rails", "~> 6.1"
+  gem "rspec-rails", "~> 7.1"
   gem "dotenv-rails", "~> 3.1"
   gem "bundler-audit", "~> 0.9"
-  gem "standard", "~> 1.40"
+  gem "standard", "~> 1.43"
 end
 if ENV["RT_DEV"] == "true"
   gem "rails_template_18f", group: :development, path: ENV["PWD"]
 else
   gem "rails_template_18f", group: :development
 end
-after_bundle do
-  gsub_file "bin/dev", /foreman start -f (.*)$/, <<~'EOM'
-    # pass /dev/null for the environment file to prevent weird interactions between foreman and dotenv
-    foreman start -e /dev/null -f \1
-  EOM
-end
 
 copy_file "lib/tasks/scanning.rake"
 copy_file "env", ".env"
@@ -269,27 +280,19 @@ unless skip_git?
 end
 
 # setup USWDS and asset pipeline
-copy_file "browserslistrc", ".browserslistrc" if webpack?
+copy_file "browserslistrc", ".browserslistrc"
 after_bundle do
-  run 'npm pkg set scripts.build:css="postcss ./app/assets/stylesheets/application.postcss.scss -o ./app/assets/builds/application.css"'
-  # include verbose flag for dev postcss output
-  gsub_file "Procfile.dev", "yarn build:css --watch", "yarn build:css --verbose --watch"
-  # Replace postcss-nesting with sass since USWDS uses sass
-  run "yarn remove postcss-nesting"
-  run "yarn add @csstools/postcss-sass postcss-scss postcss-minify"
-  insert_into_file "postcss.config.js", "  syntax: 'postcss-scss',\n", before: /^\s+plugins/
-  insert_into_file "package.json", <<-EOJSON, before: /^\s+\}$/
-  },
-  "resolutions": {
-    "@csstools/postcss-sass/@csstools/sass-import-resolve": "https://github.com/rahearn/sass-import-resolve"
-  EOJSON
-  gsub_file "postcss.config.js", "postcss-nesting'),", <<~EOJS.strip
-    @csstools/postcss-sass')({
-          includePaths: ['./node_modules/@uswds/uswds/packages'],
-        }),
-  EOJS
-  insert_into_file "postcss.config.js", "    process.env.NODE_ENV === 'production' ? require('postcss-minify') : null,\n", before: /^\s+\],/
   run "yarn add @uswds/uswds"
+  if esbuild?
+    run "yarn add --dev browserslist browserslist-to-esbuild"
+    run 'npm pkg set scripts.build:js="esbuild app/javascript/*.* --bundle --sourcemap --format=esm --outdir=app/assets/builds --public-path=/assets --target=\$(cat config/esbuild-targets.txt) --pure:console.log"'
+    run 'npm pkg set scripts.build="yarn build:js --minify"'
+    run 'npm pkg set scripts.update-browserslist="update-browserslist-db && browserslist-to-esbuild | sed \'s/ /,/g\' > config/esbuild-targets.txt"'
+    run "yarn update-browserslist"
+    gsub_file "Procfile.dev", "js: yarn build --watch", "js: yarn build:js --watch"
+  end
+  gsub_file "package.json", "--load-path=node_modules", "--load-path=node_modules/@uswds/uswds/packages --style=compressed"
+  gsub_file "Procfile.dev", "css: yarn build:css --watch", "css: yarn build:css --style=expanded --watch"
   appjs_file = "app/javascript/application.js"
   append_to_file appjs_file, "\nimport \"@uswds/uswds\"\n"
   if hotwire?
@@ -313,15 +316,12 @@ after_bundle do
     EOJS
   end
   directory "app/assets"
-  append_to_file "app/assets/stylesheets/application.postcss.css", <<~EOCSS
+  append_to_file "app/assets/stylesheets/application.sass.scss", <<~EOCSS
     @forward "uswds-settings";
     @forward "uswds-components";
 
