Merge pull request #180 from ropable/master

Update several user-facing views, use Alpine-based Dockerfile, bump dependencies, bump project dependencies.
dbca-wa · Dec 9, 2024 · 37b7a8b · 37b7a8b
2 parents 568b255 + 74da4ab
commit 37b7a8b
Show file tree

Hide file tree

Showing 40 changed files with 2,619 additions and 3,195 deletions.
diff --git a/.github/workflows/image-build-scan.yml b/.github/workflows/image-build-scan.yml
@@ -2,12 +2,11 @@ name: "Build Docker image and run Trivy vulnerability scan"
 
 on:
   push:
-    # Publish `master` as `latest` image.
-    branches: [ master ]
-    # Publish `2.*` tags as releases.
-    tags: [ '2.*' ]
+    branches: [master, dev]
+    # Publish tagged commits as releases.
+    tags: ["*"]
   pull_request:
-    branches: [ master ]
+    branches: [master]
 
 env:
   REGISTRY: ghcr.io
@@ -77,15 +76,18 @@ jobs:
       # Run vulnerability scan on built image
       #----------------------------------------------
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
         with:
-          scan-type: 'image'
+          scan-type: "image"
+          scanners: "vuln"
           image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          vuln-type: 'os,library'
-          severity: 'HIGH,CRITICAL'
-          format: 'sarif'
-          output: 'trivy-results.sarif'
+          vuln-type: "os,library"
+          severity: "HIGH,CRITICAL"
+          format: "sarif"
+          output: "trivy-results.sarif"
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: "trivy-results.sarif"
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
@@ -1,12 +1,10 @@
 name: "Run unit tests"
 
 on:
-  # Triggers the workflow on push or pull request events but only for the master branch
   push:
-    branches: [ master ]
+    branches: [master, dev]
   pull_request:
-    branches: [ master ]
-  workflow_dispatch:
+    branches: [master]
 
 jobs:
   run_tests:
@@ -33,7 +31,7 @@ jobs:
         uses: actions/setup-python@v5
         id: setup-python
         with:
-          python-version: '3.12'
+          python-version: "3.12"
       #----------------------------------------------
       # Install & configure Poetry
       #----------------------------------------------

diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
@@ -0,0 +1,25 @@
+name: "Scan project for secrets & sensitive information"
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  secret-scan:
+    name: Scan project for secrets
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Secret scanning
+      uses: trufflesecurity/trufflehog@main
+      with:
+        base: ""
+        head: ${{ github.ref_name }}
+        extra_args: --only-verified
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -8,4 +8,4 @@ repos:
       # For running trufflehog in docker, use the following entry instead:
       # entry: bash -c 'docker run --rm -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --since-commit HEAD --only-verified --fail'
       language: system
-      stages: ["commit", "push"]
+      stages: ["pre-commit", "pre-push"]
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 # Prepare the base environment.
-FROM python:3.12.6-alpine AS builder_base_ibms
+FROM python:3.12.8-alpine AS builder_base
 LABEL [email protected]
 LABEL org.opencontainers.image.source=https://github.com/dbca-wa/ibms
 
@@ -17,10 +17,10 @@ RUN addgroup -g ${GID} appuser \
   && adduser -H -D -u ${UID} -G appuser appuser
 
 # Install Python libs using Poetry.
-FROM builder_base_ibms AS python_libs_ibms
+FROM builder_base AS python_libs_ibms
 WORKDIR /app
 COPY poetry.lock pyproject.toml ./
-ARG POETRY_VERSION=1.8.3
+ARG POETRY_VERSION=1.8.5
 RUN pip install --no-cache-dir --root-user-action=ignore poetry==${POETRY_VERSION} \
   && poetry config virtualenvs.create false \
   && poetry install --no-interaction --no-ansi --only main

diff --git a/README.md b/README.md
@@ -4,55 +4,59 @@ This project consists of the Integrated Business Management System
 (IBMS) corporate application, used by the Department of Biodiversity,
 Conservation and Attractions.
 
-# Installation
+## Installation
 
 The recommended way to set up this project for development is using
 [Poetry](https://python-poetry.org/docs/) to install and manage a virtual Python
 environment. With Poetry installed, change into the project directory and run:
 
     poetry install
 
-To run Python commands in the virtualenv, thereafter run them like so:
+Activate the virtualenv like so:
 
-    poetry run python manage.py
+    poetry shell
+
+To run Python commands in the activated virtualenv, thereafter run them like so:
+
+    python manage.py
 
 Manage new or updating project dependencies with Poetry also, like so:
 
     poetry add newpackage==1.0
 
-# Environment variables
+## Environment variables
 
 This project uses environment variables (in a `.env` file) to define application settings.
 Required settings are as follows:
 
     DATABASE_URL="postgis://USER:PASSWORD@HOST:PORT/DATABASE_NAME"
     SECRET_KEY="ThisIsASecretKey"
 
-# Running
+## Running
 
 Use `runserver` to run a local copy of the application:
 
-    poetry run python manage.py runserver 0:8080
+    python manage.py runserver 0:8080
 
 Run console commands manually:
 
-    poetry run python manage.py shell_plus
+    python manage.py shell_plus
 
-# Docker image
+## Docker image
 
 To build a new Docker image from the `Dockerfile`:
 
     docker image build -t ghcr.io/dbca-wa/ibms .
 
-# Pre-commit hooks
+## Pre-commit hooks
 
 This project includes the following pre-commit hooks:
 
-- TruffleHog: https://docs.trufflesecurity.com/docs/scanning-git/precommit-hooks/
+- TruffleHog: <https://docs.trufflesecurity.com/docs/scanning-git/precommit-hooks/>
 
 Pre-commit hooks may have additional system dependencies to run. Optionally
 install pre-commit hooks locally like so:
 
     poetry run pre-commit install
 
-Reference: https://pre-commit.com/
+Reference: <https://pre-commit.com/>
diff --git a/SECURITY.md b/SECURITY.md
@@ -25,13 +25,13 @@ do not, please follow up via email to ensure we received your original message.
 Please include the requested information listed below (as much as you can provide)
 to help us better understand the nature and scope of the possible issue:
 
-  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
-  * Full paths of source file(s) related to the manifestation of the issue
-  * The location of the affected source code (tag/branch/commit or direct URL)
-  * Any special configuration required to reproduce the issue
-  * Step-by-step instructions to reproduce the issue
-  * Proof-of-concept or exploit code (if possible)
-  * Impact of the issue, including how an attacker might exploit the issue
+- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+- Full paths of source file(s) related to the manifestation of the issue
+- The location of the affected source code (tag/branch/commit or direct URL)
+- Any special configuration required to reproduce the issue
+- Step-by-step instructions to reproduce the issue
+- Proof-of-concept or exploit code (if possible)
+- Impact of the issue, including how an attacker might exploit the issue
 
 This information will help us triage your report more quickly. Please note that
 we prefer all communications to be in English.

diff --git a/ibms_project/context_processors.py b/ibms_project/context_processors.py
@@ -2,15 +2,16 @@
 
 
 def standard(request):
-    '''
+    """
     Define a dictionary of context variables to pass to every template.
-    '''
+    """
     context = {
-        'page_title': settings.SITE_TITLE,
-        'page_description': 'The Integrated Business Management System (IBMS) is designed to improve the integration of the Department’s strategic planning and budget management functions.',
-        'site_title': settings.SITE_TITLE,
-        'site_acronym': settings.SITE_ACRONYM,
-        'application_version_no': settings.APPLICATION_VERSION_NO,
-        'user_navbar': 'ibms/user_navbar_li.html',
+        "page_title": settings.SITE_TITLE,
+        "page_description": "The Integrated Business Management System (IBMS) is designed to improve the integration of the Department’s strategic planning and budget management functions.",
+        "site_title": settings.SITE_TITLE,
+        "site_acronym": settings.SITE_ACRONYM,
+        "application_version_no": settings.APPLICATION_VERSION_NO,
+        "sharepoint_ibms": settings.SHAREPOINT_IBMS,
+        "user_navbar": "ibms/user_navbar_li.html",
     }
     return context