Next Prod Release

.github/CODEOWNERS

@@ -1,8 +1,11 @@
 # Require admin approval for GitHub settings and workflow modifications
 /.github/  @usdigitalresponse/grants-admins
 
-# Require admin approval for Terraform IAC modifications
-/terraform/ @usdigitalresponse/grants-admins
-
 # Require admin approval when Postgres root CA bundle is modified
 /packages/server/rds-combined-ca-bundle.pem @usdigitalresponse/grants-admins
+
+# Require admin approval for special doc modifications
+README.md  @usdigitalresponse/grants-admins
+LICENSE  @usdigitalresponse/grants-admins
+CODE_OF_CONDUCT.md  @usdigitalresponse/grants-admins
+CONTRIBUTING.md @usdigitalresponse/grants-admins

.github/next_release_version.bash

@@ -0,0 +1,53 @@
+#! /bin/bash
+
+# Defaults
+next_version_release_year=$(TZ='UTC' date '+%Y')
+next_version_release_number=1
+
+if [[ $1 == 'test' ]]; then
+    echo 'Running tests...' >&2
+    dotest() {
+        result=$(bash $0 "release/${1}" 2> /dev/null | tail -n 1)
+        expect="${2}"
+        if [[ $result != $expect ]]; then
+            printf "Test failed:\n  Expected: $expect\n  Received: $result\n" >&2
+            exit 1
+        fi
+    }
+    dotest 'release/1234.987' "$next_version_release_year.1"
+    dotest 'release/0.0' "$next_version_release_year.1"
+    dotest 'release/0' "$next_version_release_year.1"
+    dotest 'sometag' "$next_version_release_year.1"
+    dotest "release/$next_version_release_year.1" "$next_version_release_year.2"
+    dotest "release/$next_version_release_year.19" "$next_version_release_year.20"
+    dotest "release/$next_version_release_year.399" "$next_version_release_year.400"
+    echo 'Tests complete' >&2
+    exit 0
+fi
+
+if [[ -z $1 ]]; then
+    # Ensure tag history is available
+    git fetch --prune --unshallow
+    tag=$(git describe --tags --match='release/[0-9][0-9][0-9][0-9].[0-9]*' refs/heads/main)
+else
+    tag=$1
+fi
+
+regex='release\/([0-9]{4})\.([0-9]+)'
+if [[ $tag =~ $regex ]]; then
+    echo "Found tag for previous release: $tag" >&2
+    prev_version_release_number="${BASH_REMATCH[2]}"
+    echo "Previous version number: $prev_version_release_number" >&2
+    if [[ $next_version_release_year == "${BASH_REMATCH[1]}" ]]; then
+        ((next_version_release_number=prev_version_release_number+1))
+    else
+        echo "Ignoring previous version number because it pertains to a different year" >&2
+    fi
+else
+    echo "Could not locate a previous release version" >&2
+fi
+
+next_version="$next_version_release_year.$next_version_release_number"
+echo "Next version: $next_version" >&2
+# Output result to stdout
+printf "$next_version"

.github/release-drafter.yml

@@ -0,0 +1,133 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/release-drafter/release-drafter/master/schema.json
+name-template: 'v$RESOLVED_VERSION'
+tag-template: 'release/$RESOLVED_VERSION'
+tag-prefix: 'release/'
+version-template: '2023.$MINOR'
+version-resolver:
+  default: minor
+prerelease: true
+categories:
+  - title: 🚀 New features and enhancements
+    collapse-after: 10
+    labels:
+      - enhancement
+  - title: 🐛 Bug fixes
+    collapse-after: 10
+    labels:
+      - bug
+  - title: 📖 Documentation improvements
+    collapse-after: 10
+    labels:
+      - documentation
+  - title: 🔧 Dependency updates
+    collapse-after: 3
+    labels:
+      - dependencies
+  - title: 🔍 Federal Grant Finder updates
+    collapse-after: 3
+    labels:
+      - Grants Finder
+  - title: 🧾 ARPA Reporter updates
+    collapse-after: 3
+    labels:
+      - arpa validations
+      - arpa subrecipients
+      - arpa web tool
+      - arpa audit report
+      - arpa output templates
+      - arpa quarterly reporter
+      - performance reporter
+  - title: Other changes
+    labels:
+      - '*'
+category-template: '### $TITLE'
+exclude-labels:
+  - skip-changelog
+exclude-contributors:
+  - dependabot
+  - 'dependabot[bot]'
+  - step-security-bot
+autolabeler:
+  - label: javascript
+    files:
+      - '**/*.js'
+      - '**/package.json'
+      - 'packages/**'
+      - '**/yarn.lock'
+      - '**/.npmrc'
+      - '**/.nvmrc'
+      - '**/.nycrc'
+      - '**/.node-version'
+      - '**/.huskyrc.json'
+      - '**/lerna.json'
+      - '**/eslintrc.js'
+      - '**/.browserslistrc'
+  - label: database-changes
+    files:
+      - 'packages/server/migrations/**'
+      - 'packages/server/knexfile.js'
+      - 'packages/server/rds-combined-ca-bundle.pem'
+  - label: terraform
+    files:
+      - 'terraform/**'
+  - label: Infra
+    files:
+      - 'terraform/**'
+      - 'docker/**'
+      - '**/docker-compose.yml'
+      - '**/docker-compose.yaml'
+      - 'localstack/**'
+  - label: dependencies
+    files:
+      - '**/yarn.lock'
+      - '**/.terraform.lock.hcl'
+    branch:
+      - '/^dependabot\/.+$/i'
+  - label: documentation
+    files:
+      - README
+      - '**/doc/**'
+      - '**/docs/**'
+      - '**/*.md'
+      - .adr-dir
+    branch:
+      - '/^docs?\/.+$/'
+  - label: bug
+    branch:
+      - '/^fix\/.+$/i'
+      - '/^bug\/.+$/i'
+    title:
+      - '/\bfix(es)?\b/i'
+      - '/\bbug\b/i'
+      - '/\brevert(s)?\b/i'
+  - label: enhancement
+    branch:
+      - '/^feat(ures?)?\/.+$/i'
+      - '/^enhance(s|ments?)?\/.+$/i'
+    title:
+      - '/\b(?<!^chores?\b.*)feat(ures?)?\b/i'
+      - '/\b(?<!^chores?\b.*)enhance(s|ment)?\b/i'
+  - label: github
+    files:
+      - '.github/**'
+      - '**/.gitignore'
+change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
+change-title-escapes: '\<*_&'
+no-contributors-template: >-
+  '*All changes in this release were crafted by robots (and reviewed by humans).*'
+template: |
+  ## 📚 Summary
+
+  The releaser should provide a high-level summary here (or remove this section).
+
+  ## 🛠️ Changes
+
+  $CHANGES
+
+  ## 🤝 Contributors
+
+  We would like to thank the following people who made this release possible:
+
+  $CONTRIBUTORS
+
+  ## Deployment History

.github/release.yml

@@ -0,0 +1,20 @@
+changelog:
+  exclude:
+    labels:
+      - skip-changelog
+  categories:
+    - title: 🚀 New features and enhancements
+      labels:
+        - enhancement
+    - title: 🐛 Bug fixes
+      labels:
+        - bug
+    - title: 📖 Documentation improvements
+      labels:
+        - documentation
+    - title: 🔧 Dependency updates
+      labels:
+        - dependencies
+    - title: Other Changes
+      labels:
+        - "*"

.github/workflows/aws-auth.yml

@@ -0,0 +1,69 @@
+name: Configure AWS Credentials
+
+on:
+  workflow_call:
+    inputs:
+      aws-region:
+        type: string
+        required: true
+    secrets:
+      role-to-assume:
+        required: true
+      gpg-passphrase:
+        required: true
+    outputs:
+      aws-access-key-id:
+        value: ${{ jobs.oidc-auth.outputs.aws-access-key-id }}
+      aws-secret-access-key:
+        value: ${{ jobs.oidc-auth.outputs.aws-secret-access-key }}
+      aws-session-token:
+        value: ${{ jobs.oidc-auth.outputs.aws-session-token }}
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  oidc-auth:
+    name: OIDC Auth
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    outputs:
+      aws-access-key-id: ${{ steps.encrypt-aws-access-key-id.outputs.out }}
+      aws-secret-access-key: ${{ steps.encrypt-aws-secret-access-key.outputs.out }}
+      aws-session-token: ${{ steps.encrypt-aws-session-token.outputs.out }}
+    steps:
+      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            sts.us-west-2.amazonaws.com:443
+      - id: auth
+        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+        with:
+          aws-region: us-west-2
+          role-to-assume: "${{ secrets.role-to-assume }}"
+      - name: Encrypt aws-access-key-id
+        id: encrypt-aws-access-key-id
+        run: |
+          encrypted=$(gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 -o - <(echo "$AWS_ACCESS_KEY_ID") | base64 -w0)
+          echo "out=$encrypted" >> $GITHUB_OUTPUT
+        env:
+          GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }}
+      - name: Encrypt aws-secret-access-key
+        id: encrypt-aws-secret-access-key
+        run: |
+          encrypted=$(gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 -o - <(echo "$AWS_SECRET_ACCESS_KEY") | base64 -w0)
+          echo "out=$encrypted" >> $GITHUB_OUTPUT
+        env:
+          GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }}
+      - name: Encrypt aws-session-token
+        id: encrypt-aws-session-token
+        run: |
+          encrypted=$(gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 -o - <(echo "$AWS_SESSION_TOKEN") | base64 -w0)
+          echo "out=$encrypted" >> $GITHUB_OUTPUT
+        env:
+          GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }}