Merge pull request #2285 from GSA/main

02/24/2025 Prod Deploy

Author: ccostino

.ds.baseline

@@ -555,15 +555,15 @@
         "filename": "tests/app/main/views/test_register.py",
         "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
         "is_verified": false,
-        "line_number": 200,
+        "line_number": 199,
         "is_secret": false
       },
       {
         "type": "Secret Keyword",
         "filename": "tests/app/main/views/test_register.py",
         "hashed_secret": "bb5b7caa27d005d38039e3797c3ddb9bcd22c3c8",
         "is_verified": false,
-        "line_number": 273,
+        "line_number": 272,
         "is_secret": false
       }
     ],
@@ -684,5 +684,5 @@
       }
     ]
   },
-  "generated_at": "2025-01-13T20:16:58Z"
+  "generated_at": "2025-02-03T17:01:06Z"
 }

.github/ISSUE_TEMPLATE/issue_template.yml

@@ -64,6 +64,17 @@ body:
     validations:
       required: false
 
+  - type: markdown
+    attributes:
+      value: '**Accessibility:**'
+  - type: textarea
+    id: accessibility
+    attributes:
+      label: "List any specific accessibility guidance or tests that need to be considered for this user story."
+      description: "List what type of accessibility tests need to pass."
+    validations:
+      required: false
+
   - type: markdown
     attributes:
       value: '**Notes:**'

.github/pull_request_template.md

@@ -20,3 +20,10 @@ Please enter a detailed description here.
 * Consideration 1
 * Consideration 2
 * Consideration ...
+
+## A11y Checks (if applicable)
+
+* Double check work is getting picked up by the automated E2E tests 
+* Conduct browser-based tests through [AxeDevTools](https://www.deque.com/axe/devtools/) and [WAVE](https://wave.webaim.org/)
+* Review the [Manual Checklist](https://docs.google.com/document/d/192bBXStebdXWtYhZQ73qaWMJhGcuSB1W6c9YBXhWZvc/edit?usp=sharing)
+* Make sure there are no linting errors in VSCode or other IDE of choice

.github/workflows/checks.yml

@@ -10,7 +10,7 @@ env:
   FLASK_APP: application.py
   WERKZEUG_DEBUG_PIN: off
   REDIS_ENABLED: 0
-  NODE_VERSION: 16.15.1
+  NODE_VERSION: 22.3.0
   AWS_US_TOLL_FREE_NUMBER: "+18556438890"
   ADMIN_BASE_URL: http://localhost:6012
 
@@ -38,10 +38,10 @@ jobs:
           output: report-markdown
           annotations: failed-tests
           prnumber: ${{ steps.findPr.outputs.number }}
-      - name: Run style checks
-        run: poetry run flake8 .
       - name: Check imports alphabetized
         run: poetry run isort --check-only ./app ./tests
+      - name: Run style checks
+        run: poetry run flake8 .
       - name: Check dead code
         run: make dead-code
       - name: Run js tests
@@ -139,7 +139,7 @@ jobs:
       - uses: ./.github/actions/setup-project
       - name: Create requirements.txt
         run: poetry export --without-hashes --format=requirements.txt > requirements.txt
-      - uses: pypa/gh-action-pip-audit@v1.0.8
+      - uses: pypa/gh-action-pip-audit@v1.1.0
         with:
           inputs: requirements.txt
           ignore-vulns: |
@@ -165,8 +165,9 @@ jobs:
         run: make run-flask &
         env:
           NOTIFY_ENVIRONMENT: scanning
+          FEATURE_ABOUT_PAGE_ENABLED: true
       - name: Run OWASP Baseline Scan
-        uses: zaproxy/action-baseline@v0.9.0
+        uses: zaproxy/action-baseline@v0.14.0
         with:
           docker_name: "ghcr.io/zaproxy/zaproxy:weekly"
           target: "http://localhost:6012"

.github/workflows/daily_checks.yml

@@ -16,7 +16,7 @@ env:
   FLASK_APP: application.py
   WERKZEUG_DEBUG_PIN: off
   REDIS_ENABLED: 0
-  NODE_VERSION: 16.15.1
+  NODE_VERSION: 22.3.0
 
 jobs:
   dependency-audits:
@@ -26,7 +26,7 @@ jobs:
     - uses: ./.github/actions/setup-project
     - name: Create requirements.txt
       run: poetry export --without-hashes --format=requirements.txt > requirements.txt
-    - uses: pypa/gh-action-pip-audit@v1.0.6
+    - uses: pypa/gh-action-pip-audit@v1.1.0
       with:
         inputs: requirements.txt
     - name: Run npm audit
@@ -50,7 +50,7 @@ jobs:
         env:
           NOTIFY_ENVIRONMENT: scanning
       - name: Run OWASP Full Scan
-        uses: zaproxy/action-full-scan@v0.7.0
+        uses: zaproxy/action-full-scan@v0.12.0
         with:
           docker_name: 'ghcr.io/zaproxy/zaproxy:weekly'
           target: 'http://localhost:6012'

.github/workflows/deploy-demo.yml

@@ -16,9 +16,17 @@ jobs:
         with:
           fetch-depth: 2
 
+      # Looks like we need to install Terraform ourselves now!
+      # https://github.com/actions/runner-images/issues/10796#issuecomment-2417064348
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "^1.7.5"
+          terraform_wrapper: false
+
       - name: Check for changes to Terraform
         id: changed-terraform-files
-        uses: tj-actions/changed-files@v44
+        uses: tj-actions/changed-files@v45
         with:
           files: |
             terraform/demo/**
@@ -93,7 +101,7 @@ jobs:
 
       - name: Check for changes to egress config
         id: changed-egress-config
-        uses: tj-actions/changed-files@v44
+        uses: tj-actions/changed-files@v45
         with:
           files: |
             deploy-config/egress_proxy/notify-admin-demo.*.acl

.github/workflows/deploy-prod.yml

@@ -16,9 +16,17 @@ jobs:
         with:
           fetch-depth: 2
 
+      # Looks like we need to install Terraform ourselves now!
+      # https://github.com/actions/runner-images/issues/10796#issuecomment-2417064348
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "^1.7.5"
+          terraform_wrapper: false
+
       - name: Check for changes to Terraform
         id: changed-terraform-files
-        uses: tj-actions/changed-files@v44
+        uses: tj-actions/changed-files@v45
         with:
           files: |
             terraform/production/**
@@ -93,7 +101,7 @@ jobs:
 
       - name: Check for changes to egress config
         id: changed-egress-config
-        uses: tj-actions/changed-files@v44
+        uses: tj-actions/changed-files@v45
         with:
           files: |
             deploy-config/egress_proxy/notify-admin-production.*.acl

.github/workflows/deploy.yml

@@ -21,9 +21,17 @@ jobs:
       with:
         fetch-depth: 2
 
+    # Looks like we need to install Terraform ourselves now!
+    # https://github.com/actions/runner-images/issues/10796#issuecomment-2417064348
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: "^1.7.5"
+        terraform_wrapper: false
+
     - name: Check for changes to Terraform
       id: changed-terraform-files
-      uses: tj-actions/changed-files@v44
+      uses: tj-actions/changed-files@v45
       with:
         files: |
           terraform/staging/**
@@ -100,7 +108,7 @@ jobs:
 
     - name: Check for changes to egress config
       id: changed-egress-config
-      uses: tj-actions/changed-files@v44
+      uses: tj-actions/changed-files@v45
       with:
         files: |
           deploy-config/egress_proxy/notify-admin-staging.*.acl

.github/workflows/drift.yml

@@ -15,6 +15,14 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      # Looks like we need to install Terraform ourselves now!
+      # https://github.com/actions/runner-images/issues/10796#issuecomment-2417064348
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "^1.7.5"
+          terraform_wrapper: false
+
       - name: Check for drift
         uses: dflook/terraform-check@v1
         env:
@@ -35,6 +43,14 @@ jobs:
         with:
           ref: 'production'
 
+      # Looks like we need to install Terraform ourselves now!
+      # https://github.com/actions/runner-images/issues/10796#issuecomment-2417064348
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "^1.7.5"
+          terraform_wrapper: false
+
       - name: Check for drift
         uses: dflook/terraform-check@v1
         env:
@@ -55,6 +71,14 @@ jobs:
         with:
           ref: 'production'
 
+      # Looks like we need to install Terraform ourselves now!
+      # https://github.com/actions/runner-images/issues/10796#issuecomment-2417064348
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "^1.7.5"
+          terraform_wrapper: false
+
       - name: Check for drift
         uses: dflook/terraform-check@v1
         env:

.github/workflows/terraform-demo.yml

@@ -18,6 +18,14 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      # Looks like we need to install Terraform ourselves now!
+      # https://github.com/actions/runner-images/issues/10796#issuecomment-2417064348
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "^1.7.5"
+          terraform_wrapper: false
+
       - name: Terraform format
         id: format
         run: terraform fmt -check
@@ -51,7 +59,7 @@ jobs:
 
       # inspiration: https://learn.hashicorp.com/tutorials/terraform/github-actions#review-actions-workflow
       - name: Update PR
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         # we would like to update the PR even when a prior step failed
         if: ${{ always() }}
         with: