rails_template_18f 2.2.0 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bab13c0d757c29b86c139635bed3f016cc486d38299b7aa90533d888b6995d69
-  data.tar.gz: 447e73554b32dd86782cf52c4cda2699f55c4e0706c05f813e82515a2e61912f
+  metadata.gz: c3ca664ff6618dfdbbd5253b5a58ed43487d7a268cce07bded46840c96353cf6
+  data.tar.gz: 27084955f39ced3910a073008f14fec6630c11607429cdbf9cd1b6f61af0b9f7
 SHA512:
-  metadata.gz: cad79214c9110e3fb33968b8c6d1fc98477c6c979bc58724e9b88f57985456ca7d404515dd004891dade32d4e95183f1a90c12d4d05ee87753f52867f9efde94
-  data.tar.gz: ecb278387c12d47fc9bc611f26c0787fa7c4c2dda43fa14ce8f176bfb4cf9d0d2c6b04718ab0faa3569b4f5897e9d65cdc0b0944972c64648e8e401d9b341881
+  metadata.gz: 9fb5460862865efea3faeb5cf6e1f220e725b57e83c0eb4b3178d486169be2e6e5f6cc3185a621c05ac50a9cdda068e11eb3ae9efba2ae17ce2041fe64e9a41f
+  data.tar.gz: f5826c6d647d2c0285b0399fccb74e91c2ff4c832f9b4d5ab9f89d89dc81302a7c1880aab76076a7fc81dcc906e45536261b0d5b367284581ff51a9c0751ec03

data/CHANGELOG.md

@@ -1,5 +1,9 @@
 ## [Unreleased]
 
+## [2.3.0] - 2025-11-25
+
+- Updates to Gitlab CI and Terraform generators for better workshop.cloud.gov support
+
 ## [2.2.0] - 2025-06-27
 
