From ea264b94995048e66080205b869c3a7e9800b296 Mon Sep 17 00:00:00 2001 From: Neil Martinsen-Burrell Date: Tue, 21 Nov 2023 09:44:29 -0600 Subject: [PATCH 1/7] Change cg-deploy-action to cg-cli-tools --- .github/workflows/deploy-sandbox.yaml | 2 +- .github/workflows/deploy-stable.yaml | 5 ++--- .github/workflows/deploy-staging.yaml | 7 +++---- .github/workflows/migrate.yaml | 4 ++-- .github/workflows/reset-db.yaml | 12 ++++++------ 5 files changed, 14 insertions(+), 16 deletions(-) diff --git a/.github/workflows/deploy-sandbox.yaml b/.github/workflows/deploy-sandbox.yaml index 01079a670..76e5358af 100644 --- a/.github/workflows/deploy-sandbox.yaml +++ b/.github/workflows/deploy-sandbox.yaml @@ -45,7 +45,7 @@ jobs: working-directory: ./src run: docker compose run app python manage.py collectstatic --no-input - name: Deploy to cloud.gov sandbox - uses: 18f/cg-deploy-action@main + uses: cloud-gov/cg-cli-tools@main env: DEPLOY_NOW: thanks ENVIRONMENT: ${{ needs.variables.outputs.environment }} diff --git a/.github/workflows/deploy-stable.yaml b/.github/workflows/deploy-stable.yaml index 0a40ac097..bc8daf403 100644 --- a/.github/workflows/deploy-stable.yaml +++ b/.github/workflows/deploy-stable.yaml @@ -30,12 +30,11 @@ jobs: working-directory: ./src run: docker compose run app python manage.py collectstatic --no-input - name: Deploy to cloud.gov sandbox - uses: 18f/cg-deploy-action@main + uses: cloud-gov/cg-cli-tools@main env: - DEPLOY_NOW: thanks + MANIFEST: "ops/manifests/manifest-stable.yaml" with: cf_username: ${{ secrets.CF_STABLE_USERNAME }} cf_password: ${{ secrets.CF_STABLE_PASSWORD }} cf_org: cisa-dotgov cf_space: stable - push_arguments: "-f ops/manifests/manifest-stable.yaml" diff --git a/.github/workflows/deploy-staging.yaml b/.github/workflows/deploy-staging.yaml index 1db63e2a2..fd2fbc9c5 100644 --- a/.github/workflows/deploy-staging.yaml +++ b/.github/workflows/deploy-staging.yaml 
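Review bot: `uses: cloud-gov/cg-cli-tools@main` in the deploy-sandbox hunk tracks a mutable branch, and the step hands that action `cf_username` and `cf_password` for the cloud.gov space, so any later commit to that branch runs with deploy credentials without review in this repository. Pin the reference to a full commit SHA and keep the readable version in a trailing comment, e.g. `uses: cloud-gov/cg-cli-tools@<full-commit-sha>  # <tag or date>`, and let a dependency-update bot propose the bumps. The same floating ref appears in the deploy-stable, deploy-staging, migrate and reset-db hunks of this patch and in the later patches of the series. The previous `18f/cg-deploy-action@main` had the same property, so this is not a regression, but the change of owner is a natural moment to fix it.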
@@ -9,7 +9,7 @@ on: - 'docs/**' - '**.md' - '.gitignore' - + tags: - staging-* @@ -30,12 +30,11 @@ jobs: working-directory: ./src run: docker compose run app python manage.py collectstatic --no-input - name: Deploy to cloud.gov sandbox - uses: 18f/cg-deploy-action@main + uses: cloud-gov/cg-cli-tools@main env: - DEPLOY_NOW: thanks + MANIFEST: "ops/manifests/manifest-staging.yaml" with: cf_username: ${{ secrets.CF_STAGING_USERNAME }} cf_password: ${{ secrets.CF_STAGING_PASSWORD }} cf_org: cisa-dotgov cf_space: staging - push_arguments: "-f ops/manifests/manifest-staging.yaml" diff --git a/.github/workflows/migrate.yaml b/.github/workflows/migrate.yaml index 3b1035657..9ea7c40ee 100644 --- a/.github/workflows/migrate.yaml +++ b/.github/workflows/migrate.yaml @@ -35,10 +35,10 @@ jobs: CF_PASSWORD: CF_${{ github.event.inputs.environment }}_PASSWORD steps: - name: Run Django migrations for ${{ github.event.inputs.environment }} - uses: 18f/cg-deploy-action@main + uses: cloud-gov/cg-deploy-action@main with: cf_username: ${{ secrets[env.CF_USERNAME] }} cf_password: ${{ secrets[env.CF_PASSWORD] }} cf_org: cisa-dotgov cf_space: ${{ github.event.inputs.environment }} - full_command: "cf run-task getgov-${{ github.event.inputs.environment }} --command 'python manage.py migrate' --name migrate" + cf_command: "run-task getgov-${{ github.event.inputs.environment }} --command 'python manage.py migrate' --name migrate" diff --git a/.github/workflows/reset-db.yaml b/.github/workflows/reset-db.yaml index 654fa27b5..2393356b0 100644 --- a/.github/workflows/reset-db.yaml +++ b/.github/workflows/reset-db.yaml 
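Review bot: `cf_command` in the migrate.yaml hunk expands `${{ github.event.inputs.environment }}` straight into the command string, so the dispatch input reaches the cf CLI arguments unvalidated unless the `workflow_dispatch` input is declared as a `choice`; that declaration, and how the action executes the string, are outside the hunk. The same value also selects the credentials through `secrets[env.CF_USERNAME]` and `secrets[env.CF_PASSWORD]`. If the input is free-form, restrict it to the known space names with `type: choice`, or add a first step that fails when the value is not in an allow-list. If it is already a choice, a comment above the step such as `# environment is a choice input; only listed spaces reach cf_command` would make that dependency visible. The three `cf_command` lines in the reset-db.yaml hunk of this patch follow the same pattern.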
@@ -36,28 +36,28 @@ jobs: CF_PASSWORD: CF_${{ github.event.inputs.environment }}_PASSWORD steps: - name: Delete existing data for ${{ github.event.inputs.environment }} - uses: 18f/cg-deploy-action@main + uses: cloud-gov/cg-cli-tools@main with: cf_username: ${{ secrets[env.CF_USERNAME] }} cf_password: ${{ secrets[env.CF_PASSWORD] }} cf_org: cisa-dotgov cf_space: ${{ github.event.inputs.environment }} - full_command: "cf run-task getgov-${{ github.event.inputs.environment }} --command 'python manage.py flush --no-input' --name flush" + cf_command: "run-task getgov-${{ github.event.inputs.environment }} --command 'python manage.py flush --no-input' --name flush" - name: Run Django migrations for ${{ github.event.inputs.environment }} - uses: 18f/cg-deploy-action@main + uses: cloud-gov/cg-cli-tools@main with: cf_username: ${{ secrets[env.CF_USERNAME] }} cf_password: ${{ secrets[env.CF_PASSWORD] }} cf_org: cisa-dotgov cf_space: ${{ github.event.inputs.environment }} - full_command: "cf run-task getgov-${{ github.event.inputs.environment }} --command 'python manage.py migrate' --name migrate" + cf_command: "run-task getgov-${{ github.event.inputs.environment }} --command 'python manage.py migrate' --name migrate" - name: Load fake data for ${{ github.event.inputs.environment }} - uses: 18f/cg-deploy-action@main + uses: cloud-gov/cg-cli-tools@main with: cf_username: ${{ secrets[env.CF_USERNAME] }} cf_password: ${{ secrets[env.CF_PASSWORD] }} cf_org: cisa-dotgov cf_space: ${{ github.event.inputs.environment }} - full_command: "cf run-task getgov-${{ github.event.inputs.environment }} --command 'python manage.py load' --name loaddata" + cf_command: "run-task getgov-${{ github.event.inputs.environment }} --command 'python manage.py load' --name loaddata" From 9fd6289ffd471a06d3260a218cf771805d0d1065 Mon Sep 17 00:00:00 2001 
From: Neil Martinsen-Burrell Date: Tue, 21 Nov 2023 11:56:45 -0600 Subject: [PATCH 2/7] Fix deploy-sandbox to use MANIFEST --- .github/workflows/deploy-sandbox.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/deploy-sandbox.yaml b/.github/workflows/deploy-sandbox.yaml index 76e5358af..bf3b5daf2 100644 --- a/.github/workflows/deploy-sandbox.yaml +++ b/.github/workflows/deploy-sandbox.yaml @@ -47,16 +47,15 @@ jobs: - name: Deploy to cloud.gov sandbox uses: cloud-gov/cg-cli-tools@main env: - DEPLOY_NOW: thanks ENVIRONMENT: ${{ needs.variables.outputs.environment }} CF_USERNAME: CF_${{ needs.variables.outputs.environment }}_USERNAME CF_PASSWORD: CF_${{ needs.variables.outputs.environment }}_PASSWORD + MANIFEST: "ops/manifests/manifest-${{ needs.variables.outputs.environment }}.yaml" with: cf_username: ${{ secrets[env.CF_USERNAME] }} cf_password: ${{ secrets[env.CF_PASSWORD] }} cf_org: cisa-dotgov cf_space: ${{ env.ENVIRONMENT }} - push_arguments: "-f ops/manifests/manifest-${{ env.ENVIRONMENT }}.yaml" comment: runs-on: ubuntu-latest needs: [variables, deploy] From 934b28af7698e99d5eba2f0a02b1fd890d7bb018 Mon Sep 17 00:00:00 2001 From: Neil Martinsen-Burrell Date: Tue, 21 Nov 2023 12:17:11 -0600 Subject: [PATCH 3/7] Try again to fix deploy-sandbox --- .github/workflows/deploy-sandbox.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-sandbox.yaml b/.github/workflows/deploy-sandbox.yaml index bf3b5daf2..3755b0edf 100644 --- a/.github/workflows/deploy-sandbox.yaml +++ b/.github/workflows/deploy-sandbox.yaml 
@@ -50,7 +50,7 @@ jobs: ENVIRONMENT: ${{ needs.variables.outputs.environment }} CF_USERNAME: CF_${{ needs.variables.outputs.environment }}_USERNAME CF_PASSWORD: CF_${{ needs.variables.outputs.environment }}_PASSWORD - MANIFEST: "ops/manifests/manifest-${{ needs.variables.outputs.environment }}.yaml" + MANIFEST: ops/manifests/manifest-${{ needs.variables.outputs.environment }}.yaml with: cf_username: ${{ secrets[env.CF_USERNAME] }} cf_password: ${{ secrets[env.CF_PASSWORD] }} From dec025cc4adbb0dfa7b5c6a058eb4caa76d85d00 Mon Sep 17 00:00:00 2001 From: Neil Martinsen-Burrell Date: Tue, 21 Nov 2023 12:23:09 -0600 Subject: [PATCH 4/7] Use cf_manifest to specify the manifest location --- .github/workflows/deploy-sandbox.yaml | 2 +- .github/workflows/deploy-stable.yaml | 3 +-- .github/workflows/deploy-staging.yaml | 3 +-- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/deploy-sandbox.yaml b/.github/workflows/deploy-sandbox.yaml index 3755b0edf..4e5e159d5 100644 --- a/.github/workflows/deploy-sandbox.yaml +++ b/.github/workflows/deploy-sandbox.yaml @@ -50,12 +50,12 @@ jobs: ENVIRONMENT: ${{ needs.variables.outputs.environment }} CF_USERNAME: CF_${{ needs.variables.outputs.environment }}_USERNAME CF_PASSWORD: CF_${{ needs.variables.outputs.environment }}_PASSWORD - MANIFEST: ops/manifests/manifest-${{ needs.variables.outputs.environment }}.yaml with: cf_username: ${{ secrets[env.CF_USERNAME] }} cf_password: ${{ secrets[env.CF_PASSWORD] }} cf_org: cisa-dotgov cf_space: ${{ env.ENVIRONMENT }} + cf_manifest: ops/manifests/manifest-${{ env.environment }}.yaml comment: runs-on: ubuntu-latest needs: [variables, deploy] diff --git a/.github/workflows/deploy-stable.yaml b/.github/workflows/deploy-stable.yaml index bc8daf403..1e643ef9a 100644 --- a/.github/workflows/deploy-stable.yaml +++ b/.github/workflows/deploy-stable.yaml 
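Review bot: `cf_manifest: ops/manifests/manifest-${{ env.environment }}.yaml` in the deploy-sandbox hunk of patch 4 builds a file path from the same value that names the credential secrets (`CF_${{ needs.variables.outputs.environment }}_USERNAME`), and the `variables` job that produces it is outside the hunk. If that output is derived from a branch or ref name, an unexpected value would select a different manifest path or secret name, so confirm that the `variables` job limits it to the known sandbox names. A comment above `env:` such as `# environment comes from the variables job and is limited to existing sandbox spaces` would record that assumption next to the lines that depend on it.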
@@ -31,10 +31,9 @@ jobs: run: docker compose run app python manage.py collectstatic --no-input - name: Deploy to cloud.gov sandbox uses: cloud-gov/cg-cli-tools@main - env: - MANIFEST: "ops/manifests/manifest-stable.yaml" with: cf_username: ${{ secrets.CF_STABLE_USERNAME }} cf_password: ${{ secrets.CF_STABLE_PASSWORD }} cf_org: cisa-dotgov cf_space: stable + cf_manifest: "ops/manifests/manifest-stable.yaml" diff --git a/.github/workflows/deploy-staging.yaml b/.github/workflows/deploy-staging.yaml index fd2fbc9c5..fa4543637 100644 --- a/.github/workflows/deploy-staging.yaml +++ b/.github/workflows/deploy-staging.yaml @@ -31,10 +31,9 @@ jobs: run: docker compose run app python manage.py collectstatic --no-input - name: Deploy to cloud.gov sandbox uses: cloud-gov/cg-cli-tools@main - env: - MANIFEST: "ops/manifests/manifest-staging.yaml" with: cf_username: ${{ secrets.CF_STAGING_USERNAME }} cf_password: ${{ secrets.CF_STAGING_PASSWORD }} cf_org: cisa-dotgov cf_space: staging + cf_manifest: "ops/manifests/manifest-staging.yaml" From 1f1d27015485015653d66e6b6ee5f73360a7f378 Mon Sep 17 00:00:00 2001 From: Neil Martinsen-Burrell Date: Tue, 21 Nov 2023 12:33:16 -0600 Subject: [PATCH 5/7] Mis-spelled ENVIRONMENT --- .github/workflows/deploy-sandbox.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-sandbox.yaml b/.github/workflows/deploy-sandbox.yaml index 4e5e159d5..831d7c50d 100644 --- a/.github/workflows/deploy-sandbox.yaml +++ b/.github/workflows/deploy-sandbox.yaml @@ -55,7 +55,7 @@ jobs: cf_password: ${{ secrets[env.CF_PASSWORD] }} cf_org: cisa-dotgov cf_space: ${{ env.ENVIRONMENT }} - cf_manifest: ops/manifests/manifest-${{ env.environment }}.yaml + cf_manifest: ops/manifests/manifest-${{ env.ENVIRONMENT }}.yaml comment: runs-on: ubuntu-latest needs: [variables, deploy] From cc2055f4e2a34f744645e185c097ccf709cee7c6 Mon Sep 17 00:00:00 2001 
From: Neil Martinsen-Burrell Date: Thu, 30 Nov 2023 11:43:31 -0600 Subject: [PATCH 6/7] Fix action name typo --- .github/workflows/migrate.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/migrate.yaml b/.github/workflows/migrate.yaml index 9ea7c40ee..ccea1ffd4 100644 --- a/.github/workflows/migrate.yaml +++ b/.github/workflows/migrate.yaml @@ -35,7 +35,7 @@ jobs: CF_PASSWORD: CF_${{ github.event.inputs.environment }}_PASSWORD steps: - name: Run Django migrations for ${{ github.event.inputs.environment }} - uses: cloud-gov/cg-deploy-action@main + uses: cloud-gov/cg-cli-tools@main with: cf_username: ${{ secrets[env.CF_USERNAME] }} cf_password: ${{ secrets[env.CF_PASSWORD] }} From 4ac8f9e1173216fe943050b6f7649d80bded94bf Mon Sep 17 00:00:00 2001 From: Neil Martinsen-Burrell Date: Thu, 30 Nov 2023 12:00:37 -0600 Subject: [PATCH 7/7] More OWASP ignores --- src/zap.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/zap.conf b/src/zap.conf index 61b3c1886..e7dc980b0 100644 --- a/src/zap.conf +++ b/src/zap.conf @@ -64,7 +64,9 @@ 10038 OUTOFSCOPE http://app:8080/withdrawconfirmed 10038 OUTOFSCOPE http://app:8080/dns 10038 OUTOFSCOPE http://app:8080/dnssec +10038 OUTOFSCOPE http://app:8080/dns/nameservers 10038 OUTOFSCOPE http://app:8080/dns/dnssec +10038 OUTOFSCOPE http://app:8080/dns/dnssec/dsdata # This URL always returns 404, so include it as well. 10038 OUTOFSCOPE http://app:8080/todo # OIDC isn't configured in the test environment and DEBUG=True so this gives a 500 without CSP headers
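Review bot: The two added `10038 OUTOFSCOPE` lines for `/dns/nameservers` and `/dns/dnssec/dsdata` in the src/zap.conf hunk carry no reason, unlike the `/todo` and OIDC entries below them, which each have a comment. Judging by those neighbouring comments, rule 10038 is the missing-CSP-header check, so each exclusion hides that finding for a page users can reach, and a reader cannot tell whether the header is absent only in the test environment or in production too. Add a line such as `# <reason the CSP header is absent here> - tracked in <issue reference>` above the new entries so the suppressions can be reviewed and removed once the pages send the header.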