Merge branch 'staging' into renovate/all-minor-patch-bundler

csvalpha · Jan 1, 2025 · ccaae01 · ccaae01
2 parents daa507f + 2373459
commit ccaae01
Show file tree

Hide file tree

Showing 69 changed files with 1,636 additions and 294 deletions.
diff --git a/.env.example b/.env.example
@@ -6,7 +6,7 @@ POSTGRES_USER=sofia_development
 POSTGRES_PASSWORD=1234567890abcdef
 POSTGRES_HOST=localhost
 
-AMBER_CLIENT_ID=
+AMBER_CLIENT_ID=987654321
 AMBER_CLIENT_SECRET=
 
 FROM_EMAIL=[email protected]
@@ -29,7 +29,7 @@ COMPANY_KVK=41 032 169
 
 SITE_NAME=S.O.F.I.A.
 SITE_SHORT_NAME=SOFIA
-SITE_LONG_NAME=Streepsysteem voor de Ordentelijke Festiviteiten van Inleggend Alpha 
+SITE_LONG_NAME=Streepsysteem voor de Ordentelijke Festiviteiten van Inleggend Alpha
 SITE_ASSOCIATION=C.S.V. Alpha
 
 CODE_BEER=8010

diff --git a/.github/workflows/continuous-delivery.yml b/.github/workflows/continuous-delivery.yml
@@ -48,7 +48,7 @@ jobs:
       stage: ${{ steps.get_metadata.outputs.stage }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Get metadata
         id: get_metadata
@@ -98,7 +98,7 @@ jobs:
 
       - name: Checkout code
         if: fromJSON(needs.metadata.outputs.has_diff)
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Run merge
         if: fromJSON(needs.metadata.outputs.has_diff)
@@ -161,19 +161,19 @@ jobs:
           fi
 
       - name: Checkout code
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ needs.merge.outputs.sha }}
 
       - name: Start deployment
-        uses: bobheadxi/deployments@88ce5600046c82542f8246ac287d0a53c461bca3 # v1.4.0
+        uses: bobheadxi/deployments@648679e8e4915b27893bd7dbc35cb504dc915bc8 # v1.5.0
         id: start_deployment
         with:
           step: start
           env: ${{ needs.metadata.outputs.stage }}
 
       - name: Deploy
-        uses: appleboy/ssh-action@55dabf81b49d4120609345970c91507e2d734799 # v1.0.0
+        uses: appleboy/ssh-action@7eaf76671a0d7eec5d98ee897acda4f968735a17 # v1.2.0
         env:
           STAGE: ${{ needs.metadata.outputs.stage }}
         with:
@@ -188,7 +188,7 @@ jobs:
             docker-compose up -d
 
       - name: Finalize Sentry release
-        uses: getsentry/action-release@4744f6a65149f441c5f396d5b0877307c0db52c7 # v1.4.1
+        uses: getsentry/action-release@e769183448303de84c5a06aaaddf9da7be26d6c7 # v1.7.0
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
           SENTRY_ORG: ${{ vars.SENTRY_ORG_NAME }}
@@ -199,7 +199,7 @@ jobs:
           set_commits: skip
 
       - name: Finish deployment
-        uses: bobheadxi/deployments@88ce5600046c82542f8246ac287d0a53c461bca3 # v1.4.0
+        uses: bobheadxi/deployments@648679e8e4915b27893bd7dbc35cb504dc915bc8 # v1.5.0
         if: steps.start_deployment.conclusion == 'success' && always()
         with:
           step: finish
@@ -213,6 +213,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: [branch_check, metadata, merge, continuous_integration, publish_image, deploy]
     if: (github.ref_name == 'staging' || github.ref_name == 'master') && always()
+    permissions:
+      checks: write
     steps:
       - name: Get conclusion
         id: get_conclusion
@@ -228,11 +230,10 @@ jobs:
           done
 
       - name: Update Continuous Delivery check run
-        uses: guidojw/actions/update-check-run@abb0ee8d1336edf73383f2e5a09abd3a22f25b13 # v1.3.3
+        uses: LouisBrunner/checks-action@6b626ffbad7cc56fd58627f774b9067e6118af23 # v2.0.0
         with:
-          app_id: ${{ vars.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
           sha: ${{ needs.merge.outputs.sha }}
+          token: ${{ github.token }}
           name: Continuous Delivery
           conclusion: ${{ steps.get_conclusion.outputs.conclusion }}
           details_url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
@@ -25,12 +25,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.sha }}
 
       - name: Build test image
-        uses: guidojw/actions/build-docker-image@abb0ee8d1336edf73383f2e5a09abd3a22f25b13 # v1.3.3
+        uses: guidojw/actions/build-docker-image@3ad963828827110a6b716a011f242bf01fdf1db4 # v1.4.7
         with:
           file: Dockerfile
           build-args: |
@@ -56,7 +56,7 @@ jobs:
           - 5432:5432
     steps:
       - name: Checkout code
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.sha }}
 
@@ -71,7 +71,7 @@ jobs:
           bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) 1.6.26
 
       - name: Load test image
-        uses: guidojw/actions/load-docker-image@abb0ee8d1336edf73383f2e5a09abd3a22f25b13 # v1.3.3
+        uses: guidojw/actions/load-docker-image@3ad963828827110a6b716a011f242bf01fdf1db4 # v1.4.7
         with:
           name: app
 
@@ -80,8 +80,8 @@ jobs:
           RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
         run: |
           EXIT_STATUS=0
-          ./actionlint -ignore 'property "gh_app_private_key" is not defined' -ignore 'SC2153:' \
-            -ignore 'property "sha" is not defined in object type {}' || EXIT_STATUS=$?
+          ./actionlint -ignore 'SC2153:'  -ignore 'property "sha" is not defined in object type {}' || \
+            EXIT_STATUS=$?
           docker run -e POSTGRES_USER=postgres -e POSTGRES_PASSWORD=postgres -e POSTGRES_HOST=localhost -e \
             RAILS_MASTER_KEY --network=host app bin/ci.sh lint || EXIT_STATUS=$?
           exit $EXIT_STATUS
@@ -105,7 +105,7 @@ jobs:
           - 5432:5432
     steps:
       - name: Checkout code
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.sha }}
 
@@ -114,7 +114,7 @@ jobs:
           echo '::add-matcher::.github/problem-matchers/rspec.json'
 
       - name: Load test image
-        uses: guidojw/actions/load-docker-image@abb0ee8d1336edf73383f2e5a09abd3a22f25b13 # v1.3.3
+        uses: guidojw/actions/load-docker-image@3ad963828827110a6b716a011f242bf01fdf1db4 # v1.4.7
         with:
           name: app
 
@@ -128,14 +128,14 @@ jobs:
 
       - name: Upload coverage report to Codecov
         if: ${{ !cancelled() }}
-        uses: codecov/codecov-action@015f24e6818733317a2da2edd6290ab26238649a # v5.0.7
+        uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
         with:
           fail_ci_if_error: true
           token: ${{ secrets.CODECOV_TOKEN }}
 
       - name: Upload coverage report artifact
         if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: coverage
           path: coverage/

diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml
@@ -51,24 +51,24 @@ jobs:
     needs: metadata
     steps:
       - name: Checkout code
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ inputs.sha }}
           fetch-depth: 0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ${{ vars.DOCKER_REGISTRY_URL }}
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push image
         id: build_push_image
-        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         with:
           push: true
           context: .
@@ -90,7 +90,7 @@ jobs:
 
       - name: Create Sentry release
         if: ${{ !(github.event_name == 'workflow_dispatch' && github.workflow == 'Publish Image') }}
-        uses: getsentry/action-release@4744f6a65149f441c5f396d5b0877307c0db52c7 # v1.4.1
+        uses: getsentry/action-release@e769183448303de84c5a06aaaddf9da7be26d6c7 # v1.7.0
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
           SENTRY_ORG: ${{ vars.SENTRY_ORG_NAME }}
@@ -106,6 +106,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: [metadata, publish]
     if: github.event_name == 'workflow_dispatch' && github.workflow == 'Publish Image' && always()
+    permissions:
+      checks: write
     steps:
       - name: Get conclusion
         id: get_conclusion
@@ -121,10 +123,9 @@ jobs:
           done
 
       - name: Update Publish Image check run
-        uses: guidojw/actions/update-check-run@abb0ee8d1336edf73383f2e5a09abd3a22f25b13 # v1.3.3
+        uses: LouisBrunner/checks-action@6b626ffbad7cc56fd58627f774b9067e6118af23 # v2.0.0
         with:
-          app_id: ${{ vars.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          token: ${{ github.token }}
           name: Publish Image
           conclusion: ${{ steps.get_conclusion.outputs.conclusion }}
           details_url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
diff --git a/Gemfile b/Gemfile
@@ -20,7 +20,7 @@ gem 'net-smtp', require: false
 gem 'omniauth', '~> 2.1.1'
 gem 'omniauth-oauth2', '~> 1.8.0'
 gem 'omniauth-rails_csrf_protection', '~> 1.0', '>= 1.0.1'
-gem 'paper_trail', '~> 14.0.0'
+gem 'paper_trail', '~> 16.0.0'
 gem 'paranoia', '~> 3.0.0'
 gem 'pg', '~> 1.5.3'
 gem 'puma', '~> 6.4.0'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -101,7 +101,7 @@ GEM
     coderay (1.1.3)
     colorize (0.8.1)
     concurrent-ruby (1.3.4)
-    connection_pool (2.4.0)
+    connection_pool (2.4.1)
     consistency_fail (0.3.7)
     crass (1.0.6)
     devise (4.9.2)
@@ -234,7 +234,7 @@ GEM
     mini_portile2 (2.8.8)
     mini_racer (0.6.3)
       libv8-node (~> 16.10.0.0)
-    minitest (5.24.1)
+    minitest (5.25.2)
     mollie-api-ruby (4.7.1)
     msgpack (1.7.0)
     multi_json (1.15.0)
@@ -282,8 +282,8 @@ GEM
       omniauth (~> 2.0)
     open4 (1.3.4)
     orm_adapter (0.5.0)
-    paper_trail (14.0.0)
-      activerecord (>= 6.0)
+    paper_trail (16.0.0)
+      activerecord (>= 6.1)
       request_store (~> 1.4)
     parallel (1.23.0)
     paranoia (3.0.0)
@@ -362,7 +362,7 @@ GEM
     redis-activesupport (5.3.0)
       activesupport (>= 3, < 8)
       redis-store (>= 1.3, < 2)
-    redis-client (0.14.1)
+    redis-client (0.22.2)
       connection_pool
     redis-rack (2.1.4)
       rack (>= 2.0.8, < 3)
@@ -374,7 +374,7 @@ GEM
     redis-store (1.9.1)
       redis (>= 4, < 5)
     regexp_parser (2.8.0)
-    request_store (1.5.1)
+    request_store (1.7.0)
       rack (>= 1.4)
     responders (3.1.0)
       actionpack (>= 5.2)
@@ -449,7 +449,7 @@ GEM
       sentry-ruby (~> 5.9.0)
       sidekiq (>= 3.0)
     shellany (0.0.1)
-    sidekiq (7.1.0)
+    sidekiq (7.1.6)
       concurrent-ruby (< 2)
       connection_pool (>= 2.3.0)
       rack (>= 2.2.4)
@@ -569,7 +569,7 @@ DEPENDENCIES
   omniauth (~> 2.1.1)
   omniauth-oauth2 (~> 1.8.0)
   omniauth-rails_csrf_protection (~> 1.0, >= 1.0.1)
-  paper_trail (~> 14.0.0)
+  paper_trail (~> 16.0.0)
   paranoia (~> 3.0.0)
   pg (~> 1.5.3)
   pry-byebug

