From d50c55b59fd3e7e15c50be6ca6f11a0c27231738 Mon Sep 17 00:00:00 2001
From: Ashley Felton
Date: Thu, 14 Nov 2024 06:59:14 +0800
Subject: [PATCH 1/5] Bugfix: mislabelled secretKeyRef in deployment patch.
---
 kustomize/overlays/prod/deployment_patch.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kustomize/overlays/prod/deployment_patch.yaml b/kustomize/overlays/prod/deployment_patch.yaml
index ae9fdf7..522f3a6 100644
--- a/kustomize/overlays/prod/deployment_patch.yaml
+++ b/kustomize/overlays/prod/deployment_patch.yaml
@@ -48,5 +48,5 @@ spec:
 - name: EXAMPLE_VIDEO_URL
 valueFrom:
 secretKeyRef:
- name: penguins-env-uat
+ name: penguins-env-prod
 key: EXAMPLE_VIDEO_URL
From 6c9a744023810c04842e6e4f1c4fc0f3ced25274 Mon Sep 17 00:00:00 2001
From: Ashley Felton
Date: Thu, 14 Nov 2024 07:03:10 +0800
Subject: [PATCH 2/5] Bump dependency versions.
---
 poetry.lock | 24 ++++++++++++------------
 pyproject.toml | 6 +++---
 2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/poetry.lock b/poetry.lock
index 93bc178..28b5ce0 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -460,17 +460,17 @@ files = [ [[package]] name = "dj-database-url" -version = "2.2.0" +version = "2.3.0" description = "Use Database URLs in your Django Application." optional = false python-versions = "*" files = [ - {file = "dj_database_url-2.2.0-py3-none-any.whl", hash = "sha256:3e792567b0aa9a4884860af05fe2aa4968071ad351e033b6db632f97ac6db9de"}, - {file = "dj_database_url-2.2.0.tar.gz", hash = "sha256:9f9b05058ddf888f1e6f840048b8d705ff9395e3b52a07165daa3d8b9360551b"}, + {file = "dj_database_url-2.3.0-py3-none-any.whl", hash = "sha256:bb0d414ba0ac5cd62773ec7f86f8cc378a9dbb00a80884c2fc08cc570452521e"}, + {file = "dj_database_url-2.3.0.tar.gz", hash = "sha256:ae52e8e634186b57e5a45e445da5dc407a819c2ceed8a53d1fac004cc5288787"}, ] [package.dependencies] -Django = ">=3.2" +Django = ">=4.2" typing_extensions = ">=3.10.0.0" [[package]]
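Review bot: `name: penguins-env-prod` fixes this one reference, but the secret name is repeated inside every `secretKeyRef`, which is how a uat name survived in the prod overlay; the container spec this entry belongs to starts before line 48, so the sibling env entries outside the hunk should be checked for the same `penguins-env-uat` value. If all of the container's keys come from that one secret, loading it once with `envFrom: - secretRef: name: penguins-env-prod` would remove the per-variable repetition, though that is a separate change. Since the prod pod has until now been reading this key from the uat secret, confirming that `penguins-env-prod` actually carries an `EXAMPLE_VIDEO_URL` key before rollout avoids the container failing to start on a missing key.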
@@ -636,13 +636,13 @@ ipython = {version = ">=7.31.1", markers = "python_version >= \"3.11\""} [[package]] name = "ipython" -version = "8.28.0" +version = "8.29.0" description = "IPython: Productive Interactive Computing" optional = false python-versions = ">=3.10" files = [ - {file = "ipython-8.28.0-py3-none-any.whl", hash = "sha256:530ef1e7bb693724d3cdc37287c80b07ad9b25986c007a53aa1857272dac3f35"}, - {file = "ipython-8.28.0.tar.gz", hash = "sha256:0d0d15ca1e01faeb868ef56bc7ee5a0de5bd66885735682e8a322ae289a13d1a"}, + {file = "ipython-8.29.0-py3-none-any.whl", hash = "sha256:0188a1bd83267192123ccea7f4a8ed0a78910535dbaa3f37671dca76ebd429c8"}, + {file = "ipython-8.29.0.tar.gz", hash = "sha256:40b60e15b22591450eef73e40a027cf77bd652e757523eebc5bd7c7c498290eb"}, ] [package.dependencies]
@@ -1220,13 +1220,13 @@ Django = ">=3.2" [[package]] name = "whitenoise" -version = "6.7.0" +version = "6.8.2" description = "Radically simplified static file serving for WSGI applications" optional = false -python-versions = ">=3.8" +python-versions = ">=3.9" files = [ - {file = "whitenoise-6.7.0-py3-none-any.whl", hash = "sha256:a1ae85e01fdc9815d12fa33f17765bc132ed2c54fa76daf9e39e879dd93566f6"}, - {file = "whitenoise-6.7.0.tar.gz", hash = "sha256:58c7a6cd811e275a6c91af22e96e87da0b1109e9a53bb7464116ef4c963bf636"}, + {file = "whitenoise-6.8.2-py3-none-any.whl", hash = "sha256:df12dce147a043d1956d81d288c6f0044147c6d2ab9726e5772ac50fb45d2280"}, + {file = "whitenoise-6.8.2.tar.gz", hash = "sha256:486bd7267a375fa9650b136daaec156ac572971acc8bf99add90817a530dd1d4"}, ] [package.dependencies]
@@ -1249,4 +1249,4 @@ files = [ [metadata] lock-version = "2.0" python-versions = "~3.12" -content-hash = "ba8a5d0839e89f55fc7ebb85a98281c40e418798d1fc097d5273206cb812537e" +content-hash = "75d73ba0932b7b623b43d10de00b1112bb4d05c2949a8c5e2f9f9cf75d8047ef"
diff --git a/pyproject.toml b/pyproject.toml
index 38be4a7..78c614a 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -12,17 +12,17 @@ django = "4.2.16"
 psycopg = {version = "3.2.3", extras = ["binary", "pool"]}
 dbca-utils = "2.0.2"
 python-dotenv = "1.0.1"
-dj-database-url = "2.2.0"
+dj-database-url = "2.3.0"
 django-extensions = "3.2.3"
 gunicorn = "23.0.0"
-whitenoise = { version = "6.7.0", extras = ["brotli"] }
+whitenoise = {version = "6.8.2", extras = ["brotli"]}
 django-storages = { version = "1.14.4", extras = ["azure"] }
 webtemplate-dbca = "1.7.1"
 django-map-widgets = "0.5.1"
 xlsxwriter = "3.2.0"
 [tool.poetry.group.dev.dependencies]
-ipython = "^8.28.0"
+ipython = "^8.29.0"
 ipdb = "^0.13.11"
 pre-commit = "^4.0.1"
From 855500d26156c7bba29e6a945a44b96954d6e732 Mon Sep 17 00:00:00 2001
From: Ashley Felton
Date: Thu, 14 Nov 2024 07:03:50 +0800
Subject: [PATCH 3/5] Increment project minor version.
---
 kustomize/overlays/prod/kustomization.yaml | 2 +-
 pyproject.toml | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/kustomize/overlays/prod/kustomization.yaml b/kustomize/overlays/prod/kustomization.yaml
index a52a2ae..236ee5b 100644
--- a/kustomize/overlays/prod/kustomization.yaml
+++ b/kustomize/overlays/prod/kustomization.yaml
@@ -23,4 +23,4 @@ patches:
 - path: cronjob_import_patch.yaml
 images:
 - name: ghcr.io/dbca-wa/penguins
- newTag: 2.0.0
+ newTag: 2.0.1
diff --git a/pyproject.toml b/pyproject.toml
index 78c614a..367dc50 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "penguins"
-version = "2.0.0"
+version = "2.0.1"
 description = "DBCA Little Penguins Observations application"
 authors = ["Ashley Felton "]
 license = "Apache-2.0"
@@ -9,13 +9,13 @@ readme = "README.md"
 [tool.poetry.dependencies]
 python = "~3.12"
 django = "4.2.16"
-psycopg = {version = "3.2.3", extras = ["binary", "pool"]}
+psycopg = { version = "3.2.3", extras = ["binary", "pool"] }
 dbca-utils = "2.0.2"
 python-dotenv = "1.0.1"
 dj-database-url = "2.3.0"
 django-extensions = "3.2.3"
 gunicorn = "23.0.0"
-whitenoise = {version = "6.8.2", extras = ["brotli"]}
+whitenoise = { version = "6.8.2", extras = ["brotli"] }
 django-storages = { version = "1.14.4", extras = ["azure"] }
 webtemplate-dbca = "1.7.1"
 django-map-widgets = "0.5.1"
From 8f84446cf2a6909f8814ce40f055fcf936785ee5 Mon Sep 17 00:00:00 2001
From: Ashley Felton
Date: Thu, 14 Nov 2024 07:13:07 +0800
Subject: [PATCH 4/5] Set TRIVY_DB_REPOSITORY env variable in GitHub workflow.
---
 .github/workflows/image-build-scan.yml | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/image-build-scan.yml b/.github/workflows/image-build-scan.yml
index e49d522..aeba9f9 100644
--- a/.github/workflows/image-build-scan.yml
+++ b/.github/workflows/image-build-scan.yml
@@ -5,7 +5,7 @@ on:
 # Publish `master` as `latest` image.
 branches: [master]
 # Publish 1.* and 2.* tags as releases.
- tags: ['1.*','2.*']
+ tags: ["1.*", "2.*"]
 pull_request:
 branches: [master]
@@ -77,16 +77,19 @@ jobs:
 # Run vulnerability scan on built image
 #----------------------------------------------
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@v0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
+ TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
 with:
- scan-type: 'image'
- scanners: 'vuln'
+ scan-type: "image"
+ scanners: "vuln"
 image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- vuln-type: 'os,library'
- severity: 'HIGH,CRITICAL'
- format: 'sarif'
- output: 'trivy-results.sarif'
+ vuln-type: "os,library"
+ severity: "HIGH,CRITICAL"
+ format: "sarif"
+ output: "trivy-results.sarif"
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v3
 with:
- sarif_file: 'trivy-results.sarif'
+ sarif_file: "trivy-results.sarif"
From d1c7d5bc0ec4764920fc822585b9b9cffbc991f7 Mon Sep 17 00:00:00 2001
From: Ashley Felton
Date: Thu, 14 Nov 2024 07:18:57 +0800
Subject: [PATCH 5/5] Mislabelled tag
---
 .github/workflows/image-build-scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/image-build-scan.yml b/.github/workflows/image-build-scan.yml
index aeba9f9..ad29433 100644
--- a/.github/workflows/image-build-scan.yml
+++ b/.github/workflows/image-build-scan.yml
@@ -77,7 +77,7 @@ jobs:
 # Run vulnerability scan on built image
 #----------------------------------------------
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@v0.28.0
+ uses: aquasecurity/trivy-action@0.28.0
 env:
 TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
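Review bot: `uses: aquasecurity/trivy-action@v0.28.0` (the same line becomes `@0.28.0` in the PATCH 5/5 hunk) pins to a git tag, which is an improvement over `@master` but still a mutable reference: the tag can be moved, and whatever it then points at runs with whatever access this job has. Pinning to the full commit SHA with the version in a trailing comment, `uses: aquasecurity/trivy-action@<full-commit-sha> # 0.28.0`, keeps the upgrade readable while making the reference immutable, and `github/codeql-action/upload-sarif@v3` deserves the same treatment. The `image-ref` context line carries no tag or digest, so unless `REGISTRY`/`IMAGE_NAME` (set outside this hunk) include one, the scan presumably resolves to `:latest` rather than the image this job just built — worth confirming against the build step. The `with:` block sets no `exit-code`, so HIGH/CRITICAL findings are reported to the Security tab but never fail the job; if the scan is meant to gate publishing, add `exit-code: "1"` and give the upload step `if: always()` so the SARIF still lands. The enclosing job starts before the hunk.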