dbca-wa · ropable · Nov 28, 2023 · Oct 18, 2023 · Nov 28, 2023 · Nov 28, 2023
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "github-actions"
+    # Workflow files stored in the
+    # default location of `.github/workflows`
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/image-build-scan.yml b/.github/workflows/image-build-scan.yml
@@ -23,25 +23,25 @@ jobs:
       security-events: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           flavor: |
             latest=true
       - name: Build and push Docker image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}

diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
@@ -28,7 +28,7 @@ jobs:
       # Checkout repo and set up Python
       #----------------------------------------------
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Set up Python
         uses: actions/setup-python@v4
         id: setup-python

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,11 @@
+repos:
+- repo: local
+  hooks:
+    - id: trufflehog
+      name: TruffleHog
+      description: Detect secrets in your data.
+      entry: bash -c 'trufflehog git file://. --since-commit HEAD --only-verified --fail --no-update'
+      # For running trufflehog in docker, use the following entry instead:
+      # entry: bash -c 'docker run --rm -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --since-commit HEAD --only-verified --fail'
+      language: system
+      stages: ["commit", "push"]
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,6 @@
+# syntax=docker/dockerfile:1
 # Prepare the base environment.
-FROM python:3.10.12-slim-bookworm as builder_base_ibms
+FROM python:3.10.13-slim as builder_base_ibms
 MAINTAINER [email protected]
 LABEL org.opencontainers.image.source https://github.com/dbca-wa/ibms
 
@@ -18,7 +19,7 @@ COPY poetry.lock pyproject.toml ./
 RUN poetry config virtualenvs.create false \
   && poetry install --no-interaction --no-ansi --only main
 
-# Install a non-root user.
+# Create a non-root user.
 ARG UID=10001
 ARG GID=10001
 RUN groupadd -g "${GID}" appuser \

diff --git a/README.md b/README.md
@@ -43,3 +43,16 @@ Run console commands manually:
 To build a new Docker image from the `Dockerfile`:
 
     docker image build -t ghcr.io/dbca-wa/ibms .
+
+# Pre-commit hooks
+
+This project includes the following pre-commit hooks:
+
+- TruffleHog (credential scanning): https://github.com/marketplace/actions/trufflehog-oss
+
+Pre-commit hooks may have additional system dependencies to run. Optionally
+install pre-commit hooks locally like so:
+
+    poetry run pre-commit install
+
+Reference: https://pre-commit.com/
diff --git a/ibms_project/settings.py b/ibms_project/settings.py
@@ -3,6 +3,7 @@
 import os
 from pathlib import Path
 import sys
+import tomli
 
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = str(Path(__file__).resolve().parents[1])
@@ -80,7 +81,8 @@
 ]
 SITE_TITLE = 'Integrated Business Management System'
 SITE_ACRONYM = 'IBMS'
-APPLICATION_VERSION_NO = '2.8.1'
+project = tomli.load(open(os.path.join(BASE_DIR, "pyproject.toml"), "rb"))
+APPLICATION_VERSION_NO = project["tool"]["poetry"]["version"]
 MANAGERS = (
     ('Zen Wee', '[email protected]', '9219 9928'),
     ('Graham Holmes', '[email protected]', '9881 9212'),

diff --git a/kustomize/base/deployment.yaml b/kustomize/base/deployment.yaml
@@ -10,6 +10,8 @@ spec:
     spec:
       containers:
       - name: ibms
+        image: ghcr.io/dbca-wa/ibms
+        imagePullPolicy: Always
         env:
         - name: ALLOWED_HOSTS
           value: ".dbca.wa.gov.au"

diff --git a/kustomize/base/kustomization.yaml b/kustomize/base/kustomization.yaml
@@ -1,3 +1,3 @@
 resources:
-- deployment.yaml
-- service.yaml
+  - deployment.yaml
+  - service.yaml
diff --git a/kustomize/overlays/prod/deployment_patch.yaml b/kustomize/overlays/prod/deployment_patch.yaml
@@ -15,7 +15,6 @@ spec:
     spec:
       containers:
       - name: ibms
-        image: ghcr.io/dbca-wa/ibms:2.8.1
         imagePullPolicy: IfNotPresent
         env:
         - name: IBMS_URL

diff --git a/kustomize/overlays/prod/kustomization.yaml b/kustomize/overlays/prod/kustomization.yaml
@@ -2,18 +2,21 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 nameSuffix: -prod
 secretGenerator:
-- name: ibms-env
-  type: Opaque
-  envs:
-  - .env
+  - name: ibms-env
+    type: Opaque
+    envs:
+    - .env
 resources:
-- ../../base
-- ingress.yaml
-- pdb.yaml
+  - ../../base
+  - ingress.yaml
+  - pdb.yaml
 labels:
-- includeSelectors: true
-  pairs:
-    variant: prod
+  - includeSelectors: true
+    pairs:
+      variant: prod
+images:
+  - name: ghcr.io/dbca-wa/ibms
+    newTag: 2.8.2
 patches:
-- path: deployment_patch.yaml
-- path: service_patch.yaml
+  - path: deployment_patch.yaml
+  - path: service_patch.yaml
diff --git a/kustomize/overlays/uat/deployment_patch.yaml b/kustomize/overlays/uat/deployment_patch.yaml
@@ -15,8 +15,6 @@ spec:
     spec:
       containers:
       - name: ibms
-        image: ghcr.io/dbca-wa/ibms
-        imagePullPolicy: Always
         env:
         - name: IBMS_URL
           value: "https://ibms-uat.dbca.wa.gov.au"

diff --git a/kustomize/overlays/uat/kustomization.yaml b/kustomize/overlays/uat/kustomization.yaml
@@ -2,18 +2,18 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 nameSuffix: -uat
 secretGenerator:
-- name: ibms-env
-  type: Opaque
-  envs:
-  - .env
+  - name: ibms-env
+    type: Opaque
+    envs:
+    - .env
 resources:
-- ../../base
-- ingress.yaml
-- pdb.yaml
+  - ../../base
+  - ingress.yaml
+  - pdb.yaml
 labels:
-- includeSelectors: true
-  pairs:
-    variant: uat
+  - includeSelectors: true
+    pairs:
+      variant: uat
 patches:
-- path: deployment_patch.yaml
-- path: service_patch.yaml
+  - path: deployment_patch.yaml
+  - path: service_patch.yaml