Merge branch 'develop' into chore/fix-snyk-vulnerabilities

opengovsg · Sep 25, 2023 · 662fcf2 · 662fcf2
2 parents 07447ec + 9e69857
commit 662fcf2
Show file tree

Hide file tree

Showing 23 changed files with 20,447 additions and 17,327 deletions.
diff --git a/.github/workflows/aws-deploy-scanner.yml b/.github/workflows/aws-deploy-scanner.yml
@@ -11,6 +11,10 @@ on:
         description: 'Provisioned concurrency'
         required: true
         type: number
+      checkoutBranch:
+        description: 'Branch to checkout code from'
+        required: true
+        type: string
 
 permissions:
   id-token: write
@@ -22,15 +26,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout source code from specified branch if it is a scheduled run
+      - name: Checkout source code from specified checkout branch
         uses: actions/checkout@v3
-        if: ${{ github.event_name == 'schedule' }}
         with:
-          ref: ${{ inputs.environment }}
-
-      - name: Checkout source code
-        uses: actions/checkout@v3
-        if: ${{ github.event_name != 'schedule' }}
+          ref: ${{ inputs.checkoutBranch }}
 
       - name: Setup Node.js
         uses: actions/setup-node@v3

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -29,7 +29,6 @@ jobs:
               - src/**
               - package.json
               - package-lock.json
-            
 
   install:
     runs-on: ubuntu-latest
@@ -38,14 +37,9 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v3
         with:
-          node-version: 18
+          node-version: 14
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
-      - name: Cache Node modules
-        uses: actions/cache@v2
-        with:
-          path: '**/node_modules'
-          key: ${{ runner.OS }}-node-modules-${{ hashFiles('**/package-lock.json') }}
       - run: npm ci
 
   build:
@@ -57,18 +51,13 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v3
         with:
-          node-version: 18
+          node-version: 14
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
-      # Load cached node_modules
-      - name: Cache Node modules
-        uses: actions/cache@v2
-        with:
-          path: '**/node_modules'
-          key: ${{ runner.OS }}-node-modules-${{ hashFiles('**/package-lock.json') }}
+      - run: npm ci
       - run: npm run build
         env:
-          NODE_OPTIONS: '--max-old-space-size=4096 --openssl-legacy-provider'
+          NODE_OPTIONS: '--max-old-space-size=4096'
       - name: Upload build files
         uses: actions/upload-artifact@v2
         if: always()
@@ -87,15 +76,10 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v3
         with:
-          node-version: 18
+          node-version: 14
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
-      # Load cached node_modules
-      - name: Cache Node modules
-        uses: actions/cache@v2
-        with:
-          path: '**/node_modules'
-          key: ${{ runner.OS }}-node-modules-${{ hashFiles('**/package-lock.json') }}
+      - run: npm ci
       - run: npm run test:frontend
 
   frontend_lint:
@@ -107,33 +91,17 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v3
         with:
-          node-version: 18
+          node-version: 14
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
-      # Load cached node_modules
-      - name: Cache Node modules
-        uses: actions/cache@v2
-        with:
-          path: '**/node_modules'
-          key: ${{ runner.OS }}-node-modules-${{ hashFiles('**/package-lock.json') }}
+      - run: npm ci
       - run: npm run lint:frontend
 
   backend_test:
     needs: [changes, install, build]
     if: ${{ needs.changes.outputs.backend == 'true' }}
     runs-on: ubuntu-latest
     steps:
-      # prevent CI from failing when worker runs out of memory
-      # https://github.com/actions/runner-images/discussions/7188#discussioncomment-6750749
-      - name: Increase swapfile
-        run: |
-          df -h
-          sudo swapoff -a
-          sudo fallocate -l 15G /swapfile
-          sudo chmod 600 /swapfile
-          sudo mkswap /swapfile
-          sudo swapon /swapfile
-          sudo swapon --show
       - uses: actions/checkout@v2
       - uses: actions/download-artifact@v3
         if: always()
@@ -142,19 +110,11 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v3
         with:
-          node-version: 18
+          node-version: 14
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
-      # Load cached node_modules
-      - name: Cache Node modules
-        uses: actions/cache@v2
-        with:
-          path: '**/node_modules'
-          key: ${{ runner.OS }}-node-modules-${{ hashFiles('**/package-lock.json') }}
-      - run: npm ci --prefix serverless/virus-scanner
+      - run: npm ci && npm ci --prefix serverless/virus-scanner
       - run: npm run test:backend
-        env:
-          NODE_OPTIONS: '--max-old-space-size=4096'
       - name: Coveralls
         uses: coverallsapp/github-action@master
         with:
@@ -169,14 +129,9 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v3
         with:
-          node-version: 18
+          node-version: 14
           cache: 'npm'
           cache-dependency-path: '**/package-lock.json'
-      # Load cached node_modules
-      - name: Cache Node modules
-        uses: actions/cache@v2
-        with:
-          path: '**/node_modules'
-          key: ${{ runner.OS }}-node-modules-${{ hashFiles('**/package-lock.json') }}
+      - run: npm ci
       - run: npm run lint-ci
       - run: npm_config_mode=yes npx lockfile-lint --type npm --path package.json --validate-https --allowed-hosts npm
diff --git a/.github/workflows/deploy-virus-scanner-production.yml b/.github/workflows/deploy-virus-scanner-production.yml
@@ -19,4 +19,5 @@ jobs:
     with:
       environment: 'production'
       provisionedConcurrency: 5
+      checkoutBranch: 'release-al2'
     secrets: inherit
diff --git a/.github/workflows/deploy-virus-scanner-staging.yml b/.github/workflows/deploy-virus-scanner-staging.yml
@@ -23,4 +23,5 @@ jobs:
     with:
       environment: 'staging'
       provisionedConcurrency: 1
+      checkoutBranch: 'staging'
     secrets: inherit
diff --git a/.github/workflows/deploy-virus-scanner-uat.yml b/.github/workflows/deploy-virus-scanner-uat.yml
@@ -19,4 +19,5 @@ jobs:
     with:
       environment: 'uat'
       provisionedConcurrency: 1
+      checkoutBranch: 'uat'
     secrets: inherit
diff --git a/Dockerfile.development b/Dockerfile.development
@@ -1,4 +1,4 @@
-FROM node:hydrogen-alpine3.18
+FROM node:hydrogen-alpine3.16
 LABEL maintainer=FormSG<[email protected]>
 
 WORKDIR /opt/formsg
@@ -28,7 +28,7 @@ RUN apk update && apk upgrade && \
     # that is guaranteed to work. Upgrades must be done in lockstep.
     # https://github.com/puppeteer/puppeteer/blob/master/docs/troubleshooting.md#running-on-alpine
     # https://www.npmjs.com/package/puppeteer-core?activeTab=versions for corresponding versions
-    chromium=115.0.5790.170-r0 \
+    chromium=102.0.5005.182-r0 \
     nss \
     freetype \
     freetype-dev \

diff --git a/Dockerfile.production b/Dockerfile.production
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-FROM node:hydrogen-alpine3.18 as build
+FROM node:hydrogen-alpine3.16 as build
 
 # node-modules-builder stage installs/compiles the node_modules folder
 # Python version must be specified starting in alpine3.12
@@ -60,7 +60,7 @@ RUN --mount=type=secret,id=dd_api_key \
 RUN npm prune --production --legacy-peer-deps
 
 # This stage builds the final container
-FROM node:hydrogen-alpine3.18
+FROM node:hydrogen-alpine3.16
 LABEL maintainer=FormSG<[email protected]>
 WORKDIR /opt/formsg
 
@@ -81,7 +81,7 @@ RUN mv /opt/formsg/dist/backend/shared /opt/formsg/
 # https://www.npmjs.com/package/puppeteer-core?activeTab=versions for corresponding versions
 
 RUN apk add --no-cache \
-    chromium=115.0.5790.170-r0 \
+    chromium=102.0.5005.182-r0 \
     nss \
     freetype \
     freetype-dev \

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -116,6 +116,7 @@ services:
       - PAYMENT_MIN_PAYMENT_AMOUNT_CENTS=50
       - SSM_ENV_SITE_NAME=development
       - PAYMENT_GUIDE_LINK
+      - PAYMENT_LANDING_GUIDE_LINK
       # Cron secrets
       - CRON_PAYMENT_API_SECRET=secretKey
       # env vars for go integration
@@ -124,6 +125,8 @@ services:
       - API_KEY_VERSION=v1
       # env vars for growthbook
       - GROWTHBOOK_CLIENT_KEY
+      # env vars for virus scanner
+      - VIRUS_SCANNER_LAMBDA_FUNCTION_NAME=function
 
   mockpass:
     build: https://github.com/opengovsg/mockpass.git#v4.0.4