 - Prevent non-compliant hostnames by replacing underscores with dashes

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    rails_template_18f (2.2.0)
+    rails_template_18f (2.3.0)
       activesupport (~> 8.0.1)
       colorize (~> 1.1)
       railties (~> 8.0.1)
@@ -10,9 +10,9 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    actionpack (8.0.1)
-      actionview (= 8.0.1)
-      activesupport (= 8.0.1)
+    actionpack (8.0.4)
+      actionview (= 8.0.4)
+      activesupport (= 8.0.4)
       nokogiri (>= 1.8.5)
       rack (>= 2.2.4)
       rack-session (>= 1.0.1)
@@ -20,13 +20,13 @@ GEM
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
       useragent (~> 0.16)
-    actionview (8.0.1)
-      activesupport (= 8.0.1)
+    actionview (8.0.4)
+      activesupport (= 8.0.4)
       builder (~> 3.1)
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    activesupport (8.0.1)
+    activesupport (8.0.4)
       base64
       benchmark (>= 0.3)
       bigdecimal
@@ -43,49 +43,55 @@ GEM
       activesupport (>= 3.0)
       railties (>= 3.0)
       rspec-rails (>= 2.2)
-    ast (2.4.2)
-    base64 (0.2.0)
-    benchmark (0.4.0)
-    bigdecimal (3.1.9)
+    ast (2.4.3)
+    base64 (0.3.0)
+    benchmark (0.5.0)
+    bigdecimal (3.3.1)
     builder (3.3.0)
-    byebug (11.1.3)
+    byebug (12.0.0)
     colorize (1.1.0)
-    concurrent-ruby (1.3.4)
-    connection_pool (2.4.1)
+    concurrent-ruby (1.3.5)
+    connection_pool (2.5.4)
     crass (1.0.6)
-    date (3.4.1)
-    diff-lcs (1.5.1)
-    drb (2.2.1)
+    date (3.5.0)
+    diff-lcs (1.6.2)
+    drb (2.2.3)
+    erb (6.0.0)
     erubi (1.13.1)
-    i18n (1.14.6)
+    i18n (1.14.7)
       concurrent-ruby (~> 1.0)
-    io-console (0.8.0)
-    irb (1.14.3)
+    io-console (0.8.1)
+    irb (1.15.3)
+      pp (>= 0.6.0)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
-    json (2.9.1)
-    language_server-protocol (3.17.0.3)
+    json (2.16.0)
+    language_server-protocol (3.17.0.5)
     lint_roller (1.1.0)
-    logger (1.6.4)
-    loofah (2.23.1)
+    logger (1.7.0)
+    loofah (2.24.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
-    minitest (5.25.4)
-    nokogiri (1.18.8-arm64-darwin)
+    minitest (5.26.2)
+    nokogiri (1.18.10-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.8-x86_64-darwin)
+    nokogiri (1.18.10-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.8-x86_64-linux-gnu)
+    nokogiri (1.18.10-x86_64-linux-gnu)
       racc (~> 1.4)
-    parallel (1.26.3)
-    parser (3.3.6.0)
+    parallel (1.27.0)
+    parser (3.3.10.0)
       ast (~> 2.4.1)
       racc
-    psych (5.2.2)
+    pp (0.6.3)
+      prettyprint
+    prettyprint (0.2.0)
+    prism (1.6.0)
+    psych (5.2.6)
       date
       stringio
     racc (1.8.1)
-    rack (3.1.16)
+    rack (3.2.4)
     rack-session (2.1.1)
       base64 (>= 0.1.0)
       rack (>= 3.0.0)
@@ -93,88 +99,95 @@ GEM
       rack (>= 1.3)
     rackup (2.2.1)
       rack (>= 3)
-    rails-dom-testing (2.2.0)
+    rails-dom-testing (2.3.0)
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.6.2)
       loofah (~> 2.21)
       nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
-    railties (8.0.1)
-      actionpack (= 8.0.1)
-      activesupport (= 8.0.1)
+    railties (8.0.4)
+      actionpack (= 8.0.4)
+      activesupport (= 8.0.4)
       irb (~> 1.13)
       rackup (>= 1.0.0)
       rake (>= 12.2)
       thor (~> 1.0, >= 1.2.2)
+      tsort (>= 0.2)
       zeitwerk (~> 2.6)
     rainbow (3.1.1)
-    rake (13.2.1)
-    rdoc (6.10.0)
+    rake (13.3.1)
+    rdoc (6.15.1)
+      erb
       psych (>= 4.0.0)
-    regexp_parser (2.10.0)
-    reline (0.6.0)
+      tsort
+    regexp_parser (2.11.3)
+    reline (0.6.3)
       io-console (~> 0.5)
-    rspec (3.13.0)
+    rspec (3.13.2)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
       rspec-mocks (~> 3.13.0)
-    rspec-core (3.13.2)
+    rspec-core (3.13.6)
       rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.3)
+    rspec-expectations (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.2)
+    rspec-mocks (3.13.7)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-rails (7.1.0)
-      actionpack (>= 7.0)
-      activesupport (>= 7.0)
-      railties (>= 7.0)
+    rspec-rails (8.0.2)
+      actionpack (>= 7.2)
+      activesupport (>= 7.2)
+      railties (>= 7.2)
       rspec-core (~> 3.13)
       rspec-expectations (~> 3.13)
       rspec-mocks (~> 3.13)
       rspec-support (~> 3.13)
-    rspec-support (3.13.2)
-    rubocop (1.69.2)
+    rspec-support (3.13.6)
+    rubocop (1.80.2)
       json (~> 2.3)
-      language_server-protocol (>= 3.17.0)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
       parallel (~> 1.10)
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 2.9.3, < 3.0)
-      rubocop-ast (>= 1.36.2, < 2.0)
+      rubocop-ast (>= 1.46.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.37.0)
-      parser (>= 3.3.1.0)
-    rubocop-performance (1.23.0)
-      rubocop (>= 1.48.1, < 2.0)
-      rubocop-ast (>= 1.31.1, < 2.0)
+    rubocop-ast (1.48.0)
+      parser (>= 3.3.7.2)
+      prism (~> 1.4)
+    rubocop-performance (1.25.0)
+      lint_roller (~> 1.1)
+      rubocop (>= 1.75.0, < 2.0)
+      rubocop-ast (>= 1.38.0, < 2.0)
     ruby-progressbar (1.13.0)
     securerandom (0.4.1)
-    standard (1.43.0)
+    standard (1.51.1)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.0)
-      rubocop (~> 1.69.1)
+      rubocop (~> 1.80.2)
       standard-custom (~> 1.0.0)
-      standard-performance (~> 1.6)
+      standard-performance (~> 1.8)
     standard-custom (1.0.2)
       lint_roller (~> 1.0)
       rubocop (~> 1.50)
-    standard-performance (1.6.0)
+    standard-performance (1.8.0)
       lint_roller (~> 1.1)
-      rubocop-performance (~> 1.23.0)
-    stringio (3.1.2)
-    thor (1.3.2)
+      rubocop-performance (~> 1.25.0)
+    stringio (3.1.8)
+    thor (1.4.0)
+    tsort (0.2.0)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (3.1.3)
-      unicode-emoji (~> 4.0, >= 4.0.4)
-    unicode-emoji (4.0.4)
-    uri (1.0.3)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.1.0)
+    uri (1.1.1)
     useragent (0.16.11)
-    zeitwerk (2.7.1)
+    zeitwerk (2.7.3)
 
