From ccaa0ba3f16cb29039f0bccab1583951b8f5267c Mon Sep 17 00:00:00 2001
From: Jumana B
Date: Tue, 7 Nov 2023 14:33:07 -0500
Subject: [PATCH 1/3] Remove server from response (#2017)
* Remove server from response
* fix typecheck
---
 gunicorn_config.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/gunicorn_config.py b/gunicorn_config.py
index 665655e00a..e43a7cb288 100644
--- a/gunicorn_config.py
+++ b/gunicorn_config.py
@@ -2,6 +2,7 @@
 import sys
 import traceback
+import gunicorn # type: ignore
 import newrelic.agent # See https://bit.ly/2xBVKBH
 newrelic.agent.initialize() # noqa: E402
@@ -11,6 +12,8 @@
 worker_connections = 256
 bind = "0.0.0.0:{}".format(os.getenv("PORT"))
 accesslog = "-"
+# Guincorn sets the server type on our app. We don't want to show it in the header in the response.
+gunicorn.SERVER = "Undisclosed"
 on_aws = os.environ.get("NOTIFY_ENVIRONMENT", "") in ["production", "staging", "scratch", "dev"]
 if on_aws:
From ac8e08783f6c5073fb28ff379271fa93904e6f60 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 8 Nov 2023 11:08:40 -0500
Subject: [PATCH 2/3] chore(deps): update all non-major github action dependencies (#1969)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 .github/workflows/build_and_push_performance_test.yml | 6 +++---
 .github/workflows/codeql.yml | 8 ++++----
 .github/workflows/docker-vulnerability-scan.yml | 8 ++++----
 .github/workflows/docker.yaml | 6 +++---
 .github/workflows/lambda_production.yml | 6 +++---
 .github/workflows/lambda_staging.yml | 4 ++--
 .github/workflows/performance.yml | 6 +++---
 .github/workflows/test.yaml | 8 ++++----
 8 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/.github/workflows/build_and_push_performance_test.yml b/.github/workflows/build_and_push_performance_test.yml
index 75a666f2f2..9afa851ff6 100644
--- a/.github/workflows/build_and_push_performance_test.yml
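Review bot: `gunicorn.SERVER = "Undisclosed"` overrides a module constant that gunicorn does not expose as a setting, so whether the `Server:` response header actually changes depends on this config file being executed before `gunicorn.http.wsgi` binds that name at import time (as far as I can tell it does `from gunicorn import SERVER`), and a future gunicorn upgrade could silently undo it with no error. Please confirm on a running worker (`curl -sI` and read the `Server:` line) and add that check to the smoke tests rather than trusting the comment. The comment also misspells the product and should state the constraint it relies on, e.g. `# Gunicorn advertises itself in the Server response header via its module-level SERVER constant; override it here, before the worker imports gunicorn.http.wsgi, so the header reads "Undisclosed" instead.` Note the header is still emitted with the replacement value, and any proxy or load balancer in front (the file branches on `NOTIFY_ENVIRONMENT` for AWS) may add its own Server header, so the end-to-end result is worth checking too. The `if on_aws:` block that follows continues outside the hunk.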
+++ b/.github/workflows/build_and_push_performance_test.yml @@ -20,7 +20,7 @@ jobs: images: ${{ steps.filter.outputs.changes }} steps: - name: Checkout - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter @@ -41,7 +41,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Build container run: | @@ -61,7 +61,7 @@ jobs: - name: Login to ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@2fc7aceee09e9e4a7105c0d060c656fad0b4f63d # v1.7.0 + uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1 - name: Push containers to ECR run: | diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 36669e3ef4..86e66abc6a 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -24,18 +24,18 @@ jobs: steps: - name: Checkout - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Initialize CodeQL - uses: github/codeql-action/init@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4 + uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5 with: languages: ${{ matrix.language }} queries: +security-and-quality - name: Autobuild - uses: github/codeql-action/autobuild@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4 + uses: github/codeql-action/autobuild@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4 + uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5 with: category: "/language:${{ matrix.language }}" 
diff --git a/.github/workflows/docker-vulnerability-scan.yml b/.github/workflows/docker-vulnerability-scan.yml index e8f85ed882..43b3c05ee5 100644 --- a/.github/workflows/docker-vulnerability-scan.yml +++ b/.github/workflows/docker-vulnerability-scan.yml @@ -27,12 +27,12 @@ jobs: - name: Login to ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@2fc7aceee09e9e4a7105c0d060c656fad0b4f63d # v1.7.0 + uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1 with: registry-type: public - name: Docker vulnerability scan - uses: cds-snc/security-tools/.github/actions/docker-scan@cfec0943e40dbb78cee115bbbe89dc17f07b7a0f # v2.1.3 + uses: cds-snc/security-tools/.github/actions/docker-scan@eecd7a02a0294b379411c126b61e5c29e253676a # v2.1.4 with: docker_image: "${{ env.DOCKER_IMAGE }}:latest" dockerfile_path: "${{ env.DOCKERFILE_PATH }}" @@ -62,10 +62,10 @@ jobs: - name: Login to ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@2fc7aceee09e9e4a7105c0d060c656fad0b4f63d # v1.7.0 + uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1 - name: Docker vulnerability scan - uses: cds-snc/security-tools/.github/actions/docker-scan@cfec0943e40dbb78cee115bbbe89dc17f07b7a0f # v2.1.3 + uses: cds-snc/security-tools/.github/actions/docker-scan@eecd7a02a0294b379411c126b61e5c29e253676a # v2.1.4 with: docker_image: "${{ env.DOCKER_IMAGE }}:${{ env.IMAGE_TAG }}" dockerfile_path: "${{ env.DOCKERFILE_PATH }}" diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index e5470da1c6..7c15abb9dc 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest name: Build and push steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install AWS CLI run: | curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" 
@@ -43,7 +43,7 @@ jobs: - name: Login to ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@2fc7aceee09e9e4a7105c0d060c656fad0b4f63d # v1.7.0 + uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1 with: registry-type: public @@ -90,7 +90,7 @@ jobs: TOKEN: ${{ steps.notify-pr-bot.outputs.token }} - name: Generate docker SBOM - uses: cds-snc/security-tools/.github/actions/generate-sbom@cfec0943e40dbb78cee115bbbe89dc17f07b7a0f # v2.1.3 + uses: cds-snc/security-tools/.github/actions/generate-sbom@eecd7a02a0294b379411c126b61e5c29e253676a # v2.1.4 with: docker_image: "${{ env.DOCKER_SLUG }}:latest" dockerfile_path: "ci/Dockerfile" diff --git a/.github/workflows/lambda_production.yml b/.github/workflows/lambda_production.yml index c1ca0aa1ed..9b3b7f2f11 100644 --- a/.github/workflows/lambda_production.yml +++ b/.github/workflows/lambda_production.yml @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Configure AWS credentials id: aws-creds @@ -43,14 +43,14 @@ jobs: - name: Login to ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@2fc7aceee09e9e4a7105c0d060c656fad0b4f63d # v1.7.0 + uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1 - name: Push containers to ECR run: | docker push $REGISTRY/${{ matrix.image }}:$IMAGE_TAG - name: Generate docker SBOM - uses: cds-snc/security-tools/.github/actions/generate-sbom@cfec0943e40dbb78cee115bbbe89dc17f07b7a0f # v2.1.3 + uses: cds-snc/security-tools/.github/actions/generate-sbom@eecd7a02a0294b379411c126b61e5c29e253676a # v2.1.4 with: docker_image: "${{ env.REGISTRY }}/${{ matrix.image }}:${{ env.IMAGE_TAG }}" dockerfile_path: "ci/Dockerfile.lambda" diff --git a/.github/workflows/lambda_staging.yml b/.github/workflows/lambda_staging.yml index 48a72b2cd5..9bd896bbe3 100644 
--- a/.github/workflows/lambda_staging.yml +++ b/.github/workflows/lambda_staging.yml @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Configure AWS credentials id: aws-creds @@ -39,7 +39,7 @@ jobs: - name: Login to ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@2fc7aceee09e9e4a7105c0d060c656fad0b4f63d # v1.7.0 + uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1 - name: Push containers to ECR run: | diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml index 67d9475956..5b8452e50d 100644 --- a/.github/workflows/performance.yml +++ b/.github/workflows/performance.yml @@ -9,14 +9,14 @@ jobs: steps: - name: Install libcurl run: sudo apt-get update && sudo apt-get install libssl-dev libcurl4-openssl-dev - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up Python 3.10 - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: '3.10' - name: Upgrade pip run: python -m pip install --upgrade pip - - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ~/.cache/pip key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }} diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 9cd02ab128..f7676deaa6 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml 
@@ -18,14 +18,14 @@ jobs: steps: - name: Install libcurl run: sudo apt-get update && sudo apt-get install libssl-dev libcurl4-openssl-dev - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up Python 3.10 - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: '3.10' - name: Upgrade pip run: python -m pip install --upgrade pip - - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ~/.cache/pip key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }} @@ -43,7 +43,7 @@ jobs: run: poetry run make test - name: Upload pytest logs on failure if: ${{ failure() }} - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: pytest-logs path: | From 8e0c99f771c12a621bd87a5a1c40e02dca3c8fa2 Mon Sep 17 00:00:00 2001 From: "sre-read-write[bot]" <92993749+sre-read-write[bot]@users.noreply.github.com> Date: Wed, 8 Nov 2023 16:23:12 +0000 Subject: [PATCH 3/3] chore: created local '.github/workflows/backstage-catalog-helper.yml' from remote 'tools/sre_file_sync/backstage-catalog-helper.yml' (#2010) Co-authored-by: sre-read-write[bot] <92993749+sre-read-write[bot]@users.noreply.github.com> --- .../workflows/backstage-catalog-helper.yml | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 .github/workflows/backstage-catalog-helper.yml diff --git a/.github/workflows/backstage-catalog-helper.yml b/.github/workflows/backstage-catalog-helper.yml new file mode 100644 index 0000000000..2ed8456286 --- /dev/null +++ b/.github/workflows/backstage-catalog-helper.yml 
@@ -0,0 +1,37 @@
+name: Backstage Catalog Info Helper
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "0 0 * * *"
+
+jobs:
+ update-catalog-info:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Actions
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ with:
+ fetch-depth: 0
+ - name: Run Backstage Catalog Info Helper
+ uses: cds-snc/backstage-catalog-info-helper-action@v0.3.1
+ with:
+ github_app_id: ${{ secrets.SRE_BOT_RW_APP_ID }}
+ github_app_private_key: ${{ secrets.SRE_BOT_RW_PRIVATE_KEY }}
+ github_organization: cds-snc
+ - name: impersonate Read/Write GH App
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+ id: generate_token
+ with:
+ app_id: ${{ secrets.SRE_BOT_RW_APP_ID }}
+ private_key: ${{ secrets.SRE_BOT_RW_PRIVATE_KEY }}
+ - name: Create pull request
+ uses: peter-evans/create-pull-request@v3
+ with:
+ token: ${{ steps.generate_token.outputs.token}}
+ commit-message: 'Add catalog-info.yaml'
+ branch: 'backstage/catalog-info'
+ title: 'Add catalog-info.yaml'
+ body: 'Adding a basic catalog-info.yaml to start populating the backstage catalog with your components.'
+ labels: 'backstage'
+ add-paths: |
+ catalog-info.yaml
\ No newline at end of file
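Review bot: The workflow declares no `permissions:` block, so the job's default `GITHUB_TOKEN` keeps whatever the repository default grants while the same job also holds `SRE_BOT_RW_PRIVATE_KEY`, which mints an org-level read/write token; as far as is visible every write goes through that app token and checkout only needs to read, so add `permissions:` / `  contents: read` at the top of the file. Two of the four steps, `cds-snc/backstage-catalog-info-helper-action@v0.3.1` and `peter-evans/create-pull-request@v3`, are pinned to mutable tags even though every other workflow in this series pins actions to a commit SHA with a `# vX.Y.Z` comment, and those two steps are exactly the ones that receive the private key and the minted token, so a moved tag is a credential-exfiltration path; pin them to the tag's commit SHA and add the version comment (the two SHA-pinned steps here lack it as well). The private key is also handed to two separate third-party actions; if the helper action can take the token from `generate_token` instead, the key would only ever reach one action, but I cannot see the helper's inputs to confirm. Since the commit says this file is synced from `tools/sre_file_sync`, the fix belongs in that template or it will be overwritten on the next sync.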