From 6e91f01966b0048c5d668086e95d0d19a9eb69a4 Mon Sep 17 00:00:00 2001
From: Ramilya Nigmatullina
Date: Tue, 19 Jul 2022 17:07:36 +0300
Subject: [PATCH 1/2] Upgrade gems to resolve vulnerabilities (#207)
---
 Gemfile.lock | 112 +++++++++++++++++++++++++--------------------------
 1 file changed, 56 insertions(+), 56 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index 837572a..a320d1b 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -7,56 +7,56 @@ GEM action_policy (>= 0.5.0) graphql (>= 1.9.3) ruby-next-core (>= 0.10.0) - actioncable (6.0.4.6) - actionpack (= 6.0.4.6) + actioncable (6.0.4.7) + actionpack (= 6.0.4.7) nio4r (~> 2.0) websocket-driver (>= 0.6.1) - actionmailbox (6.0.4.6) - actionpack (= 6.0.4.6) - activejob (= 6.0.4.6) - activerecord (= 6.0.4.6) - activestorage (= 6.0.4.6) - activesupport (= 6.0.4.6) + actionmailbox (6.0.4.7) + actionpack (= 6.0.4.7) + activejob (= 6.0.4.7) + activerecord (= 6.0.4.7) + activestorage (= 6.0.4.7) + activesupport (= 6.0.4.7) mail (>= 2.7.1) - actionmailer (6.0.4.6) - actionpack (= 6.0.4.6) - actionview (= 6.0.4.6) - activejob (= 6.0.4.6) + actionmailer (6.0.4.7) + actionpack (= 6.0.4.7) + actionview (= 6.0.4.7) + activejob (= 6.0.4.7) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 2.0) - actionpack (6.0.4.6) - actionview (= 6.0.4.6) - activesupport (= 6.0.4.6) + actionpack (6.0.4.7) + actionview (= 6.0.4.7) + activesupport (= 6.0.4.7) rack (~> 2.0, >= 2.0.8) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.2.0) - actiontext (6.0.4.6) - actionpack (= 6.0.4.6) - activerecord (= 6.0.4.6) - activestorage (= 6.0.4.6) - activesupport (= 6.0.4.6) + actiontext (6.0.4.7) + actionpack (= 6.0.4.7) + activerecord (= 6.0.4.7) + activestorage (= 6.0.4.7) + activesupport (= 6.0.4.7) nokogiri (>= 1.8.5) - actionview (6.0.4.6) - activesupport (= 6.0.4.6) + actionview (6.0.4.7) + activesupport (= 6.0.4.7) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.1, >= 1.2.0) - activejob (6.0.4.6) - activesupport (= 6.0.4.6) + activejob (6.0.4.7) + activesupport (= 6.0.4.7) globalid (>= 0.3.6) - activemodel (6.0.4.6) - activesupport (= 6.0.4.6) - activerecord (6.0.4.6) - activemodel (= 6.0.4.6) - activesupport (= 6.0.4.6) - activestorage (6.0.4.6) - actionpack (= 6.0.4.6) - activejob (= 6.0.4.6) - activerecord (= 6.0.4.6) + activemodel (6.0.4.7) + activesupport (= 6.0.4.7) + activerecord (6.0.4.7) + 
activemodel (= 6.0.4.7) + activesupport (= 6.0.4.7) + activestorage (6.0.4.7) + actionpack (= 6.0.4.7) + activejob (= 6.0.4.7) + activerecord (= 6.0.4.7) marcel (~> 1.0.0) - activesupport (6.0.4.6) + activesupport (6.0.4.7) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 0.7, < 2) minitest (~> 5.1) @@ -90,7 +90,7 @@ GEM bundler (>= 1.2.0, < 3) thor (~> 0.18) byebug (11.1.1) - concurrent-ruby (1.1.9) + concurrent-ruby (1.1.10) connection_pool (2.2.5) content_disposition (1.0.0) crass (1.0.6) @@ -133,7 +133,7 @@ GEM faraday-net_http_persistent (1.0.3) net-http-persistent (>= 3.1) ffaker (2.14.0) - ffi (1.12.2) + ffi (1.15.5) gems (1.2.0) globalid (1.0.0) activesupport (>= 5.0) @@ -192,7 +192,7 @@ GEM listen (3.2.1) rb-fsevent (~> 0.10, >= 0.10.3) rb-inotify (~> 0.9, >= 0.9.10) - loofah (2.14.0) + loofah (2.16.0) crass (~> 1.0.2) nokogiri (>= 1.5.9) mail (2.7.1) @@ -211,7 +211,7 @@ GEM connection_pool (~> 2.2) newrelic_rpm (6.11.0.365) nio4r (2.5.8) - nokogiri (1.13.3) + nokogiri (1.13.4) mini_portile2 (~> 2.8.0) racc (~> 1.4) open-uri (0.2.0) @@ -225,7 +225,7 @@ GEM pg (1.2.3) promise.rb (0.7.4) public_suffix (4.0.6) - puma (4.3.11) + puma (5.6.4) nio4r (~> 2.0) racc (1.6.0) rack (2.2.3) 
@@ -233,29 +233,29 @@ GEM rack (>= 2.0.0) rack-test (1.1.0) rack (>= 1.0, < 3) - rails (6.0.4.6) - actioncable (= 6.0.4.6) - actionmailbox (= 6.0.4.6) - actionmailer (= 6.0.4.6) - actionpack (= 6.0.4.6) - actiontext (= 6.0.4.6) - actionview (= 6.0.4.6) - activejob (= 6.0.4.6) - activemodel (= 6.0.4.6) - activerecord (= 6.0.4.6) - activestorage (= 6.0.4.6) - activesupport (= 6.0.4.6) + rails (6.0.4.7) + actioncable (= 6.0.4.7) + actionmailbox (= 6.0.4.7) + actionmailer (= 6.0.4.7) + actionpack (= 6.0.4.7) + actiontext (= 6.0.4.7) + actionview (= 6.0.4.7) + activejob (= 6.0.4.7) + activemodel (= 6.0.4.7) + activerecord (= 6.0.4.7) + activestorage (= 6.0.4.7) + activesupport (= 6.0.4.7) bundler (>= 1.3.0) - railties (= 6.0.4.6) + railties (= 6.0.4.7) sprockets-rails (>= 2.0.0) rails-dom-testing (2.0.3) activesupport (>= 4.2.0) nokogiri (>= 1.6) rails-html-sanitizer (1.4.2) loofah (~> 2.3) - railties (6.0.4.6) - actionpack (= 6.0.4.6) - activesupport (= 6.0.4.6) + railties (6.0.4.7) + actionpack (= 6.0.4.7) + activesupport (= 6.0.4.7) method_source rake (>= 0.8.7) thor (>= 0.20.3, < 2.0) @@ -330,7 +330,7 @@ GEM spring-watcher-listen (2.0.1) listen (>= 2.7, < 4.0) spring (>= 1.2, < 3.0) - sprockets (4.0.2) + sprockets (4.0.3) concurrent-ruby (~> 1.0) rack (> 1, < 3) sprockets-rails (3.4.2) From 2f986f22dbec37ffa504572037209cf919a69a38 Mon Sep 17 00:00:00 2001 
From: Evgeniy Esaulkov <58729845+EvgeniyEsaulkov@users.noreply.github.com>
Date: Fri, 29 Jul 2022 18:40:20 +0300
Subject: [PATCH 2/2] Use Github actions instead Semaphore CI (#214)
* add config for github actions
* update config
* add vulnerabilities to ignore list
* update bin/quality
* disable bundler-audit
* remove semaphore ci config
* empty commit
* Update .github/workflows/ci.yml
Co-authored-by: Dmitry Barskov
* fix review
* Update .github/workflows/ci.yml
Co-authored-by: Dmitry Barskov
* Update bundler audit (#218)
* Update bundler audit
* Remove pg database option
* Add pg pass
Co-authored-by: Dmitry Barskov
Co-authored-by: Arthur Zaharov
---
 .bundler-audit.yml | 12 ++++++
 .github/workflows/ci.yml | 46 +++++++++++++++++++++++
 .semaphore/heroku.yml | 25 -------------
 .semaphore/semaphore.yml | 81 ----------------------------------------
 Gemfile.lock | 6 +--
 5 files changed, 61 insertions(+), 109 deletions(-)
 create mode 100644 .bundler-audit.yml
 create mode 100644 .github/workflows/ci.yml
 delete mode 100644 .semaphore/heroku.yml
 delete mode 100644 .semaphore/semaphore.yml
diff --git a/.bundler-audit.yml b/.bundler-audit.yml
new file mode 100644
index 0000000..63597a5
--- /dev/null
+++ b/.bundler-audit.yml
@@ -0,0 +1,12 @@
+---
+ignore:
+ - CVE-2022-22577
+ - CVE-2022-27777
+ - CVE-2022-32224
+ - CVE-2022-32511
+ - CVE-2022-29181
+ - CVE-2022-30123
+ - CVE-2022-30122
+ - CVE-2022-32209
+ - CVE-2022-31163
+ - GHSA-cgx6-hpwq-fhv5
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..7c4d9b6
--- /dev/null
+++ b/.github/workflows/ci.yml
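Review bot: The ten IDs added under `ignore:` carry no reason and no expiry, so bundler-audit will suppress them indefinitely and a later reader cannot tell whether each advisory was judged unreachable, mitigated elsewhere, or merely blocking the new CI job (the commit message only says "add vulnerabilities to ignore list"). Several of these appear to be 2022 advisories against Rails 6.0.4.x, rack 2.2.3, nokogiri 1.13.4 and related gems, versions that the Gemfile.lock hunks in this series leave in place, which reads as suppression rather than remediation; that should be confirmed against the advisory database before this is merged. Annotate each entry, e.g. `- CVE-2022-22577 # <why it does not apply / how it is mitigated>; re-check by <YYYY-MM-DD>`, and prefer a gem bump over an ignore wherever the fix is a routine patch release.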
@@ -0,0 +1,46 @@
+name: CI
+on:
+ pull_request:
+ push:
+ branches:
+ - 'master'
+
+jobs:
+ ci:
+ runs-on: ubuntu-latest
+ env:
+ DATABASE_URL: postgres://postgres:postgres@localhost:5432
+ REDIS_URL: redis://localhost:6379/0
+ RAILS_ENV: test
+ services:
+ postgres:
+ image: postgres
+ ports: ['5432:5432']
+ env:
+ POSTGRES_PASSWORD: postgres
+ options: >-
+ --health-cmd pg_isready
+ --health-interval 10s
+ --health-timeout 5s
+ --health-retries 5
+ redis:
+ image: redis
+ ports: ['6379:6379']
+ options: --entrypoint redis-server
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@v1
+ with:
+ bundler-cache: true
+
+ - name: Run quality checks
+ run: bin/quality
+
+ - name: Setup db
+ run: bin/rails db:setup
+
+ - name: Run tests
+ run: bin/tests
diff --git a/.semaphore/heroku.yml b/.semaphore/heroku.yml
deleted file mode 100644
index 4f2ce60..0000000
--- a/.semaphore/heroku.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-version: v1.0
-name: Deploy to Heroku
-agent:
- machine:
- type: e1-standard-2
- os_image: ubuntu1804
-
-blocks:
- - name: Deploy
- task:
- secrets:
- - name: rails-base-graphql-api-heroku
- env_vars:
- - name: HEROKU_REMOTE
- value: https://git.heroku.com/rails-base-graphql-api.git
- jobs:
- - name: Deploy to Heroku
- commands:
- - checkout --use-cache
- - ssh-keyscan -H heroku.com >> ~/.ssh/known_hosts
- - chmod 600 ~/.ssh/id_rsa_rails_base_graphql_api_heroku
- - ssh-add ~/.ssh/id_rsa_rails_base_graphql_api_heroku
- - git config --global url.ssh://git@heroku.com/.insteadOf https://git.heroku.com/
- - git remote add heroku $HEROKU_REMOTE
- - git push heroku -f $SEMAPHORE_GIT_BRANCH:master
diff --git a/.semaphore/semaphore.yml b/.semaphore/semaphore.yml
deleted file mode 100644
index d089f0b..0000000
--- a/.semaphore/semaphore.yml
+++ /dev/null
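Review bot: The `ci` job declares no `permissions:` block, so its GITHUB_TOKEN is issued with the repository's default scope (read/write unless the repository setting has been tightened) even though the steps only check out code and run checks and tests; add `permissions:` with `contents: read` at the workflow level so the token is least-privilege. In the same hunk the actions are referenced by mutable tags (`actions/checkout@v2`, `ruby/setup-ruby@v1`) and the service containers by untagged images (`image: postgres`, `image: redis`), so what executes on a given run can change without any commit to this repository; pin the actions to a full commit SHA with the tag in a trailing comment and the images to an explicit major version. A short comment on `DATABASE_URL` noting that the database name is deliberately omitted (the commit message's "Remove pg database option") and is presumably supplied by the app's database config would spare the next reader a guess.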
@@ -1,81 +0,0 @@
-version: v1.0
-name: Rails Base GraphQL API
-
-agent:
- machine:
- type: e1-standard-2
- os_image: ubuntu1804
-
-execution_time_limit:
- hours: 1
-
-auto_cancel:
- queued:
- when: "true"
-
-fail_fast:
- stop:
- when: "true"
-
-global_job_config:
- prologue:
- commands:
- # Setup dynamic environment variables b/c they do not support via env_vars yet
- - export DOCKER_REPO="docker.pkg.github.com/fs/rails-base-graphql-api"
- - export BUILDER_NAME="${DOCKER_REPO}/builder:${SEMAPHORE_GIT_BRANCH}"
- - export IMAGE_NAME="${DOCKER_REPO}/final:${SEMAPHORE_GIT_BRANCH}"
- - export RAILS_ENV="test"
- - export RACK_ENV="test"
- - export BUNDLE_WITHOUT="development staging production"
- - export DATABASE_CLEANER_ALLOW_REMOTE_DATABASE_URL="true"
- - export AUTH_SECRET_TOKEN="big_secret_token"
- - export REDIS_URL="redis://redis:6379/1"
- - export MAILER_SENDER_ADDRESS="noreply@example.com"
- - export PASSWORD_RECOVERY_LINK_TEMPLATE="http://lvh.me:5000/password_reset?token=%{password_reset_token}"
-
- # Authenticate with DockerHub
- - echo "${DOCKER_PASSWORD}" | docker login https://docker.pkg.github.com -u "${DOCKER_USERNAME}" --password-stdin
-
- - checkout
-
-blocks:
- - name: Build
- task:
- secrets:
- - name: github-docker-secrets
- jobs:
- - name: Docker build
- commands:
- - docker pull "${BUILDER_NAME}" || true
- - docker pull "${IMAGE_NAME}" || true
- - docker build -t "${BUILDER_NAME}" --target Builder --cache-from="${BUILDER_NAME}" --build-arg BUNDLE_WITHOUT="${BUNDLE_WITHOUT}" --build-arg BUNDLER_VERSION=2.1.4 .
- - docker build -t "${IMAGE_NAME}" --target Final --cache-from="${BUILDER_NAME}" --cache-from="${IMAGE_NAME}" --build-arg BUNDLE_WITHOUT="${BUNDLE_WITHOUT}" --build-arg BUNDLER_VERSION=2.1.4 .
- - docker push "${BUILDER_NAME}"
- - docker push "${IMAGE_NAME}"
-
- - name: Run
- task:
- secrets:
- - name: github-docker-secrets
-
- prologue:
- commands:
- - docker pull "${IMAGE_NAME}"
- - cp docker-compose.linux.yml docker-compose.override.yml
- - docker-compose run app bin/rails db:create db:schema:load
- - docker-compose up --detach
-
- jobs:
- - name: Run RSpec
- commands:
- - bin/docker-tests
-
- - name: Run Quality
- commands:
- - bin/docker-quality
-
-promotions:
- - name: Deploy to Heroku
- pipeline_file: heroku.yml
- auto_promote:
- when: "result = 'passed' and branch = 'master'"
diff --git a/Gemfile.lock b/Gemfile.lock
index a320d1b..c56b4d7 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -86,9 +86,9 @@ GEM msgpack (~> 1.0) brakeman (5.2.1) builder (3.2.4) - bundler-audit (0.6.1) + bundler-audit (0.9.1) bundler (>= 1.2.0, < 3) - thor (~> 0.18) + thor (~> 1.0) byebug (11.1.1) concurrent-ruby (1.1.10) connection_pool (2.2.5)
@@ -340,7 +340,7 @@ GEM stringio (3.0.1) strong_migrations (0.6.8) activerecord (>= 5) - thor (0.20.3) + thor (1.2.1) thread_safe (0.3.6) time (0.2.0) date