diff --git a/app/controllers/activities_controller.rb b/app/controllers/activities_controller.rb
@@ -10,7 +10,7 @@ class ActivitiesController < ApplicationController # rubocop:disable Metrics/Cla
 
   def index
     authorize Activity
-    @activities = policy_scope(Activity.includes(%i[price_list created_by])
+    @activities = policy_scope(Activity.includes(%i[price_list created_by locked_by])
                                    .order(start_time: :desc)
                                    .page(params[:page]))
 
@@ -19,7 +19,7 @@ def index
       end_time: 6.hours.from_now.beginning_of_hour
     )
 
-    @price_lists_json = PriceList.all.to_json(only: %i[id name])
+    @price_lists_json = PriceList.unarchived.to_json(only: %i[id name])
   end
 
   def create
@@ -63,8 +63,7 @@ def destroy
 
   def show # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
     @activity = Activity.includes(:price_list,
-                                  { orders: [{ order_rows: :product }, :user, :created_by] },
-                                  credit_mutations: [:user]).find(params[:id])
+                                  { orders: [{ order_rows: :product }, :user, :created_by] }).find(params[:id])
     authorize @activity
 
     @price_list = @activity.price_list
@@ -122,8 +121,9 @@ def order_screen # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
   def product_totals
     authorize Activity
 
-    activity = Activity.includes(:price_list, orders: [{ order_rows: :product }, :user]).find(params[:id])
-    render json: activity.count_per_product(**params.permit(:user, :paid_with_pin, :paid_with_cash).to_h.symbolize_keys)
+    permitted_params = params.permit(:id, :user, :paid_with_pin, :paid_with_cash)
+    activity = Activity.includes(:price_list, orders: [{ order_rows: :product }, :user]).find(permitted_params[:id])
+    render json: activity.count_per_product(**permitted_params.except(:id).to_h.symbolize_keys)
   end
 
   def sumup_callback

diff --git a/app/controllers/credit_mutations_controller.rb b/app/controllers/credit_mutations_controller.rb
@@ -1,12 +1,14 @@
 class CreditMutationsController < ApplicationController
   before_action :authenticate_user!
   after_action :verify_authorized
+  after_action :verify_policy_scoped, only: :index
 
   def index
-    @credit_mutations = CreditMutation.includes(model_includes)
+    authorize CreditMutation
+
+    @credit_mutations = policy_scope(CreditMutation.includes(model_includes)
                                       .order(created_at: :desc)
-                                      .page params[:page]
-    authorize @credit_mutations
+                                      .page(params[:page]))
 
     @new_mutation = CreditMutation.new
   end

diff --git a/app/controllers/invoices_controller.rb b/app/controllers/invoices_controller.rb
@@ -6,7 +6,7 @@ class InvoicesController < ApplicationController
   def index
     authorize Invoice
 
-    @invoices = Invoice.all.order(created_at: :desc)
+    @invoices = Invoice.includes(:user, :activity, :rows).order(created_at: :desc)
     @activities_json = Activity.all.to_json(only: %i[id title start_time])
     @invoice = Invoice.new
     @invoice.rows.build

diff --git a/app/controllers/orders_controller.rb b/app/controllers/orders_controller.rb
@@ -55,7 +55,7 @@ def destroy
 
     authorize @order
 
-    if @order.activity.locked?
+    if @order.activity&.locked?
       render json: {}, status: :forbidden
     else
       @order.order_rows.each do |order_row|