 PLATFORMS
   arm64-darwin-23

data/lib/generators/rails_template18f/auditree/auditree_generator.rb

@@ -127,13 +127,13 @@ EOY
             <<~README
               1. Remove the `repo_integrity` section of `config/auditree.template.json`
               1. Create a gitlab personal access token with `write_repository` scope to interact with the code repo and evidence locker and set as `AUDITREE_GITLAB_TOKEN` secret within your CI/CD variables.
-              #{options[:evidence_locker].blank? ? "1. Update `.gitlab/auditree.yml` with the locker repository URL" : ""}
+              #{"1. Update `.gitlab/auditree.yml` with the locker repository URL" if options[:evidence_locker].blank?}
             README
           elsif file_exists? ".github/workflows"
             <<~README
               1. Update `config/auditree.template.json` with the repo address for your code repos
               1. Create a github personal access token to interact with the code repo and evidence locker and set as `AUDITREE_GITHUB_TOKEN` secret within your Github Actions secrets.
-              #{options[:evidence_locker].blank? ? "1. Update `.github/workflows/rspec.yml` with the locker repository URL" : ""}
+              #{"1. Update `.github/workflows/rspec.yml` with the locker repository URL" if options[:evidence_locker].blank?}
             README
           else
             ""

data/lib/generators/rails_template18f/circleci/templates/circleci/config.yml.tt

@@ -319,8 +319,10 @@ jobs:
             CF_USER: "$CF_USERNAME"
           path: terraform
           out: staging.out
-          var_file: staging.tfvars
+          var_file: staging.env.tfvars
           var: >-
+            environment_type="staging",
+            environment_slug="staging",
             rails_master_key="$RAILS_MASTER_KEY",
             cf_user="$CF_USERNAME",
       - persist_to_workspace:
@@ -368,8 +370,10 @@ jobs:
             CF_USER: "$CF_USERNAME"
           path: terraform
           out: production.out
-          var_file: production.tfvars
+          var_file: production.env.tfvars
           var: >-
+            environment_type="production",
+            environment_slug="production",
             rails_master_key="$PRODUCTION_RAILS_MASTER_KEY",
             cf_user="$CF_USERNAME",
       - persist_to_workspace:

data/lib/generators/rails_template18f/github_actions/templates/github/dependabot.yml.tt