     @forward "uswds-overrides";
   EOCSS
-  inside "app/assets/stylesheets" do
-    File.rename("application.postcss.css", "application.postcss.scss")
-  end
   gsub_file "app/views/layouts/application.html.erb", "<html>", '<html lang="<%= I18n.locale %>">'
   gsub_file "app/views/layouts/application.html.erb", /^\s+<%= yield %>/, <<-EOHTML
     <%= render "application/usa_banner" %>
@@ -332,7 +332,13 @@ after_bundle do
       </div>
     </main>
   EOHTML
-  append_to_file "config/initializers/assets.rb", "Rails.application.config.assets.paths << Rails.root.join(\"node_modules\")"
+  append_to_file "config/initializers/assets.rb", <<~EOC
+    Rails.application.configure do
+      config.assets.paths << Rails.root.join("node_modules/@uswds/uswds/dist/img")
+      config.assets.paths << Rails.root.join("node_modules/@uswds/uswds/dist/fonts")
+      config.assets.excluded_paths << Rails.root.join("app/assets/stylesheets")
+    end
+  EOC
 end
 directory "app/views/application"
 
@@ -387,29 +393,25 @@ if dap
 end
 
 # infrastructure & deploy
-template "manifest.yml"
 copy_file "lib/tasks/cf.rake"
-directory "config/deployment"
 
-if terraform
-  after_bundle do
-    generator_arguments = [
-      "--cg-org=#{@cloud_gov_organization}",
-      "--cg-staging=#{cloud_gov_staging_space}",
-      "--cg-prod=#{cloud_gov_production_space}"
-    ]
-    generate "rails_template18f:terraform", *generator_arguments
-  end
-  if cloud_gov_org_tktk?
-    register_announcement("Terraform", <<~EOM)
-      Fill in the cloud.gov organization information in:
-        * terraform/bootstrap/main.tf
-        * terraform/staging/main.tf
-        * terraform/production/main.tf
-    EOM
-  end
-  register_announcement("Terraform", "Run the bootstrap script and update the appropriate CI/CD environment variables defined in the Deployment section of the README")
+after_bundle do
+  generator_arguments = [
+    "--cg-org=#{@cloud_gov_organization}",
+    "--cg-staging=#{cloud_gov_staging_space}",
+    "--cg-prod=#{cloud_gov_production_space}"
+  ]
+  generate "rails_template18f:terraform", *generator_arguments
+end
+if cloud_gov_org_tktk?
+  register_announcement("Terraform", <<~EOM)
+    Fill in the cloud.gov organization and space information in:
+      * terraform/bootstrap/main.tf
+      * terraform/main.tf
+      * terraform/*.tfvars
+  EOM
 end
+register_announcement("Terraform", "Run the bootstrap script and update the appropriate CI/CD environment variables defined in the Deployment section of the README")
 
 if !skip_active_job?
   after_bundle do
@@ -426,18 +428,12 @@ end
 if @github_actions
   after_bundle do
     generator_arguments = [
-      (terraform ? "--terraform" : "--no-terraform"),
       "--cg-org=#{@cloud_gov_organization}",
       "--cg-staging=#{cloud_gov_staging_space}",
       "--cg-prod=#{cloud_gov_production_space}"
     ]
     generate "rails_template18f:github_actions", *generator_arguments
   end
-  if cloud_gov_org_tktk?
-    register_announcement("GitHub Actions", <<~EOM)
-      * Fill in the cloud.gov organization information in .github/workflows/deploy-staging.yml
-    EOM
-  end
   register_announcement("GitHub Actions", <<~EOM)
     * Create environment variable secrets for deploy users as defined in the Deployment section of the README
   EOM
@@ -446,23 +442,31 @@ end
 if @circleci_pipeline
   after_bundle do
     generator_arguments = [
-      (terraform ? "--terraform" : "--no-terraform"),
       "--cg-org=#{@cloud_gov_organization}",
       "--cg-staging=#{cloud_gov_staging_space}",
       "--cg-prod=#{cloud_gov_production_space}"
     ]
     generate "rails_template18f:circleci", *generator_arguments
   end
-  if cloud_gov_org_tktk?
-    register_announcement("CircleCI", <<~EOM)
-      * Fill in the cloud.gov organization information in .circleci/config.yml
-    EOM
-  end
   register_announcement("CircleCI", <<~EOM)
     * Create project environment variables for deploy users as defined in the Deployment section of the README
   EOM
 end
 
