Devsecops/matts/workflow fixes (#17186)

* workflow updates * fix dependabot versioning strategy for Dockerfile
CDCgov · Jan 28, 2025 · 69649d6 · 69649d6
1 parent 3619314
commit 69649d6
Show file tree

Hide file tree

Showing 43 changed files with 112 additions and 121 deletions.
diff --git a/.github/actions/azviz/README.md b/.github/actions/azviz/README.md
@@ -67,7 +67,7 @@ inputs:
 ```yml
 jobs:
   generate-viz:
-      runs-on: ubuntu-24.04
+      runs-on: ubuntu-latest
       steps:
         - name: Login to Azure
           uses: azure/login@v1

diff --git a/.github/actions/checksum-validate/README.md b/.github/actions/checksum-validate/README.md
@@ -14,7 +14,7 @@
 jobs:
   generate-checksums:
     name: Generate checksum
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/[email protected]
 
@@ -34,7 +34,7 @@ jobs:
     name: Validate checksum
     needs:
       - generate-checksums
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/[email protected]
 

diff --git a/.github/actions/connect-ovpn/README.md b/.github/actions/connect-ovpn/README.md
@@ -41,7 +41,7 @@ example.
 
 ```yml
   connect-open-vpn:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v1
       - name: Install Open VPN

diff --git a/.github/actions/reliable-pull-request/README.md b/.github/actions/reliable-pull-request/README.md
@@ -18,7 +18,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [ubuntu-24.04]
+        os: [ubuntu-latest]
     steps:
       - name: Checkout the repo
         uses: actions/[email protected]

diff --git a/.github/actions/remote-branch/README.md b/.github/actions/remote-branch/README.md
@@ -12,7 +12,7 @@
 jobs:
   create-branch-action:
     name: Create branch
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
@@ -27,7 +27,7 @@ jobs:
 jobs:
   create-branch-action:
     name: Create branch
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
@@ -51,7 +51,7 @@ jobs:
 jobs:
   create-branch-action:
     name: Create branch
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -23,7 +23,6 @@ updates:
     directory: "/frontend-react"
     schedule:
       interval: "weekly"
-    versioning-strategy: increase-if-necessary
 
   # slack-boltjs-app (chatops)
   - package-ecosystem: "gitsubmodule"

diff --git a/.github/workflows/StaleItemsReport.yml b/.github/workflows/StaleItemsReport.yml
@@ -8,7 +8,7 @@ on:
 jobs:
   alert_stale_items:
     name: Alert on Stale items in github
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
       - name: Check Out Changes
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
@@ -67,8 +67,8 @@ jobs:
           message: |
             ${{ steps.stale_out.outputs.MESSAGE_RESPONSE }}
           icon-emoji: ':hourglass_flowing_sand:'
-          channel: prime-reportstream-engineering
-          webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
+          channel: cdc-reportstream-bot-notifications
+          webhook-url: ${{ secrets.SLACK_NOTIFICATIONS_WEBHOOK_URL }}
           color: warning
           slackify-markdown: true
 
@@ -80,7 +80,7 @@ jobs:
           message: |
             ${{ steps.stale_out.outputs.MESSAGE_ISSUES_RESPONSE }}
           icon-emoji: ':hourglass_flowing_sand:'
-          channel: prime-reportstream-engineering
-          webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
+          channel: cdc-reportstream-bot-notifications
+          webhook-url: ${{ secrets.SLACK_NOTIFICATIONS_WEBHOOK_URL }}
           color: warning
           slackify-markdown: true
diff --git a/.github/workflows/alert_MBUsers_Inactive.yml b/.github/workflows/alert_MBUsers_Inactive.yml
@@ -8,7 +8,7 @@ on:
 jobs:
   alert_version_upgrade:
     name: Alert about Metabase Inactive users
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
       - name: Check Out Changes
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938

diff --git a/.github/workflows/alert_PD_schedule_Slack.yml b/.github/workflows/alert_PD_schedule_Slack.yml
@@ -6,11 +6,10 @@ on:
 
 env:
   channel: cdc-reportstream-bot-notifications
-  # Updated Slack Channel
 jobs:
   pre_job:
     name: Pre Job
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     outputs:
       IsMonday: ${{ steps.IsMonday.outputs.IsMonday }}
       WeekDay: ${{ steps.WeekDay.outputs.IsWeekDay }}
@@ -34,7 +33,7 @@ jobs:
     name: PD Alert for Monday
     needs: pre_job
     if: ${{ needs.pre_job.outputs.IsMonday == 'true' }}
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
     - name: Check Out Changes
       uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
@@ -89,7 +88,7 @@ jobs:
     name: PD Alert for WeekDays
     needs: pre_job
     if: ${{ needs.pre_job.outputs.WeekDay == 'true' }}
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
     - name: Check Out Changes
       uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
@@ -135,3 +134,4 @@ jobs:
         channel:  ${{ env.channel }}
         webhook-url: ${{ secrets.SLACK_NOTIFICATIONS_WEBHOOK_URL }}
         color: good
+
diff --git a/.github/workflows/alert_cert_expire.yml b/.github/workflows/alert_cert_expire.yml
@@ -10,7 +10,7 @@ env:
 
 jobs:
   check-certificates:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
       - name: Check Out Changes
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938

diff --git a/.github/workflows/alert_resource_costs.yml b/.github/workflows/alert_resource_costs.yml
@@ -15,7 +15,7 @@ jobs:
       fail-fast: false
       matrix:
         rg: [prime-data-hub-demo1, prime-data-hub-demo2, prime-data-hub-demo3]
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
 
     steps:
       - name: Check out changes

diff --git a/.github/workflows/alert_stale_branches.yaml b/.github/workflows/alert_stale_branches.yaml
@@ -8,7 +8,7 @@ on:
 jobs:
   alert_stale_branches:
     name: Alert on Stale branches
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
       - name: Check Out Changes
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
@@ -30,6 +30,6 @@ jobs:
             Merged ${{ steps.counts.outputs.MERGE_COUNT }}
             Not Merged ${{ steps.counts.outputs.NOT_MERGE_COUNT }}
           icon-emoji: ':bell:'
-          channel: temp_branch_dump
-          webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
+          channel: cdc-reportstream-bot-notifications
+          webhook-url: ${{ secrets.SLACK_NOTIFICATIONS_WEBHOOK_URL }}
           color: warning
diff --git a/.github/workflows/alert_terraform_changes.yml b/.github/workflows/alert_terraform_changes.yml
@@ -16,7 +16,7 @@ jobs:
       matrix:
         env: [staging, prod]
     environment: ${{ matrix.env }}
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
       - name: Check Out Changes
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
@@ -66,6 +66,5 @@ jobs:
 
           icon-emoji: ':bell:'
           channel: cdc-reportstream-bot-notifications
-  # Updated Slack channel
-          webhook-url: ${{ secrets.SLACK_NOTIFICATIONS_WEBHOOK_URL }}  # Updated webhook secret
+          webhook-url: ${{ secrets.SLACK_NOTIFICATIONS_WEBHOOK_URL }}
           color: warning
diff --git a/.github/workflows/alert_version_upgrade.yml b/.github/workflows/alert_version_upgrade.yml
@@ -8,7 +8,7 @@ on:
 jobs:
   alert_version_upgrade:
     name: Alert on Version upgrade
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
       - name: Check Out Changes
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
@@ -44,7 +44,7 @@ jobs:
               "Staging Metabase Version": "${{ env.Schedules_UpgradeDetails_0_StgVersion }}"
               "Production Metabase Version": "${{ env.Schedules_UpgradeDetails_0_PrdVersion }}"
             icon-emoji: ':bell:'
-            channel:  prime-devops
-            webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
+            channel:  cdc-reportstream-bot-notifications
+            webhook-url: ${{ secrets.SLACK_NOTIFICATIONS_WEBHOOK_URL }}
             color: warning
 
diff --git a/.github/workflows/build_frontend.yaml b/.github/workflows/build_frontend.yaml
@@ -21,7 +21,7 @@ concurrency:
 jobs:
   pre_job:
     name: Pre Job
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     outputs:
       # Should not run for PRs (except deployment)
       is_permitted: ${{ steps.build_vars.outputs.has_frontend_change == 'true' && (github.event_name != 'pull_request' || steps.build_vars.outputs.is_deployment_pr == 'true') }}
@@ -38,7 +38,7 @@ jobs:
     name: Build Frontend React
     needs: pre_job
     if: needs.pre_job.outputs.is_permitted == 'true'
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
 
     defaults:
       run:

diff --git a/.github/workflows/build_hub.yml b/.github/workflows/build_hub.yml
@@ -26,7 +26,7 @@ env:
 jobs:
   pre_job:
     name: Pre Job
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     outputs:
       has_router_change: ${{ steps.build_vars.outputs.has_router_change }}
     steps:
@@ -38,7 +38,7 @@ jobs:
 
   build_router:
     name: Build Router
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     needs: pre_job
     if: ${{ needs.pre_job.outputs.has_router_change == 'true' }}
     defaults:

diff --git a/.github/workflows/cleanup_acr_images.yml b/.github/workflows/cleanup_acr_images.yml
@@ -10,7 +10,7 @@ env:
 
 jobs:
   cleanup_images:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     strategy:
       max-parallel: 1
       matrix:

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -29,7 +29,7 @@ jobs:
   analyze:
     name: Analyze
     if: github.actor != 'dependabot[bot]'
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     permissions:
       actions: read
       contents: read

diff --git a/.github/workflows/dependency_review.yml b/.github/workflows/dependency_review.yml
@@ -19,7 +19,7 @@ permissions:
   pull-requests: write
 jobs:
   dependency-review:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938

diff --git a/.github/workflows/deploy_terraform.yml b/.github/workflows/deploy_terraform.yml
@@ -17,7 +17,7 @@ jobs:
     concurrency:
       group: ${{ github.workflow }}-${{ needs.pre_job.outputs.env_name }}
       cancel-in-progress: true
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     outputs:
       env_name: ${{ steps.build_vars.outputs.env_name }}
       tf_change: ${{ steps.build_vars.outputs.has_terraform_change }}
@@ -37,7 +37,7 @@ jobs:
     needs:
       - pre_job
     environment: ${{ needs.pre_job.outputs.env_name }}
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     outputs:
       change_count: ${{ steps.stats1.outputs.change-count }}
     steps:
@@ -60,42 +60,36 @@ jobs:
           terraform-directory: operations/app/terraform/vars/${{ needs.pre_job.outputs.env_name }}
           terraform-version: 1.7.4
           add-args: "-refresh=false"
-
-      - name: Terraform Format 
+      - name: Terraform Format
         # fails on formatting issues, fix locally with `tf fmt -recursive` and push again if this step fails
         run: terraform fmt -check -recursive
-
-      - name: "Terraform init"
+      - name: Terraform Init
         run: terraform init -input=false
-
-      - name: "Terraform validate"
+      - name: Terraform Validate
         run: terraform validate
-
       - name: Terraform Plan
-        run: |
-          terraform plan -out=tf.plan -input=false -no-color -lock-timeout=600s
-      
+        run: terraform plan -out=tf.plan -input=false -no-color -lock-timeout=600s
       - name: Comment Plan on PR
         uses: blinqas/tf-plan-pr-comment@v1
         with:
           output_file: ${{ github.workspace }}/plan_output.txt
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      
-      approve_deploy:
-        name: Approve Deploy - ${{ needs.pre_job.outputs.env_name }}
-        concurrency:
-          group: ${{ github.workflow }}-${{ needs.pre_job.outputs.env_name }}
-          cancel-in-progress: true
-        needs:
-          - pre_job
-          - confirm_changes
-        if: needs.confirm_changes.outputs.change_count > '0'
-        runs-on: ubuntu-24.04
-        environment: ${{ needs.pre_job.outputs.env_name }}_terraform
-        steps:
-          - name: Echo change count
-            run: echo ${{ needs.confirm_changes.outputs.change_count }}
+
+  approve_deploy:
+    name: Approve Deploy - ${{ needs.pre_job.outputs.env_name }}
+    concurrency:
+      group: ${{ github.workflow }}-${{ needs.pre_job.outputs.env_name }}
+      cancel-in-progress: true
+    needs:
+      - pre_job
+      - confirm_changes
+    if: needs.confirm_changes.outputs.change_count > '0'
+    runs-on: ubuntu-latest
+    environment: ${{ needs.pre_job.outputs.env_name }}_terraform
+    steps:
+      - name: Echo change count
+        run: echo ${{ needs.confirm_changes.outputs.change_count }}
 
   run_deploy:
     name: Run Deploy - ${{ needs.pre_job.outputs.env_name }}
@@ -106,7 +100,7 @@ jobs:
       - pre_job
       - approve_deploy
     if: needs.confirm_changes.outputs.change_count > '0'
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     environment: ${{ needs.pre_job.outputs.env_name }}
     defaults:
       run:
@@ -136,4 +130,3 @@ jobs:
           terraform fmt -recursive
           terraform plan -out ${{ needs.pre_job.outputs.env_name }}-tf.plan
           terraform apply -input=false -no-color -lock-timeout=600s -auto-approve ${{ needs.pre_job.outputs.env_name }}-tf.plan
-        #THIS IS JUST A COMMENT FOR THE COMMIT TO TAKE ACTION
diff --git a/.github/workflows/deployment_rollback.yml b/.github/workflows/deployment_rollback.yml
@@ -17,7 +17,7 @@ env:
 
 jobs:
   DeployToCandidateSlot:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     env:
       ALLOWED_USERS: "devopsmatt,emvaldes,scott-aquia,bethbeza"