@@ -2,11 +2,27 @@ version: 2
 updates:
 - package-ecosystem: bundler
   directory: "/"
+  groups:
+    minor-and-patch:
+      patterns:
+        - "*"
+      exclude-patterns:
+        - "rails"
+      update-types:
+        - "minor"
+        - "patch"
   schedule:
     interval: daily
   open-pull-requests-limit: 10
 - package-ecosystem: npm
   directory: "/"
+  groups:
+    minor-and-patch:
+      patterns:
+        - "*"
+      update-types:
+        - "minor"
+        - "patch"
   schedule:
     interval: daily
   open-pull-requests-limit: 10

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-production.yml

@@ -57,7 +57,10 @@ jobs:
             apt-get install -y zip
         with:
           path: terraform
-          var_file: terraform/production.tfvars
+          var_file: terraform/production.env.tfvars
+          variables: |
+            environment_type="production"
+            environment_slug="production"
           backend_config: >
             access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
             secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-staging.yml

@@ -57,7 +57,10 @@ jobs:
             apt-get install -y zip
         with:
           path: terraform
-          var_file: terraform/staging.tfvars
+          var_file: terraform/staging.env.tfvars
+          variables: |
+            environment_type="staging"
+            environment_slug="staging"
           backend_config: >
             access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
             secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-production.yml

@@ -67,7 +67,10 @@ jobs:
             apt-get install -y zip
         with:
           path: terraform
-          var_file: terraform/production.tfvars
+          var_file: terraform/production.env.tfvars
+          variables: |
+            environment_type="production"
+            environment_slug="production"
           add_github_comment: changes-only
           backend_config: >
             access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-staging.yml

@@ -67,7 +67,10 @@ jobs:
             apt-get install -y zip
         with:
           path: terraform
-          var_file: terraform/staging.tfvars
+          var_file: terraform/staging.env.tfvars
+          variables: |
+            environment_type="staging"
+            environment_slug="staging"
           add_github_comment: changes-only
           backend_config: >
             access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}

data/lib/generators/rails_template18f/gitlab_ci/gitlab_ci_generator.rb

@@ -49,7 +49,7 @@ module RailsTemplate18f
       def update_boundary_diagram
         boundary_filename = "doc/compliance/apps/application.boundary.md"
         insert_into_file boundary_filename, <<EOB, after: "Boundary(cicd, \"CI/CD Pipeline\") {\n"
-    System_Ext(gitlabci, "GitLab w/ DevTools Runner", "GSA-controlled code repository and Continuous Integration Service")
+    System_Ext(gitlabci, "Cloud.gov Workshop", "GSA-run code repository and Continuous Integration Service")
 EOB
         insert_into_file boundary_filename, <<~EOB, before: "@enduml"
           Rel(developer, gitlabci, "Publish code", "git ssh (22)")
@@ -76,8 +76,8 @@ EOB
 
             | Secret Name | Description |
             | ----------- | ----------- |
-            | `CF_USERNAME` | cloud.gov SpaceDeployer username |
-            | `CF_PASSWORD` | cloud.gov SpaceDeployer password |
+            | `CF_USER` | cloud.gov OrgManager username |
+            | `CF_PASSWORD` | cloud.gov OrgManager password |
             | `RAILS_MASTER_KEY` | `config/master.key` |
           EOM
         end
@@ -86,15 +86,15 @@ EOB
           if terraform_manage_spaces?
             <<~EOM
 
-              Deploys to production happen via terraform on every push to the `production` branch in GitLab.
+              Deploys to production happen via terraform on every tag that is added to the `main` branch.
 
-              The following secrets must be set within the masked and hidden [CI/CD variables](https://docs.gitlab.com/ci/variables/)
+              The following secrets must be set within the masked and hidden [CI/CD variables](https://docs.gitlab.com/ci/variables/) and assigned to the `production` environment.
 
               | Secret Name | Description |
               | ----------- | ----------- |
-              | `CF_USERNAME` | cloud.gov SpaceDeployer username |
-              | `CF_PASSWORD` | cloud.gov SpaceDeployer password |
-              | `PRODUCTION_RAILS_MASTER_KEY` | `config/credentials/production.key`. Should be marked as `Protected`. |
+              | `CF_USER` | cloud.gov OrgManager username |
+              | `CF_PASSWORD` | cloud.gov OrgManager password |
+              | `RAILS_MASTER_KEY` | `config/credentials/production.key`. Should be marked as `Protected`. |
             EOM
           else
             "Production deploys are not supported in the sandbox organization."
@@ -105,7 +105,7 @@ EOB
           <<~EOM
 
             1. Store variables that must be secret using masked and hidden [CI/CD variables](https://docs.gitlab.com/ci/variables/) in GitLab
-            1. Add the appropriate `-var` arguments to the `terraform:plan:<env>` and `terraform:apply:<env>` jobs like the existing `-var rails_master_key=`
+            1. Add the appropriate `TF_VAR_` prefixed variables for the `terraform:plan:<env>` and `terraform:apply:<env>` jobs like the existing `TF_VAR_rails_master_key`
           EOM
         end
       end

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab/{node.yml.tt → node.yml}

@@ -1,5 +1,5 @@
 .setup-node:
-  - curl -fsSL https://deb.nodesource.com/setup_<%= node_major %>.x -o nodesource_setup.sh
+  - curl -fsSL "https://deb.nodesource.com/setup_${NODE_MAJOR_VERSION}.x" -o nodesource_setup.sh
   - bash nodesource_setup.sh
   - apt-get install -y nodejs
   - npm install --global yarn

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab/rails.yml

@@ -2,6 +2,13 @@ include:
   - local: ".gitlab/ruby.yml"
   - local: ".gitlab/node.yml"
 
+.base:
+  image: "ruby:${RUBY_VERSION}"
+  before_script:
+    - !reference [.setup-ruby]
+  cache:
+    - !reference [.cache-dependencies, cache]
+
 # Cache Helpers
 .cache-dependencies:
   variables:
@@ -15,27 +22,28 @@ include:
     paths:
       - vendor/ruby
       - node_modules/
-    policy: pull
 
 # Language Helpers
 .setup-languages:
+  extends: .base
   before_script:
     - !reference [.setup-ruby]
     - !reference [.setup-node]
 
 # Project Helpers
 .setup-project:
+  extends: .base
   services:
     - name: "postgres:${POSTGRES_VERSION}"
       alias: pg
+  variables:
+    DATABASE_URL: "postgres://postgres:${POSTGRES_PASSWORD}@${WSR_SERVICE_HOST_pg}:5432/${POSTGRES_DB}"
   before_script:
     - !reference [.setup-ruby]
-    - export DATABASE_URL="postgres://postgres:${POSTGRES_PASSWORD}@${WSR_SERVICE_HOST_pg}:5432/${POSTGRES_DB}"
     - bin/rails db:prepare
 
 .run-server:
   extends: .setup-project
-  dependencies: []
   variables:
     RAILS_ENV: ci
     SECRET_KEY_BASE_DUMMY: 1
@@ -46,21 +54,6 @@ include:
     - PORT=3000 bin/rails server > /dev/null 2>&1 &
     - sleep 5
 
-.owasp:setup:
-  stage: scan
-  extends: .run-server
-  image: "rcahearngsa/owasp-ruby:${RUBY_VERSION}"
-  variables:
-    WORKER_MEMORY: 3G
-    WORKER_DISK: 6G
-  before_script:
-    - !reference [.run-server, before_script]
-    - ln -s $PWD /zap/wrk
-  artifacts:
-    expose_as: "OWASP Report"
-    paths:
-      - zap_report.html
-
 .assets:builder:
   stage: deploy
   extends: .setup-languages