+if @gitlab_ci
+  after_bundle do
+    generator_arguments = [
+      "--cg-org=#{@cloud_gov_organization}",
+      "--cg-staging=#{cloud_gov_staging_space}",
+      "--cg-prod=#{cloud_gov_production_space}"
+    ]
+    generate "rails_template18f:gitlab_ci", *generator_arguments
+  end
+  register_announcement("GitLab CI", <<~EOM)
+    * Create project environment variables for deploy users as defined in the Deployment section of the README
+  EOM
+end
+
 if auditree
   after_bundle do
     generate "rails_template18f:auditree", "--evidence_locker=#{auditree_evidence_repo}"
@@ -513,12 +517,6 @@ after_bundle do
   run "bundle exec standardrb --fix"
 
   unless skip_git?
-    run "cp .gitignore .cfignore"
-    append_to_file ".cfignore", <<~EOM
-
-      # compliance documentation
-      /doc/compliance/
-    EOM
     if compliance_trestle_submodule
       inside "doc/compliance/oscal" do
         run "git add -A"

data/templates/README.md.tt

@@ -110,34 +110,47 @@ To enable automatic ruby linting on every `git commit` follow the instructions a
 Each environment has dependencies on a PostgreSQL RDS instance managed by cloud.gov.
 See [cloud.gov docs](https://cloud.gov/docs/services/relational-database/) for information on RDS.
 
+Terraform is used to deploy the application and supporting services. See [terraform/README.md](./terraform/README.md)
+for more information on how to set up your terraform backend and deploy the app.
+
 #### Staging
 <% if !@github_actions && !@circleci_pipeline %>
-Before the first deploy only, create DB service with `cf create-service aws-rds micro-psql <%= app_name %>-rds-staging`
+First, follow the `terraform/README.md` instructions to set up your backend, then:
 
-`cf push --strategy rolling --vars-file config/deployment/staging.yml --var rails_master_key=$(cat config/master.key)`
+```bash
+$ cd terraform
+$ ./terraform.sh -e staging -c apply
+```
 <% end %>
 
 #### Production
 <% if !@github_actions && !@circleci_pipeline %>
-Before the first deploy only, create DB service with `cf create-service aws-rds <<SERVICE_PLAN_NAME>> <%= app_name %>-rds-production`
+First, follow the `terraform/README.md` instructions to set up your backend, then:
 
-`cf push --strategy rolling --vars-file config/deployment/production.yml --var rails_master_key=$(cat config/credentials/production.key)`
+```bash
+$ cd terraform
+$ ./terraform.sh -e production -k $(cat ../config/credentials/production.key) -c apply
+```
 <% end %>
 
 ### Configuring ENV variables in cloud.gov
 
 All configuration that needs to be added to the deployed application's ENV should be added to
-the `env:` block in `manifest.yml`
+the `environment = {}` block in `terraform/app.tf`
+
+Items that are both **public** and **consistent** across environments can be set directly there.
 
-Items that are both **public** and **consistent** across staging and production can be set directly there.
+Otherwise:
 
-Otherwise, they are set as a `((variable))` within `manifest.yml` and the variable is defined depending on sensitivity:
+1. add a new `variable "variable_name" {}` block to `terraform/variables.tf`
+2. add a new entry in the `environment = {}` block to reference that variable
+3. set that variable depending on sensitivity:
 
 #### Credentials and other Secrets
 
 #### Non-secrets
 
-Configuration that changes from staging to production, but is public, should be added to `config/deployment/staging.yml` and `config/deployment/production.yml`
+Configuration that changes by environment, but is public, should be added to the `tfvars` files, such as `terraform/production.tfvars` and `terraform/staging.tfvars`
 
