2026-01-28 | MAIN --> PROD | DEV (e5fe6da) --> STAGING

[neilmb]

This is an auto-generated pull request to merge main into prod for a staging release on 2026-01-28 with the last commit being merged as e5fe6da

[github-actions]

Terraform plan for production

Plan: 1 to add, 2 to change, 1 to destroy.

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
!~  update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.production.module.cors.null_resource.cors_header must be replaced
-/+ resource "null_resource" "cors_header" {
!~      id       = "*******************" -> (known after apply)
!~      triggers = { # forces replacement
!~          "always_run" = "2026-01-27T18:06:30Z" -> (known after apply)
        }
    }

  # module.production.module.newrelic.newrelic_notification_destination.email_destination will be updated in-place
!~  resource "newrelic_notification_destination" "email_destination" {
        id         = "e7c0bf9e-3e32-454e-98e6-40aa0694adbc"
        name       = "email_destination"
#        (6 unchanged attributes hidden)

-       property {
-           key           = "email" -> null
-           value         = "[email protected],[email protected]" -> null
#            (2 unchanged attributes hidden)
        }
+       property {
+           key           = "email"
+           value         = "[email protected]"
#            (2 unchanged attributes hidden)
        }
    }

  # module.production.module.newrelic.newrelic_workflow.alert_workflow will be updated in-place
!~  resource "newrelic_workflow" "alert_workflow" {
        id                    = "d725c3a4-b865-432c-857e-a7f12339793a"
        name                  = "production_alert_workflow"
#        (8 unchanged attributes hidden)

-       issues_filter {
-           filter_id = "2f4e1c77-5496-4e01-af2b-b6d6a54253ff" -> null
            name      = null
-           type      = "FILTER" -> null

-           predicate {
-               attribute = "labels.policyIds" -> null
-               operator  = "EXACTLY_MATCHES" -> null
-               values    = [
-                   "5422816",
                ] -> null
            }
        }
+       issues_filter {
+           filter_id = (known after apply)
+           name      = "filter"
+           type      = "FILTER"

+           predicate {
+               attribute = "labels.policyIds"
+               operator  = "EXACTLY_MATCHES"
+               values    = [
+                   "5422816",
                ]
            }
        }

#        (1 unchanged block hidden)
    }

Plan: 1 to add, 2 to change, 1 to destroy.

✅ Plan applied in Deploy to the Production Environment #154

[github-actions]

Terraform plan for staging

Plan: 1 to add, 0 to change, 1 to destroy.

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.staging.module.cors.null_resource.cors_header must be replaced
-/+ resource "null_resource" "cors_header" {
!~      id       = "*******************" -> (known after apply)
!~      triggers = { # forces replacement
!~          "always_run" = "2026-01-28T10:49:56Z" -> (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

✅ Plan applied in Deploy to the Staging Environment #418

In general, the fix is to explicitly specify permissions for the GITHUB_TOKEN either at the top workflow level (applies to all jobs) or at the individual job level, and set them to the least privilege the workflow needs. This workflow only needs to read repository contents for actions/checkout, and there’s no evidence it needs to write to GitHub (no PR/issue/status updates), so contents: read is a suitable minimal starting point.

The single best way to fix this without changing existing behavior is to add a permissions block at the workflow root, between name: and on:. This keeps the configuration simple and applies to both jobs (push-with-creds and check-tables). We’ll set permissions: contents: read, which is equivalent to a read-only default for repository contents. No additional imports or methods are needed; it’s purely a YAML configuration change in .github/workflows/deploy-application-manual.yml.

Concretely:

• Edit .github/workflows/deploy-application-manual.yml.
• Insert:

permissions:
  contents: read

right after the name: Deploy Application Manual Trigger line (line 2 in the provided snippet). No other lines need modification.

In general, the fix is to add an explicit permissions: block to the workflow, granting only the minimal scopes the jobs need, instead of relying on implicit repository defaults. This can be done at the top (root) level of the workflow, which applies to all jobs that don’t override it, or per-job if different jobs need different scopes. Since this deployment workflow appears to only need to read repository contents (for actions/checkout) and does not obviously require write access to the repo, a minimal and safe choice is permissions: contents: read at the workflow root.

The single best fix here without changing existing functionality is to add a root-level permissions: block just below the name: field and above on:. actions/checkout@v4 only requires contents: read when doing a regular checkout; we are not using persist-credentials: false or any operation that needs write access, and the remaining steps authenticate with explicit Cloud Foundry credentials via secrets. Therefore, setting permissions: contents: read should not break the workflow but will ensure GITHUB_TOKEN is restricted. No additional imports, methods, or other definitions are required because this is a YAML configuration-only change in .github/workflows/deploy-application-manual.yml.

[github-actions]

Package	Line Rate	Branch Rate	Health
.	100%	100%	✔
api	98%	86%	✔
api.serializers	97%	88%	✔
api.views	91%	100%	✔
audit	95%	81%	✔
audit.cross_validation	97%	86%	✔
audit.fixtures	84%	50%	❌
audit.formlib	36%	0%	❌
audit.intakelib	89%	83%	➖
audit.intakelib.checks	92%	85%	✔
audit.intakelib.common	98%	82%	✔
audit.intakelib.transforms	100%	95%	✔
audit.management.commands	78%	17%	❌
audit.migrations	100%	100%	✔
audit.models	91%	68%	✔
audit.templatetags	100%	100%	✔
audit.views	72%	49%	❌
census_historical_migration	96%	65%	✔
census_historical_migration.migrations	100%	100%	✔
census_historical_migration.sac_general_lib	92%	84%	✔
census_historical_migration.transforms	95%	90%	✔
census_historical_migration.workbooklib	68%	69%	❌
config	78%	37%	❌
curation	98%	100%	✔
curation.curationlib	88%	72%	➖
curation.migrations	100%	100%	✔
dissemination	89%	70%	➖
dissemination.analytics	27%	0%	❌
dissemination.forms	80%	30%	❌
dissemination.migrations	97%	25%	✔
dissemination.models	100%	100%	✔
dissemination.report_generation	21%	0%	❌
dissemination.report_generation.excel	32%	0%	❌
dissemination.searchlib	62%	45%	❌
dissemination.templatetags	48%	0%	❌
dissemination.views	67%	44%	❌
djangooidc	53%	38%	❌
djangooidc.tests	100%	94%	✔
report_submission	100%	96%	✔
report_submission.migrations	100%	100%	✔
report_submission.templatetags	74%	100%	❌
report_submission.views	78%	61%	❌
support	94%	75%	✔
support.migrations	100%	100%	✔
support.models	90%	50%	➖
tools	98%	50%	✔
users	95%	86%	✔
users.fixtures	100%	83%	✔
users.management	100%	100%	✔
users.management.commands	100%	100%	✔
users.migrations	100%	100%	✔
Summary	88% (21837 / 24718)	69% (2681 / 3900)	➖

Minimum allowed line rate is 85%