-
Notifications
You must be signed in to change notification settings - Fork 21
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'main' into 2271-my-profile-breadcrumbs
- Loading branch information
Showing
36 changed files
with
2,682 additions
and
826 deletions.
There are no files selected for viewing
Validating CODEOWNERS rules …
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,11 @@ | ||
# Require admin approval for GitHub settings and workflow modifications | ||
/.github/ @usdigitalresponse/grants-admins | ||
|
||
# Require admin approval for Terraform IAC modifications | ||
/terraform/ @usdigitalresponse/grants-admins | ||
|
||
# Require admin approval when Postgres root CA bundle is modified | ||
/packages/server/rds-combined-ca-bundle.pem @usdigitalresponse/grants-admins | ||
|
||
# Require admin approval for special doc modifications | ||
README.md @usdigitalresponse/grants-admins | ||
LICENSE @usdigitalresponse/grants-admins | ||
CODE_OF_CONDUCT.md @usdigitalresponse/grants-admins | ||
CONTRIBUTING.md @usdigitalresponse/grants-admins |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
#! /bin/bash | ||
|
||
# Defaults | ||
next_version_release_year=$(TZ='UTC' date '+%Y') | ||
next_version_release_number=1 | ||
|
||
if [[ $1 == 'test' ]]; then | ||
echo 'Running tests...' >&2 | ||
dotest() { | ||
result=$(bash $0 "release/${1}" 2> /dev/null | tail -n 1) | ||
expect="${2}" | ||
if [[ $result != $expect ]]; then | ||
printf "Test failed:\n Expected: $expect\n Received: $result\n" >&2 | ||
exit 1 | ||
fi | ||
} | ||
dotest 'release/1234.987' "$next_version_release_year.1" | ||
dotest 'release/0.0' "$next_version_release_year.1" | ||
dotest 'release/0' "$next_version_release_year.1" | ||
dotest 'sometag' "$next_version_release_year.1" | ||
dotest "release/$next_version_release_year.1" "$next_version_release_year.2" | ||
dotest "release/$next_version_release_year.19" "$next_version_release_year.20" | ||
dotest "release/$next_version_release_year.399" "$next_version_release_year.400" | ||
echo 'Tests complete' >&2 | ||
exit 0 | ||
fi | ||
|
||
if [[ -z $1 ]]; then | ||
# Ensure tag history is available | ||
git fetch --prune --unshallow | ||
tag=$(git describe --tags --match='release/[0-9][0-9][0-9][0-9].[0-9]*' refs/heads/main) | ||
else | ||
tag=$1 | ||
fi | ||
|
||
regex='release\/([0-9]{4})\.([0-9]+)' | ||
if [[ $tag =~ $regex ]]; then | ||
echo "Found tag for previous release: $tag" >&2 | ||
prev_version_release_number="${BASH_REMATCH[2]}" | ||
echo "Previous version number: $prev_version_release_number" >&2 | ||
if [[ $next_version_release_year == "${BASH_REMATCH[1]}" ]]; then | ||
((next_version_release_number=prev_version_release_number+1)) | ||
else | ||
echo "Ignoring previous version number because it pertains to a different year" >&2 | ||
fi | ||
else | ||
echo "Could not locate a previous release version" >&2 | ||
fi | ||
|
||
next_version="$next_version_release_year.$next_version_release_number" | ||
echo "Next version: $next_version" >&2 | ||
# Output result to stdout | ||
printf "$next_version" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,133 @@ | ||
# yaml-language-server: $schema=https://raw.githubusercontent.com/release-drafter/release-drafter/master/schema.json | ||
name-template: 'v$RESOLVED_VERSION' | ||
tag-template: 'release/$RESOLVED_VERSION' | ||
tag-prefix: 'release/' | ||
version-template: '2023.$MINOR' | ||
version-resolver: | ||
default: minor | ||
prerelease: true | ||
categories: | ||
- title: 🚀 New features and enhancements | ||
collapse-after: 10 | ||
labels: | ||
- enhancement | ||
- title: 🐛 Bug fixes | ||
collapse-after: 10 | ||
labels: | ||
- bug | ||
- title: 📖 Documentation improvements | ||
collapse-after: 10 | ||
labels: | ||
- documentation | ||
- title: 🔧 Dependency updates | ||
collapse-after: 3 | ||
labels: | ||
- dependencies | ||
- title: 🔍 Federal Grant Finder updates | ||
collapse-after: 3 | ||
labels: | ||
- Grant Finder | ||
- title: 🧾 ARPA Reporter updates | ||
collapse-after: 3 | ||
labels: | ||
- arpa validations | ||
- arpa subrecipients | ||
- arpa web tool | ||
- arpa audit report | ||
- arpa output templates | ||
- arpa quarterly reporter | ||
- performance reporter | ||
- title: Other changes | ||
labels: | ||
- '*' | ||
category-template: '### $TITLE' | ||
exclude-labels: | ||
- skip-changelog | ||
exclude-contributors: | ||
- dependabot | ||
- 'dependabot[bot]' | ||
- step-security-bot | ||
autolabeler: | ||
- label: javascript | ||
files: | ||
- '**/*.js' | ||
- '**/package.json' | ||
- 'packages/**' | ||
- '**/yarn.lock' | ||
- '**/.npmrc' | ||
- '**/.nvmrc' | ||
- '**/.nycrc' | ||
- '**/.node-version' | ||
- '**/.huskyrc.json' | ||
- '**/lerna.json' | ||
- '**/eslintrc.js' | ||
- '**/.browserslistrc' | ||
- label: database-changes | ||
files: | ||
- 'packages/server/migrations/**' | ||
- 'packages/server/knexfile.js' | ||
- 'packages/server/rds-combined-ca-bundle.pem' | ||
- label: terraform | ||
files: | ||
- 'terraform/**' | ||
- label: Infra | ||
files: | ||
- 'terraform/**' | ||
- 'docker/**' | ||
- '**/docker-compose.yml' | ||
- '**/docker-compose.yaml' | ||
- 'localstack/**' | ||
- label: dependencies | ||
files: | ||
- '**/yarn.lock' | ||
- '**/.terraform.lock.hcl' | ||
branch: | ||
- '/^dependabot\/.+$/i' | ||
- label: documentation | ||
files: | ||
- README | ||
- '**/doc/**' | ||
- '**/docs/**' | ||
- '**/*.md' | ||
- .adr-dir | ||
branch: | ||
- '/^docs?\/.+$/' | ||
- label: bug | ||
branch: | ||
- '/^fix\/.+$/i' | ||
- '/^bug\/.+$/i' | ||
title: | ||
- '/\bfix(es)?\b/i' | ||
- '/\bbug\b/i' | ||
- '/\brevert(s)?\b/i' | ||
- label: enhancement | ||
branch: | ||
- '/^feat(ures?)?\/.+$/i' | ||
- '/^enhance(s|ments?)?\/.+$/i' | ||
title: | ||
- '/\b(?<!^chores?\b.*)feat(ures?)?\b/i' | ||
- '/\b(?<!^chores?\b.*)enhance(s|ment)?\b/i' | ||
- label: github | ||
files: | ||
- '.github/**' | ||
- '**/.gitignore' | ||
change-template: '- $TITLE @$AUTHOR (#$NUMBER)' | ||
change-title-escapes: '\<*_&' | ||
no-contributors-template: >- | ||
'*All changes in this release were crafted by robots (and reviewed by humans).*' | ||
template: | | ||
## 📚 Summary | ||
The releaser should provide a high-level summary here (or remove this section). | ||
## 🛠️ Changes | ||
$CHANGES | ||
## 🤝 Contributors | ||
We would like to thank the following people who made this release possible: | ||
$CONTRIBUTORS | ||
## Deployment History |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
changelog: | ||
exclude: | ||
labels: | ||
- skip-changelog | ||
categories: | ||
- title: 🚀 New features and enhancements | ||
labels: | ||
- enhancement | ||
- title: 🐛 Bug fixes | ||
labels: | ||
- bug | ||
- title: 📖 Documentation improvements | ||
labels: | ||
- documentation | ||
- title: 🔧 Dependency updates | ||
labels: | ||
- dependencies | ||
- title: Other Changes | ||
labels: | ||
- "*" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,69 @@ | ||
name: Configure AWS Credentials | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
aws-region: | ||
type: string | ||
required: true | ||
secrets: | ||
role-to-assume: | ||
required: true | ||
gpg-passphrase: | ||
required: true | ||
outputs: | ||
aws-access-key-id: | ||
value: ${{ jobs.oidc-auth.outputs.aws-access-key-id }} | ||
aws-secret-access-key: | ||
value: ${{ jobs.oidc-auth.outputs.aws-secret-access-key }} | ||
aws-session-token: | ||
value: ${{ jobs.oidc-auth.outputs.aws-session-token }} | ||
|
||
permissions: | ||
contents: read | ||
id-token: write | ||
|
||
jobs: | ||
oidc-auth: | ||
name: OIDC Auth | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
id-token: write | ||
outputs: | ||
aws-access-key-id: ${{ steps.encrypt-aws-access-key-id.outputs.out }} | ||
aws-secret-access-key: ${{ steps.encrypt-aws-secret-access-key.outputs.out }} | ||
aws-session-token: ${{ steps.encrypt-aws-session-token.outputs.out }} | ||
steps: | ||
- uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 | ||
with: | ||
disable-sudo: true | ||
egress-policy: block | ||
allowed-endpoints: > | ||
sts.us-west-2.amazonaws.com:443 | ||
- id: auth | ||
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 | ||
with: | ||
aws-region: us-west-2 | ||
role-to-assume: "${{ secrets.role-to-assume }}" | ||
- name: Encrypt aws-access-key-id | ||
id: encrypt-aws-access-key-id | ||
run: | | ||
encrypted=$(gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 -o - <(echo "$AWS_ACCESS_KEY_ID") | base64 -w0) | ||
echo "out=$encrypted" >> $GITHUB_OUTPUT | ||
env: | ||
GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }} | ||
- name: Encrypt aws-secret-access-key | ||
id: encrypt-aws-secret-access-key | ||
run: | | ||
encrypted=$(gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 -o - <(echo "$AWS_SECRET_ACCESS_KEY") | base64 -w0) | ||
echo "out=$encrypted" >> $GITHUB_OUTPUT | ||
env: | ||
GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }} | ||
- name: Encrypt aws-session-token | ||
id: encrypt-aws-session-token | ||
run: | | ||
encrypted=$(gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 -o - <(echo "$AWS_SESSION_TOKEN") | base64 -w0) | ||
echo "out=$encrypted" >> $GITHUB_OUTPUT | ||
env: | ||
GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }} |
Oops, something went wrong.