Merge branch 'main' into OPS-3012/Update-Change-Request-Filtering

.github/actions/run-full-stack/action.yml

@@ -9,5 +9,5 @@ runs:
       run: |
         set -x
         export JWT_PRIVATE_KEY="${{ env.JWT_PRIVATE_KEY }}"
-        docker compose -f docker-compose.yml down -v
-        docker compose -f docker-compose.yml up db data-import backend frontend-static --build -d
+        docker compose -f docker-compose.static.yml down -v
+        docker compose -f docker-compose.static.yml up --build -d

.github/actions/setup-javascript/action.yml

@@ -6,7 +6,7 @@ runs:
     - name: Set up Bun
       uses: oven-sh/setup-bun@4bc047ad259df6fc24a6c9b0f9a0cb08cf17fbe5 # v2.0.1
       with:
-        bun-version: 1.0.11
+        bun-version: latest
     - name: Install bun dependencies
       shell: bash
       working-directory: ./frontend

.github/workflows/commitlint.yml

@@ -9,5 +9,5 @@ jobs:
   commitlint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: wagoid/commitlint-github-action@v6
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: wagoid/commitlint-github-action@3d28780bbf0365e29b144e272b2121204d5be5f3 # v6

.github/workflows/nightly_scans.yml

@@ -34,6 +34,6 @@ jobs:
         uses: SvanBoxel/zaproxy-to-ghas@cfc77481d74a17a4c3d6b753aa9d7abef453d501 # v1.0.2
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3
+        uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3
         with:
           sarif_file: results.sarif

.github/workflows/release.yml

@@ -0,0 +1,33 @@
+name: Release
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for npm provenance
+    steps:
+      - name: Checkout
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+        with:
+          fetch-depth: 0
+      - name: Setup Node.js
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3
+        with:
+          node-version: "lts/*"
+      - name: Install semantic-release
+        run: npm install -g semantic-release
+      - name: Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: npx semantic-release

.github/workflows/security_codeql.yml

@@ -22,7 +22,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3
+        uses: github/codeql-action/init@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3
         with:
           languages: javascript, python
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -33,4 +33,4 @@ jobs:
           queries: +security-extended
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3
+        uses: github/codeql-action/analyze@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3

.github/workflows/security_semgrep.yml

@@ -25,7 +25,7 @@ jobs:
           SEMGREP_RULES: "p/default"
 
       - name: Upload SARIF file for GitHub Advanced Security Dashboard
-        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3
+        uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3
         with:
           sarif_file: ${{ env.SEMGREP_TO_UPLOAD }}
         if: always()

.pre-commit-config.yaml

@@ -12,16 +12,10 @@ repos:
       - id: check-yaml
       - id: check-added-large-files
       - id: check-merge-conflict
-
   - repo: https://github.com/hadolint/hadolint
     rev: v2.10.0
     hooks:
       - id: hadolint
-  # We're running black, but doing it via nox session instead - see below
-  # - repo: https://github.com/psf/black
-  #   rev: 22.6.0
-  #   hooks:
-  #   -   id: black
   - repo: https://github.com/pre-commit/mirrors-isort
     rev: v5.10.1
     hooks:
@@ -46,21 +40,16 @@ repos:
           - css
           - html
         pass_filenames: false
-  - repo: local
-    hooks:
       - id: trufflehog
         name: TruffleHog
         description: Detect secrets in your data.
-        # For running trufflehog locally, use the following:
-        # entry: bash -c 'trufflehog git file://. --since-commit HEAD --only-verified --fail'
-        # For running trufflehog in docker, use the following entry instead:
-        entry: bash -c 'docker run --rm -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --since-commit HEAD --only-verified --fail'
+        entry: bash -c 'if command -v podman >/dev/null 2>&1; then podman run --rm -v "$(pwd):/workdir" -i trufflesecurity/trufflehog:latest git file:///workdir --since-commit HEAD --only-verified --fail; elif command -v docker >/dev/null 2>&1; then docker run --rm -v "$(pwd):/workdir" -i trufflesecurity/trufflehog:latest git file:///workdir --since-commit HEAD --only-verified --fail; else echo "Neither docker nor podman found. Please install one of them." && exit 1; fi'
         language: system
         stages: ["pre-commit", "pre-push"]
   - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
     rev: v9.18.0
     hooks:
       - id: commitlint
-        stages: [ commit-msg ]
-        additional_dependencies: [ "@commitlint/config-conventional" ]
+        stages: [commit-msg]
+        additional_dependencies: ["@commitlint/config-conventional"]
         language_version: 22.8.0

README.md

@@ -87,19 +87,13 @@ docker compose up --build
 To run the application using the production server configuration...
 
 ```shell
-docker compose up db data-import backend frontend-static --build
+docker compose -f docker-compose.static.yml up --build
 ````
 
-To run the application using the minimal initial data set...
-
-```shell
-  docker compose --profile data-initial up --build
-```
-
 To run the application using the demo data set...
 
 ```shell
-  docker compose --profile data-demo up --build
+docker compose -f docker-compose.demo.yml up --build
 ```
 
 

backend/data_tools/Pipfile

@@ -6,15 +6,15 @@ name = "pypi"
 [packages]
 SQLAlchemy = "==2.0.36"
 pandas = "==2.2.3"
-json5 = "==0.9.25"
+json5 = "==0.9.28"
 psycopg2-binary = "==2.9.10"
 cfenv = "==0.5.3"
 typing-extensions = "==4.12.2"
 desert = "2022.9.22"
 sqlalchemy-continuum = "==1.4.2"
 marshmallow-sqlalchemy = "==1.1.0"
 marshmallow-enum = "==1.5.1"
-alembic = "==1.13.3"
+alembic = "==1.14.0"
 alembic-postgresql-enum = "==1.3.0"
 azure-storage-blob = "==12.23.1"
 azure-identity = "==1.19.0"

backend/data_tools/tests/docker-compose.yml

@@ -4,7 +4,6 @@ services:
 
   db:
     image: "postgres:16"
-    platform: linux/amd64
     container_name: unit-test-db
     security_opt:
       - no-new-privileges:true  # Resolve semgrep https://sg.run/0n8q

backend/ops_api/Pipfile

@@ -4,7 +4,7 @@ verify_ssl = true
 name = "pypi"
 
 [packages]
-alembic = "==1.13.3"
+alembic = "==1.14.0"
 alembic-postgresql-enum = "==1.3.0"
 authlib = "==1.3.2"
 azure-identity = "==1.19.0"