From 79571eec17ad6ad71c69d092a1952d359b437145 Mon Sep 17 00:00:00 2001 From: Owen Blacker Date: Tue, 9 Jan 2024 14:56:31 +0000 Subject: [PATCH 01/76] Attempting to Dockerise -- currently hangs on installing lograge gem --- Dockerfile | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++ Gemfile | 2 +- Gemfile.lock | 7 ++++-- README.md | 8 +++---- yarn.lock | 8 +++---- 5 files changed, 81 insertions(+), 11 deletions(-) create mode 100644 Dockerfile diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..384026d --- /dev/null +++ b/Dockerfile 
@@ -0,0 +1,67 @@
+ARG ruby_version=3.2
+ARG base_image=ghcr.io/alphagov/govuk-ruby-base:$ruby_version
+ARG builder_image=ghcr.io/alphagov/govuk-ruby-builder:$ruby_version
+
+FROM $builder_image AS builder
+
+WORKDIR $APP_HOME
+# $APP_HOME=/app
+
+# RUN adduser --disabled-password ruby
+# RUN mkdir /node_modules && chown ruby:ruby -R /node_modules $APP_HOME
+# RUN mkdir -p /usr/local/bundle && chown :ruby -R /usr/local/bundle && chmod g+w /usr/local/bundle
+
+#USER ruby
+
+COPY Gemfile* .ruby-version ./
+#COPY --chown=ruby:ruby Gemfile* .ruby-version ./
+RUN bundle install --verbose
+
+COPY package.json yarn.lock ./
+# COPY --chown=ruby:ruby package.json yarn.lock ./
+RUN npm ci --ignore-scripts
+
+## From https://github.com/alphagov/forms-runner/blob/main/Dockerfile
+# ENV RAILS_ENV="${RAILS_ENV:-production}" \
+# NODE_ENV="${NODE_ENV:-production}" \
+# PATH="${PATH}:/home/ruby/.local/bin:/node_modules/.bin" \
+# USER="ruby" \
+# REDIS_URL="${REDIS_URL:-redis://notset/}"
+
+# COPY --chown=ruby:ruby . .
+COPY . .
+ +## From https://github.com/alphagov/forms-runner/blob/main/Dockerfile +# you can't run rails commands like assets:precompile without a secret key set +# even though the command doesn't use the value itself +RUN SECRET_KEY_BASE=dummyvalue rails assets:precompile && rm -fr log + +# Remove devDependencies once assets have been built +RUN npm ci --ignore-scripts --only=production + +CMD ["bash"] + + + +FROM $base_image + +## From https://github.com/alphagov/forms-runner/blob/main/Dockerfile +# ENV RAILS_ENV="${RAILS_ENV:-production}" \ +# PATH="${PATH}:/home/ruby/.local/bin" \ +# USER="ruby" + +ENV GOVUK_APP_NAME=re-request-an-aws-account +WORKDIR $APP_HOME + +RUN adduser --disabled-password ruby +RUN chown ruby:ruby -R $APP_HOME + +COPY --chown=ruby:ruby bin/ ./bin +RUN chmod 0755 bin/* + +COPY --chown=ruby:ruby --from=builder /usr/local/bundle /usr/local/bundle +COPY --chown=ruby:ruby --from=builder $APP_HOME $APP_HOME + +EXPOSE 3000 + +CMD ["/bin/sh", "-o", "xtrace", "-c", "rails s -b 0.0.0.0"] \ No newline at end of file diff --git a/Gemfile b/Gemfile index ac6c36f..601cfd6 100644 --- a/Gemfile +++ b/Gemfile @@ -5,7 +5,7 @@ ruby '~> 3.2.0' gem 'dotenv-rails', groups: [:development] -gem 'lograge', '~> 0.12.0' +gem 'lograge', '~> 0.14.0' gem 'logstash-event', '~> 1.2.02' gem 'notifications-ruby-client', '~> 5.4.0' gem 'octokit', '~> 6.1.0' diff --git a/Gemfile.lock b/Gemfile.lock index 201f2bd..f3bb7a8 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -94,7 +94,7 @@ GEM listen (3.8.0) rb-fsevent (~> 0.10, >= 0.10.3) rb-inotify (~> 0.9, >= 0.9.10) - lograge (0.12.0) + lograge (0.14.0) actionpack (>= 4) activesupport (>= 4) railties (>= 4) @@ -123,6 +123,8 @@ GEM net-smtp (0.3.3) net-protocol nio4r (2.5.8) + nokogiri (1.14.2-arm64-darwin) + racc (~> 1.4) nokogiri (1.14.2-x86_64-linux) racc (~> 1.4) notifications-ruby-client (5.4.0) 
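Review bot: The final stage creates the `ruby` user and chowns `$APP_HOME` and the copied files to it, but never switches to it, so `rails s` still runs as root; add `USER ruby` after the two `COPY --from=builder` lines, before `EXPOSE 3000`. The CMD also runs rails through `/bin/sh -c` without `exec`, so rails is not PID 1 and does not receive the SIGTERM from `docker stop`; `CMD ["/bin/sh", "-o", "xtrace", "-c", "exec rails s -b 0.0.0.0"]` keeps the tracing and fixes the signal handling. `$APP_HOME` is never set in this file (the comment says it is `/app`), so it is presumably provided by the govuk-ruby images — worth confirming it is defined in both the builder and base image, since both `WORKDIR $APP_HOME` lines depend on it.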
@@ -234,12 +236,13 @@ GEM zeitwerk (2.6.7) PLATFORMS + arm64-darwin-22 x86_64-linux DEPENDENCIES dotenv-rails listen (~> 3.7) - lograge (~> 0.12.0) + lograge (~> 0.14.0) logstash-event (~> 1.2.02) notifications-ruby-client (~> 5.4.0) octokit (~> 6.1.0) diff --git a/README.md b/README.md index 36ff1b8..e32d227 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ Running locally This is a rails app, with dependencies managed by bundler. To run the app locally clone this repo, then: -``` +```sh bundle install npm install bundle exec rails server @@ -18,14 +18,14 @@ If you want to test the apps interaction with third party services (e.g. GitHub and GOV.UK Notify) you'll need to set up some secrets in environment variables. The easiest way to do this in development is using a `.env` file (see [.env.example](.env.example)): -``` +```sh cp .env.example .env $EDITOR .env ``` Run the tests with: -``` +```sh bundle exec rails test ``` @@ -38,6 +38,6 @@ This is continuously deployed from master [by Github Actions](https://github.com To deploy to a separate route (e.g. for testing / previewing changes) you can push to PaaS manually: -``` +```sh cf push gds-request-an-aws-account-preview ``` diff --git a/yarn.lock b/yarn.lock index 54ba9ab..800452b 100644 --- a/yarn.lock +++ b/yarn.lock @@ -2,7 +2,7 @@ # yarn lockfile v1 -"govuk-frontend@^4.5.0": - "integrity" "sha512-gZHDqf5vdlHjmx0NGJiNT12XLyR3d5KCS4AnlC3xTWOObJ0kQROrkIFyp3w4/PY3EQiYdgacVaJ6lizzygnzYw==" - "resolved" "https://registry.npmjs.org/govuk-frontend/-/govuk-frontend-4.5.0.tgz" - "version" "4.5.0" +govuk-frontend@^4.5.0: + version "4.5.0" + resolved "https://registry.npmjs.org/govuk-frontend/-/govuk-frontend-4.5.0.tgz" + integrity sha512-gZHDqf5vdlHjmx0NGJiNT12XLyR3d5KCS4AnlC3xTWOObJ0kQROrkIFyp3w4/PY3EQiYdgacVaJ6lizzygnzYw== From 76df2bbd1da6528c779d87b6b46d00c11ab01642 Mon Sep 17 00:00:00 2001 
From: Owen Blacker Date: Thu, 11 Jan 2024 12:33:36 +0000 Subject: [PATCH 02/76] Added simplecov for code coverage analysis: https://github.com/simplecov-ruby/simplecov --- Gemfile | 1 + Gemfile.lock | 11 +++++++++++ test/test_helper.rb | 4 ++++ 3 files changed, 16 insertions(+) diff --git a/Gemfile b/Gemfile index ac6c36f..0c07afd 100644 --- a/Gemfile +++ b/Gemfile @@ -18,6 +18,7 @@ gem 'webrick', '~> 1.8.1' group :test do gem 'rack_session_access', '~> 0.2.0' + gem 'simplecov', require: false, group: :test end gem "listen", "~> 3.7", :group => :development diff --git a/Gemfile.lock b/Gemfile.lock index 201f2bd..a4ed89b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -74,6 +74,7 @@ GEM rexml crass (1.0.6) date (3.3.3) + docile (1.4.0) dotenv (2.8.1) dotenv-rails (2.8.1) dotenv (= 2.8.1) @@ -123,6 +124,8 @@ GEM net-smtp (0.3.3) net-protocol nio4r (2.5.8) + nokogiri (1.14.2-arm64-darwin) + racc (~> 1.4) nokogiri (1.14.2-x86_64-linux) racc (~> 1.4) notifications-ruby-client (5.4.0) @@ -207,6 +210,12 @@ GEM sawyer (0.9.2) addressable (>= 2.3.5) faraday (>= 0.17.3, < 3) + simplecov (0.22.0) + docile (~> 1.1) + simplecov-html (~> 0.11) + simplecov_json_formatter (~> 0.1) + simplecov-html (0.12.3) + simplecov_json_formatter (0.1.4) snaky_hash (2.0.1) hashie version_gem (~> 1.1, >= 1.1.1) @@ -234,6 +243,7 @@ GEM zeitwerk (2.6.7) PLATFORMS + arm64-darwin-22 x86_64-linux DEPENDENCIES @@ -248,6 +258,7 @@ DEPENDENCIES rack_session_access (~> 0.2.0) rails (~> 7.0.4.3) sassc-rails + simplecov webmock (~> 3.18.1) webrick (~> 1.8.1) diff --git a/test/test_helper.rb b/test/test_helper.rb index c53f746..52ec7b3 100644 --- a/test/test_helper.rb +++ b/test/test_helper.rb @@ -1,4 +1,8 @@ ENV['RAILS_ENV'] ||= 'test' +require 'simplecov' +SimpleCov.start + +# Previous content of test helper now starts here require_relative '../config/environment' require 'rails/test_help' From 43e2daa41282ac67efa034a45813031506fad3e2 Mon Sep 17 00:00:00 2001 
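Review bot: `group: :test` on the new simplecov line is redundant, because the gem is added inside the `group :test do` block two lines above; `gem 'simplecov', require: false` is enough. In the test_helper.rb hunk the `# Previous content of test helper now starts here` comment will go stale quickly and can be dropped; placing `require 'simplecov'` / `SimpleCov.start` before `config/environment` is required is the right order, since SimpleCov has to start before the application code is loaded.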
From: Tom Broughton Date: Wed, 24 Jan 2024 10:46:03 +0000 Subject: [PATCH 03/76] simple ruby install --- Dockerfile | 69 +++++++++--------------------------------------------- 1 file changed, 11 insertions(+), 58 deletions(-) diff --git a/Dockerfile b/Dockerfile index 384026d..5fbf1c5 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,67 +1,20 @@ -ARG ruby_version=3.2 -ARG base_image=ghcr.io/alphagov/govuk-ruby-base:$ruby_version -ARG builder_image=ghcr.io/alphagov/govuk-ruby-builder:$ruby_version +FROM ghcr.io/alphagov/govuk-ruby-builder:3.2 AS builder -FROM $builder_image AS builder -WORKDIR $APP_HOME -# $APP_HOME=/app +# Default directory +ENV INSTALL_PATH /opt/app +RUN mkdir -p $INSTALL_PATH -# RUN adduser --disabled-password ruby -# RUN mkdir /node_modules && chown ruby:ruby -R /node_modules $APP_HOME -# RUN mkdir -p /usr/local/bundle && chown :ruby -R /usr/local/bundle && chmod g+w /usr/local/bundle +# Install rails -#USER ruby +#RUN chown -R user:user /opt/app +WORKDIR /opt/app -COPY Gemfile* .ruby-version ./ -#COPY --chown=ruby:ruby Gemfile* .ruby-version ./ -RUN bundle install --verbose +COPY . . -COPY package.json yarn.lock ./ -# COPY --chown=ruby:ruby package.json yarn.lock ./ -RUN npm ci --ignore-scripts +RUN bundle install -## From https://github.com/alphagov/forms-runner/blob/main/Dockerfile -# ENV RAILS_ENV="${RAILS_ENV:-production}" \ -# NODE_ENV="${NODE_ENV:-production}" \ -# PATH="${PATH}:/home/ruby/.local/bin:/node_modules/.bin" \ -# USER="ruby" \ -# REDIS_URL="${REDIS_URL:-redis://notset/}" -# COPY --chown=ruby:ruby . . -COPY . . 
-## From https://github.com/alphagov/forms-runner/blob/main/Dockerfile -# you can't run rails commands like assets:precompile without a secret key set -# even though the command doesn't use the value itself -RUN SECRET_KEY_BASE=dummyvalue rails assets:precompile && rm -fr log - -# Remove devDependencies once assets have been built -RUN npm ci --ignore-scripts --only=production - -CMD ["bash"] - - - -FROM $base_image - -## From https://github.com/alphagov/forms-runner/blob/main/Dockerfile -# ENV RAILS_ENV="${RAILS_ENV:-production}" \ -# PATH="${PATH}:/home/ruby/.local/bin" \ -# USER="ruby" - -ENV GOVUK_APP_NAME=re-request-an-aws-account -WORKDIR $APP_HOME - -RUN adduser --disabled-password ruby -RUN chown ruby:ruby -R $APP_HOME - -COPY --chown=ruby:ruby bin/ ./bin -RUN chmod 0755 bin/* - -COPY --chown=ruby:ruby --from=builder /usr/local/bundle /usr/local/bundle -COPY --chown=ruby:ruby --from=builder $APP_HOME $APP_HOME - -EXPOSE 3000 - -CMD ["/bin/sh", "-o", "xtrace", "-c", "rails s -b 0.0.0.0"] \ No newline at end of file +# Run a shell +CMD ["/bin/bash"] From a50e02113b06a7a6cfa2c5041a70e80631ec4bb2 Mon Sep 17 00:00:00 2001 From: Hauwa Muhammad Date: Wed, 24 Jan 2024 14:43:55 +0000 Subject: [PATCH 04/76] work in progress --- Dockerfile | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 5fbf1c5..483a808 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,7 @@ -FROM ghcr.io/alphagov/govuk-ruby-builder:3.2 AS builder - +FROM ruby:3.2-bullseye +RUN apt-get update && apt-get install -y nodejs npm + # Default directory ENV INSTALL_PATH /opt/app RUN mkdir -p $INSTALL_PATH @@ -13,8 +14,13 @@ WORKDIR /opt/app COPY . . RUN bundle install +RUN npm install # Run a shell -CMD ["/bin/bash"] +#CMD ["bundle", "exec", "rails", "server"] +CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0", "--port", "8888"] + + + From 11c857572c10fd26b189cb148481bfb1592cca3f Mon Sep 17 00:00:00 2001 
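Review bot: `ENV INSTALL_PATH /opt/app` uses the legacy space-separated form (BuildKit's LegacyKeyValueFormat check flags it) and the `RUN mkdir -p $INSTALL_PATH` that follows is redundant, since `WORKDIR /opt/app` creates the directory itself; `ENV INSTALL_PATH=/opt/app` with `WORKDIR $INSTALL_PATH` and no mkdir keeps the two in agreement. `COPY . .` before `RUN bundle install` means any source change re-runs the whole gem install; copying `Gemfile Gemfile.lock ./` first, installing, then `COPY . .` keeps the gem layer cached. The commented-out `#RUN chown -R user:user /opt/app` references a user that is never created, so the resulting image builds and runs entirely as root.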
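Review bot: The new `RUN apt-get update && apt-get install -y nodejs npm` leaves the apt lists in the layer and pulls in recommended packages; `RUN apt-get update && apt-get install -y --no-install-recommends nodejs npm && rm -rf /var/lib/apt/lists/*` gives the same result with a smaller image. The Debian-repository nodejs/npm are also unpinned, so the Node version in the image is whatever bullseye ships on the day of the build — if the app depends on a particular Node major, pin it or install from a pinned source. `FROM ruby:3.2-bullseye` is tagged but not digest-pinned; once this image is published, a digest pin would make the builds reproducible.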
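Review bot: `RUN npm install` resolves dependencies afresh and can rewrite the lockfile inside the image; `RUN npm ci --ignore-scripts` (what the first Dockerfile used) installs exactly what the lockfile pins, or `yarn install --frozen-lockfile` if yarn.lock is the authoritative lockfile (the first patch's diffstat shows one). The new `CMD` binds rails to 0.0.0.0:8888 while the image still has no `USER` directive, so the server runs as root; an unprivileged user should be created and switched to before `CMD`. The commented-out `#CMD ["bundle", "exec", "rails", "server"]` can be dropped rather than kept next to the live line, and the three trailing blank lines are noise.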
From: Hauwa Muhammad Date: Thu, 25 Jan 2024 14:01:37 +0000 Subject: [PATCH 05/76] work in progress:publish docker image workflow --- .github/workflows/publish-docker-image.yaml | 37 +++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 .github/workflows/publish-docker-image.yaml diff --git a/.github/workflows/publish-docker-image.yaml b/.github/workflows/publish-docker-image.yaml new file mode 100644 index 0000000..74589ea --- /dev/null +++ b/.github/workflows/publish-docker-image.yaml @@ -0,0 +1,37 @@ +name: Publish image to Docker Hub + +on: + release: + types: [published] + +jobs: + push_to_registry: + name: Push Docker image to Docker Hub + runs-on: ubuntu-latest + steps: + - name: Check out the repo + uses: actions/checkout@v4 + + - name: Log in to Docker Hub + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + #TODO: Look at metadata + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 + with: + images: governmentdigitalservice/ee-request-aws-account + + - name: Build and push Docker image + uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 + with: + context: . + file: ./Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + + From fe971081c36839f27b071ce8a86557aaac61cff1 Mon Sep 17 00:00:00 2001 From: Owen Blacker Date: Thu, 25 Jan 2024 15:53:33 +0000 Subject: [PATCH 06/76] Update triggers to pushes instead of releases --- .github/workflows/publish-docker-image.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish-docker-image.yaml b/.github/workflows/publish-docker-image.yaml index 74589ea..1be416e 100644 --- a/.github/workflows/publish-docker-image.yaml 
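Review bot: The new workflow declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` permissions although it only needs to read the checkout; add `permissions:` with `contents: read` at the job level. `actions/checkout@v4` is pinned to a floating tag while the three docker actions are pinned to commit SHAs — pinning the checkout the same way would make the supply-chain posture consistent. With `release: published` as the only trigger, `push: ${{ github.event_name != 'pull_request' }}` is always true; harmless, but it reads as if pull requests could reach this job.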
+++ b/.github/workflows/publish-docker-image.yaml @@ -1,8 +1,10 @@ name: Publish image to Docker Hub on: - release: - types: [published] + push: + branches: + - 'main' + - 'releases/**' jobs: push_to_registry: From 7e44d56ee9c3a5f0729a8d4b6dd03ff6d057274b Mon Sep 17 00:00:00 2001 From: Owen Blacker Date: Fri, 26 Jan 2024 09:59:30 +0000 Subject: [PATCH 07/76] Update tagging; add an echo that isn't working --- .github/workflows/publish-docker-image.yaml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish-docker-image.yaml b/.github/workflows/publish-docker-image.yaml index 1be416e..6f9ea81 100644 --- a/.github/workflows/publish-docker-image.yaml +++ b/.github/workflows/publish-docker-image.yaml @@ -20,13 +20,22 @@ jobs: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - #TODO: Look at metadata - name: Extract metadata (tags, labels) for Docker id: meta uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 with: images: governmentdigitalservice/ee-request-aws-account + tags: | + type=semver,pattern={{version}} + type=sha,enable=true,priority=100,prefix=sha-,suffix=,format=short + type=raw,value=latest,enable={{is_default_branch}} + # This is only outputting the SHA, not the semantic version + - name: Output tags + run: | + echo "tags: ${{ steps.meta.outputs.tags }}" + # This is not echoing locally with `act` + - name: Build and push Docker image uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 with: From 227e2124c106aea08bd3328b019bb7ab8cc233aa Mon Sep 17 00:00:00 2001 From: Owen Blacker Date: Fri, 26 Jan 2024 10:47:58 +0000 Subject: [PATCH 08/76] Add `main` and `master` as alternatives until we rename the branch; tweak comments --- .github/workflows/publish-docker-image.yaml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) 
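Review bot: The `type=semver,pattern={{version}}` tag never populates because docker/metadata-action derives semver tags from Git tag refs, and since the previous patch this workflow runs only on `push` to the `main` and `releases/**` branches — so the echo showing only the SHA tag is expected behaviour, not a bug in the action. A `tags: ['v*']` filter under `on.push` (or a `release` trigger) is what would make it fire. The new `Output tags` step also interpolates `${{ steps.meta.outputs.tags }}` directly into the shell script; passing it through `env:` (`TAGS: ${{ steps.meta.outputs.tags }}` then `echo "tags: $TAGS"`) keeps the value out of shell parsing, which is the safe habit for any expression that reaches a `run:` block.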
diff --git a/.github/workflows/publish-docker-image.yaml b/.github/workflows/publish-docker-image.yaml index 6f9ea81..283f7f6 100644 --- a/.github/workflows/publish-docker-image.yaml +++ b/.github/workflows/publish-docker-image.yaml @@ -4,6 +4,7 @@ on: push: branches: - 'main' + - 'master' - 'releases/**' jobs: @@ -26,15 +27,14 @@ jobs: with: images: governmentdigitalservice/ee-request-aws-account tags: | - type=semver,pattern={{version}} type=sha,enable=true,priority=100,prefix=sha-,suffix=,format=short type=raw,value=latest,enable={{is_default_branch}} - # This is only outputting the SHA, not the semantic version + # BUG: `type=semver,pattern={{version}}` is not outputting the semantic version - name: Output tags run: | echo "tags: ${{ steps.meta.outputs.tags }}" - # This is not echoing locally with `act` + # BUG: This is not echoing locally with `act` - name: Build and push Docker image uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 @@ -44,5 +44,3 @@ jobs: push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - - From d93664bc8a32ffd3ef8830c2574ad0b114dc8989 Mon Sep 17 00:00:00 2001 From: Owen Blacker Date: Fri, 26 Jan 2024 10:49:28 +0000 Subject: [PATCH 09/76] Add `development` as a trigger branch --- .github/workflows/publish-docker-image.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/publish-docker-image.yaml b/.github/workflows/publish-docker-image.yaml index 283f7f6..655ba78 100644 --- a/.github/workflows/publish-docker-image.yaml +++ b/.github/workflows/publish-docker-image.yaml @@ -5,6 +5,7 @@ on: branches: - 'main' - 'master' + - 'development' - 'releases/**' jobs: From 566e08781a60ff7791af6313508f6c60d5a9e38e Mon Sep 17 00:00:00 2001 
From: Hauwa Muhammad Date: Thu, 1 Feb 2024 08:36:56 +0000 Subject: [PATCH 10/76] Yaml file for GHCR --- .github/workflows/ghcr.yml | 48 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 .github/workflows/ghcr.yml diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml new file mode 100644 index 0000000..0810811 --- /dev/null +++ b/.github/workflows/ghcr.yml 
@@ -0,0 +1,48 @@ +# +name: Create and publish a Docker image + +# Configures this workflow to run every time a PR is raised to the branch called `main`. +on: + pull_request: + branches: ['main'] + +# Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds. +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + +# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu. +jobs: + build-and-push-image: + runs-on: ubuntu-latest + # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job. + permissions: + contents: read + packages: write + # + steps: + - name: Checkout repository + uses: actions/checkout@v4 + # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here. + - name: Log in to the Container registry + uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels. + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages. 
+ # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository. + # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step. + - name: Build and push Docker image + uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 + with: + context: . + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} From d589ce738d87b3ce4514626924bbc07d5e56907c Mon Sep 17 00:00:00 2001 From: Hauwa Muhammad Date: Thu, 1 Feb 2024 09:20:57 +0000 Subject: [PATCH 11/76] updated docker file --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 483a808..b702dfd 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,8 @@ COPY . . RUN bundle install RUN npm install - +# Expose both port 3000 and 8888 +EXPOSE 3000 8888 # Run a shell #CMD ["bundle", "exec", "rails", "server"] From 20ed1d73d7bc5753a2ab497c7c4cdb8a3ff742a1 Mon Sep 17 00:00:00 2001 From: Hauwa Muhammad Date: Thu, 1 Feb 2024 09:25:20 +0000 Subject: [PATCH 12/76] exposing only port 8888 --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index b702dfd..4613384 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,8 +16,8 @@ COPY . . RUN bundle install RUN npm install -# Expose both port 3000 and 8888 -EXPOSE 3000 8888 +# Expose port 8888 +EXPOSE 8888 # Run a shell #CMD ["bundle", "exec", "rails", "server"] From 611f06a11e0ecd955153e61521808df937a4104c Mon Sep 17 00:00:00 2001 
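Review bot: This workflow triggers on `pull_request` to `main` and then builds with `push: true` under a `packages: write` token, so every PR opened from a branch in this repository publishes an image to GHCR before the change is reviewed or merged (metadata-action will tag it as `pr-<number>`). Either trigger on `push` to `main`, or guard the push with `push: ${{ github.event_name != 'pull_request' }}` as publish-docker-image.yaml already does. For pull requests from forks the default token is read-only, so that step would presumably just fail there rather than publish.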
From: Hauwa Muhammad Date: Thu, 1 Feb 2024 14:24:30 +0000 Subject: [PATCH 13/76] work in progress --- .github/workflows/publish-docker-image.yaml | 61 +++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 .github/workflows/publish-docker-image.yaml diff --git a/.github/workflows/publish-docker-image.yaml b/.github/workflows/publish-docker-image.yaml new file mode 100644 index 0000000..4d85e56 --- /dev/null +++ b/.github/workflows/publish-docker-image.yaml 
@@ -0,0 +1,61 @@ +name: Publish image to Docker Hub + +on: + push: + branches: + - 'main' + - 'releases/**' + +jobs: + push_to_registry: + name: Push Docker image to Docker Hub + runs-on: ubuntu-latest + steps: + - name: Check out the repo + uses: actions/checkout@v4 + + - name: Log in to Docker Hub + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 + with: + images: governmentdigitalservice/ee-request-aws-account + tags: | + type=semver,pattern={{version}} + type=sha,enable=true,priority=100,prefix=sha-,suffix=,format=short + type=raw,value=latest,enable={{is_default_branch}} + + - name: Output tags + run: | + echo "::notice tags: ${{steps.meta.outputs.tags}}" + + - name: Build and push Docker image + id: docker_image + uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 + with: + context: . + file: ./Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + + - name: Push Docker image into ECR + uses: docker://ghcr.io/kciter/aws-ecr-action:latest + with: + access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }} + secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + account_id: ${{ secrets.AWS_ACCOUNT_ID }} + repo: docker/repo + region: eu-west-2 + tags: latest,${{ github.sha }} + create_repo: true + image_scanning_configuration: true + set_repo_policy: true + repo_policy_file: repo-policy.json + + From d82d8b32f7bffcf04a20fc0c2908e962374df7fc Mon Sep 17 00:00:00 2001 From: Owen Blacker Date: Wed, 7 Feb 2024 11:38:11 +0000 Subject: [PATCH 14/76] Start process of updating docs --- README.md | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) 
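Review bot: The `Push Docker image into ECR` step runs a third-party container action at a floating tag, `docker://ghcr.io/kciter/aws-ecr-action:latest`, and hands it long-lived AWS credentials (`AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY`), so whatever that image resolves to on the day of the run receives those keys. Pin it by digest, and prefer `aws-actions/configure-aws-credentials` with an OIDC `role-to-assume` so no static keys are stored in the repository at all. `repo: docker/repo` and `repo_policy_file: repo-policy.json` look like placeholders — no such file is added in this patch — and `echo "::notice tags: ..."` is not the workflow-command syntax (`::notice::tags: ...` is) and should take the tags via `env:` rather than interpolating the expression into the script. The workflow is also recreated with no `permissions:` block; `contents: read` is all the Docker Hub path needs.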
diff --git a/README.md b/README.md index e32d227..7082be1 100644 --- a/README.md +++ b/README.md @@ -1,14 +1,12 @@ -Reliability Engineering: Request an AWS Account -=============================================== +# Reliability Engineering: Request an AWS Account User interface to manage AWS Accounts (e.g. for new services or environments) and users within the base AWS account. -Running locally ---------------- +## Running locally This is a rails app, with dependencies managed by bundler. To run the app locally clone this repo, then: -```sh +```shell bundle install npm install bundle exec rails server @@ -18,26 +16,25 @@ If you want to test the apps interaction with third party services (e.g. GitHub and GOV.UK Notify) you'll need to set up some secrets in environment variables. The easiest way to do this in development is using a `.env` file (see [.env.example](.env.example)): -```sh +```shell cp .env.example .env $EDITOR .env ``` Run the tests with: -```sh +```shell bundle exec rails test ``` To sign in as a development user, visit (to try different email addresses, you can provide a `email` parameter). If you want to test with real Google SSO, you can [create an application in the Google Cloud Console](https://console.developers.google.com/apis/credentials). -Deploying to PaaS ------------------ +## Deploying to PaaS This is continuously deployed from master [by Github Actions](https://github.com/alphagov/re-request-an-aws-account/blob/master/.github/workflows/bundle_and_release.yml) To deploy to a separate route (e.g. for testing / previewing changes) you can push to PaaS manually: -```sh +```shell cf push gds-request-an-aws-account-preview ``` From 64ca392103fa0668e197efbb6e88a7f54e616d44 Mon Sep 17 00:00:00 2001 
From: Hauwa Muhammad Date: Wed, 7 Feb 2024 12:03:27 +0000 Subject: [PATCH 15/76] wip: changed port to 3000 --- .github/workflows/build.yaml | 21 +++++++++++++++++++++ Dockerfile | 4 ++-- 2 files changed, 23 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/build.yaml diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml new file mode 100644 index 0000000..3ff796f --- /dev/null +++ b/.github/workflows/build.yaml @@ -0,0 +1,21 @@ + +name: Tests +on: + workflow_dispatch: + push: + branches: + - 'master' + - 'main' + - 'dockerise' + - 'publish-to-dockerhub' + - 'push-to-ghcr-and-ecr' + - 'dockerise-basic' + pull_request: + branches: + - 'master' + - 'main' + - 'dockerise' + - 'publish-to-dockerhub' + - 'push-to-ghcr-and-ecr' + - 'dockerise-basic' +jobs: diff --git a/Dockerfile b/Dockerfile index 483a808..9bee818 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,11 +16,11 @@ COPY . . RUN bundle install RUN npm install - +EXPOSE 3000 # Run a shell #CMD ["bundle", "exec", "rails", "server"] -CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0", "--port", "8888"] +CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0", "--port", "3000"] From b9b8a920bdf0e42ff02c30ec4fa4b3d258d9ff8b Mon Sep 17 00:00:00 2001 From: Hauwa Muhammad Date: Wed, 7 Feb 2024 12:24:48 +0000 Subject: [PATCH 16/76] Add docs about containerisation --- README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/README.md b/README.md index 7082be1..2a01566 100644 --- a/README.md +++ b/README.md 
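Review bot: The new build.yaml ends at a bare `jobs:` with no job defined, which is expected to fail workflow validation, so nothing called `Tests` will actually run on the listed branches; either add the test job in this commit or hold the file back until it has one. The six-branch lists under `push` and `pull_request` are duplicated verbatim and name short-lived feature branches; `pull_request:` with no branch filter plus `push: branches: ['master', 'main']` covers the same cases without needing to be edited each time a branch is created. The file also opens with a blank line before `name:`.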
@@ -29,6 +29,26 @@ bundle exec rails test To sign in as a development user, visit (to try different email addresses, you can provide a `email` parameter). If you want to test with real Google SSO, you can [create an application in the Google Cloud Console](https://console.developers.google.com/apis/credentials). +<<<<<<< Updated upstream +======= +## Building the Docker image + +In order to move this app away from GOV.UK PaaS, we have containerised the +application in order to be able to run locally and also deploy to AWS +App Runner. The app can be accessed on port 3000. + +To build and run the Docker image: + +```shell +docker build -t request-an-aws-account . +docker run -p 3000:3000 -t request-an-aws-account +``` + +## Deploying through Github Actions + + + +>>>>>>> Stashed changes ## Deploying to PaaS This is continuously deployed from master [by Github Actions](https://github.com/alphagov/re-request-an-aws-account/blob/master/.github/workflows/bundle_and_release.yml) From a2ab541f50ee5586061909377288c01175ef6be6 Mon Sep 17 00:00:00 2001 From: Hauwa Muhammad Date: Wed, 7 Feb 2024 12:42:29 +0000 Subject: [PATCH 17/76] ghcr workflow --- .github/workflows/publish-docker-image.yaml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/publish-docker-image.yaml b/.github/workflows/publish-docker-image.yaml index 655ba78..7a40157 100644 --- a/.github/workflows/publish-docker-image.yaml +++ b/.github/workflows/publish-docker-image.yaml 
@@ -10,23 +10,24 @@ on: jobs: push_to_registry: - name: Push Docker image to Docker Hub + name: Push Docker image to GHCR runs-on: ubuntu-latest steps: - name: Check out the repo uses: actions/checkout@v4 - - name: Log in to Docker Hub + - name: Log in to Github Container Registry uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata (tags, labels) for Docker id: meta uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 with: - images: governmentdigitalservice/ee-request-aws-account + images: ghcr.io/alphagov/re-request-an-aws-account/governmentdigitalservice/ee-request-aws-account tags: | type=sha,enable=true,priority=100,prefix=sha-,suffix=,format=short type=raw,value=latest,enable={{is_default_branch}} From c35bc85a98330506d19c508640282ea3e985020e Mon Sep 17 00:00:00 2001 From: Hauwa Muhammad Date: Wed, 7 Feb 2024 14:11:23 +0000 Subject: [PATCH 18/76] updated Dockerfile --- Dockerfile | 5 ----- 1 file changed, 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index a5aefaf..9bee818 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,12 +16,7 @@ COPY . . RUN bundle install RUN npm install -<<<<<<< HEAD EXPOSE 3000 -======= -# Expose port 8888 -EXPOSE 8888 ->>>>>>> origin/dockerise-basic # Run a shell #CMD ["bundle", "exec", "rails", "server"] From ec7fd929cd147aaa0aee487230a08ecdfef4e5e6 Mon Sep 17 00:00:00 2001 From: Hauwa Muhammad Date: Wed, 7 Feb 2024 15:30:53 +0000 Subject: [PATCH 19/76] added a section for deploying through Github Actions on READme --- README.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 2a01566..46937e3 100644 --- a/README.md +++ b/README.md 
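Review bot: Logging into ghcr.io with `secrets.GITHUB_TOKEN` and pushing requires `packages: write` on the token, but this workflow still declares no `permissions:` block, so the push fails unless the repository's default token permission is write-all; add `permissions:` with `contents: read` and `packages: write` on the job, as ghcr.yml from patch 10 does. The image name `ghcr.io/alphagov/re-request-an-aws-account/governmentdigitalservice/ee-request-aws-account` nests the old Docker Hub path under the GHCR repository path, which is presumably unintended; `ghcr.io/alphagov/re-request-an-aws-account` matches what ghcr.yml derives from `${{ github.repository }}`. With this change two workflows publish to GHCR with different names and triggers; worth deciding which one is canonical. The workflow `name:` on line 1 still says "Publish image to Docker Hub".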
@@ -29,8 +29,6 @@ bundle exec rails test To sign in as a development user, visit (to try different email addresses, you can provide a `email` parameter). If you want to test with real Google SSO, you can [create an application in the Google Cloud Console](https://console.developers.google.com/apis/credentials). -<<<<<<< Updated upstream -======= ## Building the Docker image In order to move this app away from GOV.UK PaaS, we have containerised the @@ -44,11 +42,20 @@ docker build -t request-an-aws-account . docker run -p 3000:3000 -t request-an-aws-account ``` -## Deploying through Github Actions +## Deploying through GitHub Actions +We use a GitHub Action to automate the building and deploying of our Docker image to GHCR. This workflow runs every time a PR is raised to the branch called 'main'. It uses the `docker/login-action`, `docker/metadata-action`, and `docker/build-push-action`. + +You can view the workflow in action [here](https://github.com/alphagov/re-request-an-aws-account/actions/runs/7816113717). + +The workflow utilizes the following GitHub Actions: +[`docker/login-action`](https://github.com/docker/login-action) for logging in to Docker. +[`docker/metadata-action`](https://github.com/docker/metadata-action) for generating Docker image metadata. +[`docker/build-push-action`](https://github.com/docker/build-push-action) for building and pushing the Docker image. + +This process ensures our Docker images are automatically built and pushed to the GitHub Container Registry (GHCR), streamlining our deployment process. ->>>>>>> Stashed changes ## Deploying to PaaS This is continuously deployed from master [by Github Actions](https://github.com/alphagov/re-request-an-aws-account/blob/master/.github/workflows/bundle_and_release.yml) From 80c67eb71f930f8df66312708bec9d4c84ae46cb Mon Sep 17 00:00:00 2001 
From: Hauwa Muhammad Date: Wed, 7 Feb 2024 16:19:01 +0000 Subject: [PATCH 20/76] updated changes for PR-287 --- README.md | 46 +++++++++++++++++++++++++++++++--------------- 1 file changed, 31 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 46937e3..6871654 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,12 @@ # Reliability Engineering: Request an AWS Account -User interface to manage AWS Accounts (e.g. for new services or environments) and users within the base AWS account. +User interface to manage AWS Accounts (e.g. for new services or environments) +and users within the base AWS account. ## Running locally -This is a rails app, with dependencies managed by bundler. To run the app locally clone this repo, then: +This is a rails app, with dependencies managed by bundler. To run the app +locally clone this repo, then: ```shell bundle install @@ -14,7 +16,8 @@ bundle exec rails server If you want to test the apps interaction with third party services (e.g. GitHub and GOV.UK Notify) you'll need to set up some secrets in environment variables. -The easiest way to do this in development is using a `.env` file (see [.env.example](.env.example)): +The easiest way to do this in development is using a `.env` file (see +[.env.example](.env.example)): ```shell cp .env.example .env 
@@ -27,13 +30,16 @@ Run the tests with: bundle exec rails test ``` -To sign in as a development user, visit (to try different email addresses, you can provide a `email` parameter). If you want to test with real Google SSO, you can [create an application in the Google Cloud Console](https://console.developers.google.com/apis/credentials). +To sign in as a development user, visit (to +try different email addresses, you can provide a `email` parameter). If you want +to test with real Google SSO, you can +[create an application in the Google Cloud Console](https://console.developers.google.com/apis/credentials). ## Building the Docker image -In order to move this app away from GOV.UK PaaS, we have containerised the -application in order to be able to run locally and also deploy to AWS -App Runner. The app can be accessed on port 3000. +In order to move this app away from GOV.UK PaaS, we have containerised the +application in order to be able to run locally and also deploy to AWS App +Runner. The app can be accessed on port 3000. To build and run the Docker image: 
@@ -44,23 +50,33 @@ docker run -p 3000:3000 -t request-an-aws-account ## Deploying through GitHub Actions -We use a GitHub Action to automate the building and deploying of our Docker image to GHCR. This workflow runs every time a PR is raised to the branch called 'main'. It uses the `docker/login-action`, `docker/metadata-action`, and `docker/build-push-action`. +We use a GitHub Action to automate the building and deploying of our Docker +image to GHCR. This workflow runs every time a PR is raised to the branch called +'main'. It uses the `docker/login-action`, `docker/metadata-action`, and +`docker/build-push-action`. + +You can view the workflow at [ghcr.yml](https://github.com/alphagov/re-request-an-aws-account/blob/dockerise-basic/.github/workflows/ghcr.yml). -You can view the workflow in action [here](https://github.com/alphagov/re-request-an-aws-account/actions/runs/7816113717). The workflow utilizes the following GitHub Actions: -[`docker/login-action`](https://github.com/docker/login-action) for logging in to Docker. -[`docker/metadata-action`](https://github.com/docker/metadata-action) for generating Docker image metadata. -[`docker/build-push-action`](https://github.com/docker/build-push-action) for building and pushing the Docker image. -This process ensures our Docker images are automatically built and pushed to the GitHub Container Registry (GHCR), streamlining our deployment process. +- [`docker/login-action`](https://github.com/docker/login-action) for logging in +to Docker. +- [`docker/metadata-action`](https://github.com/docker/metadata-action) +for generating Docker image metadata. +- [`docker/build-push-action`](https://github.com/docker/build-push-action) for +building and pushing the Docker image. +This process ensures our Docker images are automatically built and pushed to the +GitHub Container Registry (GHCR), streamlining our deployment process. 
## Deploying to PaaS -This is continuously deployed from master [by Github Actions](https://github.com/alphagov/re-request-an-aws-account/blob/master/.github/workflows/bundle_and_release.yml) +This is continuously deployed from master +[by Github Actions](https://github.com/alphagov/re-request-an-aws-account/blob/master/.github/workflows/bundle_and_release.yml) -To deploy to a separate route (e.g. for testing / previewing changes) you can push to PaaS manually: +To deploy to a separate route (e.g. for testing / previewing changes) you can +push to PaaS manually: ```shell cf push gds-request-an-aws-account-preview From 7b7340ae8de87556ff58210e7099e461fa730777 Mon Sep 17 00:00:00 2001 From: Hauwa Muhammad Date: Wed, 7 Feb 2024 16:27:40 +0000 Subject: [PATCH 21/76] another READme update --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6871654..d598b56 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ image to GHCR. This workflow runs every time a PR is raised to the branch called 'main'. It uses the `docker/login-action`, `docker/metadata-action`, and `docker/build-push-action`. -You can view the workflow at [ghcr.yml](https://github.com/alphagov/re-request-an-aws-account/blob/dockerise-basic/.github/workflows/ghcr.yml). +You can [view the workflow at ghcr.yml](https://github.com/alphagov/re-request-an-aws-account/blob/dockerise-basic/.github/workflows/ghcr.yml). The workflow utilizes the following GitHub Actions: From 9d46a077b7e10b045c8d41427c6224c02faea20a Mon Sep 17 00:00:00 2001 From: David Heath Date: Thu, 8 Feb 2024 11:46:08 +0000 Subject: [PATCH 22/76] Switch to ruby-3.1.4 this is the latest ruby supported by apprunner runtimes also upgraded to the latest rails 7.0.x and tested manually --- .ruby-version | 2 +- Gemfile | 4 +- Gemfile.lock | 207 ++++++++++++++++++++++++++------------------------ 3 files changed, 112 insertions(+), 101 deletions(-) 
diff --git a/.ruby-version b/.ruby-version index 944880f..0aec50e 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -3.2.0 +3.1.4 diff --git a/Gemfile b/Gemfile index ac6c36f..bf42979 100644 --- a/Gemfile +++ b/Gemfile @@ -1,7 +1,7 @@ source 'https://rubygems.org' git_source(:github) { |repo| "https://github.com/#{repo}.git" } -ruby '~> 3.2.0' +ruby '~> 3.1.4' gem 'dotenv-rails', groups: [:development] @@ -11,7 +11,7 @@ gem 'notifications-ruby-client', '~> 5.4.0' gem 'octokit', '~> 6.1.0' gem 'omniauth-google-oauth2', '~> 1.1.1' gem 'omniauth-rails_csrf_protection', '~> 1.0.1' -gem 'rails', '~> 7.0.4.3' +gem 'rails', '~> 7.0.8' gem 'sassc-rails' gem 'webmock', '~> 3.18.1' gem 'webrick', '~> 1.8.1' diff --git a/Gemfile.lock b/Gemfile.lock index 61474b0..c6c9859 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -1,96 +1,99 @@ GEM remote: https://rubygems.org/ specs: - actioncable (7.0.4.3) - actionpack (= 7.0.4.3) - activesupport (= 7.0.4.3) + actioncable (7.0.8) + actionpack (= 7.0.8) + activesupport (= 7.0.8) nio4r (~> 2.0) websocket-driver (>= 0.6.1) - actionmailbox (7.0.4.3) - actionpack (= 7.0.4.3) - activejob (= 7.0.4.3) - activerecord (= 7.0.4.3) - activestorage (= 7.0.4.3) - activesupport (= 7.0.4.3) + actionmailbox (7.0.8) + actionpack (= 7.0.8) + activejob (= 7.0.8) + activerecord (= 7.0.8) + activestorage (= 7.0.8) + activesupport (= 7.0.8) mail (>= 2.7.1) net-imap net-pop net-smtp - actionmailer (7.0.4.3) - actionpack (= 7.0.4.3) - actionview (= 7.0.4.3) - activejob (= 7.0.4.3) - activesupport (= 7.0.4.3) + actionmailer (7.0.8) + actionpack (= 7.0.8) + actionview (= 7.0.8) + activejob (= 7.0.8) + activesupport (= 7.0.8) mail (~> 2.5, >= 2.5.4) net-imap net-pop net-smtp rails-dom-testing (~> 2.0) - actionpack (7.0.4.3) - actionview (= 7.0.4.3) - activesupport (= 7.0.4.3) - rack (~> 2.0, >= 2.2.0) + actionpack (7.0.8) + actionview (= 7.0.8) + activesupport (= 7.0.8) + rack (~> 2.0, >= 2.2.4) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.2.0) - actiontext (7.0.4.3) - actionpack (= 7.0.4.3) - activerecord (= 7.0.4.3) - activestorage (= 7.0.4.3) - activesupport (= 7.0.4.3) + actiontext (7.0.8) + actionpack (= 7.0.8) + activerecord (= 7.0.8) + activestorage (= 7.0.8) + activesupport (= 7.0.8) globalid (>= 0.6.0) nokogiri (>= 1.8.5) - actionview (7.0.4.3) - activesupport (= 7.0.4.3) + actionview (7.0.8) + activesupport (= 7.0.8) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.1, >= 1.2.0) - activejob (7.0.4.3) - activesupport (= 7.0.4.3) + activejob (7.0.8) + activesupport (= 7.0.8) globalid (>= 0.3.6) - activemodel (7.0.4.3) - activesupport (= 7.0.4.3) - activerecord (7.0.4.3) - activemodel (= 7.0.4.3) - activesupport (= 7.0.4.3) - activestorage (7.0.4.3) - actionpack (= 7.0.4.3) - 
activejob (= 7.0.4.3) - activerecord (= 7.0.4.3) - activesupport (= 7.0.4.3) + activemodel (7.0.8) + activesupport (= 7.0.8) + activerecord (7.0.8) + activemodel (= 7.0.8) + activesupport (= 7.0.8) + activestorage (7.0.8) + actionpack (= 7.0.8) + activejob (= 7.0.8) + activerecord (= 7.0.8) + activesupport (= 7.0.8) marcel (~> 1.0) mini_mime (>= 1.1.0) - activesupport (7.0.4.3) + activesupport (7.0.8) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 1.6, < 2) minitest (>= 5.1) tzinfo (~> 2.0) - addressable (2.8.1) + addressable (2.8.6) public_suffix (>= 2.0.2, < 6.0) + base64 (0.2.0) + bigdecimal (3.1.6) builder (3.2.4) - concurrent-ruby (1.2.2) - crack (0.4.5) + concurrent-ruby (1.2.3) + crack (0.4.6) + bigdecimal rexml crass (1.0.6) - date (3.3.3) + date (3.3.4) dotenv (2.8.1) dotenv-rails (2.8.1) dotenv (= 2.8.1) railties (>= 3.2) erubi (1.12.0) - faraday (2.7.4) - faraday-net_http (>= 2.0, < 3.1) - ruby2_keywords (>= 0.0.4) - faraday-net_http (3.0.2) - ffi (1.15.5) - globalid (1.1.0) - activesupport (>= 5.0) - hashdiff (1.0.1) + faraday (2.9.0) + faraday-net_http (>= 2.0, < 3.2) + faraday-net_http (3.1.0) + net-http + ffi (1.16.3) + globalid (1.2.1) + activesupport (>= 6.1) + hashdiff (1.1.0) hashie (5.0.0) - i18n (1.12.0) + i18n (1.14.1) concurrent-ruby (~> 1.0) - jwt (2.7.0) + jwt (2.7.1) listen (3.8.0) rb-fsevent (~> 0.10, >= 0.10.3) rb-inotify (~> 0.9, >= 0.9.10) @@ -100,9 +103,9 @@ GEM railties (>= 4) request_store (~> 1.0) logstash-event (1.2.02) - loofah (2.19.1) + loofah (2.22.0) crass (~> 1.0.2) - nokogiri (>= 1.5.9) + nokogiri (>= 1.12.0) mail (2.8.1) mini_mime (>= 0.1.1) net-imap 
@@ -110,19 +113,23 @@ GEM net-smtp marcel (1.0.2) method_source (1.0.0) - mini_mime (1.1.2) - minitest (5.18.0) + mini_mime (1.1.5) + minitest (5.22.2) multi_xml (0.6.0) - net-imap (0.3.4) + net-http (0.4.1) + uri + net-imap (0.4.10) date net-protocol net-pop (0.1.2) net-protocol - net-protocol (0.2.1) + net-protocol (0.2.2) timeout - net-smtp (0.3.3) + net-smtp (0.4.0.1) net-protocol - nio4r (2.5.8) + nio4r (2.7.0) + nokogiri (1.16.2-arm64-darwin) + racc (~> 1.4) nokogiri (1.16.2-x86_64-linux) racc (~> 1.4) notifications-ruby-client (5.4.0) @@ -134,10 +141,10 @@ GEM rack (>= 1.2, < 4) snaky_hash (~> 2.0) version_gem (~> 1.1) - octokit (6.1.0) + octokit (6.1.1) faraday (>= 1, < 3) sawyer (~> 0.9) - omniauth (2.1.1) + omniauth (2.1.2) hashie (>= 3.4.6) rack (>= 2.2.3) rack-protection 
@@ -152,50 +159,52 @@ GEM omniauth-rails_csrf_protection (1.0.1) actionpack (>= 4.2) omniauth (~> 2.0) - public_suffix (5.0.1) + public_suffix (5.0.4) racc (1.7.3) - rack (2.2.6.4) - rack-protection (3.0.5) - rack + rack (2.2.8) + rack-protection (3.2.0) + base64 (>= 0.1.0) + rack (~> 2.2, >= 2.2.4) rack-test (2.1.0) rack (>= 1.3) rack_session_access (0.2.0) builder (>= 2.0.0) rack (>= 1.0.0) - rails (7.0.4.3) - actioncable (= 7.0.4.3) - actionmailbox (= 7.0.4.3) - actionmailer (= 7.0.4.3) - actionpack (= 7.0.4.3) - actiontext (= 7.0.4.3) - actionview (= 7.0.4.3) - activejob (= 7.0.4.3) - activemodel (= 7.0.4.3) - activerecord (= 7.0.4.3) - activestorage (= 7.0.4.3) - activesupport (= 7.0.4.3) + rails (7.0.8) + actioncable (= 7.0.8) + actionmailbox (= 7.0.8) + actionmailer (= 7.0.8) + actionpack (= 7.0.8) + actiontext (= 7.0.8) + actionview (= 7.0.8) + activejob (= 7.0.8) + activemodel (= 7.0.8) + activerecord (= 7.0.8) + activestorage (= 7.0.8) + activesupport (= 7.0.8) bundler (>= 1.15.0) - railties (= 7.0.4.3) - rails-dom-testing (2.0.3) - activesupport (>= 4.2.0) + railties (= 7.0.8) + rails-dom-testing (2.2.0) + activesupport (>= 5.0.0) + minitest nokogiri (>= 1.6) - rails-html-sanitizer (1.5.0) - loofah (~> 2.19, >= 2.19.1) - railties (7.0.4.3) - actionpack (= 7.0.4.3) - activesupport (= 7.0.4.3) + rails-html-sanitizer (1.6.0) + loofah (~> 2.21) + nokogiri (~> 1.14) + railties (7.0.8) + actionpack (= 7.0.8) + activesupport (= 7.0.8) method_source rake (>= 12.2) thor (~> 1.0) zeitwerk (~> 2.5) - rake (13.0.6) + rake (13.1.0) rb-fsevent (0.11.2) rb-inotify (0.10.1) ffi (~> 1.0) request_store (1.5.1) rack (>= 1.4) - rexml (3.2.5) - ruby2_keywords (0.0.5) + rexml (3.2.6) sassc (2.4.0) ffi (~> 1.9) sassc-rails (2.1.2) 
@@ -210,30 +219,32 @@ GEM snaky_hash (2.0.1) hashie version_gem (~> 1.1, >= 1.1.1) - sprockets (4.2.0) + sprockets (4.2.1) concurrent-ruby (~> 1.0) rack (>= 2.2.4, < 4) sprockets-rails (3.4.2) actionpack (>= 5.2) activesupport (>= 5.2) sprockets (>= 3.0.0) - thor (1.2.1) - tilt (2.1.0) - timeout (0.3.2) + thor (1.3.0) + tilt (2.3.0) + timeout (0.4.1) tzinfo (2.0.6) concurrent-ruby (~> 1.0) - version_gem (1.1.2) + uri (0.13.0) + version_gem (1.1.3) webmock (3.18.1) addressable (>= 2.8.0) crack (>= 0.3.2) hashdiff (>= 0.4.0, < 2.0.0) webrick (1.8.1) - websocket-driver (0.7.5) + websocket-driver (0.7.6) websocket-extensions (>= 0.1.0) websocket-extensions (0.1.5) - zeitwerk (2.6.7) + zeitwerk (2.6.13) PLATFORMS + arm64-darwin-22 x86_64-linux DEPENDENCIES @@ -246,13 +257,13 @@ DEPENDENCIES omniauth-google-oauth2 (~> 1.1.1) omniauth-rails_csrf_protection (~> 1.0.1) rack_session_access (~> 0.2.0) - rails (~> 7.0.4.3) + rails (~> 7.0.8) sassc-rails webmock (~> 3.18.1) webrick (~> 1.8.1) RUBY VERSION - ruby 3.2.0p0 + ruby 3.1.4p223 BUNDLED WITH 2.4.8 From 78164cacd767993025f56a3c25b6eae3d59b4458 Mon Sep 17 00:00:00 2001 From: David Heath Date: Thu, 8 Feb 2024 12:00:08 +0000 Subject: [PATCH 23/76] run tests with 3.1 --- .github/workflows/ghcr.yml | 48 ++++++++++++++++++++++++++++++ .github/workflows/rubyandnode.yaml | 2 +- Dockerfile | 26 ++++++++++++++++ Gemfile | 2 +- Gemfile.lock | 4 +-- README.md | 8 ++--- yarn.lock | 8 ++--- 7 files changed, 86 insertions(+), 12 deletions(-) create mode 100644 .github/workflows/ghcr.yml create mode 100644 Dockerfile diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml new file mode 100644 index 0000000..0810811 --- /dev/null +++ b/.github/workflows/ghcr.yml 
@@ -0,0 +1,48 @@ +# +name: Create and publish a Docker image + +# Configures this workflow to run every time a PR is raised to the branch called `main`. +on: + pull_request: + branches: ['main'] + +# Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds. +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + +# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu. +jobs: + build-and-push-image: + runs-on: ubuntu-latest + # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job. + permissions: + contents: read + packages: write + # + steps: + - name: Checkout repository + uses: actions/checkout@v4 + # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here. + - name: Log in to the Container registry + uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels. + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages. 
+ # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository. + # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step. + - name: Build and push Docker image + uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 + with: + context: . + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} diff --git a/.github/workflows/rubyandnode.yaml b/.github/workflows/rubyandnode.yaml index 94c7086..a75651b 100644 --- a/.github/workflows/rubyandnode.yaml +++ b/.github/workflows/rubyandnode.yaml @@ -11,7 +11,7 @@ jobs: - name: Set up Ruby uses: ruby/setup-ruby@e6689b4deb1cb2062ea45315001f687c0b52111b # V1.144.1 with: - ruby-version: '3.2' + ruby-version: '3.1' - name: Set up Node uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # V3.6.0 with: diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..9bee818 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,26 @@ +FROM ruby:3.2-bullseye +RUN apt-get update && apt-get install -y nodejs npm + + +# Default directory +ENV INSTALL_PATH /opt/app +RUN mkdir -p $INSTALL_PATH + +# Install rails + +#RUN chown -R user:user /opt/app +WORKDIR /opt/app + +COPY . . + +RUN bundle install +RUN npm install + +EXPOSE 3000 + +# Run a shell +#CMD ["bundle", "exec", "rails", "server"] +CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0", "--port", "3000"] + + + diff --git a/Gemfile b/Gemfile index bf42979..73461bb 100644 --- a/Gemfile +++ b/Gemfile @@ -5,7 +5,7 @@ ruby '~> 3.1.4' gem 'dotenv-rails', groups: [:development] -gem 'lograge', '~> 0.12.0' +gem 'lograge', '~> 0.14.0' gem 'logstash-event', '~> 1.2.02' gem 'notifications-ruby-client', '~> 5.4.0' gem 'octokit', '~> 6.1.0' 
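Review bot: `actions/checkout@v4` is the only step in the new workflow not pinned to a commit SHA, while the three docker/* steps are; for a job that holds `packages: write` and pushes to GHCR, pin it the same way (`uses: actions/checkout@<commit-sha>  # v4`) and add the release comment to the docker/* pins too so the bare digests stay auditable. Separately, the workflow runs on `pull_request` and sets `push: true`, so the image built from any PR opened from a branch of this repository is published under the repository's package namespace before review; consider `push: ${{ github.event_name != 'pull_request' }}` so PRs only build, and publish on `push` to the default branch or on tags. The `permissions` block is correctly scoped to `contents: read` / `packages: write`.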
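Review bot: Nothing prevents a developer's `.env` file from being baked into the image: `COPY . .` takes the whole build context, no `.dockerignore` is added in this commit, and the README hunk in the same patch tells developers to keep third-party credentials in a `.env` file at the repository root, so that file (plus `.git` and `node_modules`) would land in a layer that the new workflow pushes to GHCR. Add a `.dockerignore` excluding at least `.env`, `.git` and `node_modules`, and copy `Gemfile*` and `package.json` ahead of `bundle install`/`npm install` so the dependency layers cache independently of source changes. The image also runs as root (the commented `#RUN chown -R user:user /opt/app` suggests a dedicated user was intended) — add a `USER` before `CMD` — and the apt step should be `RUN apt-get update && apt-get install -y --no-install-recommends nodejs npm && rm -rf /var/lib/apt/lists/*` so the package lists do not persist in the layer. `FROM ruby:3.2-bullseye` also disagrees with the Gemfile's `ruby '~> 3.1.4'` visible in this same patch, so `bundle install` would fail the Ruby version check (PATCH 31 later moves the base to 3.1).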
diff --git a/Gemfile.lock b/Gemfile.lock index c6c9859..128f232 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -97,7 +97,7 @@ GEM listen (3.8.0) rb-fsevent (~> 0.10, >= 0.10.3) rb-inotify (~> 0.9, >= 0.9.10) - lograge (0.12.0) + lograge (0.14.0) actionpack (>= 4) activesupport (>= 4) railties (>= 4) @@ -250,7 +250,7 @@ PLATFORMS DEPENDENCIES dotenv-rails listen (~> 3.7) - lograge (~> 0.12.0) + lograge (~> 0.14.0) logstash-event (~> 1.2.02) notifications-ruby-client (~> 5.4.0) octokit (~> 6.1.0) diff --git a/README.md b/README.md index 36ff1b8..e32d227 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ Running locally This is a rails app, with dependencies managed by bundler. To run the app locally clone this repo, then: -``` +```sh bundle install npm install bundle exec rails server @@ -18,14 +18,14 @@ If you want to test the apps interaction with third party services (e.g. GitHub and GOV.UK Notify) you'll need to set up some secrets in environment variables. The easiest way to do this in development is using a `.env` file (see [.env.example](.env.example)): -``` +```sh cp .env.example .env $EDITOR .env ``` Run the tests with: -``` +```sh bundle exec rails test ``` @@ -38,6 +38,6 @@ This is continuously deployed from master [by Github Actions](https://github.com To deploy to a separate route (e.g. for testing / previewing changes) you can push to PaaS manually: -``` +```sh cf push gds-request-an-aws-account-preview ``` diff --git a/yarn.lock b/yarn.lock index 54ba9ab..800452b 100644 --- a/yarn.lock +++ b/yarn.lock 
@@ -2,7 +2,7 @@ # yarn lockfile v1 -"govuk-frontend@^4.5.0": - "integrity" "sha512-gZHDqf5vdlHjmx0NGJiNT12XLyR3d5KCS4AnlC3xTWOObJ0kQROrkIFyp3w4/PY3EQiYdgacVaJ6lizzygnzYw==" - "resolved" "https://registry.npmjs.org/govuk-frontend/-/govuk-frontend-4.5.0.tgz" - "version" "4.5.0" +govuk-frontend@^4.5.0: + version "4.5.0" + resolved "https://registry.npmjs.org/govuk-frontend/-/govuk-frontend-4.5.0.tgz" + integrity sha512-gZHDqf5vdlHjmx0NGJiNT12XLyR3d5KCS4AnlC3xTWOObJ0kQROrkIFyp3w4/PY3EQiYdgacVaJ6lizzygnzYw== From 7c305b05f25860084b8cda8744cd634e86cf8299 Mon Sep 17 00:00:00 2001 From: David Heath Date: Thu, 8 Feb 2024 12:00:33 +0000 Subject: [PATCH 24/76] workflow to build and push a docker image to ghcr upon PR --- .github/workflows/ghcr.yml | 41 ++++++++++++++++++++++++++++---------- 1 file changed, 30 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml index 0810811..22ea622 100644 --- a/.github/workflows/ghcr.yml +++ b/.github/workflows/ghcr.yml 
@@ -1,44 +1,63 @@ # name: Create and publish a Docker image -# Configures this workflow to run every time a PR is raised to the branch called `main`. on: pull_request: - branches: ['main'] + branches: ['ruby-3.1.4'] -# Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds. +# Defines two custom environment variables for the workflow. These are used +# for the Container registry domain, and a name for the Docker image that +# this workflow builds. env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} -# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu. +# There is a single job in this workflow. It's configured to run on the latest +# available version of Ubuntu. jobs: build-and-push-image: runs-on: ubuntu-latest - # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job. + # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in + # this job. permissions: contents: read packages: write - # + steps: - name: Checkout repository uses: actions/checkout@v4 - # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here. + + # Uses the `docker/login-action` action to log in to the Container + # registry registry using the account and password that will publish + # the packages. Once published, the packages are scoped to the account + # defined here. 
- name: Log in to the Container registry uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels. + + # This step uses [docker/metadata-action] + # (https://github.com/docker/metadata-action#about) to extract tags and + # labels that will be applied to the specified image. The `id` "meta" + # allows the output of this step to be referenced in a subsequent step. + # The `images` value provides the base name for the tags and labels. - name: Extract metadata (tags, labels) for Docker id: meta uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages. - # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository. - # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step. + + # This step uses the `docker/build-push-action` action to build the + # image, based on your repository's `Dockerfile`. If the build + # succeeds, it pushes the image to GitHub Packages. It uses the + # `context` parameter to define the build's context as the set of files + # located in the specified path. 
For more information, see "[Usage] + # (https://github.com/docker/build-push-action#usage)" in the README of + # the `docker/build-push-action` repository. It uses the `tags` and + # `labels` parameters to tag and label the image with the output from + # the "meta" step. - name: Build and push Docker image uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 with: From bc5f114b589b4bff7624922bfdd37440d4f8e6a3 Mon Sep 17 00:00:00 2001 From: David Heath Date: Thu, 8 Feb 2024 12:00:49 +0000 Subject: [PATCH 25/76] trim whitespace --- .github/workflows/bundle_and_release.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/bundle_and_release.yml b/.github/workflows/bundle_and_release.yml index bc4fce1..e9fef68 100644 --- a/.github/workflows/bundle_and_release.yml +++ b/.github/workflows/bundle_and_release.yml @@ -22,7 +22,7 @@ jobs: ruby-version: '3.2' - name: install-system-dependencies - run: | + run: | sudo apt-get update sudo apt-get install -y nodejs=12.22.9~dfsg-1ubuntu3 @@ -32,7 +32,7 @@ jobs: sudo npm install --global yarn - name: bundle-re-request-an-aws-account - run: | + run: | bundle install --without development yarnpkg install @@ -40,7 +40,7 @@ jobs: env: CF_USERNAME: ${{ secrets.CF_EMAIL }} CF_PASSWORD: ${{ secrets.CF_PASSWORD }} - run: | + run: | cf api https://api.cloud.service.gov.uk cf auth cf target -o gds-tech-ops -s re-aws-account-management From a1f921350c2c8c8ffe8e948099295055986d5384 Mon Sep 17 00:00:00 2001 From: David Heath Date: Thu, 8 Feb 2024 12:52:35 +0000 Subject: [PATCH 26/76] update setup-ruby version --- .github/workflows/rubyandnode.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/rubyandnode.yaml b/.github/workflows/rubyandnode.yaml index a75651b..ec4c3de 100644 --- a/.github/workflows/rubyandnode.yaml +++ b/.github/workflows/rubyandnode.yaml 
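Review bot: The `pull_request` trigger now fires only for PRs into `ruby-3.1.4`, a feature branch, so the publishing workflow goes silent once that branch is merged and deleted, and nothing in the file marks this as temporary; the README reworded earlier in this series still says the workflow runs on PRs to 'main'. If the narrowing is for testing, say so beside it (`# TEMP: testing on the feature branch; restore 'main' before merge`) or add `workflow_dispatch` for ad-hoc runs and leave the branch filter on the default branch. The comment reflow otherwise reads well, though `[docker/metadata-action]` and `[Usage]` are now separated from their URLs across two comment lines, which breaks the link for anyone copying it.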
@@ -9,7 +9,7 @@ jobs: steps: - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # V2.4.0 - name: Set up Ruby - uses: ruby/setup-ruby@e6689b4deb1cb2062ea45315001f687c0b52111b # V1.144.1 + uses: ruby/setup-ruby@22fdc77bf4148f810455b226c90fb81b5cbc00a7 # v1.171.0 with: ruby-version: '3.1' - name: Set up Node From 7004700eeac692a4a056cb0cb8e50c89c1a2e779 Mon Sep 17 00:00:00 2001 From: David Heath Date: Thu, 8 Feb 2024 14:04:20 +0000 Subject: [PATCH 27/76] bump builder versions --- .github/workflows/rubyandnode.yaml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/.github/workflows/rubyandnode.yaml b/.github/workflows/rubyandnode.yaml index ec4c3de..a772b02 100644 --- a/.github/workflows/rubyandnode.yaml +++ b/.github/workflows/rubyandnode.yaml @@ -7,17 +7,20 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # V2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 + - name: Set up Ruby - uses: ruby/setup-ruby@22fdc77bf4148f810455b226c90fb81b5cbc00a7 # v1.171.0 + uses: ruby/setup-ruby@22fdc77bf4148f810455b226c90fb81b5cbc00a7 with: ruby-version: '3.1' + - name: Set up Node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # V3.6.0 + uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c with: - node-version: '12' + node-version: '20' + - name: Build and test run: | bundle install --without development yarn install - bundle exec rake + bundle exec rake \ No newline at end of file From f9c62a3451126ccc8cd2177962c36958004fcaf6 Mon Sep 17 00:00:00 2001 From: David Heath Date: Thu, 8 Feb 2024 14:06:07 +0000 Subject: [PATCH 28/76] bump workflow versions make them match other workflows --- .github/workflows/bundle_and_release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/bundle_and_release.yml b/.github/workflows/bundle_and_release.yml index e9fef68..7b9ecdf 100644 
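Review bot: The `# V2.4.0`, `# v1.171.0` and `# V3.6.0` comments beside the SHA pins are dropped, which is a step backwards for auditability: a bare 40-character SHA tells a reviewer nothing about which release is in use, and Dependabot/Renovate use that trailing comment to keep the pin current. Keep them, e.g. `uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0`. That checkout pin is also two majors behind the `actions/checkout@v4` used in ghcr.yml, and bumping Node to '20' is a good moment to move it forward too, since the v2 action runs on Node 12, which GitHub has deprecated. The last line also loses its trailing newline (`\ No newline at end of file`).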
--- a/.github/workflows/bundle_and_release.yml +++ b/.github/workflows/bundle_and_release.yml @@ -10,14 +10,14 @@ jobs: runs-on: ubuntu-latest environment: production steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # V2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 - name: add-cloudfoundry-repository run: | wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | sudo apt-key add - echo "deb https://packages.cloudfoundry.org/debian stable main" | sudo tee /etc/apt/sources.list.d/cloudfoundry-cli.list - name: Set up Ruby - uses: ruby/setup-ruby@e6689b4deb1cb2062ea45315001f687c0b52111b # V1.144.1 + uses: ruby/setup-ruby@22fdc77bf4148f810455b226c90fb81b5cbc00a7 with: ruby-version: '3.2' From 60882ab160aa6883b6d707a9e1bb4ee73d95be24 Mon Sep 17 00:00:00 2001 From: David Heath Date: Thu, 8 Feb 2024 14:21:05 +0000 Subject: [PATCH 29/76] tweak --- .github/workflows/ghcr.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml index 22ea622..19b48f1 100644 --- a/.github/workflows/ghcr.yml +++ b/.github/workflows/ghcr.yml @@ -3,7 +3,8 @@ name: Create and publish a Docker image on: pull_request: - branches: ['ruby-3.1.4'] + branches: + - 'ruby-3.1.4' # Defines two custom environment variables for the workflow. These are used # for the Container registry domain, and a name for the Docker image that From ae80313aa785243836f395422cf813c66ba010b4 Mon Sep 17 00:00:00 2001 From: David Heath Date: Thu, 8 Feb 2024 14:50:44 +0000 Subject: [PATCH 30/76] trying to get the ghcr build and push workflow to trigger on this branch --- .github/workflows/ghcr.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml index 19b48f1..7ba7148 100644 --- a/.github/workflows/ghcr.yml +++ b/.github/workflows/ghcr.yml 
@@ -2,6 +2,10 @@ name: Create and publish a Docker image on: + push: + branches: + - 'ruby-3.1.4' + pull_request: branches: - 'ruby-3.1.4' From 657da69fb1cfb0c59a818ea95e4ffb2c4c81d4a7 Mon Sep 17 00:00:00 2001 From: David Heath Date: Thu, 8 Feb 2024 14:53:43 +0000 Subject: [PATCH 31/76] change dockerfile to use ruby 3.1 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 9bee818..b65b121 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ruby:3.2-bullseye +FROM ruby:3.1-slim RUN apt-get update && apt-get install -y nodejs npm From 8cc26f2be630fa26bca74480da0808dfc1286a6c Mon Sep 17 00:00:00 2001 From: David Heath Date: Thu, 8 Feb 2024 15:06:53 +0000 Subject: [PATCH 32/76] bump action versions --- .github/workflows/ghcr.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml index 7ba7148..df99e60 100644 --- a/.github/workflows/ghcr.yml +++ b/.github/workflows/ghcr.yml @@ -5,7 +5,7 @@ on: push: branches: - 'ruby-3.1.4' - + pull_request: branches: - 'ruby-3.1.4' @@ -37,7 +37,7 @@ jobs: # the packages. Once published, the packages are scoped to the account # defined here. - name: Log in to the Container registry - uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 + uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -50,7 +50,7 @@ jobs: # The `images` value provides the base name for the tags and labels. - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} 
@@ -64,7 +64,7 @@ jobs: # `labels` parameters to tag and label the image with the output from # the "meta" step. - name: Build and push Docker image - uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 with: context: . push: true From 05d1527bd7dc6eca777cf12d40ac3963cb57ec81 Mon Sep 17 00:00:00 2001 From: David Heath Date: Thu, 8 Feb 2024 15:23:35 +0000 Subject: [PATCH 33/76] Use 3.1-slim-20 version of timbru31/ruby-node pinned to sha as this is not an 'official' image --- Dockerfile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index b65b121..30322fe 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,4 @@ -FROM ruby:3.1-slim -RUN apt-get update && apt-get install -y nodejs npm - +FROM timbru31/ruby-node:@sha256:4ffd5f07be681e35ebeec21f966de45adc3b7fcd10ba17a2600bfad4fdf9ebee # Default directory ENV INSTALL_PATH /opt/app From 4a39637b8e699f698f9ff5e2a4b0f8042307de1b Mon Sep 17 00:00:00 2001 From: Hauwa Muhammad Date: Fri, 9 Feb 2024 14:02:02 +0000 Subject: [PATCH 34/76] upgraded octokit version from 6.1.0 to 8.1.0 --- Gemfile | 2 +- Gemfile.lock | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Gemfile b/Gemfile index 601cfd6..b879109 100644 --- a/Gemfile +++ b/Gemfile @@ -8,7 +8,7 @@ gem 'dotenv-rails', groups: [:development] gem 'lograge', '~> 0.14.0' gem 'logstash-event', '~> 1.2.02' gem 'notifications-ruby-client', '~> 5.4.0' -gem 'octokit', '~> 6.1.0' +gem 'octokit', '~> 8.1.0' gem 'omniauth-google-oauth2', '~> 1.1.1' gem 'omniauth-rails_csrf_protection', '~> 1.0.1' gem 'rails', '~> 7.0.4.3' diff --git a/Gemfile.lock b/Gemfile.lock index f3bb7a8..7b69226 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -237,6 +237,7 @@ GEM PLATFORMS arm64-darwin-22 + arm64-darwin-23 x86_64-linux DEPENDENCIES From 3f9b13d433868316120546607eb1d0d5afdbc1fa Mon Sep 17 00:00:00 2001 
From: David Heath Date: Sun, 11 Feb 2024 22:45:09 +0000 Subject: [PATCH 35/76] Correct syntax for FROM with digest --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 30322fe..3d3088c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM timbru31/ruby-node:@sha256:4ffd5f07be681e35ebeec21f966de45adc3b7fcd10ba17a2600bfad4fdf9ebee +FROM timbru31/ruby-node@sha256:4ffd5f07be681e35ebeec21f966de45adc3b7fcd10ba17a2600bfad4fdf9ebee # Default directory ENV INSTALL_PATH /opt/app From 4683e55601709751b4bfbd8be749ae4c0dd14c57 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Mon, 12 Feb 2024 07:21:15 +0000 Subject: [PATCH 36/76] chore: revert to 3.2.0 to bring back to current production vers --- Gemfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile b/Gemfile index 73461bb..012639b 100644 --- a/Gemfile +++ b/Gemfile @@ -1,7 +1,7 @@ source 'https://rubygems.org' git_source(:github) { |repo| "https://github.com/#{repo}.git" } -ruby '~> 3.1.4' +ruby '~> 3.2.0' gem 'dotenv-rails', groups: [:development] From 38f60a7ea336be232a8f5fd931babf1b1265549c Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Mon, 12 Feb 2024 07:21:51 +0000 Subject: [PATCH 37/76] Feat: multistage Dockerfile based on official images --- Dockerfile | 38 +++++++++++++++++++++++--------------- 1 file changed, 23 insertions(+), 15 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3d3088c..9438173 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,24 +1,32 @@ -FROM timbru31/ruby-node@sha256:4ffd5f07be681e35ebeec21f966de45adc3b7fcd10ba17a2600bfad4fdf9ebee - -# Default directory -ENV INSTALL_PATH /opt/app -RUN mkdir -p $INSTALL_PATH +#TODO pin all versions to sha digest +#TODO add .dockerignore +#TODO add non root user +FROM node:20.11-slim as nodebuilder -# Install rails - -#RUN chown -R user:user /opt/app WORKDIR /opt/app +COPY package-lock.json ./ +COPY package.json ./ +RUN npm install -COPY . . - +FROM ruby:3.2 as rubybuilder + +# Default directory +RUN apt update -y && apt -y install rsync +WORKDIR /opt/app +COPY Gemfile Gemfile.lock ./ RUN bundle install -RUN npm install +COPY --from=nodebuilder /usr/local/bin /usr/local/nodebin +RUN rsync -a /usr/local/nodebin /usr/local/bin -EXPOSE 3000 +FROM ruby:3.2 +WORKDIR /opt/app +COPY --from=rubybuilder /usr/local/bundle /usr/local/bundle +COPY --from=nodebuilder /opt/app/node_modules /opt/app/node_modules +COPY --from=nodebuilder /usr/local/lib/node_modules /usr/local/bin/node_modules -# Run a shell -#CMD ["bundle", "exec", "rails", "server"] -CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0", "--port", "3000"] +EXPOSE 3000 +COPY . . +CMD ["bundle", "exec", "rails", "server"] From a640fa62db36d1fa1c2bf0c0a2844ca8a18d17c7 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Mon, 12 Feb 2024 08:19:12 +0000 Subject: [PATCH 38/76] change branch trigger from 3.1.4 to 3.2 --- .github/workflows/ghcr.yml | 6 +++--- Gemfile.lock | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml index df99e60..7cfad0e 100644 --- a/.github/workflows/ghcr.yml +++ b/.github/workflows/ghcr.yml 
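Review bot: `RUN rsync -a /usr/local/nodebin /usr/local/bin` copies the directory itself rather than its contents, so node lands at `/usr/local/bin/nodebin/node` and is not on `PATH` in the rubybuilder stage; with rsync the trailing slash is what selects the contents: `RUN rsync -a /usr/local/nodebin/ /usr/local/bin/`. `RUN npm install` in the nodebuilder stage may resolve versions differently from `package-lock.json`, whereas `npm ci` installs exactly the lockfile (a later commit in this series makes that change). `RUN apt update -y && apt -y install rsync` uses the interactive `apt` front-end and leaves the package lists in the layer; `apt-get update && apt-get install -y --no-install-recommends rsync && rm -rf /var/lib/apt/lists/*` is the conventional form. The final `ruby:3.2` stage receives `node_modules` but no node binary and has no `USER` instruction, so `rails server` runs as root.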
@@ -1,14 +1,14 @@ # name: Create and publish a Docker image - +#todo this needs changing to be more of a manual trigger (or tied to development branch) on: push: branches: - - 'ruby-3.1.4' + - 'ruby-3.2-multistage' pull_request: branches: - - 'ruby-3.1.4' + - 'ruby-3.2-multistage' # Defines two custom environment variables for the workflow. These are used # for the Container registry domain, and a name for the Docker image that diff --git a/Gemfile.lock b/Gemfile.lock index 128f232..d3dbf58 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -263,7 +263,7 @@ DEPENDENCIES webrick (~> 1.8.1) RUBY VERSION - ruby 3.1.4p223 + ruby 3.2.3p157 BUNDLED WITH 2.4.8 From ce4378b23ffbe0f8d9eb1f5ce348c743c56e74cd Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Mon, 12 Feb 2024 08:20:04 +0000 Subject: [PATCH 39/76] updated ruby version in main file --- .ruby-version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.ruby-version b/.ruby-version index 0aec50e..a3ec5a4 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -3.1.4 +3.2 From 8488f5ed52a991d55e21d96fc9cb9730d62c4ebf Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Mon, 12 Feb 2024 08:23:23 +0000 Subject: [PATCH 40/76] update ruby to 3.2 in workflow file rubyandnode --- .github/workflows/rubyandnode.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/rubyandnode.yaml b/.github/workflows/rubyandnode.yaml index a772b02..affbcca 100644 --- a/.github/workflows/rubyandnode.yaml +++ b/.github/workflows/rubyandnode.yaml @@ -12,8 +12,8 @@ jobs: - name: Set up Ruby uses: ruby/setup-ruby@22fdc77bf4148f810455b226c90fb81b5cbc00a7 with: - ruby-version: '3.1' - + ruby-version: '3.2' + - name: Set up Node uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c with: @@ -23,4 +23,4 @@ jobs: run: | bundle install --without development yarn install - bundle exec rake \ No newline at end of file + bundle exec rake 
From 38fe6e7164844a4df2003e2eee4e879a5a39ca14 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Mon, 12 Feb 2024 08:31:29 +0000 Subject: [PATCH 41/76] todo tags --- .github/workflows/ghcr.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml index 7cfad0e..26d33c7 100644 --- a/.github/workflows/ghcr.yml +++ b/.github/workflows/ghcr.yml @@ -70,3 +70,5 @@ jobs: push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + + #TODO: makesure the right tags are being applied From c901599a83a8a80b8745ff6f589f106beb74ba78 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Mon, 12 Feb 2024 16:17:38 +0000 Subject: [PATCH 42/76] feat: ENG-72 multistage and slim final img --- Dockerfile | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9438173..b13ea6a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,19 +13,22 @@ FROM ruby:3.2 as rubybuilder # Default directory RUN apt update -y && apt -y install rsync WORKDIR /opt/app -COPY Gemfile Gemfile.lock ./ +COPY . . RUN bundle install COPY --from=nodebuilder /usr/local/bin /usr/local/nodebin RUN rsync -a /usr/local/nodebin /usr/local/bin - -FROM ruby:3.2 -WORKDIR /opt/app -COPY --from=rubybuilder /usr/local/bundle /usr/local/bundle COPY --from=nodebuilder /opt/app/node_modules /opt/app/node_modules COPY --from=nodebuilder /usr/local/lib/node_modules /usr/local/bin/node_modules +RUN bundle exec rake assets:precompile -EXPOSE 3000 +FROM ruby:3.2-slim +WORKDIR /opt/app COPY . . +COPY --from=rubybuilder /usr/local/bundle /usr/local/bundle +COPY --from=rubybuilder /usr/local/bin /usr/local/bin/ +COPY --from=rubybuilder /opt/app/public /opt/app/public +EXPOSE 3000 + CMD ["bundle", "exec", "rails", "server"] From 810b12a40e774aad83b6f07f62d918e0a486c2dc Mon Sep 17 00:00:00 2001 
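Review bot: `COPY . .` replacing `COPY Gemfile Gemfile.lock ./` in the rubybuilder stage copies the whole build context into the image before any `.dockerignore` exists (the `#TODO add .dockerignore` at the top of the file is still open), so `.git`, a local `.env` and anything else in the working tree end up in a layer of both stages, and any source change now invalidates the cached `bundle install` layer. Keep the manifest-only copy ahead of the install and copy the tree afterwards: `COPY Gemfile Gemfile.lock ./` / `RUN bundle install` / `COPY . .`, and add the `.dockerignore` before relying on `COPY . .` anywhere. The final stage also runs `COPY . .` and then overlays `public/` from the builder, and still has no `USER`, so the image runs as root.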
From: Tom Broughton Date: Tue, 13 Feb 2024 00:35:58 +0000 Subject: [PATCH 43/76] dockerfile slim --- Dockerfile | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/Dockerfile b/Dockerfile index b13ea6a..d19db98 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,23 +13,19 @@ FROM ruby:3.2 as rubybuilder # Default directory RUN apt update -y && apt -y install rsync WORKDIR /opt/app -COPY . . +COPY Gemfile Gemfile.lock ./ RUN bundle install COPY --from=nodebuilder /usr/local/bin /usr/local/nodebin RUN rsync -a /usr/local/nodebin /usr/local/bin -COPY --from=nodebuilder /opt/app/node_modules /opt/app/node_modules -COPY --from=nodebuilder /usr/local/lib/node_modules /usr/local/bin/node_modules -RUN bundle exec rake assets:precompile FROM ruby:3.2-slim WORKDIR /opt/app -COPY . . COPY --from=rubybuilder /usr/local/bundle /usr/local/bundle -COPY --from=rubybuilder /usr/local/bin /usr/local/bin/ -COPY --from=rubybuilder /opt/app/public /opt/app/public -EXPOSE 3000 - -CMD ["bundle", "exec", "rails", "server"] - +COPY --from=rubybuilder /usr/local/bin /usr/local/bin +COPY --from=nodebuilder /opt/app/node_modules /opt/app/node_modules +COPY --from=nodebuilder /usr/local/lib/node_modules /usr/local/bin/node_modules +EXPOSE 3000 +COPY . . +CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0", "--port", "3000"] From a8ab346a27bdd8d660d5e5056a505e759561c548 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Tue, 13 Feb 2024 00:36:17 +0000 Subject: [PATCH 44/76] host required for app runner otherwiser rails gets upset --- config/environments/development.rb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/environments/development.rb b/config/environments/development.rb index 425f56a..5fae823 100644 --- a/config/environments/development.rb +++ b/config/environments/development.rb 
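Review bot: `COPY --from=nodebuilder /usr/local/lib/node_modules /usr/local/bin/node_modules` places npm's global module tree under `bin/` instead of `lib/`; in the official node image the `npm`/`npx` entries in `/usr/local/bin` are presumably symlinks into `../lib/node_modules/npm/…`, so after `COPY --from=rubybuilder /usr/local/bin /usr/local/bin` those links would dangle — confirm with `docker run --rm <image> npm --version`. If only `node` and the project's own `node_modules` are needed at runtime, drop the line; otherwise copy to `/usr/local/lib/node_modules`. The final stage still has no `USER` instruction, so `rails server` runs as root.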
@@ -1,6 +1,10 @@ Rails.application.configure do # Settings specified here will take precedence over those in config/application.rb. + # In app runner on aws we need to be able to test on host + # but ruby doesn't like app runner hosts so we have to add it + config.hosts << "dz83ne5st5.eu-west-2.awsapprunner.com" + # In the development environment your application's code is reloaded on # every request. This slows down response time but is perfect for development # since you don't have to restart the web server when you make code changes. From 64c72b4f88bd5b8e66ce5eab0b881353dce866f4 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Tue, 13 Feb 2024 00:41:38 +0000 Subject: [PATCH 45/76] update readme with note about building for x86 on arm architecture --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index e32d227..bb81427 100644 --- a/README.md +++ b/README.md @@ -41,3 +41,9 @@ To deploy to a separate route (e.g. for testing / previewing changes) you can pu ```sh cf push gds-request-an-aws-account-preview ``` + +Building Docker Image +-------------------- + +Note - when building the docker image on a mac arm but wanting to run the image on x86 architecture then run the `docker build` with this flag: `--platform="linux/amd64"` + From 4ad8c316eb268827c87de661924cbb8b11b9d1eb Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Tue, 13 Feb 2024 08:54:27 +0000 Subject: [PATCH 46/76] feat: ENG-72 docker runs as none root and secret_key_base is set --- Dockerfile | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index d19db98..0dbb9f4 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -2,15 +2,12 @@ #TODO add .dockerignore #TODO add non root user FROM node:20.11-slim as nodebuilder - WORKDIR /opt/app COPY package-lock.json ./ COPY package.json ./ RUN npm install FROM ruby:3.2 as rubybuilder - -# Default directory RUN apt update -y && apt -y install rsync WORKDIR /opt/app COPY Gemfile Gemfile.lock ./ @@ -25,7 +22,11 @@ COPY --from=rubybuilder /usr/local/bin /usr/local/bin COPY --from=nodebuilder /opt/app/node_modules /opt/app/node_modules COPY --from=nodebuilder /usr/local/lib/node_modules /usr/local/bin/node_modules +RUN useradd -ms /bin/bash app +USER app +COPY --chown=app . ./ +RUN RAILS_ENV=production SECRET_KEY_BASE=assets bundle exec rake assets:precompile + EXPOSE 3000 -COPY . . CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0", "--port", "3000"] From 63954e1361ec94cfb53fc33946c4163cb440e6c6 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Tue, 13 Feb 2024 08:58:01 +0000 Subject: [PATCH 47/76] chore: remove comment todo --- Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 0dbb9f4..b304755 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,5 @@ #TODO pin all versions to sha digest #TODO add .dockerignore -#TODO add non root user FROM node:20.11-slim as nodebuilder WORKDIR /opt/app COPY package-lock.json ./ From 6faee02ac09395ba22c2df9dec2a497d6093ca39 Mon Sep 17 00:00:00 2001 From: Hauwa Muhammad Date: Tue, 13 Feb 2024 11:43:18 +0000 Subject: [PATCH 48/76] Pin docker image versions to SHA digests in Dockerfile --- Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index b304755..682971c 100644 --- a/Dockerfile +++ b/Dockerfile 
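Review bot: `WORKDIR /opt/app` created the directory as root and `COPY --chown=app . ./` only changes ownership of the files it copies, so after `USER app` the precompile step — and Rails at runtime for `tmp/` and `log/` — can only write inside subdirectories that happen to exist in the build context; creating anything directly under `/opt/app` will fail with a permission error. Give the user the directory before switching: `RUN useradd -ms /bin/bash app && chown app:app /opt/app`. `useradd -m` with a bash login shell is also more than a service account needs unless something in the build writes to the home directory; `useradd --system --no-create-home --shell /usr/sbin/nologin app` (optionally with a fixed `--uid`) is the least-privilege form. `SECRET_KEY_BASE=assets` as a build-time dummy is the right approach and should stay; the real key must not be present at build time.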
@@ -1,12 +1,12 @@ #TODO pin all versions to sha digest #TODO add .dockerignore -FROM node:20.11-slim as nodebuilder +FROM node@sha256:ecc9a2581f8588014a49a523a9ed146d27963f6d988d11bd16bbdcb3598f5f98 as nodebuilder WORKDIR /opt/app COPY package-lock.json ./ COPY package.json ./ RUN npm install -FROM ruby:3.2 as rubybuilder +FROM ruby@sha256:ddc5729409d1d3222e74a5edb62d142ebd5fa47e9a98fc2905d66056eec6ae3b as rubybuilder RUN apt update -y && apt -y install rsync WORKDIR /opt/app COPY Gemfile Gemfile.lock ./ @@ -14,7 +14,7 @@ RUN bundle install COPY --from=nodebuilder /usr/local/bin /usr/local/nodebin RUN rsync -a /usr/local/nodebin /usr/local/bin -FROM ruby:3.2-slim +FROM ruby@sha256:04da59d84a16b6db4a6663a6940a5142d79a50d8727acd00f10c3701cdeb46b0 WORKDIR /opt/app COPY --from=rubybuilder /usr/local/bundle /usr/local/bundle COPY --from=rubybuilder /usr/local/bin /usr/local/bin From 859dbdd3ac9247b8f8f80d6303bf747d2816c1a9 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Tue, 13 Feb 2024 21:04:01 +0000 Subject: [PATCH 49/76] ignore some emacs files --- .gitignore | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.gitignore b/.gitignore index d23b852..6a0cf60 100644 --- a/.gitignore +++ b/.gitignore @@ -25,3 +25,7 @@ node_modules/ yarn-error.log + +# emacs +.#* +*.*# \ No newline at end of file From da509ccc3527a5fe5ff1f72dbc5e309789edcb9e Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Wed, 14 Feb 2024 08:52:41 +0000 Subject: [PATCH 50/76] chore: include nano for devops purposes --- Dockerfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index b304755..1752ba2 100644 --- a/Dockerfile +++ b/Dockerfile 
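Review bot: `FROM node@sha256:…` and `FROM ruby@sha256:…` drop the tag entirely, so nobody reading the file can tell which Node or Ruby release a digest is, and tag-based update tooling has nothing to key on. Keep both, tag and digest: `FROM node:20.11-slim@sha256:ecc9a2581f8588014a49a523a9ed146d27963f6d988d11bd16bbdcb3598f5f98 AS nodebuilder` (the digest decides resolution; the tag documents intent), and likewise for the two `ruby` images in this and the second hunk. A later commit in this series reverts these pins to bare tags, which should be reconciled with the `#TODO pin all versions to sha digest` line this commit leaves at the top of the file.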
@@ -7,12 +7,13 @@ COPY package.json ./ RUN npm install FROM ruby:3.2 as rubybuilder -RUN apt update -y && apt -y install rsync +RUN apt update -y && apt -y install rsync nano +RUN cp /usr/bin/nano /usr/local/bin/ WORKDIR /opt/app COPY Gemfile Gemfile.lock ./ -RUN bundle install COPY --from=nodebuilder /usr/local/bin /usr/local/nodebin RUN rsync -a /usr/local/nodebin /usr/local/bin +RUN bundle install FROM ruby:3.2-slim WORKDIR /opt/app From 482447e5c9da204fa9c8f7e74ae713c99d14fcad Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Wed, 14 Feb 2024 09:05:07 +0000 Subject: [PATCH 51/76] ENG-129 new credentials.yml.enc with new master key --- Dockerfile | 3 +-- README.md | 22 ++++++++++++++++++++++ config/credentials.yml.enc | 2 +- 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 1752ba2..5ebb2fa 100644 --- a/Dockerfile +++ b/Dockerfile @@ -25,8 +25,7 @@ COPY --from=nodebuilder /usr/local/lib/node_modules /usr/local/bin/node_modules RUN useradd -ms /bin/bash app USER app COPY --chown=app . ./ -RUN RAILS_ENV=production SECRET_KEY_BASE=assets bundle exec rake assets:precompile +RUN RAILS_ENV=production bundle exec rake assets:precompile EXPOSE 3000 CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0", "--port", "3000"] - diff --git a/README.md b/README.md index bb81427..2a87e69 100644 --- a/README.md +++ b/README.md 
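Review bot: Installing `nano` in the builder and copying the binary into `/usr/local/bin/` so it travels into the slim runtime image via `COPY --from=rubybuilder /usr/local/bin` ships an interactive editor in the production image, adding attack surface and scanner findings, and the commit message gives operator convenience as the only reason. If an editor is needed for debugging, build a separate debug variant or install it in the final stage with `apt-get` behind a build `ARG` that defaults to off. Copying `/usr/bin/nano` alone also presumably leaves its shared-library dependencies (ncurses) behind in the builder — confirm it actually starts on the slim image before relying on it.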
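Review bot: Dropping `SECRET_KEY_BASE=assets` from the `rake assets:precompile` line means the production environment is loaded at build time with no secret_key_base; on the Rails 7.0 line this app uses, booting production without one presumably raises unless `RAILS_MASTER_KEY` or `config/master.key` is available, so this step will fail unless the real key is supplied to the build — and passing it via `--build-arg` or `ENV` would bake it into image history. The dummy value was the safe way to satisfy that check for a step that never uses it; restore it as `RUN RAILS_ENV=production SECRET_KEY_BASE=dummyvalue bundle exec rake assets:precompile` and keep the master key runtime-only, as the README added in this commit describes.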
@@ -47,3 +47,25 @@ Building Docker Image Note - when building the docker image on a mac arm but wanting to run the image on x86 architecture then run the `docker build` with this flag: `--platform="linux/amd64"` +Ruby App Master Key +------------------- + +If running in production a master key is required to decrypt `credentials.yml.enc`. This has been created and is passed into the container/environment at runtime. + + +ENV vars +-------- + + - `RAILS_ALLOW_LOCAHOST` true|false(default): allows application to be accessed via localhost + - `RAILS_FORCE_SSL` true|false(default): will redirect to https if set to true (producti) + - `RAILS_SERVE_STATIC_FILES` true|false(default) + - `RAILS_LOG_TO_STDOUT` true : will log out errors etc since production defaults to logfile + +ENV secrets +----------- + + - `GOOGLE_CLIENT_ID`: an OAuth2 client ID + - `GOOGLE_CLIENT_SECRET`: an OAuth2 client secret + - `GITHUB_PERSONAL_ACCESS_TOKEN`: the PAT required to act on requied alphagov repos + - `NOTIFY_API_KEY`: a key to use the notify api to send emails + - `RAILS_MASTER_KEY`: the key that has been used to encode `config/credentials.yml.enc` diff --git a/config/credentials.yml.enc b/config/credentials.yml.enc index b946d28..48e7ac6 100644 --- a/config/credentials.yml.enc +++ b/config/credentials.yml.enc 
@@ -1 +1 @@ -JYLZWFEpYkOLwd9tdWtEy4YpSN86ddx1ZUaw7r3RYAccKyb5E/F0Z5exbmvSYMb4D7jIrVbJA4/QLtjIAiQbfBHU1TzELX3SmmXynIgwQSP5lAghqSjMfibh7K4nDo+tcuEK7vzJQLMgppKe0k8FZ/YbhfN+9z3JnWAZDF2luNB2eA7Sd90hjsWfetfKytXHmxyZyRs5wRFbcFiWxr1qkZMqrNBeYT0SJvmlIn/0gPaWhaChfYlQ6Oec0a6HVStgUUTk+DQxlm41nGiZFUrziJJ9sCWpg2vqpM9qTRJA6c2KThM2Vk3QUf8kwuN3xq1hbxlShbuVzYsK3zrDW+1WfotjZUK1zRBlG/yoTG8bKBfEiBUhRShmA7QNELZ0xWS5CkxY8eBGN2PHb3UL9JKBEFPdiARM8y48l8w7--xLWlXU8H2TZfsGY0--x/+J9h+S77hp/zKTCA2RIg== \ No newline at end of file +ILSvU3YecAgXRmD7PlcrjoujG3HNsOVDvJsSni6mKuVfm30wm/8X2RxccZt8b/FMgW/ummy7XG3VBk7kHvPuTnD5oI6Pjm/OnKiyv+ZHd8ZPZv0PLtfCKlpfzvrYG/HQBUBLv+2lg0UW14rfr4v507h2ReH+cTC/Ag0cdnDjjB4mig+uvJwLr0lY/WJwBOoQk53+ClWEJmd6XVA0FKbQd125CCq0aKxxK6X6utGDXkdF4lREJcmMArlaADyuJa6rv6QkTEeGbhG+vM4ZJv3HeIFHbLI9SgShzhc/K8gLXZCjTaJYEOgNnBxQHHOx2dC9kEQtGTuICBm3SVn6vUToGIVlyIJFxFnoo52aEXTdnE+UDx2Y6WDS5aUMK/QfSalDPHPiNjhMqWTsbjydTsquORP1tcwxLPb0tBPU--SQAY12axmtmcxWvG--CyutWZo2oB+0Dm0O6W7HVw== \ No newline at end of file From d5dced290d30c9e652fd9f80a26e1113215e9127 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Wed, 14 Feb 2024 09:10:23 +0000 Subject: [PATCH 52/76] FEAT: ENG-134 you can now run app as production locally --- config/environments/production.rb | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/config/environments/production.rb b/config/environments/production.rb index b8d1ee4..e01fae3 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb 
@@ -1,16 +1,30 @@ Rails.application.configure do + # In app runner on aws we need to be able to test on host + # but ruby doesn't like app runner hosts so we have to add it + # @TODO remove these once we have perm host/domain set up + config.hosts << "dz83ne5st5.eu-west-2.awsapprunner.com" + + config.cache_classes = true config.eager_load = true - config.consider_all_requests_local = false config.action_controller.perform_caching = true config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present? config.log_level = :debug config.log_tags = [ :request_id ] config.i18n.fallbacks = true config.active_support.deprecation = :notify - config.force_ssl = true config.logger = ActiveSupport::Logger.new(STDERR) + # so we can run production config in localhost to check it + # remove the force ssl config if env var set to false + # and ensure default will always be true + ENV['RAILS_FORCE_SSL'].blank ? config.force.ssl = true : config.force_ssl = ENV['RAILS_FORCE_SSL'].present? + + # so we can run procudion config in localhost to check it + # if env var is set to true consider all request to be local and allow hosts + config.consider_all_requests_local = ENV['RAILS_ALLOW_LOCALHOST'].present? + config.hosts << "localhost:3000" if ENV['RAILS_ALLOW_LOCALHOST'].present? + # Define a content security policy # For further information see the following documentation # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy From 356c791343cf206ea1ec0187e6c427a6ca20111c Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Wed, 14 Feb 2024 09:17:06 +0000 Subject: [PATCH 53/76] chore: typo --- config/environments/production.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/environments/production.rb b/config/environments/production.rb index e01fae3..a7f6f05 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb 
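Review bot: `ENV['RAILS_FORCE_SSL'].present?` is true for any non-empty string, so `RAILS_FORCE_SSL=false` still forces SSL, and the same holds for `ENV['RAILS_ALLOW_LOCALHOST'].present?`, which means setting that variable to `false` turns on `consider_all_requests_local` in production and serves full stack-trace error pages to every client. The ternary also calls `.blank` (missing `?`, fixed in the next commit) and assigns `config.force.ssl`, a typo for `config.force_ssl` that raises `NoMethodError` whenever the variable is unset, so production would not boot in the default case. Compare against an explicit value instead, e.g. `config.force_ssl = ENV.fetch('RAILS_FORCE_SSL', 'true') == 'true'` and `config.consider_all_requests_local = ENV['RAILS_ALLOW_LOCALHOST'] == 'true'`. The hard-coded `config.hosts << "dz83ne5st5.eu-west-2.awsapprunner.com"` ties production config to one App Runner instance; the TODO acknowledges it and a later commit moves it to an env var.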
@@ -18,7 +18,7 @@ # so we can run production config in localhost to check it # remove the force ssl config if env var set to false # and ensure default will always be true - ENV['RAILS_FORCE_SSL'].blank ? config.force.ssl = true : config.force_ssl = ENV['RAILS_FORCE_SSL'].present? + ENV['RAILS_FORCE_SSL'].blank? ? config.force.ssl = true : config.force_ssl = ENV['RAILS_FORCE_SSL'].present? # so we can run procudion config in localhost to check it # if env var is set to true consider all request to be local and allow hosts From 75b86f22b5ef385b53c81abf482103933cfda16a Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Wed, 14 Feb 2024 09:47:45 +0000 Subject: [PATCH 54/76] FIX: ENG-134 ssl wasn't getting deactivated --- README.md | 3 +-- config/environments/production.rb | 7 ++----- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 2a87e69..f954d05 100644 --- a/README.md +++ b/README.md @@ -56,8 +56,7 @@ If running in production a master key is required to decrypt `credentials.yml.en ENV vars -------- - - `RAILS_ALLOW_LOCAHOST` true|false(default): allows application to be accessed via localhost - - `RAILS_FORCE_SSL` true|false(default): will redirect to https if set to true (producti) + - `RAILS_ALLOW_LOCALHOST` true|false(default): allows application to be accessed via localhost - `RAILS_SERVE_STATIC_FILES` true|false(default) - `RAILS_LOG_TO_STDOUT` true : will log out errors etc since production defaults to logfile diff --git a/config/environments/production.rb b/config/environments/production.rb index a7f6f05..8460e9d 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb 
@@ -15,15 +15,12 @@ config.active_support.deprecation = :notify config.logger = ActiveSupport::Logger.new(STDERR) - # so we can run production config in localhost to check it - # remove the force ssl config if env var set to false - # and ensure default will always be true - ENV['RAILS_FORCE_SSL'].blank? ? config.force.ssl = true : config.force_ssl = ENV['RAILS_FORCE_SSL'].present? - # so we can run procudion config in localhost to check it # if env var is set to true consider all request to be local and allow hosts config.consider_all_requests_local = ENV['RAILS_ALLOW_LOCALHOST'].present? config.hosts << "localhost:3000" if ENV['RAILS_ALLOW_LOCALHOST'].present? + config.force_ssl = true + config.force_ssl = false if ENV['RAILS_ALLOW_LOCALHOST'].present? # Define a content security policy # For further information see the following documentation From fa424e89da103d4007fda7b1177c2aea050e4992 Mon Sep 17 00:00:00 2001 From: Hauwa Muhammad Date: Fri, 16 Feb 2024 10:17:54 +0000 Subject: [PATCH 55/76] added a .dockerignore file --- .dockerignore | 12 ++++++++++++ .ruby-version | 2 +- Dockerfile | 11 ++++++----- 3 files changed, 19 insertions(+), 6 deletions(-) create mode 100644 .dockerignore diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..ec0d784 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,12 @@ +.DS_Store +.git +.github +.gitignore +.rbenv-gemsets +.ruby-version +.secrets +node_modules +yarn.lock +node_modules/ +vendor/ +README.md diff --git a/.ruby-version b/.ruby-version index a3ec5a4..b347b11 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -3.2 +3.2.3 diff --git a/Dockerfile b/Dockerfile index 682971c..1f0520a 100644 --- a/Dockerfile +++ b/Dockerfile 
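Review bot: `config.force_ssl = false if ENV['RAILS_ALLOW_LOCALHOST'].present?` lets a single variable, tested only for non-emptiness, disable TLS enforcement and (two lines up) enable `consider_all_requests_local` in the production environment; `RAILS_ALLOW_LOCALHOST=false` or `=0` has exactly the same effect as `=true`. Compare the value explicitly, `local = ENV['RAILS_ALLOW_LOCALHOST'] == 'true'`, and consider keeping `consider_all_requests_local` false even for local production runs, since the detailed error pages are what leaks internals if the flag is ever set in a real deployment.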
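Review bot: The new `.dockerignore` excludes `.secrets` but not `.env` or `config/master.key`, both typical local-only files in a Rails checkout (the Gemfile pulls in `dotenv-rails`), and both would be copied into the image by the Dockerfile's `COPY . .`; the rewrite of this file in PATCH 56 adds `.env.example` but still neither of those. Add `.env`, `.env.*`, `config/master.key` and `config/credentials/*.key` explicitly rather than relying on them being absent from the developer's working tree. `node_modules` is also listed twice.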
@@ -7,12 +7,14 @@ COPY package.json ./ RUN npm install FROM ruby@sha256:ddc5729409d1d3222e74a5edb62d142ebd5fa47e9a98fc2905d66056eec6ae3b as rubybuilder -RUN apt update -y && apt -y install rsync +RUN apt update -y && apt -y install rsync nano && which nano +RUN cp $(which nano) /usr/local/bin/ + WORKDIR /opt/app COPY Gemfile Gemfile.lock ./ -RUN bundle install COPY --from=nodebuilder /usr/local/bin /usr/local/nodebin RUN rsync -a /usr/local/nodebin /usr/local/bin +RUN bundle install FROM ruby@sha256:04da59d84a16b6db4a6663a6940a5142d79a50d8727acd00f10c3701cdeb46b0 WORKDIR /opt/app @@ -24,8 +26,7 @@ COPY --from=nodebuilder /usr/local/lib/node_modules /usr/local/bin/node_modules RUN useradd -ms /bin/bash app USER app COPY --chown=app . ./ -RUN RAILS_ENV=production SECRET_KEY_BASE=assets bundle exec rake assets:precompile +RUN RAILS_ENV=production bundle exec rake assets:precompile EXPOSE 3000 -CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0", "--port", "3000"] - +CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0", "--port", "3000"] \ No newline at end of file From 87c93feb75322f1483196d8c896d84a04a1e6134 Mon Sep 17 00:00:00 2001 From: Hauwa Muhammad Date: Fri, 16 Feb 2024 11:46:19 +0000 Subject: [PATCH 56/76] FEAT: ENG-127 docker build ignores files --- .dockerignore | 26 ++++++++++++++++++++++---- Dockerfile | 14 ++++++++------ Gemfile | 2 +- 3 files changed, 31 insertions(+), 11 deletions(-) diff --git a/.dockerignore b/.dockerignore index ec0d784..a2fc92c 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,12 +1,30 @@ +#ensure these are copied +!tmp/ +!lib/assets/ +!lib/tasks/ +!log/ +!vendor/ + +#keep these directories but nothing in them +lib/* +log/* +tmp/* +vendor/* + + +#ignore these files/directories .DS_Store .git .github .gitignore .rbenv-gemsets .ruby-version -.secrets -node_modules yarn.lock -node_modules/ -vendor/ +node_modules README.md +.dockerignore +.env.example +manifest.yml +test +Dockerfile + 
diff --git a/Dockerfile b/Dockerfile index 1f0520a..08de73b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,14 +1,14 @@ #TODO pin all versions to sha digest #TODO add .dockerignore -FROM node@sha256:ecc9a2581f8588014a49a523a9ed146d27963f6d988d11bd16bbdcb3598f5f98 as nodebuilder +FROM node:20.11-slim as nodebuilder WORKDIR /opt/app COPY package-lock.json ./ COPY package.json ./ RUN npm install -FROM ruby@sha256:ddc5729409d1d3222e74a5edb62d142ebd5fa47e9a98fc2905d66056eec6ae3b as rubybuilder -RUN apt update -y && apt -y install rsync nano && which nano -RUN cp $(which nano) /usr/local/bin/ +FROM ruby:3.2.3 as rubybuilder +RUN apt update -y && apt -y install rsync nano +RUN cp /usr/bin/nano /usr/local/bin/ WORKDIR /opt/app COPY Gemfile Gemfile.lock ./ @@ -16,17 +16,19 @@ COPY --from=nodebuilder /usr/local/bin /usr/local/nodebin RUN rsync -a /usr/local/nodebin /usr/local/bin RUN bundle install -FROM ruby@sha256:04da59d84a16b6db4a6663a6940a5142d79a50d8727acd00f10c3701cdeb46b0 +FROM ruby:3.2.3-slim WORKDIR /opt/app COPY --from=rubybuilder /usr/local/bundle /usr/local/bundle COPY --from=rubybuilder /usr/local/bin /usr/local/bin COPY --from=nodebuilder /opt/app/node_modules /opt/app/node_modules COPY --from=nodebuilder /usr/local/lib/node_modules /usr/local/bin/node_modules +#RUN mkdir /opt/app/tmp RUN useradd -ms /bin/bash app USER app COPY --chown=app . ./ RUN RAILS_ENV=production bundle exec rake assets:precompile EXPOSE 3000 -CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0", "--port", "3000"] \ No newline at end of file +CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0", "--port", "3000"] + diff --git a/Gemfile b/Gemfile index 012639b..82ceff3 100644 --- a/Gemfile +++ b/Gemfile @@ -1,7 +1,7 @@ source 'https://rubygems.org' git_source(:github) { |repo| "https://github.com/#{repo}.git" } -ruby '~> 3.2.0' +ruby '~> 3.2.3' gem 'dotenv-rails', groups: [:development] From f51d4afde92f9894b67b88e1e26d0a0b594a7b30 Mon Sep 17 00:00:00 2001 
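Review bot: The digest pins added two commits earlier are reverted to mutable tags (`node:20.11-slim`, `ruby:3.2.3`, `ruby:3.2.3-slim`) while `#TODO pin all versions to sha digest` stays at the top of the file, so the build is no longer reproducible against a known image and the TODO now reads as done when it is not; whatever the reason for dropping the digests, the durable form is tag plus digest, `FROM node:20.11-slim@sha256:<digest> AS nodebuilder`, not a bare tag. The commented `#RUN mkdir /opt/app/tmp` in the second hunk hints at the permission problem caused by `WORKDIR` creating `/opt/app` as root before `USER app`; `RUN useradd -ms /bin/bash app && chown app:app /opt/app` addresses it without leaving dead lines in the file.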
From: Hauwa Muhammad Date: Fri, 16 Feb 2024 12:58:15 +0000 Subject: [PATCH 57/76] ENG-126 removed npm from final image --- Dockerfile | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index dd94b29..5c066ab 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,26 +8,31 @@ RUN npm install FROM ruby:3.2.3 as rubybuilder -RUN apt update -y && apt -y install rsync nano +RUN apt update -y && apt -y install nano RUN cp /usr/bin/nano /usr/local/bin/ WORKDIR /opt/app COPY Gemfile Gemfile.lock ./ COPY --from=nodebuilder /usr/local/bin /usr/local/nodebin -RUN rsync -a /usr/local/nodebin /usr/local/bin +RUN export PATH=$PATH:usr/local/nodebin RUN bundle install +COPY --from=nodebuilder /opt/app/node_modules /opt/app/node_modules +#COPY --from=nodebuilder /usr/local/lib/node_modules /usr/local/bin/node_modules +RUN useradd -ms /bin/bash app +USER app +COPY --chown=app . ./ +RUN RAILS_ENV=production bundle exec rake assets:precompile + + +# Remove node and npm since no longer needed and address CVES issues. +USER root +RUN rm -rf /opt/app/node_modules FROM ruby:3.2.3-slim WORKDIR /opt/app COPY --from=rubybuilder /usr/local/bundle /usr/local/bundle -COPY --from=rubybuilder /usr/local/bin /usr/local/bin -COPY --from=nodebuilder /opt/app/node_modules /opt/app/node_modules -COPY --from=nodebuilder /usr/local/lib/node_modules /usr/local/bin/node_modules - -#RUN mkdir /opt/app/tmp RUN useradd -ms /bin/bash app USER app -COPY --chown=app . ./ -RUN RAILS_ENV=production bundle exec rake assets:precompile +COPY --chown=app --from=rubybuilder /opt/app /opt/app EXPOSE 3000 CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0", "--port", "3000"] From 68ea9a9a804d6c123e9c4880e227375cdfc271d5 Mon Sep 17 00:00:00 2001 From: Hauwa Muhammad Date: Fri, 16 Feb 2024 13:01:56 +0000 Subject: [PATCH 58/76] removed line 19 from final image --- Dockerfile | 1 - 1 file changed, 1 deletion(-) 
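Review bot: `RUN export PATH=$PATH:usr/local/nodebin` has no effect beyond its own layer — every `RUN` starts a fresh shell, so `PATH` is unchanged when `bundle exec rake assets:precompile` runs — and the path is relative (missing the leading `/`) in any case, so the copied node binaries are never found. Use the instruction that persists across layers: `ENV PATH="/usr/local/nodebin:${PATH}"`. The same inert line is carried into the final stage by PATCH 59 later in this series. The `USER root` / `RUN rm -rf /opt/app/node_modules` at the end of this builder stage does achieve its aim here, because the final stage copies `/opt/app` only after that removal.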
diff --git a/Dockerfile b/Dockerfile index 5c066ab..a785a18 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,6 @@ COPY --from=nodebuilder /usr/local/bin /usr/local/nodebin RUN export PATH=$PATH:usr/local/nodebin RUN bundle install COPY --from=nodebuilder /opt/app/node_modules /opt/app/node_modules -#COPY --from=nodebuilder /usr/local/lib/node_modules /usr/local/bin/node_modules RUN useradd -ms /bin/bash app USER app COPY --chown=app . ./ From ba8c9a0e1c3f4a2812ed59d2f0ca0308112aba0e Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Fri, 16 Feb 2024 13:45:03 +0000 Subject: [PATCH 59/76] fix: ENG-126 precomplile needs to be in final image to be effective --- Dockerfile | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/Dockerfile b/Dockerfile index a785a18..752736a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,26 +12,21 @@ RUN apt update -y && apt -y install nano RUN cp /usr/bin/nano /usr/local/bin/ WORKDIR /opt/app COPY Gemfile Gemfile.lock ./ -COPY --from=nodebuilder /usr/local/bin /usr/local/nodebin -RUN export PATH=$PATH:usr/local/nodebin RUN bundle install + +FROM ruby:3.2.3-slim +WORKDIR /opt/app +COPY --from=rubybuilder /usr/local/bundle /usr/local/bundle +COPY --from=nodebuilder /usr/local/bin /usr/local/nodebin COPY --from=nodebuilder /opt/app/node_modules /opt/app/node_modules +RUN export PATH=$PATH:usr/local/nodebin RUN useradd -ms /bin/bash app USER app COPY --chown=app . ./ RUN RAILS_ENV=production bundle exec rake assets:precompile - - -# Remove node and npm since no longer needed and address CVES issues. USER root -RUN rm -rf /opt/app/node_modules - -FROM ruby:3.2.3-slim -WORKDIR /opt/app -COPY --from=rubybuilder /usr/local/bundle /usr/local/bundle -RUN useradd -ms /bin/bash app +RUN rm -rf /usr/local/nodebin && rm -rf /opt/app/node_modules USER app -COPY --chown=app --from=rubybuilder /opt/app /opt/app EXPOSE 3000 CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0", "--port", "3000"] 
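Review bot: `RUN rm -rf /usr/local/nodebin && rm -rf /opt/app/node_modules` runs in a later layer of the final stage, so it hides those paths but does not remove them from the image — the node binaries and `node_modules` brought in by the earlier `COPY --from=nodebuilder` instructions remain in their own layers and in any scanner's view, which defeats the stated goal of keeping node out of the shipped image. Run the precompile in a builder stage that has node on `PATH` and copy only `/opt/app` (with `public/assets`) into the slim stage, so nothing has to be deleted afterwards. `RUN export PATH=$PATH:usr/local/nodebin` is still inert here, as noted on the earlier hunk, so the precompile presumably runs without node on `PATH` at all — confirm it actually needs node.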
From 59c35f9898fe1a575b658fced059441aa060803c Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Fri, 16 Feb 2024 13:53:44 +0000 Subject: [PATCH 60/76] chore: ENG- --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 752736a..ae3a405 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,6 +12,7 @@ RUN apt update -y && apt -y install nano RUN cp /usr/bin/nano /usr/local/bin/ WORKDIR /opt/app COPY Gemfile Gemfile.lock ./ +RUN bundle config set --local without 'development test' RUN bundle install FROM ruby:3.2.3-slim From 89523c9844ea7c8c87fb03ad581e637a3bc0f31e Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Fri, 16 Feb 2024 14:54:56 +0000 Subject: [PATCH 61/76] FEAT: ENG-133 allowed domains can be passed in via env var --- README.md | 3 +-- config/environments/development.rb | 4 ---- config/environments/production.rb | 17 +++++++++-------- 3 files changed, 10 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index f954d05..f803b2e 100644 --- a/README.md +++ b/README.md @@ -55,8 +55,7 @@ If running in production a master key is required to decrypt `credentials.yml.en ENV vars -------- - - - `RAILS_ALLOW_LOCALHOST` true|false(default): allows application to be accessed via localhost + - `RAILS_ALLOWED_DOMAINS`: the domain of the app runtime env (eg loalhost:3000 or sub.domain.tld) - `RAILS_SERVE_STATIC_FILES` true|false(default) - `RAILS_LOG_TO_STDOUT` true : will log out errors etc since production defaults to logfile diff --git a/config/environments/development.rb b/config/environments/development.rb index 5fae823..7f5ec6a 100644 --- a/config/environments/development.rb +++ b/config/environments/development.rb 
@@ -1,9 +1,5 @@ Rails.application.configure do # Settings specified here will take precedence over those in config/application.rb. - - # In app runner on aws we need to be able to test on host - # but ruby doesn't like app runner hosts so we have to add it - config.hosts << "dz83ne5st5.eu-west-2.awsapprunner.com" # In the development environment your application's code is reloaded on # every request. This slows down response time but is perfect for development diff --git a/config/environments/production.rb b/config/environments/production.rb index 8460e9d..069da68 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -2,9 +2,8 @@ # In app runner on aws we need to be able to test on host # but ruby doesn't like app runner hosts so we have to add it # @TODO remove these once we have perm host/domain set up - config.hosts << "dz83ne5st5.eu-west-2.awsapprunner.com" + config.hosts = [ENV['RAILS_ALLOWED_DOMAINS']] - config.cache_classes = true config.eager_load = true config.action_controller.perform_caching = true @@ -15,12 +14,14 @@ config.active_support.deprecation = :notify config.logger = ActiveSupport::Logger.new(STDERR) - # so we can run procudion config in localhost to check it - # if env var is set to true consider all request to be local and allow hosts - config.consider_all_requests_local = ENV['RAILS_ALLOW_LOCALHOST'].present? - config.hosts << "localhost:3000" if ENV['RAILS_ALLOW_LOCALHOST'].present? - config.force_ssl = true - config.force_ssl = false if ENV['RAILS_ALLOW_LOCALHOST'].present? + # so we can run production in localhost we check the allowd domain + if ENV['RAILS_ALLOWED_DOMAINS'] == "localhost:3000" + config.consider_all_requests_local = true + config.force_ssl = false + else + config.consider_all_requests_local = false + config.force_ssl = true + end # Define a content security policy # For further information see the following documentation 
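Review bot: `config.hosts = [ENV['RAILS_ALLOWED_DOMAINS']]` in the first production.rb hunk yields `[nil]` when the variable is unset, which as far as I can tell enables host authorization with no matching entry and rejects every request rather than falling back to a default; and despite the plural name only one host is accepted. Consider `config.hosts = ENV.fetch('RAILS_ALLOWED_DOMAINS', '').split(',').map(&:strip).reject(&:empty?)` (string entries are exact matches; a leading `.` is needed for subdomain wildcards). The same hunk also deletes `config.cache_classes = true`, which looks unrelated to the env-var change — unless this Rails version controls reloading elsewhere, production would reload application code, so confirm that deletion is intentional. The `@TODO remove these once we have perm host/domain set up` comment kept above the new line is now stale.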
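Review bot: The new `if ENV['RAILS_ALLOWED_DOMAINS'] == "localhost:3000"` branch in the second production.rb hunk hard-codes a second copy of a literal that must stay identical to the value used for `config.hosts`; defining it once (e.g. `LOCAL_DEV_HOST = "localhost:3000"`) keeps the two in step, and the comment typo `allowd` should read `allowed`. The else branch defaulting to `force_ssl = true` and `consider_all_requests_local = false` when the variable is unset or different is the right fail-closed choice.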
From 07200df1f6fe46315e639880e846eb76d1704e98 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Fri, 16 Feb 2024 14:57:55 +0000 Subject: [PATCH 62/76] chore: ENG-133 install node and bundle in production mode --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index dd94b29..eb05743 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ FROM node:20.11-slim as nodebuilder WORKDIR /opt/app COPY package-lock.json ./ COPY package.json ./ -RUN npm install +RUN npm ci FROM ruby:3.2.3 as rubybuilder @@ -14,7 +14,7 @@ WORKDIR /opt/app COPY Gemfile Gemfile.lock ./ COPY --from=nodebuilder /usr/local/bin /usr/local/nodebin RUN rsync -a /usr/local/nodebin /usr/local/bin -RUN bundle install +RUN bundle config set --local without 'development test' FROM ruby:3.2.3-slim WORKDIR /opt/app From 799fff09fc8fb2120bc69c54b6efabad0f555798 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Fri, 16 Feb 2024 15:11:08 +0000 Subject: [PATCH 63/76] chore ENG-133 dockerfile optimisations --- .dockerignore | 3 +-- Dockerfile | 14 +++++++------- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/.dockerignore b/.dockerignore index a2fc92c..9426340 100644 --- a/.dockerignore +++ b/.dockerignore @@ -26,5 +26,4 @@ README.md .env.example manifest.yml test -Dockerfile - +Dockerfile \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 4effffb..d9f80fd 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,3 @@ -#TODO pin all versions to sha digest -#TODO add .dockerignore FROM node:20.11-slim as nodebuilder WORKDIR /opt/app COPY package-lock.json ./ 
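Review bot: Replacing `RUN bundle install` with `RUN bundle config set --local without 'development test'` in the rubybuilder hunk (`@@ -14,7 +14,7 @@`) drops the install step entirely, so `/usr/local/bundle` copied into the final stage would contain no gems at this revision; the config line needs the install after it, `RUN bundle config set --local without 'development test' && bundle install` (PATCH 63 below does add this, but the commit as is builds a gem-less image). Separately, the context line `RUN rsync -a /usr/local/nodebin /usr/local/bin` copies the directory itself because the source has no trailing slash, producing `/usr/local/bin/nodebin/` rather than placing the binaries on PATH — presumably not what was intended; `rsync -a /usr/local/nodebin/ /usr/local/bin/` would.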
@@ -8,11 +6,13 @@ RUN npm ci FROM ruby:3.2.3 as rubybuilder -RUN apt update -y && apt -y install nano -RUN cp /usr/bin/nano /usr/local/bin/ +RUN apt update -y \ + && apt -y install nano \ + && cp /usr/bin/nano /usr/local/bin/ WORKDIR /opt/app COPY Gemfile Gemfile.lock ./ -RUN bundle config set --local without 'development test' +RUN bundle config set --local without 'development test' \ + && bundle install FROM ruby:3.2.3-slim @@ -20,8 +20,8 @@ WORKDIR /opt/app COPY --from=rubybuilder /usr/local/bundle /usr/local/bundle COPY --from=nodebuilder /usr/local/bin /usr/local/nodebin COPY --from=nodebuilder /opt/app/node_modules /opt/app/node_modules -RUN export PATH=$PATH:usr/local/nodebin -RUN useradd -ms /bin/bash app +RUN export PATH=$PATH:usr/local/nodebin \ + && useradd -ms /bin/bash app USER app COPY --chown=app . ./ RUN RAILS_ENV=production bundle exec rake assets:precompile From 005be60c2f49347c3301a72420017b823e30af61 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Fri, 16 Feb 2024 15:15:22 +0000 Subject: [PATCH 64/76] chore: comments dockerfile --- Dockerfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index d9f80fd..ad5fa8f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,10 +1,11 @@ +# get official nodejs/npm binaries FROM node:20.11-slim as nodebuilder WORKDIR /opt/app COPY package-lock.json ./ COPY package.json ./ RUN npm ci - +# bundle install the gems for production FROM ruby:3.2.3 as rubybuilder RUN apt update -y \ && apt -y install nano \ @@ -14,7 +15,7 @@ COPY Gemfile Gemfile.lock ./ RUN bundle config set --local without 'development test' \ && bundle install - +# copy required files from base images, precompile assets & cleanupS FROM ruby:3.2.3-slim WORKDIR /opt/app COPY --from=rubybuilder /usr/local/bundle /usr/local/bundle From f24b9666c9014fedabc3f74cbc986e04052c01b6 Mon Sep 17 00:00:00 2001 
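Review bot: The merged `RUN apt update -y && apt -y install nano && cp /usr/bin/nano /usr/local/bin/` in the rubybuilder hunk still leaves the apt package lists in the layer and uses the interactive `apt` front end; `apt-get update && apt-get install -y --no-install-recommends nano && rm -rf /var/lib/apt/lists/*` is the conventional form. As far as the visible stages show, nothing copies `/usr/local/bin/nano` from rubybuilder into the final stage (only `/usr/local/bundle` is taken from it), so the install appears to be dead weight in the build unless something outside this diff depends on it. A one-line comment stating why nano is installed in a build stage, or removal of the step, would settle it.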
From: Tom Broughton Date: Fri, 16 Feb 2024 15:15:41 +0000 Subject: [PATCH 65/76] typo --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index ad5fa8f..3b4fc18 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,7 +15,7 @@ COPY Gemfile Gemfile.lock ./ RUN bundle config set --local without 'development test' \ && bundle install -# copy required files from base images, precompile assets & cleanupS +# copy required files from base images, precompile assets & cleanup FROM ruby:3.2.3-slim WORKDIR /opt/app COPY --from=rubybuilder /usr/local/bundle /usr/local/bundle From d6472a835359ef26037b8b1c96102d62f776f2ab Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Fri, 16 Feb 2024 19:10:05 +0000 Subject: [PATCH 66/76] ENG-126 reverting node modules, we infact need it for sass --- Dockerfile | 3 --- 1 file changed, 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3b4fc18..4248985 100644 --- a/Dockerfile +++ b/Dockerfile @@ -26,9 +26,6 @@ RUN export PATH=$PATH:usr/local/nodebin \ USER app COPY --chown=app . ./ RUN RAILS_ENV=production bundle exec rake assets:precompile -USER root -RUN rm -rf /usr/local/nodebin && rm -rf /opt/app/node_modules -USER app EXPOSE 3000 CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0", "--port", "3000"] From da00be1cb7272579f38c588b72e987b8e631034c Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Fri, 16 Feb 2024 19:14:35 +0000 Subject: [PATCH 67/76] FEAT: ENG-16 we now know what host a pr was raised from --- .../check_your_answers_controller.rb | 3 +- app/controllers/remove_user_controller.rb | 2 +- app/controllers/reset_password_controller.rb | 2 +- app/controllers/user_controller.rb | 2 +- app/services/github_service.rb | 62 +++---------------- 5 files changed, 13 insertions(+), 58 deletions(-) diff --git a/app/controllers/check_your_answers_controller.rb b/app/controllers/check_your_answers_controller.rb index bd0c13c..e01a528 100644 
--- a/app/controllers/check_your_answers_controller.rb +++ b/app/controllers/check_your_answers_controller.rb @@ -59,7 +59,8 @@ def post programme_or_other, email, admin_users, - tags + tags, + request.host ) session['pull_request_url'] = pull_request_url diff --git a/app/controllers/remove_user_controller.rb b/app/controllers/remove_user_controller.rb index 245ec96..2edba09 100644 --- a/app/controllers/remove_user_controller.rb +++ b/app/controllers/remove_user_controller.rb @@ -14,7 +14,7 @@ def post email_list = @form.email_list begin - pull_request_url = GithubService.new.create_remove_user_pull_request(email_list, requester_email) + pull_request_url = GithubService.new.create_remove_user_pull_request(email_list, requester_email, request.host) session['pull_request_url'] = pull_request_url diff --git a/app/controllers/reset_password_controller.rb b/app/controllers/reset_password_controller.rb index 7be3c31..cd9a825 100644 --- a/app/controllers/reset_password_controller.rb +++ b/app/controllers/reset_password_controller.rb @@ -14,7 +14,7 @@ def post requester_email = session.fetch('email') begin - pull_request_url = GithubService.new.create_reset_user_email_pull_request(requester_name, requester_email) + pull_request_url = GithubService.new.create_reset_user_email_pull_request(requester_name, requester_email, request.host) session['pull_request_url'] = pull_request_url diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb index bac81a1..1080ea2 100644 --- a/app/controllers/user_controller.rb +++ b/app/controllers/user_controller.rb @@ -14,7 +14,7 @@ def post email_list = @form.email_list begin - pull_request_url = GithubService.new.create_new_user_pull_request(email_list, requester_email) + pull_request_url = GithubService.new.create_new_user_pull_request(email_list, requester_email, request.host) session['pull_request_url'] = pull_request_url 
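Review bot: Passing `request.host` into the pull-request text (here and in the remove_user, reset_password and user controller hunks) replaces a fixed string with a value derived from the incoming Host header, so the "Requested using …" line in each GitHub PR now reflects whatever host the request arrived on. That is bounded only by `config.hosts` host authorization being active in every environment that creates PRs; if the allow-list is ever empty or misconfigured, the audit line becomes caller-influenced text in a repository reviewers rely on. A deployment-configured value (the same setting that populates `config.hosts`, or a dedicated app-host setting) records the deployment rather than the request and needs no `host` parameter threaded through `GithubService`. If `request.host` is kept, a comment at the call site noting that host authorization is what makes it trustworthy would help the next reader.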
diff --git a/app/services/github_service.rb b/app/services/github_service.rb index 1e67ace..b67eb90 100644 --- a/app/services/github_service.rb +++ b/app/services/github_service.rb @@ -7,7 +7,7 @@ def initialize end end - def create_new_account_pull_request(account_name, account_description, programme, email, admin_users, tags) + def create_new_account_pull_request(account_name, account_description, programme, email, admin_users, tags, host) unless @client Errors::log_error 'No GITHUB_PERSONAL_ACCESS_TOKEN set. Skipping pull request.' return nil @@ -55,7 +55,7 @@ def create_new_account_pull_request(account_name, account_description, programme 'master', new_branch_name, "Add new AWS account for #{programme}: #{account_name}", - "Account requested using gds-request-an-aws-account.cloudapps.digital by #{email} + "Account requested using #{host} by #{email} Description: #{account_description_quote} @@ -68,7 +68,7 @@ def create_new_account_pull_request(account_name, account_description, programme ).html_url end - def create_new_user_pull_request(email_list, requester_email) + def create_new_user_pull_request(email_list, requester_email, host) unless @client Errors::log_error 'No GITHUB_PERSONAL_ACCESS_TOKEN set. Skipping pull request.' return nil 
@@ -125,56 +125,10 @@ def create_new_user_pull_request(email_list, requester_email) 'master', new_branch_name, commit_message_title, - "Requested using gds-request-an-aws-account.cloudapps.digital by #{requester_email} + "Requested using #{host} by #{requester_email} #{email_list}" - ).html_url - end - - def create_remove_user_pull_request(email_list, requester_email) - unless @client - Errors::log_error 'No GITHUB_PERSONAL_ACCESS_TOKEN set. Skipping pull request.' - return nil - end - - github_repo = 'alphagov/aws-user-management-account-users' - users_path = 'terraform/gds_users.tf.json' - groups_path = 'terraform/iam_crossaccountaccess_members.tf.json' - - users_contents = @client.contents github_repo, path: users_path - groups_contents = @client.contents github_repo, path: groups_path - - terraform_users_service = TerraformUsersService.new Base64.decode64(users_contents.content), Base64.decode64(groups_contents.content) - new_users_contents = terraform_users_service.remove_users(email_list) - new_groups_contents = terraform_users_service.remove_users_from_group(email_list) - - first_part_of_new_email_address = email_list.split('@').first - - new_branch_name = 'remove-aws-user-' + first_part_of_new_email_address.split('.').join('-') + ('-and-friends' if multiple_users?(email_list)).to_s - create_branch github_repo, new_branch_name, @client.commit(github_repo, 'master').sha - name = first_part_of_new_email_address.split('.').map { |name| name.capitalize }.join(' ') - requester_name = requester_email.split('@').first.split('.').map { |name| name.capitalize }.join(' ') - - if multiple_users?(email_list) - commit_message_title = "Remove AWS user #{first_part_of_new_email_address} and friends" - else - commit_message_title = "Remove AWS user #{first_part_of_new_email_address}" - end - - @client.update_contents( - github_repo, - users_path, - "#{commit_message_title} - -#{email_list} - -Co-authored-by: #{requester_name} <#{requester_email}>", - users_contents.sha, - 
new_users_contents, - branch: new_branch_name - ) - @client.update_contents( - github_repo, + ).html_url github_repo, groups_path, "Remove users from crossaccountaccess group @@ -190,13 +144,13 @@ def create_remove_user_pull_request(email_list, requester_email) 'master', new_branch_name, commit_message_title, - "Requested using gds-request-an-aws-account.cloudapps.digital by #{requester_email} + "Requested using #{host} by #{requester_email} #{email_list}" ).html_url end - def create_reset_user_email_pull_request(requester_name, requester_email) + def create_reset_user_email_pull_request(requester_name, requester_email, host) unless @client Errors::log_error 'No GITHUB_PERSONAL_ACCESS_TOKEN set. Skipping pull request.' return nil @@ -239,7 +193,7 @@ def create_reset_user_email_pull_request(requester_name, requester_email) 'master', new_branch_name, commit_message_title, - "Requested using gds-request-an-aws-account.cloudapps.digital by #{requester_name}" + "Requested using #{host} by #{requester_name}" ).html_url end From 2081c44980f01c1ba040715078abc1d10ed58d3e Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Mon, 19 Feb 2024 10:12:36 +0000 Subject: [PATCH 68/76] fix: put the function back --- app/services/github_service.rb | 45 ++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/app/services/github_service.rb b/app/services/github_service.rb index b67eb90..e882046 100644 --- a/app/services/github_service.rb +++ b/app/services/github_service.rb 
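Review bot: The `@@ -125,56 +125,10 @@` hunk removes the whole of `create_remove_user_pull_request` while leaving the arguments of its second `@client.update_contents(` call in place, so the new side reads `).html_url github_repo, groups_path, "Remove users from crossaccountaccess group …`, which is a syntax error and would stop `github_service.rb` from loading at all. The commit subject mentions only the host, and remove_user_controller.rb in the same patch is changed to call this method with three arguments, so the deletion looks accidental. The method should be restored with the new parameter, `def create_remove_user_pull_request(email_list, requester_email, host)`, and its PR body updated like the other three.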
@@ -128,6 +128,51 @@ def create_new_user_pull_request(email_list, requester_email, host) "Requested using #{host} by #{requester_email} #{email_list}" + ).html_url + end + + def create_remove_user_pull_request(email_list, requester_email) + unless @client + Errors::log_error 'No GITHUB_PERSONAL_ACCESS_TOKEN set. Skipping pull request.' + return nil + end + + github_repo = 'alphagov/aws-user-management-account-users' + users_path = 'terraform/gds_users.tf.json' + groups_path = 'terraform/iam_crossaccountaccess_members.tf.json' + + users_contents = @client.contents github_repo, path: users_path + groups_contents = @client.contents github_repo, path: groups_path + + terraform_users_service = TerraformUsersService.new Base64.decode64(users_contents.content), Base64.decode64(groups_contents.content) + new_users_contents = terraform_users_service.remove_users(email_list) + new_groups_contents = terraform_users_service.remove_users_from_group(email_list) + + first_part_of_new_email_address = email_list.split('@').first + + new_branch_name = 'remove-aws-user-' + first_part_of_new_email_address.split('.').join('-') + ('-and-friends' if multiple_users?(email_list)).to_s + create_branch github_repo, new_branch_name, @client.commit(github_repo, 'master').sha + name = first_part_of_new_email_address.split('.').map { |name| name.capitalize }.join(' ') + requester_name = requester_email.split('@').first.split('.').map { |name| name.capitalize }.join(' ') + + if multiple_users?(email_list) + commit_message_title = "Remove AWS user #{first_part_of_new_email_address} and friends" + else + commit_message_title = "Remove AWS user #{first_part_of_new_email_address}" + end + + @client.update_contents( + github_repo, + users_path, + "#{commit_message_title} +#{email_list} +Co-authored-by: #{requester_name} <#{requester_email}>", + users_contents.sha, + new_users_contents, + branch: new_branch_name + ) + @client.update_contents( + github_repo, ).html_url github_repo, groups_path, "Remove 
users from crossaccountaccess group From ffd9a37bca9daeb65d6fd09ca3cf5a6ac0a68b55 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Mon, 19 Feb 2024 11:21:02 +0000 Subject: [PATCH 69/76] fix: repaired github service --- app/services/github_service.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/app/services/github_service.rb b/app/services/github_service.rb index e882046..7080afe 100644 --- a/app/services/github_service.rb +++ b/app/services/github_service.rb @@ -128,10 +128,10 @@ def create_new_user_pull_request(email_list, requester_email, host) "Requested using #{host} by #{requester_email} #{email_list}" - ).html_url + ).html_url end - def create_remove_user_pull_request(email_list, requester_email) + def create_remove_user_pull_request(email_list, requester_email, host) unless @client Errors::log_error 'No GITHUB_PERSONAL_ACCESS_TOKEN set. Skipping pull request.' return nil @@ -165,7 +165,9 @@ def create_remove_user_pull_request(email_list, requester_email) github_repo, users_path, "#{commit_message_title} + #{email_list} + Co-authored-by: #{requester_name} <#{requester_email}>", users_contents.sha, new_users_contents, @@ -173,7 +175,6 @@ def create_remove_user_pull_request(email_list, requester_email) ) @client.update_contents( github_repo, - ).html_url github_repo, groups_path, "Remove users from crossaccountaccess group From 193687989cdcbfcfd65817a8ceb94611e63332b3 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Mon, 19 Feb 2024 16:45:13 +0000 Subject: [PATCH 70/76] fix: docker build apprunner image & node i wihtout prod --- .github/workflows/ghcr.yml | 4 ++-- Dockerfile | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml index 26d33c7..76c09ca 100644 --- a/.github/workflows/ghcr.yml +++ b/.github/workflows/ghcr.yml 
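Review bot: The restored `def create_remove_user_pull_request(email_list, requester_email)` takes two parameters, but remove_user_controller.rb (changed in PATCH 67) calls it with `(email_list, requester_email, request.host)`, so the call raises ArgumentError until a `host` parameter is added. The re-added body also keeps the stray `).html_url` between `@client.update_contents( github_repo,` and `github_repo, groups_path`, so the file is still not valid Ruby at this revision. The local `name = first_part_of_new_email_address.split('.')…` is assigned but never used in the visible body and can be dropped.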
@@ -4,11 +4,11 @@ name: Create and publish a Docker image on: push: branches: - - 'ruby-3.2-multistage' + - 'main' pull_request: branches: - - 'ruby-3.2-multistage' + - 'apprunner-image' # Defines two custom environment variables for the workflow. These are used # for the Container registry domain, and a name for the Docker image that diff --git a/Dockerfile b/Dockerfile index 4248985..7e47078 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ FROM node:20.11-slim as nodebuilder WORKDIR /opt/app COPY package-lock.json ./ COPY package.json ./ -RUN npm ci +RUN npm i # bundle install the gems for production FROM ruby:3.2.3 as rubybuilder From 8ab62fcc23d777b347b528672ca7dbe67626aee5 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Mon, 19 Feb 2024 16:58:08 +0000 Subject: [PATCH 71/76] push bump --- .github/workflows/ghcr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml index 76c09ca..e507a91 100644 --- a/.github/workflows/ghcr.yml +++ b/.github/workflows/ghcr.yml @@ -18,7 +18,7 @@ env: IMAGE_NAME: ${{ github.repository }} # There is a single job in this workflow. It's configured to run on the latest -# available version of Ubuntu. +# available version of Ubuntu. jobs: build-and-push-image: runs-on: ubuntu-latest From 3d133888fc3e0b9afa052ff85842d01931ffd6d3 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Mon, 19 Feb 2024 17:03:04 +0000 Subject: [PATCH 72/76] fix: run when pushing in apprunner images --- .github/workflows/ghcr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml index e507a91..d324b0f 100644 --- a/.github/workflows/ghcr.yml +++ b/.github/workflows/ghcr.yml @@ -4,7 +4,7 @@ name: Create and publish a Docker image on: push: branches: - - 'main' + - 'apprunner-image' pull_request: branches: From 27d255d560961b6a670bc999c2e2e664da70f68c Mon Sep 17 00:00:00 2001 
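Review bot: Reverting `RUN npm ci` to `RUN npm i` in the Dockerfile hunk gives up the lockfile guarantee — `npm install` may resolve versions that differ from `package-lock.json` and rewrite it — which is exactly the reproducibility PATCH 62 introduced. If the motivation (per the subject, "node i without prod") is to include devDependencies for the sass build, `npm ci` already installs them unless `NODE_ENV=production` or `--omit=dev` is in effect, and `npm ci --include=dev` makes that explicit; presumably something else caused the earlier `npm ci` to miss a package, which is worth confirming before relying on `npm i`.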
From: Hauwa Muhammad Date: Tue, 20 Feb 2024 14:06:23 +0000 Subject: [PATCH 73/76] removed bundle release workflows --- .github/workflows/bundle_and_release.yml | 48 ------------------------ 1 file changed, 48 deletions(-) delete mode 100644 .github/workflows/bundle_and_release.yml diff --git a/.github/workflows/bundle_and_release.yml b/.github/workflows/bundle_and_release.yml deleted file mode 100644 index 7b9ecdf..0000000 --- a/.github/workflows/bundle_and_release.yml +++ /dev/null @@ -1,48 +0,0 @@ -name: release-re-request-an-aws-account - -on: - push: - branches: [ master ] - - workflow_dispatch: -jobs: - build-release: - runs-on: ubuntu-latest - environment: production - steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 - - name: add-cloudfoundry-repository - run: | - wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | sudo apt-key add - - echo "deb https://packages.cloudfoundry.org/debian stable main" | sudo tee /etc/apt/sources.list.d/cloudfoundry-cli.list - - - name: Set up Ruby - uses: ruby/setup-ruby@22fdc77bf4148f810455b226c90fb81b5cbc00a7 - with: - ruby-version: '3.2' - - - name: install-system-dependencies - run: | - sudo apt-get update - - sudo apt-get install -y nodejs=12.22.9~dfsg-1ubuntu3 - sudo apt-get install -y cf8-cli - - sudo gem install bundler:2.4.8 - sudo npm install --global yarn - - - name: bundle-re-request-an-aws-account - run: | - bundle install --without development - yarnpkg install - - - name: deploy-to-paas - env: - CF_USERNAME: ${{ secrets.CF_EMAIL }} - CF_PASSWORD: ${{ secrets.CF_PASSWORD }} - run: | - cf api https://api.cloud.service.gov.uk - cf auth - cf target -o gds-tech-ops -s re-aws-account-management - - cf push -f ./manifest.yml --strategy rolling From 5f8ffd695cb877f0989472046f5485e0da030822 Mon Sep 17 00:00:00 2001 
From: Hauwa Muhammad Date: Tue, 20 Feb 2024 14:11:05 +0000 Subject: [PATCH 74/76] deleted bin/cf-set-env because we are no longer using cf --- bin/cf-set-env | 22 ---------------------- 1 file changed, 22 deletions(-) delete mode 100755 bin/cf-set-env diff --git a/bin/cf-set-env b/bin/cf-set-env deleted file mode 100755 index cfd8d44..0000000 --- a/bin/cf-set-env +++ /dev/null @@ -1,22 +0,0 @@ -#!/usr/bin/env bash - -set -eu - -cd "$(dirname "$0")/.." - -if [ ! -f .env ] -then - >&2 echo "$(tput setaf 1)This script sets the environment variables on PaaS to the contents of .env -No .env file found, exiting$(tput sgr0)" - exit 1 -fi - -while IFS= read -r line -do - key="$(cut -d = -f 1 <<< "$line")" - value="$(cut -d = -f 2 <<< "$line")" - cf set-env gds-request-an-aws-account "$key" "$value" -done < .env - -cf restage gds-request-an-aws-account - From 74b52a63db2ca3ebadfe72f683c85edcda0384c9 Mon Sep 17 00:00:00 2001 From: Hauwa Muhammad Date: Tue, 20 Feb 2024 14:13:20 +0000 Subject: [PATCH 75/76] deleted deploying to Paas section in READme --- README.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/README.md b/README.md index f803b2e..6ceaf11 100644 --- a/README.md +++ b/README.md @@ -31,16 +31,6 @@ bundle exec rails test To sign in as a development user, visit (to try different email addresses, you can provide a `email` parameter). If you want to test with real Google SSO, you can [create an application in the Google Cloud Console](https://console.developers.google.com/apis/credentials). -Deploying to PaaS ------------------ - -This is continuously deployed from master [by Github Actions](https://github.com/alphagov/re-request-an-aws-account/blob/master/.github/workflows/bundle_and_release.yml) - -To deploy to a separate route (e.g. for testing / previewing changes) you can push to PaaS manually: - -```sh -cf push gds-request-an-aws-account-preview -``` Building Docker Image -------------------- 
From ac4fe7ac0b31a91aecb34141c17531090635f56d Mon Sep 17 00:00:00 2001 From: Hauwa Muhammad Date: Tue, 20 Feb 2024 14:33:29 +0000 Subject: [PATCH 76/76] modified workflows from apprunner-image to main --- .github/workflows/ghcr.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml index d324b0f..7df259e 100644 --- a/.github/workflows/ghcr.yml +++ b/.github/workflows/ghcr.yml @@ -4,11 +4,11 @@ name: Create and publish a Docker image on: push: branches: - - 'apprunner-image' + - 'main' pull_request: branches: - - 'apprunner-image' + - 'main' # Defines two custom environment variables for the workflow. These are used # for the Container registry domain, and a name for the Docker image that