diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 2b631ebe..11feddca 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -27,40 +27,39 @@ updates:
 interval: 'weekly'
 ignore:
 - dependency-name: "*"
- update-types: ["version-update:semver-patch","version-update:semver-minor"]
+ update-types: ["version-update:semver-patch", "version-update:semver-minor"]
 - package-ecosystem: "npm"
 directory: "/frontend"
 schedule:
 interval: "weekly"
 ignore:
 - dependency-name: "*"
- update-types: ["version-update:semver-patch","version-update:semver-minor"]
+ update-types: ["version-update:semver-patch", "version-update:semver-minor"]
 - package-ecosystem: "npm"
 directory: "/backend"
 schedule:
 interval: "weekly"
 ignore:
 - dependency-name: "*"
- update-types: ["version-update:semver-patch","version-update:semver-minor"]
+ update-types: ["version-update:semver-patch", "version-update:semver-minor"]
 - package-ecosystem: "pip"
 directory: "/backend/worker"
 schedule:
 interval: "weekly"
 ignore:
 - dependency-name: "*"
- update-types: ["version-update:semver-patch","version-update:semver-minor"]
+ update-types: ["version-update:semver-patch", "version-update:semver-minor"]
 - package-ecosystem: 'docker'
 directory: '/'
 schedule:
 interval: 'weekly'
 ignore:
 - dependency-name: "*"
- update-types: ["version-update:semver-patch","version-update:semver-minor"]
+ update-types: ["version-update:semver-patch", "version-update:semver-minor"]
 - package-ecosystem: 'github-actions'
 directory: '/'
 schedule:
 interval: 'weekly'
 ignore:
 - dependency-name: "*"
- update-types: ["version-update:semver-patch","version-update:semver-minor"]
-
+ update-types: ["version-update:semver-patch", "version-update:semver-minor"]
diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
index 34b515da..53971b03 100644
--- a/.github/workflows/backend.yml
+++ b/.github/workflows/backend.yml
@@ -185,7 +185,9 @@ jobs:
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 - name: Run syncdb
- run: aws lambda invoke --function-name crossfeed-staging-syncdb --region us-east-1 /dev/stdout
+ run: |
+ aws lambda invoke --function-name crossfeed-staging-syncdb \
+ --region us-east-1 /dev/stdout
 working-directory: backend
 env:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -234,7 +236,9 @@ jobs:
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 - name: Run syncdb
- run: aws lambda invoke --function-name crossfeed-prod-syncdb --region us-east-1 /dev/stdout
+ run: |
+ aws lambda invoke --function-name crossfeed-prod-syncdb --region us-east-1 \
+ /dev/stdout
 working-directory: backend
 env:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 58670985..3ed6c54c 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -3,9 +3,9 @@ name: "CodeQL"
 on:
 push:
- branches: [ "develop", "production" ]
+ branches: ["develop", "production"]
 pull_request:
- branches: [ "develop" ]
+ branches: ["develop"]
 schedule:
 - cron: "23 17 * * 6"
@@ -21,7 +21,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- language: [ javascript ]
+ language: [javascript]
 steps:
 - name: Checkout
diff --git a/.github/workflows/infrastructure.yml b/.github/workflows/infrastructure.yml
index b502ebab..de3c7499 100644
--- a/.github/workflows/infrastructure.yml
+++ b/.github/workflows/infrastructure.yml
@@ -24,15 +24,16 @@ defaults:
 jobs:
 format:
 runs-on: ubuntu-latest
+ env:
+ URL: "https://releases.hashicorp.com/terraform/1.0.7/terraform_1.0.7_linux_amd64.zip"
 steps:
 - uses: actions/checkout@v3
-
 - name: Install Terraform
 run: |
- wget https://releases.hashicorp.com/terraform/1.0.7/terraform_1.0.7_linux_amd64.zip
+ wget $URL
 unzip terraform_1.0.7_linux_amd64.zip
 sudo mv terraform /usr/local/bin
-
+
 - name: Check format
 run: terraform fmt -recursive -check -diff
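Review bot: The rewritten `run: |` step still reports success when the syncdb function itself fails, because `aws lambda invoke` exits 0 whenever the Invoke API call is accepted and signals a function-level error only through the `FunctionError` field of the response it prints; with `/dev/stdout` as the output file that field scrolls past in the log and nothing checks it. The same applies to the prod step in the hunk at line 236. Writing the response metadata to a file and failing the step when `FunctionError` is present keeps the current log output and turns a broken schema sync into a red job; the step's `working-directory` and `env` lines are in the hunk, the rest of the job is not. The two hunks also wrap the same command differently (`--region` moved to the continuation line for staging, only `/dev/stdout` for prod); one layout for both would be easier to diff.
```yaml
        run: |
          aws lambda invoke --function-name crossfeed-staging-syncdb \
            --region us-east-1 response.json > invoke-meta.json
          cat invoke-meta.json response.json
          # the CLI exits 0 even when the function raised; FunctionError is the only signal
          if grep -q '"FunctionError"' invoke-meta.json; then exit 1; fi
```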
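Review bot: `URL` is added under the `format` job's own `env:`, but the replacement `wget $URL` is also applied in the `Install Terraform` steps of the hunks at lines 47 and 86, which appear to belong to other jobs (each has its own install step); there `$URL` expands to nothing and `wget` fails, unless those jobs define `URL` somewhere not shown. Either hoist it to a workflow-level `env:` block (outside this hunk) or repeat the two `env:` lines in each job. Separately, the download is installed without any integrity check (`wget $URL`, `unzip`, `sudo mv`), so the job trusts whatever the release server returns; verifying the archive against the published `terraform_1.0.7_SHA256SUMS` with a pinned expected digest kept in the workflow, or using `hashicorp/setup-terraform` with `terraform_version: 1.0.7`, would close that gap. The version also stays hard-coded in `unzip terraform_1.0.7_linux_amd64.zip` while the URL moved to a variable, which is a half-parametrisation; a single version variable (e.g. `TF_VERSION`) used in both places would be cleaner.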
@@ -46,7 +47,7 @@ jobs:
 - name: Install Terraform
 run: |
- wget https://releases.hashicorp.com/terraform/1.0.7/terraform_1.0.7_linux_amd64.zip
+ wget $URL
 unzip terraform_1.0.7_linux_amd64.zip
 sudo mv terraform /usr/local/bin
@@ -71,7 +72,7 @@ jobs:
 env:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-
+
 - if: ${{ always() }}
 run: rm stage.plan || true
@@ -85,7 +86,7 @@ jobs:
 - name: Install Terraform
 run: |
- wget https://releases.hashicorp.com/terraform/1.0.7/terraform_1.0.7_linux_amd64.zip
+ wget $URL
 unzip terraform_1.0.7_linux_amd64.zip
 sudo mv terraform /usr/local/bin
@@ -113,6 +114,6 @@ jobs:
 env:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-
+
 - if: ${{ always() }}
 run: rm prod.plan || true
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 13167c4d..d7a8999d 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -89,4 +89,6 @@ jobs:
 restore-keys: |
 pip-
 - run: pip install safety
- - run: safety check -r worker/requirements.txt --policy-file ./worker/.safety-policy.yml
+ - run: |
+ safety check -r worker/requirements.txt \
+ --policy-file ./worker/.safety-policy.yml
diff --git a/.yamllint b/.yamllint
index 8b73b6d2..2a119a6f 100644
--- a/.yamllint
+++ b/.yamllint
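Review bot: The new multi-line `run: |` block still depends on the unpinned `- run: pip install safety` two lines above it, so the scan that gates this job runs whatever `safety` release PyPI serves on the day, and a behaviour or exit-code change in the tool shows up as an unexplained CI change. Pinning it (`pip install 'safety==<pinned version>'`, with the version tracked alongside the worker's other requirements) keeps the result reproducible. The split itself is fine: the default `bash -e` shell fails the step on a non-zero exit, and the trailing `\` continuation survives inside the literal block. The rest of the job is outside the hunk.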
@@ -12,12 +12,12 @@ rules:
 # default. There are many scenarios where the inline mapping may be a key,
 # hash, or other long value that would exceed the line length but cannot
 # reasonably be broken across lines.
- line-length: disable
+ line-length:
+ # This rule implies the allow-non-breakable-words rule
+ allow-non-breakable-inline-mappings: true
+ # Allows a 10% overage from the default limit of 80
+ max: 88
 # yamllint doesn't like when we use yes and no for true and false,
 # but that's pretty standard in Ansible.
 truthy: disable
-
- # yamlint doesn't like when we use spaces inside braces
- # but that's pretty standard.
- braces: disable
diff --git a/backend/.eslintrc.yml b/backend/.eslintrc.yml
index b3bbd73e..7a1d7724 100644
--- a/backend/.eslintrc.yml
+++ b/backend/.eslintrc.yml
@@ -1,6 +1,6 @@
 ---
 {
- "env": { "es6": true, "node": true },
+ "env": {"es6": true, "node": true},
 "parser": "@typescript-eslint/parser",
 "ignorePatterns": ["dist/**"],
 "extends":
@@ -9,13 +9,13 @@
 "plugin:@typescript-eslint/eslint-recommended",
 ],
 "plugins": ["prettier", "@typescript-eslint"],
- "parserOptions": { "ecmaVersion": 2018, "sourceType": "module" },
+ "parserOptions": {"ecmaVersion": 2018, "sourceType": "module"},
 "rules": {
 "prettier/prettier": "error",
 "react/prop-types": 0,
 "react/display-name": 0,
 },
- "settings": { "react": { "version": "detect" } },
- "globals": { "Atomics": "readonly", "SharedArrayBuffer": "readonly" },
+ "settings": {"react": {"version": "detect"}},
+ "globals": {"Atomics": "readonly", "SharedArrayBuffer": "readonly"},
 }
diff --git a/backend/src/api/functions.yml b/backend/src/api/functions.yml
index 751db85d..af7968b1 100644
--- a/backend/src/api/functions.yml
+++ b/backend/src/api/functions.yml
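Review bot: The three context comment lines that open this hunk (`# default. There are many scenarios where the inline mapping may be a key,` …) are the tail of a paragraph, starting above the hunk, that appears to justify `line-length` being disabled; with the rule now enabled at `max: 88` that text no longer describes the configuration. I would rewrite the paragraph to say the rule is on at 88 and that `allow-non-breakable-inline-mappings: true` exempts exactly the long inline-mapping case it describes, rather than the whole rule being off. The added `# This rule implies the allow-non-breakable-words rule` would read more precisely as `# enabling this also implies allow-non-breakable-words` directly above the key it annotates. Dropping `braces: disable` silently turns on enforcement of no spaces inside `{}` (which the .eslintrc hunks then apply), while the removed comment said the opposite was the project's standard; one line recording the new preference would save the next reader the archaeology.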
@@ -7,7 +7,8 @@ api:
 method: ANY
 cors: true
 - http:
- path: /{any+} # this matches any path, the token 'any' doesn't mean anything special
+ # this matches any path, the token 'any' doesn't mean anything special
+ path: /{any+}
 method: ANY
 cors: true
 # provisionedConcurrency: 1
diff --git a/backend/worker/.safety-policy.yml b/backend/worker/.safety-policy.yml
index 08666deb..a2b6e004 100644
--- a/backend/worker/.safety-policy.yml
+++ b/backend/worker/.safety-policy.yml
@@ -1,15 +1,32 @@
 ---
 # Safety Security and License Configuration file
-# We recommend checking this file into your source control in the root of your Python project
-# If this file is named .safety-policy.yml and is in the same directory where you run `safety check` it will be used by default.
-# Otherwise, you can use the flag `safety check --policy-file ` to specify a custom location and name for the file.
-# To validate and review your policy file, run the validate command: `safety validate policy_file --path `
+# We recommend checking this file into your source control in the root of your Python
+# project
+# If this file is named .safety-policy.yml and is in the same directory where you run
+# `safety check` it will be used by default.
+# Otherwise, you can use the flag `safety check --policy-file ` to
+# specify a custom location and name for the file.
+# To validate and review your policy file, run the validate command: `safety validate
+# policy_file --path `
+# A severity number between 0 and 10. Some helpful reference points: 9=ignore all
+# vulnerabilities except CRITICAL severity. 7=ignore all vulnerabilities except
+# CRITICAL & HIGH severity. 4=ignore all vulnerabilities except CRITICAL, HIGH &
+# MEDIUM severity.
 security: # configuration for the `safety check` command
- ignore-cvss-severity-below: 0 # A severity number between 0 and 10. Some helpful reference points: 9=ignore all vulnerabilities except CRITICAL severity. 7=ignore all vulnerabilities except CRITICAL & HIGH severity. 4=ignore all vulnerabilities except CRITICAL, HIGH & MEDIUM severity.
- ignore-cvss-unknown-severity: False # True or False. We recommend you set this to False.
- ignore-vulnerabilities: # Here you can list multiple specific vulnerabilities you want to ignore (optionally for a time period)
- # We recommend making use of the optional `reason` and `expires` keys for each vulnerability that you ignore.
+ ignore-cvss-severity-below: 0
+ # True or False.
We recommend you set this to False.
+ ignore-cvss-unknown-severity: False
+ # Here you can list multiple specific vulnerabilities you want to ignore
+ # (optionally for a time period)
+ ignore-vulnerabilities:
+ # We recommend making use of the optional `reason` and `expires` keys for each
+ # vulnerability that you ignore.
 54672: # Vulnerability found in scrapy version >= 0.7
- reason: No fix currently available # optional, for internal note purposes to communicate with your team. This reason will be reported in the Safety reports
+ # optional, for internal note purposes to communicate with your team.
+ # This reason will be reported in the Safety reports
+ reason: No fix currently available
 expires: '2024-06-01' # We will revisit for a fix in 6 months.
- continue-on-vulnerability-error: False # Suppress non-zero exit codes when vulnerabilities are found. Enable this in pipelines and CI/CD processes if you want to pass builds that have vulnerabilities. We recommend you set this to False.
+ # Suppress non-zero exit codes when vulnerabilities are found. Enable this in
+ # pipelines and CI/CD processes if you want to pass builds that have vulnerabilities.
+ # We recommend you set this to False.
+ continue-on-vulnerability-error: False
diff --git a/frontend/.eslintrc.yml b/frontend/.eslintrc.yml
index c368aa49..a1fa0422 100644
--- a/frontend/.eslintrc.yml
+++ b/frontend/.eslintrc.yml
@@ -1,6 +1,6 @@
 ---
 {
- 'env': { 'browser': true, 'es6': true, 'node': true },
+ 'env': {'browser': true, 'es6': true, 'node': true},
 'parser': '@typescript-eslint/parser',
 'extends':
 [
@@ -12,7 +12,7 @@
 'plugins': ['react', 'react-hooks', 'prettier', '@typescript-eslint'],
 'parserOptions': {
- 'ecmaFeatures': { 'jsx': true },
+ 'ecmaFeatures': {'jsx': true},
 'ecmaVersion': 2018,
 'sourceType': 'module'
 },
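Review bot: The rewrapped `# A severity number between 0 and 10 …` comment (four added `#` lines) now sits above `security:` as part of the file header, detached from `ignore-cvss-severity-below: 0`, the key it explains; a reader of the key gets no explanation and a reader of the header gets reference points for a threshold that is never named. Move those four lines directly above `ignore-cvss-severity-below: 0`, indented with it, the way the other rewrapped comments (`# True or False. …`, `# Suppress non-zero exit codes …`) were kept with their keys. The values `ignore-cvss-unknown-severity: False` and `continue-on-vulnerability-error: False` keep the capitalised YAML 1.1 spelling; lowercase `false` is unambiguous across parsers and is what the repo's `truthy` rule would flag if it were not disabled. The ignored finding `54672:` carries a `reason` and `expires: '2024-06-01'`, which is the right shape for a time-boxed exception, and as the file's own comment says the ignore lapses at that date, so the expiry should be tracked wherever dependency work is scheduled rather than discovered by a failing scan.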
@@ -22,6 +22,6 @@
 'react/prop-types': 0,
 'react/display-name': 0
 },
- 'settings': { 'react': { 'version': 'detect' } },
- 'globals': { 'Atomics': 'readonly', 'SharedArrayBuffer': 'readonly' }
+ 'settings': {'react': {'version': 'detect'}},
+ 'globals': {'Atomics': 'readonly', 'SharedArrayBuffer': 'readonly'}
 }
diff --git a/frontend/serverless.yml b/frontend/serverless.yml
index 22a03f0e..2ea0067e 100644
--- a/frontend/serverless.yml
+++ b/frontend/serverless.yml
@@ -46,7 +46,8 @@ functions:
 path: / # this matches the base path
 method: GET
 - http:
- path: /{any+} # this matches any path, the token 'any' doesn't mean anything special
+ # this matches any path, the token 'any' doesn't mean anything special
+ path: /{any+}
 method: GET
 # provisionedConcurrency: 1
 docs: