Merge pull request #74 from ropable/master

Update to Django 4.2
dbca-wa · Mar 5, 2024 · 12ccf3b · 12ccf3b
2 parents befd41a + ccee8fb
commit 12ccf3b
Show file tree

Hide file tree

Showing 7 changed files with 233 additions and 234 deletions.
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -22,38 +22,67 @@ jobs:
       packages: write
       security-events: write
     steps:
+      #----------------------------------------------
+      # Checkout repo
+      #----------------------------------------------
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      #----------------------------------------------
+      # Set up Docker BuildX environment
+      #----------------------------------------------
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+      #----------------------------------------------
+      # Log Docker into the GitHub Container Repository
+      #----------------------------------------------
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+      #----------------------------------------------
+      # Extract Docker image metadata from GitHub events
+      #----------------------------------------------
       - name: Extract Docker metadata
         id: meta
         uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           flavor: |
             latest=true
+      #----------------------------------------------
+      # Build and push Docker image (not on PR)
+      #----------------------------------------------
       - name: Build and push Docker image
         uses: docker/build-push-action@v5
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-      - name: Run Trivy vuln scanner on Docker image
+  scan:
+    name: Image vulnerability scan
+    runs-on: ubuntu-latest
+    needs: [build]
+    permissions:
+      contents: read
+      packages: read
+      security-events: write
+    steps:
+      #----------------------------------------------
+      # Run vulnerability scan on built image
+      #----------------------------------------------
+      - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}'
-          ignore-unfixed: true
+          scan-type: 'image'
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+          severity: 'HIGH,CRITICAL'
           format: 'sarif'
           output: 'trivy-results.sarif'
       - name: Upload Trivy scan results to GitHub Security tab

diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
@@ -14,10 +14,9 @@ jobs:
     runs-on: ubuntu-latest
     env:
       DATABASE_URL: postgis://postgres:postgres@localhost:5432/postgres
-      PORT: 80
     services:
       postgres:
-        image: postgis/postgis:13-3.1-alpine
+        image: postgis/postgis:15-3.4-alpine
         env:
           POSTGRES_USER: postgres
           POSTGRES_PASSWORD: postgres
@@ -26,17 +25,6 @@ jobs:
         options: --mount type=tmpfs,destination=/var/lib/postgresql/data --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
     steps:
       #----------------------------------------------
-      # Checkout repo and set up Python
-      #----------------------------------------------
-      - name: Checkout repo
-        uses: actions/checkout@v4
-        id: checkout-repo
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        id: setup-python
-        with:
-          python-version: '3.9'
-      #----------------------------------------------
       # Install GDAL into the environment
       #----------------------------------------------
       - name: Install GDAL
@@ -46,6 +34,18 @@ jobs:
           sudo apt-get update
           sudo apt-get install --no-install-recommends --yes gdal-bin libgdal-dev
       #----------------------------------------------
+      # Checkout repo and set up Python
+      #----------------------------------------------
+      - name: Check out repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        id: setup-python
+        with:
+          python-version: '3.11'
+      #----------------------------------------------
       # Install & configure Poetry
       #----------------------------------------------
       - name: Install Poetry

diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 # Prepare the base environment.
-FROM python:3.10.13-slim as builder_base_caddy
+FROM python:3.11.8-slim as builder_base_caddy
 MAINTAINER asi@dbca.wa.gov.au
 LABEL org.opencontainers.image.source https://github.com/dbca-wa/caddy
 

diff --git a/README.md b/README.md
@@ -75,7 +75,7 @@ http://www.postgresql.org/docs/current/static/textsearch.html
 
 This project includes the following pre-commit hooks:
 
-- TruffleHog (credential scanning): https://github.com/marketplace/actions/trufflehog-oss
+- TruffleHog: https://docs.trufflesecurity.com/docs/scanning-git/precommit-hooks/
 
 Pre-commit hooks may have additional system dependencies to run. Optionally
 install pre-commit hooks locally like so:

diff --git a/kustomize/overlays/prod/kustomization.yaml b/kustomize/overlays/prod/kustomization.yaml
@@ -20,4 +20,4 @@ patches:
   - path: service_patch.yaml
 images:
   - name: ghcr.io/dbca-wa/caddy
-    newTag: 2.3.2
+    newTag: 2.3.3