 ## Documentation
 

data/templates/app/assets/stylesheets/uswds-settings.scss

@@ -1,7 +1,8 @@
 @use "uswds-core" with (
   // Point the asset pipline to the correct locations
-  $theme-font-path: "@uswds/uswds/dist/fonts",
-  $theme-image-path: "@uswds/uswds/dist/img",
+  // empty strings are on purpose to override the defaults
+  $theme-font-path: "",
+  $theme-image-path: "",
 
   $theme-show-notifications: false,
 

data/templates/app/views/application/_header.html.erb

@@ -14,7 +14,7 @@
     </div>
     <nav aria-label="<%= t('shared.header.primary') %>" class="usa-nav">
       <button class="usa-nav__close">
-        <%= image_tag "@uswds/uswds/dist/img/usa-icons/close.svg", role: "img", alt: t('shared.header.close') %>
+        <%= image_tag "usa-icons/close.svg", role: "img", alt: t('shared.header.close') %>
       </button>
       <ul class="usa-nav__primary usa-accordion">
         <li class="usa-nav__primary-item">

data/templates/app/views/application/_usa_banner.html.erb

@@ -6,7 +6,7 @@
       <div class="usa-banner__inner">
         <div class="banner__text-container grid-row">
           <div class="grid-col-auto">
-            <%= image_tag "@uswds/uswds/dist/img/us_flag_small.png", alt: t('shared.banner.us_flag'), class: "usa-banner__header-flag" %>
+            <%= image_tag "us_flag_small.png", alt: t('shared.banner.us_flag'), class: "usa-banner__header-flag" %>
           </div>
           <div class="grid-col-fill tablet:grid-col-auto">
             <p class="usa-banner__header-text">
@@ -35,14 +35,14 @@
       <% end %>
       <div class="grid-row grid-gap-lg">
         <div class="usa-banner__guidance tablet:grid-col-6">
-          <%= image_tag "@uswds/uswds/dist/img/icon-dot-gov.svg", role: "img", "aria-hidden": true, class: "usa-banner__icon usa-media-block__img" %>
+          <%= image_tag "icon-dot-gov.svg", role: "img", "aria-hidden": true, class: "usa-banner__icon usa-media-block__img" %>
           <div class="usa-media-block__body">
             <strong><%= t('shared.banner.gov_heading') %></strong>
             <br> <%= t('shared.banner.gov_description_html') %>
           </div>
         </div>
         <div class="usa-banner__guidance tablet:grid-col-6">
-          <%= image_tag "@uswds/uswds/dist/img/icon-https.svg", role: "img", "aria-hidden": true, class: "usa-banner__icon usa-media-block__img" %>
+          <%= image_tag "icon-https.svg", role: "img", "aria-hidden": true, class: "usa-banner__icon usa-media-block__img" %>
           <div class="usa-media-block__body">
             <p>
               <strong><%= t('shared.banner.secure_heading') %></strong>

data/templates/bin/ops/create_service_account.sh.tt

@@ -7,7 +7,7 @@ $0: Create a Service User Account for a given space
 
 Usage:
   $0 -h
-  $0 -s <SPACE NAME> -u <USER NAME> [-r <ROLE NAME>] [-o <ORG NAME>] [-m]
+  $0 -s <SPACE NAME> -u <USER NAME> [-r <ROLE NAME>] [-o <ORG NAME>] [-m] [-n]
 
 Options:
 -h: show help and exit
@@ -15,10 +15,12 @@ Options:
 -u <USER NAME>: set the service user name. Required
 -r <ROLE NAME>: set the service user's role to either space-deployer or space-auditor. Default: space-deployer
 -m: If provided, make the service user an OrgManager
+-n: If provided, make the service user a SpaceManager
 -o <ORG NAME>: configure the organization to act on. Default: $org
 
 Notes:
-* OrgManager is required for terraform to create <env>-egress spaces
+* OrgManager is required for terraform to create spaces
+* OrgManager or SpaceManager is required for terraform to set egress rules
 "
 
 set -e
@@ -28,8 +30,9 @@ space=""
 service=""
 role="space-deployer"
 org_manager="false"
+space_manager="false"
 
-while getopts ":hms:u:r:o:" opt; do
+while getopts ":hmns:u:r:o:" opt; do
   case "$opt" in
     s)
       space=${OPTARG}
@@ -46,6 +49,9 @@ while getopts ":hms:u:r:o:" opt; do
     m)
       org_manager="true"
       ;;
+    n)
+      space_manager="true"
+      ;;
     h)
       echo "$usage"
       exit 0
@@ -59,26 +65,29 @@ then
   exit 1
 fi
 
-if [[ $space = "" || $service = "" ]]; then
+if [[ -z "$space" || -z "$service" ]]; then
   echo "$usage"
   exit 1
 fi
 
-cf target -o $org -s $space 1>&2
+cf target -o "$org" -s "$space" 1>&2
 
 # create user account service
-cf create-service cloud-gov-service-account $role $service 1>&2
+cf create-service cloud-gov-service-account "$role" "$service" 1>&2
 
 # create service key
-cf create-service-key $service service-account-key 1>&2
+cf create-service-key "$service" service-account-key 1>&2
 
 # output service key to stdout in secrets.auto.tfvars format
-creds=`cf service-key $service service-account-key | tail -n +2 | jq '.credentials'`
-username=`echo $creds | jq -r '.username'`
-password=`echo $creds | jq -r '.password'`
+creds=`cf service-key "$service" service-account-key | tail -n +2 | jq '.credentials'`
+username=`echo "$creds" | jq -r '.username'`
+password=`echo "$creds" | jq -r '.password'`
 
 if [[ "$org_manager" = "true" ]]; then
-  cf set-org-role $username $org OrgManager 1>&2
+  cf set-org-role "$username" "$org" OrgManager 1>&2
+fi
+if [[ "$space_manager" = "true" ]]; then
+  cf set-space-role "$username" "$org" "$space" SpaceManager 1>&2
 fi
 
 cat << EOF

data/templates/bin/ops/destroy_service_account.sh.tt

@@ -39,12 +39,12 @@ while getopts ":hs:u:o:" opt; do
   esac
 done
 
-if [[ $space = "" || $service = "" ]]; then
+if [[ -z "$space" || -z "$service" ]]; then
   echo "$usage"
   exit 1
 fi
 
-cf target -o $org -s $space
+cf target -o "$org" -s "$space"
 
 # destroy service
-cf delete-service $service -f
+cf delete-service -f "$service"

data/templates/browserslistrc

@@ -1,5 +1,4 @@
 # Supported browsers
-> 2%
+> 0.2%
 last 2 versions
-IE 11
 not dead

data/templates/doc/compliance/TODO.md

@@ -10,10 +10,7 @@ Egress Spaces
 
 If your application requires outbound communication to services outside of cloud.gov:
 
-1. Set up `<env>-egress` spaces for each environment.
-1. Set that space to public egress with `bin/ops/set_space_egress.sh -s <env>-egress -p`
-1. Run [cg-egress-proxy](https://github.com/GSA/cg-egress-proxy#deploying-proxies-for-a-bunch-of-apps-automatically) in that space
-1. Send all outbound traffic from your app through the proxy
+1. `bin/rails g rails_template18f:public_egress`
 1. Document this use under the SC-7 security control
 
 Log Drains

data/templates/{pa11yci.js → pa11yci.js.tt}

@@ -2,7 +2,12 @@ let defaults = require("./pa11y.js");
 
 // set chrome path for github actions
 defaults.defaults.chromeLaunchConfig = {
+  <% if @gitlab_ci %>
+  "executablePath": "/usr/bin/chromium",
+  "args": ["--no-sandbox"]
+  <% else %>
   "executablePath": "/usr/bin/google-chrome"
+  <% end %>
 };
 
 module.exports = defaults;